From 30d78417d87c5e4765e7c89cac7ffb3ee4c4cccf Mon Sep 17 00:00:00 2001
From: Django Doucet
Date: Fri, 14 Apr 2023 23:53:43 -0600
Subject: [PATCH] Fixes key retrieval

---
 includes/class-signature.php | 15 ++++++---------
 includes/rest/class-inbox.php | 10 +++++-----
 2 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/includes/class-signature.php b/includes/class-signature.php
index 3c289418..84cf612b 100644
--- a/includes/class-signature.php
+++ b/includes/class-signature.php
@@ -112,6 +112,7 @@ class Signature {
 public static function verify_http_signature( $request = null ) {
 $headers = $request->get_headers();
+ $actor = isset( json_decode( $request->get_body() )->actor ) ? json_decode( $request->get_body() )->actor : '' ;
 $headers['(request-target)'][0] = strtolower( $request->get_method() ) . ' /wp-json' . $request->get_route();
 if ( ! $headers ) {
@@ -123,7 +124,7 @@ class Signature {
 $signature_block = self::parse_signature_header( $headers['authorization'] );
 }
- if ( ! $signature_block ) {
+ if ( ! isset( $signature_block ) || ! $signature_block ) {
 return false;
 }
@@ -143,6 +144,9 @@ class Signature {
 }
 if ( \in_array( 'digest', $signed_headers, true ) && isset( $body ) ) {
+ if ( is_array( $headers['digest'] ) ) {
+ $headers['digest'] = $headers['digest'][0];
+ }
 $digest = explode( '=', $headers['digest'], 2 );
 if ( 'SHA-256' === $digest[0] ) {
 $hashalg = 'sha256';
@@ -156,7 +160,7 @@ class Signature {
 }
 }
- $public_key = isset( $key ) ? $key : self::get_key( $signature_block['keyId'] );
+ $public_key = \rtrim( \Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] ) ); // phpcs:ignore
 return \openssl_verify( $signed_data, $signature_block['signature'], $public_key, $algorithm ) > 0;
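Review bot: The `$actor` read from the request body on the added line of the @@ -112 hunk is attacker-controlled and unauthenticated, yet it becomes the identity for which the public key is resolved in the @@ -156 hunk (`\Activitypub\get_publickey_by_actor( $actor, $signature_block['keyId'] )`), whereas the removed `get_key()` derived the actor from the signature's own `keyId` via `get_actor_from_key()`. Unless `get_publickey_by_actor()` itself verifies that `keyId` belongs to `$actor` (not visible here), a body naming one actor together with a Signature header whose keyId points at a key the sender controls would verify as that actor; the same line also ends up passing `''` when the body is not JSON or has no `actor` member. I would keep the actor bound to the signature, e.g. `$actor = \Activitypub\get_actor_from_key( $signature_block['keyId'] );` after the block is parsed — or, if that helper was the part that broke, at least return `false` when `$signature_block['keyId']` does not belong to the body's `$actor` (same origin as a minimum). The body is also decoded twice; `$actor = json_decode( $request->get_body() )->actor ?? '';` reads it once. `verify_http_signature()` continues outside these hunks.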
@@ -218,13 +222,6 @@ class Signature {
 return $ret;
 }
- public static function get_key( $keyId ) { // phpcs:ignore
- $actor = \Activitypub\get_actor_from_key( $keyId ); // phpcs:ignore
- $publicKeyPem = \Activitypub\get_publickey_by_actor( $actor, $keyId ); // phpcs:ignore
- return \rtrim( $publicKeyPem ); // phpcs:ignore
- }
-
-
 public static function get_signed_data( $signed_headers, $signature_block, $headers ) {
 $signed_data = '';
 // This also verifies time-based values by returning false if any of these are out of range.
diff --git a/includes/rest/class-inbox.php b/includes/rest/class-inbox.php
index 08695336..a93d0644 100644
--- a/includes/rest/class-inbox.php
+++ b/includes/rest/class-inbox.php
@@ -74,10 +74,6 @@ class Inbox {
 return $served;
 }
- if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
- return $served;
- }
-
 return $served;
 }
@@ -230,9 +226,13 @@ class Inbox {
 $params['id'] = array(
 'required' => true,
 'sanitize_callback' => 'esc_url_raw',
+ );
+
+ $params['signature'] = array(
+ 'required' => true,
 'validate_callback' => function( $param, $request, $key ) {
 if ( ! \Activitypub\Signature::verify_http_signature( $request ) ) {
- return false; // returns http 400 rest_invalid_param
 }
 return $param;
 },
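Review bot: Hanging the HTTP-signature check on a new required `signature` parameter in the @@ -230 hunk ties verification to the presence of a body field rather than to the request: WordPress rejects a request that lacks a required parameter (with a missing-parameter error, not `rest_invalid_param`) before any `validate_callback` runs, and only runs the callback for parameters that are present, so an inbox POST authenticated solely through the `Signature` header with no top-level `signature` member in its JSON would, as far as I can tell, be refused as a missing parameter rather than verified — and the comment `// returns http 400 rest_invalid_param` only holds for the present-but-failing case. The removed block in the @@ -74 hunk returned `$served` on both branches, so it was not doing the enforcing either. The route's `permission_callback` in the registration code (outside this hunk) is the place to call `\Activitypub\Signature::verify_http_signature( $request )` unconditionally and return a `WP_Error` with status 401 on failure; `$params['signature']` can then drop `'required' => true` and the callback.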