"Poor Man’s" PHP certificate cache
September 2nd, 2008 | Published in Google OpenSocial
Hi, I'm Johannes Fahrenkrug, a freelance software developer and security consultant. When working with the OpenSocial API on one of my client's PHP servers, I wanted to be able to validate signed requests without including the text of the container's public key directly in my code.
PHP doesn't offer a store for certificates, so I wrote a small article about caching a public RSA certificate in the server's filesystem. In the article, I describe the code for a PHP class that simply lets you drop the public certificate files for different social networks into a directory on disk and easily access them. The keys are indexed using the xoauth_signature_publickey parameter of an OpenSocial OAuth signed request, so you'll be able to tell if a request comes from a container which you don't have a public key for, or if an existing container's certificate has changed. New certificates simply have to be dropped into the appropriate directory. That's it.
By being able to switch keys easily, you can handle signed makeRequest calls from different containers, all in the same server side code. For example, this allows a user on orkut or hi5 to access the same application database backend.
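As an added illustration (not the code from the article), here is a small PHP store in the same spirit: certificates live as `<keyId>.pem` files in one directory, are looked up by the request's `xoauth_signature_publickey` value, and an unknown or malformed key id is refused before any signature check. The class name, directory layout and whitelist are assumptions; the demo generates a throwaway key pair so it runs without a real container certificate.

```php
<?php
// Filesystem-backed store for container public keys (assumed design, not the article's code).
class PublicKeyStore
{
    private $dir;

    public function __construct($dir) { $this->dir = rtrim($dir, '/'); }

    // Map xoauth_signature_publickey to <dir>/<keyId>.pem. The key id arrives in the
    // request, so it is whitelisted to keep it from escaping the certificate directory.
    public function getPublicKey($keyId)
    {
        if (!preg_match('/^[A-Za-z0-9._-]{1,128}$/', $keyId)) {
            return null;                       // malformed key id
        }
        $path = $this->dir . '/' . $keyId . '.pem';
        if (!is_file($path)) {
            return null;                       // unknown container, or its key has rotated
        }
        $key = openssl_pkey_get_public(file_get_contents($path)); // accepts a cert or bare key
        return $key === false ? null : $key;
    }
}

// RSA-SHA1 check of the OAuth signature base string, the scheme OpenSocial containers use.
function verifySignedRequest(PublicKeyStore $store, $keyId, $baseString, $signatureB64)
{
    $key = $store->getPublicKey($keyId);
    if ($key === null) {
        return false;
    }
    $sig = base64_decode($signatureB64, true);
    return $sig !== false && openssl_verify($baseString, $sig, $key, OPENSSL_ALGO_SHA1) === 1;
}

// Demo: drop a freshly generated public key into a temp directory under a constructed
// key id, sign a constructed base string with the matching private key, and verify it.
$dir = sys_get_temp_dir() . '/certcache-' . getmypid();
mkdir($dir, 0700);
$pair = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
file_put_contents($dir . '/example.container.key1.pem', openssl_pkey_get_details($pair)['key']);
$base = 'GET&http%3A%2F%2Fexample.com%2Fapp&oauth_consumer_key%3Dexample.org'; // constructed
openssl_sign($base, $sig, $pair, OPENSSL_ALGO_SHA1);
$store = new PublicKeyStore($dir);
var_dump(verifySignedRequest($store, 'example.container.key1', $base, base64_encode($sig))); // true
var_dump(verifySignedRequest($store, 'unknown-container', $base, base64_encode($sig)));      // false
var_dump(verifySignedRequest($store, '../etc/passwd', $base, base64_encode($sig)));          // false
```

A container whose certificate has changed shows up the same way as an unknown one: the lookup under the new key id fails until the new file is dropped into the directory.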