<?php
/*
* OIDplus 2.0
* Copyright 2019 - 2022 Daniel Marschall, ViaThinkSoft
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// Works with composer.json
// "sergeybrook/php-jws": "^1.0"
/**
* @param string $json_content
* @param string $pubkey
* @return void
* @throws Exception
*/
function oidplus_json_verify(string $json_content, string $pubkey) {
require_once __DIR__.'/vendor/autoload.php';
$jws = new \SBrook\JWS\JwsRsa();
// Load JSON
// 1. Extract the contents of the "signature" key from the JSON.
$signature = $json->signature;
// 2. Remove the "signature" key from the JSON
// 3. Canonize the JSON contents using RFC 8785
$canonicalization = \aywan\JsonCanonicalization\JsonCanonicalizationFactory::getInstance();
$canonical = $canonicalization->canonicalize($json);
$actual_payload = $canonical;
// 4. Compare the canonized JSON to the base64-encoded payload of the JSON Web Signature.
$expected_payload = $jws->getPayload($signature);
if ($actual_payload != $expected_payload) {
// echo "Actual:\n\n$actual_payload\n\n";
// echo "Expected:\n\n$expected_payload\n\n";
throw new Exception("Signature verification failed (Payload different)");
}
// 5. Verify the JSON Web Signature according to RFC 7515
$jws->setPublicKey($pubkey);
$v = $jws->verify($signature);
if (!$v) {
throw new Exception("Signature verification failed!");
}
}
/**
* @param string $json_content
* @param string $privkey
* @param string $pubkey
* @return string
* @throws Exception
*/
function oidplus_json_sign(string $json_content, string $privkey, string $pubkey) {
require_once __DIR__.'/vendor/autoload.php';
$jws = new \SBrook\JWS\JwsRsa();
// Load JSON
// 1. Make sure that the JSON file has no signature (remove "signature" key if one exists).
unset($input->signature);
// 2. Canonize the JSON contents using RFC 8785
$canonicalization = \aywan\JsonCanonicalization\JsonCanonicalizationFactory::getInstance();
$canonical = $canonicalization->canonicalize($input);
// 3. Sign the canonized JSON using a JSON Web Signature (JWS, RFC 7515)
// For JWS registered header parameter names see (RFC 7515, Section 4.1)
// Note that the required "alg" argument will be added automatically
$header = [
"typ" => "OID-IP", // optional (unused)
"cty" => "text/json" // optional
];
$payload = $canonical;
$jws->setPrivateKey($privkey, '');
$signature = $jws->sign($payload, $header);
// 4. Add the key "signature" into the final JSON. Note that the final JSON does not need to be canonized. It can be pretty-printed.
$output = $input;
$output->signature = $signature;
// Self-test and output
if (!$json_signed) throw new Exception("JSON Encoding failed");
oidplus_json_verify($json_signed, $pubkey);
return $json_signed;
}