 /**
  * Round-trips several messages through the signer/verifier pair and then
  * checks that a signature is accepted only for the exact bytes it was
  * produced over (the "foobar" signature must not verify the empty string).
  */
 public function testVerifySignature()
 {
     $lastSignature = null;
     foreach (array("foo", "", "foobar") as $message) {
         $lastSignature = $this->signer->sign($message);
         $this->assertTrue($this->verifier->verify($message, $lastSignature));
     }
     // Cross-check: the most recent signature (over "foobar") must be rejected
     // for a different input.
     $this->assertFalse($this->verifier->verify("", $lastSignature));
 }
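 /**
  * Verifies a compact-serialised JWT against a set of PEM certificates and
  * returns a login ticket for it.
  *
  * Checks, in order: the token has exactly three segments; the envelope and
  * payload decode to JSON objects; the signature validates under at least one
  * entry of $certs; the payload carries numeric "iat"/"exp" claims such that
  * "now" lies within CLOCK_SKEW_SECS of [iat, exp] and exp is less than
  * MAX_TOKEN_LIFETIME_SECS in the future; and the "aud" claim equals
  * $required_audience. The envelope's "alg" field is not consulted: every
  * certificate is tried with apiPemVerifier regardless of what the header
  * claims. The issuer ("iss") claim is not checked (see TODO below).
  *
  * @param string $jwt               token in header.payload.signature form
  * @param array  $certs             map of key name => PEM-encoded public key/cert
  * @param string $required_audience expected value of the "aud" claim
  *
  * @return apiLoginTicket
  * @throws apiAuthException on any structural, signature, time or audience failure
  */
 function verifySignedJwtWithCerts($jwt, $certs, $required_audience)
 {
     $segments = explode(".", $jwt);
     if (count($segments) !== 3) {
         throw new apiAuthException("Wrong number of segments in token: {$jwt}");
     }
     $signed = $segments[0] . "." . $segments[1];
     $signature = apiUtils::urlSafeB64Decode($segments[2]);
     // Reject an absent or undecodable signature here rather than relying on
     // how the verifier treats empty input.
     if ($signature === false || $signature === "") {
         throw new apiAuthException("Missing token signature: {$jwt}");
     }
     // Parse envelope. json_decode(..., true) may yield a scalar for inputs
     // like "\"x\""; only a non-empty object (array) is acceptable, since the
     // ticket and the checks below index into it.
     $envelope = json_decode(apiUtils::urlSafeB64Decode($segments[0]), true);
     if (!is_array($envelope) || !$envelope) {
         throw new apiAuthException("Can't parse token envelope: " . $segments[0]);
     }
     // Parse token payload with the same object-shape requirement.
     $json_body = apiUtils::urlSafeB64Decode($segments[1]);
     $payload = json_decode($json_body, true);
     if (!is_array($payload) || !$payload) {
         throw new apiAuthException("Can't parse token payload: " . $segments[1]);
     }
     // Check signature: accept the token if any supplied certificate verifies
     // the signed portion.
     $verified = false;
     foreach ($certs as $pem) {
         $public_key = new apiPemVerifier($pem);
         if ($public_key->verify($signed, $signature)) {
             $verified = true;
             break;
         }
     }
     if (!$verified) {
         throw new apiAuthException("Invalid token signature: {$jwt}");
     }
     // Check issued-at timestamp. A non-numeric claim would otherwise reach the
     // arithmetic below and fail with a TypeError instead of an auth error.
     $iat = 0;
     if (array_key_exists("iat", $payload)) {
         $iat = $payload["iat"];
     }
     if (!is_numeric($iat) || !$iat) {
         throw new apiAuthException("No issue time in token: {$json_body}");
     }
     $earliest = $iat - self::CLOCK_SKEW_SECS;
     // Check expiration timestamp
     $now = time();
     $exp = 0;
     if (array_key_exists("exp", $payload)) {
         $exp = $payload["exp"];
     }
     if (!is_numeric($exp) || !$exp) {
         throw new apiAuthException("No expiration time in token: {$json_body}");
     }
     if ($exp >= $now + self::MAX_TOKEN_LIFETIME_SECS) {
         throw new apiAuthException("Expiration time too far in future: {$json_body}");
     }
     $latest = $exp + self::CLOCK_SKEW_SECS;
     if ($now < $earliest) {
         throw new apiAuthException("Token used too early, {$now} < {$earliest}: {$json_body}");
     }
     if ($now > $latest) {
         throw new apiAuthException("Token used too late, {$now} > {$latest}: {$json_body}");
     }
     // TODO(beaton): check issuer field?
     // Check audience. The claim must be present, and the comparison is done on
     // string form with !== so that loose equality (e.g. 0 == "string") can
     // never match a wrong recipient.
     if (!array_key_exists("aud", $payload) || !is_scalar($payload["aud"])) {
         throw new apiAuthException("No audience in token: {$json_body}");
     }
     $aud = (string) $payload["aud"];
     if ($aud !== (string) $required_audience) {
         throw new apiAuthException("Wrong recipient, {$aud} != {$required_audience}: {$json_body}");
     }
     // All good.
     return new apiLoginTicket($envelope, $payload);
 }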