Shopify C# HMAC SHA256 OAuth Validation
I am trying to validate the Shopify HMAC during the OAuth request, but the hash I generate does not match the one supplied in the request.
I found some other topics, but they are either outdated, as the documentation now states it uses a GET request instead of POST, or in Java.
My C# code is as follows:
using System;
using System.Text;
// shop, timestamp and hmac are taken from the OAuth request's query string
string key = "mysecretkey";
string message = string.Format("shop={0}&timestamp={1}", shop, timestamp);
System.Text.ASCIIEncoding encoding = new ASCIIEncoding();
byte[] keyBytes = encoding.GetBytes(key);
byte[] messageBytes = encoding.GetBytes(message);
System.Security.Cryptography.HMACSHA256 cryptographer = new System.Security.Cryptography.HMACSHA256(keyBytes);
byte[] bytes = cryptographer.ComputeHash(messageBytes);
// hex-encode the MAC and compare against the hmac parameter from the request
string digest = BitConverter.ToString(bytes).Replace("-", "");
bool valid = digest == hmac.ToUpper();
I guess the message is built incorrectly, but I followed the official documentation without success.
Can anyone help?
You are computing the HMAC, but without using your secret key.
The documentation says you should generate the HMAC digest with the shared secret. What would an HMAC value without a key mean anyway? If Shopify did not compute the HMAC with the pre-shared secret between you and them, anyone could impersonate the Shopify server.
The following code block is from the documentation:
digest = OpenSSL::Digest.new('sha256')
secret = "hush"
message = "shop=some-shop.myshopify.com&timestamp=1337178173"
digest = OpenSSL::HMAC.hexdigest(digest, secret, message)
digest == "2cb1a277650a659f1b11e92a4a64275b128e037f2c3390e3c8fd2d8721dac9e2"
So try cryptographer.Key = keyBytes; before computing the hash:
byte[] keyBytes = encoding.GetBytes(key);
byte[] messageBytes = encoding.GetBytes(message);
System.Security.Cryptography.HMACSHA256 cryptographer = new System.Security.Cryptography.HMACSHA256(keyBytes);
cryptographer.Key = keyBytes;
byte[] bytes = cryptographer.ComputeHash(messageBytes);
OK, a Shopify developer replied to me with the answer. It seems you need to hash the entire contents of the query string in alphabetical order, except for signature and hmac. I had my own parameter (rlr) as well as a parameter not mentioned in the documentation (state).
using System;
using System.Text;
// key holds the app's shared secret; the parameters below are sorted by name
string message = "";// "code=7af66fd73427a1634cee3103297230b8&rlr=9DFD5EA9-7747-4142-97D9-2D44BBA442F1&shop=appswiz.myshopify.com&state=fa992b8f-762e-4813-b707-6044e71ad3b5&timestamp=1448856806";
message = "code=xxxxxxxx";
message += "&rlr=xxxxx";
message += "&shop=xxx.myshopify.com";
message += "&state=xxxxxxxx";
message += "&timestamp=1449111190";
hmac = "xxxxxxx"; // the hmac parameter received in the request
System.Text.ASCIIEncoding encoding = new ASCIIEncoding();
byte[] keyBytes = encoding.GetBytes(key);
byte[] messageBytes = encoding.GetBytes(message);
System.Security.Cryptography.HMACSHA256 cryptographer = new System.Security.Cryptography.HMACSHA256(keyBytes);
byte[] bytes = cryptographer.ComputeHash(messageBytes);
string digest = BitConverter.ToString(bytes).Replace("-", "");
return digest == hmac.ToUpper();
Now it works.
Using Guy Lowe's answer, I recently got this working:
using System;
using System.Text;
// hmacHeader: the hmac value from the request; localData: the sorted query string without hmac/signature
public bool ValidateShopifyHmac(string hmacHeader, string localData, string apiSecret) {
var ascii = new ASCIIEncoding();
var secretBytes = ascii.GetBytes(apiSecret);
var cryptographer = new System.Security.Cryptography.HMACSHA256(secretBytes);
var messageBytes = ascii.GetBytes(localData);
var hashedMessage = cryptographer.ComputeHash(messageBytes);
var digest = BitConverter.ToString(hashedMessage).Replace("-", "");
return digest == hmacHeader.ToUpper();
}
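The two answers above leave the query-string handling to the caller and compare the hex digest with a plain string ==. Below is an added example (not code from the question or from either answer) that does the whole check the self-answer describes: drop the hmac and signature parameters, sort the rest by name, join them with &, compute HMAC-SHA256 under the shared secret, and compare in constant time with CryptographicOperations.FixedTimeEquals (available from .NET Core 2.1). The known-answer check in Main uses the secret and digest quoted from the documentation in the first answer; the tampered query is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the question or its answers.
// Requires .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals.
public static class ShopifyOAuthHmac
{
    // Parse "name=value&name=value" into ordered pairs, keeping values exactly as
    // they appear in the query string (the thread hashes them as received).
    public static List<KeyValuePair<string, string>> ParseQuery(string queryString)
    {
        var pairs = new List<KeyValuePair<string, string>>();
        string[] parts = queryString.TrimStart('?')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string part in parts)
        {
            int eq = part.IndexOf('=');
            string name = eq < 0 ? part : part.Substring(0, eq);
            string value = eq < 0 ? "" : part.Substring(eq + 1);
            pairs.Add(new KeyValuePair<string, string>(name, value));
        }
        return pairs;
    }

    // The message the self-answer describes: every parameter except hmac and
    // signature, sorted by name (ordinal), re-joined with '&'.
    public static string BuildMessage(string queryString)
    {
        return string.Join("&", ParseQuery(queryString)
            .Where(p => p.Key != "hmac" && p.Key != "signature")
            .OrderBy(p => p.Key, StringComparer.Ordinal)
            .Select(p => p.Key + "=" + p.Value));
    }

    // Lower-case hex HMAC-SHA256 of the message under the app's shared secret.
    public static string ComputeHexDigest(string secret, string message)
    {
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    // Verify the hmac parameter of an OAuth redirect. The comparison is
    // constant-time so a mismatch does not leak how many leading bytes matched.
    public static bool IsValid(string secret, string queryString)
    {
        string presented = ParseQuery(queryString)
            .Where(p => p.Key == "hmac")
            .Select(p => p.Value)
            .FirstOrDefault();
        if (string.IsNullOrEmpty(presented)) return false;

        byte[] expected = Encoding.ASCII.GetBytes(
            ComputeHexDigest(secret, BuildMessage(queryString)));
        byte[] given = Encoding.ASCII.GetBytes(presented.ToLowerInvariant());
        // A length mismatch returns false at once; that length is not secret.
        return CryptographicOperations.FixedTimeEquals(expected, given);
    }

    public static void Main()
    {
        // Known-answer check with the documentation vector quoted in the first answer.
        const string secret = "hush";
        const string documented =
            "2cb1a277650a659f1b11e92a4a64275b128e037f2c3390e3c8fd2d8721dac9e2";
        string query = "hmac=" + documented
            + "&timestamp=1337178173&shop=some-shop.myshopify.com";
        Console.WriteLine(BuildMessage(query));   // hmac dropped, names sorted
        Console.WriteLine(IsValid(secret, query));

        // Constructed sample: a changed timestamp must fail with the same hmac.
        string tampered = "hmac=" + documented
            + "&timestamp=1337178174&shop=some-shop.myshopify.com";
        Console.WriteLine(IsValid(secret, tampered));
    }
}
```

The parameters arrive in whatever order the redirect puts them, so BuildMessage sorts them itself rather than relying on the caller to pass a pre-sorted string as the last answer does; the ordinal sort reproduces the code, rlr, shop, state, timestamp order shown in the self-answer.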