Check keyId against actor's public key

2024-03-07 21:40:50 +00:00 · 2024-03-07 21:40:50 +00:00 · 3231a4fc52
commit 3231a4fc52
--- a/index.php
+++ b/index.php
@ -1555,33 +1555,42 @@ HTML;
 		$userData  = getDataFromURl( $publicKeyURL );
 		$publicKey = $userData["publicKey"]["publicKeyPem"];

-		//	Get the remaining parts
-		$signature = base64_decode( $signatureParts["signature"] );
-		$algorithm = $signatureParts["algorithm"];
+		//	Check that the actor's key is the same as the key used to sign the message
+		//	Get the actor's public key
+		$actorData = getDataFromURl( $body["actor"] );
+		$actorPublicKey = $actorData["publicKey"]["publicKeyPem"];

-		//	There might be many different signing algorithms
-		//	TODO: Find a way to transform these automatically
-		//	See https://github.com/superseriousbusiness/gotosocial/issues/1186#issuecomment-1976166659 and https://github.com/snarfed/bridgy-fed/issues/430 for hs2019
-		if ( "hs2019" == $algorithm ) {
-			$algorithm = "sha256";
-		}
-
-		//	Finally! Calculate whether the signature is valid
-		//	Returns 1 if verified, 0 if not, false or -1 if an error occurred
-		$verified = openssl_verify(
-			$signatureString, 
-			$signature, 
-			$publicKey, 
-			$algorithm
-		);
-
-		//	Convert to boolean
-		if ( $verified === 1 ) {
-			$verified = true;
-		} elseif ( $verified === 0 ) {
+		if ( $publicKey != $actorPublicKey ) {	
 			$verified = false;
 		} else {
-			$verified = null;
+			//	Get the remaining parts
+			$signature = base64_decode( $signatureParts["signature"] );
+			$algorithm = $signatureParts["algorithm"];
+
+			//	There might be many different signing algorithms
+			//	TODO: Find a way to transform these automatically
+			//	See https://github.com/superseriousbusiness/gotosocial/issues/1186#issuecomment-1976166659 and https://github.com/snarfed/bridgy-fed/issues/430 for hs2019
+			if ( "hs2019" == $algorithm ) {
+				$algorithm = "sha256";
+			}
+
+			//	Finally! Calculate whether the signature is valid
+			//	Returns 1 if verified, 0 if not, false or -1 if an error occurred
+			$verified = openssl_verify(
+				$signatureString, 
+				$signature, 
+				$publicKey, 
+				$algorithm
+			);
+
+			//	Convert to boolean
+			if ( $verified === 1 ) {
+				$verified = true;
+			} elseif ( $verified === 0 ) {
+				$verified = false;
+			} else {
+				$verified = null;
+			}
 		}

 		//	Filename for the log
@ -1595,7 +1604,8 @@ HTML;
 			"Calculated signatureString:\n" . print_r( $signatureString, true )  . "\n\n" .
 			"Calculated algorithm:\n"       . print_r( $algorithm, true )        . "\n\n" .
 			"publicKeyURL:\n"               . print_r( $publicKeyURL, true )     . "\n\n" .
-			"publicKey:\n"                  . print_r( $publicKey, true )        . "\n"
+			"publicKey:\n"                  . print_r( $publicKey, true )        . "\n\n" .
+			"actorPublicKey:\n"             . print_r( $actorPublicKey, true )   . "\n"
 		);

 		return $verified;