/**
 * A string that is not a signature over the data must be rejected.
 *
 * Creates a Key, calls generate() on it, and asserts that verify() returns
 * false when handed an arbitrary string in place of a real signature.
 */
public function testLoadAndFail()
{
    // Fixed inputs: the message and a value that was never produced by the key.
    $data_to_sign = "On the whole, I'd rather be in Philadelphia";
    $bogus_signature = 'This is not the correct signature';

    $key = new Key();
    $key->generate();

    // Negative path: verification has to fail closed on a wrong signature.
    $verified = $key->verify($data_to_sign, $bogus_signature);
    $this->assertFalse($verified);
}
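/**
 * Verify the HMAC on a request.
 *
 * Verifying the HMAC requires knowledge of a key that is shared between the
 * client and the server and must not be disclosed to any third party.
 *
 * The 'hmac' entry is removed from the request data and the remaining
 * entries are serialised with http_build_query() to form the string that is
 * verified. http_build_query() keeps the array's order, so the signer has to
 * build its string from the same entries in the same order. Both nonces are
 * part of that string and are therefore covered by the HMAC.
 *
 * A client nonce ('cnonce') is required. It should never have been used
 * before (generated and used once, then discarded). A server nonce
 * ('snonce') is optional and is only checked when present; it should have
 * been used exactly once before (generated by the server, used once and then
 * discarded). These nonces make the request data unique even for identical
 * requests.
 *
 * Order of checks: presence of 'hmac', presence of 'cnonce', the HMAC itself,
 * then the client nonce and finally the server nonce. The nonce helpers run
 * only after the HMAC has verified, so a caller that does not hold the shared
 * key cannot reach them.
 *
 * @param array  $request_data Request parameters; must contain 'hmac' and
 *                             'cnonce', may contain 'snonce'.
 * @param string $ip_address   Passed to verifyServerNonce() together with the
 *                             server nonce.
 *
 * @throws SignatureException If 'hmac' is missing, empty, not a string, or
 *                            does not verify.
 * @throws NonceException     If 'cnonce' is missing or empty. Presumably also
 *                            raised by the nonce helpers on a bad nonce;
 *                            confirm against their definitions.
 *
 * @return void
 */
public function verifyHMAC(array $request_data, $ip_address = '127.0.0.1')
{
    if (empty($request_data['hmac'])) {
        throw new SignatureException('No HMAC was present on the request data');
    }

    // The HMAC itself is not part of the data it covers, so take it out
    // before the remaining entries are serialised.
    $supplied_hmac = $request_data['hmac'];
    unset($request_data['hmac']);

    // A parameter such as hmac[]=... arrives as an array; that can never be
    // a valid HMAC, so reject it before it reaches Key::verify().
    if (!is_string($supplied_hmac)) {
        throw new SignatureException('The HMAC on the request data did not verify');
    }

    $data_to_verify = http_build_query($request_data);

    // The client nonce is mandatory. Only its presence is checked at this
    // point; the nonce itself is verified once the HMAC has been accepted.
    if (empty($request_data['cnonce'])) {
        throw new NonceException('No client nonce was present in signature verification');
    }

    // Create the shared key object.
    $sharedKey = new Key();
    $sharedKey->setSharedKey($this->sharedKey);

    // Authenticate the request first. Checking a nonce for prior use implies
    // a lookup in a nonce record; running that on unauthenticated input would
    // let anyone probe or fill that record.
    // NOTE(review): Key::verify() is not visible here; confirm it compares
    // the HMAC in constant time (e.g. hash_equals()).
    if (!$sharedKey->verify($data_to_verify, $supplied_hmac)) {
        throw new SignatureException('The HMAC on the request data did not verify');
    }

    $this->verifyClientNonce($request_data['cnonce']);

    // The server nonce is optional; the client must have requested one.
    if (!empty($request_data['snonce'])) {
        $this->verifyServerNonce($request_data['snonce'], $ip_address);
    }
}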