sign final payload #1081



@ghost ghost commented Sep 28, 2021

Returned signature did not match payload as it was changed after signing.

Returned signature did not match payload as it was changed after
signing.

Signed-off-by: Martin Zimmermann <martin.zimmermann@bytepoets.com>
@nickvergessen
Member

I will check it next week with Ivan to confirm it's not breaking device and also to check why the mobile apps didn't complain so far XP

@ghost
Author

ghost commented Sep 28, 2021

Maybe I didn't understand the verification part. But I am not able to verify the signature. It works when I actually sign the final payload.

Is the signature verification by any means necessary to verify the response?

@nickvergessen
Member

> Is the signature verification by any means necessary to verify the response?

Well the mobile apps can verify it to make sure the data is correct before passing the information on to the push proxy.

@ghost
Author

ghost commented Sep 28, 2021

A checksum should be enough for that purpose.

I forgot to add the commands to verify the response as I am still unsure if I do it just wrong:

POST {{nextcloud-uri}}/api/v1/push/devices
{
  "pushTokenHash": "016bb1db6496579b8957ab935d5ef244d57d261b315b317ef96bb4a67098600bcac4ea78675c5c4bd315d3bdf95738012244eef85ebb6529fd9e3a12efadc76c",
  "devicePublicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzShlV+8U4Q5TV2q1cvF\nDcak1uxRZYGsZOQmG1O5+/qogwlFT1sLgcy3HVTzUmad3irFVZEy8OvmnjnG8wH/\nYP09ejEYvtVgshxMNWZbF2r7B4fWREMetkXZGRs7AyYBkUqfwFMpsc5PDflVdQ9j\n3ZqvzpXoy8mmAD6yYufEtH4k4lvFlc75wHb+tkEB8/0dt0YbB2IQzeq1M1BmVb+U\n/x/uCa2mx8ezqgjKtnscN2XoBpUqAzlFLB7dM+NMHvr42hi3JUMHWoFyF3+pFpCh\nNTVw+V78dITCCAOLaVe7UE+H5otvo+Dkf4E8T20GfITmuy/WW6Vz3WBfw0bZ9V/Z\nBQIDAQAB\n-----END PUBLIC KEY-----\n",
  "proxyServer": "<push-gateway>/api/v1/push"
}

This returns

<?xml version="1.0"?>
<ocs>
    <meta>
        <status>ok</status>
        <statuscode>201</statuscode>
        <message>OK</message>
    </meta>
    <data>
        <publicKey>-----BEGIN PUBLIC KEY-----
            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+DDqWrS9fivOaWZeI71P
            18/BRF2k8SjBWv4HK+yC3OWbpumVN7avZoFIh084EIEq8NlZeb/y+ElFhsNunpDH
            xL2O4vjaRA+s8SyWhEOpjnaRIzoZuWYyerSo9SIGuV7HQytbrT5R6JlrKcgbA1Ja
            wTUhQOpAPUNz89WruhagEJ1j/xPIhZ2ffBCJlUxORL2shmpZoXRTQyFABaLoVpP+
            iupf9MJoTvr8HTq6Ozh2cvZMOTxfrk8HLeWKAAeGQOlUSrq7Z6o7SiicrpugTZfO
            K/9pb8kfZui0G+qK5xcPQRn4yDEi61Jc2WFG+dS6ucoyYpLTyCt9qLklEE1aCgfn
            UwIDAQAB
            -----END PUBLIC KEY-----
        </publicKey>
        <deviceIdentifier>poVIPAEfVaXi/KQABRfSi1DaxlAL1CmfoUKfDKwb2cWugH5+Qbh/BNb0csCFuQUdUbep1X3Lhwvf1tuLypBU4Q==
        </deviceIdentifier>
        <signature>
            JoJB840g4x/z8n/wByGDJnpkXSWBiqh9gPXprrrvAMNaQkPswoMF2FOF1QR6dR8BmDpd3FMI3C8r8C1K67Eg2qnHRYqD4yPmvUOGw/6aJXmqIRzTB6cObQRgea1H1KUySFmnNSAmspCankLPwHjpFNZ6PBbntt/WElQUZqb+gnov1ixiftokStju6eMSLDKb3OKH0gVpkEuR5wnPB6bjyfao5mqVNIdwiGG33upIJlK0lrAx+oyT1wgrsWCUe2amuseWnl7MUe1gQCoHh7X4Y2bHnZV1599nQWull4CoaPndCnxNMRovB5njzOrgW0P/BBTaWqx0tPhaPDv3uGgWhA==
        </signature>
    </data>
</ocs>

Now, you can use openssl to verify this message: Copy publicKey to public.pem, convert deviceIdentifier to binary and save it as data via xsel --clipboard | base64 -D >data and finally convert the signature to binary and save it as signature.

The command to verify data is: openssl dgst -verify public.pem -keyform PEM -sha512 -signature signature -binary data but fails.
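
Added example, not part of this pull request or the project's code: it reproduces the failure mode named in the PR description (payload changed after signing) with the same `openssl dgst -sha512` check as in the comment above. The function names `verify_b64` and `sign_then_change`, the throwaway key and the identifier string are constructed for illustration, and which exact bytes the server signs is an assumption, since the page does not show it.

```shell
#!/bin/sh
# Added example (not project code). Key, identifier and names are constructed.

# verify_b64 PUBKEY_PEM DATA_FILE SIGNATURE_B64
# Returns 0 only if SIGNATURE_B64 is a valid RSA/SHA-512 signature over the
# exact bytes stored in DATA_FILE.
verify_b64() {
    sig_bin=$(mktemp) || return 2
    # Decode the single-line base64 signature to binary, as openssl expects.
    printf '%s' "$3" | openssl base64 -d -A > "$sig_bin"
    openssl dgst -sha512 -verify "$1" -signature "$sig_bin" "$2" \
        >/dev/null 2>&1 && rc=0 || rc=1
    rm -f "$sig_bin"
    return "$rc"
}

# Signs one payload, then verifies the signature against the signed bytes and
# against a payload that was altered after signing.
# Prints two words: result for the signed bytes, result for the altered bytes.
sign_then_change() {
    dir=$(mktemp -d) || return 2
    # Throwaway key pair standing in for the server's per-user key (assumption).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private.pem" 2>/dev/null
    openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem"

    # Bytes that are actually signed (constructed sample value).
    printf '%s' 'constructed-device-identifier' > "$dir/signed"
    sig=$(openssl dgst -sha512 -sign "$dir/private.pem" "$dir/signed" \
        | openssl base64 -A)

    # Payload as returned to the client, changed after signing. A single
    # appended newline is enough to invalidate the signature.
    printf '%s\n' 'constructed-device-identifier' > "$dir/returned"

    verify_b64 "$dir/public.pem" "$dir/signed" "$sig" && a=ok || a=fail
    verify_b64 "$dir/public.pem" "$dir/returned" "$sig" && b=ok || b=fail
    rm -rf "$dir"
    echo "$a $b"
}

sign_then_change
```

A client-side check built this way only passes when the server signs the final form of the value it returns, which is what the commit title asks for.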

@nickvergessen
Member

I wrote an integration test and could confirm the issue. I pushed it to #1094 together with your commit and a fix for the failing unit tests, so let's continue it there.

@ghost
Author

ghost commented Oct 18, 2021

Thanks!

This pull request was closed.