PHP implementation of HTTP Signatures draft specification; cryptographically sign and verify HTTP requests and responses.

See also:

• https://github.com/99designs/http-signatures-guzzle
• https://github.com/99designs/http-signatures-ruby

Add 99designs/http-signatures to your composer.json.

Configure a context with your algorithm, keys, headers to sign. This is best placed in an application startup file.

use HttpSignatures\Context;

$context = new Context(array(
  'keys' => array('examplekey' => 'secret-key-here'),
  'algorithm' => 'hmac-sha256',
  'headers' => array('(request-target)', 'Date', 'Accept'),
));

If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via 'signingKeyId' => 'examplekey'.

A message is an HTTP request or response. A subset of the interface of Symfony\Component\HttpFoundation\Request is expected; the ability to read headers via $message->headers->get($name) and set them via $message->headers->set($name, $value), and for signing requests, methods to read the path, query string and request method.

use Symfony\Component\HttpFoundation\Request;

$message = Request::create('/path?query=123', 'GET');
$message->headers->replace(array(
  'Date' => 'Wed, 30 Jul 2014 16:40:19 -0700',
  'Accept' => 'llamas',
));

$context->signer()->sign($message);

Now $message contains the signature headers:

$message->headers->get('Signature');
# keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

$message->headers->get('Authorization');
# Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

$context->verifier()->isValid($message); // true or false

Pull Requests are welcome.

HTTP Signatures is licensed under The MIT License (MIT).