我有一个API,他在请求头(X-Signature(中发送签名:
标头的值是带有请求主体的RSA签名的SHA256。
围绕webhook的文档中有一个关于如何验证的示例:
bool Verify(string publicKey, string payload, string signature)
{
var key = (ICipherParameters)new PemReader(new StringReader(publicKey)).ReadObject();
var buffer = Encoding.UTF8.GetBytes(payload);
var signer = SignerUtilities.GetSigner("SHA256withRSA");
signer.Init(false, key);
signer.BlockUpdate(buffer, 0, buffer.Length);
return signer.VerifySignature(Convert.FromBase64String(signature));
}
不过,我正在尝试使用PHP/Laravel验证webhook。这是我的代码:
public function isValid(Request $request) : bool
{
$signature = $request->header('X-Signature');
if (! $signature) {
return false;
}
$signingSecret = ""-----BEGIN PUBLIC KEY-----rnMIIBIjAN......";
$computedSignature = hash_hmac('sha256', $request->getContent(), $signingSecret);
return hash_equals($signature, $computedSignature);
}
上面的isValid()函数在我尝试发出的每个请求上都返回false。
这是输出$request->all():
"webhookType": "test" ,
"companyId": "8628731d-ddb5-4c8f-82b1-823734962c1e" ,
"documentId": "3807f10a-9eeb-4818-a935-c8990bd50f71"
X-Signature确实在请求中:
"X-signature": "IY/QvzSDyV...."
有人能帮我做错事吗?
我最终使用了openssl:
public function isValid(Request $request, WebhookConfig $config): bool
{
$signature = $request->header('X-Signature');
if (! $signature) {
return false;
}
$publicKey = "...";
if (!$publicKey) {
return false;
}
$payload = $request->getContent();
$signature = base64_decode($signature);
$publicKey = openssl_pkey_get_public($publicKey);
$result = openssl_verify($payload, $signature, $publicKey, OPENSSL_ALGO_SHA256);
if ($result === 1) {
return true;
}
return false;
}