<?php
namespace Keruald\GitHub;
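/**
 * Computes and validates HMAC signatures of webhook payloads, as delivered
 * in an X-Hub-Signature style header.
 *
 * Security notes for callers:
 *  - The secret must be a non-empty, hard-to-guess value. HMAC with an empty
 *    key can be computed by anyone, so validation would accept forged
 *    payloads. This class does not enforce a minimum secret length.
 *  - The payload must be the raw request body, byte for byte as received;
 *    a re-encoded or pretty-printed body yields a different signature.
 *  - The algorithm used for verification is the one given to the constructor,
 *    never one named by the sender. parseSignature() discards the "algo="
 *    prefix, so pick the algorithm matching the header you read.
 */
class XHubSignature {

    ///
    /// Properties
    ///

    /**
     * The secret token to secure messages
     *
     * @var string
     */
    private $secret;

    /**
     * The hash algorithm
     *
     * @var string
     */
    private $hashAlgo;

    /**
     * The payload
     *
     * @var string
     */
    public $payload;

    /**
     * The signature delivered with the payload, to validate it
     *
     * @var string
     */
    public $signature;

    ///
    /// Constants
    ///

    /**
     * The default hash algorithm to use if none is offered
     *
     * Kept as 'sha1' for backward compatibility with existing callers.
     * GitHub also sends an X-Hub-Signature-256 header and recommends it;
     * pass 'sha256' as $algo when validating that header.
     */
    const DEFAULT_HASH_ALGO = 'sha1';

    ///
    /// Constructor
    ///

    /**
     * Initializes a new instance of the XHubSignature class
     *
     * @param string $secret the secret token
     * @param string $algo the algorithm to use to compute hashes [optional]
     */
    public function __construct ($secret, $algo = self::DEFAULT_HASH_ALGO) {
        $this->secret = $secret;
        $this->hashAlgo = $algo;
    }

    ///
    /// Signature methods
    ///

    /**
     * Computes the signature for the current payload
     *
     * @return string the payload signature, as lowercase hexadecimal digits
     */
    public function compute () {
        return hash_hmac($this->hashAlgo, $this->payload, $this->secret);
    }

    /**
     * Validates the signature
     *
     * Fails closed: a missing or non-string signature is reported as
     * invalid instead of reaching hash_equals(), which rejects non-string
     * arguments (a TypeError on PHP 8, a warning on earlier versions).
     *
     * @return bool true if the signature is correct; otherwise, false.
     */
    public function validate () {
        $expected = $this->compute();

        // A request without a signature header leaves $signature null;
        // that must read as "invalid", not as an uncaught error.
        if (!is_string($expected) || !is_string($this->signature)) {
            return false;
        }

        // hash_equals compares in constant time, so the comparison does not
        // reveal how many leading characters of a forged signature matched.
        return hash_equals($expected, $this->signature);
    }

    ///
    /// Static helper methods
    ///

    /**
     * Computes a signature for the specified secret and payload
     *
     * @param string $secret the secret token to secure messages
     * @param string $payload the payload
     * @param string $algo the hash algorithm [optional]
     *
     * @return string the payload signature
     */
    public static function hashPayload(
        $secret,
        $payload,
        $algo = self::DEFAULT_HASH_ALGO
    ) {
        $instance = new static($secret, $algo);
        $instance->payload = $payload;

        return $instance->compute();
    }

    /**
     * Validates a payload against specified secret
     *
     * @param string $secret the secret token to secure messages
     * @param string $payload the payload
     * @param string $signature the signature delivered with the payload
     * @param string $algo the hash algorithm [optional]
     *
     * @return bool true if the signature is correct; otherwise, false.
     */
    public static function validatePayload (
        $secret,
        $payload,
        $signature,
        $algo = self::DEFAULT_HASH_ALGO
    ) {
        $instance = new static($secret, $algo);
        $instance->payload = $payload;
        $instance->signature = $signature;

        return $instance->validate();
    }

    /**
     * Parses a X-Hub-Signature field from headers and gets the signature part
     *
     * The header has the form "<algo>=<signature>". Only the part after the
     * first '=' is returned; the algorithm name is discarded and is not
     * checked against the algorithm this class is configured with.
     *
     * @param string|null $header the header value, or null when it is absent
     * @return string the signature; an empty string when the header is null
     */
    public static function parseSignature ($header) {
        if ($header === null) {
            return "";
        }

        // No "algo=" prefix: treat the whole value as the signature.
        if (strpos($header, '=') === false) {
            return $header;
        }

        $data = explode('=', $header, 2);

        return $data[1];
    }

}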