eBay / digital-signature-verification-ebay-api

Verification of digital signatures for use by developers sending HTTP requests to eBay's APIs
Apache License 2.0

Docker test image results in Invalid Signature using test data #7

Closed gwharton closed 2 years ago

gwharton commented 2 years ago

Still unable to validate test signature provided by eBay

docker-compose.yml

version: '3.8'

services:
  ebay:
    image: "ebay/digital-signature-verification-ebay-api:latest"
    ports:
      - "8083:8080"

docker-compose up

[+] Running 1/0
 - Container ebay-ebay-1  Created  0.1s
Attaching to ebay-ebay-1
ebay-ebay-1  | 
ebay-ebay-1  |   .   ____          _            __ _ _
ebay-ebay-1  |  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
ebay-ebay-1  | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
ebay-ebay-1  |  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
ebay-ebay-1  |   '  |____| .__|_| |_|_| |_\__, | / / / /
ebay-ebay-1  |  =========|_|==============|___/=/_/_/_/
ebay-ebay-1  |  :: Spring Boot ::                (v2.6.9)
ebay-ebay-1  | 
ebay-ebay-1  | 2022-09-14 08:25:11.106  INFO 8 --- [           main] c.ebay.signaturevalidation.Application   : Starting Application v1.0.0-SNAPSHOT using Java 11.0.16 on 23277c8f8947 with PID 8 (/home/nouser/signaturevalidation-1.0.0-SNAPSHOT.jar started by nobody in /home/nouser)
ebay-ebay-1  | 2022-09-14 08:25:11.110  INFO 8 --- [           main] c.ebay.signaturevalidation.Application   : No active profile set, falling back to 1 default profile: "default"
ebay-ebay-1  | 2022-09-14 08:25:12.316  INFO 8 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
ebay-ebay-1  | 2022-09-14 08:25:12.343  INFO 8 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
ebay-ebay-1  | 2022-09-14 08:25:12.344  INFO 8 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.64]
ebay-ebay-1  | 2022-09-14 08:25:12.500  INFO 8 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
ebay-ebay-1  | 2022-09-14 08:25:12.500  INFO 8 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1296 ms
ebay-ebay-1  | 2022-09-14 08:25:13.136  INFO 8 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''
ebay-ebay-1  | 2022-09-14 08:25:13.145  INFO 8 --- [           main] c.ebay.signaturevalidation.Application   : Started Application in 2.596 seconds (JVM running for 3.261)
ebay-ebay-1  | 2022-09-14 08:25:58.717  INFO 8 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
ebay-ebay-1  | 2022-09-14 08:25:58.717  INFO 8 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
ebay-ebay-1  | 2022-09-14 08:25:58.719  INFO 8 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 2 ms
ebay-ebay-1  | com.ebay.signaturevalidation.SignatureException: Signature invalid
ebay-ebay-1  |  at com.ebay.signaturevalidation.VerificationService.verifySignature(VerificationService.java:144)
ebay-ebay-1  |  at com.ebay.signaturevalidation.VerificationService.verifyMessage(VerificationService.java:52)
ebay-ebay-1  |  at com.ebay.signaturevalidation.VerificationInterceptor.preHandle(VerificationInterceptor.java:31)
ebay-ebay-1  |  at org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:148)
ebay-ebay-1  |  at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1062)
ebay-ebay-1  |  at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963)
ebay-ebay-1  |  at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
ebay-ebay-1  |  at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
ebay-ebay-1  |  at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
ebay-ebay-1  |  at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
ebay-ebay-1  |  at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
ebay-ebay-1  |  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
ebay-ebay-1  |  at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
ebay-ebay-1  |  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
ebay-ebay-1  |  at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
ebay-ebay-1  |  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
ebay-ebay-1  |  at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
ebay-ebay-1  |  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
ebay-ebay-1  |  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
ebay-ebay-1  |  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
ebay-ebay-1  |  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
ebay-ebay-1  |  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
ebay-ebay-1  |  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
ebay-ebay-1  |  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
ebay-ebay-1  |  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
ebay-ebay-1  |  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
ebay-ebay-1  |  at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
ebay-ebay-1  |  at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
ebay-ebay-1  |  at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
ebay-ebay-1  |  at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1787)
ebay-ebay-1  |  at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
ebay-ebay-1  |  at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
ebay-ebay-1  |  at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
ebay-ebay-1  |  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
ebay-ebay-1  |  at java.base/java.lang.Thread.run(Thread.java:829)

curl --location --request POST 'http://localhost:8083/verifysignature' \
--header 'Content-Type: application/json' \
--header 'Signature-Input: sig1=("content-digest" "x-ebay-signature-key" "@method" "@path" "@authority");created=1658440308' \
--header 'Content-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:' \
--header 'Signature: sig1=:ZMUpAejnqrt6POSx02ltx3cT9YODV2r+Cem/BKOagDSfztKOtCsjP/MxZqmY+FVJ3/8E4BL76T9Fjty8oJnsAw==:' \
--header 'x-ebay-signature-key: eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiSXh2dVRMb0FLS0hlS0Zoa3BxQ05CUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiaFd3YjNoczk2QzEyOTNucCJ9.2o02pR9SoTF4g_5qRXZm6tF4H52TarilIAKxoVUqjd8.3qaF0KJN-rFHHm_P.AMUAe9PPduew09mANIZ-O_68CCuv6EIx096rm9WyLZnYz5N1WFDQ3jP0RBkbaOtQZHImMSPXIHVaB96RWshLuJsUgCKmTAwkPVCZv3zhLxZVxMXtPUuJ-ppVmPIv0NzznWCOU5Kvb9Xux7ZtnlvLXgwOFEix-BaWNomUAazbsrUCbrp514GIea3butbyxXLNi6R9TJUNh8V2uan-optT1MMyS7eMQnVGL5rYBULk.9K5ucUqAu0DqkkhgubsHHw' \
--data-raw '{"hello": "world"}'
Signature invalid

glowruss commented 2 years ago

The demo signature in the README assumes that you're running the container on port 8080.

By changing the port number on the host to 8083, you're changing the @authority value to localhost:8083, which changes the correct signature value.

Run your docker container using port 8080, and the signature in the README will verify correctly. Otherwise, you'll need to calculate the correct signature for your request with the changed port number.

version: '3.8'

services:
  ebay:
    image: "ebay/digital-signature-verification-ebay-api:latest"
    ports:
      - "8080:8080"
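
The effect described in the reply above, as an added example that is not part of the thread or of eBay's code: it rebuilds the string a verifier signs over from the `Signature-Input` header in the curl command, once for port 8080 and once for port 8083. The line layout follows the HTTP Message Signatures (RFC 9421) signature base, which is an assumption about how the project serializes it, and the `x-ebay-signature-key` value is replaced by a placeholder.

```python
import re
from urllib.parse import urlsplit

# Values copied from the curl command in the issue. The signature-key header is a
# placeholder here: its content is identical in both requests being compared.
SIGNATURE_INPUT = ('sig1=("content-digest" "x-ebay-signature-key" "@method" '
                   '"@path" "@authority");created=1658440308')
HEADERS = {
    "content-digest": "sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:",
    "x-ebay-signature-key": "<JWE-PLACEHOLDER>",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_signature_input(value):
    """Split 'label=(components);params' into (label, component list, raw params)."""
    label, _, rest = value.partition("=")
    match = re.fullmatch(r'(\(([^)]*)\)(?:;.*)?)', rest)
    if not match:
        raise ValueError("malformed Signature-Input")
    return label, re.findall(r'"([^"]+)"', match.group(2)), match.group(1)


def authority(url):
    """Lower-cased host, plus the port unless it is the scheme default."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    if parts.port and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host += f":{parts.port}"
    return host


def signature_base(method, url, headers, signature_input):
    """Build the string that the signer signs and the verifier re-derives."""
    _, components, params = parse_signature_input(signature_input)
    derived = {"@method": method.upper(), "@path": urlsplit(url).path or "/",
               "@authority": authority(url)}
    lines = []
    for name in components:
        value = derived[name] if name.startswith("@") else headers[name].strip()
        lines.append(f'"{name}": {value}')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def differing_lines(base_a, base_b):
    """Return the (a, b) line pairs where two signature bases disagree."""
    return [(a, b) for a, b in zip(base_a.splitlines(), base_b.splitlines()) if a != b]


signed = signature_base("POST", "http://localhost:8080/verifysignature", HEADERS, SIGNATURE_INPUT)
received = signature_base("POST", "http://localhost:8083/verifysignature", HEADERS, SIGNATURE_INPUT)
```

`differing_lines(signed, received)` returns only the `"@authority"` pair; because the signature covers the whole base, that one changed line is enough for verification to fail.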

gwharton commented 2 years ago

AHH right. Gotcha. Makes perfect sense.