@truth3
Created October 25, 2017 12:15
Digital Signature Validation
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0cCM/xT5c6Czor3573pX
lPEFbEzk4rm/iq15eWntOWMl3BkbdZY9Zbm8TOjh0YrHFH4ZrQmREXyxVQxZNQ7z
wITmwyrMyb1/ravbSpuj9HIpY4hn5sregUJZUtWTSvtlXSSKa60bva5qG8MHi+hK
7qWayJwfriDung+T9jss6k8ANmin2BPjpjTlMbbJbRyr+27XYov3nD9U1KYeBnGg
yj8aplb/1e75Iuk7oCwVm+kTsPKI/ZeATf/kfS93tQrw0/gozP4iVubyKBVG05Bz
erFcb3QUzLSo3LIJ/8VYuGHnz6y+J6xy02EOhzJMPLUt3GQo7yUDOPls/W2tCBUe
bwIDAQAB
-----END PUBLIC KEY-----
<?php
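// Webhook receiver: checks the Hook-Signature header against the raw request
// body and e-mails the outcome. Every path that cannot positively verify the
// signature ends in a "failed" report and stops; nothing falls through.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    die('GET requests are not allowed');
}

// Header names are case-insensitive on the wire, so normalise before lookup.
// Missing headers become empty strings instead of undefined-index notices.
$headers = array_change_key_case(apache_request_headers() ?: [], CASE_LOWER);
$signature = (string) ($headers['hook-signature'] ?? '');
$hashAlg = (string) ($headers['hook-algorithm'] ?? '');

// Grabbing the raw data exactly as received; the signature covers these bytes.
$data = (string) file_get_contents('php://input');

$discardedNotice = 'Data has been thrown away, as verification failed';

// An unsigned request is reported and then dropped. Continuing would reach the
// verification branches with no signature to check.
if ($signature === '') {
    sendMail('Data was not signed, be careful', $data, $hashAlg, $signature);
    exit;
}

// Strict base64 decoding plus a round-trip comparison rejects malformed or
// non-canonical encodings before the value reaches OpenSSL.
$validatedSignature = base64_decode($signature, true);
if ($validatedSignature === false || base64_encode($validatedSignature) !== $signature) {
    sendMail('Signature failed decoding', $data, $hashAlg, $signature);
    exit;
}

// The algorithm name comes from a request header, so it is chosen by whoever
// sent the request. Only exact, known names are accepted; weak or unknown
// digests never reach hash().
// NOTE(review): narrow this list to the single algorithm agreed with the
// sender, so a request cannot pick between the RSA and HMAC paths.
$acceptedAlgorithms = ['RS256', 'RS384', 'RS512', 'HS256', 'HS384', 'HS512'];
if (!in_array($hashAlg, $acceptedAlgorithms, true)) {
    sendMail('Post Verification Failed', $discardedNotice, $hashAlg, $signature);
    exit;
}

// "RS256" -> method "RS", digest "sha256".
$hashAlgMethod = substr($hashAlg, 0, 2);
$hashAlg = 'sha' . substr($hashAlg, 2, 3);
$verified = false;

if ($hashAlgMethod === 'RS') {
    // The digest (not the raw body) is handed to openssl_verify(), which hashes
    // its input again. Kept as in the original: this only matches a sender that
    // signs hash(body) - confirm against the sender's implementation.
    $dataHash = hash($hashAlg, $data, true);
    $public_key_pem = file_get_contents('public_key.pem');
    if ($public_key_pem !== false) {
        // openssl_verify() returns 1 (valid), 0 (invalid), -1 or false (error).
        // Only an exact 1 counts as verified.
        $verified = openssl_verify($dataHash, $validatedSignature, $public_key_pem, $hashAlg) === 1;
    }
} else {
    // Use the same key that the signer used.
    // NOTE(review): the HMAC secret is read from private_key.pem; a shared HMAC
    // secret should be its own value and must never be published - confirm.
    $private_key_pem = file_get_contents('private_key.pem');
    // An unreadable or empty key file must not degrade to an empty-key HMAC,
    // which any sender could reproduce.
    if ($private_key_pem !== false && $private_key_pem !== '') {
        $verifySignature = base64_encode(hash_hmac($hashAlg, $data, $private_key_pem, true));
        // Constant-time, type-strict comparison of the two encoded MACs.
        $verified = hash_equals($verifySignature, $signature);
    }
}

if ($verified) {
    $message = 'Post Verification Passed';
} else {
    $message = 'Post Verification Failed';
    $data = $discardedNotice;
}
sendMail($message, $data, $hashAlg, $signature);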
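/**
 * Send an email explaining what happened during verification, including the
 * raw data, the hash algorithm and the signature that were received.
 *
 * $hashAlg and $signature are optional so that the early-failure callers,
 * which pass only a message and the data, do not raise an ArgumentCountError.
 *
 * @param string $message   Outcome text; used as the mail subject.
 * @param string $data      Request body, or the notice that it was discarded.
 * @param string $hashAlg   Digest name used for verification, if known.
 * @param string $signature Signature header value as received, if any.
 */
function sendMail($message, $data, $hashAlg = '', $signature = '')
{
    // The subject is a mail header: keep it on one line.
    $subject = str_replace(["\r", "\n"], ' ', (string) $message);

    $body = "The Data Begins here: \r\n" . $data
        . "\r\nThe Hash Alg is here\r\n" . $hashAlg
        . "\r\nThe Signature is here\r\n" . $signature;

    mail("#####@######.com", $subject, $body);
}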
?>

truth3 commented Oct 25, 2017

Make sure to add your email address to line 81 to receive the test results.
