[ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey()->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash('sha256'); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns true $this->assertEquals( true, $httpSignature->verify($request) ); } /** * Check that the pattern used splitting signature * is working as intended */ public function testSplittingSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $verifier = new HttpSignature($server); // Split a signature with headers but no algorithm $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => '', 'headers' => ' host date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); // Split a signature with headers and algorithm $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",algorithm="rsa-sha256",headers="(request-target) host date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => 'rsa-sha256', 'headers' => ' host date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); // Split a signature with headers (headers contains hyphens), algorithm. // For informtion, the following signature is false, no problem here as // we're only testing split HTTP signature component. Verification is // made after $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",algorithm="rsa-sha256",headers="(request-target) host content-type digest date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => 'rsa-sha256', 'headers' => ' host content-type digest date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); } /** * Check that a given request is correctly signed * With a optionnal headers not specified (fallback on date) */ public function testValidSignatureWithFallbackHeaders() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns true $this->assertEquals( true, $httpSignature->verify($request) ); } /** * Check that it returns false when signature header is not * specified */ public function testWrongSignatureMissingSignatureHeader() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it returns false when keyId is not specified */ public function testWrongSignatureMissingKeyId() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it returns false when signature is not specified */ public function testWrongSignatureMissingSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it throws an Exception when actor does not exist */ public function testWrongSignatureActorDoesNotExist() { $this->expectException(Exception::class); $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bobb#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); $httpSignature->verify($request); } /** * Check that it returns false when signature is not verified */ public function testWrongSignatureNotVerifiedSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = RSA::createKey() ->loadPrivateKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) )->withHash("sha256"); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', date('Y-m-d')); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } } __halt_compiler();----SIGNATURE:----DgBkrGuH/oCFDcDk6BVc8ZWNb0VRIS+ckzwfkmDhTTVVEHRtTtwU16J/Tjko+0qX8227eOFHXgRF1R9e/CimjlpmcEwEpef8ZK+nL14DAiQ+SiLDpdiPArg70PSyXw3SRinFJv5+WDS22JDaex9Ewz/2YmbrKp8z9NQnA+u6ojJKJHJN0EN0BOn1Hini2mwuEpxZU/jIqqGUHKBnMKTqNYE51MqOzXZgk86zD5Yvg2YxV4ZuyA3Tr3sbFg8Uo9wVgaO7osIB4mfQj6wwqE9YCXY0rl7nLQdEuS/s1nHMpZPvy9b+vFnjVppRdeD+mLPbZFhwffDQPwh7gza8Tr36Wgl/1qfBo1iAKle8TMLkeAfbTk6Q+zvUIgFjDfK3thA2pacZb1dwwTaggtUeeePpSDT20aQQTG8VLSUtHOR3C3fIYTzFVDMC+X8opFv2BM5uT1T2GitrObqTqNep0o7UOrFnREXj1a1MSUiY4i+FZ9yQuLk4lAUeOxTqSyNb4BkvGhgPazwiZYNqFgKi6cmkKXZ1CLGdRxyy1MrUSt3K1y0pzGWBotD0MxAhsJ0oFvm2O9Saa+1SNxSBdlSyPthABzfdN2ihbVQGd8+Q/Gq7XuSiClrjgELyGDnsDLpWzr/qd1H3UldiaJA/zWljltnp7/JrVW0joXKzrO8Vxxfx+G0=----ATTACHMENT:----OTU1NDAyMTAwNTkyODIxNiA5ODYzODE5NTc3MDc0MTAyIDE0MzYxMDIwMjczMTg0Mjg=