Exemplo n.º 1
0
 public function testVerifySignature()
 {
     $binary_data = "foo";
     $signature = $this->signer->sign($binary_data);
     $this->assertTrue($this->verifier->verify($binary_data, $signature));
     $empty_string = "";
     $signature = $this->signer->sign($empty_string);
     $this->assertTrue($this->verifier->verify($empty_string, $signature));
     $text = "foobar";
     $signature = $this->signer->sign($text);
     $this->assertTrue($this->verifier->verify($text, $signature));
     $this->assertFalse($this->verifier->verify($empty_string, $signature));
 }
Exemplo n.º 2
0
 function verifySignedJwtWithCerts($jwt, $certs, $required_audience)
 {
     $segments = explode(".", $jwt);
     if (count($segments) != 3) {
         throw new Google_AuthException("Wrong number of segments in token: {$jwt}");
     }
     $signed = $segments[0] . "." . $segments[1];
     $signature = Google_Utils::urlSafeB64Decode($segments[2]);
     // Parse envelope.
     $envelope = json_decode(Google_Utils::urlSafeB64Decode($segments[0]), true);
     if (!$envelope) {
         throw new Google_AuthException("Can't parse token envelope: " . $segments[0]);
     }
     // Parse token
     $json_body = Google_Utils::urlSafeB64Decode($segments[1]);
     $payload = json_decode($json_body, true);
     if (!$payload) {
         throw new Google_AuthException("Can't parse token payload: " . $segments[1]);
     }
     // Check signature
     $verified = false;
     foreach ($certs as $keyName => $pem) {
         $public_key = new Google_PemVerifier($pem);
         if ($public_key->verify($signed, $signature)) {
             $verified = true;
             break;
         }
     }
     if (!$verified) {
         throw new Google_AuthException("Invalid token signature: {$jwt}");
     }
     // Check issued-at timestamp
     $iat = 0;
     if (array_key_exists("iat", $payload)) {
         $iat = $payload["iat"];
     }
     if (!$iat) {
         throw new Google_AuthException("No issue time in token: {$json_body}");
     }
     $earliest = $iat - self::CLOCK_SKEW_SECS;
     // Check expiration timestamp
     $now = time();
     $exp = 0;
     if (array_key_exists("exp", $payload)) {
         $exp = $payload["exp"];
     }
     if (!$exp) {
         throw new Google_AuthException("No expiration time in token: {$json_body}");
     }
     if ($exp >= $now + self::MAX_TOKEN_LIFETIME_SECS) {
         throw new Google_AuthException("Expiration time too far in future: {$json_body}");
     }
     $latest = $exp + self::CLOCK_SKEW_SECS;
     if ($now < $earliest) {
         throw new Google_AuthException("Token used too early, {$now} < {$earliest}: {$json_body}");
     }
     if ($now > $latest) {
         throw new Google_AuthException("Token used too late, {$now} > {$latest}: {$json_body}");
     }
     // TODO(beaton): check issuer field?
     // Check audience
     $aud = $payload["aud"];
     if ($aud != $required_audience) {
         throw new Google_AuthException("Wrong recipient, {$aud} != {$required_audience}: {$json_body}");
     }
     // All good.
     return new Google_LoginTicket($envelope, $payload);
 }