使用 openssl_verify 签名校验 SHA256withRSA 的问题

我最近在做 paypal 支付,需要校验异步通知是否伪造的,根据校验规则是 To generate the signature, PayPal concatenates and separates these items with the pipe (|) character. To validate a signature, use this input string:

这里有详细的参数校验规则

https://developer.paypal.com/docs/api-basics/notifications/webhooks/notification-messages/

原始数据如下

Client_pid: 124700
Content-Type: application/json
Correlation-Id: 79c56327c8eb6
Dfb0bc8d2e7022fa68259b0ae4e76bff: tag
Paypal-Auth-Algo: SHA256withRSA
Paypal-Auth-Version: v2
Paypal-Cert-Url: https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-7a8abba8
Paypal-Transmission-Id: c8defdc0-c51e-11eb-b07a-7921b31043db
Paypal-Transmission-Sig: k4pSxwMwn8I5ZcUplN2s4HUtZTueQ39hvdj8a8ozzsSP9+moZnexuiu6jD/RXKe49F+JsRqlkAoIac71D47FztZsME+gogT28Wyj8vdOa7RHyxW1qmOsAkL+7POfqv+qJhLeivfjjABMBnTUptJTHEBjAJe/OgAbBjb5RSFI18HXHqToAlNJzhjsfqAf02AL2a1NZvfVItsZ8/mqWlu6pQPRLlbOFQ4EdE4CIWL4stIyRLvjfye07XM6JMtC/FCqG7fVRya7TbYskNInEianSjDY1xKlOs48KJwEmi2dMYC2WBjkuTnhw3oAKztGHd91sDTWwmZum6ToxAXIaZL0Zw==
Paypal-Transmission-Time: 2021-06-04T10:22:37Z
X-Daa-Tunnel: hop_count=1
X-Forwarded-For: 173.0.80.116
X-Forwarded-Proto: https
X-Nws-Log-Uuid: 13526949154786814179
X-Tencent-Ua: Qcloud
Accept-Encoding: gzip

{"id":"WH-9XW19278373474026-31R040160R341690F","event_version":"1.0","create_time":"2021-06-04T10:22:33.352Z","resource_type":"refund","resource_version":"2.0","event_type":"PAYMENT.CAPTURE.REFUNDED","summary":"A $ 30.0 USD capture payment was refunded","resource":{"seller_payable_breakdown":{"total_refunded_amount":{"value":"30.00","currency_code":"USD"},"paypal_fee":{"value":"1.02","currency_code":"USD"},"gross_amount":{"value":"30.00","currency_code":"USD"},"net_amount":{"value":"28.98","currency_code":"USD"}},"amount":{"value":"30.00","currency_code":"USD"},"update_time":"2021-06-04T03:22:06-07:00","create_time":"2021-06-04T03:22:06-07:00","invoice_id":"202106041822037167","links":[{"method":"GET","rel":"self","href":"https://api.sandbox.paypal.com/v2/payments/refunds/0VS41158VR447232A"},{"method":"GET","rel":"up","href":"https://api.sandbox.paypal.com/v2/payments/captures/7YH3814131008200K"}],"id":"0VS41158VR447232A","note_to_payer":"Defective producgd","status":"COMPLETED"},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F/resend","rel":"resend","method":"POST"}]}

证书可以通过这个连接下载

https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-7a8abba8

$Paypal_Transmission_Id="c8defdc0-c51e-11eb-b07a-7921b31043db";
$Paypal_Transmission_Time="2021-06-04T10:22:37Z";
$wh_id="WH-9XW19278373474026-31R040160R341690F";

$json ='{"id":"WH-9XW19278373474026-31R040160R341690F","event_version":"1.0","create_time":"2021-06-04T10:22:33.352Z","resource_type":"refund","resource_version":"2.0","event_type":"PAYMENT.CAPTURE.REFUNDED","summary":"A $ 30.0 USD capture payment was refunded","resource":{"seller_payable_breakdown":{"total_refunded_amount":{"value":"30.00","currency_code":"USD"},"paypal_fee":{"value":"1.02","currency_code":"USD"},"gross_amount":{"value":"30.00","currency_code":"USD"},"net_amount":{"value":"28.98","currency_code":"USD"}},"amount":{"value":"30.00","currency_code":"USD"},"update_time":"2021-06-04T03:22:06-07:00","create_time":"2021-06-04T03:22:06-07:00","invoice_id":"202106041822037167","links":[{"method":"GET","rel":"self","href":"https://api.sandbox.paypal.com/v2/payments/refunds/0VS41158VR447232A"},{"method":"GET","rel":"up","href":"https://api.sandbox.paypal.com/v2/payments/captures/7YH3814131008200K"}],"id":"0VS41158VR447232A","note_to_payer":"Defective producgd","status":"COMPLETED"},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F/resend","rel":"resend","method":"POST"}]}';
$str = crc32($json);
$pem = file_get_contents("./1.pem");
$pubkeyid = openssl_get_publickey($pem);

$data= $Paypal_Transmission_Id."|".$Paypal_Transmission_Time."|".$wh_id."|".$str;
// state whether signature is okay or not
$signature = "k4pSxwMwn8I5ZcUplN2s4HUtZTueQ39hvdj8a8ozzsSP9+moZnexuiu6jD/RXKe49F+JsRqlkAoIac71D47FztZsME+gogT28Wyj8vdOa7RHyxW1qmOsAkL+7POfqv+qJhLeivfjjABMBnTUptJTHEBjAJe/OgAbBjb5RSFI18HXHqToAlNJzhjsfqAf02AL2a1NZvfVItsZ8/mqWlu6pQPRLlbOFQ4EdE4CIWL4stIyRLvjfye07XM6JMtC/FCqG7fVRya7TbYskNInEianSjDY1xKlOs48KJwEmi2dMYC2WBjkuTnhw3oAKztGHd91sDTWwmZum6ToxAXIaZL0Zw==";

$ok = openssl_verify($data, $signature, $pubkeyid,'SHA256');

var_dump($ok);die();

但是检验的结果是false，能帮我检查一下是哪里写错了吗