Decrypting Web Push notification with PHP

[mbootsman]

I'm building a PHP Web Push notification Listener for Mastodon.
I successfully created a subscription by sending the following post data to the Mastodon subscription API uri

$post_data = array(
        "subscription" => array(
            "endpoint" => $env["endpoint"], // URL of endpoint where PHP script is
            "keys" => array(
                "p256dh" => $env["vapid_public"], // Public key
                "auth" => $env["vapid_private"] // Private key
            )
        ),
        "data" => array(
            "alerts" => array(
                "mention" => true // receive notifications for mentions
            )
        )
    );

When I mention, or send a DM to the account the subscription is set up for, the PHP script receives a POST request with a notification. The notification payload is picked up by using file_get_contents("php://input"). This is binary data.

My question now is how do I decrypt this binary data. I have tried converting the payload to hex first, and then feeding it to openssl_decrypt() but I'm not sure what keys to use and so I'm kinda in the dark here. Any help is appreciated.

Update:
Here's a copy of the POST headers received by the Web Push Notification from Mastodon
The actual values of the keys is replaced with some words, because of security. Dots [.], identifiers [xx=] and semicolons[;] are left in place.

    [Authorization] => WebPush some_key_1.some_key_2.some_key_3 // This is the JSON Web Token https://web.dev/articles/push-notifications-web-push-protocol#json_web_token
    [Crypto-Key] => dh=crypto_key_1;p256ecdsa=crypto_key_2
    [Encryption] => salt=salt_key
    [Content-Encoding] => aesgcm
    [Urgency] => normal
    [Ttl] => 172800
    [Content-Type] => application/octet-stream
    [Digest] => SHA-256=digest_key
    [Accept-Encoding] => gzip
    [Date] => Wed, 22 Nov 2023 16:02:27 GMT
    [User-Agent] => http.rb/5.1.1 (Mastodon/4.2.1; +https://hidden_url.com/)
    [Content-Length] => 334
    [Connection] => close
    [Host] => other_hidden_url.com
    [X-Real-Port] => xxxxx
    [X-Port] => 443
    [X-Https] => on
    [X-Real-Ip] => hidden_ip
    [X-Forwarded-By] => other_hidden_ip

openssl_decrypt() uses the following parameters:

function openssl_decrypt(
    string $data,
    string $cipher_algo,
    string $passphrase,
    int $options = 0,
    string $iv = "",
    string|null $tag = null,
    string $aad = ""
): string|false { }

Now the challenge is to map the keys from the headers to these parameters, in combination with a private key that was submitted during the subscription. Any help with this is appreciated.

[ThisIsMissEm]

This may help: https://web.dev/articles/push-notifications-web-push-protocol#the_payload_encryption

[mbootsman]

Thanks, I have read that already, and I get the way the notification is encrypted. This still doesn't give me the information I need to decrypt it sadly.

[ThisIsMissEm]

Maybe this instead? https://github.com/web-push-libs/ecec#web-push

[mbootsman]

Thanks again @ThisIsMissEm, I'm unable to map the used parameters in openssl_decrypt() to any of the keys I have (used with the subscription, and received with the request headers when receiving a notification). The info and code in the link you shared does not help me. And that is probably because of my (lack of) skills 😉

[MAWane]

Looking at RFC 8188 you need to generate some of the keys using hash_hkdf()

[mbootsman]

I have picked up this after receiving some new intel about how to decrypt the notification payload.
But, whenever I mention the account that has a push notification subscription, nothing is received by my PHP app. I have also tried this with an account on mastodon.social. Is there anywhere I can track push notification subscriptions? In a log, or in the admin interface? Or is this a bug?

The server the PHP app is running on is accessible, I have tested this with some online tools.

[TomSmoot]

Are you getting anywhere with this? I think I have the same issue. I set up a PHP push requester and a push handler. I get a subscription response when I request a new subscription. It returns a subscription ID, the handler endpoint I gave it, etc. But I'm going crazy testing my push handler and starting to suspect I'm not getting the subscription notifications.

[mbootsman]

Hey @TomSmoot, I am experiencing the same problem right now. I registered my endpoint with the Mastodon instance, but do not get any notifications in my PHP app that is registered at the endpoint. Tried with my own instance, and with mastodon.social.

I have reported this as an issue, but no response there until now.

Receiving notifications is kinda required to continue with the decryption process 😉

[ThisIsMissEm]

What are these values? Are they base64 URL Safe encoded values?

"p256dh" => $env["vapid_public"], // Public key
"auth" => $env["vapid_private"] // Private key

For p256dh, if you have it in pem format, you'll need just the base64, iirc, so from:

----- BEGIN object-type -----
OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
----- END object-type -----

It should be:

OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkXxT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERKUM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==```