eBay / digital-signature-verification-ebay-api

Verification of digital signatures for use by developers sending HTTP requests to eBay's APIs
Apache License 2.0

Signature validation failed to fulfill the request #25

Open verghi opened 1 year ago

verghi commented 1 year ago

Hello, I have a problem using the getTransactions call in the Finances API. The steps I follow are as follows:

1. I got my eBay token.
2. I generate a public and private key using the eBay API.
3. I sign my signature with my private key. The format of my signature:

```
'"x-ebay-signature-key": {{ebay_signature_key}}\n'
'"@method": GET\n'
'"@path": /sell/finances/v1/transaction\n'
'"@authority": apiz.ebay.com\n'
'"@signature-params": ("x-ebay-signature-key" "@method" "@path" "@authority");created={{date}}\n'
```

4. I use the eBay API explorer to test my call (not a programming language yet):

```
Authorization:Bearer {{token}}
X-EBAY-C-MARKETPLACE-ID:EBAY_DE
x-ebay-signature-key: {{signature_key}}
Signature: sig1=:{{signature_signed_with_private_key}}
Signature-Input: sig1=("x-ebay-signature-key" "@method" "@path" "@authority");created={{time_of_request}}
Accept:application/json
```

5. When I make this call, I get a signature validation error. Please help me solve this issue if you can.

uherberg commented 1 year ago

@verghi Have you tried your signatures using the verification tool from this repo? In particular, please compare the signature base. Most likely, you calculate your base incorrectly. For example, there are no single quotes (') like you printed above. I have also seen that for Windows users, the line breaks weren't "\n". Which programming language and OS do you use? Can you post your code here? Which method do you use to calculate {{signature_signed_with_private_key}}?

verghi commented 1 year ago

Hello, thanks for your response. For now, I am using the eBay explorer to test my calls (so no programming language is used at that moment). I use Ubuntu, but I think there is no relation since I am using the eBay explorer. I used this approach to sign my signature:

uherberg commented 1 year ago

@verghi I am not quite sure which algorithm openssl dgst uses. As per the specification, the RSASSA-PKCS1-v1_5 algorithm needs to be used to sign the signature base. Maybe openssl uses a different format. You can use one of the SDKs to generate the signature, in case you use Java, NodeJS or PHP. There is also some sample code for C# available.
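
The points raised in this thread (a signature base with "\n" line breaks and no single quotes, signed with RSASSA-PKCS1-v1_5), shown as an added example that is not part of the thread and not code from this repository or the eBay SDKs. The function names, the throwaway key pair, the placeholder header value, the SHA-256 digest, the `:base64:` wrapping of the signature and the absence of a trailing newline are assumptions taken from the HTTP Message Signatures format.

```javascript
const crypto = require('crypto');

// Build the signature base: one `"name": value` line per covered component,
// then the "@signature-params" line, joined with "\n" only (no trailing newline).
function buildSignatureBase(components, created) {
  const names = components.map(([name]) => `"${name}"`).join(' ');
  const params = `(${names});created=${created}`;
  const lines = components.map(([name, value]) => `"${name}": ${value}`);
  lines.push(`"@signature-params": ${params}`);
  return { base: lines.join('\n'), signatureInput: `sig1=${params}` };
}

// Flag the two signature-base mistakes named in the thread.
function lintSignatureBase(base) {
  const problems = [];
  if (base.includes('\r')) problems.push('line breaks are not "\\n"');
  const quoted = base.split(/\r?\n/).some((l) => /^'|'$/.test(l.trim()));
  if (quoted) problems.push('lines are wrapped in single quotes');
  return problems;
}

// RSASSA-PKCS1-v1_5 over the exact bytes of the base (SHA-256 assumed).
function signBase(base, privateKey) {
  const sig = crypto.sign('sha256', Buffer.from(base, 'utf8'),
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING });
  return `sig1=:${sig.toString('base64')}:`;
}

// Verifier side: rebuild the base independently, then check the signature.
function verifyBase(base, signatureHeader, publicKey) {
  const b64 = signatureHeader.replace(/^sig1=:/, '').replace(/:$/, '');
  return crypto.verify('sha256', Buffer.from(base, 'utf8'),
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_PADDING },
    Buffer.from(b64, 'base64'));
}

// Constructed sample data: throwaway key pair, placeholder signature-key value.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE = buildSignatureBase([
  ['x-ebay-signature-key', 'PLACEHOLDER_SIGNATURE_KEY'],
  ['@method', 'GET'],
  ['@path', '/sell/finances/v1/transaction'],
  ['@authority', 'apiz.ebay.com'],
], 1700000000);
const SAMPLE_SIGNATURE = signBase(SAMPLE.base, privateKey);
```

A base that differs by a single byte (CRLF line breaks, added quotes) produces a signature the verifier rejects, so running `lintSignatureBase` on the string before signing is a quick first check.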