Shopify C＃HMAC SHA256 OAuth验证-Java 学习之路

我正在尝试在OAUTH请求期间验证Shopify HMAC，并且我生成的哈希与作为请求的一部分提供的哈希不匹配 .

我发现了一些其他线程，但它们是either outdated，因为文档现在声明它使用GET请求而不是POST，或者在java中使用unanswered .

我的C＃代码如下：

string key = "mysecretkey";

string message = string.Format("shop={0}&timestamp={1}", shop, timestamp);

System.Text.ASCIIEncoding encoding = new ASCIIEncoding();

byte[] keyBytes = encoding.GetBytes(key);

byte[] messageBytes = encoding.GetBytes(message);

System.Security.Cryptography.HMACSHA256 cryptographer = new System.Security.Cryptography.HMACSHA256(keyBytes);

byte[] bytes = cryptographer.ComputeHash(messageBytes);

string digest = BitConverter.ToString(bytes).Replace("-", "");

bool valid = digest == hmac.ToUpper();

我'm guessing the message is being built incorrectly but I'跟着official documentation没有运气 .

有人可以帮忙吗？

3 回答

您在不使用密钥的情况下计算HMAC .

文档说明您应该使用共享密钥生成HMAC摘要 . 没有密钥的HMAC值的含义是什么？如果Shopify没有使用您和他们之间的预共享密钥来计算HMAC，任何人都可以模仿shopify服务器 .

以下代码块来自文档：

digest = OpenSSL::Digest.new('sha256')
secret = "hush"
message = "shop=some-shop.myshopify.com&timestamp=1337178173"

digest = OpenSSL::HMAC.hexdigest(digest, secret, message)
digest == "2cb1a277650a659f1b11e92a4a64275b128e037f2c3390e3c8fd2d8721dac9e2"

因此，在计算Hash之前尝试 cryptographer.Key = keyBytes;

byte[] keyBytes = encoding.GetBytes(key);

byte[] messageBytes = encoding.GetBytes(message);

System.Security.Cryptography.HMACSHA256 cryptographer = new System.Security.Cryptography.HMACSHA256(keyBytes);

cryptographer.Key = keyBytes;

byte[] bytes = cryptographer.ComputeHash(messageBytes);

回复于 2024-05-02T10:59:25+08:00

好吧，Shopify的开发人员回答了我的答案 . 看来除了签名和hmac之外，你需要按字母顺序散列查询字符串的 entire 内容 . 我有自己的参数（rlr）我正在添加以及文档（状态）中未提及的参数 .

string message = "";// "code=7af66fd73427a1634cee3103297230b8&rlr=9DFD5EA9-7747-4142-97D9-2D44BBA442F1&shop=appswiz.myshopify.com&state=fa992b8f-762e-4813-b707-6044e71ad3b5&timestamp=1448856806";
        message = "code=xxxxxxxx";
        message += "&rlr=xxxxx";
        message += "&shop=xxx.myshopify.com";
        message += "&state=xxxxxxxx";
        message += "&timestamp=1449111190";
        hmac = "xxxxxxx";
        System.Text.ASCIIEncoding encoding = new ASCIIEncoding();
        byte[] keyBytes = encoding.GetBytes(key);
        byte[] messageBytes = encoding.GetBytes(message);
        System.Security.Cryptography.HMACSHA256 cryptographer = new System.Security.Cryptography.HMACSHA256(keyBytes);

        byte[] bytes = cryptographer.ComputeHash(messageBytes);

        string digest = BitConverter.ToString(bytes).Replace("-", "");
        return digest == hmac.ToUpper();

这现在有效 .

回复于 2024-05-02T10:59:25+08:00

使用Guy Lowe的回答我最近得到了这个工作：

public bool ValidateShopifyHmac(string hmacHeader, string localData, string apiSecret) {
        var ascii = new ASCIIEncoding();
        var secretBytes = ascii.GetBytes(apiSecret);
        var cryptographer = new System.Security.Cryptography.HMACSHA256(secretBytes);
        var messageBytes = ascii.GetBytes(localData);
        var hashedMessage = cryptographer.ComputeHash(messageBytes);
        var digest = BitConverter.ToString(hashedMessage).Replace("-", "");
        return digest == hmacHeader.ToUpper();
    }

回复于 2024-05-02T10:59:25+08:00

Shopify C＃HMAC SHA256 OAuth验证

3 回答

相关问题