Incorrect HMAC signature format

[kidtronnix]

The signing method in the HMAC class returns hexits format rather than binary. This lead to incorrect base64 encoded output, and tokens can not be verified by other libraries as the signature cannot be reproduced correctly.

[kidtronnix]

@cirpo You aksed for a little more detail.

The issue is that according to the HMAC256 spec, the signature is supposed to be in the following form:

From http://www.jokecamp.com/blog/examples-of-creating-base64-hashes-using-hmac-sha256-in-different-languages/#php

$s = hash_hmac('sha256', 'Message', 'secret', true);
echo base64_encode($s);

Currently this lib creates hmac hashes, hexit encodes them (the default of the php hash_hmac function) and THEN base64_encodes them. This creates tokens that can't be verified by any other HMAC compliant library. The temporary fix I created for correcting the signature produced by this library might help demostrate the issue:

$correctSignature = rtrim(strtr(base64_encode(hex2bin(base64_decode($brokenSignature))), '+/', '-_'), '=');

I checked this with 3 other libraries and if you you want to investigate the problem yourself try verifying the signature on tokens produced by this library on the homepage of the official JWT site, http://jwt.io.