使用 PHP 和 gree/jose 库验证来自签名的 webhook
[英]Verify webhook from signature using PHP with gree/jose library
问题描述
I'm trying to follow the 3rd party documentation for verifying a webhook body using the Signature header -- the 3rd party will be referred to as 3P going forward).
我正在尝试遵循第 3 方文档以使用Signature标头验证 webhook 主体——第 3 方将被称为 3P。
3P offered a sample Kotlin implementation using a java library . 3P 提供了一个使用 Java 库的示例 Kotlin 实现。 I am using PHP and decided to try gree/jose as my library.我正在使用 PHP 并决定尝试使用gree/jose作为我的库。
As a sanity check, I've copied their sample data into my implementation, but I am still getting a false outcome.作为健全性检查,我已将他们的示例数据复制到我的实现中,但我仍然得到错误的结果。
$signature = '1IJl6VyKU4pYfqMHUd55QBNq5Etbz5a7DOCkID2Nloay76y4f02w2iMXONlyL/Bx9SkrbivOHW1l1XadkUrd5pKUK1fhpcnItukLrsK5ADQOcuEjSLBg9qJffZYooXfc7hOD/fV0sN33W2vBYJspbR3P766DwG/6IO/20f9t/DcSWa79EFZPMnsCicEArNS3iIYBtdZSX5ta5EETt7S8acHbpIlSDrTcYpo0vuz19LQ6SPQqN2LGdR+U7ZOiUQWdfMXhUgE7w94pHQzcOq1IHfw3CylUEcRR/DhrGqs4mBaagO6JpWzeqE1uTAiN579kOtSSqjblTb2AXALTQ3+TtA=='; // taken from "Signature" in headers
$payload = '{"eventId":"569886904","officeId":"132917981","eventType":"INTEGRATION_DEACTIVATED","event":{"integration":{"status":"INACTIVE","webhookId":"2bc47eed-08a0-4d18-a5c0-b7f18ab802e3","officeId":"132917981","createdDateTime":"2020-03-17T23:39:41.804Z","lastUpdatedDateTime":"2020-03-17T23:39:41.804Z"}},"createdDateTime":"2020-03-17T23:39:41.806Z"}'; // this is the body of the request sent to my application
$components = [
'kty' => 'RSA',
'e' => 'AQAB',
'n' => 'ANV-aocctqt5xDRnqomCgsO9dm4hM0Qd75TqG7z2G5Z89JQ7SRy2ok-fIJRiSU5-JfjPc3uph3gSOXyqlNoEh4YGL2R4AP7jhxy9xv0gDVtj1tExB_mmk8EUbmj8hTIrfAgEJrDeB4qMk7MkkKxhHkhLNEJEPZfgYHcHcuKjp2l_vtpiuR9Ouz0febB9K4gLozrp9KHW2K-m0z02-tSurxmmij5nnJ-CEgp0wXcCS4w4G0jve4hcLlL9FU8HKxrb0d4rMQgM3VAal6yG5pwMdtrsch7xA-occwWFC_tHgpDJGNvOJNFtuk7Cit_aom-6U6ssGF13sUtdrog2ePWjVxc=',
'kid' => '2020-03-18',
'alg' => 'RSA256',
]; // the $components array values are sourced by a separate API call to the 3P
$rsa = JOSE_JWK::decode($components); // => phpseclib\Crypt\RSA instance
$publicKey = $rsa->createKey()['publickey']; // this appears to work perfectly
$rsa->loadKey($publicKey);
var_dump($rsa->verify($payload, $rsa->sign($signature))); // bool(false)
I've been floundering with this piece of software for over 2 days now and I feel like I've tried ~100 different things ( some proof ).我已经在这个软件上挣扎了 2 天多了,我觉得我已经尝试了大约 100 种不同的东西(一些证据)。 I've even tried partially abandoning the gree/jose library.我什至尝试过部分放弃 gree/jose 库。 Ultimately, I just need a working solution (regardless of if it is repairing this implementation or entertaining a different implementation/library).最终,我只需要一个可行的解决方案(无论是修复此实现还是娱乐不同的实现/库)。
I feel like I am probably missing a step (or two) in preparing my strings prior to calling verify() , but I am too unfamiliar with this process to identify it myself.我觉得在调用verify()之前我可能错过了准备字符串的一个(或两个)步骤,但我对这个过程太陌生而无法自己识别它。 Of course, verify() doesn't indicate if I'm getting hotter or colder .当然, verify()并不表示我是变得更热还是更冷。
Places I've been:我去过的地方:
- How to convert C# RSA to php?如何将 C# RSA 转换为 php?
- RSA signature verification in php not working when signed from c# code从 c# 代码签名时,php 中的 RSA 签名验证不起作用
- https://hotexamples.com/examples/-/-/openssl_verify/php-openssl_verify-function-examples.html https://hotexamples.com/examples/-/-/openssl_verify/php-openssl_verify-function-examples.html
- https://www.php.net/manual/en/function.openssl-verify.php https://www.php.net/manual/en/function.openssl-verify.php
- https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/RSA_(加密系统)
- Signing JSON objects签署 JSON 对象
- https://tools.ietf.org/id/draft-ietf-jose-json-web-signature-09.html https://tools.ietf.org/id/draft-ietf-jose-json-web-signature-09.html
- https://hotexamples.com/examples/phpseclib.crypt/RSA/verify/php-rsa-verify-method-examples.html https://hotexamples.com/examples/phpseclib.crypt/RSA/verify/php-rsa-verify-method-examples.html
- https://github.com/nov/jose-php https://github.com/nov/jose-php
1 个解决方案
解决方案1
0 2021-10-20 03:28:12
RS256 in Java means RSASSA-PKCS1-v1_5 using SHA-256 RS256在Java中是指使用SHA-256 RSASSA-PKCS1-v1_5中
$signature = '1IJl6VyKU4pYfqMHUd55QBNq5Etbz5a7DOCkID2Nloay76y4f02w2iMXONlyL/Bx9SkrbivOHW1l1XadkUrd5pKUK1fhpcnItukLrsK5ADQOcuEjSLBg9qJffZYooXfc7hOD/fV0sN33W2vBYJspbR3P766DwG/6IO/20f9t/DcSWa79EFZPMnsCicEArNS3iIYBtdZSX5ta5EETt7S8acHbpIlSDrTcYpo0vuz19LQ6SPQqN2LGdR+U7ZOiUQWdfMXhUgE7w94pHQzcOq1IHfw3CylUEcRR/DhrGqs4mBaagO6JpWzeqE1uTAiN579kOtSSqjblTb2AXALTQ3+TtA=='; // taken from "Signature" in headers
$payload = '{"eventId":"569886904","officeId":"132917981","eventType":"INTEGRATION_DEACTIVATED","event":{"integration":{"status":"INACTIVE","webhookId":"2bc47eed-08a0-4d18-a5c0-b7f18ab802e3","officeId":"132917981","createdDateTime":"2020-03-17T23:39:41.804Z","lastUpdatedDateTime":"2020-03-17T23:39:41.804Z"}},"createdDateTime":"2020-03-17T23:39:41.806Z"}'; // this is the body of the request sent to my application
$components = [
'kty' => 'RSA',
'e' => 'AQAB',
'n' => 'ANV-aocctqt5xDRnqomCgsO9dm4hM0Qd75TqG7z2G5Z89JQ7SRy2ok-fIJRiSU5-JfjPc3uph3gSOXyqlNoEh4YGL2R4AP7jhxy9xv0gDVtj1tExB_mmk8EUbmj8hTIrfAgEJrDeB4qMk7MkkKxhHkhLNEJEPZfgYHcHcuKjp2l_vtpiuR9Ouz0febB9K4gLozrp9KHW2K-m0z02-tSurxmmij5nnJ-CEgp0wXcCS4w4G0jve4hcLlL9FU8HKxrb0d4rMQgM3VAal6yG5pwMdtrsch7xA-occwWFC_tHgpDJGNvOJNFtuk7Cit_aom-6U6ssGF13sUtdrog2ePWjVxc=',
'kid' => '2020-03-18',
'alg' => 'RSA256',
]; // the $components array values are sourced by a separate API call to the 3P
$rsa = JOSE_JWK::decode($components); // => phpseclib\Crypt\RSA instance
$rsa->setHash('sha256');
var_dump($rsa->_rsassa_pkcs1_v1_5_verify($payload, JOSE_URLSafeBase64::decode($signature)));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.