
github.com/nextcloud/notifications.git - Unnamed repository; edit this file 'description' to name the repository.
authorJohn Molakvoæ <skjnldsv@users.noreply.github.com>2021-10-27 11:27:08 +0300
committerGitHub <noreply@github.com>2021-10-27 11:27:08 +0300
commit1077f2833039c5e7e95c10b6c520592078d20d1c (patch)
tree7dcb4d2bd94cd05ffc7947880747ee460a37aa05
parent298c227f5265a5ee8c50369fc4c2724e6f35b42c (diff)
parent65fea4f244b94afa32811e32175b060866eb2426 (diff)
Merge pull request #1100 from nextcloud/bugfix/noid/restore-old-device-signature-so-the-proxy-works-again
-rw-r--r--lib/Controller/PushController.php7
-rw-r--r--tests/Integration/features/bootstrap/FeatureContext.php18
-rw-r--r--tests/Integration/features/push-registration.feature4
-rw-r--r--tests/Unit/Controller/PushControllerTest.php4
4 files changed, 24 insertions, 9 deletions
diff --git a/lib/Controller/PushController.php b/lib/Controller/PushController.php
index 544c17b..8d86d81 100644
--- a/lib/Controller/PushController.php
+++ b/lib/Controller/PushController.php
@@ -118,8 +118,13 @@ class PushController extends OCSController {
$key = $this->identityProof->getKey($user);
$deviceIdentifier = json_encode([$user->getCloudId(), $token->getId()]);
- $deviceIdentifier = base64_encode(hash('sha512', $deviceIdentifier, true));
openssl_sign($deviceIdentifier, $signature, $key->getPrivate(), OPENSSL_ALGO_SHA512);
+ /**
+ * For some reason the push proxy's golang code needs the signature
+ * of the deviceIdentifier before the sha512 hashing. Assumption is that
+ * openssl_sign already does the sha512 internally.
+ */
+ $deviceIdentifier = base64_encode(hash('sha512', $deviceIdentifier, true));
$appType = 'unknown';
if ($this->request->isUserAgent([
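Review bot: The new comment records a guess ("For some reason", "Assumption is") where the signing contract should be spelled out, and that matters because the returned `deviceIdentifier` is no longer the message that was passed to `openssl_sign()`. With `OPENSSL_ALGO_SHA512`, `openssl_sign()` hashes its input before signing, so the signature covers the SHA-512 digest of the JSON string and the returned identifier is the base64 of that same digest; presumably the proxy verifies against the pre-computed digest, which should be confirmed against its code. I would replace the comment with something like `// Sign the raw JSON: openssl_sign() applies SHA-512 itself, so the signed digest equals base64_decode($deviceIdentifier); verifiers must treat the identifier as the digest, not as the message.` Separately, the return value of `openssl_sign()` is not checked in the visible lines, so a signing failure may leave `$signature` unset; the rest of the method is outside the hunk, so this may be handled further down.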
diff --git a/tests/Integration/features/bootstrap/FeatureContext.php b/tests/Integration/features/bootstrap/FeatureContext.php
index 6ecb6d9..83c7b27 100644
--- a/tests/Integration/features/bootstrap/FeatureContext.php
+++ b/tests/Integration/features/bootstrap/FeatureContext.php
@@ -285,9 +285,9 @@ class FeatureContext implements Context, SnippetAcceptingContext {
}
/**
- * @Then /^can validate the response and signature$/
+ * @Then /^can validate the response and (skip verifying|verify) signature$/
*/
- public function validateResponseAndSignature(): void {
+ public function validateResponseAndSignature(string $verify): void {
$response = $this->getArrayOfNotificationsResponded($this->response);
Assert::assertStringStartsWith('-----BEGIN PUBLIC KEY-----' . "\n", $response['publicKey']);
@@ -295,8 +295,18 @@ class FeatureContext implements Context, SnippetAcceptingContext {
Assert::assertNotEmpty($response['deviceIdentifier'], 'Device identifier should not be empty');
Assert::assertNotEmpty($response['signature'], 'Signature should not be empty');
- $result = openssl_verify($response['deviceIdentifier'], base64_decode($response['signature']), $response['publicKey'], OPENSSL_ALGO_SHA512);
- Assert::assertEquals(true, $result, 'Failed to verify the signature');
+ if ($verify === 'verify') {
+ $result = openssl_verify($response['deviceIdentifier'], base64_decode($response['signature']), $response['publicKey'], OPENSSL_ALGO_SHA512);
+ Assert::assertEquals(true, $result, 'Failed to verify the signature');
+ } else {
+ /**
+ * For some weird reason the push proxy's golang code needs the signature
+ * of the deviceIdentifier before the sha512 hashing. Assumption is that
+ * openssl_sign already does the sha512 internally.
+ * The problem is we can not revert the sha512 of the deviceIdentifier
+ */
+ var_dump("\n\nEnjoy with care, signature was not verified!\n\n");
+ }
}
/**
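Review bot: The `else` branch drops the signature check entirely and only prints a `var_dump()` notice, and both scenarios changed in push-registration.feature take that branch, so a broken or missing binding between signature and identifier would now pass the integration suite. The digest can still be checked without reversing the hash: for an RSA key with the default PKCS#1 v1.5 padding, `openssl_public_decrypt(base64_decode($response['signature']), $digestInfo, $response['publicKey']);` followed by `Assert::assertSame(base64_decode($response['deviceIdentifier']), substr($digestInfo, -64), 'Signature does not cover the device identifier');` compares the signed SHA-512 digest with the returned identifier. This assumes the test key is RSA, which the visible lines do not state. The method's signature is in the previous hunk and its body is only partly visible here.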
diff --git a/tests/Integration/features/push-registration.feature b/tests/Integration/features/push-registration.feature
index 3d1eea9..1bd5031 100644
--- a/tests/Integration/features/push-registration.feature
+++ b/tests/Integration/features/push-registration.feature
@@ -38,7 +38,7 @@ Feature: Push registration
| devicePublicKey | VALID_KEY |
| proxyServer | https://push-notifications.nextcloud.com/ |
Then status code is 201
- And can validate the response and signature
+ And can validate the response and skip verifying signature
Scenario: Unregistering from push notifications without app password
Given user "test1" forgets the app password
@@ -52,7 +52,7 @@ Feature: Push registration
| devicePublicKey | VALID_KEY |
| proxyServer | https://push-notifications.nextcloud.com/ |
Then status code is 201
- And can validate the response and signature
+ And can validate the response and skip verifying signature
Given user "test1" unregisters from push notifications
Then status code is 202
Given user "test1" unregisters from push notifications
diff --git a/tests/Unit/Controller/PushControllerTest.php b/tests/Unit/Controller/PushControllerTest.php
index 3ac462f..9c84da2 100644
--- a/tests/Unit/Controller/PushControllerTest.php
+++ b/tests/Unit/Controller/PushControllerTest.php
@@ -302,7 +302,7 @@ FwIDAQAB
[
'publicKey' => $this->userPublicKey,
'deviceIdentifier' => 'XUCEZ1EHvTUcVhIvrQQQ1XcP0ZD2BFdFqw4EYbOhBfiEgXgirurR4x/ve4GSSyfivvbQOdOkZUM+g4m+tSb0Ew==',
- 'signature' => 'X9+J7NNLfG9Ft6C36zrYLVJ5aH5euIROzdV937hsU81jL7WvOwzBfc7bImzxU3Bnev5wEKwkw7Ts/2q/+UUkOxgtEZinp52s87S5obKtsVXsczHbsqg4p/ueoBPhF17VsP1e8kMtxZ4snk/iArX4Eu1cfaM3+OckmpO0MYXy0rUbYpQPAJo4VgRFKKjFvfEVOj8N74DTIJ+TjRsvvDhJbb9KpeFe3a6Rv9mIo0AqoK+deAbUkWY0aM+74noVXvPtNzExgK4mWJ02+JHEuQEUbCuQsgoBia0vC3fILbwVxHzrieWGEnE7vkRyFEzlkeo7ZSMawDPxsPN5HxwBs2SZig==',
+ 'signature' => 'LRhbXO71WYX9qqDbQX7C+87YaaFfWoT/vG0DlaXdBz6+lhyOA0dw/1Ggz3fd7RerCQ0MfgnnTyxO+cSeRpUaPdA2yPjfoiPpfYA5SOJQGF3comS/HYna3fHiFDbOoM3BJOnjvqiSZdxA/ICdyl2mEEC5wO7AZ4OZKBTa5XfL7eSCXZLEv1YldqcLOStbXrI7voDQocTMJxoQZI/j8BVcf2i3D6F454aXIFDrYYzC2PQY+CKJoXZW0m0RMWaTM2B8tBmFFwrmaGLDqcjjpd33TsTtsV5DB7WimffLBPpOuGV4Z1Kiagp/mxpPLz2NImNV79mDX9gY3ZppCZTwChP5qQ==',
],
Http::STATUS_CREATED,
],
@@ -317,7 +317,7 @@ FwIDAQAB
[
'publicKey' => $this->userPublicKey,
'deviceIdentifier' => 'x9vSImcGjhzR9BfZ/XbbUqqCCNC4bHKsX7vkQWNZRd1/MiY+OuF02fx8K08My0RpkNnwj/rQ/gVSU1oEdFwkww==',
- 'signature' => 'GFpnv3MO7mcBef2RJ4Ayrl6RQakGM7AvlKhoTr3DUWnv+iBzwGy8YV34HIPoArz4tyqonHRlLsxPYq4ENPfGO99KrIS16z4RUq0wiCBGf+S8/K8lM9cE9EBKE9yrkTsSvZGICEusvxQ+cTfVr30bnavvi1wL1UuxxDBlJebda9FJ9HfaS24j4rT7K78oMguqDVM+4hhr6BMhcpUVV+kTpOaBpluw5pRDwUP3jJBmkkOa57WRKFcu0Lr/XIx/G0c8Si+BAfM//CTMstwp5XDFn4W9EYSStjNrvsULdV+tOKFwnowqts+UFzEDvmZ1g4qIMWUUPBF4/pjaiDqtMojgrA==',
+ 'signature' => 'J9AcdJt5youJmMnBhS+Cc9ytArynIKtCRoNf/m0oOFO/e0hWHqs1NRdQBe81qzYIjf0+bj0Q97X9Xv1rnVJesPkQUbGaa4nAPt+viGSfvzTptjX4LKgqm8B3UkduBA262IcaWgM5P84gUqelkQIC1nIqq/MJTuC6oQ5lUwIV1a92ZurDjhwH4b3f7/ZLTTOTRD0DWN9W/yOyF1qECivgePR3eu+mkcBzXVU/TDZDJic9G7xhqcTnWV6qk+aKyzdNo1tu5W7mF+v5vF6rrGZrq55vPLWAHApTD7P+NFV01BnaCuN7/qGJNVs7m7EH03jpOw7y3jqNMmcmonYrJSMVqg==',
],
Http::STATUS_OK,
],