ID Token signature validation
$ cat test.php | |
<?php | |
/**
 * Encode raw bytes as base64url (RFC 4648 §5) without "=" padding, the
 * form used for JWT / ID Token segments.
 *
 * @param string $str raw bytes to encode
 * @return string base64url text, padding stripped
 */
function base64_urlencode($str){
    $standard = base64_encode($str);
    // Swap the two alphabet characters that are not URL-safe ("+" and "/"),
    // then drop the trailing padding.
    return rtrim(strtr($standard, '+/', '-_'), '=');
}
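/**
 * Decode a base64url (RFC 4648 §5) string, restoring the "=" padding that
 * JWT / ID Token segments omit.
 *
 * @param string $str unpadded base64url text
 * @return string decoded bytes
 * @throws Exception if the length cannot belong to valid base64 data, or if
 *                   the input contains characters outside the alphabet
 */
function base64_urldecode($str){
    $dec = strtr($str, '-_', '+/');
    // Valid base64 has length 0, 2 or 3 (mod 4) once padding is removed;
    // a remainder of 1 can never be produced by an encoder.
    switch (strlen($dec) % 4) {
        case 0:
            break;
        case 2:
            $dec .= '==';
            break;
        case 3:
            $dec .= '=';
            break;
        default:
            throw new Exception("Illegal base64url string!");
    }
    // Strict mode: characters outside the base64 alphabet make the decode
    // fail instead of being silently skipped, so a malformed signature
    // segment is rejected rather than decoded to different bytes.
    $bytes = base64_decode($dec, true);
    if ($bytes === false) {
        throw new Exception("Illegal base64url string!");
    }
    return $bytes;
}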
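/**
 * Verify an RSASSA-PKCS1-v1_5 signature by hand: recover the signed block
 * with the public key and compare it, byte for byte, with the DigestInfo
 * structure (DER algorithm prefix + raw hash) expected for $data.
 *
 * @param string $data      the bytes that were signed
 * @param string $signature raw (already base64url-decoded) signature bytes
 * @param mixed  $key       public key accepted by openssl_public_decrypt()
 * @param string $alg       digest name: 'sha256' (default), 'sha1' or 'md5'
 * @return bool true only when the recovered block equals the expected DigestInfo
 */
function digest_verify_data($data, $signature, $key, $alg='sha256') {
    // DER-encoded DigestInfo prefixes that precede the raw hash inside a
    // PKCS#1 v1.5 signature block, keyed by the digest name hash() uses.
    static $digest_info_headers = [
        'sha1'   => '3021300906052b0e03021a05000414',
        'sha256' => '3031300d060960864801650304020105000420',
        'md5'    => '3020300c06082a864886f70d020505000410',
    ];
    // Unknown digest: nothing sensible to compare against.
    if (!isset($digest_info_headers[$alg])) {
        return false;
    }
    $plainText = NULL;
    $status = openssl_public_decrypt($signature, $plainText, $key);
    if (!$status) {
        printf("Unable to decrypt sign data\n");
        return false;
    }
    $expected = pack('H*', $digest_info_headers[$alg]) . hash($alg, $data, true);
    // Compare the whole recovered block against the full expected DigestInfo
    // (not just the hash suffix) with a strict, constant-time comparison.
    return hash_equals($expected, $plainText);
}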
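// nov's x509 cert: the issuer's RSA public key is extracted from it below
$x509 = <<<CRT
-----BEGIN CERTIFICATE-----
MIIDeDCCAmACCQDFeFSXWEnHxDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJK
UDEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB1NoaWJ1eWExITAfBgNVBAoMGElu
dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAwwDTm92MRwwGgYJKoZIhvcN
AQkBFg1ub3ZAbWF0YWtlLmpwMB4XDTExMDkxMzEzMjIzNFoXDTEyMDkxMjEzMjIz
NFowfjELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRAwDgYDVQQHDAdTaGli
dXlhMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDDAKBgNVBAMM
A05vdjEcMBoGCSqGSIb3DQEJARYNbm92QG1hdGFrZS5qcDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKSsm7NFmh1P8uHB8Vm5vFs4+uh7XMhZ+xYd5/vf
ak17ucjWt9DEWCGH0g8HvSVXNSVKBsONcqtkrXRgSeNB8YnIYxPmKKX7twefEJYC
b06FG1g+IJkwxoDBsUMbb9RJ9snnWsp0O97A6SCvtdiSQ2Oeab3/jwokkPTo8WS4
lRipQpQ7rOOP7r9t+9G/SDdiYhDhfmuyQamkxGCz6V2qClg0pyTaJ6+/bS9E+4ri
ZjtZe9OaDt2NE0PiDS2Oo5yhv0abL8rxjZ8D/aTL3D9aYSrFmddKH7roSRkafCMU
C/UX80/OzrxdEQUjtVO94dPWD/nKK1g7JyiIuk280aTeWA8CAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAdiNDw9z6U8lIF0NWVObeGqoxn/MSp/W5S56ts3agw0meqc1J
gUPkncXbpjZ/wX0Y3pupmGBIO0XAHPhjyCu3HhplhaVxSNqKEg9wB3huYaMZ2Kbi
+Wy77hLO2hOYk8vI/ok5oW0lhhpA0o4GzbyV4SA3nZgT0u8YXC7cqAHqI9KsBU5z
62mjlptCR/b10xTlC13AtbdDM6s1hWP9XpDrm6Kxgfu7nKQ1Q31ag1Ukm9Gw8qcl
ILxZxqbqGy/q1C+6ObTmGtiVbJTs+W8u5BPg9S49O6qIhVN5wWCT4lRrlpXpYA3a
TTVBULB1g7Iod2g+kF0qAXnwqGvZ5LOgwFfmcw==
-----END CERTIFICATE-----
CRT;
// openssl_pkey_get_public() returns false on an unparsable PEM; without this
// guard `false` would be passed on as the key and the problem would only show
// up later as "Unable to decrypt sign data".
$pub_key = openssl_pkey_get_public($x509);
if ($pub_key === false) {
    fwrite(STDERR, "Unable to load public key from certificate\n");
    exit(1);
}
// this is id_token segments: header, payload and signature, each base64url-encoded
$header = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9";
$payload = "eyJpc3MiOiJodHRwczovL2Nvbm5lY3Qtb3AuaGVyb2t1LmNvbSIsInVzZXJfaWQiOiJmZmM2ZTNkMDNjMTQzNjhjNTAxOTRjMWM1MDE1MDcxYSIsImF1ZCI6IjMzM2UzMDYyMTllZTIxNDk0OWEyZDU1NjVmZGE5YTA3IiwiZXhwIjoxMzE1OTUyOTU3fQ";
$signature = "iC5QPS2Niu1nRAwFfDl2bm-SUpxFBEFI0vBUU9ZEOT06Wfb1XN8L_9Uq2qlb2wPbpxl7Peh-YPIvUNN4TLaut8SPZHEXcDwCnXOvOqQeuUgZgMe5j7IUehJ02_uPsGpS0eyXsc58nA9TqGr-BlBeksCPaDZjpwyE6-zdzbpBQ32_KmIaMqaEPxILIFGa48hqyIxMKNbN6gbf-VPuDfwwLuly34l_QXTuh0AqMjn3oADi8XBt-_P2F68IoCwz0aPmcp30HGrA-CgUXqAR8SitwRBsdmyHF6x857KKLxZGTepAOTKGapMh7bz9vfek2sQZAsOSZH-03MBUijbCJ-ynDQ";
$sig = base64_urldecode($signature);
// validate signature over the exact signing input "<header>.<payload>".
// The algorithm is pinned to RSA / SHA-256 here rather than taken from the
// token header; keep it that way so the token cannot choose how it is verified.
$status = digest_verify_data($header.".".$payload,$sig,$pub_key,'sha256');
// NOTE: a good signature only shows the token was issued under this key. The
// payload segment also carries iss, aud and exp claims that this script does
// not check, so on its own it is not a complete ID Token validation.
print "Status : ".$status;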
?> | |
$ php test.php | |
Status : 1 |