---
title: Mastodon AP notices comes to the server but are discarded because signature validation fails
author: notabug.org/colegota
time: Mon, 20 Jan 2020 15:11:02 UTC
status: closed
---
author: notabug.org
time: Mon, 20 Jan 2020 15:11:02 UTC
content: -----
Hi! I built a new instance at https://gnusocial.sierranorte.red with the first aim to test and debug. Now it's running Nightly/2.0-dev from scratch.

With the AP plugin enabled I can follow Mastodon 3.x accounts, but timelines do not show their notices.

Then I found that notices appear in the debug log as they come to the server but finally give an error due to signature validation:

`2020-01-20 07:25:37 LOG_DEBUG: [gnusocial.sierranorte.red:11156.e9a03dac POST /inbox.json] ActivityPub Inbox: HTTP Signature: Invalid signature.`

https://notabug.org/diogo/gnu-social/src/nightly/plugins/ActivityPub/actions/apinbox.php#L130

The result is for the call to [list($verified, /*$headers*/) = HTTPSignature::verify($actor_public_key, $signatureData, $headers, $path, $body);](https://notabug.org/diogo/gnu-social/src/nightly/plugins/ActivityPub/actions/apinbox.php#L125)

So I added some debug traces and got these values for those parameters (at the end). Those parameters seem OK, but `list($verified, $headers) = HTTPSignature::verify($actor_public_key, $signatureData, $headers, $path, $body);` returns

~~~
verified: 0
headers: (request-target): post /inbox.json
host: gnusocial.sierranorte.red
date: Mon, 20 Jan 2020 14:49:11 GMT
digest: SHA-256=YHe2Dz7P9LBqoYYMlbTyed1Ph2hO5ztUS7480s2evEE=
~~~

Then I commented out the validation code at the end of the handle() function to test the rest of the process, and notices and replies come to my timeline, as for example from this mastodon.social user:
https://gnusocial.sierranorte.red/user/61

Below are the parameters in the call to `list($verified, $headers) = HTTPSignature::verify($actor_public_key, $signatureData, $headers, $path, $body);`

~~~
actor_public_key: -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7y34s/IBMGPLl4bKxKGH
TBRK0jdmEnhjRvDUGGy3ogfYAMd/g7ffLUzhGXVi14I7C+zNIU06c8Fp77Zb341d
PMK87ftDd4etcsR4lAIoCGE7jPOVyf+/TKVMv5u6zvo4Nxb9q/Ux/RCRZOQcgoqM
gWWYxspejjc9EF8W3+k2tNQhgJJk623UieCsR+nXNuvdV3+emWoQ9ka+u7X8rwaT
hTIHIKOb+zC+CG+BjCzTZJgJyz87zZSlKyv5acfMUWyV6W6kBZe4YsGpUAX4p5Xi
FsdbcVck3sjjYqWV+S9mbpK1lzF22jBczatN8iMhi/LMsaa5lAkjK66FcgNOrSu5
9QIDAQAB
-----END PUBLIC KEY-----
~~~

~~~
Request Headers: Array
(
    [connection] => Keep-Alive
    [signature] => keyId="https://mastodon.social/users/victorhck#main-key",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="IiFUvRSwo6LBFQs0BPI6agSaXSzSvWsv8hblz29GoVA4UK50QvpuHyjOBzEPuI9Qcsu1ZfWm9J8yST0UThwCYGlpg9gAGCOf4FYaElh745BfC2CKvsIMrFu6a5fu+VOc9hirtTFh9XYhoW8/7BU7AUTYX21jX1VhKNbRqea5xJjVxzCHRnUA4EIXi7Q04QMQ3GUXmCr/wbtBTFiJCG5TuBMMkVMx+cEj5wxyR2gHLFHPirje+X+HQU5s1wpuQOcZ705JmrKkMSAz5a2QkYNWucsxRXaa0L5wFWSMTkVzTj8nLaLB+tCEB1VdPOh5zHd608xwfCgs2QU0xQxHwHZfnA=="
    [digest] => SHA-256=xxbPGkw6LF9TnL5K7fD85TpU3XUAC4PpyciXcvl+oXY=
    [accept-encoding] => gzip
    [date] => Mon, 20 Jan 2020 13:42:52 GMT
    [host] => gnusocial.sierranorte.red
    [user-agent] => http.rb/3.3.0 (Mastodon/3.0.1; +https://mastodon.social/)
)
~~~

~~~
path: /inbox.json
~~~

~~~
body: {"@context":["https://www.w3.org/ns/activitystreams",{"ostatus":"http://ostatus.org#","atomUri":"ostatus:atomUri","inReplyToAtomUri":"ostatus:inReplyToAtomUri","conversation":"ostatus:conversation","sensitive":"as:sensitive","toot":"http://joinmastodon.org/ns#","votersCount":"toot:votersCount","Hashtag":"as:Hashtag"}],"id":"https://mastodon.social/users/victorhck/statuses/103515932057829491/activity","type":"Create","actor":"https://mastodon.social/users/victorhck","published":"2020-01-20T13:42:51Z","to":["https://www.w3.org/ns/activitystreams#Public"],"cc":["https://mastodon.social/users/victorhck/followers"],"object":{"id":"https://mastodon.social/users/victorhck/statuses/103515932057829491","type":"Note","summary":null,"inReplyTo":null,"published":"2020-01-20T13:42:51Z","url":"https://mastodon.social/@victorhck/103515932057829491","attributedTo":"https://mastodon.social/users/victorhck","to":["https://www.w3.org/ns/activitystreams#Public"],"cc":["https://mastodon.social/users/victorhck/followers"],"sensitive":false,"atomUri":"https://mastodon.social/users/victorhck/statuses/103515932057829491","inReplyToAtomUri":null,"conversation":"tag:mastodon.social,2020-01-20:objectId=148736816:objectType=Conversation","content":"\u003cp\u003eUn cantaor grita «¡Vámonos!» en pleno concierto y se marcha todo el público \u003ca href=\"https://www.elmundotoday.com/2020/01/un-cantaor-grita-vamonos-en-pleno-concierto-y-se-marcha-todo-el-publico/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\"\u003e\u003cspan class=\"invisible\"\u003ehttps://www.\u003c/span\u003e\u003cspan class=\"ellipsis\"\u003eelmundotoday.com/2020/01/un-ca\u003c/span\u003e\u003cspan class=\"invisible\"\u003entaor-grita-vamonos-en-pleno-concierto-y-se-marcha-todo-el-publico/\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/GazpachitodeUtrera\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003eGazpachitodeUtrera\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/flamenco\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003eflamenco\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/Cultura\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003eCultura\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/cantaor\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003ecantaor\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/P%C3%BAblico\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003ePúblico\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/duende\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003eduende\u003c/span\u003e\u003c/a\u003e\u003c/p\u003e","contentMap":{"es":"\u003cp\u003eUn cantaor grita «¡Vámonos!» en pleno concierto y se marcha todo el público \u003ca href=\"https://www.elmundotoday.com/2020/01/un-cantaor-grita-vamonos-en-pleno-concierto-y-se-marcha-todo-el-publico/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\"\u003e\u003cspan class=\"invisible\"\u003ehttps://www.\u003c/span\u003e\u003cspan class=\"ellipsis\"\u003eelmundotoday.com/2020/01/un-ca\u003c/span\u003e\u003cspan class=\"invisible\"\u003entaor-grita-vamonos-en-pleno-concierto-y-se-marcha-todo-el-publico/\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/GazpachitodeUtrera\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003eGazpachitodeUtrera\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/flamenco\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003eflamenco\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/Cultura\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003eCultura\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/cantaor\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003ecantaor\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/P%C3%BAblico\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003ePúblico\u003c/span\u003e\u003c/a\u003e \u003ca href=\"https://mastodon.social/tags/duende\" class=\"mention hashtag\" rel=\"tag\"\u003e#\u003cspan\u003eduende\u003c/span\u003e\u003c/a\u003e\u003c/p\u003e"},"attachment":[],"tag":[{"type":"Hashtag","href":"https://mastodon.social/tags/duende","name":"#duende"},{"type":"Hashtag","href":"https://mastodon.social/tags/p%C3%BAblico","name":"#público"},{"type":"Hashtag","href":"https://mastodon.social/tags/cantaor","name":"#cantaor"},{"type":"Hashtag","href":"https://mastodon.social/tags/cultura","name":"#cultura"},{"type":"Hashtag","href":"https://mastodon.social/tags/flamenco","name":"#flamenco"},{"type":"Hashtag","href":"https://mastodon.social/tags/GazpachitodeUtrera","name":"#GazpachitodeUtrera"}],"replies":{"id":"https://mastodon.social/users/victorhck/statuses/103515932057829491/replies","type":"Collection","first":{"type":"CollectionPage","next":"https://mastodon.social/users/victorhck/statuses/103515932057829491/replies?only_other_accounts=true\u0026page=true","partOf":"https://mastodon.social/users/victorhck/statuses/103515932057829491/replies","items":[]}}},"signature":{"type":"RsaSignature2017","creator":"https://mastodon.social/users/victorhck#main-key","created":"2020-01-20T13:42:52Z","signatureValue":"mUrODNBalDdRm1/yuOEcg8dJnxWcHp9oWdSVyue/xO0qXZBHTXGLnQS+sw/FFMIUOAYAINiYsR7pofle/v0vPdgy9edJHresmnO8dDiwTEaO7HnaJaxU6LNVWooVwY2xw5aXpyqDLqhRVpon/9XPW5XAaqUATDNXW3qT84JDbPZ28MOvwEQH9z1YvkqH6IbgafR176ddc0Y+4SqmNRD2ZURTVFPpZAVtkpFiCCc8tzBV0UjvyDizk14lwxexgwaF4EuOzTNlnnQKbeiwfYLcew+iQqhCAluiwtVMcwrDQSy6LxWxP7DMfXcEB1848ecaCPStB4VoTbIPQ2RiQ86Stw=="}}
2020-01-20 13:42:53 LOG_INFO: [gnusocial.sierranorte.red:19209.a3b53881 POST /inbox.json] HTTPClient: HTTP GET https://mastodon.social/users/victorhck - 200 OK
2020-01-20 13:42:53 LOG_DEBUG: [gnusocial.sierranorte.red:19209.a3b53881 POST /inbox.json] ActivityPub Explorer: Found a valid remote actor for https://mastodon.social/users/victorhck
~~~

Hope it helps!
Colegota
-----
author: notabug.org
time: Mon, 20 Jan 2020 16:29:58 UTC
content: -----
Hi, I can confirm this. I've commented out lines 129 to 132 in apinbox.php, and notices from Mastodon 3.0 and 3.1 have started to arrive.
-----
author: notabug.org
time: Mon, 20 Jan 2020 22:31:45 UTC
content: -----
Don't know if this is correct... As seen in the [manual, openssl_verify()'s first argument](https://www.php.net/manual/en/function.openssl-verify.php) must be a string, but it receives an array.

signingString:
~~~
(request-target): post /inbox.json
digest: SHA-256=5BzkbCPUSd8UFrq3srpatTBMHnThhSy/QHI6aK3fHNs=
~~~

https://notabug.org/diogo/gnu-social/src/nightly/plugins/ActivityPub/lib/httpsignature.php#L176
-----
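The verification step this thread is debugging, as an added example that is not GNU social's code: it rebuilds the HTTP Signature signing string from the `headers` list carried in the Signature header (the Mastodon request above lists `(request-target) host date digest content-type`) and checks the Digest header against the received body. A signing string that covers only two of the five listed headers, like the one quoted in the previous comment, can never verify, so the builder refuses when a listed header is absent from the request rather than silently signing a shorter string. Host names, key id, body and signature value are constructed placeholders; a real inbox would go on to verify the RSA-SHA256 signature over the returned string with the actor's public key.

```python
import base64
import hashlib
import hmac
import re

def parse_signature_header(value):
    """Split a Signature header into its key="value" parameters."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def build_signing_string(method, path, headers, signed_header_names):
    """Rebuild the string the sender signed: one 'name: value' line per
    name in the Signature header's `headers` list, in that order.
    '(request-target)' is the pseudo-header '<lowercase method> <path>'."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed_header_names.split():
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lower:
            lines.append(f"{name}: {lower[name]}")
        else:
            # A listed header the request does not carry can only make the
            # signature fail; report it instead of signing a shorter string.
            raise ValueError(f"signed header missing from request: {name}")
    return "\n".join(lines)

def digest_matches(body, digest_header):
    """Compare the Digest header (SHA-256=<base64>) with the received body."""
    algo, _, expected = digest_header.partition("=")
    if algo.upper() != "SHA-256":
        return False
    actual = base64.b64encode(hashlib.sha256(body).digest()).decode()
    return hmac.compare_digest(actual, expected)

def check_inbox_request(method, path, headers, body):
    """Return the signing string to verify, or None if the body digest is wrong."""
    params = parse_signature_header(headers["Signature"])
    if not digest_matches(body, headers["Digest"]):
        return None
    return build_signing_string(method, path, headers, params["headers"])

# Constructed sample request, shaped like the Mastodon POST dumped in the issue.
BODY = b'{"type":"Create","actor":"https://example.social/users/alice"}'
HEADERS = {
    "Signature": ('keyId="https://example.social/users/alice#main-key",'
                  'algorithm="rsa-sha256",'
                  'headers="(request-target) host date digest content-type",'
                  'signature="c2lnbmF0dXJlLXZhbHVlLXBsYWNlaG9sZGVy"'),  # placeholder
    "Host": "gnusocial.example",
    "Date": "Mon, 20 Jan 2020 13:42:52 GMT",
    "Digest": "SHA-256=" + base64.b64encode(hashlib.sha256(BODY).digest()).decode(),
    "Content-Type": "application/activity+json",
}
```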
author: notabug.org
time: Wed, 08 Jul 2020 09:45:30 UTC
content: -----
Fixed with https://notabug.org/diogo/gnu-social/commit/737f3eb55338a2d196b281114b9bb72e0a53168c . Related to https://notabug.org/diogo/gnu-social/issues/108
-----