0,0 → 1,97 |
<?php |
|
/* |
* OIDplus 2.0 |
* Copyright 2019 - 2022 Daniel Marschall, ViaThinkSoft |
* |
* Licensed under the Apache License, Version 2.0 (the "License"); |
* you may not use this file except in compliance with the License. |
* You may obtain a copy of the License at |
* |
* http://www.apache.org/licenses/LICENSE-2.0 |
* |
* Unless required by applicable law or agreed to in writing, software |
* distributed under the License is distributed on an "AS IS" BASIS, |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
* See the License for the specific language governing permissions and |
* limitations under the License. |
*/ |
|
// Works with composer.json |
// "sergeybrook/php-jws": "^1.0" |
|
require_once __DIR__.'/vendor/aywan/php-json-canonicalization/src/Utils.php'; |
require_once __DIR__.'/vendor/aywan/php-json-canonicalization/src/JsonCanonicalizationInterface.php'; |
require_once __DIR__.'/vendor/aywan/php-json-canonicalization/src/JsonCanonicalizationFactory.php'; |
require_once __DIR__.'/vendor/aywan/php-json-canonicalization/src/Canonicalizator.php'; |
|
function oidplus_json_verify($json_content, $pubkey) { |
require_once __DIR__.'/vendor/autoload.php'; |
|
$jws = new \SBrook\JWS\JwsRsa(); |
|
// Load JSON |
$json = json_decode($json_content); |
|
// 1. Extract the contents of the "signature" key from the JSON. |
$signature = $json->signature; |
|
// 2. Remove the "signature" key from the JSON |
unset($json->signature); |
|
// 3. Canonize the JSON contents using RFC 8785 |
$canonicalization = \aywan\JsonCanonicalization\JsonCanonicalizationFactory::getInstance(); |
$canonical = $canonicalization->canonicalize($json); |
$actual_payload = $canonical; |
|
// 4. Compare the canonized JSON to the base64-encoded payload of the JSON Web Signature. |
$expected_payload = $jws->getPayload($signature); |
if ($actual_payload != $expected_payload) { |
// echo "Actual:\n\n$actual_payload\n\n"; |
// echo "Expected:\n\n$expected_payload\n\n"; |
throw new Exception("Signature verification failed (Payload different)"); |
} |
|
// 5. Verify the JSON Web Signature according to RFC 7515 |
$jws->setPublicKey($pubkey); |
$v = $jws->verify($signature); |
if (!$v) { |
throw new Exception("Signature verification failed!"); |
} |
} |
|
function oidplus_json_sign($json_content, $privkey, $pubkey) { |
require_once __DIR__.'/vendor/autoload.php'; |
|
$jws = new \SBrook\JWS\JwsRsa(); |
|
// Load JSON |
$input = json_decode($json_content); |
|
// 1. Make sure that the JSON file has no signature (remove "signature" key if one exists). |
unset($input->signature); |
|
// 2. Canonize the JSON contents using RFC 8785 |
$canonicalization = \aywan\JsonCanonicalization\JsonCanonicalizationFactory::getInstance(); |
$canonical = $canonicalization->canonicalize($input); |
|
// 3. Sign the canonized JSON using a JSON Web Signature (JWS, RFC 7515) |
|
// For JWS registered header parameter names see (RFC 7515, Section 4.1) |
$header = [ |
"typ" => "JSON", |
"cty" => "text/json" |
]; |
$payload = $canonical; |
$jws->setPrivateKey($privkey, ''); |
$signature = $jws->sign($payload, $header); |
|
// 4. Add the key "signature" into the final JSON. Note that the final JSON does not need to be canonized. It can be pretty-printed. |
$output = $input; |
$output->signature = $signature; |
|
// Self-test and output |
$json_signed = json_encode($output); |
oidplus_json_verify($json_signed, $pubkey); |
return $json_signed; |
} |