Skip to content
Permalink
Browse files

explicit alg check & secure hash comparison

  • Loading branch information...
nov
nov committed Aug 30, 2016
1 parent 8ed99bc commit 1cce55e27adf0274193eb1cd74b927a398a3df4b
Showing with 8 additions and 2 deletions.
  1. +8 −2 src/JOSE/JWS.php
@@ -122,14 +122,20 @@ private function _verify($public_key_or_secret, $expected_alg = null) {
$segments = explode('.', $this->raw);
$signature_base_string = implode('.', array($segments[0], $segments[1]));
if (!$expected_alg) {
# NOTE: might better to warn here
$expected_alg = $this->header['alg'];
$using_autodetected_alg = true;
}
switch ($expected_alg) {
case 'HS256':
case 'HS384':
case 'HS512':
return $this->signature === hash_hmac($this->digest(), $signature_base_string, $public_key_or_secret, true);
if ($using_autodetected_alg) {
throw new JOSE_Exception_UnexpectedAlgorithm(
'HMAC algs MUST be explicitly specified as $expected_alg'
);
}
$hmac_hash = hash_hmac($this->digest(), $signature_base_string, $public_key_or_secret, true);
return hash_equals($this->signature, $hmac_hash);
case 'RS256':
case 'RS384':
case 'RS512':

0 comments on commit 1cce55e

Please sign in to comment.
You can’t perform that action at this time.