public function testVerifySignature() {
  // Round-trip: every message signed by $this->signer must verify with
  // $this->verifier, including the empty message.
  $messages = array("foo", "", "foobar");
  $signature = null;
  foreach ($messages as $message) {
    $signature = $this->signer->sign($message);
    $this->assertTrue($this->verifier->verify($message, $signature));
  }
  // $signature now belongs to "foobar"; it must not verify a different message.
  $this->assertFalse($this->verifier->verify("", $signature));
}
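/**
 * Verifies a compact-serialised JWT against a set of PEM public keys and
 * checks its time window and audience.
 *
 * @param string $jwt               Compact JWT: header.payload.signature (URL-safe base64).
 * @param array  $certs             Map of key name => PEM public key; any key that verifies is accepted.
 * @param string $required_audience Value the "aud" claim must equal exactly.
 * @return apiLoginTicket Wraps the decoded envelope (header) and payload (claims).
 * @throws apiAuthException On malformed token, bad signature, missing/invalid
 *                          "iat"/"exp", token outside its validity window, or
 *                          audience mismatch.
 *
 * NOTE(review): several exception messages embed the raw token or its decoded
 * body; if these exceptions are logged, bearer tokens end up in the logs.
 */
function verifySignedJwtWithCerts($jwt, $certs, $required_audience) {
  $segments = explode(".", $jwt);
  if (count($segments) != 3) {
    throw new apiAuthException("Wrong number of segments in token: {$jwt}");
  }
  // The signature covers the raw (still encoded) header and payload segments.
  $signed = $segments[0] . "." . $segments[1];
  $signature = apiUtils::urlSafeB64Decode($segments[2]);

  // Parse envelope.
  $envelope = json_decode(apiUtils::urlSafeB64Decode($segments[0]), true);
  if (!$envelope) {
    throw new apiAuthException("Can't parse token envelope: " . $segments[0]);
  }

  // Parse token
  $json_body = apiUtils::urlSafeB64Decode($segments[1]);
  $payload = json_decode($json_body, true);
  if (!$payload) {
    throw new apiAuthException("Can't parse token payload: " . $segments[1]);
  }

  // Check signature: the "alg" header is deliberately ignored and every
  // candidate key is tried with the PEM verifier, so an attacker-controlled
  // "alg" (e.g. "none" or an HMAC variant) cannot change how verification runs.
  $verified = false;
  foreach ($certs as $keyName => $pem) {
    $public_key = new apiPemVerifier($pem);
    if ($public_key->verify($signed, $signature)) {
      $verified = true;
      break;
    }
  }
  if (!$verified) {
    throw new apiAuthException("Invalid token signature: {$jwt}");
  }

  // Check issued-at timestamp. Cast to int so a non-numeric claim is treated
  // as absent instead of producing undefined arithmetic below.
  $iat = 0;
  if (array_key_exists("iat", $payload)) {
    $iat = (int) $payload["iat"];
  }
  if (!$iat) {
    throw new apiAuthException("No issue time in token: {$json_body}");
  }
  $earliest = $iat - self::CLOCK_SKEW_SECS;

  // Check expiration timestamp
  $now = time();
  $exp = 0;
  if (array_key_exists("exp", $payload)) {
    $exp = (int) $payload["exp"];
  }
  if (!$exp) {
    throw new apiAuthException("No expiration time in token: {$json_body}");
  }
  // Reject tokens whose lifetime is implausibly long for this issuer.
  if ($exp >= $now + self::MAX_TOKEN_LIFETIME_SECS) {
    throw new apiAuthException("Expiration time too far in future: {$json_body}");
  }
  $latest = $exp + self::CLOCK_SKEW_SECS;
  if ($now < $earliest) {
    throw new apiAuthException("Token used too early, {$now} < {$earliest}: {$json_body}");
  }
  if ($now > $latest) {
    throw new apiAuthException("Token used too late, {$now} > {$latest}: {$json_body}");
  }

  // TODO(beaton): check issuer field?

  // Check audience. The claim must be present and must equal the required
  // audience exactly: the previous loose "!=" compared numeric-looking strings
  // numerically ("1e3" == "1000") and let a missing "aud" pass when the required
  // audience was empty. Only scalar "aud" values are accepted here.
  $aud = array_key_exists("aud", $payload) ? $payload["aud"] : null;
  if (!is_scalar($aud) || (string) $aud !== (string) $required_audience) {
    $shown = is_scalar($aud) ? $aud : gettype($aud);
    throw new apiAuthException("Wrong recipient, {$shown} != {$required_audience}: {$json_body}");
  }

  // All good.
  return new apiLoginTicket($envelope, $payload);
}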