Merge pull request #1105 from nextcloud/backport/1100/stable20

[stable20] Restore old device signature so the proxy works again

Author: nickvergessen

lib/Controller/PushController.php

@@ -118,8 +118,13 @@ public function registerDevice(string $pushTokenHash, string $devicePublicKey, s
 		$key = $this->identityProof->getKey($user);
 
 		$deviceIdentifier = json_encode([$user->getCloudId(), $token->getId()]);
-		$deviceIdentifier = base64_encode(hash('sha512', $deviceIdentifier, true));
 		openssl_sign($deviceIdentifier, $signature, $key->getPrivate(), OPENSSL_ALGO_SHA512);
+		/**
+		 * For some reason the push proxy's golang code needs the signature
+		 * of the deviceIdentifier before the sha512 hashing. Assumption is that
+		 * openssl_sign already does the sha512 internally.
+		 */
+		$deviceIdentifier = base64_encode(hash('sha512', $deviceIdentifier, true));
 
 		$appType = 'unknown';
 		if ($this->request->isUserAgent([

tests/Integration/features/bootstrap/FeatureContext.php

@@ -268,18 +268,28 @@ public function registerForPushNotifications(string $user, TableNode $formData)
 	}
 
 	/**
-	 * @Then /^can validate the response and signature$/
+	 * @Then /^can validate the response and (skip verifying|verify) signature$/
 	 */
-	public function validateResponseAndSignature(): void {
+	public function validateResponseAndSignature(string $verify): void {
 		$response = $this->getArrayOfNotificationsResponded($this->response);
 
 		Assert::assertStringStartsWith('-----BEGIN PUBLIC KEY-----' . "\n", $response['publicKey']);
 		Assert::assertStringEndsWith('-----END PUBLIC KEY-----' . "\n", $response['publicKey']);
 		Assert::assertNotEmpty($response['deviceIdentifier'], 'Device identifier should not be empty');
 		Assert::assertNotEmpty($response['signature'], 'Signature should not be empty');
 
-		$result = openssl_verify($response['deviceIdentifier'], base64_decode($response['signature']), $response['publicKey'], OPENSSL_ALGO_SHA512);
-		Assert::assertEquals(true, $result, 'Failed to verify the signature');
+		if ($verify === 'verify') {
+			$result = openssl_verify($response['deviceIdentifier'], base64_decode($response['signature']), $response['publicKey'], OPENSSL_ALGO_SHA512);
+			Assert::assertEquals(true, $result, 'Failed to verify the signature');
+		} else {
+			/**
+			 * For some weird reason the push proxy's golang code needs the signature
+			 * of the deviceIdentifier before the sha512 hashing. Assumption is that
+			 * openssl_sign already does the sha512 internally.
+			 * The problem is we can not revert the sha512 of the deviceIdentifier
+			 */
+			var_dump("\n\nEnjoy with care, signature was not verified!\n\n");
+		}
 	}
 
 	/**

tests/Integration/features/push-registration.feature

@@ -38,7 +38,7 @@ Feature: Push registration
     | devicePublicKey | VALID_KEY |
     | proxyServer | https://push-notifications.nextcloud.com/ |
     Then status code is 201
-    And can validate the response and signature
+    And can validate the response and skip verifying signature
 
   Scenario: Unregistering from push notifications without app password
     Given user "test1" forgets the app password
@@ -52,7 +52,7 @@ Feature: Push registration
       | devicePublicKey | VALID_KEY |
       | proxyServer | https://push-notifications.nextcloud.com/ |
     Then status code is 201
-    And can validate the response and signature
+    And can validate the response and skip verifying signature
     Given user "test1" unregisters from push notifications
     Then status code is 202
     Given user "test1" unregisters from push notifications

tests/Unit/Controller/PushControllerTest.php

@@ -302,7 +302,7 @@ public function dataRegisterDevice() {
 				[
 					'publicKey' => $this->userPublicKey,
 					'deviceIdentifier' => 'XUCEZ1EHvTUcVhIvrQQQ1XcP0ZD2BFdFqw4EYbOhBfiEgXgirurR4x/ve4GSSyfivvbQOdOkZUM+g4m+tSb0Ew==',
-					'signature' => 'X9+J7NNLfG9Ft6C36zrYLVJ5aH5euIROzdV937hsU81jL7WvOwzBfc7bImzxU3Bnev5wEKwkw7Ts/2q/+UUkOxgtEZinp52s87S5obKtsVXsczHbsqg4p/ueoBPhF17VsP1e8kMtxZ4snk/iArX4Eu1cfaM3+OckmpO0MYXy0rUbYpQPAJo4VgRFKKjFvfEVOj8N74DTIJ+TjRsvvDhJbb9KpeFe3a6Rv9mIo0AqoK+deAbUkWY0aM+74noVXvPtNzExgK4mWJ02+JHEuQEUbCuQsgoBia0vC3fILbwVxHzrieWGEnE7vkRyFEzlkeo7ZSMawDPxsPN5HxwBs2SZig==',
+					'signature' => 'LRhbXO71WYX9qqDbQX7C+87YaaFfWoT/vG0DlaXdBz6+lhyOA0dw/1Ggz3fd7RerCQ0MfgnnTyxO+cSeRpUaPdA2yPjfoiPpfYA5SOJQGF3comS/HYna3fHiFDbOoM3BJOnjvqiSZdxA/ICdyl2mEEC5wO7AZ4OZKBTa5XfL7eSCXZLEv1YldqcLOStbXrI7voDQocTMJxoQZI/j8BVcf2i3D6F454aXIFDrYYzC2PQY+CKJoXZW0m0RMWaTM2B8tBmFFwrmaGLDqcjjpd33TsTtsV5DB7WimffLBPpOuGV4Z1Kiagp/mxpPLz2NImNV79mDX9gY3ZppCZTwChP5qQ==',
 				],
 				Http::STATUS_CREATED,
 			],
@@ -317,7 +317,7 @@ public function dataRegisterDevice() {
 				[
 					'publicKey' => $this->userPublicKey,
 					'deviceIdentifier' => 'x9vSImcGjhzR9BfZ/XbbUqqCCNC4bHKsX7vkQWNZRd1/MiY+OuF02fx8K08My0RpkNnwj/rQ/gVSU1oEdFwkww==',
-					'signature' => 'GFpnv3MO7mcBef2RJ4Ayrl6RQakGM7AvlKhoTr3DUWnv+iBzwGy8YV34HIPoArz4tyqonHRlLsxPYq4ENPfGO99KrIS16z4RUq0wiCBGf+S8/K8lM9cE9EBKE9yrkTsSvZGICEusvxQ+cTfVr30bnavvi1wL1UuxxDBlJebda9FJ9HfaS24j4rT7K78oMguqDVM+4hhr6BMhcpUVV+kTpOaBpluw5pRDwUP3jJBmkkOa57WRKFcu0Lr/XIx/G0c8Si+BAfM//CTMstwp5XDFn4W9EYSStjNrvsULdV+tOKFwnowqts+UFzEDvmZ1g4qIMWUUPBF4/pjaiDqtMojgrA==',
+					'signature' => 'J9AcdJt5youJmMnBhS+Cc9ytArynIKtCRoNf/m0oOFO/e0hWHqs1NRdQBe81qzYIjf0+bj0Q97X9Xv1rnVJesPkQUbGaa4nAPt+viGSfvzTptjX4LKgqm8B3UkduBA262IcaWgM5P84gUqelkQIC1nIqq/MJTuC6oQ5lUwIV1a92ZurDjhwH4b3f7/ZLTTOTRD0DWN9W/yOyF1qECivgePR3eu+mkcBzXVU/TDZDJic9G7xhqcTnWV6qk+aKyzdNo1tu5W7mF+v5vF6rrGZrq55vPLWAHApTD7P+NFV01BnaCuN7/qGJNVs7m7EH03jpOw7y3jqNMmcmonYrJSMVqg==',
 				],
 				Http::STATUS_OK,
 			],