daxko/dax-signature-validation

Add PHP Example & Translation

Opened this issue · 1 comments

There are a number of pieces here that don't translate directly to PHP so in addition to providing an example it might be good to translate some of the instructions too.

A few things:

  • PHP strings are byte arrays, so those conversions are irrelevant.
  • PHP time() is in seconds. There's no native function that gets milliseconds so we'll do a little rounding. Since we're just checking if 10 min has elapsed this doesn't really matter.

Here's a really rough code snippet that I tested on http://phptester.net/

<?php

// Mock a call in Postman or similar and enter the values here.
$dax_expiration = "";
$status = "";
$area_id = "";
$validation_secret = "";
$dax_signature = "";

// Get the date in milliseconds.
$now = round(microtime(true)*1000);
if ($now > $dax_expiration) {
	print nl2br("wrong time \n");
}

// Concatenate the strings together.
$input_string = $dax_expiration . $status . $area_id;

// Convert the secret from hex to bin, then use it to calculate our hash
// and upper-case it, as PHP returns lower by default.
$our_signature = strtoupper(hash_hmac("sha256", $input_string, hex2bin($validation_secret)));

print nl2br("Input: $input_string \n");
print nl2br("Our sig: $our_signature \n");
print nl2br("Their sig: $dax_signature \n");

// Use hash_equals for a timing attack safe string comparison.
print hash_equals($our_signature, $dax_signature) ? "True" : "False";

Here's a much cleaner function to validate:

/**
   * Validate Daxko Barcode signature as per instructions here
   * https://github.com/daxko/dax-signature-validation.
   *
   * @param string $dax_expiration
   * @param string $status
   * @param string $area_id
   * @param string $validation_secret
   * @param string $dax_signature
   *
   * @return bool
   *   Whether the signature is validated or not.
   */
  private function validDaxSignature($dax_expiration, $status, $area_id, $validation_secret, $dax_signature) {

    $now = round(microtime(true)*1000);
    if ($now > $dax_expiration) {
      return FALSE;
    }

    $input_string = $dax_expiration . $status . $area_id;
    $key = hex2bin($validation_secret);
    $our_signature = strtoupper(hash_hmac("sha256", $input_string, $key));

    return hash_equals($our_signature, $dax_signature);
  }