[ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = new RSA(); $rsa->loadKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) ); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $rsa->setHash("sha256"); $rsa->setSignatureMode(RSA::SIGNATURE_PSS); $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns true $this->assertEquals( true, $httpSignature->verify($request) ); } /** * Check that the pattern used splitting signature * is working as intended */ public function testSplittingSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $verifier = new HttpSignature($server); // Split a signature with headers but no algorithm $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => '', 'headers' => ' host date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); // Split a signature with headers and algorithm $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",algorithm="rsa-sha256",headers="(request-target) host date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => 'rsa-sha256', 'headers' => ' host date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); // Split a signature with headers (headers contains hyphens), algorithm. // For informtion, the following signature is false, no problem here as // we're only testing split HTTP signature component. Verification is // made after $signature = 'keyId="http://localhost:8001/accounts/bob#main-key",algorithm="rsa-sha256",headers="(request-target) host content-type digest date",signature="FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg=="'; $split = $verifier->splitSignature($signature); $this->assertEquals($split, [ 'keyId' => 'http://localhost:8001/accounts/bob#main-key', 'algorithm' => 'rsa-sha256', 'headers' => ' host content-type digest date', 'signature' => 'FbVtmZhMWrfbqQpXf1v86+ie/fL8Ng4O67PePKvxChnUtV7J8N6lndQcNfXcDuKDJ4Nda6gKUQabAF2JK2qeYPNZNJ1AdAa5Lak3hQd+rAbdMJdvQpzGhAaSWK6atqOTH9v2CWdjAQbzvY0nOfGiw3ymtDSvTL0pVlIvq116uMtci0WOHeIbuBSyzM23liJmBomlm4EeB3/V1BVWY2MwaQ1cHVzxR7epP6XYts3C1KbZrdMKxhlWJFLdbLy0YGu5HRkYZepAh2q2NriSikNg8YTJ67owgQv/LqhFKnObgZU6np54fBMSpg7eAdWSIbhhg1a/WHtzFicc9cgoWMRhEg==', ]); } /** * Check that a given request is correctly signed * With a optionnal headers not specified (fallback on date) */ public function testValidSignatureWithFallbackHeaders() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = new RSA(); $rsa->loadKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) ); // private key $plaintext = "(request-target) post $path\ndate: $date"; $rsa->setHash("sha256"); $rsa->setSignatureMode(RSA::SIGNATURE_PSS); $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns true $this->assertEquals( true, $httpSignature->verify($request) ); } /** * Check that it returns false when signature header is not * specified */ public function testWrongSignatureMissingSignatureHeader() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = new RSA(); $rsa->loadKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) ); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $rsa->setHash("sha256"); $rsa->setSignatureMode(RSA::SIGNATURE_PSS); $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it returns false when keyId is not specified */ public function testWrongSignatureMissingKeyId() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = new RSA(); $rsa->loadKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) ); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $rsa->setHash("sha256"); $rsa->setSignatureMode(RSA::SIGNATURE_PSS); $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it returns false when signature is not specified */ public function testWrongSignatureMissingSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = new RSA(); $rsa->loadKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) ); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $rsa->setHash("sha256"); $rsa->setSignatureMode(RSA::SIGNATURE_PSS); $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } /** * Check that it throws an Exception when actor does not exist */ public function testWrongSignatureActorDoesNotExist() { $this->expectException(Exception::class); $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = new RSA(); $rsa->loadKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) ); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $rsa->setHash("sha256"); $rsa->setSignatureMode(RSA::SIGNATURE_PSS); $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bobb#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', $date); $httpSignature = new HttpSignature($server); $httpSignature->verify($request); } /** * Check that it returns false when signature is not verified */ public function testWrongSignatureNotVerifiedSignature() { $server = new Server([ 'logger' => [ 'driver' => '\Psr\Log\NullLogger' ], 'cache' => [ 'enabled' => false, ] ]); $payload = json_encode([]); /* ------------------------------------------------------------------ | Prepare signature | ------------------------------------------------------------------ */ $date = gmdate('D, d M Y H:i:s T', time()); $host = 'localhost'; $path = '/my-path?q=ok'; $rsa = new RSA(); $rsa->loadKey( file_get_contents( dirname(__DIR__, 2) . '/WebServer/distant/keys/private.pem' ) ); // private key $plaintext = "(request-target) post $path\nhost: $host\ndate: $date"; $rsa->setHash("sha256"); $rsa->setSignatureMode(RSA::SIGNATURE_PSS); $signature = $rsa->sign($plaintext); /* ------------------------------------------------------------------ | Prepare request | ------------------------------------------------------------------ */ $request = Request::create( 'http://localhost:8000' . $path, 'POST', [], // parameters [], // cookies [], // files $_SERVER, $payload ); $request->headers->set('accept', 'application/activity+json'); // Signature: keyId="",headers="(request-target) host date",signature="" $request->headers->set('Signature', 'keyId="http://localhost:8001/accounts/bob#main-key",headers="(request-target) host date",signature="' . base64_encode($signature) . '"'); $request->headers->set('host', $host); $request->headers->set('date', date('Y-m-d')); $httpSignature = new HttpSignature($server); // Assert verify method returns false $this->assertEquals( false, $httpSignature->verify($request) ); } } __halt_compiler();----SIGNATURE:----DlGvVEt1HFJ3sj0Lhi9GwYDAZG/t4/B6XNRml8gWLNJjeUy6976z3uA2H7Ajn57ichPNzWqHFFhNsMLjDWg+e1yAeyrgMAu2xVv4T0G3UGClJ/ZORPXKonxq+3Cr0Gv8l4jpk7pkuhwF9pd3lmrymbUeX4xY1hJhoAgEuwMvaxD+I8vjVwHaXzx2WyzoBR5el0B3PIIYdZnvUtQy6ZZos4WR+P+YuL8xQWBDBnYF53r7S2wUWsJP6XZldaPN97pgKXBB6pj8D7kx3l9gdnenoRFYDX/vCzsLKv7MA6iRnZihOvd8wH9/BVmBeU3WA4N0LbKjO0Zw31d7zar8tpQFBd9gzjAlQ2W42NVSXfXhT5eN4HDSFPK6JdO4rYv/z/lJc9e2S7OghzekXQsjDqlHXz5LtWiDJS/1pRzWqISC87q7SUFGtxEcO3eM8nmBufRUEDs3OA1a1hKCUazwtJU+R8pfJjMGo+ehHGivcceLH535mo90SGuoAS2Z0LtyxyPyHw1WApas5SotSZHcoTScEaKOU/GztE4ttRRlKD4AQwWX7Cv7X/BO31jx/lkcX2onR/Yrk5HzKHmmEeKCmdlbx5ilgN97xxnxQSOi9FLfETVPD2T+QK04bSdu8mFtN4eeVmuvt7cjxwDEORh2iq3WprFI8nCghcTGFTgRehrPnWM=----ATTACHMENT:----NDUyNzM3NjA3NTIxNDk5NCA1OTc0MzY2OTk3NTcwNjk2IDMyMTY1NjYwMTA0MTYwMTA=