Skip to content

Restore old device signature so the proxy works again #1100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
skjnldsv merged 1 commit into from
Oct 27, 2021
Merged

Restore old device signature so the proxy works again #1100

skjnldsv merged 1 commit into from
Oct 27, 2021

Conversation

@nickvergessen
Copy link
Member

@nickvergessen nickvergessen commented Oct 26, 2021
edited
Loading

Reverting #1081

cc @bytepoets-mzi Not sure what's wrong with golang vs. php, but I have to revert this so push notifications work again for our devices.

Verification test on https://play.golang.org/ prints:

OK HashAfterSign
Invalid signature HashBeforeSign

Program exited.

Sample go code:

// You can edit this code!
// Click here and start typing.
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

func main() {
	userPublicKey := `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwc4lFZz05CtWnRVIKkOz
vSZYfVZpD23K/7YVsoMZXsh7hrzJTFV6dmrJS01yTecF3I/tgL3Kt5kEyL2bRJpy
DUWRuqTWnqTnpbL6yTsMqeC/+eVPH3boCj6xEBEM2NQrNjUDnm2BFZszGyEHJj0B
LeBmOxBE1e7V4jBQGCrhoW9bLL1Oc434q7+pIFCSBT5a/ZQefqRrRWb68KjA9Xzq
1RA4z1MCBgejeC/k14Pg/xsr8Ixjw2SxOaFGcszInQemTvAeHplwlwmebKpW3Q0l
QAbwSfPUGX9TAUsOyhbazinEUpUXMmobHQM3matTRjcwYVbRpRSbG3XIxSsrfF2a
UwIDAQAB
-----END PUBLIC KEY-----`

	block, _ := pem.Decode([]byte(userPublicKey))
	if block == nil {
		fmt.Println("Invalid public key")
	}

	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil || pub == nil {
		fmt.Println("Invalid public key")
	}

	publicKey, ok := pub.(*rsa.PublicKey)
	if !ok {
		fmt.Println("Invalid public key")
	}

	deviceIdentifierHashAfterSign := "JIFqiMjfu5uzeTqa2k++BimoukxtOwOAQjIT8MAZ8/5rbhXq085eXkUnaoJJWFTJ8u7jBVEWkIcuJYot1mhQUw=="
	deviceIdentifierSignatureHashAfterSign := "vYo3lnXW+fVjtI2+XRxWIidKY0iW6OLxcipe5ThuqGdfsXhJQhQHWuR7IUEmiLgPtiobHStFIVaddXfDhgZnDRLe//kKBRsPzfqRI1dS9Q0C+38DRz/loNMp/WXYs0Ug4CSkG5otVnbqtYErCluZ3gA/hhBAzRi+Jw4lGkECEVdpt5XEvAi0A/bF7KK04JUkSHcJGpuGtxUzqUhSpNRRVCyN8LY10Q59whwfd0zlEqgGq3Wv+7tFaoZsD7iQ7jWFmbtzF3Z4QV7E7zH33BFX8Bdzu3NdWfDmkBBaB0K6HESObkTv5+sX/Z6UJ1ETYdQed6H7E/FLTl5UN4CqCWEHPA=="

	rawDeviceIdentifierHashHashAfterSign, err := base64.StdEncoding.DecodeString(deviceIdentifierHashAfterSign)
	if err != nil {
		fmt.Println("Invalid input HashAfterSign")
	}

	signatureHashAfterSign, err := base64.StdEncoding.DecodeString(deviceIdentifierSignatureHashAfterSign)
	if err != nil {
		fmt.Println("Invalid signature data HashAfterSign")
	}

	if err = rsa.VerifyPKCS1v15(publicKey, crypto.SHA512, rawDeviceIdentifierHashHashAfterSign, signatureHashAfterSign); err != nil {
		fmt.Println("Invalid signature HashAfterSign")
	} else {
		fmt.Println("OK HashAfterSign")
	}
	
	deviceIdentifierHashBeforeSign := "396hZP/Ww13/fbg/7xyLHn789ZBfMBEnhX7gQBub7iWY0LhcPzOin28zM+bLwNSRNOOCbsspBEu1eZB61+rieA=="
	deviceIdentifierSignatureHashBeforeSign := "aZsxhwzLOFVigIp7SfOgxghIVu2sgCbipqmxwgEn2QBH0PA8/j0738MI90JtEe2Fv6mrg4Sjo7/CmCZlo/KCya6JahFtK4zy07CbLS7hX7y1ACBkJJ8CWfhxm/UHtwzG+DVN5UrelHYcTnq6+gGFAlZEKs2ehD3QEqGxHZuJKR8WsUYFIbdrcfqwpEjqT85jyr615+hBWDQuToQQa/xPzw2jotHPP7r5I2dTEwbxdHpThFA5Av9NT0RExLYaphti+lInN25JxqlWDIbVg4pHko3G0LS+ca4Eu1tV1NPwkilTVzAYYPpEi7tfYodbgoMzv/bs0gMpgA7E+pjz1sToAQ=="

	rawDeviceIdentifierHashHashBeforeSign, err := base64.StdEncoding.DecodeString(deviceIdentifierHashBeforeSign)
	if err != nil {
		fmt.Println("Invalid input HashBeforeSign")
	}

	signatureHashBeforeSign, err := base64.StdEncoding.DecodeString(deviceIdentifierSignatureHashBeforeSign)
	if err != nil {
		fmt.Println("Invalid signature data HashBeforeSign")
	}

	if err = rsa.VerifyPKCS1v15(publicKey, crypto.SHA512, rawDeviceIdentifierHashHashBeforeSign, signatureHashBeforeSign); err != nil {
		fmt.Println("Invalid signature HashBeforeSign")
	} else {
		fmt.Println("OK HashBeforeSign")
	}
}

@nickvergessen nickvergessen added this to the Nextcloud 23 milestone Oct 26, 2021
@nickvergessen
Copy link
Member Author

nickvergessen commented Oct 26, 2021

/backport to stable22

@nickvergessen
Copy link
Member Author

nickvergessen commented Oct 26, 2021

/backport to stable21

@nickvergessen
Copy link
Member Author

nickvergessen commented Oct 26, 2021

/backport to stable20

@nickvergessen nickvergessen force-pushed the bugfix/noid/restore-old-device-signature-so-the-proxy-works-again branch from e550a02 to 65fea4f Compare October 26, 2021 18:58
timkrueger
timkrueger approved these changes Oct 27, 2021
View reviewed changes
Copy link

@timkrueger timkrueger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Push messages arrive again in Talk for Android.

@skjnldsv skjnldsv merged commit 1077f28 into master Oct 27, 2021
@skjnldsv skjnldsv deleted the bugfix/noid/restore-old-device-signature-so-the-proxy-works-again branch October 27, 2021 08:27
This was referenced Oct 27, 2021
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skjnldsv skjnldsv skjnldsv approved these changes

@vitormattos vitormattos Awaiting requested review from vitormattos

@mahibi mahibi Awaiting requested review from mahibi

@Ivansss Ivansss Awaiting requested review from Ivansss

+1 more reviewer

@timkrueger timkrueger timkrueger approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

3. to review bug feature: push 📲 high

Projects

None yet

Milestone

Nextcloud 23

Development

Successfully merging this pull request may close these issues.

4 participants

@nickvergessen @timkrueger @skjnldsv