authorMaxence Lange <maxence@artificial-owl.com>2024-11-21 09:25:00 -0100
committerMaxence Lange <maxence@artificial-owl.com>2024-12-04 09:30:55 -0100
commit862a41111855314a9bf0d186ed02688386b70d73 (patch)
tree32c003ba203bc9af7c8c43c368975e6b8b2a0c93 /lib
parentf08d0532905c211d15effdfa1a9fa4f98921e2a9 (diff)
downloadnextcloud-server-862a41111855314a9bf0d186ed02688386b70d73.tar.gz
nextcloud-server-862a41111855314a9bf0d186ed02688386b70d73.zip
fix(ocm): simpler code
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/composer/composer/autoload_classmap.php21
-rw-r--r--lib/composer/composer/autoload_static.php21
-rw-r--r--lib/private/Federation/CloudFederationProviderManager.php6
-rw-r--r--lib/private/OCM/OCMSignatoryManager.php20
-rw-r--r--lib/private/Security/Signature/Model/IncomingSignedRequest.php179
-rw-r--r--lib/private/Security/Signature/Model/OutgoingSignedRequest.php78
-rw-r--r--lib/private/Security/Signature/Model/SignedRequest.php62
-rw-r--r--lib/private/Security/Signature/SignatureManager.php530
-rw-r--r--lib/private/Server.php1
-rw-r--r--lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php (renamed from lib/unstable/Security/Signature/Exceptions/IncomingRequestNotFoundException.php)2
-rw-r--r--lib/unstable/Security/Signature/ISignatoryManager.php6
-rw-r--r--lib/unstable/Security/Signature/ISignatureManager.php2
-rw-r--r--lib/unstable/Security/Signature/Model/IIncomingSignedRequest.php49
-rw-r--r--lib/unstable/Security/Signature/Model/IOutgoingSignedRequest.php25
-rw-r--r--lib/unstable/Security/Signature/Model/ISignedRequest.php37
-rw-r--r--lib/unstable/Security/Signature/Model/SignatoryStatus.php2
16 files changed, 509 insertions, 532 deletions
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index d3aacae9647..bcffae9aff3 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@@ -12,6 +12,25 @@ return array(
'NCU\\Config\\Exceptions\\UnknownKeyException' => $baseDir . '/lib/unstable/Config/Exceptions/UnknownKeyException.php',
'NCU\\Config\\IUserConfig' => $baseDir . '/lib/unstable/Config/IUserConfig.php',
'NCU\\Config\\ValueType' => $baseDir . '/lib/unstable/Config/ValueType.php',
+ 'NCU\\Security\\Signature\\Exceptions\\IdentityNotFoundException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/IdentityNotFoundException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\IncomingRequestException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/IncomingRequestException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\InvalidKeyOriginException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/InvalidKeyOriginException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\InvalidSignatureException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/InvalidSignatureException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatoryConflictException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/SignatoryConflictException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatoryException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/SignatoryException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatoryNotFoundException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/SignatoryNotFoundException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatureElementNotFoundException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatureException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/SignatureException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatureNotFoundException' => $baseDir . '/lib/unstable/Security/Signature/Exceptions/SignatureNotFoundException.php',
+ 'NCU\\Security\\Signature\\ISignatoryManager' => $baseDir . '/lib/unstable/Security/Signature/ISignatoryManager.php',
+ 'NCU\\Security\\Signature\\ISignatureManager' => $baseDir . '/lib/unstable/Security/Signature/ISignatureManager.php',
+ 'NCU\\Security\\Signature\\Model\\IIncomingSignedRequest' => $baseDir . '/lib/unstable/Security/Signature/Model/IIncomingSignedRequest.php',
+ 'NCU\\Security\\Signature\\Model\\IOutgoingSignedRequest' => $baseDir . '/lib/unstable/Security/Signature/Model/IOutgoingSignedRequest.php',
+ 'NCU\\Security\\Signature\\Model\\ISignatory' => $baseDir . '/lib/unstable/Security/Signature/Model/ISignatory.php',
+ 'NCU\\Security\\Signature\\Model\\ISignedRequest' => $baseDir . '/lib/unstable/Security/Signature/Model/ISignedRequest.php',
+ 'NCU\\Security\\Signature\\Model\\SignatoryStatus' => $baseDir . '/lib/unstable/Security/Signature/Model/SignatoryStatus.php',
+ 'NCU\\Security\\Signature\\Model\\SignatoryType' => $baseDir . '/lib/unstable/Security/Signature/Model/SignatoryType.php',
+ 'NCU\\Security\\Signature\\SignatureAlgorithm' => $baseDir . '/lib/unstable/Security/Signature/SignatureAlgorithm.php',
'OCP\\Accounts\\IAccount' => $baseDir . '/lib/public/Accounts/IAccount.php',
'OCP\\Accounts\\IAccountManager' => $baseDir . '/lib/public/Accounts/IAccountManager.php',
'OCP\\Accounts\\IAccountProperty' => $baseDir . '/lib/public/Accounts/IAccountProperty.php',
@@ -1393,6 +1412,8 @@ return array(
'OC\\Core\\Migrations\\Version30000Date20240814180800' => $baseDir . '/core/Migrations/Version30000Date20240814180800.php',
'OC\\Core\\Migrations\\Version30000Date20240815080800' => $baseDir . '/core/Migrations/Version30000Date20240815080800.php',
'OC\\Core\\Migrations\\Version30000Date20240906095113' => $baseDir . '/core/Migrations/Version30000Date20240906095113.php',
+ 'OC\\Core\\Migrations\\Version31000Date20240101084401' => $baseDir . '/core/Migrations/Version31000Date20240101084401.php',
+ 'OC\\Core\\Migrations\\Version31000Date20240814184402' => $baseDir . '/core/Migrations/Version31000Date20240814184402.php',
'OC\\Core\\Migrations\\Version31000Date20241018063111' => $baseDir . '/core/Migrations/Version31000Date20241018063111.php',
'OC\\Core\\Notification\\CoreNotifier' => $baseDir . '/core/Notification/CoreNotifier.php',
'OC\\Core\\ResponseDefinitions' => $baseDir . '/core/ResponseDefinitions.php',
diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php
index 15dbc08bec4..8a5d2d3fee6 100644
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@@ -53,6 +53,25 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
'NCU\\Config\\Exceptions\\UnknownKeyException' => __DIR__ . '/../../..' . '/lib/unstable/Config/Exceptions/UnknownKeyException.php',
'NCU\\Config\\IUserConfig' => __DIR__ . '/../../..' . '/lib/unstable/Config/IUserConfig.php',
'NCU\\Config\\ValueType' => __DIR__ . '/../../..' . '/lib/unstable/Config/ValueType.php',
+ 'NCU\\Security\\Signature\\Exceptions\\IdentityNotFoundException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/IdentityNotFoundException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\IncomingRequestException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/IncomingRequestException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\InvalidKeyOriginException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/InvalidKeyOriginException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\InvalidSignatureException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/InvalidSignatureException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatoryConflictException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/SignatoryConflictException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatoryException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/SignatoryException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatoryNotFoundException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/SignatoryNotFoundException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatureElementNotFoundException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatureException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/SignatureException.php',
+ 'NCU\\Security\\Signature\\Exceptions\\SignatureNotFoundException' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Exceptions/SignatureNotFoundException.php',
+ 'NCU\\Security\\Signature\\ISignatoryManager' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/ISignatoryManager.php',
+ 'NCU\\Security\\Signature\\ISignatureManager' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/ISignatureManager.php',
+ 'NCU\\Security\\Signature\\Model\\IIncomingSignedRequest' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Model/IIncomingSignedRequest.php',
+ 'NCU\\Security\\Signature\\Model\\IOutgoingSignedRequest' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Model/IOutgoingSignedRequest.php',
+ 'NCU\\Security\\Signature\\Model\\ISignatory' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Model/ISignatory.php',
+ 'NCU\\Security\\Signature\\Model\\ISignedRequest' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Model/ISignedRequest.php',
+ 'NCU\\Security\\Signature\\Model\\SignatoryStatus' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Model/SignatoryStatus.php',
+ 'NCU\\Security\\Signature\\Model\\SignatoryType' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/Model/SignatoryType.php',
+ 'NCU\\Security\\Signature\\SignatureAlgorithm' => __DIR__ . '/../../..' . '/lib/unstable/Security/Signature/SignatureAlgorithm.php',
'OCP\\Accounts\\IAccount' => __DIR__ . '/../../..' . '/lib/public/Accounts/IAccount.php',
'OCP\\Accounts\\IAccountManager' => __DIR__ . '/../../..' . '/lib/public/Accounts/IAccountManager.php',
'OCP\\Accounts\\IAccountProperty' => __DIR__ . '/../../..' . '/lib/public/Accounts/IAccountProperty.php',
@@ -1434,6 +1453,8 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
'OC\\Core\\Migrations\\Version30000Date20240814180800' => __DIR__ . '/../../..' . '/core/Migrations/Version30000Date20240814180800.php',
'OC\\Core\\Migrations\\Version30000Date20240815080800' => __DIR__ . '/../../..' . '/core/Migrations/Version30000Date20240815080800.php',
'OC\\Core\\Migrations\\Version30000Date20240906095113' => __DIR__ . '/../../..' . '/core/Migrations/Version30000Date20240906095113.php',
+ 'OC\\Core\\Migrations\\Version31000Date20240101084401' => __DIR__ . '/../../..' . '/core/Migrations/Version31000Date20240101084401.php',
+ 'OC\\Core\\Migrations\\Version31000Date20240814184402' => __DIR__ . '/../../..' . '/core/Migrations/Version31000Date20240814184402.php',
'OC\\Core\\Migrations\\Version31000Date20241018063111' => __DIR__ . '/../../..' . '/core/Migrations/Version31000Date20241018063111.php',
'OC\\Core\\Notification\\CoreNotifier' => __DIR__ . '/../../..' . '/core/Notification/CoreNotifier.php',
'OC\\Core\\ResponseDefinitions' => __DIR__ . '/../../..' . '/core/ResponseDefinitions.php',
diff --git a/lib/private/Federation/CloudFederationProviderManager.php b/lib/private/Federation/CloudFederationProviderManager.php
index 74935ead401..e9354294351 100644
--- a/lib/private/Federation/CloudFederationProviderManager.php
+++ b/lib/private/Federation/CloudFederationProviderManager.php
@@ -226,6 +226,12 @@ class CloudFederationProviderManager implements ICloudFederationProviderManager
*/
private function prepareOcmPayload(string $uri, string $payload): array {
$payload = array_merge($this->getDefaultRequestOptions(), ['body' => $payload]);
+
+ if ($this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_ENFORCED, lazy: true) &&
+ $this->signatoryManager->getRemoteSignatory($this->signatureManager->extractIdentityFromUri($uri)) === null) {
+ return $payload;
+ }
+
if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
$signedPayload = $this->signatureManager->signOutgoingRequestIClientPayload(
$this->signatoryManager,
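Review bot: The new early return sends the payload unsigned exactly when `APPCONFIG_SIGN_ENFORCED` is true and the remote has no signatory, which reads inverted relative to the option's name; if the intent is "skip signing for remotes that lack a signatory only while signing is not enforced", the first condition should be `if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_ENFORCED, lazy: true) &&`. Note also that `getRemoteSignatory()` now returns null on a discovery failure as well as for a remote that genuinely exposes no signatory (see its new catch in OCMSignatoryManager in this same diff), so whichever way the flag is read, a transient discovery error silently downgrades the outgoing request to unsigned; if enforcement is meant to be strict the two cases need to be told apart. `extractIdentityFromUri()` is shown elsewhere in this diff to throw `IdentityNotFoundException`, which is not caught here, and `prepareOcmPayload` continues past the hunk, so confirm a caller handles a malformed URI rather than letting it surface as an unhandled exception.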
diff --git a/lib/private/OCM/OCMSignatoryManager.php b/lib/private/OCM/OCMSignatoryManager.php
index a90bb2c1f39..c7eb9ccda5a 100644
--- a/lib/private/OCM/OCMSignatoryManager.php
+++ b/lib/private/OCM/OCMSignatoryManager.php
@@ -6,12 +6,12 @@ declare(strict_types=1);
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
+
namespace OC\OCM;
use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
use NCU\Security\Signature\ISignatoryManager;
use NCU\Security\Signature\ISignatureManager;
-use NCU\Security\Signature\Model\IIncomingSignedRequest;
use NCU\Security\Signature\Model\ISignatory;
use NCU\Security\Signature\Model\SignatoryType;
use OC\Security\IdentityProof\Manager;
@@ -19,6 +19,7 @@ use OC\Security\Signature\Model\Signatory;
use OCP\IAppConfig;
use OCP\IURLGenerator;
use OCP\OCM\Exceptions\OCMProviderException;
+use Psr\Log\LoggerInterface;
/**
* @inheritDoc
@@ -40,14 +41,15 @@ class OCMSignatoryManager implements ISignatoryManager {
private readonly IURLGenerator $urlGenerator,
private readonly Manager $identityProofManager,
private readonly OCMDiscoveryService $ocmDiscoveryService,
+ private readonly LoggerInterface $logger,
) {
}
/**
* @inheritDoc
*
- * @since 31.0.0
* @return string
+ * @since 31.0.0
*/
public function getProviderId(): string {
return self::PROVIDER_ID;
@@ -56,8 +58,8 @@ class OCMSignatoryManager implements ISignatoryManager {
/**
* @inheritDoc
*
- * @since 31.0.0
* @return array
+ * @since 31.0.0
*/
public function getOptions(): array {
return [];
@@ -121,14 +123,18 @@ class OCMSignatoryManager implements ISignatoryManager {
/**
* @inheritDoc
*
- * @param IIncomingSignedRequest $signedRequest
+ * @param string $remote
*
* @return ISignatory|null must be NULL if no signatory is found
- * @throws OCMProviderException on fail to discover ocm services
* @since 31.0.0
*/
- public function getRemoteSignatory(IIncomingSignedRequest $signedRequest): ?ISignatory {
- return $this->getRemoteSignatoryFromHost($signedRequest->getOrigin());
+ public function getRemoteSignatory(string $remote): ?ISignatory {
+ try {
+ return $this->getRemoteSignatoryFromHost($remote);
+ } catch (OCMProviderException $e) {
+ $this->logger->warning('fail to get remote signatory', ['exception' => $e, 'remote' => $remote]);
+ return null;
+ }
}
/**
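Review bot: The new catch in `getRemoteSignatory()` collapses a failed OCM discovery (`OCMProviderException`) into the same `null` that means "remote has no signatory", so callers can no longer distinguish "could not verify" from "nothing to verify" — on the sending side that null is what decides whether a request goes out unsigned, and on the receiving side a transient network error becomes indistinguishable from a missing key. Either keep propagating the exception and let the caller that wants best-effort behaviour catch and log it, or at least make the ambiguity explicit in the docblock: `@return ISignatory|null NULL if the remote exposes no signatory, or if OCM discovery failed (logged as a warning)`. The docblock also dropped `@throws OCMProviderException` but the `@inheritDoc` on the interface may still advertise it; verify the two agree.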
diff --git a/lib/private/Security/Signature/Model/IncomingSignedRequest.php b/lib/private/Security/Signature/Model/IncomingSignedRequest.php
index 8fe83a7b09b..77914d1e3b2 100644
--- a/lib/private/Security/Signature/Model/IncomingSignedRequest.php
+++ b/lib/private/Security/Signature/Model/IncomingSignedRequest.php
@@ -10,11 +10,14 @@ namespace OC\Security\Signature\Model;
use JsonSerializable;
use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
-use NCU\Security\Signature\Exceptions\IncomingRequestNotFoundException;
+use NCU\Security\Signature\Exceptions\IncomingRequestException;
use NCU\Security\Signature\Exceptions\SignatoryException;
+use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException;
+use NCU\Security\Signature\Exceptions\SignatureNotFoundException;
use NCU\Security\Signature\ISignatureManager;
use NCU\Security\Signature\Model\IIncomingSignedRequest;
use NCU\Security\Signature\Model\ISignatory;
+use OC\Security\Signature\SignatureManager;
use OCP\IRequest;
/**
@@ -26,77 +29,134 @@ use OCP\IRequest;
class IncomingSignedRequest extends SignedRequest implements
IIncomingSignedRequest,
JsonSerializable {
- private ?IRequest $request = null;
- private int $time = 0;
private string $origin = '';
- private string $estimatedSignature = '';
/**
- * @inheritDoc
+ * @throws IncomingRequestException if incoming request is wrongly signed
+ * @throws SignatureNotFoundException if signature is not fully implemented
+ */
+ public function __construct(
+ string $body,
+ private readonly IRequest $request,
+ private readonly array $options = [],
+ ) {
+ parent::__construct($body);
+ $this->verifyHeadersFromRequest();
+ $this->extractSignatureHeaderFromRequest();
+ }
+
+ /**
+ * confirm that:
*
- * @param ISignatory $signatory
+ * - date is available in the header and its value is less than 5 minutes old
+ * - content-length is available and is the same as the payload size
+ * - digest is available and fit the checksum of the payload
*
- * @return $this
- * @throws SignatoryException
- * @throws IdentityNotFoundException
- * @since 31.0.0
+ * @throws IncomingRequestException
+ * @throws SignatureNotFoundException
*/
- public function setSignatory(ISignatory $signatory): self {
- $identity = \OCP\Server::get(ISignatureManager::class)->extractIdentityFromUri($signatory->getKeyId());
- if ($identity !== $this->getOrigin()) {
- throw new SignatoryException('keyId from provider is different from the one from signed request');
+ private function verifyHeadersFromRequest(): void {
+ // confirm presence of date, content-length, digest and Signature
+ $date = $this->getRequest()->getHeader('date');
+ if ($date === '') {
+ throw new SignatureNotFoundException('missing date in header');
+ }
+ $contentLength = $this->getRequest()->getHeader('content-length');
+ if ($contentLength === '') {
+ throw new SignatureNotFoundException('missing content-length in header');
+ }
+ $digest = $this->getRequest()->getHeader('digest');
+ if ($digest === '') {
+ throw new SignatureNotFoundException('missing digest in header');
+ }
+ if ($this->getRequest()->getHeader('Signature') === '') {
+ throw new SignatureNotFoundException('missing Signature in header');
}
- parent::setSignatory($signatory);
- return $this;
+ // confirm date
+ try {
+ $dTime = new \DateTime($date);
+ $requestTime = $dTime->getTimestamp();
+ } catch (\Exception) {
+ throw new IncomingRequestException('datetime exception');
+ }
+ if ($requestTime < (time() - ($this->options['ttl'] ?? SignatureManager::DATE_TTL))) {
+ throw new IncomingRequestException('object is too old');
+ }
+
+ // confirm validity of content-length
+ if (strlen($this->getBody()) !== (int)$contentLength) {
+ throw new IncomingRequestException('inexact content-length in header');
+ }
+
+ // confirm digest value, based on body
+ if ($digest !== $this->getDigest()) {
+ throw new IncomingRequestException('invalid value for digest in header');
+ }
}
/**
- * @inheritDoc
+ * extract data from the header entry 'Signature' and convert its content from string to an array
+ * also confirm that it contains the minimum mandatory information
*
- * @param IRequest $request
- * @return IIncomingSignedRequest
- * @since 31.0.0
+ * @throws IncomingRequestException
*/
- public function setRequest(IRequest $request): IIncomingSignedRequest {
- $this->request = $request;
- return $this;
+ private function extractSignatureHeaderFromRequest(): void {
+ $sign = [];
+ foreach (explode(',', $this->getRequest()->getHeader('Signature')) as $entry) {
+ if ($entry === '' || !strpos($entry, '=')) {
+ continue;
+ }
+
+ [$k, $v] = explode('=', $entry, 2);
+ preg_match('/"([^"]+)"/', $v, $var);
+ if ($var[0] !== '') {
+ $v = trim($var[0], '"');
+ }
+ $sign[$k] = $v;
+ }
+
+ $this->setSignatureElements($sign);
+
+ try {
+ // confirm keys are in the Signature header
+ $this->getSignatureElement('keyId');
+ $this->getSignatureElement('headers');
+ $this->setSignedSignature($this->getSignatureElement('signature'));
+ } catch (SignatureElementNotFoundException $e) {
+ throw new IncomingRequestException($e->getMessage());
+ }
}
/**
* @inheritDoc
*
* @return IRequest
- * @throws IncomingRequestNotFoundException
* @since 31.0.0
*/
public function getRequest(): IRequest {
- if ($this->request === null) {
- throw new IncomingRequestNotFoundException();
- }
return $this->request;
}
/**
* @inheritDoc
*
- * @param int $time
- * @return IIncomingSignedRequest
- * @since 31.0.0
- */
- public function setTime(int $time): IIncomingSignedRequest {
- $this->time = $time;
- return $this;
- }
-
- /**
- * @inheritDoc
+ * @param ISignatory $signatory
*
- * @return int
+ * @return $this
+ * @throws IdentityNotFoundException
+ * @throws IncomingRequestException
+ * @throws SignatoryException
* @since 31.0.0
*/
- public function getTime(): int {
- return $this->time;
+ public function setSignatory(ISignatory $signatory): self {
+ $identity = \OCP\Server::get(ISignatureManager::class)->extractIdentityFromUri($signatory->getKeyId());
+ if ($identity !== $this->getOrigin()) {
+ throw new SignatoryException('keyId from provider is different from the one from signed request');
+ }
+
+ parent::setSignatory($signatory);
+ return $this;
}
/**
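Review bot: In `extractSignatureHeaderFromRequest()` the `preg_match()` result is never checked, so for an unquoted parameter such as `algorithm=rsa-sha256` `$var` is empty, `$var[0]` is an undefined key (warning), and `trim(null, '"')` returns `''` — the value is silently replaced by an empty string instead of being kept, and the same happens to `signature=` itself if a peer sends it unquoted, which then fails verification with a misleading "invalid signature" rather than a parse error. Checking the match and using the capture group fixes this, and trimming `$k` tolerates a space after the comma separator that some clients emit. Separately, `verifyHeadersFromRequest()` only rejects a `date` older than the TTL: a date far in the future passes, so a captured request from a sender with a skewed clock stays replayable well beyond the intended window; the Date is normally covered by the signature so this is about skew rather than forgery, but the upper bound is cheap — `if ($requestTime < (time() - $ttl) || $requestTime > (time() + $ttl))`. `new \DateTime($date)` could also be `DateTimeImmutable`, since the object is only read.
```php
[$k, $v] = explode('=', $entry, 2);
// keep the quoted value when there is one, otherwise leave the raw value untouched
if (preg_match('/"([^"]+)"/', $v, $var) === 1) {
    $v = $var[1];
}
$sign[trim($k)] = $v;
```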
@@ -115,9 +175,13 @@ class IncomingSignedRequest extends SignedRequest implements
* @inheritDoc
*
* @return string
+ * @throws IncomingRequestException
* @since 31.0.0
*/
public function getOrigin(): string {
+ if ($this->origin === '') {
+ throw new IncomingRequestException('empty origin');
+ }
return $this->origin;
}
@@ -126,44 +190,19 @@ class IncomingSignedRequest extends SignedRequest implements
* keyId is a mandatory entry in the headers of a signed request.
*
* @return string
+ * @throws SignatureElementNotFoundException
* @since 31.0.0
*/
public function getKeyId(): string {
- return $this->getSignatureHeader()['keyId'] ?? '';
- }
-
- /**
- * @inheritDoc
- *
- * @param string $signature
- * @return IIncomingSignedRequest
- * @since 31.0.0
- */
- public function setEstimatedSignature(string $signature): IIncomingSignedRequest {
- $this->estimatedSignature = $signature;
- return $this;
- }
-
- /**
- * @inheritDoc
- *
- * @return string
- * @since 31.0.0
- */
- public function getEstimatedSignature(): string {
- return $this->estimatedSignature;
+ return $this->getSignatureElement('keyId');
}
public function jsonSerialize(): array {
return array_merge(
parent::jsonSerialize(),
[
- 'body' => $this->getBody(),
- 'time' => $this->getTime(),
- 'incomingRequest' => $this->request ?? false,
- 'origin' => $this->getOrigin(),
- 'keyId' => $this->getKeyId(),
- 'estimatedSignature' => $this->getEstimatedSignature(),
+ 'options' => $this->options,
+ 'origin' => $this->origin,
]
);
}
diff --git a/lib/private/Security/Signature/Model/OutgoingSignedRequest.php b/lib/private/Security/Signature/Model/OutgoingSignedRequest.php
index 04efcf8bfe1..d2d5b95e7b6 100644
--- a/lib/private/Security/Signature/Model/OutgoingSignedRequest.php
+++ b/lib/private/Security/Signature/Model/OutgoingSignedRequest.php
@@ -9,8 +9,11 @@ declare(strict_types=1);
namespace OC\Security\Signature\Model;
use JsonSerializable;
+use NCU\Security\Signature\ISignatoryManager;
use NCU\Security\Signature\ISignatureManager;
use NCU\Security\Signature\Model\IOutgoingSignedRequest;
+use NCU\Security\Signature\SignatureAlgorithm;
+use OC\Security\Signature\SignatureManager;
/**
* extends ISignedRequest to add info requested at the generation of the signature
@@ -23,8 +26,44 @@ class OutgoingSignedRequest extends SignedRequest implements
JsonSerializable {
private string $host = '';
private array $headers = [];
- private string $clearSignature = '';
- private string $algorithm;
+ /** @var list<string> $headerList */
+ private array $headerList = [];
+ private SignatureAlgorithm $algorithm;
+ public function __construct(
+ string $body,
+ ISignatoryManager $signatoryManager,
+ private readonly string $identity,
+ private readonly string $method,
+ private readonly string $path,
+ ) {
+ parent::__construct($body);
+
+ $options = $signatoryManager->getOptions();
+ $this->setHost($identity)
+ ->setAlgorithm(SignatureAlgorithm::from($options['algorithm'] ?? 'sha256'))
+ ->setSignatory($signatoryManager->getLocalSignatory());
+
+ $headers = array_merge([
+ '(request-target)' => strtolower($method) . ' ' . $path,
+ 'content-length' => strlen($this->getBody()),
+ 'date' => gmdate($options['dateHeader'] ?? SignatureManager::DATE_HEADER),
+ 'digest' => $this->getDigest(),
+ 'host' => $this->getHost()
+ ], $options['extraSignatureHeaders'] ?? []);
+
+ $signing = $headerList = [];
+ foreach ($headers as $element => $value) {
+ $value = $headers[$element];
+ $signing[] = $element . ': ' . $value;
+ $headerList[] = $element;
+ if ($element !== '(request-target)') {
+ $this->addHeader($element, $value);
+ }
+ }
+
+ $this->setHeaderList($headerList)
+ ->setClearSignature(implode("\n", $signing));
+ }
/**
* @inheritDoc
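Review bot: In the constructor, `array_merge()` lets any key in `$options['extraSignatureHeaders']` override the mandatory entries built just above it (`(request-target)`, `content-length`, `date`, `digest`, `host`), because later string keys win; a signatory manager returning its own `digest` would silently replace the computed one in both the signed string and the emitted headers. The options come from the local `ISignatoryManager` and are trusted, so this is defensive rather than exploitable, but `array_merge($mandatory, array_diff_key($options['extraSignatureHeaders'] ?? [], $mandatory))` keeps the mandatory set authoritative while preserving header order for the receiver. The first statement of the loop, `$value = $headers[$element];`, is a no-op since `foreach` already bound `$value`. `SignatureAlgorithm::from()` throws `ValueError` on an unknown configured algorithm, which is acceptable for local config but deserves a `@throws \ValueError if the configured algorithm is not a SignatureAlgorithm case` on the constructor docblock.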
@@ -52,12 +91,12 @@ class OutgoingSignedRequest extends SignedRequest implements
* @inheritDoc
*
* @param string $key
- * @param string|int|float|bool|array $value
+ * @param string|int|float $value
*
* @return IOutgoingSignedRequest
* @since 31.0.0
*/
- public function addHeader(string $key, string|int|float|bool|array $value): IOutgoingSignedRequest {
+ public function addHeader(string $key, string|int|float $value): IOutgoingSignedRequest {
$this->headers[$key] = $value;
return $this;
}
@@ -73,37 +112,37 @@ class OutgoingSignedRequest extends SignedRequest implements
}
/**
- * @inheritDoc
+ * set the ordered list of used headers in the Signature
*
- * @param string $estimated
+ * @param list<string> $list
*
* @return IOutgoingSignedRequest
* @since 31.0.0
*/
- public function setClearSignature(string $estimated): IOutgoingSignedRequest {
- $this->clearSignature = $estimated;
+ public function setHeaderList(array $list): IOutgoingSignedRequest {
+ $this->headerList = $list;
return $this;
}
/**
- * @inheritDoc
+ * returns ordered list of used headers in the Signature
*
- * @return string
+ * @return list<string>
* @since 31.0.0
*/
- public function getClearSignature(): string {
- return $this->clearSignature;
+ public function getHeaderList(): array {
+ return $this->headerList;
}
/**
* @inheritDoc
*
- * @param string $algorithm
+ * @param SignatureAlgorithm $algorithm
*
* @return IOutgoingSignedRequest
* @since 31.0.0
*/
- public function setAlgorithm(string $algorithm): IOutgoingSignedRequest {
+ public function setAlgorithm(SignatureAlgorithm $algorithm): IOutgoingSignedRequest {
$this->algorithm = $algorithm;
return $this;
}
@@ -111,10 +150,10 @@ class OutgoingSignedRequest extends SignedRequest implements
/**
* @inheritDoc
*
- * @return string
+ * @return SignatureAlgorithm
* @since 31.0.0
*/
- public function getAlgorithm(): string {
+ public function getAlgorithm(): SignatureAlgorithm {
return $this->algorithm;
}
@@ -122,9 +161,12 @@ class OutgoingSignedRequest extends SignedRequest implements
return array_merge(
parent::jsonSerialize(),
[
+ 'host' => $this->host,
'headers' => $this->headers,
- 'host' => $this->getHost(),
- 'clearSignature' => $this->getClearSignature(),
+ 'algorithm' => $this->algorithm->value,
+ 'method' => $this->method,
+ 'identity' => $this->identity,
+ 'path' => $this->path,
]
);
}
diff --git a/lib/private/Security/Signature/Model/SignedRequest.php b/lib/private/Security/Signature/Model/SignedRequest.php
index 1587da9d631..56853ebade3 100644
--- a/lib/private/Security/Signature/Model/SignedRequest.php
+++ b/lib/private/Security/Signature/Model/SignedRequest.php
@@ -10,6 +10,7 @@ namespace OC\Security\Signature\Model;
use JsonSerializable;
use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
+use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException;
use NCU\Security\Signature\Model\ISignatory;
use NCU\Security\Signature\Model\ISignedRequest;
@@ -20,8 +21,9 @@ use NCU\Security\Signature\Model\ISignedRequest;
*/
class SignedRequest implements ISignedRequest, JsonSerializable {
private string $digest;
+ private array $signatureElements = [];
+ private string $clearSignature = '';
private string $signedSignature = '';
- private array $signatureHeader = [];
private ?ISignatory $signatory = null;
public function __construct(
@@ -54,12 +56,13 @@ class SignedRequest implements ISignedRequest, JsonSerializable {
/**
* @inheritDoc
*
- * @param array $signatureHeader
+ * @param array $elements
+ *
* @return ISignedRequest
* @since 31.0.0
*/
- public function setSignatureHeader(array $signatureHeader): ISignedRequest {
- $this->signatureHeader = $signatureHeader;
+ public function setSignatureElements(array $elements): ISignedRequest {
+ $this->signatureElements = $elements;
return $this;
}
@@ -69,8 +72,47 @@ class SignedRequest implements ISignedRequest, JsonSerializable {
* @return array
* @since 31.0.0
*/
- public function getSignatureHeader(): array {
- return $this->signatureHeader;
+ public function getSignatureElements(): array {
+ return $this->signatureElements;
+ }
+
+ /**
+ * @param string $key
+ *
+ * @return string
+ * @throws SignatureElementNotFoundException
+ * @since 31.0.0
+ *
+ */
+ public function getSignatureElement(string $key): string {
+ if (!array_key_exists($key, $this->signatureElements)) {
+ throw new SignatureElementNotFoundException('missing element ' . $key . ' in Signature header');
+ }
+
+ return $this->signatureElements[$key];
+ }
+
+ /**
+ * @inheritDoc
+ *
+ * @param string $clearSignature
+ *
+ * @return ISignedRequest
+ * @since 31.0.0
+ */
+ public function setClearSignature(string $clearSignature): ISignedRequest {
+ $this->clearSignature = $clearSignature;
+ return $this;
+ }
+
+ /**
+ * @inheritDoc
+ *
+ * @return string
+ * @since 31.0.0
+ */
+ public function getClearSignature(): string {
+ return $this->clearSignature;
}
/**
@@ -134,9 +176,11 @@ class SignedRequest implements ISignedRequest, JsonSerializable {
public function jsonSerialize(): array {
return [
- 'body' => $this->getBody(),
- 'signatureHeader' => $this->getSignatureHeader(),
- 'signedSignature' => $this->getSignedSignature(),
+ 'body' => $this->body,
+ 'digest' => $this->digest,
+ 'signatureElements' => $this->signatureElements,
+ 'clearSignature' => $this->clearSignature,
+ 'signedSignature' => $this->signedSignature,
'signatory' => $this->signatory ?? false,
];
}
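Review bot: `jsonSerialize()` now exports the full request `body` together with `clearSignature`, `signedSignature` and the signatory, and this same object is what `SignatureManager` passes into the warning-log context when verification fails (`'signedRequest' => $signedRequest`, visible at the end of this diff). The body of an incoming request may be up to `BODY_MAXSIZE` (50 000 bytes by default), and federated share payloads plausibly carry tokens or other secrets — I cannot confirm the schema from this diff — so serializing it verbatim into logs is both a leakage and a log-volume concern. Consider exporting only metadata here, e.g. replacing `'body' => $this->body,` with `'bodySize' => strlen($this->body),`, and leaving the raw body to explicit debug paths.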
diff --git a/lib/private/Security/Signature/SignatureManager.php b/lib/private/Security/Signature/SignatureManager.php
index 8717171f4b4..2d895b465ab 100644
--- a/lib/private/Security/Signature/SignatureManager.php
+++ b/lib/private/Security/Signature/SignatureManager.php
@@ -1,7 +1,6 @@
<?php
declare(strict_types=1);
-
/**
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
@@ -16,6 +15,7 @@ use NCU\Security\Signature\Exceptions\InvalidSignatureException;
use NCU\Security\Signature\Exceptions\SignatoryConflictException;
use NCU\Security\Signature\Exceptions\SignatoryException;
use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
+use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException;
use NCU\Security\Signature\Exceptions\SignatureException;
use NCU\Security\Signature\Exceptions\SignatureNotFoundException;
use NCU\Security\Signature\ISignatoryManager;
@@ -45,7 +45,7 @@ use Psr\Log\LoggerInterface;
* "date": "Mon, 08 Jul 2024 14:16:20 GMT",
* "digest": "SHA-256=U7gNVUQiixe5BRbp4Tg0xCZMTcSWXXUZI2\\/xtHM40S0=",
* "host": "hostname.of.the.recipient",
- * "Signature": "keyId=\"https://author.hostname/key\",algorithm=\"ras-sha256\",headers=\"content-length
+ * "Signature": "keyId=\"https://author.hostname/key\",algorithm=\"sha256\",headers=\"content-length
* date digest host\",signature=\"DzN12OCS1rsA[...]o0VmxjQooRo6HHabg==\""
* }
*
@@ -66,11 +66,11 @@ use Psr\Log\LoggerInterface;
* @since 31.0.0
*/
class SignatureManager implements ISignatureManager {
- private const DATE_HEADER = 'D, d M Y H:i:s T';
- private const DATE_TTL = 300;
- private const SIGNATORY_TTL = 86400 * 3;
- private const TABLE_SIGNATORIES = 'sec_signatory';
- private const BODY_MAXSIZE = 50000; // max size of the payload of the request
+ public const DATE_HEADER = 'D, d M Y H:i:s T';
+ public const DATE_TTL = 300;
+ public const SIGNATORY_TTL = 86400 * 3;
+ public const TABLE_SIGNATORIES = 'sec_signatory';
+ public const BODY_MAXSIZE = 50000; // max size of the payload of the request
public const APPCONFIG_IDENTITY = 'security.signature.identity';
public function __construct(
@@ -98,25 +98,29 @@ class SignatureManager implements ISignatureManager {
?string $body = null,
): IIncomingSignedRequest {
$body = $body ?? file_get_contents('php://input');
- if (strlen($body) > self::BODY_MAXSIZE) {
+ $options = $signatoryManager->getOptions();
+ if (strlen($body) > ($options['bodyMaxSize'] ?? self::BODY_MAXSIZE)) {
throw new IncomingRequestException('content of request is too big');
}
- $signedRequest = new IncomingSignedRequest($body);
- $signedRequest->setRequest($this->request);
- $options = $signatoryManager->getOptions();
+ // generate IncomingSignedRequest based on body and request
+ $signedRequest = new IncomingSignedRequest($body, $this->request, $options);
+ try {
+ // we set origin based on the keyId defined in the Signature header of the request
+ $signedRequest->setOrigin($this->extractIdentityFromUri($signedRequest->getSignatureElement('keyId')));
+ } catch (IdentityNotFoundException $e) {
+ throw new IncomingRequestException($e->getMessage());
+ }
try {
- $this->verifyIncomingRequestTime($signedRequest, $options['ttl'] ?? self::DATE_TTL);
- $this->verifyIncomingRequestContent($signedRequest);
- $this->prepIncomingSignatureHeader($signedRequest);
- $this->verifyIncomingSignatureHeader($signedRequest);
- $this->prepEstimatedSignature($signedRequest, $options['extraSignatureHeaders'] ?? []);
- $this->verifyIncomingRequestSignature($signedRequest, $signatoryManager, $options['ttlSignatory'] ?? self::SIGNATORY_TTL);
+ // confirm the validity of content and identity of the incoming request
+ $this->generateExpectedClearSignatureFromRequest($signedRequest, $options['extraSignatureHeaders'] ?? []);
+ $this->confirmIncomingRequestSignature($signedRequest, $signatoryManager, $options['ttlSignatory'] ?? self::SIGNATORY_TTL);
} catch (SignatureException $e) {
$this->logger->warning(
'signature could not be verified', [
- 'exception' => $e, 'signedRequest' => $signedRequest,
+ 'exception' => $e,
+ 'signedRequest' => $signedRequest,
'signatoryManager' => get_class($signatoryManager)
]
);
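Review bot: `$signedRequest->getSignatureElement('keyId')` in the first try block can throw SignatureElementNotFoundException (a SignatureException per the renamed exception class), but that block only catches IdentityNotFoundException, so a request with no keyId element bypasses the 'signature could not be verified' warning and leaves this method with a different exception type than every other signature failure; either move that call into the second try or add `catch (SignatureElementNotFoundException $e) { throw new IncomingRequestException($e->getMessage(), previous: $e); }`. The existing wrap should also pass `previous: $e` so the IdentityNotFoundException is not lost from the log context. The date-TTL, content-length and digest checks that this method used to run (and the `$options['ttl']` read) no longer appear on this path; if they now happen inside the IncomingSignedRequest constructor, the comment `// generate IncomingSignedRequest based on body and request` should say that header and body validation happens there, otherwise a reader assumes they were dropped. getIncomingSignedRequest starts and ends outside the hunk.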
@@ -127,6 +131,95 @@ class SignatureManager implements ISignatureManager {
}
/**
+ * generating the expected signature (clear version) sent by the remote instance
+ * based on the data available in the Signature header.
+ *
+ * @param IIncomingSignedRequest $signedRequest
+ * @param array $extraSignatureHeaders
+ *
+ * @throws SignatureException
+ */
+ private function generateExpectedClearSignatureFromRequest(
+ IIncomingSignedRequest $signedRequest,
+ array $extraSignatureHeaders = [],
+ ): void {
+ $request = $signedRequest->getRequest();
+ $usedHeaders = explode(' ', $signedRequest->getSignatureElement('headers'));
+ $neededHeaders = array_merge(['date', 'host', 'content-length', 'digest'], array_keys($extraSignatureHeaders));
+
+ $missingHeaders = array_diff($neededHeaders, $usedHeaders);
+ if ($missingHeaders !== []) {
+ throw new SignatureException('missing entries in Signature.headers: ' . json_encode($missingHeaders));
+ }
+
+ $estimated = ['(request-target): ' . strtolower($request->getMethod()) . ' ' . $request->getRequestUri()];
+ foreach ($usedHeaders as $key) {
+ if ($key === '(request-target)') {
+ continue;
+ }
+ $value = (strtolower($key) === 'host') ? $request->getServerHost() : $request->getHeader($key);
+ if ($value === '') {
+ throw new SignatureException('missing header ' . $key . ' in request');
+ }
+
+ $estimated[] = $key . ': ' . $value;
+ }
+
+ $signedRequest->setClearSignature(implode("\n", $estimated));
+ }
+
+ /**
+ * confirm that the Signature is signed using the correct private key, using
+ * clear version of the Signature and the public key linked to the keyId
+ *
+ * @param IIncomingSignedRequest $signedRequest
+ * @param ISignatoryManager $signatoryManager
+ *
+ * @throws SignatoryNotFoundException
+ * @throws SignatureException
+ */
+ private function confirmIncomingRequestSignature(
+ IIncomingSignedRequest $signedRequest,
+ ISignatoryManager $signatoryManager,
+ int $ttlSignatory,
+ ): void {
+ $knownSignatory = null;
+ try {
+ $knownSignatory = $this->getStoredSignatory($signedRequest->getKeyId());
+ // refreshing ttl and compare with previous public key
+ if ($ttlSignatory > 0 && $knownSignatory->getLastUpdated() < (time() - $ttlSignatory)) {
+ $signatory = $this->getSaneRemoteSignatory($signatoryManager, $signedRequest);
+ $this->updateSignatoryMetadata($signatory);
+ $knownSignatory->setMetadata($signatory->getMetadata());
+ }
+
+ $signedRequest->setSignatory($knownSignatory);
+ $this->verifySignedRequest($signedRequest);
+ } catch (InvalidKeyOriginException $e) {
+ throw $e; // issue while requesting remote instance also means there is no 2nd try
+ } catch (SignatoryNotFoundException) {
+ // if no signatory in cache, we retrieve the one from the remote instance (using
+ // $signatoryManager), check its validity with current signature and store it
+ $signatory = $this->getSaneRemoteSignatory($signatoryManager, $signedRequest);
+ $signedRequest->setSignatory($signatory);
+ $this->verifySignedRequest($signedRequest);
+ $this->storeSignatory($signatory);
+ } catch (SignatureException) {
+ // if public key (from cache) is not valid, we try to refresh it (based on SignatoryType)
+ try {
+ $signatory = $this->getSaneRemoteSignatory($signatoryManager, $signedRequest);
+ } catch (SignatoryNotFoundException $e) {
+ $this->manageDeprecatedSignatory($knownSignatory);
+ throw $e;
+ }
+
+ $signedRequest->setSignatory($signatory);
+ $this->verifySignedRequest($signedRequest);
+ $this->storeSignatory($signatory);
+ }
+ }
+
+ /**
* @inheritDoc
*
* @param ISignatoryManager $signatoryManager
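Review bot: In generateExpectedClearSignatureFromRequest the expected string always begins with `(request-target)` whether or not that token appears in the Signature `headers` list (the loop only skips it), while the outgoing side sends the list without it; a peer that lists `(request-target)` at another position would have it moved to the front and fail verification. That is fine as a project convention but should be stated, e.g. on the `$estimated = [...]` line: `// (request-target) is always signed first and is not listed in Signature.headers`. The docblock of confirmIncomingRequestSignature lacks `@param int $ttlSignatory`; it should also note that a value of 0 or less disables the refresh, as the `$ttlSignatory > 0 &&` guard shows. In the first branch, a SignatoryNotFoundException raised by the refresh call `$signatory = $this->getSaneRemoteSignatory($signatoryManager, $signedRequest);` lands in the 'no signatory in cache' branch, which issues a second identical remote fetch instead of falling back to the still-known signatory; I cannot see what the manager does on repeated calls, so this is hedged.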
@@ -135,6 +228,9 @@ class SignatureManager implements ISignatureManager {
* @param string $uri needed in the signature
*
* @return IOutgoingSignedRequest
+ * @throws IdentityNotFoundException
+ * @throws SignatoryException
+ * @throws SignatoryNotFoundException
* @since 31.0.0
*/
public function getOutgoingSignedRequest(
@@ -143,27 +239,44 @@ class SignatureManager implements ISignatureManager {
string $method,
string $uri,
): IOutgoingSignedRequest {
- $signedRequest = new OutgoingSignedRequest($content);
- $options = $signatoryManager->getOptions();
-
- $signedRequest->setHost($this->getHostFromUri($uri))
- ->setAlgorithm($options['algorithm'] ?? 'sha256')
- ->setSignatory($signatoryManager->getLocalSignatory());
-
- $this->setOutgoingSignatureHeader(
- $signedRequest,
- strtolower($method),
- parse_url($uri, PHP_URL_PATH) ?? '/',
- $options['dateHeader'] ?? self::DATE_HEADER
+ $signedRequest = new OutgoingSignedRequest(
+ $content,
+ $signatoryManager,
+ $this->extractIdentityFromUri($uri),
+ $method,
+ parse_url($uri, PHP_URL_PATH) ?? '/'
);
- $this->setOutgoingClearSignature($signedRequest);
- $this->setOutgoingSignedSignature($signedRequest);
- $this->signingOutgoingRequest($signedRequest);
+
+ $this->signOutgoingRequest($signedRequest);
return $signedRequest;
}
/**
+ * signing clear version of the Signature header
+ *
+ * @param IOutgoingSignedRequest $signedRequest
+ *
+ * @throws SignatoryException
+ * @throws SignatoryNotFoundException
+ */
+ private function signOutgoingRequest(IOutgoingSignedRequest $signedRequest): void {
+ $clear = $signedRequest->getClearSignature();
+ $signed = $this->signString($clear, $signedRequest->getSignatory()->getPrivateKey(), $signedRequest->getAlgorithm());
+
+ $signatory = $signedRequest->getSignatory();
+ $signatureElements = [
+ 'keyId="' . $signatory->getKeyId() . '"',
+ 'algorithm="' . $signedRequest->getAlgorithm()->value . '"',
+ 'headers="' . implode(' ', $signedRequest->getHeaderList()) . '"',
+ 'signature="' . $signed . '"'
+ ];
+
+ $signedRequest->setSignedSignature($signed);
+ $signedRequest->addHeader('Signature', implode(',', $signatureElements));
+ }
+
+ /**
* @inheritDoc
*
* @param ISignatoryManager $signatoryManager
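Review bot: signOutgoingRequest calls `$signedRequest->getSignatory()` twice, once inside the signString call and again on the next line; reusing the `$signatory` local for the first call avoids a second lookup that, per the ISignedRequest import of SignatoryNotFoundException, can itself throw. The docblock should name the side effect, e.g. a line `* adds the final Signature header to the request's header list`, since "signing clear version" does not tell a caller that the request is mutated. In getOutgoingSignedRequest, `parse_url($uri, PHP_URL_PATH) ?? '/'` drops any query string from the request-target while the incoming side builds it from `$request->getRequestUri()`; if that value includes the query string, a signed request to a URI with parameters would not verify at a Nextcloud receiver — pre-existing, but worth a comment recording the decision. `??` also does not cover the `false` that parse_url returns for a malformed URI; whether that is reachable depends on extractIdentityFromUri, which is outside this diff.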
@@ -267,292 +380,36 @@ class SignatureManager implements ISignatureManager {
}
/**
- * using the requested 'date' entry from header to confirm request is not older than ttl
- *
- * @param IIncomingSignedRequest $signedRequest
- * @param int $ttl
- *
- * @throws IncomingRequestException
- * @throws SignatureNotFoundException
- */
- private function verifyIncomingRequestTime(IIncomingSignedRequest $signedRequest, int $ttl): void {
- $request = $signedRequest->getRequest();
- $date = $request->getHeader('date');
- if ($date === '') {
- throw new SignatureNotFoundException('missing date in header');
- }
-
- try {
- $dTime = new \DateTime($date);
- $signedRequest->setTime($dTime->getTimestamp());
- } catch (\Exception $e) {
- $this->logger->warning(
- 'datetime exception', ['exception' => $e, 'header' => $request->getHeader('date')]
- );
- throw new IncomingRequestException('datetime exception');
- }
-
- if ($signedRequest->getTime() < (time() - $ttl)) {
- throw new IncomingRequestException('object is too old');
- }
- }
-
-
- /**
- * confirm the values of 'content-length' and 'digest' from header
- * is related to request content
- *
- * @param IIncomingSignedRequest $signedRequest
- *
- * @throws IncomingRequestException
- * @throws SignatureNotFoundException
- */
- private function verifyIncomingRequestContent(IIncomingSignedRequest $signedRequest): void {
- $request = $signedRequest->getRequest();
- $contentLength = $request->getHeader('content-length');
- if ($contentLength === '') {
- throw new SignatureNotFoundException('missing content-length in header');
- }
-
- if (strlen($signedRequest->getBody()) !== (int)$request->getHeader('content-length')) {
- throw new IncomingRequestException(
- 'inexact content-length in header: ' . strlen($signedRequest->getBody()) . ' vs '
- . (int)$request->getHeader('content-length')
- );
- }
-
- $digest = $request->getHeader('digest');
- if ($digest === '') {
- throw new SignatureNotFoundException('missing digest in header');
- }
-
- if ($digest !== $signedRequest->getDigest()) {
- throw new IncomingRequestException('invalid value for digest in header');
- }
- }
-
- /**
- * preparing a clear version of the signature based on list of metadata from the
- * Signature entry in header
- *
- * @param IIncomingSignedRequest $signedRequest
- *
- * @throws SignatureNotFoundException
- */
- private function prepIncomingSignatureHeader(IIncomingSignedRequest $signedRequest): void {
- $sign = [];
- $request = $signedRequest->getRequest();
- $signature = $request->getHeader('Signature');
- if ($signature === '') {
- throw new SignatureNotFoundException('missing Signature in header');
- }
-
- foreach (explode(',', $signature) as $entry) {
- if ($entry === '' || !strpos($entry, '=')) {
- continue;
- }
-
- [$k, $v] = explode('=', $entry, 2);
- preg_match('/"([^"]+)"/', $v, $var);
- if ($var[0] !== '') {
- $v = trim($var[0], '"');
- }
- $sign[$k] = $v;
- }
-
- $signedRequest->setSignatureHeader($sign);
- }
-
-
- /**
- * @param IIncomingSignedRequest $signedRequest
- *
- * @throws IncomingRequestException
- * @throws InvalidKeyOriginException
- */
- private function verifyIncomingSignatureHeader(IIncomingSignedRequest $signedRequest): void {
- $data = $signedRequest->getSignatureHeader();
- if (!array_key_exists('keyId', $data) || !array_key_exists('headers', $data)
- || !array_key_exists('signature', $data)) {
- throw new IncomingRequestException('missing keys in signature headers: ' . json_encode($data));
- }
-
- try {
- $signedRequest->setOrigin($this->getHostFromUri($data['keyId']));
- } catch (\Exception) {
- throw new InvalidKeyOriginException('cannot retrieve origin from ' . $data['keyId']);
- }
-
- $signedRequest->setSignedSignature($data['signature']);
- }
-
-
- /**
- * @param IIncomingSignedRequest $signedRequest
- * @param array $extraSignatureHeaders
- *
- * @throws IncomingRequestException
- */
- private function prepEstimatedSignature(
- IIncomingSignedRequest $signedRequest,
- array $extraSignatureHeaders = [],
- ): void {
- $request = $signedRequest->getRequest();
- $headers = explode(' ', $signedRequest->getSignatureHeader()['headers'] ?? []);
-
- $enforceHeaders = array_merge(
- ['date', 'host', 'content-length', 'digest'],
- $extraSignatureHeaders
- );
-
- $missingHeaders = array_diff($enforceHeaders, $headers);
- if ($missingHeaders !== []) {
- throw new IncomingRequestException(
- 'missing elements in headers: ' . json_encode($missingHeaders)
- );
- }
-
- $target = strtolower($request->getMethod()) . ' ' . $request->getRequestUri();
- $estimated = ['(request-target): ' . $target];
-
- foreach ($headers as $key) {
- $value = $request->getHeader($key);
- if (strtolower($key) === 'host') {
- $value = $request->getServerHost();
- }
- if ($value === '') {
- throw new IncomingRequestException('empty elements in header ' . $key);
- }
-
- $estimated[] = $key . ': ' . $value;
- }
-
- $signedRequest->setEstimatedSignature(implode("\n", $estimated));
- }
-
-
- /**
- * @param IIncomingSignedRequest $signedRequest
- * @param ISignatoryManager $signatoryManager
+ * get remote signatory using the ISignatoryManager
+ * and confirm the validity of the keyId
*
- * @throws SignatoryNotFoundException
- * @throws SignatureException
- */
- private function verifyIncomingRequestSignature(
- IIncomingSignedRequest $signedRequest,
- ISignatoryManager $signatoryManager,
- int $ttlSignatory,
- ): void {
- $knownSignatory = null;
- try {
- $knownSignatory = $this->getStoredSignatory($signedRequest->getKeyId());
- if ($ttlSignatory > 0 && $knownSignatory->getLastUpdated() < (time() - $ttlSignatory)) {
- $signatory = $this->getSafeRemoteSignatory($signatoryManager, $signedRequest);
- $this->updateSignatoryMetadata($signatory);
- $knownSignatory->setMetadata($signatory->getMetadata());
- }
-
- $signedRequest->setSignatory($knownSignatory);
- $this->verifySignedRequest($signedRequest);
- } catch (InvalidKeyOriginException $e) {
- throw $e; // issue while requesting remote instance also means there is no 2nd try
- } catch (SignatoryNotFoundException|SignatureException) {
- try {
- $signatory = $this->getSafeRemoteSignatory($signatoryManager, $signedRequest);
- } catch (SignatoryNotFoundException $e) {
- $this->manageDeprecatedSignatory($knownSignatory);
- throw $e;
- }
-
- $signedRequest->setSignatory($signatory);
- $this->storeSignatory($signatory);
- $this->verifySignedRequest($signedRequest);
- }
- }
-
-
- /**
* @param ISignatoryManager $signatoryManager
* @param IIncomingSignedRequest $signedRequest
*
* @return ISignatory
* @throws InvalidKeyOriginException
* @throws SignatoryNotFoundException
+ * @see ISignatoryManager::getRemoteSignatory
*/
- private function getSafeRemoteSignatory(
+ private function getSaneRemoteSignatory(
ISignatoryManager $signatoryManager,
IIncomingSignedRequest $signedRequest,
): ISignatory {
- $signatory = $signatoryManager->getRemoteSignatory($signedRequest);
+ $signatory = $signatoryManager->getRemoteSignatory($signedRequest->getOrigin());
if ($signatory === null) {
throw new SignatoryNotFoundException('empty result from getRemoteSignatory');
}
- if ($signatory->getKeyId() !== $signedRequest->getKeyId()) {
- throw new InvalidKeyOriginException('keyId from signatory not related to the one from request');
- }
-
- return $signatory->setProviderId($signatoryManager->getProviderId());
- }
-
- private function setOutgoingSignatureHeader(
- IOutgoingSignedRequest $signedRequest,
- string $method,
- string $path,
- string $dateHeader,
- ): void {
- $header = [
- '(request-target)' => $method . ' ' . $path,
- 'content-length' => strlen($signedRequest->getBody()),
- 'date' => gmdate($dateHeader),
- 'digest' => $signedRequest->getDigest(),
- 'host' => $signedRequest->getHost()
- ];
-
- $signedRequest->setSignatureHeader($header);
- }
-
-
- /**
- * @param IOutgoingSignedRequest $signedRequest
- */
- private function setOutgoingClearSignature(IOutgoingSignedRequest $signedRequest): void {
- $signing = [];
- $header = $signedRequest->getSignatureHeader();
- foreach (array_keys($header) as $element) {
- $value = $header[$element];
- $signing[] = $element . ': ' . $value;
- if ($element !== '(request-target)') {
- $signedRequest->addHeader($element, $value);
+ try {
+ if ($signatory->getKeyId() !== $signedRequest->getKeyId()) {
+ throw new InvalidKeyOriginException('keyId from signatory not related to the one from request');
}
+ } catch (SignatureElementNotFoundException) {
+ throw new InvalidKeyOriginException('missing keyId');
}
- $signedRequest->setClearSignature(implode("\n", $signing));
- }
-
-
- private function setOutgoingSignedSignature(IOutgoingSignedRequest $signedRequest): void {
- $clear = $signedRequest->getClearSignature();
- $signed = $this->signString(
- $clear, $signedRequest->getSignatory()->getPrivateKey(), $signedRequest->getAlgorithm()
- );
- $signedRequest->setSignedSignature($signed);
- }
-
- private function signingOutgoingRequest(IOutgoingSignedRequest $signedRequest): void {
- $signatureHeader = $signedRequest->getSignatureHeader();
- $headers = array_diff(array_keys($signatureHeader), ['(request-target)']);
- $signatory = $signedRequest->getSignatory();
- $signatureElements = [
- 'keyId="' . $signatory->getKeyId() . '"',
- 'algorithm="' . $this->getChosenEncryption($signedRequest->getAlgorithm()) . '"',
- 'headers="' . implode(' ', $headers) . '"',
- 'signature="' . $signedRequest->getSignedSignature() . '"'
- ];
-
- $signedRequest->addHeader('Signature', implode(',', $signatureElements));
+ return $signatory->setProviderId($signatoryManager->getProviderId());
}
-
/**
* @param IIncomingSignedRequest $signedRequest
*
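Review bot: In getSaneRemoteSignatory the `catch (SignatureElementNotFoundException)` rethrows as `InvalidKeyOriginException('missing keyId')` and discards the original exception; `} catch (SignatureElementNotFoundException $e) {` followed by `throw new InvalidKeyOriginException('missing keyId', previous: $e);` keeps the chain for the warning log in the caller. Since getIncomingSignedRequest already reads the keyId element before this method can run, that branch looks unreachable in the current flow — acceptable as defence, but the docblock could state that the keyId comparison is the check that prevents a remote host from answering for a key it does not own. The lookup is now keyed on `$signedRequest->getOrigin()`, which is derived from the request's own keyId, so a comment that the returned signatory is unverified until `verifySignedRequest` succeeds in the caller would help future readers.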
@@ -568,10 +425,10 @@ class SignatureManager implements ISignatureManager {
try {
$this->verifyString(
- $signedRequest->getEstimatedSignature(),
+ $signedRequest->getClearSignature(),
$signedRequest->getSignedSignature(),
$publicKey,
- $this->getUsedEncryption($signedRequest)
+ SignatureAlgorithm::tryFrom($signedRequest->getSignatureElement('algorithm')) ?? SignatureAlgorithm::SHA256
);
} catch (InvalidSignatureException $e) {
$this->logger->debug('signature issue', ['signed' => $signedRequest, 'exception' => $e]);
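Review bot: `SignatureAlgorithm::tryFrom(...) ?? SignatureAlgorithm::SHA256` silently verifies with SHA-256 whenever the remote sends an algorithm value the enum does not know, so an unsupported or mistyped algorithm surfaces as a generic 'signature issue' rather than as a bad algorithm. Rejecting unknown values explicitly is clearer, e.g. `$algorithm = SignatureAlgorithm::tryFrom($signedRequest->getSignatureElement('algorithm')) ?? throw new SignatureException('unsupported algorithm');`, choosing the exception type so that the catch chain in confirmIncomingRequestSignature does not treat it as a stale-key case and re-fetch the remote signatory. Note that `getSignatureElement('algorithm')` throws when the element is missing, which differs from the previous `$data['algorithm']` lookup and deserves an entry in the method's @throws. verifySignedRequest starts and ends outside the hunk.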
@@ -579,45 +436,20 @@ class SignatureManager implements ISignatureManager {
}
}
-
- private function getUsedEncryption(IIncomingSignedRequest $signedRequest): SignatureAlgorithm {
- $data = $signedRequest->getSignatureHeader();
-
- return match ($data['algorithm']) {
- 'rsa-sha512' => SignatureAlgorithm::SHA512,
- default => SignatureAlgorithm::SHA256,
- };
- }
-
- private function getChosenEncryption(string $algorithm): string {
- return match ($algorithm) {
- 'sha512' => 'ras-sha512',
- default => 'ras-sha256',
- };
- }
-
- public function getOpenSSLAlgo(string $algorithm): int {
- return match ($algorithm) {
- 'sha512' => OPENSSL_ALGO_SHA512,
- default => OPENSSL_ALGO_SHA256,
- };
- }
-
-
/**
* @param string $clear
* @param string $privateKey
- * @param string $algorithm
+ * @param SignatureAlgorithm $algorithm
*
* @return string
* @throws SignatoryException
*/
- private function signString(string $clear, string $privateKey, string $algorithm): string {
+ private function signString(string $clear, string $privateKey, SignatureAlgorithm $algorithm): string {
if ($privateKey === '') {
throw new SignatoryException('empty private key');
}
- openssl_sign($clear, $signed, $privateKey, $this->getOpenSSLAlgo($algorithm));
+ openssl_sign($clear, $signed, $privateKey, $algorithm->value);
return base64_encode($signed);
}
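Review bot: signString does not check the return value of `openssl_sign`; if the private key cannot be parsed or the digest is rejected, `$signed` is left unset and the failure surfaces only as an undefined-variable warning or TypeError at `base64_encode`, not as a SignatoryException carrying the OpenSSL error. Replace the call with `if (!openssl_sign($clear, $signed, $privateKey, $algorithm->value)) { throw new SignatoryException('signing failed: ' . (openssl_error_string() ?: 'unknown error')); }`. That also lets a misconfigured local key pair be diagnosed at the first outgoing request instead of at the receiving side.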
@@ -626,19 +458,18 @@ class SignatureManager implements ISignatureManager {
* @param string $clear
* @param string $encoded
* @param string $publicKey
- * @param SignatureAlgorithm $algo
+ * @param SignatureAlgorithm $algorithm
*
- * @return void
* @throws InvalidSignatureException
*/
private function verifyString(
string $clear,
string $encoded,
string $publicKey,
- SignatureAlgorithm $algo = SignatureAlgorithm::SHA256,
+ SignatureAlgorithm $algorithm = SignatureAlgorithm::SHA256,
): void {
$signed = base64_decode($encoded);
- if (openssl_verify($clear, $signed, $publicKey, $algo->value) !== 1) {
+ if (openssl_verify($clear, $signed, $publicKey, $algorithm->value) !== 1) {
throw new InvalidSignatureException('signature issue');
}
}
@@ -692,11 +523,15 @@ class SignatureManager implements ISignatureManager {
}
}
+ /**
+ * @param ISignatory $signatory
+ * @throws DBException
+ */
private function insertSignatory(ISignatory $signatory): void {
$qb = $this->connection->getQueryBuilder();
$qb->insert(self::TABLE_SIGNATORIES)
->setValue('provider_id', $qb->createNamedParameter($signatory->getProviderId()))
- ->setValue('host', $qb->createNamedParameter($this->getHostFromUri($signatory->getKeyId())))
+ ->setValue('host', $qb->createNamedParameter($this->extractIdentityFromUri($signatory->getKeyId())))
->setValue('account', $qb->createNamedParameter($signatory->getAccount()))
->setValue('key_id', $qb->createNamedParameter($signatory->getKeyId()))
->setValue('key_id_sum', $qb->createNamedParameter($this->hashKeyId($signatory->getKeyId())))
@@ -755,12 +590,12 @@ class SignatureManager implements ISignatureManager {
case SignatoryType::REFRESHABLE:
// TODO: send notice to admin
- throw new SignatoryConflictException();
+ throw new SignatoryConflictException(); // while it can be refreshed, it must exist
case SignatoryType::TRUSTED:
case SignatoryType::STATIC:
// TODO: send warning to admin
- throw new SignatoryConflictException();
+ throw new SignatoryConflictException(); // no way.
}
}
@@ -796,27 +631,6 @@ class SignatureManager implements ISignatureManager {
$qb->executeStatement();
}
-
- /**
- * @param string $uri
- *
- * @return string
- * @throws InvalidKeyOriginException
- */
- private function getHostFromUri(string $uri): string {
- $host = parse_url($uri, PHP_URL_HOST);
- $port = parse_url($uri, PHP_URL_PORT);
- if ($port !== null && $port !== false) {
- $host .= ':' . $port;
- }
-
- if (is_string($host) && $host !== '') {
- return $host;
- }
-
- throw new \Exception('invalid/empty uri');
- }
-
private function hashKeyId(string $keyId): string {
return hash('sha256', $keyId);
}
diff --git a/lib/private/Server.php b/lib/private/Server.php
index 2167bccec89..a20c37732a7 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -8,7 +8,6 @@ namespace OC;
use bantu\IniGetWrapper\IniGetWrapper;
use NCU\Config\IUserConfig;
-use NCU\Security\PublicPrivateKeyPairs\IKeyPairManager;
use NCU\Security\Signature\ISignatureManager;
use OC\Accounts\AccountManager;
use OC\App\AppManager;
diff --git a/lib/unstable/Security/Signature/Exceptions/IncomingRequestNotFoundException.php b/lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php
index 1953af39ec5..f40f79410ae 100644
--- a/lib/unstable/Security/Signature/Exceptions/IncomingRequestNotFoundException.php
+++ b/lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php
@@ -12,5 +12,5 @@ namespace NCU\Security\Signature\Exceptions;
* @since 31.0.0
* @experimental 31.0.0
*/
-class IncomingRequestNotFoundException extends SignatureException {
+class SignatureElementNotFoundException extends SignatureException {
}
diff --git a/lib/unstable/Security/Signature/ISignatoryManager.php b/lib/unstable/Security/Signature/ISignatoryManager.php
index 825ccac1ce9..19ba83a4206 100644
--- a/lib/unstable/Security/Signature/ISignatoryManager.php
+++ b/lib/unstable/Security/Signature/ISignatoryManager.php
@@ -8,7 +8,6 @@ declare(strict_types=1);
*/
namespace NCU\Security\Signature;
-use NCU\Security\Signature\Model\IIncomingSignedRequest;
use NCU\Security\Signature\Model\ISignatory;
/**
@@ -34,6 +33,7 @@ interface ISignatoryManager {
/**
* options that might affect the way the whole process is handled:
* [
+ * 'bodyMaxSize' => 10000,
* 'ttl' => 300,
* 'ttlSignatory' => 86400*3,
* 'extraSignatureHeaders' => [],
@@ -62,10 +62,10 @@ interface ISignatoryManager {
*
* Used to confirm authenticity of incoming request.
*
- * @param IIncomingSignedRequest $signedRequest
+ * @param string $remote
*
* @return ISignatory|null must be NULL if no signatory is found
* @since 31.0.0
*/
- public function getRemoteSignatory(IIncomingSignedRequest $signedRequest): ?ISignatory;
+ public function getRemoteSignatory(string $remote): ?ISignatory;
}
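Review bot: The new `@param string $remote` on getRemoteSignatory says nothing about what the string is; from the caller in SignatureManager it is the identity (host, with port when present) extracted from the keyId of the incoming request, which is untrusted until the signature has been verified. Suggest `@param string $remote identity (host[:port]) taken from the keyId of the incoming request; not yet verified` plus a sentence stating that the returned ISignatory's keyId must equal the one in the request, otherwise the caller rejects it. Hedged on the exact format, which depends on extractIdentityFromUri outside this diff.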
diff --git a/lib/unstable/Security/Signature/ISignatureManager.php b/lib/unstable/Security/Signature/ISignatureManager.php
index cc0297224dc..1969b970aa6 100644
--- a/lib/unstable/Security/Signature/ISignatureManager.php
+++ b/lib/unstable/Security/Signature/ISignatureManager.php
@@ -28,7 +28,7 @@ use NCU\Security\Signature\Model\ISignatory;
* "date": "Mon, 08 Jul 2024 14:16:20 GMT",
* "digest": "SHA-256=U7gNVUQiixe5BRbp4Tg0xCZMTcSWXXUZI2\\/xtHM40S0=",
* "host": "hostname.of.the.recipient",
- * "Signature": "keyId=\"https://author.hostname/key\",algorithm=\"ras-sha256\",headers=\"content-length date digest host\",signature=\"DzN12OCS1rsA[...]o0VmxjQooRo6HHabg==\""
+ * "Signature": "keyId=\"https://author.hostname/key\",algorithm=\"sha256\",headers=\"content-length date digest host\",signature=\"DzN12OCS1rsA[...]o0VmxjQooRo6HHabg==\""
* }
*
* 'content-length' is the total length of the data/content
diff --git a/lib/unstable/Security/Signature/Model/IIncomingSignedRequest.php b/lib/unstable/Security/Signature/Model/IIncomingSignedRequest.php
index a6682eff33c..3e2ebb22a5f 100644
--- a/lib/unstable/Security/Signature/Model/IIncomingSignedRequest.php
+++ b/lib/unstable/Security/Signature/Model/IIncomingSignedRequest.php
@@ -8,6 +8,7 @@ declare(strict_types=1);
*/
namespace NCU\Security\Signature\Model;
+use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException;
use NCU\Security\Signature\ISignatureManager;
use OCP\IRequest;
@@ -21,15 +22,6 @@ use OCP\IRequest;
*/
interface IIncomingSignedRequest extends ISignedRequest {
/**
- * set the core IRequest that might be signed
- *
- * @param IRequest $request
- * @return IIncomingSignedRequest
- * @since 31.0.0
- */
- public function setRequest(IRequest $request): IIncomingSignedRequest;
-
- /**
* returns the base IRequest
*
* @return IRequest
@@ -38,23 +30,6 @@ interface IIncomingSignedRequest extends ISignedRequest {
public function getRequest(): IRequest;
/**
- * set the time, extracted from the base request headers
- *
- * @param int $time
- * @return IIncomingSignedRequest
- * @since 31.0.0
- */
- public function setTime(int $time): IIncomingSignedRequest;
-
- /**
- * get the time, extracted from the base request headers
- *
- * @return int
- * @since 31.0.0
- */
- public function getTime(): int;
-
- /**
* set the hostname at the source of the request,
* based on the keyId defined in the signature header.
*
@@ -78,28 +53,8 @@ interface IIncomingSignedRequest extends ISignedRequest {
* keyId is a mandatory entry in the headers of a signed request.
*
* @return string
+ * @throws SignatureElementNotFoundException
* @since 31.0.0
*/
public function getKeyId(): string;
-
- /**
- * store a clear and estimated version of the signature, based on payload and headers.
- * This clear version will be compared with the real signature using
- * the public key of remote instance at the origin of the request.
- *
- * @param string $signature
- * @return IIncomingSignedRequest
- * @since 31.0.0
- */
- public function setEstimatedSignature(string $signature): IIncomingSignedRequest;
-
- /**
- * returns a clear and estimated version of the signature, based on payload and headers.
- * This clear version will be compared with the real signature using
- * the public key of remote instance at the origin of the request.
- *
- * @return string
- * @since 31.0.0
- */
- public function getEstimatedSignature(): string;
}
diff --git a/lib/unstable/Security/Signature/Model/IOutgoingSignedRequest.php b/lib/unstable/Security/Signature/Model/IOutgoingSignedRequest.php
index b2ca221e126..3c9445af745 100644
--- a/lib/unstable/Security/Signature/Model/IOutgoingSignedRequest.php
+++ b/lib/unstable/Security/Signature/Model/IOutgoingSignedRequest.php
@@ -9,6 +9,7 @@ declare(strict_types=1);
namespace NCU\Security\Signature\Model;
use NCU\Security\Signature\ISignatureManager;
+use NCU\Security\Signature\SignatureAlgorithm;
/**
* extends ISignedRequest to add info requested at the generation of the signature
@@ -41,12 +42,12 @@ interface IOutgoingSignedRequest extends ISignedRequest {
* add a key/value pair to the headers of the request
*
* @param string $key
- * @param string|int|float|bool|array $value
+ * @param string|int|float $value
*
* @return IOutgoingSignedRequest
* @since 31.0.0
*/
- public function addHeader(string $key, string|int|float|bool|array $value): IOutgoingSignedRequest;
+ public function addHeader(string $key, string|int|float $value): IOutgoingSignedRequest;
/**
* returns list of headers value that will be added to the base request
@@ -57,38 +58,38 @@ interface IOutgoingSignedRequest extends ISignedRequest {
public function getHeaders(): array;
/**
- * store a clear version of the signature
+ * set the ordered list of used headers in the Signature
*
- * @param string $estimated
+ * @param list<string> $list
*
* @return IOutgoingSignedRequest
* @since 31.0.0
*/
- public function setClearSignature(string $estimated): IOutgoingSignedRequest;
+ public function setHeaderList(array $list): IOutgoingSignedRequest;
/**
- * returns the clear version of the signature
+ * returns ordered list of used headers in the Signature
*
- * @return string
+ * @return list<string>
* @since 31.0.0
*/
- public function getClearSignature(): string;
+ public function getHeaderList(): array;
/**
* set algorithm to be used to sign the signature
*
- * @param string $algorithm
+ * @param SignatureAlgorithm $algorithm
*
* @return IOutgoingSignedRequest
* @since 31.0.0
*/
- public function setAlgorithm(string $algorithm): IOutgoingSignedRequest;
+ public function setAlgorithm(SignatureAlgorithm $algorithm): IOutgoingSignedRequest;
/**
* returns the algorithm set to sign the signature
*
- * @return string
+ * @return SignatureAlgorithm
* @since 31.0.0
*/
- public function getAlgorithm(): string;
+ public function getAlgorithm(): SignatureAlgorithm;
}
diff --git a/lib/unstable/Security/Signature/Model/ISignedRequest.php b/lib/unstable/Security/Signature/Model/ISignedRequest.php
index ebb0e1c5b58..76c033970fe 100644
--- a/lib/unstable/Security/Signature/Model/ISignedRequest.php
+++ b/lib/unstable/Security/Signature/Model/ISignedRequest.php
@@ -9,6 +9,7 @@ declare(strict_types=1);
namespace NCU\Security\Signature\Model;
use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
+use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException;
/**
* model that store data related to a possible signature.
@@ -39,19 +40,47 @@ interface ISignedRequest {
/**
* set the list of headers related to the signature of the request
*
- * @param array $signatureHeader
+ * @param array $elements
+ *
* @return ISignedRequest
* @since 31.0.0
*/
- public function setSignatureHeader(array $signatureHeader): ISignedRequest;
+ public function setSignatureElements(array $elements): ISignedRequest;
/**
- * get the list of headers related to the signature of the request
+ * get the list of elements in the Signature header of the request
*
* @return array
* @since 31.0.0
*/
- public function getSignatureHeader(): array;
+ public function getSignatureElements(): array;
+
+ /**
+ * @param string $key
+ *
+ * @return string
+ * @throws SignatureElementNotFoundException
+ * @since 31.0.0
+ */
+ public function getSignatureElement(string $key): string;
+
+ /**
+ * store a clear version of the signature
+ *
+ * @param string $clearSignature
+ *
+ * @return ISignedRequest
+ * @since 31.0.0
+ */
+ public function setClearSignature(string $clearSignature): ISignedRequest;
+
+ /**
+ * returns the clear version of the signature
+ *
+ * @return string
+ * @since 31.0.0
+ */
+ public function getClearSignature(): string;
/**
* set the signed version of the signature
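Review bot: `getSignatureElement()` is added without a description line; the docblock should say what an element is and when the exception fires, e.g. `* returns the value of one element of the Signature header (keyId, algorithm, headers, signature)` and `* @throws SignatureElementNotFoundException if the element is absent from the header`. The `@param array $elements` on setSignatureElements could likewise be typed `array<string, string>`, matching the string return of getSignatureElement, so static analysis catches non-string values before they are concatenated into the clear signature.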
diff --git a/lib/unstable/Security/Signature/Model/SignatoryStatus.php b/lib/unstable/Security/Signature/Model/SignatoryStatus.php
index 1c28f6580e7..4174102beae 100644
--- a/lib/unstable/Security/Signature/Model/SignatoryStatus.php
+++ b/lib/unstable/Security/Signature/Model/SignatoryStatus.php
@@ -12,7 +12,7 @@ namespace NCU\Security\Signature\Model;
* current status of signatory. is it trustable or not ?
*
* - SYNCED = the remote instance is trustable.
- * - BROKEN = the remote instance does not use the same key pairs
+ * - BROKEN = the remote instance does not use the same key pairs than previously
*
* @experimental 31.0.0
* @since 31.0.0
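Review bot: `does not use the same key pairs than previously` is not idiomatic English; `does not use the same key pair as before` reads better. Hedged on the singular, in case a signatory can hold several key pairs.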