99designs/http-signatures

3.1.1 2017-01-18 21:59 UTC

README

PHP implementation of HTTP Signatures draft specification; allowing cryptographic signing and verifying of PSR7 messages.

See also:

Usage

Add 99designs/http-signatures to your composer.json.

Configure a context with your algorithm, keys, headers to sign. This is best placed in an application startup file.

use HttpSignatures\Context;

$context = new Context([
  'keys' => ['examplekey' => 'secret-key-here'],
  'algorithm' => 'hmac-sha256',
  'headers' => ['(request-target)', 'Date', 'Accept'],
]);

If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via 'signingKeyId' => 'examplekey'.

Messages

A message is assumed to be a PSR-7 compatible request or response object.

Signing a message

$context->signer()->sign($message);

Now $message contains the signature headers:

$message->headers->get('Signature');
// keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

$message->headers->get('Authorization');
// Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

Verifying a signed message

$context->verifier()->isValid($message); // true or false

Symfony Integration

Also included is a HttpMessageFactory class for converting Symfony Request objects into PSR-7 compatible messages.

$symfonyRequest = \Symfony\Component\HttpFoundation\Request::create('/foo');
$psr7Factory = new \HttpSignatures\HttpMessageFactory();
$psrRequest = $psr7Factory->createRequest($symfonyRequest);

Contributing

Pull Requests are welcome.

License

HTTP Signatures is licensed under The MIT License (MIT).