From d2587251a9b1b1d4d8f887fe079a3e0bbc017de8 Mon Sep 17 00:00:00 2001
From: Teddy Wing
Date: Sat, 10 Nov 2018 18:40:05 +0100
Subject: paddle::verify_signature(): Fix signature verification

I think I was doing it in the wrong direction. Previously, I had added the signature from the POST param to the verifier, and verified against the serialized params. Seems like I was instead supposed to add the serialized params to the verifier, and verify against the input signature. It works correctly now against a request from Paddle.
---
 license-generator/paddle/src/lib.rs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/license-generator/paddle/src/lib.rs b/license-generator/paddle/src/lib.rs
index d725efe..be10a76 100644
--- a/license-generator/paddle/src/lib.rs
+++ b/license-generator/paddle/src/lib.rs
@@ -36,11 +36,11 @@ where
 let rsa = Rsa::public_key_from_pem(pem)?;
 let pkey = PKey::from_rsa(rsa)?;
 let mut verifier = Verifier::new(MessageDigest::sha1(), &pkey)?;
- verifier.update(signature)?;
- let signature = php_serialize(params);
+ let digest = php_serialize(params);
+ verifier.update(digest.as_bytes())?;
- Ok(verifier.verify(signature.as_ref())?)
+ Ok(verifier.verify(signature)?)
 }
 fn php_serialize<'a, S, I>(pairs: I) -> String
-- 
cgit v1.2.3
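Review bot: The final line, `Ok(verifier.verify(signature)?)`, appears to report a non-matching signature as `Ok(false)` rather than as an error, so a caller that only tests for `Ok` or propagates with `?` would treat a forged webhook as accepted; the function's signature and return type are outside the hunk, so this is inferred from the `Ok(...)` wrapper. I would state the contract in a doc comment on the function, for example `/// Returns Ok(true) only when the signature matches; Ok(false) means the request must be rejected.` Because the previous version had the message and the signature swapped, a test that alters one parameter and expects `Ok(false)` would pin the direction of the check. The local `digest` holds the PHP-serialized parameters rather than a hash, so `let serialized = php_serialize(params);` would read more accurately next to `MessageDigest::sha1()`. Whether `signature` has already been base64-decoded into raw bytes before it reaches `verify` is not visible here and is worth confirming.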