我正在尝试在 API 中实现 HTTP 签名以连接到 EWP 网络(Erasmus Without Paper)。我有一个工作数据示例,我正在尝试使用该数据进行测试,但我无法验证 HTTP 签名。
随着请求中的
keyId这是我从示例中得到的:
Header:
Authorization: Signature keyId="2bc25340265c0331632c2bc7d82cabdf3a6ebba0a8cc6435b401d62dd2c7daea",signature="dlpL2OjVMZi4bqFnVtvc8Z6qqOvdmb6g/P42PQrP6w5+/mxF1S9COx7CkRAMi+6KdH0XGdgT4G0Vi85VVI7vSoYgvVCSgBeyFyfP7HwYROEhd1QgM9VgV001wXvDNJbvTOXh2S+1IAP/8YwIM3RQOg64ZRJEMUEWf91VczjTXC9sElGK4jP0AAbsg727cE/b8LeOH25vl6tzyypDFaCCA3MAgdF2+fNdNG9gr0OKa5ia7Dums1aXKmcqhOaWTiiS7vTYhnwBS7BlQMnrDF6kOtVQomVDB11vfEKvmgkXIXxRvpHMTG6+7F32DCu3imS2wIjJccQSglyFFJ4/qjnNKA==",headers="(request-target) date digest host x-request-id",algorithm="rsa-sha256"
Date: Fri, 30 Oct 2020 14:19:18 GMT
Digest: "SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="
Host: "sga-mobilidadenet.ua.pt"
X-Request-Id: "76092379-75d1-462d-b7b7-af6a87b000bd"
Url used is sga-mobilidadenet.ua.pt/mobilidadenet/ewp/ewpstage/echo?echo=a&echo=b&echo=a
我从其他API得到的公钥是
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA67WEK5VlMUFC0wdLmTV4TyeDwA1U4NV5GvL/x29ujKY0/tWSoqwRPvIyhQ6h2M3MQpaLIb4PQsRzh299KaCNQ799+0HH7KMTZMN5AwoSw4y5RS6ImhlwRm4N4yDoekQgQuXTaPLEfYBURPrTJ8/V2Wb6yW8LgfPknESNglRkprhFKOoWJzlv00rzCO7QZSdXh5LYU0TYOlj+WrfoCM8xODOQqCJsnS7grY7YNtR08qB2fo7UEYXrUw8aoe5ZZZeKv1b5M1+ZDR1aAHZRhMbPyp7JIRxW5fAT/ZDxUHv8lfOksgnF+AXHSGFdvteEbSJHrfOnMiUScBil306/VeSVXQIDAQAB
(有空格和线闸,但我把它们过滤掉了?)
我需要在我的 API 中做的是检查授权标头中的签名是否正确以及摘要是否是正确的哈希。
我用来测试的代码是这样的:
private void test()
{
//(request-target) date digest host x-request-id
string dataForSign = "(request-target): " + "get /mobilidadenet/ewp/ewpstage/echo?echo=a&echo=b&echo=a" + "\n" ;
dataForSign += "date: " + "Fri, 30 Oct 2020 14:19:18 GMT" + "\n";
dataForSign += "digest: " + "SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" + "\n";
dataForSign += "host: " + "sga-mobilidadenet.ua.pt" + "\n";
dataForSign += "x-request-id: " + "76092379-75d1-462d-b7b7-af6a87b000bd";
string signature = "dlpL2OjVMZi4bqFnVtvc8Z6qqOvdmb6g/P42PQrP6w5+/mxF1S9COx7CkRAMi+6KdH0XGdgT4G0Vi85VVI7vSoYgvVCSgBeyFyfP7HwYROEhd1QgM9VgV001wXvDNJbvTOXh2S+1IAP/8YwIM3RQOg64ZRJEMUEWf91VczjTXC9sElGK4jP0AAbsg727cE/b8LeOH25vl6tzyypDFaCCA3MAgdF2+fNdNG9gr0OKa5ia7Dums1aXKmcqhOaWTiiS7vTYhnwBS7BlQMnrDF6kOtVQomVDB11vfEKvmgkXIXxRvpHMTG6+7F32DCu3imS2wIjJccQSglyFFJ4/qjnNKA==";
string publicKey =
"<RSAKeyValue><Modulus>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA67WEK5VlMUFC0wdLmTV4TyeDwA1U4NV5GvL/x29ujKY0/tWSoqwRPvIyhQ6h2M3MQpaLIb4PQsRzh299KaCNQ799+0HH7KMTZMN5AwoSw4y5RS6ImhlwRm4N4yDoekQgQuXTaPLEfYBURPrTJ8/V2Wb6yW8LgfPknESNglRkprhFKOoWJzlv00rzCO7QZSdXh5LYU0TYOlj+WrfoCM8xODOQqCJsnS7grY7YNtR08qB2fo7UEYXrUw8aoe5ZZZeKv1b5M1+ZDR1aAHZRhMbPyp7JIRxW5fAT/ZDxUHv8lfOksgnF+AXHSGFdvteEbSJHrfOnMiUScBil306/VeSVXQIDAQAB</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>";
byte[] dataForSignAsBytes = Encoding.UTF8.GetBytes(dataForSign);
byte[] signatureEncoded = Convert.FromBase64String(signature);
RSACryptoServiceProvider rsaCryptoServiceProvider = new RSACryptoServiceProvider();
rsaCryptoServiceProvider.FromXmlString(publicKey);
var hashData = SHA256.Create().ComputeHash(dataForSignAsBytes);
var result1 = rsaCryptoServiceProvider.VerifyData(dataForSignAsBytes, CryptoConfig.MapNameToOID("SHA256"), signatureEncoded);
var result2 = rsaCryptoServiceProvider.VerifyHash(hashData, CryptoConfig.MapNameToOID("SHA256"), signatureEncoded);
Console.WriteLine(result1);
Console.WriteLine(result2);
}
两个结果都是假的...
我真的坚持这个,感觉我离解决方案只有一些改变,但只要它不起作用,我就被困住了......任何帮助将不胜感激,因为我没有经验使用 HTTP 签名或 RSA-SHA256...