From 2d2c9a60f8b118b7fbe34c70ea820f4b9094be4a Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Sat, 29 Dec 2018 21:50:37 -0700
Subject: [PATCH] Fixes #719, add blind key rotation

---
 app/Http/Controllers/FederationController.php | 44 +++++++++++++++++--
 1 file changed, 40 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/FederationController.php b/app/Http/Controllers/FederationController.php
index c93b1b664..508874341 100644
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@@ -180,6 +180,20 @@ XML;
         if($profile->status != null) {
             return ProfileController::accountCheck($profile);
         }
+        $body = $request->getContent();
+        $bodyDecoded = json_decode($body, true, 8);
+        if($this->verifySignature($request, $profile) == true) {
+            InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
+        } else if($this->blindKeyRotation($request, $profile) == true) {
+            InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
+        } else {
+            abort(400, 'Bad Signature');
+        }
+        return;
+    }
+
+    protected function verifySignature(Request $request, Profile $profile)
+    {
         $body = $request->getContent();
         $bodyDecoded = json_decode($body, true, 8);
         $signature = $request->header('signature');
@@ -209,11 +223,33 @@ XML;
         $pkey = openssl_pkey_get_public($actor->public_key);
         $inboxPath = "/users/{$profile->username}/inbox";
         list($verified, $headers) = HTTPSignature::verify($pkey, $signatureData, $request->headers->all(), $inboxPath, $body);
-        if($verified !== 1) { 
-            abort(400, 'Invalid signature.');
+        if($verified == 1) { 
+            return true;
+        } else {
+            return false;
         }
-        InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
-        return;
+    }
+
+    protected function blindKeyRotation(Request $request, Profile $profile)
+    {
+        $signature = $request->header('signature');
+        if(!$signature) {
+            abort(400, 'Missing signature header');
+        }
+        $signatureData = HttpSignature::parseSignatureHeader($signature);
+        $keyId = Helpers::validateUrl($signatureData['keyId']);
+        $actor = Profile::whereKeyId($keyId)->first();
+        $res = Zttp::timeout(5)->withHeaders([
+          'Accept'     => 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
+          'User-Agent' => 'PixelFedBot v0.1 - https://pixelfed.org',
+        ])->get($actor->remote_url);
+        $res = json_decode($res->body(), true, 8);
+        if($res['publicKey']['id'] !== $actor->key_id) {
+            return false;
+        }
+        $actor->public_key = $res['publicKey']['publicKeyPem'];
+        $actor->save();
+        return $this->verifySignature($request, $profile);
     }
 
     public function userFollowing(Request $request, $username)