使用 openssl_verify 签名校验 SHA256withRSA 的问题

2021-06-05 18:31:28 +08:00
 cs5117155

我最近在做 paypal 支付,需要校验异步通知是否伪造的,根据校验规则是 To generate the signature, PayPal concatenates and separates these items with the pipe (|) character. To validate a signature, use this input string:

这里有详细的参数校验规则

https://developer.paypal.com/docs/api-basics/notifications/webhooks/notification-messages/

原始数据如下

Client_pid: 124700
Content-Type: application/json
Correlation-Id: 79c56327c8eb6
Dfb0bc8d2e7022fa68259b0ae4e76bff: tag
Paypal-Auth-Algo: SHA256withRSA
Paypal-Auth-Version: v2
Paypal-Cert-Url: https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-7a8abba8
Paypal-Transmission-Id: c8defdc0-c51e-11eb-b07a-7921b31043db
Paypal-Transmission-Sig: k4pSxwMwn8I5ZcUplN2s4HUtZTueQ39hvdj8a8ozzsSP9+moZnexuiu6jD/RXKe49F+JsRqlkAoIac71D47FztZsME+gogT28Wyj8vdOa7RHyxW1qmOsAkL+7POfqv+qJhLeivfjjABMBnTUptJTHEBjAJe/OgAbBjb5RSFI18HXHqToAlNJzhjsfqAf02AL2a1NZvfVItsZ8/mqWlu6pQPRLlbOFQ4EdE4CIWL4stIyRLvjfye07XM6JMtC/FCqG7fVRya7TbYskNInEianSjDY1xKlOs48KJwEmi2dMYC2WBjkuTnhw3oAKztGHd91sDTWwmZum6ToxAXIaZL0Zw==
Paypal-Transmission-Time: 2021-06-04T10:22:37Z
X-Daa-Tunnel: hop_count=1
X-Forwarded-For: 173.0.80.116
X-Forwarded-Proto: https
X-Nws-Log-Uuid: 13526949154786814179
X-Tencent-Ua: Qcloud
Accept-Encoding: gzip

{"id":"WH-9XW19278373474026-31R040160R341690F","event_version":"1.0","create_time":"2021-06-04T10:22:33.352Z","resource_type":"refund","resource_version":"2.0","event_type":"PAYMENT.CAPTURE.REFUNDED","summary":"A $ 30.0 USD capture payment was refunded","resource":{"seller_payable_breakdown":{"total_refunded_amount":{"value":"30.00","currency_code":"USD"},"paypal_fee":{"value":"1.02","currency_code":"USD"},"gross_amount":{"value":"30.00","currency_code":"USD"},"net_amount":{"value":"28.98","currency_code":"USD"}},"amount":{"value":"30.00","currency_code":"USD"},"update_time":"2021-06-04T03:22:06-07:00","create_time":"2021-06-04T03:22:06-07:00","invoice_id":"202106041822037167","links":[{"method":"GET","rel":"self","href":"https://api.sandbox.paypal.com/v2/payments/refunds/0VS41158VR447232A"},{"method":"GET","rel":"up","href":"https://api.sandbox.paypal.com/v2/payments/captures/7YH3814131008200K"}],"id":"0VS41158VR447232A","note_to_payer":"Defective producgd","status":"COMPLETED"},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F/resend","rel":"resend","method":"POST"}]}

证书可以通过这个连接下载

https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-7a8abba8
$Paypal_Transmission_Id="c8defdc0-c51e-11eb-b07a-7921b31043db";
$Paypal_Transmission_Time="2021-06-04T10:22:37Z";
$wh_id="WH-9XW19278373474026-31R040160R341690F";

$json ='{"id":"WH-9XW19278373474026-31R040160R341690F","event_version":"1.0","create_time":"2021-06-04T10:22:33.352Z","resource_type":"refund","resource_version":"2.0","event_type":"PAYMENT.CAPTURE.REFUNDED","summary":"A $ 30.0 USD capture payment was refunded","resource":{"seller_payable_breakdown":{"total_refunded_amount":{"value":"30.00","currency_code":"USD"},"paypal_fee":{"value":"1.02","currency_code":"USD"},"gross_amount":{"value":"30.00","currency_code":"USD"},"net_amount":{"value":"28.98","currency_code":"USD"}},"amount":{"value":"30.00","currency_code":"USD"},"update_time":"2021-06-04T03:22:06-07:00","create_time":"2021-06-04T03:22:06-07:00","invoice_id":"202106041822037167","links":[{"method":"GET","rel":"self","href":"https://api.sandbox.paypal.com/v2/payments/refunds/0VS41158VR447232A"},{"method":"GET","rel":"up","href":"https://api.sandbox.paypal.com/v2/payments/captures/7YH3814131008200K"}],"id":"0VS41158VR447232A","note_to_payer":"Defective producgd","status":"COMPLETED"},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F/resend","rel":"resend","method":"POST"}]}';
$str = crc32($json);
$pem = file_get_contents("./1.pem");
$pubkeyid = openssl_get_publickey($pem);

$data= $Paypal_Transmission_Id."|".$Paypal_Transmission_Time."|".$wh_id."|".$str;
// state whether signature is okay or not
$signature = "k4pSxwMwn8I5ZcUplN2s4HUtZTueQ39hvdj8a8ozzsSP9+moZnexuiu6jD/RXKe49F+JsRqlkAoIac71D47FztZsME+gogT28Wyj8vdOa7RHyxW1qmOsAkL+7POfqv+qJhLeivfjjABMBnTUptJTHEBjAJe/OgAbBjb5RSFI18HXHqToAlNJzhjsfqAf02AL2a1NZvfVItsZ8/mqWlu6pQPRLlbOFQ4EdE4CIWL4stIyRLvjfye07XM6JMtC/FCqG7fVRya7TbYskNInEianSjDY1xKlOs48KJwEmi2dMYC2WBjkuTnhw3oAKztGHd91sDTWwmZum6ToxAXIaZL0Zw==";

$ok = openssl_verify($data, $signature, $pubkeyid,'SHA256');

var_dump($ok);die();

但是检验的结果是false,能帮我检查一下是哪里写错了吗

1912 次点击
所在节点    PHP
9 条回复
rockyliang
2021-06-05 20:40:03 +08:00
我都是直接用 paypal 的 api 来做校验: https://developer.paypal.com/docs/api/webhooks/v1/#verify-webhook-signature
dzdh
2021-06-05 21:11:16 +08:00
我记得要 base64_decode 一下?
thunderw
2021-06-05 21:42:13 +08:00
https://www.bahjeez.com/validating-paypal-webhooks-offline-almost/
webhook ID 看上去不是 WH-开头那个。
另外 signature 要 decode 一下 base64_decode($signature)
thunderw
2021-06-05 21:46:04 +08:00
<webhookid> is the ID that PayPal assigned to your webhook when you created it. You can find this a few different places:
If you used the Webhooks API to create the webhook, this would have been the value of /id in the response.
You can use the List All Webhooks API to see the webhooks you have registered. You can grab the webhook ID from there.
You can also see your webhooks from developer.paypal.com. (Go to the Dashboard, then the My Apps & Credentials page. Scroll down to the REST API Apps section and find your REST app. Click on it, then scroll down to the “Sandbox Webhooks” or “Live Webhooks” section. The webhook ID will be displayed in the “Webhook ID” column.)
fiypig
2021-06-05 21:53:05 +08:00
分段加解密
cs5117155
2021-06-05 23:11:13 +08:00
@thunderw 果然是要 base64_decode($signature),webhook ID 是后台配置固定的那个。而且我也很佩服你搜什么关键字找到这个 https://www.bahjeez.com/validating-paypal-webhooks-offline-almost/ 连接,我谷歌一上午找不到合适的答案
cs5117155
2021-06-05 23:12:16 +08:00
@rockyliang 这个每次收到异步请求,都要再 post 请求一次,我怕会担心资源消耗
thunderw
2021-06-06 09:05:51 +08:00
@cs5117155 我这个人比较擅长 Google 😄 关键字:
<transmissionId>|<timeStamp>|<webhookId>|<crc32> verify paypal php
cs5117155
2021-06-06 10:54:24 +08:00
@thunderw 果然厉害,之前我一直都是用 Paypal-Cert-Url,Paypal-Auth-Algo,Paypal-Transmission-Id 这样的关键词搜索,还真无想到用你那个关键词搜 😄

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/781592

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX