Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RSA-based and SHA-256-involving signature methods #194

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

RSA-based and SHA-256-involving signature methods #194

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
db68652
RSA-based and SHA-256-involcing signature methods
rpuch Jun 8, 2017
35631a1
Added private-key-related and rsa-signing-related error checking
rpuch Jun 9, 2017
3d8bae4
Using int constants instead of strings to identify hashing algorithms…
rpuch Jun 9, 2017
aad9ecf
Added a comment clarifying that the private_key_pem is expected to be…
rpuch Jun 9, 2017
edb2934
Checking that openssl_sign function exists before calling it
rpuch Jun 9, 2017
3c3c210
Bumped version and date
rpuch Jun 9, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 45 additions & 5 deletions tmhOAuth.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,9 @@ public function reconfigure($config=array()) {
'token' => '',
'secret' => '',

// RSA private key (for RSA-SHA1 and RSA-SHA256 methods)
'private_key_pem' => '',
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

openssl_sign is a messy function as it overloads the types that can be used for the key and algorithm variables.
it's possible to send a resource instead of a string as the private_key_pem but the implementation you are using assumes it's string. wanna call that out in the comment - that if used this is expecting a string representation of a private key and not a file resource?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A clarifying comment added


// OAuth2 bearer token. This should already be URL encoded
'bearer' => '',

Expand Down Expand Up @@ -453,11 +456,48 @@ private function prepare_base_string() {
* @return void oauth_signature is added to the parameters in the class array variable '$this->request_settings'
*/
private function prepare_oauth_signature() {
$this->request_settings['oauth1_params']['oauth_signature'] = $this->safe_encode(
base64_encode(
hash_hmac(
'sha1', $this->request_settings['basestring'], $this->request_settings['signing_key'], true
)));
switch ($this->config['oauth_signature_method']) {
case 'HMAC-SHA1':
$signature = $this->sign_with_hmac('sha1');
break;
case 'HMAC-SHA256':
$signature = $this->sign_with_hmac('sha256');
break;
case 'RSA-SHA1':
$signature = $this->sign_with_rsa('sha1');
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i know 'sha1' is supported but what about using OPENSSL_ALGO_SHA1 instead?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replaced 'sha1' with OPENSSL_ALGO_SHA1

break;
case 'RSA-SHA256':
$signature = $this->sign_with_rsa('sha256');
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i know 'sha256' is supported but what about using OPENSSL_ALGO_SHA256 instead?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replaced 'sha256' with OPENSSL_ALGO_SHA256

break;
default:
throw new Exception("Unsupported oauth_signature_method: '" . $this->config['oauth_signature_method'] . "'");
}
$this->request_settings['oauth1_params']['oauth_signature'] = $this->safe_encode(base64_encode($signature));
}

/**
* Signs the OAuth 1 request with HMAC-based signature
*
* @param string $algorithm algorithm name (like sha1 or sha256)
* @return binary signature
*/
private function sign_with_hmac($algorithm) {
return hash_hmac(
$algorithm, $this->request_settings['basestring'], $this->request_settings['signing_key'], true
);
}

/**
* Signs the OAuth 1 request with RSA-based signature
*
* @param string $algorithm name of hash algorithm that will be
* used to compute base string hash before encrypting it with RSA
* (like sha1 or sha256)
* @return binary signature
*/
private function sign_with_rsa($algorithm) {
openssl_sign($this->request_settings['basestring'], $signature, $this->config['private_key_pem'], $algorithm);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thinking this might need a function_exists check on openssl_sign.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a check for whether 'openssl_sign' function exists. If not, an exception is thrown.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for contributing this, love it. just a couple of thoughts on improvements before a pull it in.
also - wanna bump the version number (0.8.5) and date?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bumped version and date

return $signature;
}

/**
Expand Down