magdev/wc-licensed-product
1
Fork 0
Code Issues Pull Requests Actions Releases 4 Activity

Fix critical signature compatibility with client library (v0.5.5)

Browse Source 
CRITICAL: Key derivation now uses native hash_hkdf() for RFC 5869
compliance. Previous custom implementation was incompatible with
the magdev/wc-licensed-product-client library.

Changes:
- ResponseSigner::deriveCustomerSecret() now uses hash_hkdf()
- Added missing domain validation to /activate endpoint
- Customer secrets will change after upgrade (breaking change)

The signature algorithm now matches the client's ResponseSignature::deriveKey():
- IKM: server_secret
- Length: 32 bytes
- Info: license_key

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Marco Grätsch
2026-01-26 17:06:18 +01:00
parent ae49b262fa
commit 0b58de193e
5 changed files with 64 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
CLAUDE.md
View File

@@ -1406,3 +1406,34 @@ Bug fix release aligning server implementation with client documentation at `mag
- New `getStatusCodeForResult()` method maps error codes to HTTP status codes
- License key validation callback added to all three endpoints (validate, status, activate)
- Uses PHP 8 match expression for status code mapping
### 2026-01-26 - Version 0.5.5 - Critical Signature Fix
**Overview:**
Critical bug fix for response signing. The key derivation algorithm was incompatible with the client library, causing signature verification failures.
**Critical Fix:**
- Key derivation now uses PHP's native `hash_hkdf()` function per RFC 5869
- Previous custom implementation produced different keys than the client library
- Signatures now verify correctly with `magdev/wc-licensed-product-client`
**Additional Fix:**
- Added missing domain validation to `/activate` endpoint (1-255 characters)
**Modified files:**
- `src/Api/ResponseSigner.php` - Fixed key derivation to use `hash_hkdf()`
- `src/Api/RestApiController.php` - Added domain validation to `/activate` endpoint
**Technical notes:**
- Old implementation: `hash_hmac('sha256', $prk . "\x01", $serverSecret)` - custom HKDF-like
- New implementation: `bin2hex(hash_hkdf('sha256', $serverSecret, 32, $licenseKey))` - RFC 5869
- Parameters match client's `ResponseSignature::deriveKey()` exactly:
- IKM (input keying material): server_secret
- Length: 32 bytes (256 bits)
- Info: license_key (context-specific info)
- **Breaking change for existing signatures** - customer secrets will change after upgrade