@onetdev
Created October 22, 2020 13:26
<?php
// Demo key pair only. Generate YOUR OWN KEY and never reuse this one:
// a private key that has been published in source code is known to everyone,
// so anyone can produce signatures that verify against the matching public key.
// In a real deployment keep the private key out of the repository and the web
// root (key file with restrictive permissions or a secret store) and load it
// at runtime; only the signing side needs it.
$private_key = <<<EOD
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
EOD;
// Public half of the pair, used only for verification; this part may be shared.
// NOTE(review): the DER header of this key ("MIGfMA0G...") corresponds to a
// 1024-bit RSA modulus, which is below the 2048-bit minimum generally
// recommended today. Use at least 2048 bits for a real key.
$public_key = <<<EOD
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCt6aDJvKu1lMOWwHE8tNRg1IV0
edwEdqxweMM11Vh+jL9oWKZKOlBgRHi2qxTng7JuYu01onIdvX/zaEOvvDJhDjOQ
5MtP0e7+nzqkY7P0ttP80+oHr0yVzyYcV1j7fjJsWfJ0IK/B2VHg2Zm3m/8blyQa
5twFvOoCPvHRfpPDKwIDAQAB
-----END PUBLIC KEY-----
EOD;
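// The data payload that we want to protect against tampering.
$data = "666";
// Receives the raw (binary) signature; openssl_sign() fills it by reference.
$binary_signature = "";
// Create the signature with the PRIVATE key.
// SHA-256 is used here and in openssl_verify() below instead of SHA-1: SHA-1 is
// no longer collision resistant and is rejected for signatures by some OpenSSL
// policies. Both calls must name the same digest, so signatures produced with
// the previous SHA-1 setting will not verify any more.
if (!openssl_sign($data, $binary_signature, $private_key, OPENSSL_ALGO_SHA256)) {
    // Do not render a form with an empty signature; report the failure instead.
    http_response_code(500);
    echo "SSL error: \n";
    while ($error = openssl_error_string()) {
        echo $error . "\n";
    }
    exit;
}

// Capture POST requests and validate payload + signature with the PUBLIC key.
// The binary signature travels base64-encoded because raw bytes do not survive
// an HTML text field. There are better transports; this is the quickest for a test.
//
// Caveat: a valid signature only proves that the payload was signed by the key
// holder at some point. It does not stop a captured payload/signature pair from
// being submitted again; bind the payload to a session, nonce or expiry if
// replay matters for your use case.
$posted_data = $_POST['secure_data'] ?? null;
$posted_signature = $_POST['secure_data_signature'] ?? null;

// is_string() rejects missing and array-shaped fields, which would otherwise
// raise warnings or a TypeError; comparing against '' instead of relying on
// truthiness keeps a payload of "0" verifiable.
if (
    is_string($posted_data) && $posted_data !== ''
    && is_string($posted_signature) && $posted_signature !== ''
) {
    // Strict mode returns false on characters outside the base64 alphabet
    // instead of silently skipping them.
    $decoded_signature = base64_decode($posted_signature, true);

    // A signature that is not valid base64 can never verify: treat it as a
    // mismatch (0) rather than handing garbage to OpenSSL.
    $result = $decoded_signature === false
        ? 0
        : openssl_verify(
            $posted_data,
            $decoded_signature,
            $public_key,
            OPENSSL_ALGO_SHA256,
        );

    // openssl_verify() yields 1 (valid), 0 (invalid) or -1/false (error).
    // Strict comparison keeps `false` out of the "invalid signature" branch;
    // only an exact 1 is ever treated as success.
    if ($result === 1) {
        echo "Payload and signature verifies.\n";
    } elseif ($result === 0) {
        echo "Cannot verify payload and signature.\n";
    } else {
        // Demo convenience: in production, log these instead of echoing them.
        echo "SSL error: \n";
        while ($error = openssl_error_string()) {
            echo $error . "\n";
        }
    }
    echo '<br><a href="?">Back to the form</a>';
    exit;
}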
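// Render the form, pre-filled with the payload and its base64-encoded signature.
// Both values are escaped for the HTML attribute context so the template stays
// safe if $data ever stops being a fixed literal. The fields are plain text
// inputs on purpose: editing either one should make verification fail.
?><!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Spoof protection</title>
    <style>
        input { width: 100%;}
    </style>
</head>
<body>
    <form method="post">
        <input type="text" name="secure_data" value="<?= htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"><br>
        <input type="text" name="secure_data_signature" value="<?= htmlspecialchars(base64_encode($binary_signature), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>">
        <input type="submit">
    </form>
</body>
</html>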