rivervanrain/http-signatures-php

Sign and verify PSR-7 HTTP messages with HMAC and RSA keys

Maintainers

Details

github.com/RiverVanRain/http-signatures-php

Source

Installs: 4

Dependents: 1

Suggesters: 0

Security: 0

Stars: 0

Watchers: 0

Forks: 34

pkg:composer/rivervanrain/http-signatures-php

dev-wzm 2025-01-17 12:08 UTC

Requires

MIT cc2652d9fa92fdb3bd65de52c63d9c0234ae2d89

  • Liam Dennehy <liam.woop@wiemax.net>
  • Paul Annesley <paul.woop@99designs.com>

httphttpssignaturesigningrsahmacsigneddigital signatureelectronic signature

This package is auto-updated.

Last update: 2025-10-17 13:47:20 UTC

README

Build Status Documentation Status

PHP implementation of Signing HTTP Messages draft specification; allowing cryptographic signing and verifying of PSR-7 messages.

Features

  • Sign HTTP Messages according to Signing HTTP Message draft IETF RFC version 10
  • Sign & verify messages using HMACs
  • Sign & verify messages with Asymmetric Keys:
    • RSA, DSA, EC
  • Add a Digest header, or automatically add the header while signing in a single operation
  • Verify a Digest header while verifying the signature

Complete documentation for this library can be found at Read The Docs

WARNING: Version 11 of this library incorporates phpseclib's ongoing work on their version 3.0 implementation. If there are any problems please log an issue, but as the library has not been stabilised or completely reviewed you are advised to proceed with caution, or remain at v10 of this library until phpseclib 3.0 is complete and the MAJOR version of this library is bumped.

Simple Usage

Add liamdennehy/http-signatures-php to your composer.json.

  • A message is assumed to be a PSR-7 compatible Request or Response.
  • A Context object is used to configure the signature parameters, and prepare the verifier functionality.
  • The signWithDigest function witll add a Digest header and digitally sign the message in a new Signature header.

Signing a PSR-7 request $message before sending:

  use HttpSignatures\Context;

  $context = new HttpSignatures\Context([
    'keys' => ['mykey' => file_get_contents('/path/to/privatekeyfile')],
    'algorithm' => 'rsa-sha256',
    'headers' => ['(request-target)', 'Date'],
  ]);

  $context->signer()->signWithDigest($message);

Complete documentation for this library for other ose cases can be found at Read The Docs

Contributing

Pull Requests are welcome, as are issue reports if you encounter any problems.

Note: Due to composer dependencies for the reference implementation composer install prior to local development is only posible on PHP 7.1, or by manually removing the incompatible dependencies using the command (wrapped for readability):

  composer remove --dev \
  nyholm/psr7 nyholm/psr7-server riswallsmith/buzz \
  endframework/zend-httphandlerrunner

License

HTTP Signatures PHP library is licensed under The MIT License (MIT).

Documentation of the library is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)

Details are in the LICENSE file