1
|
|
|
<?php |
2
|
|
|
/* |
3
|
|
|
* This file is part of the Guarded Authentication package. |
4
|
|
|
* |
5
|
|
|
* (c) Jafar Jabr <[email protected]> |
6
|
|
|
* |
7
|
|
|
* For the full copyright and license information, please view the LICENSE |
8
|
|
|
* file that was distributed with this source code. |
9
|
|
|
*/ |
10
|
|
|
|
11
|
|
|
namespace Jafar\Bundle\GuardedAuthenticationBundle\Api\JWTSigner\Signer\OpenSSL; |
12
|
|
|
|
13
|
|
|
use Jafar\Bundle\GuardedAuthenticationBundle\Api\JWTSigner\Signer\SignerInterface; |
14
|
|
|
|
15
|
|
|
/** |
16
|
|
|
* Class HMAC. |
17
|
|
|
* This class is the base of all HMAC Signers. |
18
|
|
|
* |
19
|
|
|
* @author Jafar Jabr <[email protected]> |
20
|
|
|
*/ |
21
|
|
|
abstract class HMAC implements SignerInterface |
22
|
|
|
{ |
23
|
|
|
/** |
24
|
|
|
* {@inheritdoc} |
25
|
|
|
*/ |
26
|
|
|
public function sign($input, $key) |
27
|
|
|
{ |
28
|
|
|
return hash_hmac($this->getHashingAlgorithm(), $input, (string) $key, true); |
29
|
|
|
} |
30
|
|
|
|
31
|
|
|
/** |
32
|
|
|
* To prevent timing attacks we are using PHP 5.6 native function hash_equals, |
33
|
|
|
* in case of PHP < 5.6 a timing safe equals comparison function. |
34
|
|
|
* |
35
|
|
|
* more info here: |
36
|
|
|
* http://blog.ircmaxell.com/2014/11/its-all-about-time.html |
37
|
|
|
* |
38
|
|
|
* |
39
|
|
|
* {@inheritdoc} |
40
|
|
|
*/ |
41
|
|
|
public function verify($key, $signature, $input) |
42
|
|
|
{ |
43
|
|
|
$signedInput = $this->sign($input, $key); |
44
|
|
|
|
45
|
|
|
return $this->timingSafeEquals($signedInput, $signature); |
46
|
|
|
} |
47
|
|
|
|
48
|
|
|
/** |
49
|
|
|
* A timing safe equals comparison. |
50
|
|
|
* |
51
|
|
|
* @param string $known the internal signature to be checked |
52
|
|
|
* @param string $input The signed input submitted value |
53
|
|
|
* |
54
|
|
|
* @return bool true if the two strings are identical |
55
|
|
|
*/ |
56
|
|
|
public function timingSafeEquals($known, $input) |
57
|
|
|
{ |
58
|
|
|
return hash_equals($known, $input); |
59
|
|
|
} |
60
|
|
|
|
61
|
|
|
/** |
62
|
|
|
* Returns the hashing algorithm used in this signer. |
63
|
|
|
* |
64
|
|
|
* @return string |
65
|
|
|
*/ |
66
|
|
|
abstract public function getHashingAlgorithm(); |
67
|
|
|
} |
68
|
|
|
|