We Keep Coding

OAuth in simple php without class

i want to generate the signature this code gives me using simple php with no oauth class:
$oauth = new OAuth($my_key, $my_secret);
$bodyHash = base64_encode(sha1($body_content, true)); //contains the body
$sig = $oauth->generateSignature('GET', $url, Array("oauth_body_hash" => $bodyHash));
what i have done so far is this:
$bodyHash = base64_encode(sha1($xml, true));
$result_data = array(
'oauth_body_hash' => $bodyHash
);
$result_data_keys = array_keys($result_data);
sort($result_data_keys);
$launch_params = array();
foreach ($result_data_keys as $key) {
array_push($launch_params, $key . "=" . rawurlencode($result_data[$key]));
}
$base_string = "POST&" . urlencode($sUrl) . "&" . rawurlencode(implode("&", $launch_params));
$signature = base64_encode(hash_hmac("sha1", $base_string, $my_secret, true));
but im not getting the same signature!
this is the simplified version of the problem i have posted earlier here: Building a body signed oauth xml request for LTI Outcomes service
any idea what im doing wrong?

Oauth signature generator failure

I am using php cURL to PUT some informations (Authorization type: Oauth 1.0),
my problem is about generate the unique signature using the consumer_secret and access_token and encoded URL and the '&' also,
I tried to use two methods to generate it but the cURL response is: The signature is invalid. Verify and try again.
this is my last method to generate the signature:
// ------------- START GENERATE SIGNATURE -------------
$oauth = array(
"OAuth oauth_consumer_key=".$this->consumer_key.",
oauth_token=".$this->access_token.",
oauth_signature_method=".$this->signature_method.",
oauth_timestamp=".$timestimp.",
oauth_nonce=".$nonce.",
oauth_version=".$this->version.""
);
$base_info = $this->buildBaseString($this->url, 'PUT', $oauth) .'&';
$composite_key = rawurlencode($this->consumer_secret) . '&' . rawurlencode($this->access_token);
$oauth_signature = base64_encode(hash_hmac('sha1', $base_info, $composite_key, true));
// ------------- END GENERATE SIGNATURE -------------
and this is the buildBaseString function
function buildBaseString($baseURI, $method, $params)
{
$r = array();
ksort($params);
foreach($params as $key=>$value){
$r[] = "$key=" . rawurlencode($value);
}
return $method."&" . rawurlencode($baseURI) . '&' . rawurlencode(implode('&', $r));
}
I need help please.
thanks.

JWT (JSON Web Token) in PHP without using 3rd-party library. How to sign?

There are a few libraries for implementing JSON Web Tokens (JWT) in PHP, such as php-jwt. I am writing my own, very small and simple class but cannot figure out why my signature fails validation here even though I've tried to stick to the standard. I've been trying for hours and I'm stuck. Please help!
My code is simple
//build the headers
$headers = ['alg'=>'HS256','typ'=>'JWT'];
$headers_encoded = base64url_encode(json_encode($headers));
//build the payload
$payload = ['sub'=>'1234567890','name'=>'John Doe', 'admin'=>true];
$payload_encoded = base64url_encode(json_encode($payload));
//build the signature
$key = 'secret';
$signature = hash_hmac('SHA256',"$headers_encoded.$payload_encoded",$key);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature";
echo $token;
The base64url_encode function:
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
My headers and payload perfectly match the validation site's default JWT, but my signature doesn't match so my token is flagged as invalid. This standard seems really straightforward so what's wrong with my signature?

I solved it! I did not realize that the signature itself needs to be base64 encoded. In addition, I needed to set the last optional parameter of the hash_hmac function to $raw_output=true (see the docs. In short I needed to change my code from the original:
//build the signature
$key = 'secret';
$signature = hash_hmac('sha256',"$headers_encoded.$payload_encoded",$key);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature";
To the corrected:
//build the signature
$key = 'secret';
$signature = hash_hmac('sha256',"$headers_encoded.$payload_encoded",$key,true);
$signature_encoded = base64url_encode($signature);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature_encoded";
echo $token;

If you want to solve it using RS256 (instead of HS256 like OP) you can use it like this:
//build the headers
$headers = ['alg'=>'RS256','typ'=>'JWT'];
$headers_encoded = base64url_encode(json_encode($headers));
//build the payload
$payload = ['sub'=>'1234567890','name'=>'John Doe', 'admin'=>true];
$payload_encoded = base64url_encode(json_encode($payload));
//build the signature
$key = "-----BEGIN PRIVATE KEY----- ....";
openssl_sign("$headers_encoded.$payload_encoded", $signature, $key, 'sha256WithRSAEncryption');
$signature_encoded = base64url_encode($signature);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature_encoded";
echo $token;
Took me way longer than I'd like to admit

https://github.com/gradus0/appleAuth
look method $appleAuthObj->get_jwt_token()
<?php
include_once "appleAuth.class.php";
// https://developer.apple.com/account/resources/identifiers/list/serviceId -- indificator value
$clientId = ""; // com.youdomen
// your developer account id -> https://developer.apple.com/account/#/membership/
$teamId = "";
// key value show in -> https://developer.apple.com/account/resources/authkeys/list
$key = "";
// your page url where this script
$redirect_uri = ""; // example: youdomen.com/appleAuth.class.php
// path your key file, download file this -> https://developer.apple.com/account/resources/authkeys/list
$keyPath =''; // example: ./AuthKey_key.p8
try{
$appleAuthObj = new \appleAuth\sign($clientId,$teamId,$key,$redirect_uri,$keyPath);
if(isset($_REQUEST['code'])){
$jwt_token = $appleAuthObj->get_jwt_token($_REQUEST['code']);
$response = $appleAuthObj->get_response($_REQUEST['code'],$jwt_token);
$result_token = $this->read_id_token($response['read_id_token']);
var_dump($response);
var_dump($result_token);
}else{
$state = bin2hex(random_bytes(5));
echo "<a href='".$appleAuthObj->get_url($state)."'>sign</a>";
}
} catch (\Exception $e) {
echo "error: ".$e->getMessage();
}

The request signature we calculated does not match the signature you provided. - Error in AWS

I have following code :
$method = "GET";
$host = "payments-sandbox.amazon.com";
$uri = "/cba/api/purchasecontract/";
$private_key='PRIVATE_KEY';
$time = date('c');
$params = array(
'AWSAccessKeyId' => $private_key,
'Action' => "CreatePurchaseContract",
'SignatureMethod' => "HmacSHA256",
'SignatureVersion' => "2",
'Timestamp' => $time);
uksort($params, 'strcmp');
$canonicalized_query = array();
foreach ($params as $param => $value) {
$param = str_replace("%7E", "~", rawurlencode($param));
$value = str_replace("%7E", "~", rawurlencode($value));
$canonicalized_query[] = $param . "=" . $value;
}
$canonicalized_query = implode("&", $canonicalized_query);
$string_to_sign = $method . "\n" . $host . "\n" . $uri . "\n" . $canonicalized_query;
$signature = base64_encode(hash_hmac("sha256", $string_to_sign, $private_key, True));
$signature = str_replace("%7E", "~", rawurlencode($signature));
echo $url = "https://payments-sandbox.amazon.com/cba/api/purchasecontract/"
. "?Action=CreatePurchaseContract"
. "&SignatureMethod=HmacSHA256"
. "&AWSAccessKeyId=$private_key"
. "&Signature=".$signature
. "&SignatureVersion=2"
. "&Timestamp=" . $time;
But when i open url in new tab it's return following XML :
<ErrorResponse>
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
</Error>
<RequestId>01a5de72-6e3f-11e4-85b3-9119f1b849cd</RequestId>
</ErrorResponse>
And it's give The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. error message when open $url link in new tab.
I dont know what's problem in creating signature??
[UPDATE]
I have try cUrl to fetch data :
$ch = curl_init();
$options = array(CURLOPT_URL => $url);
curl_setopt_array($ch, $options);
$data = curl_exec($ch);
if(!$data){
die('Error: "' . curl_error($ch) . '" - Code: ' . curl_errno($ch));
}
curl_close($ch);
print_r($data);
But it's give me Error: "SSL certificate problem: unable to get local issuer certificate" - Code: 60. So what i do to fetch data from payments-sandbox.amazon.com

I got the same error when I tried to add my credentials with the eb init command in EB CLIx3.
It turned out I had mistyped my credentials every single time. I switched over to console for Windows where I could copy/paste my credentials. Now everything went without a hitch.
So copy/past credentials is my suggestion. If that doesn't work, you might want to create a new access key for a user with admin privileges. You can do that at the IAM section. Then try to copy past again.

Can't verify openssl public key

I'm trying to use openssl_verify() to verify $payload with $publicKey.
Here's my code:
$publicKey = openssl_pkey_get_public($_POST['publicKeyURL']);
$playerID = $_POST['playerID'];
$timestamp = intval($_POST['timestamp']);
$signature = base64_decode($_POST['signature']);
$salt = base64_decode($_POST['salt']);
$payload = $playerID . $bundleID . $timestamp . $salt;
$status = openssl_verify($payload, $signature, $publicKey);
openssl_free_key($publicKey);
if ($status == 1) { /* */ }
I'm getting the following error:
openssl_verify() supplied key param cannot be coerced into a public key
The POST information is coming from an iOS app using this Game Center method.