From f74a91963e285c28766c451b9c33880361b581a6 Mon Sep 17 00:00:00 2001 From: netkas Date: Mon, 3 Feb 2025 13:38:41 -0500 Subject: [PATCH] Made message signing in Cryptography use SHA512 as the message content for signatures rather than the message content itself to allow for simplified verification in the future --- src/Socialbox/Classes/Cryptography.php | 64 +++++++++++++++++++------- 1 file changed, 47 insertions(+), 17 deletions(-) diff --git a/src/Socialbox/Classes/Cryptography.php b/src/Socialbox/Classes/Cryptography.php index d4337a9..b7b6e2c 100644 --- a/src/Socialbox/Classes/Cryptography.php +++ b/src/Socialbox/Classes/Cryptography.php @@ -297,20 +297,32 @@ * @return string The base64-encoded digital signature. * @throws CryptographyException If the message or private key is invalid, or if signing fails. */ - public static function signMessage(string $message, string $privateKey): string + public static function signMessage(string $message, string $privateKey, bool $hash=true): string { + if (empty($message)) + { + throw new CryptographyException("Empty message provided"); + } + + if (empty($privateKey)) + { + throw new CryptographyException("Empty private key provided"); + } + + if($hash) + { + $message = hash('sha512', $message); + } + else + { + if(!self::validateSha512($message)) + { + throw new CryptographyException("Invalid SHA-512 hash provided"); + } + } + try { - if (empty($message)) - { - throw new CryptographyException("Empty message provided"); - } - - if (empty($privateKey)) - { - throw new CryptographyException("Empty private key provided"); - } - $privateKey = self::validateAndExtractKey($privateKey, self::KEY_TYPE_SIGNING); $decodedKey = sodium_base642bin($privateKey, self::BASE64_VARIANT, true); @@ -326,6 +338,11 @@ } catch (Exception $e) { + if($e instanceof CryptographyException) + { + throw $e; + } + throw new CryptographyException("Failed to sign message: " . $e->getMessage()); } } @@ -336,18 +353,31 @@ * @param string $message The original message that was signed. * @param string $signature The base64-encoded signature to be verified. * @param string $publicKey The base64-encoded public key used to verify the signature. + * @param bool $hash True to hash the message before verification, false to use the message directly. * @return bool True if the signature is valid; false otherwise. * @throws CryptographyException If any parameter is empty, if the public key or signature is invalid, or if the verification process fails. */ - public static function verifyMessage(string $message, string $signature, string $publicKey): bool + public static function verifyMessage(string $message, string $signature, string $publicKey, bool $hash=true): bool { + if (empty($message) || empty($signature) || empty($publicKey)) + { + throw new CryptographyException("Empty parameter(s) provided"); + } + + if($hash) + { + $message = hash('sha512', $message); + } + else + { + if(!self::validateSha512($message)) + { + throw new CryptographyException("Invalid SHA-512 hash provided"); + } + } + try { - if (empty($message) || empty($signature) || empty($publicKey)) - { - throw new CryptographyException("Empty parameter(s) provided"); - } - $publicKey = self::validateAndExtractKey($publicKey, self::KEY_TYPE_SIGNING); $decodedKey = sodium_base642bin($publicKey, self::BASE64_VARIANT, true); $decodedSignature = sodium_base642bin($signature, self::BASE64_VARIANT, true);