/**
* All-in-one function to check the signature on a request.
*
* Should determine the signature method appropriately
*
* @param JacobKiers\OAuth\Request\RequestInterface $request
* @param JacobKiers\OAuth\Consumer\ConsumerInterface $consumer
* @param JacobKiers\OAuth\Token\TokenInterface $token
*
* @throws JacobKiers\OAuth\OAuthException
*/
private function checkSignature(RequestInterface $request, ConsumerInterface $consumer, TokenInterface $token)
{
// this should probably be in a different method
$timestamp = $request instanceof RequestInterface ? $request->getOAuthTimestamp() : null;
$nonce = $request instanceof RequestInterface ? $request->getOAuthNonce() : null;
$this->checkTimestamp($timestamp);
$this->checkNonce($consumer, $token, $nonce, $timestamp);
$signature_method = $this->getSignatureMethod($request);
$signature = $request->getOAuthSignature();
$valid_sig = $signature_method->checkSignature($request, $consumer, $token, $signature);
if (!$valid_sig) {
throw new OAuthException('Invalid signature');
}
}
/**
* Verifies that a given signature is correct.
*
* @param JacobKiers\OAuth\Request\RequestInterface $request
* @param JacobKiers\OAuth\Consumer\ConsumerInterface $consumer
* @param JacobKiers\OAuth\Token\TokenInterface $token
* @param string $signature
*
* @return bool
*/
public function checkSignature(RequestInterface $request, ConsumerInterface $consumer, TokenInterface $token, $signature)
{
$base_string = $request->getOAuthSignatureBaseString();
$decoded_sig = base64_decode($signature);
// Fetch the public key cert based on the request
$cert = $this->fetchPublicCert($request);
// Pull the public key ID from the certificate
$publickeyid = openssl_get_publickey($cert);
// Check the computed signature against the one passed in the query
$ok = openssl_verify($base_string, $decoded_sig, $publickeyid);
// Release the key resource
openssl_free_key($publickeyid);
return $ok == 1;
}
/**
* Build up the signature.
*
* oauth_signature is set to the concatenated encoded values of the Consumer Secret and
* Token Secret, separated by a '&' character (ASCII code 38), even if either secret is
* empty. The result MUST be encoded again.
* - Chapter 9.4.1 ("Generating Signatures")
*
* Please note that the second encoding MUST NOT happen in the SignatureMethod, as
* OAuthRequest handles this!
*
* @param JacobKiers\OAuth\Request\RequestInterface $request
* @param JacobKiers\OAuth\Consumer\ConsumerInterface $consumer
* @param JacobKiers\OAuth\Token\TokenInterface $token
*
* @return string
*/
public function buildSignature(RequestInterface $request, ConsumerInterface $consumer, TokenInterface $token = null)
{
$base_string = $request->getOAuthSignatureBaseString();
$key = $this->getSignatureKey($consumer, $token);
return base64_encode(hash_hmac('sha1', $base_string, $key, true));
}
