diff --git a/composer.json b/composer.json
index d5f06a6..f1c93ba 100644
--- a/composer.json
+++ b/composer.json
@@ -22,7 +22,7 @@
 "ext-curl": "*",
 "ext-json": "*",
 "ext-openssl": "*",
- "selective/xmldsig": "^3.0"
+ "robrichards/xmlseclibs": "^3.1"
 },
 "autoload": {
 "psr-4": {
diff --git a/composer.lock b/composer.lock
index a894af6..7cdc22c 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,58 +4,49 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "1cd474d4354dafb5533494d852cad5bc", + "content-hash": "abfcea3a1385997af764e1857d3b5f72", "packages": [ { - "name": "selective/xmldsig", - "version": "3.1.0", + "name": "robrichards/xmlseclibs", + "version": "3.1.1", "source": { "type": "git", - "url": "https://github.com/selective-php/xmldsig.git", - "reference": "adfa81bc744a29f808a5216bf73e0cb2bcd7af91" + "url": "https://github.com/robrichards/xmlseclibs.git", + "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/selective-php/xmldsig/zipball/adfa81bc744a29f808a5216bf73e0cb2bcd7af91", - "reference": "adfa81bc744a29f808a5216bf73e0cb2bcd7af91", + "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/f8f19e58f26cdb42c54b214ff8a820760292f8df", + "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df", "shasum": "" }, "require": { - "ext-dom": "*", "ext-openssl": "*", - "php": "~8.1 || ~8.2" - }, - "require-dev": { - "friendsofphp/php-cs-fixer": "^3", - "phpstan/phpstan": "^1", - "phpunit/phpunit": "^10", - "squizlabs/php_codesniffer": "^3", - "starkbank/ecdsa": "^2.0" + "php": ">= 5.4" }, "type": "library", "autoload": { "psr-4": { - "Selective\\XmlDSig\\": "src/" + "RobRichards\\XMLSecLibs\\": "src" } }, "notification-url": "https://packagist.org/downloads/", "license": [ - "MIT" + "BSD-3-Clause" ], - "description": "Sign XML Documents with Digital Signatures", - "homepage": "https://github.com/selective-php/xmldsig", + "description": "A PHP library for XML Security", + "homepage": "https://github.com/robrichards/xmlseclibs", "keywords": [ - "signatures", - "verify", + "security", + "signature", "xml", "xmldsig" ], "support": { - "issues": "https://github.com/selective-php/xmldsig/issues", - "source": "https://github.com/selective-php/xmldsig/tree/3.1.0" + 
"issues": "https://github.com/robrichards/xmlseclibs/issues", + "source": "https://github.com/robrichards/xmlseclibs/tree/3.1.1" }, - "abandoned": "robrichards/xmlseclibs", - "time": "2023-09-09T22:17:11+00:00" + "time": "2020-09-05T13:00:25+00:00" } ], "packages-dev": [ @@ -3049,7 +3040,7 @@ "prefer-stable": true, "prefer-lowest": false, "platform": { - "php": ">=8.1", + "php": ">=8.0", "ext-dom": "*", "ext-libxml": "*", "ext-simplexml": "*", diff --git a/src/Validators/WebhookSignatureValidation.php b/src/Validators/WebhookSignatureValidation.php index 6259ba5..6a07619 100644 --- a/src/Validators/WebhookSignatureValidation.php +++ b/src/Validators/WebhookSignatureValidation.php @@ -9,10 +9,10 @@ namespace Bluem\BluemPHP\Validators; use Bluem\BluemPHP\Helpers\Now; +use DOMDocument; use Exception; -use Selective\XmlDSig\CryptoVerifier; -use Selective\XmlDSig\PublicKeyStore; -use Selective\XmlDSig\XmlSignatureVerifier; +use RobRichards\XMLSecLibs\XMLSecurityDSig; +use RobRichards\XMLSecLibs\XMLSecurityKey; class WebhookSignatureValidation extends WebhookValidator { 
@@ -29,26 +29,44 @@ public function __construct( */ public function validate(string $data): self { + $public_key_file_path = dirname(__DIR__, 2) . self::KEY_FOLDER . $this->getKeyFileName(); + $temp_file = tmpfile(); fwrite($temp_file, $data); $temp_file_path = stream_get_meta_data($temp_file)['uri']; - $publicKeyStore = new PublicKeyStore(); - $public_key_file_path = dirname(__DIR__, 2) . self::KEY_FOLDER . $this->getKeyFileName(); + // Load the XML to be verified + $doc = new DOMDocument(); + $doc->load($temp_file_path); + // Create a new Security object + $objDSig = new XMLSecurityDSig(); + + // Locate the signature within the XML try { - $publicKeyStore->loadFromPem(file_get_contents($public_key_file_path)); - $cryptoVerifier = new CryptoVerifier($publicKeyStore); + $objDSig->locateSignature($doc); + $objDSig->canonicalizeSignedInfo(); + $objDSig->validateReference(); + } catch (Exception $e) { + $this->addError('Reference Validation Failed: ' . $e->getMessage()); + } - // Create a verifier instance and pass the crypto decoder - $xmlSignatureVerifier = new XmlSignatureVerifier($cryptoVerifier); + try { + // Load the public key + $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']); + $objKey->loadKey($public_key_file_path, TRUE); - // Verify a XML file - $xmlVerified = $xmlSignatureVerifier->verifyXml(file_get_contents($temp_file_path)); - if (! $xmlVerified) { + } catch (Exception $e) { + $this->addError('Could not load public key'); + } + + try { + // Check the signature + if (!$objDSig->verify($objKey)) { $this->addError("Invalid signature"); } + // else, the signature is valid } catch (Exception $e) { $this->addError($e->getMessage()); }
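Review bot: In the last try block `$objDSig->verify($objKey)` runs even when `loadKey()` in the block before it threw, so a missing or unreadable key file leaves `$objKey` undefined and the call fails with a PHP Error that `catch (Exception $e)` does not catch; the same fall-through applies to `locateSignature($doc)`, which as far as I recall returns null rather than throwing when the payload has no `<Signature>` element, and to `$doc->load()`, whose false return on malformed input is ignored. Each of these failures should end validation instead of continuing into the next step, and since `$data` is the raw, untrusted webhook body it is better parsed straight from the string with `loadXML($data, LIBXML_NONET)` under `libxml_use_internal_errors(true)` than written to a `tmpfile()` and re-read by path. The rewritten lines are below; the early returns assume the tail of `validate()`, which continues past this hunk, ends with `return $this;`, and they mean the first failure is reported rather than every failure being accumulated. Separately, the key is built with a hard-coded `XMLSecurityKey::RSA_SHA256` while the document's `SignatureMethod` is never compared against it, so I would leave `// NOTE(review): confirm xmlseclibs rejects a SignatureMethod that differs from the key's algorithm, or check the Algorithm attribute explicitly` on the key construction until that is verified.

```php
// … unchanged: $public_key_file_path …
$doc = new DOMDocument();
$previous = libxml_use_internal_errors(true);
$parsed = $data !== '' && $doc->loadXML($data, LIBXML_NONET);
libxml_clear_errors();
libxml_use_internal_errors($previous);
if (!$parsed) {
    $this->addError('Could not parse XML');
    return $this;
}

$objDSig = new XMLSecurityDSig();
if ($objDSig->locateSignature($doc) === null) {
    $this->addError('No signature found');
    return $this;
}

try {
    $objDSig->canonicalizeSignedInfo();
    $objDSig->validateReference();
} catch (Exception $e) {
    $this->addError('Reference Validation Failed: ' . $e->getMessage());
    return $this;
}

try {
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
    $objKey->loadKey($public_key_file_path, true);
} catch (Exception $e) {
    $this->addError('Could not load public key');
    return $this;
}
// … unchanged: verify() call and its catch …
```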