eBay / digital-signature-verification-ebay-api

Verification of digital signatures for use by developers sending HTTP requests to eBay's APIs
Apache License 2.0

Docker test image results in Invalid Signature using test data #3

Closed gwharton closed 1 year ago

gwharton commented 2 years ago

Using Docker Test image from

https://hub.docker.com/r/ebay/digital-signature-verification-ebay-api

running command

curl --location --request POST 'http://localhost:8080/verifysignature' \
--header 'Content-Type: application/json' \
--header 'Signature-Input: sig1=("content-digest" "x-ebay-signature-key" "@method" "@path" "@authority");created=1658440308' \
--header 'Content-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:' \
--header 'Signature: sig1=:uunxYrXKC8KaoupD5D1DKdmQmrOhz6b4Xbhb3o9d4x4xFIpg++XzEZztOyeOI59rMMjM3NIcFgxBH0c1ckpfBw==:' \
--header 'x-ebay-signature-key: eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiSGdLcjNSSWFlZll0Mkd4blBUUTEwUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiQTVOQXFYUXlITkNIT01GVSJ9.z3JcS0vvxrYboqpySAq_Znww-3V6AllxmJP5JEMkuLY.K1f4MVMEc8ylbfSS.fASwJyMCk2tXZsNWk13IcuVgSWTOcynSdAoJrK4WApZANlxAP9J0qr0Jz_4aFldFDSZ5tfuxLGqzJmWU7CiZWwNjk2XoVy8q5ogMrFNFwFXP4SrX1XORhNLZPTyS5DEqLDPYn2NX944xendEwfcxxXsTSeNCUnmSyfitiscUC04GYOfn0UWQ2buSWx7Yod0IR2GtTGUsM9o3J-riuNDKhw.rRsWM1Sl_2stTnZLJkWVmQ' \
--data-raw '{"hello": "world"}'

returns

Signature invalid

According to the docs, this should be a valid signature.

uherberg commented 2 years ago

@gwharton This PR should fix that: https://github.com/eBay/digital-signature-verification-ebay-api/pull/6

uherberg commented 2 years ago

@gwharton Please try it again now.

gwharton commented 2 years ago

I'm still unable to verify the test signature.

docker-compose.yml

version: '3.8'

services:
  ebay:
    image: "ebay/digital-signature-verification-ebay-api:latest"
    ports:
      - "8083:8080"

docker-compose up

$ docker-compose up
Creating network "ebay_default" with the default driver
Creating ebay_ebay_1 ... done
Attaching to ebay_ebay_1
ebay_1  | 
ebay_1  |   .   ____          _            __ _ _
ebay_1  |  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
ebay_1  | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
ebay_1  |  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
ebay_1  |   '  |____| .__|_| |_|_| |_\__, | / / / /
ebay_1  |  =========|_|==============|___/=/_/_/_/
ebay_1  |  :: Spring Boot ::                (v2.6.9)
ebay_1  |
ebay_1  | 2022-08-30 09:55:28.248  INFO 8 --- [           main] c.ebay.signaturevalidation.Application   : Starting Application v1.0.0-SNAPSHOT using Java 11.0.16 on 490c295d0c41 with PID 8 (/home/nouser/signaturevalidation-1.0.0-SNAPSHOT.jar started by nobody in /home/nouser)
ebay_1  | 2022-08-30 09:55:28.252  INFO 8 --- [           main] c.ebay.signaturevalidation.Application   : No active profile set, falling back to 1 default profile: "default"
ebay_1  | 2022-08-30 09:55:29.334  INFO 8 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
ebay_1  | 2022-08-30 09:55:29.349  INFO 8 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
ebay_1  | 2022-08-30 09:55:29.349  INFO 8 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.64]
ebay_1  | 2022-08-30 09:55:29.432  INFO 8 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
ebay_1  | 2022-08-30 09:55:29.432  INFO 8 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1092 ms
ebay_1  | 2022-08-30 09:55:30.085  INFO 8 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''
ebay_1  | 2022-08-30 09:55:30.093  INFO 8 --- [           main] c.ebay.signaturevalidation.Application   : Started Application in 2.348 seconds (JVM running for 2.744)
ebay_1  | 2022-08-30 09:55:43.269  INFO 8 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
ebay_1  | 2022-08-30 09:55:43.270  INFO 8 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
ebay_1  | 2022-08-30 09:55:43.272  INFO 8 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 2 ms
$ curl --location --request POST 'http://localhost:8083/verifysignature' \
> --header 'Content-Type: application/json' \
> --header 'Signature-Input: sig1=("content-digest" "x-ebay-signature-key" "@method" "@path" "@authority");created=1658440308' \
> --header 'Content-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:' \
> --header 'Signature: sig1=:ZMUpAejnqrt6POSx02ltx3cT9YODV2r+Cem/BKOagDSfztKOtCsjP/MxZqmY+FVJ3/8E4BL76T9Fjty8oJnsAw==:' \
> --header 'x-ebay-signature-key: eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiSXh2dVRMb0FLS0hlS0Zoa3BxQ05CUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiaFd3YjNoczk2QzEyOTNucCJ9.2o02pR9SoTF4g_5qRXZm6tF4H52TarilIAKxoVUqjd8.3qaF0KJN-rFHHm_P.AMUAe9PPduew09mANIZ-O_68CCuv6EIx096rm9WyLZnYz5N1WFDQ3jP0RBkbaOtQZHImMSPXIHVaB96RWshLuJsUgCKmTAwkPVCZv3zhLxZVxMXtPUuJ-ppVmPIv0NzznWCOU5Kvb9Xux7ZtnlvLXgwOFEix-BaWNomUAazbsrUCbrp514GIea3butbyxXLNi6R9TJUNh8V2uan-optT1MMyS7eMQnVGL5rYBULk.9K5ucUqAu0DqkkhgubsHHw' \
> --data-raw '{"hello": "world"}'
Signature invalid

uherberg commented 1 year ago

@gwharton Sorry that I just saw your response now. Let me reopen this and look into it.

uherberg commented 1 year ago

@gwharton I figured out what the problem is. You changed the port from 8080 to 8083; but the port is covered in the signature as part of the "authority" pseudo header. You will have to recalculate the signature to cover the updated authority. (or run it on port 8080 if you would like to use the exact same signature)
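The diagnosis above can be checked by rebuilding the HTTP Message Signatures signature base (RFC 9421) that the verifier signs over: `@authority` is derived from the request URL, so the base for port 8083 differs from the one for 8080 and the signature published for 8080 can no longer match. The example below is added here and is not the eBay project's code; it rebuilds the signature base and checks the Content-Digest header, while the `x-ebay-signature-key` value is a constructed placeholder and the final Ed25519 check of the Signature header is left out because the public key is not on the page.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

def derive_authority(url):
    """@authority per RFC 9421: host, plus the port when it is not the scheme default."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}[u.scheme]
    return u.hostname if u.port in (None, default) else f"{u.hostname}:{u.port}"

def signature_base(url, method, headers, signature_input):
    """Rebuild the signature base from the value after 'sig1=' in Signature-Input,
    e.g. ("content-digest" "@authority");created=1658440308"""
    inner, _, _params = signature_input.partition(")")
    components = re.findall(r'"([^"]+)"', inner)
    lowered = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in components:
        if name == "@method":
            value = method.upper()
        elif name == "@path":
            value = urlsplit(url).path or "/"
        elif name == "@authority":
            value = derive_authority(url)
        else:
            value = lowered[name].strip()   # KeyError = covered header is missing
        lines.append(f'"{name}": {value}')
    lines.append(f'"@signature-params": {signature_input}')
    return "\n".join(lines)

def content_digest_matches(body, content_digest_header):
    """Check Content-Digest (RFC 9530) sha-256 against the raw body in constant time."""
    m = re.fullmatch(r"sha-256=:([A-Za-z0-9+/]+={0,2}):", content_digest_header.strip())
    if not m:
        return False
    return hmac.compare_digest(hashlib.sha256(body).digest(), base64.b64decode(m.group(1)))

# Values copied from the issue's curl command; the JWE key header is a constructed placeholder.
BODY = b'{"hello": "world"}'
HEADERS = {
    "Content-Digest": "sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:",
    "x-ebay-signature-key": "PLACEHOLDER-JWE-FROM-THE-ISSUE",
}
SIG_INPUT = '("content-digest" "x-ebay-signature-key" "@method" "@path" "@authority");created=1658440308'

if __name__ == "__main__":
    for port in (8080, 8083):
        print(f"--- @authority for port {port} ---")
        print(signature_base(f"http://localhost:{port}/verifysignature", "POST", HEADERS, SIG_INPUT))
```

Any change to a covered component (here the port inside `@authority`) yields a different base, so the same Signature value cannot verify against both.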