API: fix JWT signature verification

Fixes https://github.com/shaarli/Shaarli/issues/737 Added: - Base64Url utilities Fixed: - use URL-safe Base64 encoding/decoding functions - use byte representations for HMAC digests - all JWT parts are Base64Url-encoded See: - https://en.wikipedia.org/wiki/JSON_Web_Token - https://tools.ietf.org/html/rfc7519 - https://scotch.io/tutorials/the-anatomy-of-a-json-web-token - https://jwt.io/introduction/ - https://en.wikipedia.org/wiki/Base64#URL_applications - https://secure.php.net/manual/en/function.base64-encode.php#103849 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2017-01-04 11:41:05 +0100
committer: VirtualTam <virtualtam@flibidi.net> 2017-01-04 16:59:47 +0100
commit: 7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 (patch)
tree: b92c37792e7af48e1da36686f1d722aaffb90a06 /application
parent: fc11ab2f290a3712b766d78fdbcd354625a35d0a (diff)
download: Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.gz
Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.zst
Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.zip
2 files changed, 39 insertions, 7 deletions
diff --git a/application/Base64Url.php b/application/Base64Url.php
new file mode 100644
index 00000000..61590e43
--- /dev/null
+++ b/application/Base64Url.php
@@ -0,0 +1,34 @@
+<?php
+namespace Shaarli;
+/**
+ * URL-safe Base64 operations
+ *
+ * @see https://en.wikipedia.org/wiki/Base64#URL_applications
+ */
+class Base64Url
+{
+    /**
+     * Base64Url-encodes data
+     *
+     * @param string $data Data to encode
+     *
+     * @return string Base64Url-encoded data
+     */
+    public static function encode($data) {
+        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
+    }
+    /**
+     * Decodes Base64Url-encoded data
+     *
+     * @param string $data Data to decode
+     *
+     * @return string Decoded data
+     */
+    public static function decode($data) {
+        return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));
+    }
+}
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index fbb1e72f..a419c396 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -1,13 +1,11 @@
 <?php
 namespace Shaarli\Api;
+use Shaarli\Base64Url;
 use Shaarli\Api\Exceptions\ApiAuthorizationException;
 /**
- * Class ApiUtils
+ * REST API utilities
- *
- * Utility functions for the API.
 */
 class ApiUtils
 {
@@ -26,17 +24,17 @@ class ApiUtils
            throw new ApiAuthorizationException('Malformed JWT token');
        }
-        $genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret);
+        $genSign = Base64Url::encode(hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret, true));
        if ($parts[2] != $genSign) {
            throw new ApiAuthorizationException('Invalid JWT signature');
        }
-        $header = json_decode(base64_decode($parts[0]));
+        $header = json_decode(Base64Url::decode($parts[0]));
        if ($header === null) {
            throw new ApiAuthorizationException('Invalid JWT header');
        }
-        $payload = json_decode(base64_decode($parts[1]));
+        $payload = json_decode(Base64Url::decode($parts[1]));
        if ($payload === null) {
            throw new ApiAuthorizationException('Invalid JWT payload');
        }
author	VirtualTam <virtualtam@flibidi.net>	2017-01-04 11:41:05 +0100
committer	VirtualTam <virtualtam@flibidi.net>	2017-01-04 16:59:47 +0100
commit	7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 (patch)
tree	b92c37792e7af48e1da36686f1d722aaffb90a06 /application
parent	fc11ab2f290a3712b766d78fdbcd354625a35d0a (diff)
download	Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.gz Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.tar.zst Shaarli-7a9daac56dc64ec1ddb12adece3e1a8f71778cc7.zip

diff --git a/application/Base64Url.php b/application/Base64Url.php new file mode 100644 index 00000000..61590e43 --- /dev/null +++ b/application/Base64Url.php
@@ -0,0 +1,34 @@
		1	<?php
		2
		3	namespace Shaarli;
		4
		5
		6	/**
		7	* URL-safe Base64 operations
		8	*
		9	* @see https://en.wikipedia.org/wiki/Base64#URL_applications
		10	*/
		11	class Base64Url
		12	{
		13	/**
		14	* Base64Url-encodes data
		15	*
		16	* @param string $data Data to encode
		17	*
		18	* @return string Base64Url-encoded data
		19	*/
		20	public static function encode($data) {
		21	return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
		22	}
		23
		24	/**
		25	* Decodes Base64Url-encoded data
		26	*
		27	* @param string $data Data to decode
		28	*
		29	* @return string Decoded data
		30	*/
		31	public static function decode($data) {
		32	return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));
		33	}
		34	}


diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php index fbb1e72f..a419c396 100644 --- a/application/api/ApiUtils.php +++ b/application/api/ApiUtils.php
@@ -1,13 +1,11 @@
1	<?php	1	<?php
2
3	namespace Shaarli\Api;	2	namespace Shaarli\Api;
4		3
		4	use Shaarli\Base64Url;
5	use Shaarli\Api\Exceptions\ApiAuthorizationException;	5	use Shaarli\Api\Exceptions\ApiAuthorizationException;
6		6
7	/**	7	/**
8	* Class ApiUtils	8	* REST API utilities
9	*
10	* Utility functions for the API.
11	*/	9	*/
12	class ApiUtils	10	class ApiUtils
13	{	11	{
@@ -26,17 +24,17 @@ class ApiUtils
26	throw new ApiAuthorizationException('Malformed JWT token');	24	throw new ApiAuthorizationException('Malformed JWT token');
27	}	25	}
28		26
29	$genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret);	27	$genSign = Base64Url::encode(hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret, true));
30	if ($parts[2] != $genSign) {	28	if ($parts[2] != $genSign) {
31	throw new ApiAuthorizationException('Invalid JWT signature');	29	throw new ApiAuthorizationException('Invalid JWT signature');
32	}	30	}
33		31
34	$header = json_decode(base64_decode($parts[0]));	32	$header = json_decode(Base64Url::decode($parts[0]));
35	if ($header === null) {	33	if ($header === null) {
36	throw new ApiAuthorizationException('Invalid JWT header');	34	throw new ApiAuthorizationException('Invalid JWT header');
37	}	35	}
38		36
39	$payload = json_decode(base64_decode($parts[1]));	37	$payload = json_decode(Base64Url::decode($parts[1]));
40	if ($payload === null) {	38	if ($payload === null) {
41	throw new ApiAuthorizationException('Invalid JWT payload');	39	throw new ApiAuthorizationException('Invalid JWT payload');
42	}	40	}