lithium\security\validation\FormSignature::_signature()

protected static method

Calculates the signature over the given data.

First derives a signing key from the secret key and the current date, then calculates the HMAC over the given data. This process is modelled after Amazon's Message Signature Version 4 but uses fewer key derivations, as we don't have more information at hand.

During key derivation the strings li3,1 and li3,1_form are inserted. The 1 denotes the version of our signature algorithm and should be raised when the algorithm is changed. Derivation is needed so that the secret key is not revealed.

Note: As the current date (year, month, day) is used to increase key security by limiting its lifetime, a possible side effect is that a signature doesn't verify if it is generated on day N and verified on day N+1.

Parameters

  • string $data

    The data to calculate the signature for.

Returns

string

The signature.

Source

	protected static function _signature($data) {
		$hash = static::$_classes['hash'];

		if (empty(static::$_secret)) {
			$message  = 'Form signature requires a secret key. ';
			$message .= 'Please see documentation on how to configure a key.';
			throw new ConfigException($message);
		}
		$key = 'li3,1' . static::$_secret;
		$key = $hash::calculate(date('YMD'), ['key' => $key, 'raw' => true]);
		$key = $hash::calculate('li3,1_form', ['key' => $key, 'raw' => true]);

		return $hash::calculate($data, ['key' => $key]);
	}
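
The derivation chain and the day-boundary caveat from the note above, as an added example that is not Lithium's own code. It assumes that Hash::calculate() with a 'key' option computes HMAC-SHA512 (hex unless 'raw' is set); deriveKey(), sign(), verify() and the one-day grace window are hypothetical names and behaviour, and the secret, payload and timestamps are constructed.

```php
<?php
// Added illustration, not Lithium code. Assumption: Hash::calculate() with a
// 'key' option is HMAC-SHA512, returning hex unless 'raw' => true.

function deriveKey(string $secret, string $dateStamp): string {
    // Step 1: bind the versioned secret to the date stamp (raw bytes out).
    $key = hash_hmac('sha512', $dateStamp, 'li3,1' . $secret, true);
    // Step 2: bind the intermediate key to its purpose (form signing).
    return hash_hmac('sha512', 'li3,1_form', $key, true);
}

function sign(string $data, string $secret, string $dateStamp): string {
    return hash_hmac('sha512', $data, deriveKey($secret, $dateStamp));
}

// Hypothetical verifier: accepts the stamp for "now" and for 24 hours
// earlier, so a form rendered just before midnight still verifies after it.
function verify(string $data, string $sig, string $secret, int $now): bool {
    foreach ([$now, $now - 86400] as $ts) {
        // Same format string as _signature(); in PHP's date() it expands to
        // 4-digit year, short month name, short weekday name (2024MarMon).
        $expected = sign($data, $secret, date('YMD', $ts));
        if (hash_equals($expected, $sig)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

date_default_timezone_set('UTC');
$secret    = 'constructed-secret-for-demo';   // constructed sample value
$data      = 'fields=title,body&locked=id';   // constructed sample payload
$rendered  = mktime(23, 59, 0, 3, 4, 2024);   // Mon 2024-03-04 23:59 UTC
$submitted = $rendered + 120;                 // Tue 2024-03-05 00:01 UTC

$sig = sign($data, $secret, date('YMD', $rendered));

// Strict check with only the submission day's key, as _signature() derives it.
$strict = hash_equals(sign($data, $secret, date('YMD', $submitted)), $sig);
var_dump($strict);
// Grace-window check over the same signature.
var_dump(verify($data, $sig, $secret, $submitted));
// Altered payload must fail regardless of the window.
var_dump(verify($data . '&role=admin', $sig, $secret, $submitted));
```

The strict check fails across midnight while the grace-window check passes; widening the window lengthens the effective lifetime of each derived key by the same amount.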