
Add support for other PEM key formats than X.509 in signature verification #1130

Open
@Menrath

Description

Quick summary

Some applications do not use X.509 for their actors in their publicKeyPem.

Mobilizon, for instance, uses PEM-encoded PKCS#1 RSAPrivateKey:

-----BEGIN RSA PUBLIC KEY-----

Steps to reproduce

Try to receive anything from an actor with a PKCS#1-encoded key.

What you expected to happen

The signature verification should not fail because of the key not being X.509 encoded.

What actually happened

The signature verification of a valid key and signed request failed because openssl_verify gets passed the public_key parameter in a wrong format.

https://github.com/Automattic/wordpress-activitypub/blob/trunk/includes/class-signature.php#L323

Impact

Some (< 50%)

Available workarounds?

Yes, easy to implement

Logs or notes

Don't ask how many hours passed till I found out about this. :)
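As an added example (not the plugin's or Mobilizon's own code), here is a PHP helper that rewrites a PKCS#1 "RSA PUBLIC KEY" PEM into the X.509 SubjectPublicKeyInfo "PUBLIC KEY" form before it reaches openssl_pkey_get_public()/openssl_verify(). The function names are assumptions, and it covers only RSA keys, the case reported in this issue; keys that already carry the "PUBLIC KEY" header pass through untouched.

```php
<?php
// Added example: normalise a publicKeyPem value so OpenSSL accepts it.
// Only the PKCS#1 RSAPublicKey -> SubjectPublicKeyInfo case is handled.

/** Encode a DER length (short form below 128, long form otherwise). */
function der_length( int $len ): string {
	if ( $len < 0x80 ) {
		return chr( $len );
	}
	$bytes = ltrim( pack( 'N', $len ), "\0" ); // big-endian, no leading zeros
	return chr( 0x80 | strlen( $bytes ) ) . $bytes;
}

/** Wrap a DER RSAPublicKey (PKCS#1) in SubjectPublicKeyInfo with rsaEncryption. */
function pkcs1_to_spki_der( string $pkcs1_der ): string {
	// AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
	$alg_id = "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00";
	// BIT STRING (zero unused bits) containing the RSAPublicKey.
	$bit_string = "\x03" . der_length( strlen( $pkcs1_der ) + 1 ) . "\x00" . $pkcs1_der;
	$body = $alg_id . $bit_string;
	return "\x30" . der_length( strlen( $body ) ) . $body;
}

/** Return a PEM that openssl_pkey_get_public() understands. */
function normalize_public_key_pem( string $pem ): string {
	$pem = trim( $pem );
	if ( ! preg_match( '/-----BEGIN RSA PUBLIC KEY-----(.*?)-----END RSA PUBLIC KEY-----/s', $pem, $m ) ) {
		return $pem; // already "PUBLIC KEY" (X.509) or another format: leave as-is
	}
	$der = base64_decode( preg_replace( '/\s+/', '', $m[1] ), true );
	if ( false === $der ) {
		return $pem; // not valid base64: let the caller's verification fail normally
	}
	$spki = base64_encode( pkcs1_to_spki_der( $der ) );
	return "-----BEGIN PUBLIC KEY-----\n" . chunk_split( $spki, 64, "\n" ) . "-----END PUBLIC KEY-----\n";
}

// Usage (hypothetical variable names), placed before the openssl_verify() call:
// $key = openssl_pkey_get_public( normalize_public_key_pem( $actor['publicKey']['publicKeyPem'] ) );
// if ( false === $key ) { /* reject the request: key still unusable */ }
```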
