piypet_0 asked ·

How to do verification for the Notification API on a PHP project.

I implemented the 'account deletion notification' on a PHP project.


I got the public key from getPublicKey but I cannot verify it as in the manual validation.


Manual validation

The following procedure can be used to manually process the notification and validate the message payload integrity:

  1. Use a Base64 function to decode the X-EBAY-SIGNATURE header and retrieve the public key ID and the signature. -- Done
  2. Call the getPublicKey Notification API method, passing in the public key ID ("kid") retrieved from the decoded signature header. -- Done
  3. Initialize the cryptographic library to perform the verification with the public key that is returned from the getPublicKey method.


Please advise how to proceed on step 3.


Thanks in advance

notifications api

1 Answer

dimmi answered ·

I would use the openssl_verify function with code like this:

<?php
// Read the raw body once and keep it: the signature must be checked over the
// exact bytes eBay sent, not over a re-encoded copy (json_encode does not
// guarantee byte-for-byte identical output).
$rawBody = file_get_contents('php://input');
$message = json_decode($rawBody, true);
if (!$message) {
    throw new Exception('Invalid message');
}

if (empty($_SERVER['HTTP_X_EBAY_SIGNATURE'])) {
    throw new Exception('No signature passed');
}
// The header lives in $_SERVER; PHP has no $_HEADER superglobal.
$signature = json_decode(base64_decode($_SERVER['HTTP_X_EBAY_SIGNATURE']), true) ?: [];
if (empty($signature['kid']) || empty($signature['signature'])) {
    throw new Exception('Signature not decoded');
}

// $client is your Notification API client wrapper that calls getPublicKey
// and returns the decoded JSON response as an array.
$publicKey = $client->getPublicKey($signature['kid']);
if (empty($publicKey['key'])) {
    throw new Exception(
        'getPublicKey response: ' . json_encode($publicKey) . ' for signature ' . $signature['kid']
    );
}

if ($publicKey['algorithm'] !== 'ECDSA' || $publicKey['digest'] !== 'SHA1') {
    throw new Exception('Unsupported encryption algorithm/digest');
}

// getPublicKey returns the PEM on a single line; openssl needs the base64
// body wrapped at 64 characters between the BEGIN/END markers.
if (preg_match('/^-----BEGIN PUBLIC KEY-----(.+)-----END PUBLIC KEY-----$/', $publicKey['key'], $matches)) {
    $key = "-----BEGIN PUBLIC KEY-----\n"
        . implode("\n", str_split($matches[1], 64))
        . "\n-----END PUBLIC KEY-----";
} else {
    throw new Exception('Invalid key');
}

$verificationResult = openssl_verify(
    $rawBody,
    base64_decode($signature['signature']),
    $key,
    OPENSSL_ALGO_SHA1
);

// openssl_verify returns 1 on success, 0 on a bad signature and -1 on error;
// only an exact 1 is accepted.
if ($verificationResult === 1) {
    echo 'OK';
} else {
    throw new Exception('Verification failure', 412);
}
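Step 3 of the manual validation procedure from the question, and the answer above, both come down to the same operation: rebuild a usable PEM from the getPublicKey response and hand the raw body, the decoded signature and that key to openssl_verify. The following is an added, self-contained example (not code from the question, the answer or eBay) that wraps this in a function and includes an offline self-test. It assumes the getPublicKey response has the fields key, algorithm and digest as used in the answer, that the decoded header JSON carries kid and signature, and that the key arrives as a single-line PEM; the EC key, payload and kid in the self-test are constructed locally so the file runs without network access.

```php
<?php
declare(strict_types=1);

// Rewrap a possibly single-line "-----BEGIN PUBLIC KEY-----" PEM so openssl accepts it.
// Returns null when the markers are missing or the body is empty.
function normalizePublicKeyPem(string $key): ?string
{
    if (!preg_match('/-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----/s', $key, $m)) {
        return null;
    }
    $body = preg_replace('/\s+/', '', $m[1]);
    if ($body === '') {
        return null;
    }
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split($body, 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// Verify a notification. $rawBody is the exact request body, $signatureHeader the raw
// X-EBAY-SIGNATURE value, $publicKeyResponse the decoded getPublicKey response (assumed
// shape: key, algorithm, digest). Every failure path returns false rather than throwing,
// so the caller can answer the webhook with a 4xx and log the reason.
function verifyEbayNotification(string $rawBody, string $signatureHeader, array $publicKeyResponse): bool
{
    $decodedHeader = base64_decode($signatureHeader, true);
    if ($decodedHeader === false) {
        return false;
    }
    $sig = json_decode($decodedHeader, true);
    if (!is_array($sig) || empty($sig['kid']) || empty($sig['signature'])) {
        return false;
    }
    $rawSignature = base64_decode($sig['signature'], true);
    if ($rawSignature === false) {
        return false;
    }

    // Only the algorithm/digest pairs we know how to verify are accepted.
    $digests = ['SHA1' => OPENSSL_ALGO_SHA1, 'SHA256' => OPENSSL_ALGO_SHA256];
    $algorithm = strtoupper((string) ($publicKeyResponse['algorithm'] ?? ''));
    $digest = strtoupper((string) ($publicKeyResponse['digest'] ?? ''));
    if ($algorithm !== 'ECDSA' || !isset($digests[$digest])) {
        return false;
    }

    $pem = normalizePublicKeyPem((string) ($publicKeyResponse['key'] ?? ''));
    if ($pem === null) {
        return false;
    }
    $publicKey = openssl_pkey_get_public($pem);
    if ($publicKey === false) {
        return false;
    }
    // 1 = valid, 0 = signature does not match, -1 = openssl error; only 1 is success.
    return openssl_verify($rawBody, $rawSignature, $publicKey, $digests[$digest]) === 1;
}

// Offline self-test: generate a P-256 key, sign a constructed payload, present the public
// key the way the API does (single line) and check both the good and a tampered body.
function selfTest(): bool
{
    $private = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
    $publicPem = openssl_pkey_get_details($private)['key'];

    $body = json_encode(['metadata' => ['topic' => 'CONSTRUCTED_TEST_TOPIC'],
                         'notification' => ['notificationId' => 'constructed-id-1']]);
    openssl_sign($body, $rawSignature, $private, OPENSSL_ALGO_SHA1);
    $header = base64_encode(json_encode(['kid' => 'constructed-kid', 'signature' => base64_encode($rawSignature)]));
    $apiResponse = ['key' => str_replace("\n", '', $publicPem), 'algorithm' => 'ECDSA', 'digest' => 'SHA1'];

    $valid    = verifyEbayNotification($body, $header, $apiResponse);
    $tampered = verifyEbayNotification($body . ' ', $header, $apiResponse);
    $badHead  = verifyEbayNotification($body, 'not-base64!', $apiResponse);
    return $valid && !$tampered && !$badHead;
}

echo selfTest() ? "self-test passed\n" : "self-test FAILED\n";
```

In the real handler you would pass file_get_contents('php://input'), $_SERVER['HTTP_X_EBAY_SIGNATURE'] and the getPublicKey response for the kid from the header into verifyEbayNotification, and cache the key per kid so a burst of notifications does not turn into a burst of API calls.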

