PHP implementation of HTTP Signatures draft specification; allowing cryptographic signing and verifying of PSR7 messages.
See also:
Add 99designs/http-signatures to your composer.json.
Configure a context with your algorithm, keys, headers to sign. This is best placed in an application startup file.
use HttpSignatures\Context;
$context = new Context([
'keys' => ['examplekey' => 'secret-key-here'],
'algorithm' => 'hmac-sha256',
'headers' => ['(request-target)', 'Date', 'Accept'],
]);
If there's only one key in the keys
hash, that will be used for signing.
Otherwise, specify one via 'signingKeyId' => 'examplekey'
.
A message is assumed to be a PSR-7 compatible request or response object.
$context->signer()->sign($message);
Now $message
contains the signature headers:
$message->headers->get('Signature');
// keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."
$message->headers->get('Authorization');
// Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."
$context->verifier()->isValid($message); // true or false
Symfony requests normalize query strings which means the resulting request target can be incorrect. See https://github.com/symfony/psr-http-message-bridge/pull/30
When creating PSR-7 requests you use withRequestTarget
to ensure the request target is correct. For example
use Symfony\Bridge\PsrHttpMessage\Factory\DiactorosFactory;
use Symfony\Component\HttpFoundation\Request;
$symfonyRequest = Request::create('/foo?b=1&a=2');
$psrRequest = (new DiactorosFactory())
->createRequest($symfonyRequest)
->withRequestTarget($symfonyRequest->getRequestUri());
Pull Requests are welcome.
HTTP Signatures is licensed under The MIT License (MIT).