Align client and server signature implementation

- Update server docs to use RFC 5869 hash_hkdf() for key derivation - Add recursive key sorting to client ResponseSignature - Ensures client and server produce matching signatures for nested objects Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 16:33:44 +01:00
parent 64d215cb26
commit 8062e1be77
2 changed files with 34 additions and 11 deletions
--- a/src/Security/ResponseSignature.php
+++ b/src/Security/ResponseSignature.php
@@ -129,11 +129,11 @@ final class ResponseSignature

    private function buildSignaturePayload(array $responseData, int $timestamp): string
    {
-        // Sort keys for consistent ordering
-        ksort($responseData);
+        // Sort keys recursively for consistent ordering (matches server implementation)
+        $sortedData = $this->sortKeysRecursive($responseData);

        // Create deterministic JSON representation
-        $jsonBody = json_encode($responseData, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+        $jsonBody = json_encode($sortedData, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);

        if ($jsonBody === false) {
            throw new \RuntimeException(
@@ -145,6 +145,22 @@ final class ResponseSignature
        return $timestamp . ':' . $jsonBody;
    }

+    /**
+     * Recursively sort array keys for consistent JSON output.
+     */
+    private function sortKeysRecursive(array $data): array
+    {
+        ksort($data);
+
+        foreach ($data as $key => $value) {
+            if (is_array($value)) {
+                $data[$key] = $this->sortKeysRecursive($value);
+            }
+        }
+
+        return $data;
+    }
+
    private function isTimestampValid(int $timestamp): bool
    {
        $now = time();