Add tests for Ed25519 signature verification and FASP integration.

pfefferle · claude · pfefferle · commit 9cd5a2d24521 · 2026-01-20T18:19:45.000+01:00
New FASP tests:
- Registration lookup by server_id
- Public key filter integration with Ed25519 keys
- Rejection of unapproved FASP registrations
- Pass-through for non-FASP keyIds
- Respecting existing keys from other filters

New Signature tests:
- Ed25519 signature verification via sodium
- Invalid signature detection
- Invalid key length detection

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/tests/phpunit/tests/includes/class-test-fasp.php b/tests/phpunit/tests/includes/class-test-fasp.php
@@ -485,4 +485,118 @@ function ( $capabilities ) {
 
 		remove_all_filters( 'activitypub_fasp_capabilities' );
 	}
+
+	/**
+	 * Test get_registration_by_server_id returns correct registration.
+	 *
+	 * @covers Activitypub\Fasp::get_registration_by_server_id
+	 */
+	public function test_get_registration_by_server_id() {
+		$registration_data = array(
+			'fasp_id'         => 'test-fasp-456',
+			'name'            => 'Test FASP by Server ID',
+			'base_url'        => 'https://fasp.example.com',
+			'server_id'       => 'unique-server-id-789',
+			'fasp_public_key' => 'dGVzdC1wdWJsaWMta2V5',
+			'status'          => 'approved',
+			'requested_at'    => current_time( 'mysql', true ),
+		);
+
+		update_option( 'activitypub_fasp_registrations', array( 'test-fasp-456' => $registration_data ) );
+
+		// Test finding by server_id.
+		$found = Fasp::get_registration_by_server_id( 'unique-server-id-789' );
+		$this->assertNotNull( $found );
+		$this->assertEquals( 'test-fasp-456', $found['fasp_id'] );
+		$this->assertEquals( 'Test FASP by Server ID', $found['name'] );
+
+		// Test not finding unknown server_id.
+		$not_found = Fasp::get_registration_by_server_id( 'unknown-server-id' );
+		$this->assertNull( $not_found );
+	}
+
+	/**
+	 * Test public key filter returns Ed25519 key for approved FASP.
+	 *
+	 * @covers Activitypub\Fasp::get_public_key_for_server_id
+	 */
+	public function test_public_key_filter_returns_ed25519_key() {
+		// Generate a valid Ed25519 keypair for testing.
+		$keypair    = sodium_crypto_sign_keypair();
+		$public_key = sodium_crypto_sign_publickey( $keypair );
+		$key_base64 = base64_encode( $public_key ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+
+		$registration_data = array(
+			'fasp_id'         => 'ed25519-fasp',
+			'name'            => 'Ed25519 Test FASP',
+			'base_url'        => 'https://fasp.example.com',
+			'server_id'       => 'ed25519-server-id',
+			'fasp_public_key' => $key_base64,
+			'status'          => 'approved',
+			'requested_at'    => current_time( 'mysql', true ),
+		);
+
+		update_option( 'activitypub_fasp_registrations', array( 'ed25519-fasp' => $registration_data ) );
+
+		// Ensure filter is registered.
+		Fasp::init();
+
+		// Call the filter directly.
+		$result = Fasp::get_public_key_for_server_id( null, 'ed25519-server-id' );
+
+		$this->assertIsArray( $result );
+		$this->assertEquals( 'ed25519', $result['type'] );
+		$this->assertEquals( $public_key, $result['key'] );
+	}
+
+	/**
+	 * Test public key filter returns error for unapproved FASP.
+	 *
+	 * @covers Activitypub\Fasp::get_public_key_for_server_id
+	 */
+	public function test_public_key_filter_rejects_unapproved_fasp() {
+		$registration_data = array(
+			'fasp_id'         => 'pending-fasp',
+			'name'            => 'Pending FASP',
+			'base_url'        => 'https://fasp.example.com',
+			'server_id'       => 'pending-server-id',
+			'fasp_public_key' => 'dGVzdC1wdWJsaWMta2V5',
+			'status'          => 'pending', // Not approved.
+			'requested_at'    => current_time( 'mysql', true ),
+		);
+
+		update_option( 'activitypub_fasp_registrations', array( 'pending-fasp' => $registration_data ) );
+
+		$result = Fasp::get_public_key_for_server_id( null, 'pending-server-id' );
+
+		$this->assertInstanceOf( 'WP_Error', $result );
+		$this->assertEquals( 'fasp_not_approved', $result->get_error_code() );
+	}
+
+	/**
+	 * Test public key filter returns null for non-FASP keyIds.
+	 *
+	 * @covers Activitypub\Fasp::get_public_key_for_server_id
+	 */
+	public function test_public_key_filter_passes_through_non_fasp_keyids() {
+		// No FASP registrations.
+		delete_option( 'activitypub_fasp_registrations' );
+
+		// Should return null for unknown keyIds, allowing default lookup.
+		$result = Fasp::get_public_key_for_server_id( null, 'https://example.com/users/test#main-key' );
+		$this->assertNull( $result );
+	}
+
+	/**
+	 * Test public key filter doesn't override existing key.
+	 *
+	 * @covers Activitypub\Fasp::get_public_key_for_server_id
+	 */
+	public function test_public_key_filter_respects_existing_key() {
+		$existing_key = 'existing-key-from-another-filter';
+
+		$result = Fasp::get_public_key_for_server_id( $existing_key, 'any-server-id' );
+
+		$this->assertEquals( $existing_key, $result );
+	}
 }
diff --git a/tests/phpunit/tests/includes/class-test-signature.php b/tests/phpunit/tests/includes/class-test-signature.php
@@ -745,4 +745,181 @@ public function test_set_rfc9421_unsupported() {
 		\delete_option( 'activitypub_rfc9421_signature' );
 		\remove_filter( 'pre_http_request', $mock_callback );
 	}
+
+	/**
+	 * Test Ed25519 signature verification via activitypub_pre_get_public_key filter.
+	 *
+	 * @covers ::verify_http_signature
+	 * @covers \Activitypub\Signature\Http_Message_Signature::verify_ed25519_signature
+	 */
+	public function test_ed25519_signature_verification() {
+		// Generate Ed25519 keypair.
+		$keypair     = \sodium_crypto_sign_keypair();
+		$public_key  = \sodium_crypto_sign_publickey( $keypair );
+		$private_key = \sodium_crypto_sign_secretkey( $keypair );
+
+		// Create signature base string.
+		$date            = \gmdate( 'D, d M Y H:i:s T' );
+		$created         = \time();
+		$params_string   = \sprintf(
+			'("@method" "@target-uri" "date");created=%d;keyid="test-fasp-server-id"',
+			$created
+		);
+		$signature_base  = "\"@method\": POST\n";
+		$signature_base .= "\"@target-uri\": https://example.org/wp-json/activitypub/1.0/fasp/capabilities/test/1/activation\n";
+		$signature_base .= "\"date\": $date\n";
+		$signature_base .= "\"@signature-params\": $params_string";
+
+		// Sign with Ed25519.
+		$signature = \sodium_crypto_sign_detached( $signature_base, $private_key );
+
+		// Create signature headers.
+		$signature_input  = "sig=$params_string";
+		$signature_header = 'sig=:' . \base64_encode( $signature ) . ':';
+
+		// Mock the public key retrieval to return Ed25519 key.
+		$mock_ed25519_key = function ( $key, $key_id ) use ( $public_key ) {
+			if ( 'test-fasp-server-id' === $key_id ) {
+				return array(
+					'type' => 'ed25519',
+					'key'  => $public_key,
+				);
+			}
+			return $key;
+		};
+		\add_filter( 'activitypub_pre_get_public_key', $mock_ed25519_key, 10, 2 );
+
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_SERVER['REQUEST_URI']    = '/' . \rest_get_url_prefix() . '/' . ACTIVITYPUB_REST_NAMESPACE . '/fasp/capabilities/test/1/activation';
+		$_SERVER['HTTP_HOST']      = 'example.org';
+		$_SERVER['HTTPS']          = 'on';
+
+		// Create REST request with Ed25519 signature.
+		$request = new \WP_REST_Request( 'POST', ACTIVITYPUB_REST_NAMESPACE . '/fasp/capabilities/test/1/activation' );
+		$request->set_header( 'Date', $date );
+		$request->set_header( 'Host', 'example.org' );
+		$request->set_header( 'Signature-Input', $signature_input );
+		$request->set_header( 'Signature', $signature_header );
+
+		// Verification should succeed.
+		$result = Signature::verify_http_signature( $request );
+		$this->assertTrue( $result, 'Valid Ed25519 signature should verify' );
+
+		\remove_filter( 'activitypub_pre_get_public_key', $mock_ed25519_key );
+	}
+
+	/**
+	 * Test Ed25519 signature verification fails with invalid signature.
+	 *
+	 * @covers ::verify_http_signature
+	 * @covers \Activitypub\Signature\Http_Message_Signature::verify_ed25519_signature
+	 */
+	public function test_ed25519_invalid_signature_fails() {
+		// Generate Ed25519 keypair.
+		$keypair    = \sodium_crypto_sign_keypair();
+		$public_key = \sodium_crypto_sign_publickey( $keypair );
+
+		// Create a different keypair to sign with (simulates wrong key).
+		$wrong_keypair    = \sodium_crypto_sign_keypair();
+		$wrong_secret_key = \sodium_crypto_sign_secretkey( $wrong_keypair );
+
+		// Create signature base string.
+		$date            = \gmdate( 'D, d M Y H:i:s T' );
+		$created         = \time();
+		$params_string   = \sprintf(
+			'("@method" "@target-uri" "date");created=%d;keyid="test-fasp-server-id"',
+			$created
+		);
+		$signature_base  = "\"@method\": POST\n";
+		$signature_base .= "\"@target-uri\": https://example.org/wp-json/activitypub/1.0/fasp/capabilities/test/1/activation\n";
+		$signature_base .= "\"date\": $date\n";
+		$signature_base .= "\"@signature-params\": $params_string";
+
+		// Sign with WRONG key.
+		$signature = \sodium_crypto_sign_detached( $signature_base, $wrong_secret_key );
+
+		// Create signature headers.
+		$signature_input  = "sig=$params_string";
+		$signature_header = 'sig=:' . \base64_encode( $signature ) . ':';
+
+		// Mock the public key retrieval to return the CORRECT public key.
+		$mock_ed25519_key = function ( $key, $key_id ) use ( $public_key ) {
+			if ( 'test-fasp-server-id' === $key_id ) {
+				return array(
+					'type' => 'ed25519',
+					'key'  => $public_key,
+				);
+			}
+			return $key;
+		};
+		\add_filter( 'activitypub_pre_get_public_key', $mock_ed25519_key, 10, 2 );
+
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_SERVER['REQUEST_URI']    = '/' . \rest_get_url_prefix() . '/' . ACTIVITYPUB_REST_NAMESPACE . '/fasp/capabilities/test/1/activation';
+		$_SERVER['HTTP_HOST']      = 'example.org';
+		$_SERVER['HTTPS']          = 'on';
+
+		// Create REST request with Ed25519 signature (signed with wrong key).
+		$request = new \WP_REST_Request( 'POST', ACTIVITYPUB_REST_NAMESPACE . '/fasp/capabilities/test/1/activation' );
+		$request->set_header( 'Date', $date );
+		$request->set_header( 'Host', 'example.org' );
+		$request->set_header( 'Signature-Input', $signature_input );
+		$request->set_header( 'Signature', $signature_header );
+
+		// Verification should fail.
+		$result = Signature::verify_http_signature( $request );
+		$this->assertWPError( $result, 'Invalid Ed25519 signature should fail verification' );
+		$this->assertEquals( 'activitypub_signature', $result->get_error_code() );
+
+		\remove_filter( 'activitypub_pre_get_public_key', $mock_ed25519_key );
+	}
+
+	/**
+	 * Test Ed25519 signature verification fails with invalid key length.
+	 *
+	 * @covers ::verify_http_signature
+	 * @covers \Activitypub\Signature\Http_Message_Signature::verify_ed25519_signature
+	 */
+	public function test_ed25519_invalid_key_length_fails() {
+		// Create signature headers with dummy values.
+		$date             = \gmdate( 'D, d M Y H:i:s T' );
+		$created          = \time();
+		$params_string    = \sprintf(
+			'("@method" "@target-uri" "date");created=%d;keyid="test-fasp-server-id"',
+			$created
+		);
+		$signature_input  = "sig=$params_string";
+		$signature_header = 'sig=:' . \base64_encode( \str_repeat( 'x', 64 ) ) . ':'; // 64 bytes for signature.
+
+		// Mock the public key retrieval to return an invalid length key.
+		$mock_invalid_key = function ( $key, $key_id ) {
+			if ( 'test-fasp-server-id' === $key_id ) {
+				return array(
+					'type' => 'ed25519',
+					'key'  => 'too-short', // Invalid key length.
+				);
+			}
+			return $key;
+		};
+		\add_filter( 'activitypub_pre_get_public_key', $mock_invalid_key, 10, 2 );
+
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_SERVER['REQUEST_URI']    = '/' . \rest_get_url_prefix() . '/' . ACTIVITYPUB_REST_NAMESPACE . '/fasp/capabilities/test/1/activation';
+		$_SERVER['HTTP_HOST']      = 'example.org';
+		$_SERVER['HTTPS']          = 'on';
+
+		// Create REST request.
+		$request = new \WP_REST_Request( 'POST', ACTIVITYPUB_REST_NAMESPACE . '/fasp/capabilities/test/1/activation' );
+		$request->set_header( 'Date', $date );
+		$request->set_header( 'Host', 'example.org' );
+		$request->set_header( 'Signature-Input', $signature_input );
+		$request->set_header( 'Signature', $signature_header );
+
+		// Verification should fail due to invalid key length.
+		$result = Signature::verify_http_signature( $request );
+		$this->assertWPError( $result, 'Invalid Ed25519 key length should fail verification' );
+		$this->assertEquals( 'invalid_key_length', $result->get_error_code() );
+
+		\remove_filter( 'activitypub_pre_get_public_key', $mock_invalid_key );
+	}
 }
