Validating signed requests in C#
I'm trying to validate incoming signed requests in my C# server.
The requests come from a social platform (Naver).
All I get from them is a certificate (below).
I'm using DevDefinedOAuth:
http://code.google.com/p/devdefined-tools/
They have a wiki article on this subject:
http://code.google.com/p/devdefined-tools/wiki/OAuthSignatureValidation
And here's my code:

    using System;
    using System.Collections.Specialized;
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    using DevDefined.OAuth.Framework;
    using DevDefined.OAuth.Framework.Signing;

    public static bool isValidRequest2( HttpListenerRequest request )
    {
        // Naver's public certificate (PEM), elided here; only its public key is used for RSA-SHA1.
        X509Certificate2 cert = new X509Certificate2();
        cert.Import( Encoding.ASCII.GetBytes(
            @"-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" ) );

        OAuthContext context = new OAuthContext
        {
            //RawUri = request.Url,
            RawUri = CleanUri( request.Url ),   // CleanUri: caller-defined helper, not shown in the post
            Cookies = new NameValueCollection(),
            Headers = request.Headers,
            RequestMethod = request.HttpMethod,
            FormEncodedParameters = new NameValueCollection(),
            QueryParameters = new NameValueCollection( request.QueryString )
        };

        // do I need to set them manually?.. let's try..
        context.ConsumerKey = request.QueryString[ "oauth_consumer_key" ];
        context.Timestamp = request.QueryString[ "oauth_timestamp" ];
        context.Nonce = request.QueryString[ "oauth_nonce" ];
        context.Signature = request.QueryString[ "oauth_signature" ];

        var signer = new OAuthContextSigner();
        SigningContext signingContext = new SigningContext();
        // use context.ConsumerKey to fetch information required for signature validation for this consumer.
        signingContext.Algorithm = cert.PublicKey.Key;   // RSA public key taken from the certificate
        //signingContext.ConsumerSecret; // if there is a consumer secret

        // Only the signature is checked here; timestamp freshness and nonce reuse are not.
        return ( signer.ValidateSignature( context, signingContext ) );
    }
And here's a sample request (I changed the URL a bit for security reasons):

Url: http://www.maxmax.co.cc:7677/?oauth_signature=b58RqdQ0Atnrvvy6Qi81BRv1fhmXIQEl3hY++Wi7kiinSOhWq7mluhsapEi/GvCUG6RjrYVowwTcoiMqqmVCasFlON7zU7Yyi8nOUAoClpoft0BXbT5xyNUmLOxTk47tmjWVMLniaOieVUEQLwP2yycH6hiWkf2gFWGsu9LHZbE=&oauth_nonce=14611349243983507&oauth_version=1.0&oauth_body_hash=2jmj7l5rSw0yVb/vlWAYkK/YBwk=&oauth_signature_method=RSA-SHA1&oauth_consumer_key=naver.com&xoauth_signature_publickey=http://nsocialcontainer.com/server/naver_socialapp_public.cer&xoauth_public_key=http://nsocialcontainer.com/server/naver_socialapp_public.cer&opensocial_owner_id=1400000000010946792&opensocial_app_id=25992&oauth_timestamp=1296334075
HttpMethod: GET
UserAgent: Jakarta Commons-HttpClient/3.1

QueryString
- oauth_signature: b58RqdQ0Atnrvvy6Qi81BRv1fhmXIQEl3hY++Wi7kiinSOhWq7mluhsapEi/GvCUG6RjrYVowwTcoiMqqmVCasFlON7zU7Yyi8nOUAoClpoft0BXbT5xyNUmLOxTk47tmjWVMLniaOieVUEQLwP2yycH6hiWkf2gFWGsu9LHZbE=
- oauth_nonce: 14611349243983507
- oauth_version: 1.0
- oauth_body_hash: 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
- oauth_signature_method: RSA-SHA1
- oauth_consumer_key: naver.com
- xoauth_signature_publickey: http://nsocialcontainer.com/server/naver_socialapp_public.cer
- xoauth_public_key: http://nsocialcontainer.com/server/naver_socialapp_public.cer
- opensocial_owner_id: 1400000000010946792
- opensocial_app_id: 25992
- oauth_timestamp: 1296334075

Headers
- X-Forwarded-For: 61.75.38.242
- X-shindig-dos: on
- Accept-Encoding: gzip, deflate
- Host: www.maxmax.co.cc:7677
- body: ""
I get no error messages and no exceptions, but isValidRequest2() always returns 'false', even with valid requests.
I must be using it wrong.
Any help will be greatly appreciated!
If you have any questions about this question, please ask.
Thanks!
What version of the library are you using? Perhaps try building from source off GitHub here, if you haven't already:
https://github.com/bittercoder/DevDefined.OAuth
Also, it's worth noting that some OpenSocial platform implementations return URLs with additional ampersands (such as Friendster used to); see the bottom of this blog post for details:
http://blog.bittercoder.com/PermaLink,guid,4f387bde-7ed6-480b-952b-bbc0ead9ebfb.aspx
If you are still having trouble, could you provide a link to a full example of your consumer code (I suggest creating a gist: https://gist.github.com/gists)? That would be really helpful in understanding what the problem is.
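The check that the question and the answer are both about, as an added example that is not part of the original post and does not use DevDefined.OAuth: it builds the RFC 5849 signature base string by hand (HTTP method, normalized base URI, sorted percent-encoded parameters with oauth_signature left out), verifies the RSA-SHA1 signature against a public key, and then checks oauth_body_hash, a timestamp window and one-time nonces, none of which the posted isValidRequest2() does. The RSA key pair, the request URL (modelled on the sample above, with a trailing "&&" standing in for the stray ampersands the answer mentions), the 300-second clock skew and the in-memory nonce set are all constructed for this example; with Naver's certificate you would pass cert.GetRSAPublicKey() to Verify instead of the generated key.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the post or from DevDefined.OAuth): OAuth 1.0 RSA-SHA1 request verification
// per RFC 5849 with the signature base string built by hand. The key pair is generated on the fly and
// stands in for Naver's certificate; with the real one, pass cert.GetRSAPublicKey() to Verify.
public static class OAuthRsaSha1
{
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
    // RFC 3986 percent-encoding: unreserved bytes pass through, everything else becomes %XX (uppercase hex).
    public static string Encode(string s)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
            if (b < 128 && Unreserved.IndexOf((char)b) >= 0) sb.Append((char)b); else sb.Append('%').Append(b.ToString("X2"));
        return sb.ToString();
    }
    // Form-urlencoded decoding (RFC 5849 3.4.1.3.1): '+' is a space, %XX is a byte, so a raw '+' inside
    // oauth_signature (as in the sample request above) is lost; a conforming signer sends %2B.
    static string Decode(string s) { return Uri.UnescapeDataString(s.Replace('+', ' ')); }
    // Split a raw query into name/value pairs. Empty segments are skipped, one way to tolerate the stray
    // ampersands ("a=1&&b=2") that the answer says some OpenSocial containers emit.
    public static List<KeyValuePair<string, string>> ParseQuery(string query)
    {
        var pairs = new List<KeyValuePair<string, string>>();
        foreach (string seg in query.TrimStart('?').Split('&'))
        {
            if (seg.Length == 0) continue;
            int eq = seg.IndexOf('=');
            pairs.Add(new KeyValuePair<string, string>(Decode(eq < 0 ? seg : seg.Substring(0, eq)),
                                                       Decode(eq < 0 ? "" : seg.Substring(eq + 1))));
        }
        return pairs;
    }
    // RFC 5849 3.4.1.2: lowercase scheme and host, default port dropped, no query or fragment.
    public static string BaseStringUri(Uri u)
    {
        string scheme = u.Scheme.ToLowerInvariant();
        bool defaultPort = (scheme == "http" && u.Port == 80) || (scheme == "https" && u.Port == 443);
        return scheme + "://" + u.Host.ToLowerInvariant() + (defaultPort ? "" : ":" + u.Port) + u.AbsolutePath;
    }
    // RFC 5849 3.4.1: METHOD & enc(base URI) & enc(sorted "k=v&k=v" list, oauth_signature excluded).
    public static string SignatureBaseString(string method, Uri url, IEnumerable<KeyValuePair<string, string>> ps)
    {
        string normalized = string.Join("&", ps.Where(p => p.Key != "oauth_signature")
            .Select(p => new KeyValuePair<string, string>(Encode(p.Key), Encode(p.Value)))
            .OrderBy(p => p.Key, StringComparer.Ordinal).ThenBy(p => p.Value, StringComparer.Ordinal)
            .Select(p => p.Key + "=" + p.Value));
        return method.ToUpperInvariant() + "&" + Encode(BaseStringUri(url)) + "&" + Encode(normalized);
    }
    static long UnixNow() { return (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds; }

    // Server side: signature method, clock window, body hash (when sent), signature, then the one-time nonce.
    // The nonce is recorded only after the signature verifies, so forged requests cannot burn nonces.
    public static bool Verify(string method, Uri url, RSA publicKey, byte[] body, int skewSeconds, ISet<string> seenNonces)
    {
        var ps = ParseQuery(url.Query);
        Func<string, string> param = k => ps.Where(p => p.Key == k).Select(p => p.Value).FirstOrDefault();
        string sigB64 = param("oauth_signature"), nonce = param("oauth_nonce"), tsText = param("oauth_timestamp");
        long ts;
        if (param("oauth_signature_method") != "RSA-SHA1" || sigB64 == null || nonce == null) return false;
        if (!long.TryParse(tsText, out ts) || Math.Abs(UnixNow() - ts) > skewSeconds) return false;
        string bodyHash = param("oauth_body_hash");
        if (bodyHash != null)
            using (var sha1 = SHA1.Create())
                if (bodyHash != Convert.ToBase64String(sha1.ComputeHash(body))) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(sigB64); } catch (FormatException) { return false; }
        byte[] data = Encoding.ASCII.GetBytes(SignatureBaseString(method, url, ps));
        if (!publicKey.VerifyData(data, sig, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1)) return false;
        return seenNonces.Add(tsText + ":" + nonce);   // Add returns false for a nonce seen before: a replay
    }

    // Container side, included only so the example runs stand-alone.
    public static string Sign(string method, Uri url, RSA privateKey)
    {
        byte[] data = Encoding.ASCII.GetBytes(SignatureBaseString(method, url, ParseQuery(url.Query)));
        return Convert.ToBase64String(privateKey.SignData(data, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1));
    }

    public static void Main()
    {
        using (RSA rsa = RSA.Create())
        {
            // Constructed request modelled on the sample above; the body hash is SHA-1 of an empty body.
            string unsignedUrl = "http://www.maxmax.co.cc:7677/?oauth_consumer_key=naver.com&oauth_signature_method=RSA-SHA1"
                + "&oauth_version=1.0&oauth_timestamp=" + UnixNow() + "&oauth_nonce=" + Guid.NewGuid().ToString("N")
                + "&oauth_body_hash=" + Encode("2jmj7l5rSw0yVb/vlWAYkK/YBwk=") + "&opensocial_app_id=25992&&";
            string signedUrl = unsignedUrl + "&oauth_signature=" + Encode(Sign("GET", new Uri(unsignedUrl), rsa));
            var nonces = new HashSet<string>();
            Console.WriteLine(Verify("GET", new Uri(signedUrl), rsa, new byte[0], 300, nonces));   // genuine request
            Console.WriteLine(Verify("GET", new Uri(signedUrl), rsa, new byte[0], 300, nonces));   // same nonce again
            Console.WriteLine(Verify("GET", new Uri(signedUrl.Replace("25992", "25993")), rsa, new byte[0], 300, nonces));
        }
    }
}
```

Of the three Verify calls in Main only the first should pass: the second presents the same nonce again, and the third has a signed parameter altered, which changes the base string. Two design points worth carrying over to a real server: feed the verifier the raw request.Url rather than the already-decoded request.QueryString collection, so that a single set of decoding rules decides what '+' and '%XX' mean before the base string is rebuilt; and treat a request whose signature matches but whose timestamp is outside the window or whose nonce repeats as a replay, not as a valid request.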