使用 PHP 和 gree/jose 库从签名验证 webhook

Verify webhook from signature using PHP with gree/jose library

我正在尝试关注 the 3rd party documentation for verifying a webhook body using the Signature header -- 3rd party 将被称为 3P 前进)。

3P 提供 a sample Kotlin implementation using a java library. I am using PHP and decided to try gree/jose 作为我的图书馆。

作为健全性检查,我已将他们的示例数据复制到我的实施中,但我仍然得到错误的结果。

$signature = '1IJl6VyKU4pYfqMHUd55QBNq5Etbz5a7DOCkID2Nloay76y4f02w2iMXONlyL/Bx9SkrbivOHW1l1XadkUrd5pKUK1fhpcnItukLrsK5ADQOcuEjSLBg9qJffZYooXfc7hOD/fV0sN33W2vBYJspbR3P766DwG/6IO/20f9t/DcSWa79EFZPMnsCicEArNS3iIYBtdZSX5ta5EETt7S8acHbpIlSDrTcYpo0vuz19LQ6SPQqN2LGdR+U7ZOiUQWdfMXhUgE7w94pHQzcOq1IHfw3CylUEcRR/DhrGqs4mBaagO6JpWzeqE1uTAiN579kOtSSqjblTb2AXALTQ3+TtA==';  // taken from "Signature" in headers
$payload = '{"eventId":"569886904","officeId":"132917981","eventType":"INTEGRATION_DEACTIVATED","event":{"integration":{"status":"INACTIVE","webhookId":"2bc47eed-08a0-4d18-a5c0-b7f18ab802e3","officeId":"132917981","createdDateTime":"2020-03-17T23:39:41.804Z","lastUpdatedDateTime":"2020-03-17T23:39:41.804Z"}},"createdDateTime":"2020-03-17T23:39:41.806Z"}';  // this is the body of the request sent to my application
$components = [
    'kty' => 'RSA',
    'e' => 'AQAB',
    'n' => 'ANV-aocctqt5xDRnqomCgsO9dm4hM0Qd75TqG7z2G5Z89JQ7SRy2ok-fIJRiSU5-JfjPc3uph3gSOXyqlNoEh4YGL2R4AP7jhxy9xv0gDVtj1tExB_mmk8EUbmj8hTIrfAgEJrDeB4qMk7MkkKxhHkhLNEJEPZfgYHcHcuKjp2l_vtpiuR9Ouz0febB9K4gLozrp9KHW2K-m0z02-tSurxmmij5nnJ-CEgp0wXcCS4w4G0jve4hcLlL9FU8HKxrb0d4rMQgM3VAal6yG5pwMdtrsch7xA-occwWFC_tHgpDJGNvOJNFtuk7Cit_aom-6U6ssGF13sUtdrog2ePWjVxc=',
    'kid' => '2020-03-18',
    'alg' => 'RSA256',
];  // the $components array values are sourced by a separate API call to the 3P
$rsa = JOSE_JWK::decode($components); // => phpseclib\Crypt\RSA instance
$publicKey = $rsa->createKey()['publickey'];  // this appears to work perfectly
$rsa->loadKey($publicKey);
var_dump($rsa->verify($payload, $rsa->sign($signature)));  // bool(false)

我已经在这个软件上苦苦挣扎了 2 天多了,我觉得我已经尝试了大约 100 种不同的东西 (some proof)。我什至尝试过部分放弃 gree/jose 库。最终,我只需要一个可行的解决方案(无论它是修复此实现还是娱乐不同的 implementation/library)。

我觉得我在调用 verify() 之前准备字符串的过程中可能遗漏了一个(或两个)步骤,但我对这个过程太不熟悉了,无法自己识别。当然,verify() 并不表示我变得 更热 更冷

我去过的地方:

RS256 在 Java 中表示 RSASSA-PKCS1-v1_5 using SHA-256

$signature = '1IJl6VyKU4pYfqMHUd55QBNq5Etbz5a7DOCkID2Nloay76y4f02w2iMXONlyL/Bx9SkrbivOHW1l1XadkUrd5pKUK1fhpcnItukLrsK5ADQOcuEjSLBg9qJffZYooXfc7hOD/fV0sN33W2vBYJspbR3P766DwG/6IO/20f9t/DcSWa79EFZPMnsCicEArNS3iIYBtdZSX5ta5EETt7S8acHbpIlSDrTcYpo0vuz19LQ6SPQqN2LGdR+U7ZOiUQWdfMXhUgE7w94pHQzcOq1IHfw3CylUEcRR/DhrGqs4mBaagO6JpWzeqE1uTAiN579kOtSSqjblTb2AXALTQ3+TtA==';  // taken from "Signature" in headers
$payload = '{"eventId":"569886904","officeId":"132917981","eventType":"INTEGRATION_DEACTIVATED","event":{"integration":{"status":"INACTIVE","webhookId":"2bc47eed-08a0-4d18-a5c0-b7f18ab802e3","officeId":"132917981","createdDateTime":"2020-03-17T23:39:41.804Z","lastUpdatedDateTime":"2020-03-17T23:39:41.804Z"}},"createdDateTime":"2020-03-17T23:39:41.806Z"}';  // this is the body of the request sent to my application
$components = [
    'kty' => 'RSA',
    'e' => 'AQAB',
    'n' => 'ANV-aocctqt5xDRnqomCgsO9dm4hM0Qd75TqG7z2G5Z89JQ7SRy2ok-fIJRiSU5-JfjPc3uph3gSOXyqlNoEh4YGL2R4AP7jhxy9xv0gDVtj1tExB_mmk8EUbmj8hTIrfAgEJrDeB4qMk7MkkKxhHkhLNEJEPZfgYHcHcuKjp2l_vtpiuR9Ouz0febB9K4gLozrp9KHW2K-m0z02-tSurxmmij5nnJ-CEgp0wXcCS4w4G0jve4hcLlL9FU8HKxrb0d4rMQgM3VAal6yG5pwMdtrsch7xA-occwWFC_tHgpDJGNvOJNFtuk7Cit_aom-6U6ssGF13sUtdrog2ePWjVxc=',
    'kid' => '2020-03-18',
    'alg' => 'RSA256',
];  // the $components array values are sourced by a separate API call to the 3P
$rsa = JOSE_JWK::decode($components); // => phpseclib\Crypt\RSA instance
$rsa->setHash('sha256');
var_dump($rsa->_rsassa_pkcs1_v1_5_verify($payload, JOSE_URLSafeBase64::decode($signature)));