I'm trying to use openssl_verify() to verify $payload with $publicKey.
Here's my code:
$publicKey = openssl_pkey_get_public($_POST['publicKeyURL']);
$playerID = $_POST['playerID'];
$timestamp = intval($_POST['timestamp']);
$signature = base64_decode($_POST['signature']);
$salt = base64_decode($_POST['salt']);
$payload = $playerID . $bundleID . $timestamp . $salt;
$status = openssl_verify($payload, $signature, $publicKey);
openssl_free_key($publicKey);
if ($status == 1) { /* */ }
I'm getting the following error:
openssl_verify() supplied key param cannot be coerced into a public key
The POST information is coming from an iOS app using this Game Center method.
Related
I am trying to generate a JWT for the DocuSign Embed API and I can't seem to figure out the private/public key part.
When I generate the JWT, the signature part is very short. Pasting it in jwt.io, it turns out both the header and payload are correct, but the signature part is wrong (and way too short when I compare it to what I get when I copy paste my public and rsa private keys.
Here is the relevant code:
$args = [
'envelope_id' => $_GET['envelope_id'],
'ds_return_url' => 'https://www.returnurl.be',
'starting_view' => 'envelope',
'base_path' => 'https://baseurl.be'
];
$args['integration_key'] = 'abc123';
if(isset($_GET['user_id'])) {
$args['user_id'] = $_GET['user_id'];
}
//generate jwt:
$headers = array('alg'=>'RS256','typ'=>'JWT');
$payload = array(
'iss'=>$args['integration_key'],
'sub'=>$args['user_id'],
'aud'=>'account-d.docusign.com', //prod: account.docusign.com
'iat'=>time(),
'exp'=>(time() + 6000),
'scope'=>'signature impersonation'
);
$secret = '-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAj...
-----END RSA PRIVATE KEY-----';
$jwt = generate_jwt($headers, $payload, $secret);
echo $jwt;
function generate_jwt($headers, $payload, $secret = 'secret') {
$headers_encoded = base64url_encode(json_encode($headers));
$payload_encoded = base64url_encode(json_encode($payload));
$signature = hash_hmac('SHA256', "$headers_encoded.$payload_encoded", $secret, true);
$signature_encoded = base64url_encode($signature);
$jwt = "$headers_encoded.$payload_encoded.$signature_encoded";
return $jwt;
}
function base64url_encode($str) {
return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
}
So I have got two parameters, Consumer name and api key so I need to generate a signature which is based on my $base and $key variable.
I have commented possible hint for the $key variable but don't know which parameters should I use to generate a key.
Code:
$consumer = 'name_name'; // Would be consumer key
$secret = 'c7b0ae051a3d4846a75e339d7ad8ff77'; // Would be Api key
$url = 'https://new.site.co.uk/api/list'; // Would be url
$method = 'GET';
$base = $method . '&' . rawurlencode($url). '&'
.rawurlencode("oauth_consumer_key=" . rawurlencode($consumer) . '&'
.'&oauth_nonce='.rawurlencode($secret)
.'&oauth_signature_method='.rawurlencode('HMAC-SHA1')
.'&oauth_timestamp='.rawurlencode(time())
.'&oauth_version='.rawurlencode('1.0'));
//$key = rawurlencode($this->secret).'&'.rawurlencode($this->token_secret);
$signature = base64_encode(hash_hmac(“sha1”, $base, $key, false));
dump($signature);die;
I want to use the Magento 1.x REST API to obtain all the products from the webshop. It uses OAUTH1 but I have some trouble getting it to work using PHP and Guzzle. I have the following information:
$consumerKey = '..';
$consumerSecret = '..';
$token = '..';
$tokenSecret = '..';
Using Postman I can already obtain all the products so I know for sure that the values are correct. My question now is how do I create the signature? I have the following code but it seems to be wrong:
private function buildSignature()
{
$nonce = uniqid(mt_rand(1, 1000));
$timestamp = time();
$consumerKey = 'xx';
$consumerSecret = 'xx';
$token = 'xx';
$tokenSecret = 'xx';
$base = 'GET&'. rawurlencode('https://www.magentoshop.com/api/rest/products') .'&'.
rawurlencode('oauth_consumer_key='. $consumerKey) .'&'.
rawurlencode('oauth_nonce='. $nonce) .'&'.
rawurlencode('oauth_signature_method=HMAC-SHA1') .'&'.
rawurlencode('oauth_timestamp='. $timestamp) .'&'.
rawurlencode('oauth_token='. $token) .'&'.
rawurlencode('oauth_version=1.0')
;
$key = rawurlencode($consumerSecret) .'&'. rawurlencode($tokenSecret);
return base64_encode(hash_hmac('sha1', $base, $key, true));
}
The response I get is always: "{"messages":{"error":[{"code":401,"message":"oauth_problem=signature_invalid"}]}}"
What am I doing wrong?
maybe you can review links
https://magento.stackexchange.com/questions/147319/error-oauth-problem-signature-invalid-for-post
http://developer.pearson.com/creating-and-using-oauth-10a-signature
I am trying to generate the Authorization header for quickbook online in Auth1.0, Here is my code. But when I trying to use API, it refuses the signature. Can anyone point out the error, please?
<?php
$method = "POST";
$QBO_SANDBOX_URL= "https://sandbox-quickbooks.api.intuit.com/";
$company_id = "123145773232334";
$consumerKey = "qyprdww4dFum0345345ffKla4dEa9HJ";
$consumerSecret = "57d5qY4sdmeUPertBgPtYBoeKYu9z6ip0XhXBhg";
$accessTokenKey = "qyprdgLFTNax4qv8zpA6fWUdkUunuvIfAK5LWsCUBDKyiB7p";
$accessTokenSecret = "HuEoqCQk01SKRgqRBZzEvhZvO5RIdWihK6vWodwG";
$query = "Select * from Account STARTPOSITION 1 MAXRESULTS 5";
$time = time();
$base = $method.'&'.rawurlencode($QBO_SANDBOX_URL.'v3/company/'.$company_id).'&'
.rawurlencode("oauth_consumer_key=".rawurlencode($consumerKey)
.'&oauth_nonce='.rawurlencode('34604g54654y456546')
.'&oauth_signature_method='.rawurlencode('HMAC-SHA1')
.'&oauth_timestamp='.rawurlencode($time)
.'&oauth_token='.rawurlencode($accessTokenKey)
.'&oauth_version='.rawurlencode('1.0')
.'&'.rawurlencode($query));
$key = rawurlencode($consumerSecret.'&'.$accessTokenSecret);
$signature = base64_encode(hash_hmac("sha1", $base, $key, true));
$auth = 'OAuth oauth_token="'.$accessTokenKey.'",oauth_nonce="ea9ec8429b68d6b77cd5600adbbb0456",oauth_consumer_key="'.$consumerKey.'",oauth_signature_method="HMAC-SHA1", oauth_timestamp="'.$time.'",oauth_version ="1.0",oauth_signature="'.$signature.'"';
echo $auth;
?>
There are a few libraries for implementing JSON Web Tokens (JWT) in PHP, such as php-jwt. I am writing my own, very small and simple class but cannot figure out why my signature fails validation here even though I've tried to stick to the standard. I've been trying for hours and I'm stuck. Please help!
My code is simple
//build the headers
$headers = ['alg'=>'HS256','typ'=>'JWT'];
$headers_encoded = base64url_encode(json_encode($headers));
//build the payload
$payload = ['sub'=>'1234567890','name'=>'John Doe', 'admin'=>true];
$payload_encoded = base64url_encode(json_encode($payload));
//build the signature
$key = 'secret';
$signature = hash_hmac('SHA256',"$headers_encoded.$payload_encoded",$key);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature";
echo $token;
The base64url_encode function:
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
My headers and payload perfectly match the validation site's default JWT, but my signature doesn't match so my token is flagged as invalid. This standard seems really straightforward so what's wrong with my signature?
I solved it! I did not realize that the signature itself needs to be base64 encoded. In addition, I needed to set the last optional parameter of the hash_hmac function to $raw_output=true (see the docs. In short I needed to change my code from the original:
//build the signature
$key = 'secret';
$signature = hash_hmac('sha256',"$headers_encoded.$payload_encoded",$key);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature";
To the corrected:
//build the signature
$key = 'secret';
$signature = hash_hmac('sha256',"$headers_encoded.$payload_encoded",$key,true);
$signature_encoded = base64url_encode($signature);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature_encoded";
echo $token;
If you want to solve it using RS256 (instead of HS256 like OP) you can use it like this:
//build the headers
$headers = ['alg'=>'RS256','typ'=>'JWT'];
$headers_encoded = base64url_encode(json_encode($headers));
//build the payload
$payload = ['sub'=>'1234567890','name'=>'John Doe', 'admin'=>true];
$payload_encoded = base64url_encode(json_encode($payload));
//build the signature
$key = "-----BEGIN PRIVATE KEY----- ....";
openssl_sign("$headers_encoded.$payload_encoded", $signature, $key, 'sha256WithRSAEncryption');
$signature_encoded = base64url_encode($signature);
//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature_encoded";
echo $token;
Took me way longer than I'd like to admit
https://github.com/gradus0/appleAuth
look method $appleAuthObj->get_jwt_token()
<?php
include_once "appleAuth.class.php";
// https://developer.apple.com/account/resources/identifiers/list/serviceId -- indificator value
$clientId = ""; // com.youdomen
// your developer account id -> https://developer.apple.com/account/#/membership/
$teamId = "";
// key value show in -> https://developer.apple.com/account/resources/authkeys/list
$key = "";
// your page url where this script
$redirect_uri = ""; // example: youdomen.com/appleAuth.class.php
// path your key file, download file this -> https://developer.apple.com/account/resources/authkeys/list
$keyPath =''; // example: ./AuthKey_key.p8
try{
$appleAuthObj = new \appleAuth\sign($clientId,$teamId,$key,$redirect_uri,$keyPath);
if(isset($_REQUEST['code'])){
$jwt_token = $appleAuthObj->get_jwt_token($_REQUEST['code']);
$response = $appleAuthObj->get_response($_REQUEST['code'],$jwt_token);
$result_token = $this->read_id_token($response['read_id_token']);
var_dump($response);
var_dump($result_token);
}else{
$state = bin2hex(random_bytes(5));
echo "<a href='".$appleAuthObj->get_url($state)."'>sign</a>";
}
} catch (\Exception $e) {
echo "error: ".$e->getMessage();
}