Sign and verify PSR-7 HTTP messages in PHP.

HTTP Signatures

PHP implementation of the HTTP Signatures draft specification, allowing cryptographic signing and verification of PSR-7 messages.


Usage

Add 99designs/http-signatures to your composer.json.

Configure a context with your algorithm, keys, and the headers to sign. This is best placed in an application startup file.

use HttpSignatures\Context;

$context = new Context([
  'keys' => ['examplekey' => 'secret-key-here'],
  'algorithm' => 'hmac-sha256',
  'headers' => ['(request-target)', 'Date', 'Accept'],
]);

If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via 'signingKeyId' => 'examplekey'.

Messages

A message is assumed to be a PSR-7 compatible request or response object.

Signing a message

// PSR-7 messages are immutable, so keep the instance that sign() returns.
$message = $context->signer()->sign($message);

Now $message contains the signature headers:

$message->getHeaderLine('Signature');
// keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

$message->getHeaderLine('Authorization');
// Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

Verifying a signed message

$context->verifier()->isValid($message); // true or false

Symfony compatibility

Symfony requests normalize query strings, which means the resulting request target can be incorrect and a signature that covers (request-target) will no longer match. See https://github.com/symfony/psr-http-message-bridge/pull/30

When creating PSR-7 requests, use withRequestTarget to ensure the request target is correct. For example:

use Symfony\Bridge\PsrHttpMessage\Factory\DiactorosFactory;
use Symfony\Component\HttpFoundation\Request;

$symfonyRequest = Request::create('/foo?b=1&a=2');
$psrRequest = (new DiactorosFactory())
	->createRequest($symfonyRequest)
	->withRequestTarget($symfonyRequest->getRequestUri());
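
What the signature covers, and why a rewritten request target breaks it, shown as an added example that is not code from this library: it builds the signing string the way the HTTP Signatures draft describes it for hmac-sha256 and compares the result with hash_equals. The function names, the Date value and the reordered query string are assumptions made for illustration.

```php
<?php
// Added example: builds the draft's signing string by hand; not this library's code.
// Function names are hypothetical.

function signingString(string $method, string $target, array $headers, array $signed): string
{
    $lines = [];
    foreach ($signed as $name) {
        $lower = strtolower($name);
        if ($lower === '(request-target)') {
            // Pseudo-header: lowercased method, a space, then path and query as sent.
            $lines[] = '(request-target): ' . strtolower($method) . ' ' . $target;
            continue;
        }
        if (!isset($headers[$lower])) {
            throw new InvalidArgumentException("Header to sign is missing: $lower");
        }
        $lines[] = $lower . ': ' . trim($headers[$lower]);
    }
    return implode("\n", $lines);
}

function hmacSignature(string $secret, string $signingString): string
{
    return base64_encode(hash_hmac('sha256', $signingString, $secret, true));
}

// Recompute over the request as received and compare in constant time.
function signatureMatches(string $secret, string $signingString, string $presented): bool
{
    return hash_equals(hmacSignature($secret, $signingString), $presented);
}

// Constructed sample values mirroring the context configuration above.
$secret  = 'secret-key-here';
$signed  = ['(request-target)', 'Date', 'Accept'];
$headers = ['date' => 'Mon, 01 Jan 2024 00:00:00 GMT', 'accept' => 'application/json'];

// The client signs the target exactly as it is sent.
$signature = hmacSignature($secret, signingString('GET', '/foo?b=1&a=2', $headers, $signed));

// Verifier rebuilds the string from the same target: the signatures agree.
$sameTarget = signingString('GET', '/foo?b=1&a=2', $headers, $signed);
var_dump(signatureMatches($secret, $sameTarget, $signature));

// Verifier rebuilds it from a reordered query (assumed normalization): they differ.
$reordered = signingString('GET', '/foo?a=2&b=1', $headers, $signed);
var_dump(signatureMatches($secret, $reordered, $signature));
```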

Contributing

Pull Requests are welcome.

License

HTTP Signatures is licensed under The MIT License (MIT).