Skip to content

Commit

Permalink
Security - Fix CVE-2021-30130 - Improper Certificate Validation in ph…
Browse files Browse the repository at this point in the history 
…pseclib
  • Loading branch information
@landrok
landrok committed Apr 11, 2021
1 parent f7f2ee1 commit 9f5c24a
Show file tree
Hide file tree
Showing 4 changed files with 53 additions and 85 deletions.
4 changes: 2 additions & 2 deletions composer.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,11 @@
"homepage": "https://github.com/landrok/activitypub",
"license": "MIT",
"require": {
"php": ">=7.1",
"php": "^7.2|^8.0",
"guzzlehttp/guzzle": ">=6.3",
"monolog/monolog": "^1.12|^2.0",
"symfony/http-foundation": ">=3.4",
"phpseclib/phpseclib": "^2.0",
"phpseclib/phpseclib": "^3.0.7",
"psr/cache": "^1.0",
"symfony/cache": ">=4.0"
},
Expand Down
9 changes: 4 additions & 5 deletions src/ActivityPhp/Server/Http/HttpSignature.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
use ActivityPhp\Server;
use ActivityPhp\Type\Util;
use Symfony\Component\HttpFoundation\Request;
use phpseclib\Crypt\RSA;
use phpseclib3\Crypt\RSA;

/**
* HTTP signatures tool
Expand Down Expand Up @@ -103,10 +103,9 @@ public function verify(Request $request): bool

// Verify that string using the public key and the original
// signature.
$rsa = new RSA();
$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$rsa->loadKey($publicKeyPem);
$rsa = RSA::createKey()
->loadPublicKey($publicKeyPem)
->withHash('sha256');

return $rsa->verify($data, base64_decode($signature, true));
}
Expand Down
108 changes: 40 additions & 68 deletions tests/ActivityPhp/Server/HttpSignatureTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
use Exception;
use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpFoundation\Request;
use phpseclib\Crypt\RSA;
use phpseclib3\Crypt\RSA;

/*
* These scenarios are around verifying an HTTP signature
Expand Down Expand Up @@ -40,18 +40,14 @@ public function testValidSignature()
$host = 'localhost';
$path = '/my-path?q=ok';

$rsa = new RSA();
$rsa->loadKey(
$rsa = RSA::createKey()->loadPrivateKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
); // private key

)
)->withHash('sha256'); // private key

$plaintext = "(request-target) post $path\nhost: $host\ndate: $date";

$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$signature = $rsa->sign($plaintext);

/* ------------------------------------------------------------------
Expand Down Expand Up @@ -164,18 +160,14 @@ public function testValidSignatureWithFallbackHeaders()
$host = 'localhost';
$path = '/my-path?q=ok';

$rsa = new RSA();
$rsa->loadKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
); // private key

$rsa = RSA::createKey()
->loadPrivateKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
)->withHash("sha256"); // private key

$plaintext = "(request-target) post $path\ndate: $date";

$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$signature = $rsa->sign($plaintext);

/* ------------------------------------------------------------------
Expand Down Expand Up @@ -231,18 +223,14 @@ public function testWrongSignatureMissingSignatureHeader()
$host = 'localhost';
$path = '/my-path?q=ok';

$rsa = new RSA();
$rsa->loadKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
); // private key

$rsa = RSA::createKey()
->loadPrivateKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
)->withHash("sha256"); // private key

$plaintext = "(request-target) post $path\nhost: $host\ndate: $date";

$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$signature = $rsa->sign($plaintext);

/* ------------------------------------------------------------------
Expand Down Expand Up @@ -296,18 +284,14 @@ public function testWrongSignatureMissingKeyId()
$host = 'localhost';
$path = '/my-path?q=ok';

$rsa = new RSA();
$rsa->loadKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
); // private key

$rsa = RSA::createKey()
->loadPrivateKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
)->withHash("sha256"); // private key

$plaintext = "(request-target) post $path\nhost: $host\ndate: $date";

$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$signature = $rsa->sign($plaintext);

/* ------------------------------------------------------------------
Expand Down Expand Up @@ -362,18 +346,14 @@ public function testWrongSignatureMissingSignature()
$host = 'localhost';
$path = '/my-path?q=ok';

$rsa = new RSA();
$rsa->loadKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
); // private key

$rsa = RSA::createKey()
->loadPrivateKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
)->withHash("sha256"); // private key

$plaintext = "(request-target) post $path\nhost: $host\ndate: $date";

$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$signature = $rsa->sign($plaintext);

/* ------------------------------------------------------------------
Expand Down Expand Up @@ -430,18 +410,14 @@ public function testWrongSignatureActorDoesNotExist()
$host = 'localhost';
$path = '/my-path?q=ok';

$rsa = new RSA();
$rsa->loadKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
); // private key

$rsa = RSA::createKey()
->loadPrivateKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
)->withHash("sha256"); // private key

$plaintext = "(request-target) post $path\nhost: $host\ndate: $date";

$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$signature = $rsa->sign($plaintext);

/* ------------------------------------------------------------------
Expand Down Expand Up @@ -491,18 +467,14 @@ public function testWrongSignatureNotVerifiedSignature()
$host = 'localhost';
$path = '/my-path?q=ok';

$rsa = new RSA();
$rsa->loadKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
); // private key

$rsa = RSA::createKey()
->loadPrivateKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
)->withHash("sha256"); // private key

$plaintext = "(request-target) post $path\nhost: $host\ndate: $date";

$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$signature = $rsa->sign($plaintext);

/* ------------------------------------------------------------------
Expand Down
17 changes: 7 additions & 10 deletions tests/ActivityPhp/Server/InboxPostTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use phpseclib\Crypt\RSA;
use phpseclib3\Crypt\RSA;

/*
* These scenarios are around receiving a POST on a local INBOX
Expand Down Expand Up @@ -65,18 +65,15 @@ public function testValidSignature()
$host = 'localhost';
$path = '/my-path?q=ok';

$rsa = new RSA();
$rsa->loadKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
); // private key
$rsa = RSA::createKey()
->loadPrivateKey(
file_get_contents(
dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem'
)
)->withHash("sha256"); // private key


$plaintext = "(request-target) post $path\nhost: $host\ndate: $date";

$rsa->setHash("sha256");
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
$signature = $rsa->sign($plaintext);

/* ------------------------------------------------------------------
Expand Down

0 comments on commit 9f5c24a

Please sign in to comment.