Better casing of signature verification

merge-requests/5/head
Terence Eden 2024-02-26 16:15:04 +00:00
rodzic 5e6a98dee3
commit cd145915be
1 zmienionych plików z 8 dodań i 7 usunięć


@ -775,10 +775,12 @@ HTML;
// Get the headers send with the request // Get the headers send with the request
$headers = getallheaders(); $headers = getallheaders();
// Ensure the header keys match the format expected by the signature
$headers = array_change_key_case( $headers, CASE_LOWER );
// Validate the timestamp is within ±30 seconds // Validate the timestamp is within ±30 seconds
if ( !isset( $headers["Date"] ) ) { return null; } // No date set if ( !isset( $headers["date"] ) ) { return null; } // No date set
$dateHeader = $headers["Date"]; $dateHeader = $headers["date"];
$headerDatetime = DateTime::createFromFormat('D, d M Y H:i:s T', $dateHeader); $headerDatetime = DateTime::createFromFormat('D, d M Y H:i:s T', $dateHeader);
$currentDatetime = new DateTime(); $currentDatetime = new DateTime();
@ -802,7 +804,7 @@ HTML;
// Validate the Digest // Validate the Digest
// It is the hash of the raw input string, in binary, encoded as base64 // It is the hash of the raw input string, in binary, encoded as base64
$digestString = $headers["Digest"]; $digestString = $headers["digest"];
// Usually in the form `SHA-256=Ofv56Jm9rlowLR9zTkfeMGLUG1JYQZj0up3aRPZgT0c=` // Usually in the form `SHA-256=Ofv56Jm9rlowLR9zTkfeMGLUG1JYQZj0up3aRPZgT0c=`
// The Base64 encoding may have multiple `=` at the end. So split this at the first `=` // The Base64 encoding may have multiple `=` at the end. So split this at the first `=`
$digestData = explode( "=", $digestString, 2 ); $digestData = explode( "=", $digestString, 2 );
@ -839,7 +841,7 @@ HTML;
} }
// Examine the signature // Examine the signature
$signatureHeader = $headers["Signature"]; $signatureHeader = $headers["signature"];
// Extract key information from the Signature header // Extract key information from the Signature header
$signatureParts = []; $signatureParts = [];
@ -856,14 +858,13 @@ HTML;
foreach ($signatureHeaders as $signatureHeader) { foreach ($signatureHeaders as $signatureHeader) {
if ( "(request-target)" == $signatureHeader ) { if ( "(request-target)" == $signatureHeader ) {
$method = strtolower( $_SERVER["REQUEST_METHOD"] ); $method = strtolower( $_SERVER["REQUEST_METHOD"] );
$target = strtolower( $_SERVER["REQUEST_URI"] ); $target = $_SERVER["REQUEST_URI"];
$signatureString .= "(request-target): {$method} {$target}\n"; $signatureString .= "(request-target): {$method} {$target}\n";
} else if ( "host" == $signatureHeader ) { } else if ( "host" == $signatureHeader ) {
$host = strtolower( $_SERVER["HTTP_HOST"] ); $host = strtolower( $_SERVER["HTTP_HOST"] );
$signatureString .= "host: {$host}\n"; $signatureString .= "host: {$host}\n";
} else { } else {
// In the HTTP header, the keys use Title Case $signatureString .= "{$signatureHeader}: " . $headers[$signatureHeader] . "\n";
$signatureString .= "{$signatureHeader}: " . $headers[ ucwords( $signatureHeader, "-" ) ] . "\n";
} }
} }
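Review bot: In the last hunk's `else` branch, `$headers[$signatureHeader]` is indexed with a name from `$signatureHeaders`, which appears to be parsed from the sender's Signature header, and nothing visible checks that the key exists. A listed header that was not sent (or is not written in lowercase) raises an undefined-key warning and puts an empty value into the signing string; a guard such as `if ( !isset( $headers[$signatureHeader] ) ) { return null; }` before the concatenation would fail closed instead. The same applies to `$headers["digest"]` and `$headers["signature"]` in the second and third hunks, which, unlike `date`, have no `isset` check in the visible lines. It would also be worth confirming, outside these hunks, that the signed list is required to contain `date` and `digest`, since otherwise the timestamp and digest checks are not bound to the signature. The enclosing function starts and ends outside the hunks.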