crutchfield_electronics asked

Verify ebay is sending notification (manual implementation)

I'm taking the x-ebay-signature value from the header to retrieve the public key and signature, then using the public key, signature, and payload message to validate that eBay is the sender of the notification. Here is my code to perform this:

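 /// <summary>
 /// Verifies an ECDSA signature over <paramref name="payload"/> using a base64-encoded
 /// SubjectPublicKeyInfo public key.
 /// </summary>
 /// <param name="signature">Base64 signature, encoded either as IEEE P1363 (r || s) or as an ASN.1 DER SEQUENCE of r and s.</param>
 /// <param name="payload">Signed message. It is hashed as its UTF-8 bytes, so it must be byte-for-byte the text the sender signed.</param>
 /// <param name="publickey">Base64 X.509 SubjectPublicKeyInfo of the signer's EC public key.</param>
 /// <returns><c>true</c> only when the signature verifies; <c>false</c> for a bad signature or for malformed or missing input.</returns>
 public static bool VerifyData(string signature, string payload, string publickey)
        {
            try
            {
                byte[] keyBytes = Convert.FromBase64String(publickey);
                byte[] signatureBytes = Convert.FromBase64String(signature);
                byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);

                // ECDsa owns a native key handle, so release it deterministically.
                using (ECDsa ecdsa = ECDsa.Create())
                {
                    ecdsa.ImportSubjectPublicKeyInfo(new ReadOnlySpan<byte>(keyBytes), out _);

                    // The digest stays pinned in code (SHA-1, the value the sender declares) instead of
                    // being read from the notification header, which arrives with the untrusted request.
                    // The overload without a format argument accepts only IEEE P1363 (r || s).
                    // A DER-encoded signature (first byte 0x30) is rejected by it even when it is valid,
                    // so the DER form is tried as well.
                    return ecdsa.VerifyData(payloadBytes, signatureBytes, HashAlgorithmName.SHA1)
                        || ecdsa.VerifyData(payloadBytes, signatureBytes, HashAlgorithmName.SHA1, DSASignatureFormat.Rfc3279DerSequence);
                }
            }
            catch (Exception e) when (e is CryptographicException || e is FormatException || e is ArgumentNullException)
            {
                // Malformed base64, a missing argument or an unusable key is a failed verification,
                // not a crash: this method is fed values taken from an incoming request.
                Console.WriteLine(e.Message);
                return false;
            }
        }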
 static void Main(string[] args)
        {
            string messagepayloadMaybe = "{metadata:{topic:MARKETPLACE_ACCOUNT_DELETION,schemaVersion:1.0,deprecated:false},notification:{notificationId:49feeaeb-4982-42d9-a377-9645b8479411_33f7e043-fed8-442b-9d44-791923bd9a6d,eventDate:2021-03-19T20:43:59.462Z,publishDate:2021-03-19T20:43:59.679Z,publishAttemptCount:1,data:{username:test_user,userId:ma8vp1jySJC,eiasToken:nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wJnY+gAZGEpwmdj6x9nY+seQ==}}}";
           //X-ebay-signature in the header  = ebayid
            // string ebayId = "eyJhbGciOiJlY2RzYSIsImtpZCI6Ijk5MzYyNjFhLTdkN2ItNDYyMS1hMGYxLTk2Y2NiNDI4YWY0OSIsInNpZ25hdHVyZSI6Ik1FWUNJUUNmeGZJV3V4bVdjSUJRSjljNS9YN2lHREpxczJSQ0dzQkVhQWppbnlycmZBSWhBSVY2d0djVGlCdVY1S0pVaWYyaG9reXJMK1E5c3NIa2FkK214Mm5FRTI1dyIsImRpZ2VzdCI6IlNIQTEifQ==";
            // when ebayid is decoded it contains the KID (use for getting the public key) and the signature
            //{alg:ecdsa,kid:9936261a-7d7b-4621-a0f1-96ccb428af49,signature:MEYCIQCfxfIWuxmWcIBQJ9c5/X7iGDJqs2RCGsBEaAjinyrrfAIhAIV6wGcTiBuV5KJUif2hokyrL+Q9ssHkad+mx2nEE25w,digest:SHA1}


            string publickey ="MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZhhxXKtR+TOvtDbgTPCkSof02qgBB7IsYOyf76ilExJ/upAa/vKIKheOoCyOpcLmi4t0b4uepb7LLjmMr90FUg==";           
            string signature = "MEYCIQCfxfIWuxmWcIBQJ9c5/X7iGDJqs2RCGsBEaAjinyrrfAIhAIV6wGcTiBuV5KJUif2hokyrL+Q9ssHkad+mx2nEE25w";       


            Class1.VerifyData(signature, messagepayloadMaybe, publickey);
        }

My call to VerifyData returns false:

 // NOTE(review): this three-argument overload accepts only the IEEE P1363 (r || s) signature encoding.
 // The base64 signature in this post starts with "MEYC", i.e. bytes 30 46 02, which is an ASN.1 DER SEQUENCE,
 // so the encoding mismatch alone would make this call return false. Confirm with the overload that
 // takes DSASignatureFormat.Rfc3279DerSequence (.NET 5+).
 var verified = ecdsaVerify.VerifyData(decodedPayLoad, decodedSignature, HashAlgorithmName.SHA1);

Do I have the right payload? Am I using the right encoding/decoder?

verifydata