lithium\security\validation\FormSignature::_signature()
Calculates signature over given data.
Will first derive a signing key from the secret key and current date, then calculate the HMAC over given data. This process is modelled after Amazon's Message Signature Version 4 but uses fewer key derivations, as we don't have more information at hand.
During key derivation the strings "li3,1" and "li3,1_form" are inserted. The "1" denotes the version of our signature algorithm and should be raised when the algorithm is changed. Derivation is needed to not reveal the secret key.
Note: As the current date (year, month, day) is used to increase key security by limiting its lifetime, a possible side effect is that a signature doesn't verify if it is generated on day N and verified on day N+1.
Parameters
- string $data: The data to calculate the signature for.
Returns
string: The signature.
Source
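protected static function _signature($data) {
    $hash = static::$_classes['hash'];

    // Refuse to sign without a configured secret.
    if (empty(static::$_secret)) {
        $message = 'Form signature requires a secret key. ';
        $message .= 'Please see documentation on how to configure a key.';
        throw new ConfigException($message);
    }
    // Step 1: prefix the secret with the algorithm version marker.
    $key = 'li3,1' . static::$_secret;
    // Step 2: bind the key to the current date. PHP's 'YMD' format yields the
    // year, short month name and short weekday name, e.g. "2024MarTue".
    $key = $hash::calculate(date('YMD'), ['key' => $key, 'raw' => true]);
    // Step 3: scope the key to form signing.
    $key = $hash::calculate('li3,1_form', ['key' => $key, 'raw' => true]);

    // Sign the data with the derived key.
    return $hash::calculate($data, ['key' => $key]);
}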
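The date-bound derivation and the day N / day N+1 side effect from the note above, as an added stand-alone example that is not Lithium's own code. It assumes `hash_hmac()` with SHA-512 in place of the framework's hash class; the function names, the secret, the form data and the one-day grace option are hypothetical.

```php
<?php
// Added example, not Lithium's code. Assumption: hash_hmac() with SHA-512
// stands in for the framework's hash class. All values are constructed.

// Same three-step derivation as _signature(), with the clock injectable.
function deriveKey(string $secret, int $timestamp): string {
    $key = 'li3,1' . $secret;
    $key = hash_hmac('sha512', date('YMD', $timestamp), $key, true);
    return hash_hmac('sha512', 'li3,1_form', $key, true);
}

function sign(string $data, string $secret, int $timestamp): string {
    return hash_hmac('sha512', $data, deriveKey($secret, $timestamp));
}

// Hypothetical verifier: checks the key for "now" and, when $grace is set,
// also the key for the previous day. Comparison is constant-time.
function verify(string $data, string $sig, string $secret, int $now, bool $grace = false): bool {
    $times = $grace ? [$now, $now - 86400] : [$now];
    foreach ($times as $t) {
        if (hash_equals(sign($data, $secret, $t), $sig)) {
            return true;
        }
    }
    return false;
}

date_default_timezone_set('UTC');
$secret = 'constructed-secret-for-demo';
$data = 'constructed form field payload';
$rendered = gmmktime(23, 59, 0, 3, 5, 2024); // form rendered late on day N
$submitted = $rendered + 120;                // submitted just after midnight

$sig = sign($data, $secret, $rendered);
// Same day: the signature verifies.
var_dump(verify($data, $sig, $secret, $rendered));
// Across midnight: the derived key has changed, verification fails.
var_dump(verify($data, $sig, $secret, $submitted));
// Across midnight with the grace window: verifies against yesterday's key.
var_dump(verify($data, $sig, $secret, $submitted, true));
// Tampered data never verifies, grace window or not.
var_dump(verify($data . 'x', $sig, $secret, $submitted, true));
```

Accepting the previous day's key trades a longer effective key lifetime for fewer rejected submissions around midnight.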