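/**
 * All-in-one function to check the signature on a request.
 *
 * The timestamp and nonce checks run first; only a request that passes both
 * reaches the signature verification. The signature method is chosen from
 * the request itself via getSignatureMethod().
 *
 * @param JacobKiers\OAuth\Request\RequestInterface $request
 * @param JacobKiers\OAuth\Consumer\ConsumerInterface $consumer
 * @param JacobKiers\OAuth\Token\TokenInterface $token
 *
 * @throws JacobKiers\OAuth\OAuthException when the timestamp, nonce or signature is rejected
 */
private function checkSignature(RequestInterface $request, ConsumerInterface $consumer, TokenInterface $token)
{
    // $request is type-hinted as RequestInterface, so the former
    // "instanceof ? ... : null" guards could never take the null branch.
    $timestamp = $request->getOAuthTimestamp();
    $nonce = $request->getOAuthNonce();

    $this->checkTimestamp($timestamp);
    $this->checkNonce($consumer, $token, $nonce, $timestamp);

    $signature_method = $this->getSignatureMethod($request);
    $signature = $request->getOAuthSignature();

    // The signature method performs the actual comparison; anything but a
    // positive result is treated as a rejected request.
    if (!$signature_method->checkSignature($request, $consumer, $token, $signature)) {
        throw new OAuthException('Invalid signature');
    }
}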
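/**
 * Verifies that a given signature is correct.
 *
 * The base64-encoded signature is decoded strictly, the public key is read
 * from the certificate fetchPublicCert() returns for the request, and the
 * signature is checked against the request's signature base string with
 * openssl_verify() (default digest).
 *
 * Returns false, rather than emitting a warning, when the signature is not
 * a string, is not valid base64, or the certificate yields no usable key.
 *
 * @param JacobKiers\OAuth\Request\RequestInterface $request
 * @param JacobKiers\OAuth\Consumer\ConsumerInterface $consumer
 * @param JacobKiers\OAuth\Token\TokenInterface $token
 * @param string $signature
 *
 * @return bool
 */
public function checkSignature(RequestInterface $request, ConsumerInterface $consumer, TokenInterface $token, $signature)
{
    // A missing or non-string oauth_signature can never verify.
    if (!is_string($signature)) {
        return false;
    }

    $base_string = $request->getOAuthSignatureBaseString();

    // Strict decoding: characters outside the base64 alphabet make the decode
    // fail instead of being silently dropped and verifying a mangled value.
    $decoded_sig = base64_decode($signature, true);
    if ($decoded_sig === false) {
        return false;
    }

    // Fetch the public key cert based on the request
    $cert = $this->fetchPublicCert($request);

    // Pull the public key from the certificate; false when it cannot be parsed.
    // Passing false on to openssl_verify() would only produce a warning.
    $publickeyid = openssl_get_publickey($cert);
    if ($publickeyid === false) {
        return false;
    }

    // openssl_verify(): 1 = valid, 0 = invalid, -1 = error.
    // Only an exact 1 counts as a successful verification.
    $ok = openssl_verify($base_string, $decoded_sig, $publickeyid);

    // Release the key resource (deprecated no-op since PHP 8.0, kept for older runtimes)
    openssl_free_key($publickeyid);

    return $ok === 1;
}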
/**
 * Build up the signature.
 *
 * oauth_signature is set to the concatenated encoded values of the Consumer Secret and
 * Token Secret, separated by a '&' character (ASCII code 38), even if either secret is
 * empty. The result MUST be encoded again.
 * - Chapter 9.4.1 ("Generating Signatures")
 *
 * Please note that the second encoding MUST NOT happen in the SignatureMethod, as
 * OAuthRequest handles this!
 *
 * The key itself comes from getSignatureKey(); this method only computes the
 * HMAC-SHA1 over the request's signature base string and base64-encodes it.
 *
 * @param JacobKiers\OAuth\Request\RequestInterface $request
 * @param JacobKiers\OAuth\Consumer\ConsumerInterface $consumer
 * @param JacobKiers\OAuth\Token\TokenInterface $token
 *
 * @return string base64-encoded raw HMAC-SHA1 digest
 */
public function buildSignature(RequestInterface $request, ConsumerInterface $consumer, TokenInterface $token = null)
{
    $signed_text = $request->getOAuthSignatureBaseString();
    $hmac_key = $this->getSignatureKey($consumer, $token);

    // Raw (binary) digest, so the base64 step produces the OAuth wire form.
    $raw_digest = hash_hmac('sha1', $signed_text, $hmac_key, true);

    return base64_encode($raw_digest);
}