harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

For zot6, allow HTTP Signatures to be encrypted, as they may contain sensitive (envelope, metadata) information.

Browse Source
This commit is contained in:
zotlabs 2017-09-24 16:46:52 -07:00
parent 2988e33b57
commit 866dc9a9b3
1 changed files with 46 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
Zotlabs/Web/HTTPSig.php
View File

@ -175,7 +175,8 @@ class HTTPSig {
static function create_sig($request,$head,$prvkey,$keyid = 'Key',$send_headers = false,$auth = false,$alg = 'sha256') { static function create_sig($request,$head,$prvkey,$keyid = 'Key',$send_headers = false,$auth = false,$alg = 'sha256',
$crypt_key = null, $crypt_algo = 'aes256ctr') {
$return_headers = []; $return_headers = [];
@ -188,13 +189,19 @@ class HTTPSig {
$x = self::sign($request,$head,$prvkey,$alg); $x = self::sign($request,$head,$prvkey,$alg);
if($auth) { $headerval = keyId="' . $keyid . '",algorithm="' . $algorithm
$sighead = 'Authorization: Signature keyId="' . $keyid . '",algorithm="' . $algorithm
. '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"'; . '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';
if($crypt_key) {
$x = crypto_encapsulate($headerval,$crypt_key,$crypt_alg);
$headerval = 'iv="' . $x['iv'] . '",key="' . $x['key'] . '",alg="' . $x['alg'] . '",data="' . $x['data'];
}
if($auth) {
$sighead = 'Authorization: Signature ' . $headerval;
} }
else { else {
$sighead = 'Signature: keyId="' . $keyid . '",algorithm="' . $algorithm $sighead = 'Signature: ' . $headerval;
. '",headers="' . $x['headers'] . '",signature="' . $x['signature'] . '"';
} }
if($head) { if($head) {
@ -249,8 +256,15 @@ class HTTPSig {
} }
static function parse_sigheader($header) { static function parse_sigheader($header) {
$ret = []; $ret = [];
$matches = []; $matches = [];
// if the header is encrypted, decrypt with (default) site private key and continue
if(preg_match('/iv="(.*?)"/ism',$header,$matches))
$header = self::decrypt_sigheader($header);
if(preg_match('/keyId="(.*?)"/ism',$header,$matches)) if(preg_match('/keyId="(.*?)"/ism',$header,$matches))
$ret['keyId'] = $matches[1]; $ret['keyId'] = $matches[1];
if(preg_match('/algorithm="(.*?)"/ism',$header,$matches)) if(preg_match('/algorithm="(.*?)"/ism',$header,$matches))
@ -267,6 +281,32 @@ class HTTPSig {
} }
static function decrypt_sigheader($header,$prvkey = null) {
$iv = $key = $alg = $data = null;
if(! $prvkey) {
$prvkey = get_config('system','prvkey');
}
$matches = [];
if(preg_match('/iv="(.*?)"/ism',$header,$matches))
$iv = $matches[1];
if(preg_match('/key="(.*?)"/ism',$header,$matches))
$key = $matches[1];
if(preg_match('/alg="(.*?)"/ism',$header,$matches))
$alg = $matches[1];
if(preg_match('/data="(.*?)"/ism',$header,$matches))
$data = $matches[1];
if($iv && $key && $alg && $data) {
return crypto_unencapsulate([ 'iv' => $iv, 'key' => $key, 'alg' => $alg, 'data' => $data ] , $prvkey);
}
return '';
}
} }