public function testLoadAndFail()
{
$key = new Key();
$key->generate();
$data_to_sign = "On the whole, I'd rather be in Philadelphia";
$signature = 'This is not the correct signature';
$this->assertFalse($key->verify($data_to_sign, $signature));
}
/**
* Verify a HMAC for a request.
*
* Verifying a HMAC for a request requires knowledge of a key that is shared between
* the client and server and should not be disclosed to any third party.
*
* The request data *should* contain a nonce generated on the client and it
* *should* contain a nonce generated on the server. The client nonce should
* never have been used before (generated and used once, then discarded), and
* the server nonce should have been used exactly once before (generated by
* the server, used once and then discarded). These nonces ensure that the
* request data is unique even for identical requests.
*
* An exception is thrown if the signature did not verify or was not present.
*
* @param array $request_data
* @param string $ip_address
*
* @throws SignatureException
* @throws NonceException
*
* @return void
*/
public function verifyHMAC(array $request_data, $ip_address = '127.0.0.1')
{
if (empty($request_data['hmac'])) {
throw new SignatureException('No HMAC was present on the request data');
}
// Get the data that needs to be verified.
$supplied_hmac = $request_data['hmac'];
unset($request_data['hmac']);
$data_to_verify = http_build_query($request_data);
// Verify the client nonce if present. This will normally be created at
// the time that the HMAC is created.
if (empty($request_data['cnonce'])) {
throw new NonceException('No client nonce was present in signature verification');
}
$this->verifyClientNonce($request_data['cnonce']);
// Create the shared key object
$sharedKey = new Key();
$sharedKey->setSharedKey($this->sharedKey);
// Verify the signature.
$verify = $sharedKey->verify($data_to_verify, $supplied_hmac);
if (!$verify) {
throw new SignatureException('The HMAC on the request data did not verify');
}
// Verify the server nonce if present. Note that the client must request
// this.
if (!empty($request_data['snonce'])) {
$this->verifyServerNonce($request_data['snonce'], $ip_address);
}
}
