magdev/wc-licensed-product
1
Fork 0
Code Issues Pull Requests Actions Releases 4 Activity

Fix critical signature compatibility with client library (v0.5.5)

Browse Source 
CRITICAL: Key derivation now uses native hash_hkdf() for RFC 5869
compliance. Previous custom implementation was incompatible with
the magdev/wc-licensed-product-client library.

Changes:
- ResponseSigner::deriveCustomerSecret() now uses hash_hkdf()
- Added missing domain validation to /activate endpoint
- Customer secrets will change after upgrade (breaking change)

The signature algorithm now matches the client's ResponseSignature::deriveKey():
- IKM: server_secret
- Length: 32 bytes
- Info: license_key

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Marco Grätsch
2026-01-26 17:06:18 +01:00
parent ae49b262fa
commit 0b58de193e
5 changed files with 64 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
CHANGELOG.md
View File

@@ -7,6 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [0.5.5] - 2026-01-26
### Fixed
- **CRITICAL:** Response signing key derivation now uses native `hash_hkdf()` for RFC 5869 compliance
- Key derivation now matches client library (`SecureLicenseClient`) exactly
- Added missing domain validation to `/activate` endpoint (1-255 characters)
### Changed
- `ResponseSigner::deriveCustomerSecret()` now uses `hash_hkdf('sha256', $serverSecret, 32, $licenseKey)`
- Previous custom HKDF-like implementation was incompatible with client library
### Security
- Signatures generated by server now verify correctly with `magdev/wc-licensed-product-client`
- All three API endpoints now have consistent parameter validation
## [0.5.4] - 2026-01-26
### Fixed