Skip to content

Signature: Accept signatures with hs2019 algorithm #1814

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jun 19, 2025
Merged

Signature: Accept signatures with hs2019 algorithm #1814

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
61334d8
Add failing test
obenland Jun 13, 2025
407ff00
Fix (most) tests
obenland Jun 13, 2025
090f690
Add changelog
matticbot Jun 13, 2025
6e9c3ce
Merge branch 'trunk' into fix/signature-variables
obenland Jun 16, 2025
6a91458
Update includes/class-signature.php
obenland Jun 19, 2025
b7c6072
Merge branch 'trunk' into fix/signature-variables
obenland Jun 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/changelog/1814-from-description
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Significance: patch
Type: fixed

HTTP signatures using the hs2019 algorithm now get accepted without error.
5 changes: 3 additions & 2 deletions includes/class-signature.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -356,8 +356,9 @@ public static function get_remote_key( $key_id ) {
public static function get_signature_algorithm( $signature_block ) {
if ( ! empty( $signature_block['algorithm'] ) ) {
switch ( $signature_block['algorithm'] ) {
case 'rsa-sha-512':
return 'sha512'; // hs2019 https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12.
case 'hs2019':
case 'rsa-sha512':
return 'sha512'; // https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12.
default:
return 'sha256';
}
Expand Down
115 changes: 115 additions & 0 deletions tests/includes/class-test-signature.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -276,6 +276,121 @@ public function test_key_format_handling() {
\remove_filter( 'pre_get_remote_metadata_by_actor', array( $this, 'pre_get_remote_metadata_by_actor' ) );
}

/**
* Data provider for signature algorithm tests.
*
* @return string[][] Test data.
*/
public function signature_algorithm_provider() {
return array(
'hs2019 algorithm' => array(
array( 'algorithm' => 'hs2019' ),
'sha512',
'hs2019 algorithm should return sha512.',
),
'rsa-sha256 algorithm' => array(
array( 'algorithm' => 'rsa-sha256' ),
'sha256',
'rsa-sha256 algorithm should return sha256.',
),
'unknown algorithm' => array(
array( 'algorithm' => 'unknown-algorithm' ),
'sha256',
'Unknown algorithm should return sha256.',
),
'empty algorithm' => array(
array( 'algorithm' => '' ),
false,
'Empty algorithm should return false.',
),
'missing algorithm key' => array(
array(),
false,
'Missing algorithm key should return false.',
),
);
}

/**
* Test signature algorithm detection.
*
* @covers ::get_signature_algorithm
* @dataProvider signature_algorithm_provider
*
* @param array $signature_block The signature block to test.
* @param string|false $expected The expected result.
* @param string $message The assertion message.
*/
public function test_get_signature_algorithm( $signature_block, $expected, $message ) {
$this->assertEquals( $expected, Signature::get_signature_algorithm( $signature_block ), $message );
}

/**
* Test full signature verification with hs2019 algorithm.
*
* @covers ::verify_http_signature
* @covers ::get_signature_algorithm
* @covers ::parse_signature_header
* @covers ::get_signed_data
*/
public function test_verify_signature_with_hs2019() {
// Mock a request with hs2019 algorithm signature.
$key = openssl_pkey_new(
array(
'digest_alg' => 'sha512',
'private_key_bits' => 2048,
'private_key_type' => OPENSSL_KEYTYPE_RSA,
)
);

// Extract the public key.
$key_details = openssl_pkey_get_details( $key );
$public_key = $key_details['key'];

// Create a string to sign.
$date = gmdate( 'D, d M Y H:i:s T' );
$string_to_sign = "(request-target): post /wp-json/activitypub/1.0/inbox\nhost: example.org\ndate: {$date}";

// Sign the string.
$signature = '';
openssl_sign( $string_to_sign, $signature, $key, OPENSSL_ALGO_SHA512 );

// Create the mock request as a $_SERVER-like array.
// This will be passed through format_server_request().
$request = array(
'REQUEST_METHOD' => 'POST',
'REQUEST_URI' => '/wp-json/activitypub/1.0/inbox',
'HTTP_HOST' => 'example.org',
'HTTP_DATE' => $date,
'HTTP_SIGNATURE' => sprintf(
'keyId="https://example.com/users/test#main-key",algorithm="hs2019",headers="(request-target) host date",signature="%s"',
base64_encode( $signature ) // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
),
);

// Add filter to mock the remote key retrieval.
\add_filter(
'pre_get_remote_metadata_by_actor',
function () use ( $public_key ) {
return array(
'name' => 'Test User',
'url' => 'https://example.com/users/test',
'publicKey' => array(
'id' => 'https://example.com/users/test#main-key',
'owner' => 'https://example.com/users/test',
'publicKeyPem' => $public_key,
),
);
}
);

// Verify the signature.
$this->assertTrue( Signature::verify_http_signature( $request ) );

// Remove the filter.
\remove_all_filters( 'pre_get_remote_metadata_by_actor' );
}

/**
* Pre get remote metadata by actor.
*
Expand Down
Loading