Coldfusion CFHTTP with SHA512-hmac signed REST request body

Question

I am trying to make a signed request to the trading API at bitfloor.com (it's a REST API)

Bitfloor gives me:

1) API Key (i.e. 6bd2b780-00be-11e2-bde3-2837371c3c3a)

2) Secret Key (i.e. oaFz62YpmbWiXwseMUSod53D8pOjdyVcweNYdiab/TSQqxk6IuemDvimNaQoA==)

Here are the detailed instructions for making a request to Bitfloor:

Requests must be HTTPS POST requests on port 443 (https). Each request must contain the required headers (listed below). The headers identify, verify, and validate your request to prevent tampering.

Headers

bitfloor-key This is the provided by bitfloor to uniquely identify your account. (i.e. 6bd2b780-00be-11e2-bde3-2837371c3c3a)

bitfloor-sign The sign field is a sha512-hmac of the request body using the secret key which corresponds to your api key.

To sign your request: base64 decode the secret key into the raw bytes (64 bytes). Use those bytes for your sha512-hmac signing of the http request body. Base64 encode the signing result and send in this header field.

bitfloor-passphrase The passphrase you specified when creating this api key. We cannot recover your passphrase if forgotten. You will need to create a new API key.

bitfloor-version The api version of the resource you are interested in. The only valid value currently is 1

After a full eight hours of trial and error and searching the internet repeatedly for any sort of insight or information, the following code is as close as I can come to what I think might be somewhere in the direction of how to construct the request properly, alas, no matter what I attempt I get "Invalid Signature" returned by their API.

Here is what I have so far...

FIRST, I found this function on the web that someone wrote to do the SHA512 signing:

<cffunction name="HMAC_SHA512" returntype="binary" access="public" output="false">
    <cfargument name="signKey" type="string" required="true">
    <cfargument name="signMessage" type="string" required="true">

    <cfset var jMsg = JavaCast("string",arguments.signMessage).getBytes("iso-8859-1")>
    <cfset var jKey = JavaCast("string",arguments.signKey).getBytes("iso-8859-1")>
    <cfset var key  = createObject("java","javax.crypto.spec.SecretKeySpec")>
    <cfset var mac  = createObject("java","javax.crypto.Mac")>
    <cfset key  = key.init(jKey,"HmacSHA512")>
    <cfset mac  = mac.getInstance(key.getAlgorithm())>
    <cfset mac.init(key)>
    <cfset mac.update(jMsg)>
    <cfreturn mac.doFinal()>
</cffunction>

I have no idea what it does, but it seems to work and does so without error.

Here is my implementation of this function and my attempt at making the request: NOTE: The "nonce" value is a required param that must be sent with the request.

<cffunction name="myorders">
    <cfset nonce        = dateDiff("s",createDateTime(2012,01,01,0,0,0),now())>
    <cfset requestbody  = "?nonce=#nonce#">
    <cfset key      = "oaFz62YpmbWiXwseMUSod53D8pOjdyVcweNYdiab/TSQqxk6IuemDvimNaQoA==">
    <cfset sign     = HMAC_SHA512(key,requestbody)>
    <cfset signed       = binaryEncode(sign,"Base64")>

    <!--- HTTP REQUEST --->
    <cfhttp url = "https://api.bitfloor.com/orders#requestbody#"
        method  = "post"
        result  = "bitfloor">

    <!--- HEADERS --->
    <cfhttpparam
        type    = "body"
        value   = requestbody>
    <cfhttpparam
        type    = "header"
        name    = "bitfloor-key"
        value   = "6bd2b780-00be-11e2-bde3-2837371c3c3a">
    <cfhttpparam
        type    = "header"
        name    = "bitfloor-sign"
        value   = signed>
    <cfhttpparam
        type    = "header"
        name    = "bitfloor-passphrase"
        value   = "mysecretpassphrase">
    <cfhttpparam
        type    = "header"
        name    = "bitfloor-version"
        value   = "1">
    </cfhttp>
</cffunction>

I think most of my confusion comes from not knowing exactly what the "request body" is. I feel like I'm not signing the right thing perhaps.

I hope there is a Coldfusion programmer out there who is familiar with signed requests. I'm at my wit's end.

Please help! Namaste

Recommended answer

I have not used that api, but I ran some tests and it seems to work with the following tweaks:


  • Since the secretKey value is base64 encoded, your signing function needs to use binaryDecode to properly extract the bytes. Using String.getBytes(...) produces a completely different (and wrong) result.

  • The expected request body value is just: nonce=#nonceValue# (without the leading "?")

  • It seems to require the Content-Type=application/x-www-form-urlencoded header, otherwise it fails to parse the content and the response is: {"error":"no nonce specified"}

code

 <cfset apiKey = "6bd2b780-00be-11e2-bde3-2837371c3c3a">
 <cfset secretKey = "oaFz62YpmbWiXwseMUSod53D8pOjdyVcweNYdiab/TSQqxk6IuemDvimNaQoA==">
 <cfset passphrase = "your secret phrase">

 <cfset requestBody  = "nonce="& now().getTime()>
 <cfset signBytes    = HMAC_SHA512(secretKey, requestbody)>
 <cfset signBase64   = binaryEncode(signBytes, "base64")>

 <cfhttp url="https://api.bitfloor.com/orders" method="post" port="443" result="bitfloor">
    <cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded">
    <cfhttpparam type="header" name="bitfloor-key" value="#apiKey#">
    <cfhttpparam type="header" name="bitfloor-sign" value="#signBase64#">
    <cfhttpparam type="header" name="bitfloor-passphrase" value="#passphrase#">
    <cfhttpparam type="header" name="bitfloor-version" value="1">
    <cfhttpparam type="body" value="#requestBody#">
 </cfhttp>

 <cfdump var="#bitfloor#" label="Response">

<cffunction name="HMAC_SHA512" returntype="binary" access="public" output="false">
    <cfargument name="base64Key" type="string" required="true">
    <cfargument name="signMessage" type="string" required="true">
    <cfargument name="encoding" type="string" default="UTF-8">

     <cfset var messageBytes = JavaCast("string",arguments.signMessage).getBytes(arguments.encoding)>
     <cfset var keyBytes = binaryDecode(arguments.base64Key, "base64")>
     <cfset var key  = createObject("java","javax.crypto.spec.SecretKeySpec")>
     <cfset var mac  = createObject("java","javax.crypto.Mac")>
     <cfset key  = key.init(keyBytes,"HmacSHA512")>
     <cfset mac  = mac.getInstance(key.getAlgorithm())>
     <cfset mac.init(key)>
     <cfset mac.update(messageBytes)>

     <cfreturn mac.doFinal()>
</cffunction>
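
For cross-checking the ColdFusion output, here is an added reference example in Python (not part of the original answer and not Bitfloor's code). It signs a body the way the quoted instructions describe, verifies it with a constant-time comparison, and names which of the two mistakes discussed above explains a mismatch. The key and nonce are constructed demo values, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed 64-byte demo key (not a real credential), base64-encoded the
# way the API is described as handing out its secret key.
DEMO_SECRET_B64 = base64.b64encode(bytes(range(64))).decode("ascii")

def _mac(key: bytes, body: str) -> str:
    """HMAC-SHA512 over the UTF-8 body, returned base64-encoded."""
    digest = hmac.new(key, body.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(digest).decode("ascii")

def sign_body(secret_b64: str, body: str) -> str:
    """Header value per the quoted instructions: decode the key first."""
    key = base64.b64decode(secret_b64, validate=True)  # raises on malformed input
    if len(key) != 64:
        raise ValueError(f"decoded key is {len(key)} bytes, expected 64")
    return _mac(key, body)

def sign_with_text_key(secret_b64: str, body: str) -> str:
    """The question's variant: the base64 text itself is used as key bytes."""
    return _mac(secret_b64.encode("iso-8859-1"), body)

def verify(secret_b64: str, body: str, header_value: str) -> bool:
    """Receiver-side check using a constant-time comparison."""
    expected = sign_body(secret_b64, body)
    return hmac.compare_digest(expected.encode(), header_value.encode())

def diagnose(secret_b64: str, body: str, header_value: str) -> str:
    """Name which mistake from this page explains a rejected signature."""
    if verify(secret_b64, body, header_value):
        return "valid"
    text_sig = sign_with_text_key(secret_b64, body)
    if hmac.compare_digest(text_sig.encode(), header_value.encode()):
        return "key was not base64-decoded"
    if verify(secret_b64, "?" + body, header_value):
        return "signature covers a leading '?' that is not in the body"
    return "unknown mismatch"

if __name__ == "__main__":
    body = "nonce=1347000000"  # constructed nonce value
    for sig in (sign_body(DEMO_SECRET_B64, body),
                sign_with_text_key(DEMO_SECRET_B64, body),
                sign_body(DEMO_SECRET_B64, "?" + body)):
        print(diagnose(DEMO_SECRET_B64, body, sig))
```

Feeding the same key and body to the ColdFusion function and comparing the base64 output against `sign_body` isolates whether a rejection comes from the signature or from the request itself (headers, Content-Type).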
