Verify AppIdentityService signatures against all valid certificates

appengine-plugin/modules/uploads.php

@@ -148,14 +148,12 @@ public static function authenticate( $user, $username, $password ) {
 			return $user;
 		}
 
-		$user_id     = absint( $_GET['gae_auth_user'] );
-		$sign_result = self::sign_auth_key( AUTH_KEY . $user_id );
+		$user_id             = absint( $_GET['gae_auth_user'] );
+		$key_name            = $_GET['gae_auth_key'];
+		$string_to_verify    = AUTH_KEY . $user_id;
+		$signature_to_verify = base64_decode($_GET['gae_auth_signature']);
 
-		if ( $sign_result['key_name'] !== $_GET['gae_auth_key'] ) {
-			return $user;
-		}
-
-		if ( base64_decode( $_GET['gae_auth_signature'] ) !== $sign_result['signature'] ) {
+		if (self::verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) !== true) {
 			return $user;
 		}
 
@@ -487,10 +485,38 @@ private static function sign_auth_key($auth_key) {
     }
   }
 
-	public static function custom_image_editor( $editors ) {
-		$editors = [ __NAMESPACE__ . '\\Editor' ] + $editors;
-		return $editors;
-	}
+  private static function verify_signed_auth_key($key_name, $string_to_verify, $signature_to_verify) {
+    if (self::is_production()) {
+
+      # get list of all valid certificates for GAE project
+      $public_certificates = AppIdentityService::getPublicCertificates();
+
+      # find certificate with matching key name
+      foreach ($public_certificates as $cert) {
+        if ($cert->getCertificateName() === $key_name) {
+
+          # extract public key from X509 certificate
+          $public_key = openssl_pkey_get_public($cert->getX509CertificateInPemFormat());
+
+          # verify the signed data, return true or false
+          return (openssl_verify($string_to_verify, $signature_to_verify, $public_key, "sha256") === 1);
+        }
+      }
+
+      # if no matching certificate, verification fails
+      return false;
+
+    } else {
+      // In the development server we are not concerned with trying to generate
+      // a secure signature.
+      return (sha1($string_to_verify) === $signature_to_verify);
+    }
+  }
+
+  public static function custom_image_editor( $editors ) {
+    $editors = [ __NAMESPACE__ . '\\Editor' ] + $editors;
+      return $editors;
+  }
 }
 
 /**

gcs-media-plugin/Uploads/Uploads.php

@@ -137,7 +137,8 @@ public static function use_https_form()
                 . '<strong>Note:</strong>This setting only affects new uploads,'
                 . ' it will not change the HTTP scheme for files previously '
                 . 'uploaded',
-                'gcp')
+                'gcp'
+            )
             . '</p>';
     }
 
@@ -151,7 +152,8 @@ public static function validate_bucket($input)
             add_settings_error(
                 'gcs_settings',
                 'invalid-bucket',
-                __('The bucket does not exist, or is not writable', 'gcp'));
+                __('The bucket does not exist, or is not writable', 'gcp')
+            );
             return get_option(self::BUCKET_OPTION, '');
         }
         return $input;

gcs-media-plugin/gcs.php

@@ -53,12 +53,12 @@ function options_page_view()
             <?php
             // output security fields for the registered setting "gcs_settings"
             settings_fields('gcs_settings');
-            // output setting sections and their fields (sections are
-            // registered for "gcs", each field is registered to a specific
-            // section)
-            do_settings_sections('gcs');
-            // output save settings button
-            submit_button(__('Save Settings', 'gcs')); ?>
+    // output setting sections and their fields (sections are
+    // registered for "gcs", each field is registered to a specific
+    // section)
+    do_settings_sections('gcs');
+    // output save settings button
+    submit_button(__('Save Settings', 'gcs')); ?>
         </form>
     </div>
     <?php