fix: Use starkbank/ecdsa 2.1.0 (#1111)

simoheinonen · tiwarishubham635 · web-flow · commit bbc26aa5b8e0 · 2024-11-25T12:06:13.000+05:30
* Use starkbank/ecdsa 2

* Add gmp to CI

* Require gmp here as well

* Install gmp in docker

---------

Co-authored-by: Shubham &lt;tiwarishubham635@gmail.com&gt;
diff --git a/.github/workflows/test-and-deploy.yml b/.github/workflows/test-and-deploy.yml
@@ -52,6 +52,7 @@ jobs:
         uses: shivammathur/setup-php@2.15.0
         with:
           php-version: '8.1'
+          extensions: gmp
         id: php
 
       - name: Build Release Artifacts
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,9 @@ ARG version=latest
 FROM php:$version
 
 RUN apt-get update \
-    && apt-get install -y zip
+    && apt-get install -y zip \
+    && apt-get install -y libgmp-dev \
+    && docker-php-ext-install gmp
 
 RUN curl -s https://getcomposer.org/installer | php \
     && mv composer.phar /usr/local/bin/composer
diff --git a/composer.json b/composer.json
@@ -15,11 +15,12 @@
   "require": {
     "php": ">=7.3",
     "sendgrid/php-http-client": "~4.1",
-    "starkbank/ecdsa": "0.*",
+    "starkbank/ecdsa": "^2.1.0",
     "ext-curl": "*",
     "ext-json": "*",
     "ext-mbstring": "*",
-    "ext-openssl": "*"
+    "ext-openssl": "*",
+    "ext-gmp": "*"
   },
   "require-dev": {
     "phpunit/phpunit": "^9",
diff --git a/lib/eventwebhook/EventWebhook.php b/lib/eventwebhook/EventWebhook.php
@@ -5,6 +5,7 @@
 use EllipticCurve\Ecdsa;
 use EllipticCurve\PublicKey;
 use EllipticCurve\Signature;
+use EllipticCurve\Utils\Binary;
 
 /**
  * This class allows you to use the Event Webhook feature. Read the docs for
@@ -22,7 +23,7 @@ class EventWebhook
      */
     public function convertPublicKeyToECDSA($publicKey)
     {
-        return PublicKey::fromString($publicKey);
+        return PublicKey::fromDer(Binary::byteStringFromBase64($publicKey));
     }
 
     /**
diff --git a/test/unit/EventWebhookTest.php b/test/unit/EventWebhookTest.php
@@ -14,6 +14,7 @@ class EventWebhookTest extends TestCase
 {
     private static $PUBLIC_KEY;
     private static $SIGNATURE;
+    private static $BAD_SIGNATURE;
     private static $TIMESTAMP;
     private static $PAYLOAD;
 
@@ -23,6 +24,8 @@ public static function setUpBeforeClass(): void
         IW4mdBgQ/7dAfSmpqIM8kF9mN1flpVKS3GRqe62gw+2fNNRaINXvVpiglSI8eNEc6wEA3F+g==';
         self::$SIGNATURE = 'MEUCIGHQVtGj+Y3LkG9fLcxf3qfI10QysgDWmMOVmxG0u6ZUAiE
         AyBiXDWzM+uOe5W0JuG+luQAbPIqHh89M15TluLtEZtM=';
+        self::$BAD_SIGNATURE = 'BADSIGNATURE+Y3LkG9fLcxf3qfI10QysgDWmMOVmxG0u6ZUAiE
+        AyBiXDWzM+uOe5W0JuG+luQAbPIqHh89M15TluLtEZtM=';
         self::$TIMESTAMP = '1600112502';
         self::$PAYLOAD = \json_encode(
                 [
@@ -81,7 +84,7 @@ public function testBadSignature()
         $isValidSignature = $this->verify(
             self::$PUBLIC_KEY,
             self::$PAYLOAD,
-            'signature',
+            self::$BAD_SIGNATURE,
             self::$TIMESTAMP
         );
 

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`use EllipticCurve\Ecdsa;`
`6`	`6`	`use EllipticCurve\PublicKey;`
`7`	`7`	`use EllipticCurve\Signature;`
	`8`	`+use EllipticCurve\Utils\Binary;`
`8`	`9`
`9`	`10`	`/**`
`10`	`11`	`* This class allows you to use the Event Webhook feature. Read the docs for`
`@@ -22,7 +23,7 @@ class EventWebhook`
`22`	`23`	`*/`
`23`	`24`	`public function convertPublicKeyToECDSA($publicKey)`
`24`	`25`	`{`
`25`		`- return PublicKey::fromString($publicKey);`
	`26`	`+ return PublicKey::fromDer(Binary::byteStringFromBase64($publicKey));`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`/**`