From bbe59a942a2e51071e12043e472f6056a6642743 Mon Sep 17 00:00:00 2001
From: Maxence Lange
Date: Thu, 18 Mar 2021 18:10:48 -0100
Subject: check content-length and digest

Signed-off-by: Maxence Lange
---
 lib/Service/SignatureService.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/Service/SignatureService.php b/lib/Service/SignatureService.php
index f76ab2ad..71855e1a 100644
--- a/lib/Service/SignatureService.php
+++ b/lib/Service/SignatureService.php
@@ -256,6 +256,14 @@ class SignatureService {
 throw new SignatureException('object is too old');
 }
 
+ if (strlen($data) !== (int)$request->getHeader('content-length')) {
+ throw new SignatureException('issue with content-length');
+ }
+
+ if ($this->generateDigest($data) !== $request->getHeader('digest')) {
+ throw new SignatureException('issue with digest');
+ }
+
 try {
 return $this->checkRequestSignature($request, $data);
 } catch (RequestContentException $e) {
@@ -379,9 +387,6 @@ class SignatureService {
 $signed = base64_decode($sign['signature']);
 $estimated = $this->generateEstimatedSignature($headers, $request);
 
- // TODO: check digest
- // $this->generateDigest($data);
-
 try {
 $publicKey = $this->retrieveKey($keyId);
 $this->checkRequestSignatureUsingPublicKey($publicKey, $sign, $estimated, $signed);
-- cgit v1.2.3

From 250be300bd77f77b3a4898753d1d991c04103267 Mon Sep 17 00:00:00 2001
From: Maxence Lange
Date: Thu, 18 Mar 2021 18:34:07 -0100
Subject: minimum elements for headers

Signed-off-by: Maxence Lange
---
 lib/Service/SignatureService.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/Service/SignatureService.php b/lib/Service/SignatureService.php
index 71855e1a..2b1c94aa 100644
--- a/lib/Service/SignatureService.php
+++ b/lib/Service/SignatureService.php
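Review bot: The content-length check on the first added line of the @@ -256 hunk rejects any non-empty body that arrives without a Content-Length header (chunked transfer, or a proxy that strips it), because `(int)$request->getHeader('content-length')` turns an absent header (IRequest returns '' for it) into 0, and a malformed value such as `12abc` still casts to 12. Apply the check only when the header is present and compare it as a canonical decimal string: `$length = trim($request->getHeader('content-length'));` / `if ($length !== '' && $length !== (string)strlen($data)) {`. The digest check a few lines below is an exact string comparison of generateDigest()'s output against the raw header, while RFC 3230 permits a comma-separated list of algorithm=value pairs with case-insensitive algorithm tokens, so a compliant sender that lists more than one algorithm or writes `sha-256=` would be refused — parsing the header into pairs and comparing the matching entry with `hash_equals()` is more robust (generateDigest's output format is outside this hunk). Neither check binds the body to the signature on its own; that only holds once `digest` is in the signed `headers` list, which the second commit on this page enforces.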
@@ -427,10 +427,15 @@ class SignatureService {
 *
 * @return string
 * @throws SocialAppConfigException
+ * @throws SignatureException
 */
 private function generateEstimatedSignature(string $headers, IRequest $request): string {
 $keys = explode(' ', $headers);
+ if (!empty(array_diff(['(request-target)', 'date', 'digest', 'host'], $keys))) {
+ throw new SignatureException('missing elements in \'headers\'');
+ }
+
 $target = '';
 try {
 $target = strtolower($request->getMethod()) . " " . $request->getRequestUri();
-- cgit v1.2.3
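Review bot: The required-header check on the new `if` line wraps `array_diff()` in `empty()` and inlines the policy, which would read better as a direct comparison against a named constant so the minimum signed set is visible at class level: `private const REQUIRED_SIGNED_HEADERS = ['(request-target)', 'date', 'digest', 'host'];` and `if (array_diff(self::REQUIRED_SIGNED_HEADERS, $keys) !== []) {`. The check itself is a sound hardening step and deserves a one-line why-comment, e.g. `// body (digest) and freshness (date) must be covered by the signature, not just present as headers`, since without `digest` in the signed list the body digest verified by the caller is not bound to the signature and without `date` the age check presumably has nothing signed to rely on. The message `'missing elements in \'headers\''` could name the missing keys (`implode(', ', $missing)`) so rejected federation requests are diagnosable from logs. The body of generateEstimatedSignature continues past the end of the hunk.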