V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
cs5117155
V2EX  ›  PHP

使用 openssl_verify 签名校验 SHA256withRSA 的问题

  •  
  •   cs5117155 · 2021-06-05 18:31:28 +08:00 · 1912 次点击
    这是一个创建于 1300 天前的主题,其中的信息可能已经有所发展或是发生改变。

    我最近在做 paypal 支付,需要校验异步通知是否伪造的,根据校验规则是 To generate the signature, PayPal concatenates and separates these items with the pipe (|) character. To validate a signature, use this input string:

    这里有详细的参数校验规则

    https://developer.paypal.com/docs/api-basics/notifications/webhooks/notification-messages/

    原始数据如下

    Client_pid: 124700
    Content-Type: application/json
    Correlation-Id: 79c56327c8eb6
    Dfb0bc8d2e7022fa68259b0ae4e76bff: tag
    Paypal-Auth-Algo: SHA256withRSA
    Paypal-Auth-Version: v2
    Paypal-Cert-Url: https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-7a8abba8
    Paypal-Transmission-Id: c8defdc0-c51e-11eb-b07a-7921b31043db
    Paypal-Transmission-Sig: k4pSxwMwn8I5ZcUplN2s4HUtZTueQ39hvdj8a8ozzsSP9+moZnexuiu6jD/RXKe49F+JsRqlkAoIac71D47FztZsME+gogT28Wyj8vdOa7RHyxW1qmOsAkL+7POfqv+qJhLeivfjjABMBnTUptJTHEBjAJe/OgAbBjb5RSFI18HXHqToAlNJzhjsfqAf02AL2a1NZvfVItsZ8/mqWlu6pQPRLlbOFQ4EdE4CIWL4stIyRLvjfye07XM6JMtC/FCqG7fVRya7TbYskNInEianSjDY1xKlOs48KJwEmi2dMYC2WBjkuTnhw3oAKztGHd91sDTWwmZum6ToxAXIaZL0Zw==
    Paypal-Transmission-Time: 2021-06-04T10:22:37Z
    X-Daa-Tunnel: hop_count=1
    X-Forwarded-For: 173.0.80.116
    X-Forwarded-Proto: https
    X-Nws-Log-Uuid: 13526949154786814179
    X-Tencent-Ua: Qcloud
    Accept-Encoding: gzip
    
    {"id":"WH-9XW19278373474026-31R040160R341690F","event_version":"1.0","create_time":"2021-06-04T10:22:33.352Z","resource_type":"refund","resource_version":"2.0","event_type":"PAYMENT.CAPTURE.REFUNDED","summary":"A $ 30.0 USD capture payment was refunded","resource":{"seller_payable_breakdown":{"total_refunded_amount":{"value":"30.00","currency_code":"USD"},"paypal_fee":{"value":"1.02","currency_code":"USD"},"gross_amount":{"value":"30.00","currency_code":"USD"},"net_amount":{"value":"28.98","currency_code":"USD"}},"amount":{"value":"30.00","currency_code":"USD"},"update_time":"2021-06-04T03:22:06-07:00","create_time":"2021-06-04T03:22:06-07:00","invoice_id":"202106041822037167","links":[{"method":"GET","rel":"self","href":"https://api.sandbox.paypal.com/v2/payments/refunds/0VS41158VR447232A"},{"method":"GET","rel":"up","href":"https://api.sandbox.paypal.com/v2/payments/captures/7YH3814131008200K"}],"id":"0VS41158VR447232A","note_to_payer":"Defective producgd","status":"COMPLETED"},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F/resend","rel":"resend","method":"POST"}]}
    

    证书可以通过这个连接下载

    https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-7a8abba8
    
    $Paypal_Transmission_Id="c8defdc0-c51e-11eb-b07a-7921b31043db";
    $Paypal_Transmission_Time="2021-06-04T10:22:37Z";
    $wh_id="WH-9XW19278373474026-31R040160R341690F";
    
    $json ='{"id":"WH-9XW19278373474026-31R040160R341690F","event_version":"1.0","create_time":"2021-06-04T10:22:33.352Z","resource_type":"refund","resource_version":"2.0","event_type":"PAYMENT.CAPTURE.REFUNDED","summary":"A $ 30.0 USD capture payment was refunded","resource":{"seller_payable_breakdown":{"total_refunded_amount":{"value":"30.00","currency_code":"USD"},"paypal_fee":{"value":"1.02","currency_code":"USD"},"gross_amount":{"value":"30.00","currency_code":"USD"},"net_amount":{"value":"28.98","currency_code":"USD"}},"amount":{"value":"30.00","currency_code":"USD"},"update_time":"2021-06-04T03:22:06-07:00","create_time":"2021-06-04T03:22:06-07:00","invoice_id":"202106041822037167","links":[{"method":"GET","rel":"self","href":"https://api.sandbox.paypal.com/v2/payments/refunds/0VS41158VR447232A"},{"method":"GET","rel":"up","href":"https://api.sandbox.paypal.com/v2/payments/captures/7YH3814131008200K"}],"id":"0VS41158VR447232A","note_to_payer":"Defective producgd","status":"COMPLETED"},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F/resend","rel":"resend","method":"POST"}]}';
    $str = crc32($json);
    $pem = file_get_contents("./1.pem");
    $pubkeyid = openssl_get_publickey($pem);
    
    $data= $Paypal_Transmission_Id."|".$Paypal_Transmission_Time."|".$wh_id."|".$str;
    // state whether signature is okay or not
    $signature = "k4pSxwMwn8I5ZcUplN2s4HUtZTueQ39hvdj8a8ozzsSP9+moZnexuiu6jD/RXKe49F+JsRqlkAoIac71D47FztZsME+gogT28Wyj8vdOa7RHyxW1qmOsAkL+7POfqv+qJhLeivfjjABMBnTUptJTHEBjAJe/OgAbBjb5RSFI18HXHqToAlNJzhjsfqAf02AL2a1NZvfVItsZ8/mqWlu6pQPRLlbOFQ4EdE4CIWL4stIyRLvjfye07XM6JMtC/FCqG7fVRya7TbYskNInEianSjDY1xKlOs48KJwEmi2dMYC2WBjkuTnhw3oAKztGHd91sDTWwmZum6ToxAXIaZL0Zw==";
    
    $ok = openssl_verify($data, $signature, $pubkeyid,'SHA256');
    
    var_dump($ok);die();
    
    

    但是检验的结果是false,能帮我检查一下是哪里写错了吗

    9 条回复    2021-06-06 10:54:24 +08:00
    rockyliang
        1
    rockyliang  
       2021-06-05 20:40:03 +08:00
    我都是直接用 paypal 的 api 来做校验: https://developer.paypal.com/docs/api/webhooks/v1/#verify-webhook-signature
    dzdh
        2
    dzdh  
       2021-06-05 21:11:16 +08:00
    我记得要 base64_decode 一下?
    thunderw
        3
    thunderw  
       2021-06-05 21:42:13 +08:00
    https://www.bahjeez.com/validating-paypal-webhooks-offline-almost/
    webhook ID 看上去不是 WH-开头那个。
    另外 signature 要 decode 一下 base64_decode($signature)
    thunderw
        4
    thunderw  
       2021-06-05 21:46:04 +08:00
    <webhookid> is the ID that PayPal assigned to your webhook when you created it. You can find this a few different places:
    If you used the Webhooks API to create the webhook, this would have been the value of /id in the response.
    You can use the List All Webhooks API to see the webhooks you have registered. You can grab the webhook ID from there.
    You can also see your webhooks from developer.paypal.com. (Go to the Dashboard, then the My Apps & Credentials page. Scroll down to the REST API Apps section and find your REST app. Click on it, then scroll down to the “Sandbox Webhooks” or “Live Webhooks” section. The webhook ID will be displayed in the “Webhook ID” column.)
    fiypig
        5
    fiypig  
       2021-06-05 21:53:05 +08:00 via iPhone
    分段加解密
    cs5117155
        6
    cs5117155  
    OP
       2021-06-05 23:11:13 +08:00
    @thunderw 果然是要 base64_decode($signature),webhook ID 是后台配置固定的那个。而且我也很佩服你搜什么关键字找到这个 https://www.bahjeez.com/validating-paypal-webhooks-offline-almost/ 连接,我谷歌一上午找不到合适的答案
    cs5117155
        7
    cs5117155  
    OP
       2021-06-05 23:12:16 +08:00
    @rockyliang 这个每次收到异步请求,都要再 post 请求一次,我怕会担心资源消耗
    thunderw
        8
    thunderw  
       2021-06-06 09:05:51 +08:00
    @cs5117155 我这个人比较擅长 Google 😄 关键字:
    <transmissionId>|<timeStamp>|<webhookId>|<crc32> verify paypal php
    cs5117155
        9
    cs5117155  
    OP
       2021-06-06 10:54:24 +08:00
    @thunderw 果然厉害,之前我一直都是用 Paypal-Cert-Url,Paypal-Auth-Algo,Paypal-Transmission-Id 这样的关键词搜索,还真无想到用你那个关键词搜 😄
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2651 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 00:25 · PVG 08:25 · LAX 16:25 · JFK 19:25
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.