/** * The application does not want to verify the authenticity of the app list, * so it's valid - even if signed by someone else. */ public function testUnsignedValid() { list($caKeyPair, $caCert) = $this->createCA(); $distPointKeyPair = KeyPair::create(); $distPointCert = CA::signCSR($caKeyPair, $caCert, CA::createDirSvcCSR($distPointKeyPair, 'O=Someone, CN=else')); $msg = new AppMetasMessage($distPointCert, $distPointKeyPair, array('app-2' => array('appId' => 'app-2'))); $appMetas = AppMetasMessage::decode(NULL, $msg->encode())->getData(); $this->assertEquals('app-2', $appMetas['app-2']['appId']); }
/** * @param CertificateValidatorInterface|NULL $certValidator * @param string $blob * @return AppMetasMessage * Validated message. * @throws InvalidMessageException */ public static function decode($certValidator, $blob) { $parts = explode(Constants::PROTOCOL_DELIM, $blob, 4); if (count($parts) != 4) { throw new InvalidMessageException('Invalid message: insufficient parameters'); } list($wireProt, $wireCert, $wireSig, $wireEnvelope) = $parts; if ($wireProt != self::NAME) { throw new InvalidMessageException('Invalid message: wrong protocol name'); } if ($certValidator !== NULL) { $certValidator->validateCert($wireCert); $wireCertX509 = new \File_X509(); $wireCertX509->loadX509($wireCert); $cn = $wireCertX509->getDNProp('CN'); if (count($cn) != 1 || $cn[0] != Constants::OFFICIAL_APPMETAS_CN) { throw new InvalidMessageException('Invalid message: signed by unauthorized party'); } $isValid = UserError::adapt('Civi\\Cxn\\Rpc\\Exception\\InvalidMessageException', function () use($wireCertX509, $wireEnvelope, $wireSig) { return AppMetasMessage::getRsaFromCert($wireCertX509)->verify($wireEnvelope, base64_decode($wireSig)); }); if (!$isValid) { throw new InvalidMessageException("Invalid message: incorrect signature"); } } $envelope = json_decode($wireEnvelope, TRUE); if (empty($envelope)) { throw new InvalidMessageException("Invalid message: malformed envelope"); } if (Time::getTime() > $envelope['ttl']) { throw new InvalidMessageException("Invalid message: expired"); } return new AppMetasMessage($wireCert, NULL, json_decode($envelope['r'], TRUE)); }
/** * @param array|string $formats * @param string $blob * @return Message * @throws InvalidMessageException */ public function decode($formats, $blob) { $formats = (array) $formats; $prefixLen = 0; foreach ($formats as $format) { $prefixLen = max($prefixLen, strlen($format)); } list($prefix) = explode(Constants::PROTOCOL_DELIM, substr($blob, 0, $prefixLen + 1)); if (!in_array($prefix, $formats)) { if (in_array(GarbledMessage::NAME, $formats)) { return GarbledMessage::decode($blob); } else { throw new InvalidMessageException("Unexpected message type."); } } switch ($prefix) { case StdMessage::NAME: return StdMessage::decode($this->cxnStore, $blob); case InsecureMessage::NAME: return InsecureMessage::decode($blob); case RegistrationMessage::NAME: return RegistrationMessage::decode($this->appStore, $blob); case AppMetasMessage::NAME: return AppMetasMessage::decode($this->certValidator, $blob); default: throw new InvalidMessageException("Unrecognized message type."); } }