那些遇到过的问题

如何在PHP单元测试中获得与C#相同的HMAC256结果?

Cam*_*out 18 .net c# hash facebook cryptography

我以为我会尝试将新的签名请求逻辑添加到我的Facebook画布应用程序中,以使我自己"轻松"我在GitHub上访问facebook PHP sdk并查看单元测试.

我的实际问题是我无法获得请求中包含的哈希值,以匹配我使用应用程序机密计算的哈希值以及请求中发送的数据.

Facebook的身份验证页面中描述了这是如何工作.

private string VALID_SIGNED_REQUEST = "ZcZocIFknCpcTLhwsRwwH5nL6oq7OmKWJx41xRTi59E.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOiIxMjczMzU5NjAwIiwib2F1dGhfdG9rZW4iOiIyNTQ3NTIwNzMxNTJ8Mi5JX2VURmtjVEtTelg1bm8zakk0cjFRX18uMzYwMC4xMjczMzU5NjAwLTE2Nzc4NDYzODV8dUk3R3dybUJVZWQ4c2VaWjA1SmJkekdGVXBrLiIsInNlc3Npb25fa2V5IjoiMi5JX2VURmtjVEtTelg1bm8zakk0cjFRX18uMzYwMC4xMjczMzU5NjAwLTE2Nzc4NDYzODUiLCJ1c2VyX2lkIjoiMTY3Nzg0NjM4NSJ9";

private string NON_TOSSED_SIGNED_REQUEST = "laEjO-az9kzgFOUldy1G7EyaP6tMQEsbFIDrB1RUamE.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiJ9";

public void SignedRequestExample()
{
 var Encoding = new UTF8Encoding();

 string ApplicationSecret = "904270b68a2cc3d54485323652da4d14"; 

 string SignedRequest = VALID_SIGNED_REQUEST;
 string ExpectedSignature = SignedRequest.Substring(0, SignedRequest.IndexOf('.'));
 string Payload = SignedRequest.Substring(SignedRequest.IndexOf('.') + 1);

 // Back & Forth with Signature
 byte[] ActualSignature = FromUrlBase64String(ExpectedSignature);
 string TestSignature = ToUrlBase64String(ActualSignature);

 // Back & Forth With Data
 byte[] ActualPayload = FromUrlBase64String(Payload);
 string Json = Encoding.GetString(ActualPayload);
 string TestPayload = ToUrlBase64String(ActualPayload);

 // Attempt to get same hash
 var Hmac = SignWithHMAC(ActualPayload, Encoding.GetBytes(ApplicationSecret));
 var HmacBase64 = ToUrlBase64String(Hmac);            
 var HmacHex = BytesToHex(Hmac);

 if (HmacBase64 != ExpectedSignature)
 {
  // YAY
 }
 else
 {
  // BOO
 }
}

private static string BytesToHex(byte[] input)
{
 StringBuilder sb = new StringBuilder();

 foreach (byte b in input)
 {
  sb.Append(string.Format("{0:x2}", b));
 }
 return sb.ToString();
}
private string ToUrlBase64String(byte[] Input)
{
 return Convert.ToBase64String(Input).Replace("=", String.Empty).Replace('+', '-').Replace('/', '_');
}

// http://tools.ietf.org/html/rfc4648#section-5            
private byte[] FromUrlBase64String(string Base64UrlSafe)
{
 Base64UrlSafe = Base64UrlSafe.PadRight(Base64UrlSafe.Length + (4 - Base64UrlSafe.Length % 4) % 4, '=');
 Base64UrlSafe = Base64UrlSafe.Replace('-', '+').Replace('_', '/');
 return Convert.FromBase64String(Base64UrlSafe);
}

private byte[] SignWithHMAC(byte[] dataToSign, byte[] keyBody)
{
 using (var hmac = new HMACSHA256(keyBody))
 {
  hmac.ComputeHash(dataToSign);
  /*
  CryptoStream cs = new CryptoStream(System.IO.Stream.Null, hmac, CryptoStreamMode.Write);
  cs.Write(dataToSign, 0, dataToSign.Length);
  cs.Flush();
  cs.Close();
  byte[] hashResult = hmac.Hash;
  */
  return hmac.Hash;
 }
}

public string Base64ToHex(string input)
{
 StringBuilder sb = new StringBuilder();
 byte[] inputBytes = Convert.FromBase64String(input);
 foreach (byte b in inputBytes)
 {
  sb.Append(string.Format("{0:x2}", b));
 }
 return sb.ToString();
}
Run Code Online (Sandbox Code Playgroud)

回答谢谢下面的Rasmus,以帮助其他人在这里更新(清理代码): 

/// Example signed_request variable from PHPSDK Unit Testing
private string VALID_SIGNED_REQUEST = "ZcZocIFknCpcTLhwsRwwH5nL6oq7OmKWJx41xRTi59E.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOiIxMjczMzU5NjAwIiwib2F1dGhfdG9rZW4iOiIyNTQ3NTIwNzMxNTJ8Mi5JX2VURmtjVEtTelg1bm8zakk0cjFRX18uMzYwMC4xMjczMzU5NjAwLTE2Nzc4NDYzODV8dUk3R3dybUJVZWQ4c2VaWjA1SmJkekdGVXBrLiIsInNlc3Npb25fa2V5IjoiMi5JX2VURmtjVEtTelg1bm8zakk0cjFRX18uMzYwMC4xMjczMzU5NjAwLTE2Nzc4NDYzODUiLCJ1c2VyX2lkIjoiMTY3Nzg0NjM4NSJ9";

public bool ValidateSignedRequest()
{            
    string applicationSecret = "904270b68a2cc3d54485323652da4d14";
    string[] signedRequest = VALID_SIGNED_REQUEST.Split('.');            
    string expectedSignature = signedRequest[0];
    string payload = signedRequest[1];

    // Attempt to get same hash
    var Hmac = SignWithHmac(UTF8Encoding.UTF8.GetBytes(payload), UTF8Encoding.UTF8.GetBytes(applicationSecret));
    var HmacBase64 = ToUrlBase64String(Hmac);

    return (HmacBase64 == expectedSignature);           
}


private string ToUrlBase64String(byte[] Input)
{
    return Convert.ToBase64String(Input).Replace("=", String.Empty)
                                        .Replace('+', '-')
                                        .Replace('/', '_');
}

private byte[] SignWithHmac(byte[] dataToSign, byte[] keyBody)
{
    using (var hmacAlgorithm = new HMACSHA256(keyBody))
    {
        hmacAlgorithm.ComputeHash(dataToSign);
        return hmacAlgorithm.Hash;
    }
}
Run Code Online (Sandbox Code Playgroud)

Ras*_*ber 17

You are not supposed to base64-decode the payload before calculating the HMAC.

Use this line:

var Hmac = SignWithHMAC(Encoding.GetBytes(Payload), Encoding.GetBytes(ApplicationSecret));
Run Code Online (Sandbox Code Playgroud)

and it should work.

A few more pointers:

  • Instead of fiddling with Substring() and IndexOf() try using String.Split()
  • You have switched the YAY and BOO comments around
  • C#代码的可读性,如果你遵循开始局部变量的小写名称的一般规律(是这样的:var applicationSecret = "...";)

归档时间:

查看次数:

8569 次

最近记录:

14 年,2 月 前
相关归档
如何在C#中创建自己的事件? 116
用户控制,自定义控件和组件有什么区别? 79
创建重复元素的List <T>的最短方法 36
将二进制字符串转换为整数 35
Android Facebook SDK:生成发布密钥哈希 33
iPhone上的单声道? 19
是否有安全的加密算法,加密和解密可以按任何顺序进行? 4
如何删除 Facebook 中的测试应用程序? 1
Facebook JS SDK FB.Login()如何获得扩展权限? 0
Facebook api('/ me')没有验证 0
难疑归档
为什么减去这两次(在1927年)给出一个奇怪的结果? 6628
迭代HashMap 3244
使用'for'循环迭代字典 2901
如何将package.json中的每个依赖项更新为最新版本? 1871
如何在JavaScript中将数字格式化为美元货币字符串? 1711
配置错误:此配置部分不能在此路径中使用 1694
警告:push.default未设置; 它的隐含值在Git 2.0中发生了变化 1615
如何在回调中访问正确的`this`? 1309
git:撤消所有工作目录更改,包括新文件 1108
如何初始化静态地图? 1084