[ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey()->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash('sha256'); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns true $this->assertEquals( true, $httpSignature->verify($request) ); } /** * Check that the pattern used splitting signature * is working as intended */ public function testSplittingSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $verifier = new HttpSignature($server); // Split a signature with headers but no algorithm $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => '', 'headers' => ' host date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); // Split a signature with headers and algorithm $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",algorithm="rsa-sha256",headers="(request-target) host date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => 'rsa-sha256', 'headers' => ' host date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); // Split a signature with headers (headers contains hyphens), algorithm. // For informtion, the following signature is false, no problem here as // we're only testing split HTTP signature component. Verification is // made after $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",algorithm="rsa-sha256",headers="(request-target) host content-type digest date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => 'rsa-sha256', 'headers' => ' host content-type digest date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); } /** * Check that a given request is correctly signed * With a optionnal headers not specified (fallback on date) */ public function testValidSignatureWithFallbackHeaders() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns true $this->assertEquals( true, $httpSignature->verify($request) ); } /** * Check that it returns false when signature header is not * specified */ public function testWrongSignatureMissingSignatureHeader() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it returns false when keyId is not specified */ public function testWrongSignatureMissingKeyId() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it returns false when signature is not specified */ public function testWrongSignatureMissingSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it throws an Exception when actor does not exist */ public function testWrongSignatureActorDoesNotExist() { $this->expectException(Exception::class); $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bobb#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); $httpSignature->verify($request); } /** * Check that it returns false when signature is not verified */ public function testWrongSignatureNotVerifiedSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', date('Y-m-d')); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } } __halt_compiler();----SIGNATURE:----V+6FhuCTZ5bBFqkgaWU0OEcX11Ry2uhNEIVBVtG0eSPj1pa341IldrTzrccvvhNe4glHFXfMMKrwCl9G4gWSuse98zwqqqOVePD26UrBUCs9l7iYGiJqL2fX0PgtGgRtWS1Wi53dZrXNXpMQzRNSVohhMN3sbPaB28fncncyi/YeLVcJ1Mxypg1+AGuyTOMQAXRZYAtvKaPS+r2zmJ2ZmVNQOQMGRPUMnl3sLK/fh0/JBuqcY76zwqY4Irv8SHSkJ0KxZDuG1xuZjSoZljp/B23i7JD9yrQUzg7ICy5I4WGooG43XZdx38AONzKGRIYx16nrJMEa9Z58+1uiyF/yQuODUqtDMjtC6GCjrI7D5fXNFPfY+1iTVPCbCGlUn81bmF8OtUkmCmFcltzVD04jdsBrLNtuttI8G7Y02LrezbKr9X+A79uC3auyz8NIOi+4clpbfFKBoA7Q7ZULWQPXFqtPQD9qv6fcabUaKz2N5fTwbzmTuCTvfJDWduJxuqYwtnxvzaIECFQrRdEh5TDzXOioDVDav1018nGl9Xm7Qrf4WFLqaEJXbEWBqc6fFkfIg34l/M2O3BC5+7Ob9RHxYXB+G0Vn5G3gCQ/FNo7fiir+kqcRMrRSPConxUvxY6I4dFidwj1PbmtXlo4valHBUR08ddIOkqFCTi8xQuqwUdg=----ATTACHMENT:----NzQ3NDQ4ODU2NDI3MTgyMyA2MTkxNjIyNDM4Njc2Njc2IDEwMTg2MDk1MzM4NjI2NDE=