diff options
| author | VirtualTam <virtualtam@flibidi.net> | 2017-01-04 11:41:05 +0100 |
|---|---|---|
| committer | VirtualTam <virtualtam@flibidi.net> | 2017-01-04 16:59:47 +0100 |
| commit | 7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 (patch) | |
| tree | b92c37792e7af48e1da36686f1d722aaffb90a06 | |
| parent | fc11ab2f290a3712b766d78fdbcd354625a35d0a (diff) | |
| download | Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.gz Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.zst Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.zip | |
API: fix JWT signature verification
Fixes https://github.com/shaarli/Shaarli/issues/737
Added:
- Base64Url utilities
Fixed:
- use URL-safe Base64 encoding/decoding functions
- use byte representations for HMAC digests
- all JWT parts are Base64Url-encoded
See:
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://tools.ietf.org/html/rfc7519
- https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
- https://jwt.io/introduction/
- https://en.wikipedia.org/wiki/Base64#URL_applications
- https://secure.php.net/manual/en/function.base64-encode.php#103849
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
| -rw-r--r-- | application/Base64Url.php | 34 | ||||
| -rw-r--r-- | application/api/ApiUtils.php | 12 | ||||
| -rw-r--r-- | composer.json | 1 | ||||
| -rw-r--r-- | tests/api/ApiUtilsTest.php | 15 |
4 files changed, 49 insertions, 13 deletions
diff --git a/application/Base64Url.php b/application/Base64Url.php new file mode 100644 index 00000000..61590e43 --- /dev/null +++ b/application/Base64Url.php | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | <?php | ||
| 2 | |||
| 3 | namespace Shaarli; | ||
| 4 | |||
| 5 | |||
| 6 | /** | ||
| 7 | * URL-safe Base64 operations | ||
| 8 | * | ||
| 9 | * @see https://en.wikipedia.org/wiki/Base64#URL_applications | ||
| 10 | */ | ||
| 11 | class Base64Url | ||
| 12 | { | ||
| 13 | /** | ||
| 14 | * Base64Url-encodes data | ||
| 15 | * | ||
| 16 | * @param string $data Data to encode | ||
| 17 | * | ||
| 18 | * @return string Base64Url-encoded data | ||
| 19 | */ | ||
| 20 | public static function encode($data) { | ||
| 21 | return rtrim(strtr(base64_encode($data), '+/', '-_'), '='); | ||
| 22 | } | ||
| 23 | |||
| 24 | /** | ||
| 25 | * Decodes Base64Url-encoded data | ||
| 26 | * | ||
| 27 | * @param string $data Data to decode | ||
| 28 | * | ||
| 29 | * @return string Decoded data | ||
| 30 | */ | ||
| 31 | public static function decode($data) { | ||
| 32 | return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT)); | ||
| 33 | } | ||
| 34 | } | ||
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php index fbb1e72f..a419c396 100644 --- a/application/api/ApiUtils.php +++ b/application/api/ApiUtils.php | |||
| @@ -1,13 +1,11 @@ | |||
| 1 | <?php | 1 | <?php |
| 2 | |||
| 3 | namespace Shaarli\Api; | 2 | namespace Shaarli\Api; |
| 4 | 3 | ||
| 4 | use Shaarli\Base64Url; | ||
| 5 | use Shaarli\Api\Exceptions\ApiAuthorizationException; | 5 | use Shaarli\Api\Exceptions\ApiAuthorizationException; |
| 6 | 6 | ||
| 7 | /** | 7 | /** |
| 8 | * Class ApiUtils | 8 | * REST API utilities |
| 9 | * | ||
| 10 | * Utility functions for the API. | ||
| 11 | */ | 9 | */ |
| 12 | class ApiUtils | 10 | class ApiUtils |
| 13 | { | 11 | { |
| @@ -26,17 +24,17 @@ class ApiUtils | |||
| 26 | throw new ApiAuthorizationException('Malformed JWT token'); | 24 | throw new ApiAuthorizationException('Malformed JWT token'); |
| 27 | } | 25 | } |
| 28 | 26 | ||
| 29 | $genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret); | 27 | $genSign = Base64Url::encode(hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret, true)); |
| 30 | if ($parts[2] != $genSign) { | 28 | if ($parts[2] != $genSign) { |
| 31 | throw new ApiAuthorizationException('Invalid JWT signature'); | 29 | throw new ApiAuthorizationException('Invalid JWT signature'); |
| 32 | } | 30 | } |
| 33 | 31 | ||
| 34 | $header = json_decode(base64_decode($parts[0])); | 32 | $header = json_decode(Base64Url::decode($parts[0])); |
| 35 | if ($header === null) { | 33 | if ($header === null) { |
| 36 | throw new ApiAuthorizationException('Invalid JWT header'); | 34 | throw new ApiAuthorizationException('Invalid JWT header'); |
| 37 | } | 35 | } |
| 38 | 36 | ||
| 39 | $payload = json_decode(base64_decode($parts[1])); | 37 | $payload = json_decode(Base64Url::decode($parts[1])); |
| 40 | if ($payload === null) { | 38 | if ($payload === null) { |
| 41 | throw new ApiAuthorizationException('Invalid JWT payload'); | 39 | throw new ApiAuthorizationException('Invalid JWT payload'); |
| 42 | } | 40 | } |
diff --git a/composer.json b/composer.json index cfbde1a0..2fed0df7 100644 --- a/composer.json +++ b/composer.json | |||
| @@ -24,6 +24,7 @@ | |||
| 24 | }, | 24 | }, |
| 25 | "autoload": { | 25 | "autoload": { |
| 26 | "psr-4": { | 26 | "psr-4": { |
| 27 | "Shaarli\\": "application", | ||
| 27 | "Shaarli\\Api\\": "application/api/", | 28 | "Shaarli\\Api\\": "application/api/", |
| 28 | "Shaarli\\Api\\Controllers\\": "application/api/controllers", | 29 | "Shaarli\\Api\\Controllers\\": "application/api/controllers", |
| 29 | "Shaarli\\Api\\Exceptions\\": "application/api/exceptions" | 30 | "Shaarli\\Api\\Exceptions\\": "application/api/exceptions" |
diff --git a/tests/api/ApiUtilsTest.php b/tests/api/ApiUtilsTest.php index 10da1459..4b2fa3b2 100644 --- a/tests/api/ApiUtilsTest.php +++ b/tests/api/ApiUtilsTest.php | |||
| @@ -2,6 +2,9 @@ | |||
| 2 | 2 | ||
| 3 | namespace Shaarli\Api; | 3 | namespace Shaarli\Api; |
| 4 | 4 | ||
| 5 | use Shaarli\Base64Url; | ||
| 6 | |||
| 7 | |||
| 5 | /** | 8 | /** |
| 6 | * Class ApiUtilsTest | 9 | * Class ApiUtilsTest |
| 7 | */ | 10 | */ |
| @@ -24,14 +27,14 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase | |||
| 24 | */ | 27 | */ |
| 25 | public static function generateValidJwtToken($secret) | 28 | public static function generateValidJwtToken($secret) |
| 26 | { | 29 | { |
| 27 | $header = base64_encode('{ | 30 | $header = Base64Url::encode('{ |
| 28 | "typ": "JWT", | 31 | "typ": "JWT", |
| 29 | "alg": "HS512" | 32 | "alg": "HS512" |
| 30 | }'); | 33 | }'); |
| 31 | $payload = base64_encode('{ | 34 | $payload = Base64Url::encode('{ |
| 32 | "iat": '. time() .' | 35 | "iat": '. time() .' |
| 33 | }'); | 36 | }'); |
| 34 | $signature = hash_hmac('sha512', $header .'.'. $payload , $secret); | 37 | $signature = Base64Url::encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true)); |
| 35 | return $header .'.'. $payload .'.'. $signature; | 38 | return $header .'.'. $payload .'.'. $signature; |
| 36 | } | 39 | } |
| 37 | 40 | ||
| @@ -46,9 +49,9 @@ class ApiUtilsTest extends \PHPUnit_Framework_TestCase | |||
| 46 | */ | 49 | */ |
| 47 | public static function generateCustomJwtToken($header, $payload, $secret) | 50 | public static function generateCustomJwtToken($header, $payload, $secret) |
| 48 | { | 51 | { |
| 49 | $header = base64_encode($header); | 52 | $header = Base64Url::encode($header); |
| 50 | $payload = base64_encode($payload); | 53 | $payload = Base64Url::encode($payload); |
| 51 | $signature = hash_hmac('sha512', $header . '.' . $payload, $secret); | 54 | $signature = Base64Url::encode(hash_hmac('sha512', $header . '.' . $payload, $secret, true)); |
| 52 | return $header . '.' . $payload . '.' . $signature; | 55 | return $header . '.' . $payload . '.' . $signature; |
| 53 | } | 56 | } |
| 54 | 57 | ||