author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2021-10-27 13:00:45 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-27 13:00:45 +0300 |
commit | e7e11f749c1428bc8280cf45cb15d7acb140394f (patch) | |
tree | 778a3e17790fdfc4a464113ef00228492076399b | |
parent | 97f95062c8c81f76c777729ef0f18f14f69702ed (diff) | |
parent | 86087ab14fbd039e40e44623f0bde0f492895d84 (diff) |
Merge pull request #1105 from nextcloud/backport/1100/stable20
[stable20] Restore old device signature so the proxy works again
-rw-r--r-- | lib/Controller/PushController.php | 7 | ||||
-rw-r--r-- | tests/Integration/features/bootstrap/FeatureContext.php | 18 | ||||
-rw-r--r-- | tests/Integration/features/push-registration.feature | 4 | ||||
-rw-r--r-- | tests/Unit/Controller/PushControllerTest.php | 4 |
4 files changed, 24 insertions, 9 deletions
diff --git a/lib/Controller/PushController.php b/lib/Controller/PushController.php index f1b20a0..16f6b6a 100644 --- a/lib/Controller/PushController.php +++ b/lib/Controller/PushController.php @@ -118,8 +118,13 @@ class PushController extends OCSController { $key = $this->identityProof->getKey($user); $deviceIdentifier = json_encode([$user->getCloudId(), $token->getId()]); - $deviceIdentifier = base64_encode(hash('sha512', $deviceIdentifier, true)); openssl_sign($deviceIdentifier, $signature, $key->getPrivate(), OPENSSL_ALGO_SHA512); + /** + * For some reason the push proxy's golang code needs the signature + * of the deviceIdentifier before the sha512 hashing. Assumption is that + * openssl_sign already does the sha512 internally. + */ + $deviceIdentifier = base64_encode(hash('sha512', $deviceIdentifier, true)); $appType = 'unknown'; if ($this->request->isUserAgent([ diff --git a/tests/Integration/features/bootstrap/FeatureContext.php b/tests/Integration/features/bootstrap/FeatureContext.php index b6e42c6..ce68b41 100644 --- a/tests/Integration/features/bootstrap/FeatureContext.php +++ b/tests/Integration/features/bootstrap/FeatureContext.php @@ -268,9 +268,9 @@ class FeatureContext implements Context, SnippetAcceptingContext { } /** - * @Then /^can validate the response and signature$/ + * @Then /^can validate the response and (skip verifying|verify) signature$/ */ - public function validateResponseAndSignature(): void { + public function validateResponseAndSignature(string $verify): void { $response = $this->getArrayOfNotificationsResponded($this->response); Assert::assertStringStartsWith('-----BEGIN PUBLIC KEY-----' . "\n", $response['publicKey']); 
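Review bot: With the hash moved below `openssl_sign()`, the signature now covers the JSON string of `[$user->getCloudId(), $token->getId()]`, while the `$deviceIdentifier` assigned afterwards is the base64 of its SHA-512 digest, so the signature cannot be checked against that identifier alone. The added comment records this as a guess ("For some reason", "Assumption is"), although `openssl_sign()` with `OPENSSL_ALGO_SHA512` does hash its input; it would be safer to state the contract, e.g. `// Signed message: the JSON [cloudId, tokenId]. The deviceIdentifier assigned below is base64(sha512(JSON)), so a verifier needs the JSON preimage.` The return value of `openssl_sign()` is also not checked in this hunk, so a failed signing call would go unnoticed at this point. The enclosing method starts and ends outside the hunk.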
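Review bot: The new `$verify` parameter of `validateResponseAndSignature()` is undocumented, and its two possible values are defined only by the step regex above it. A docblock line such as `@param string $verify Either "verify" or "skip verifying", as captured from the step text` would make the contract visible at the method. The method body continues outside this hunk.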
@@ -278,8 +278,18 @@ class FeatureContext implements Context, SnippetAcceptingContext { Assert::assertNotEmpty($response['deviceIdentifier'], 'Device identifier should not be empty'); Assert::assertNotEmpty($response['signature'], 'Signature should not be empty'); - $result = openssl_verify($response['deviceIdentifier'], base64_decode($response['signature']), $response['publicKey'], OPENSSL_ALGO_SHA512); - Assert::assertEquals(true, $result, 'Failed to verify the signature'); + if ($verify === 'verify') { + $result = openssl_verify($response['deviceIdentifier'], base64_decode($response['signature']), $response['publicKey'], OPENSSL_ALGO_SHA512); + Assert::assertEquals(true, $result, 'Failed to verify the signature'); + } else { + /** + * For some weird reason the push proxy's golang code needs the signature + * of the deviceIdentifier before the sha512 hashing. Assumption is that + * openssl_sign already does the sha512 internally. + * The problem is we can not revert the sha512 of the deviceIdentifier + */ + var_dump("\n\nEnjoy with care, signature was not verified!\n\n"); + } } /** diff --git a/tests/Integration/features/push-registration.feature b/tests/Integration/features/push-registration.feature index 3d1eea9..1bd5031 100644 --- a/tests/Integration/features/push-registration.feature +++ b/tests/Integration/features/push-registration.feature @@ -38,7 +38,7 @@ Feature: Push registration | devicePublicKey | VALID_KEY | | proxyServer | https://push-notifications.nextcloud.com/ | Then status code is 201 - And can validate the response and signature + And can validate the response and skip verifying signature Scenario: Unregistering from push notifications without app password Given user "test1" forgets the app password 
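Review bot: In the `else` branch the signature is only known to be non-empty, and both scenarios changed in push-registration.feature use the skipping step, so no integration scenario visible in this diff checks the signature any more. The skip branch could still assert that the value is well-formed, e.g. `Assert::assertNotFalse(base64_decode($response['signature'], true), 'Signature should be valid base64');`, and report the skip through the test framework rather than `var_dump()`. In the verify branch, `Assert::assertEquals(true, $result, ...)` compares loosely, and `openssl_verify()` returns -1 on error, which equals `true` under loose comparison; `Assert::assertSame(1, $result, 'Failed to verify the signature');` accepts only a valid signature. The method starts outside this hunk.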
@@ -52,7 +52,7 @@ Feature: Push registration | devicePublicKey | VALID_KEY | | proxyServer | https://push-notifications.nextcloud.com/ | Then status code is 201 - And can validate the response and signature + And can validate the response and skip verifying signature Given user "test1" unregisters from push notifications Then status code is 202 Given user "test1" unregisters from push notifications diff --git a/tests/Unit/Controller/PushControllerTest.php b/tests/Unit/Controller/PushControllerTest.php index 3ac462f..9c84da2 100644 --- a/tests/Unit/Controller/PushControllerTest.php +++ b/tests/Unit/Controller/PushControllerTest.php @@ -302,7 +302,7 @@ FwIDAQAB [ 'publicKey' => $this->userPublicKey, 'deviceIdentifier' => 'XUCEZ1EHvTUcVhIvrQQQ1XcP0ZD2BFdFqw4EYbOhBfiEgXgirurR4x/ve4GSSyfivvbQOdOkZUM+g4m+tSb0Ew==', - 'signature' => 'X9+J7NNLfG9Ft6C36zrYLVJ5aH5euIROzdV937hsU81jL7WvOwzBfc7bImzxU3Bnev5wEKwkw7Ts/2q/+UUkOxgtEZinp52s87S5obKtsVXsczHbsqg4p/ueoBPhF17VsP1e8kMtxZ4snk/iArX4Eu1cfaM3+OckmpO0MYXy0rUbYpQPAJo4VgRFKKjFvfEVOj8N74DTIJ+TjRsvvDhJbb9KpeFe3a6Rv9mIo0AqoK+deAbUkWY0aM+74noVXvPtNzExgK4mWJ02+JHEuQEUbCuQsgoBia0vC3fILbwVxHzrieWGEnE7vkRyFEzlkeo7ZSMawDPxsPN5HxwBs2SZig==', + 'signature' => 'LRhbXO71WYX9qqDbQX7C+87YaaFfWoT/vG0DlaXdBz6+lhyOA0dw/1Ggz3fd7RerCQ0MfgnnTyxO+cSeRpUaPdA2yPjfoiPpfYA5SOJQGF3comS/HYna3fHiFDbOoM3BJOnjvqiSZdxA/ICdyl2mEEC5wO7AZ4OZKBTa5XfL7eSCXZLEv1YldqcLOStbXrI7voDQocTMJxoQZI/j8BVcf2i3D6F454aXIFDrYYzC2PQY+CKJoXZW0m0RMWaTM2B8tBmFFwrmaGLDqcjjpd33TsTtsV5DB7WimffLBPpOuGV4Z1Kiagp/mxpPLz2NImNV79mDX9gY3ZppCZTwChP5qQ==', ], Http::STATUS_CREATED, ], 
@@ -317,7 +317,7 @@ FwIDAQAB [ 'publicKey' => $this->userPublicKey, 'deviceIdentifier' => 'x9vSImcGjhzR9BfZ/XbbUqqCCNC4bHKsX7vkQWNZRd1/MiY+OuF02fx8K08My0RpkNnwj/rQ/gVSU1oEdFwkww==', - 'signature' => 'GFpnv3MO7mcBef2RJ4Ayrl6RQakGM7AvlKhoTr3DUWnv+iBzwGy8YV34HIPoArz4tyqonHRlLsxPYq4ENPfGO99KrIS16z4RUq0wiCBGf+S8/K8lM9cE9EBKE9yrkTsSvZGICEusvxQ+cTfVr30bnavvi1wL1UuxxDBlJebda9FJ9HfaS24j4rT7K78oMguqDVM+4hhr6BMhcpUVV+kTpOaBpluw5pRDwUP3jJBmkkOa57WRKFcu0Lr/XIx/G0c8Si+BAfM//CTMstwp5XDFn4W9EYSStjNrvsULdV+tOKFwnowqts+UFzEDvmZ1g4qIMWUUPBF4/pjaiDqtMojgrA==', + 'signature' => 'J9AcdJt5youJmMnBhS+Cc9ytArynIKtCRoNf/m0oOFO/e0hWHqs1NRdQBe81qzYIjf0+bj0Q97X9Xv1rnVJesPkQUbGaa4nAPt+viGSfvzTptjX4LKgqm8B3UkduBA262IcaWgM5P84gUqelkQIC1nIqq/MJTuC6oQ5lUwIV1a92ZurDjhwH4b3f7/ZLTTOTRD0DWN9W/yOyF1qECivgePR3eu+mkcBzXVU/TDZDJic9G7xhqcTnWV6qk+aKyzdNo1tu5W7mF+v5vF6rrGZrq55vPLWAHApTD7P+NFV01BnaCuN7/qGJNVs7m7EH03jpOw7y3jqNMmcmonYrJSMVqg==', ], Http::STATUS_OK, ], |