eBay / digital-signature-verification-ebay-api

Verification of digital signatures for use by developers sending HTTP requests to eBay's APIs
Apache License 2.0

C# Signature validation failed #23

Closed matt-read closed 1 year ago

matt-read commented 1 year ago

We are looking to adopt the new digital signature needed to post to eBay issue_refund API calls as described here: https://developer.ebay.com/develop/guides/digital-signatures-for-apis.

We have set up a .NET console app to test the new signature code. See below for our sample code. The code we have produced is based on the PHP example code eBay provides here: https://github.com/eBay/digital-signature-php-sdk.

Sample Code

Using the Key Management API we have successfully created our keys, from which we use the public JWE for the x-ebay-signature-key header.

Content-Digest

The content-digest header is created by converting the response body payload to a SHA-256 digest, so this:

{
  "refundDetail": {
    "itemizedRefundDetail": {
      "refundAmount": {
        "value": 17.95,
        "currency": "GBP"
      },
      "refundFeeType": "PURCHASE_PRICE"
    },
    "totalAmount": {
      "value": 17.95,
      "currency": "GBP"
    }
  }
}

Gets converted to:

sha-256=:HhLjZL3cSPNhpqDfrzIgYE4cZtKjQWDFJ85Qsuz3trA=:

Signature-Input

sig1=("content-digest" "x-ebay-signature-key" "@method" "@path" "@authority");created=1684937566

Signature

This calls a service which firstly builds up the signature base:

"content-digest": sha-256=:HhLjZL3cSPNhpqDfrzIgYE4cZtKjQWDFJ85Qsuz3trA=:
"x-ebay-signature-key": eyJ6aXAiOiJERUYiLC.....
"@method": POST
"@path": /post-order/v2/return/return_id_here/issue_refund
"@authority": api.ebay.com
"@signature-params": ("content-digest" "x-ebay-signature-key" "@method" "@path" "@authority");created=1684938163

We then load in the private key and use this to convert to a base64 string. So we end up with:

sig1=:fM44WoC1C2n9oUDoQnZaRN9ujlVbgLw7Z58v5hw/R8hBYoNRcSQWkz1IhhGa1XqtKQUhpqKQd/feqoyWkyntoCdwBvWlZGdAsSwN3xGLd4S3UQpfiOGgcpjkvh47Fpym2jKXJaJ1TRsOdwOhFj/Zr771OGk+zq3pix8z98KyKLDKH2aoV0MbIxUH6cQhywktOWDfD9eqS4mUxrQvU5C3ddtT5MmFIwG5R9BZT4mv89N9F0qDd1ZH4P/jWpDuQTNnBDwaudYUloawUQQIDoqso03Y1nbiTOu77yht7KnozXVAnW6sTwAR1W7IGDlckglkPe2yzfhMchkUfu3N5k9Bjw==:

However, after running our sample code, the response we are getting back from the API is:

{
  "errors": [
    {
      "errorId": 215120,
      "domain": "ACCESS",
      "category": "REQUEST",
      "message": "Signature validation failed",
      "longMessage": "Signature validation failed to fulfill the request."
    }
  ]
}

Some help to understand what we have done wrong would be gratefully received.

Many thanks

uherberg commented 1 year ago

Hi @matt-read. You may want to check out https://github.com/eBay/digital-signature-verification-ebay-api/issues/4. Someone else also had issues with C#. In that case, it was a different line break between Windows and Linux based operating systems. There was some sample code on that GitHub issue as well. Please go through it and let me know if this is of any help.

matt-read commented 1 year ago

Many thanks for the pointer @uherberg. The line break was in fact the issue. All working well now.

Thank you

uherberg commented 1 year ago

@matt-read Awesome!
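
The line-break mismatch identified in this thread, as an added C# example that is not part of the issue or of eBay's code: it assumes the signature base was joined with the Windows line break (CRLF), whereas RFC 9421 joins the lines with a single LF and no trailing line break. The request body, timestamp, JWE placeholder and the throwaway RSA key with PKCS#1 v1.5 and SHA-256 are constructed for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SignatureBaseLineBreakDemo
{
    // Constructed sample values; the JWE is a placeholder, not a real key header.
    static readonly (string Name, string Value)[] Components =
    {
        ("content-digest", Digest("{\"refundDetail\":{}}")),
        ("x-ebay-signature-key", "PLACEHOLDER_PUBLIC_JWE"),
        ("@method", "POST"),
        ("@path", "/post-order/v2/return/return_id_here/issue_refund"),
        ("@authority", "api.ebay.com"),
    };

    static string Digest(string body) =>
        "sha-256=:" + Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(body))) + ":";

    // Builds the signature base with an explicit separator and no trailing line break.
    static string BuildBase(string separator, long created)
    {
        string covered = string.Join(" ", Components.Select(c => $"\"{c.Name}\""));
        var lines = Components.Select(c => $"\"{c.Name}\": {c.Value}")
            .Append($"\"@signature-params\": ({covered});created={created}");
        return string.Join(separator, lines);
    }

    static void Main()
    {
        const long created = 1700000000; // constructed timestamp
        byte[] lfBase = Encoding.UTF8.GetBytes(BuildBase("\n", created));
        byte[] crlfBase = Encoding.UTF8.GetBytes(BuildBase("\r\n", created));

        using RSA key = RSA.Create(2048); // throwaway key, assumed algorithm for the demo
        byte[] signature = key.SignData(crlfBase, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // A verifier rebuilds the base with LF, so a signature over the CRLF base does not verify.
        bool crlfAccepted = key.VerifyData(lfBase, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"CRLF-signed base verifies against LF base: {crlfAccepted}");

        byte[] fixedSignature = key.SignData(lfBase, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        bool lfAccepted = key.VerifyData(lfBase, fixedSignature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"LF-signed base verifies against LF base: {lfAccepted}");
        Console.WriteLine($"Extra CR bytes in the CRLF base: {crlfBase.Length - lfBase.Length}");
    }
}
```

Joining with an explicit "\n" rather than Environment.NewLine or StringBuilder.AppendLine keeps the signed bytes identical on Windows and Linux.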