Skip to content
Permalink
Browse files Browse the repository at this point in the history
explicit alg check & secure hash comparison
  • Loading branch information
nov committed Aug 30, 2016
1 parent 8ed99bc commit 1cce55e
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions src/JOSE/JWS.php
Expand Up @@ -122,14 +122,20 @@ private function _verify($public_key_or_secret, $expected_alg = null) {
$segments = explode('.', $this->raw);
$signature_base_string = implode('.', array($segments[0], $segments[1]));
if (!$expected_alg) {
# NOTE: might better to warn here
$expected_alg = $this->header['alg'];
$using_autodetected_alg = true;
}
switch ($expected_alg) {
case 'HS256':
case 'HS384':
case 'HS512':
return $this->signature === hash_hmac($this->digest(), $signature_base_string, $public_key_or_secret, true);
if ($using_autodetected_alg) {
throw new JOSE_Exception_UnexpectedAlgorithm(
'HMAC algs MUST be explicitly specified as $expected_alg'
);
}
$hmac_hash = hash_hmac($this->digest(), $signature_base_string, $public_key_or_secret, true);
return hash_equals($this->signature, $hmac_hash);
case 'RS256':
case 'RS384':
case 'RS512':
Expand Down

0 comments on commit 1cce55e

Please sign in to comment.