From b69d7a79b4cf4438a804ce47df78474f68552d3a Mon Sep 17 00:00:00 2001 From: "J. Maurice" Date: Sun, 19 Nov 2017 19:45:49 +0900 Subject: [PATCH] Verify AppIdentityService signatures against all valid certificates --- appengine-plugin/modules/uploads.php | 40 +++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/appengine-plugin/modules/uploads.php b/appengine-plugin/modules/uploads.php index e5e2eae..171d2b2 100644 --- a/appengine-plugin/modules/uploads.php +++ b/appengine-plugin/modules/uploads.php @@ -148,14 +148,12 @@ public static function authenticate( $user, $username, $password ) { return $user; } - $user_id = absint( $_GET['gae_auth_user'] ); - $sign_result = self::sign_auth_key( AUTH_KEY . $user_id ); + $user_id = absint( $_GET['gae_auth_user'] ); + $key_name = $_GET['gae_auth_key']; + $string_to_verify = AUTH_KEY . $user_id; + $signature_to_verify = base64_decode($_GET['gae_auth_signature']); - if ( $sign_result['key_name'] !== $_GET['gae_auth_key'] ) { - return $user; - } - - if ( base64_decode( $_GET['gae_auth_signature'] ) !== $sign_result['signature'] ) { + if (self::verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) !== true) { return $user; } @@ -487,6 +485,34 @@ private static function sign_auth_key($auth_key) { } } + private static function verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) { + if (self::is_production()) { + + # get list of all valid certificates for GAE project + $public_certificates = AppIdentityService::getPublicCertificates(); + + # find certificate with matching key name + foreach ($public_certificates as $cert) { + if ($cert->getCertificateName() === $key_name) { + + # extract public key from X509 certificate + $public_key = openssl_pkey_get_public($cert->getX509CertificateInPemFormat()); + + # verify the signed data, return true or false + return (openssl_verify($string_to_verify, $signature_to_verify, $public_key, "sha256") === 1); + } + } + + # if no matching certificate, verification fails + return false; + + } else { + // In the development server we are not concerned with trying to generate + // a secure signature. + return (sha1($string_to_verify) === $signature_to_verify); + } + } + public static function custom_image_editor( $editors ) { $editors = [ __NAMESPACE__ . '\\Editor' ] + $editors; return $editors;