CloudKit服务器到服务器的身份验证 [英] CloudKit Server-to-Server authentication
问题描述
昨日公布的苹果公司的新方法对抗CloudKit验证,服务器到服务器。 <一href=\"https://developer.apple.com/library/$p$prelease/ios/documentation/DataManagement/Conceptual/CloutKitWebServicesReference/SettingUpWebServices/SettingUpWebServices.html#//apple_ref/doc/uid/TP40015240-CH24-SW6\">https://developer.apple.com/library/$p$prelease/ios/documentation/DataManagement/Conceptual/CloutKitWebServicesReference/SettingUpWebServices/SettingUpWebServices.html#//apple_ref/doc/uid/TP40015240-CH24-SW6
今天,我想对CloudKit这种方法进行身份验证。起初我生成的密钥对,给了公钥CloudKit,没有问题为止。
我开始建立请求头。根据文档就应该是这样的:
X-苹果CloudKit请求-的KeyID:[KEYID]
的X苹果CloudKit请求-ISO8601Date:[日期]
的X苹果CloudKit请求-SignatureV1:[签名]
- [KEYID],没有问题。您可以在仪表盘CloudKit找到这个。
- [日期],我想这应该工作:2016-02-06T20:41:00Z
- [签名],这里的问题...
该文件说:
在步骤中创建的签名1.
块引用>步骤1说:
连接以下参数,并将它们用冒号分开。结果
[当前日期]:请求正文]:[Web服务URL]
块引用>我问自己我为什么要生成密钥对?结果
但第2步说:
计算此消息的ECDSA签名用你的私钥。
块引用>也许他们签署与私钥签名级联,并把这一进头?无论如何,我都试过...
我给这(无符号)签名值样本如下:
<$p$p><$c$c>2016-02-06T20:41:00Z:YTdkNzAwYTllNjI1M2EyZTllNDNiZjVmYjg0MWFhMGRiMTE2MjI1NTYwNTA2YzQyODc4MjUwNTQ0YTE5YTg4Yw==:https://api.apple-cloudkit.com/database/1/[iCloud容器] /开发/公/记录/查询
请求正文值为SHA256散列和连接的base64 codeD之后。我的问题是,我应该用串联:但是URL和日期也包含:。这是对的吗? (我也试图URL恩code中的URL,并删除:在日期)。结果
在接下来的我ECDSA签署此签名串,把它放到头和发送。但是,我总是得到401验证失败回来。要签字,我用了 ECDSA Python模块,用下面的命令:从ECDSA进口SigningKey
A = SigningKey.from_pem(开放(path_to_pem_file)。阅读())
B =[日期]:[BASE64(request_body)] /数据库/ 1 / iCloud中.....
打印a.sign(二).EN code(十六进制)也许Python模块不能正常工作。但它可以产生从私钥右公钥。所以我希望等功能也工作。
有没有人管理与服务器到服务器的方法对CloudKit认证?它是如何正常工作?
编辑:正确的python版本的作品
从ECDSA进口SigningKey
进口ECDSA,BASE64,hashlibA = SigningKey.from_pem(开放(path_to_pem_file)。阅读())
B =[日期]:[BASE64(SHA256(request_body))]:/数据库/ 1 / iCloud中.....
签名= a.sign(B,hashfunc = hashlib.sha256,SIGEN code = ecdsa.util.sigen code_der)
签名= base64.b64en code(签字)
打印签名#包含进这个头
解决方案消息的最后一部分
[当前日期]:请求正文]:[Web服务URL]
的不得的包含域(它的必须的包括任何查询参数):
<$p$p><$c$c>2016-02-06T20:41:00Z:YTdkNzAwYTllNjI1M2EyZTllNDNiZjVmYjg0MWFhMGRiMTE2MjI1NTYwNTA2YzQyODc4MjUwNTQ0YTE5YTg4Yw==:/database/1/[iCloud容器] /开发/公/记录/查询
使用新行更好的可读性:
2016-02-06T20:41:00Z
:YTdkNzAwYTllNjI1M2EyZTllNDNiZjVmYjg0MWFhMGRiMTE2MjI1NTYwNTA2YzQyODc4MjUwNTQ0YTE5YTg4Yw ==
:/数据库/ 1 / [iCloud的容器] /开发/公/记录/查询下面介绍如何计算伪code标头值
确切的API调用取决于你所使用的具体的语言和加密库。
// 1。日期
//例:2016-02-07T18:58:24Z
//陷阱:确保不包括毫秒
日期= isoDateWithoutMilliseconds()// 2。有效载荷
//例(空字符串的base64 EN codeD,GET请求):
// 47DEQpj8HBSa + / + TIMW = 5JCeuQeRkm5NMpJWZG3hSuFU
//陷阱:确保输出的base64是连接codeD(不是十六进制)
有效载荷= base64en code(SHA256(体))// 3。路径
//例:/数据库/ 1 / [containerIdentifier] /开发/公/记录/查询
//陷阱:不要包含域名;不包括任何查询参数
PATH = stripDomainKeepQueryParams(URL)// 4。信息
//注册日期,有效载荷和路径用冒号
消息=日期+:+有效载荷+:+路径// 5。计算使用您的私人密钥对消息的签名。
//这一步看起来每种语言/ lib目录加密很大的不同。
//陷阱:确保输出的base64是连接codeD。
//提示:密钥本身包含的签名算法信息
//(在你的NodeJS可以使用签名名称'RSA-SHA256'来计算
//与ECDSA键选择正确的ECDSA签名)。
签名= base64en code(符号(消息,键))// 6。设置头
的X苹果CloudKit请求-的KeyID = KEYID
的X苹果CloudKit请求-ISO8601Date =日期
的X苹果CloudKit请求-SignatureV1 =签名// 7。对于POST请求,不要忘了实际发送签名请求正文
//(不仅仅是头)Yesterday Apple published a new method to authenticate against CloudKit, server-to-server. https://developer.apple.com/library/prerelease/ios/documentation/DataManagement/Conceptual/CloutKitWebServicesReference/SettingUpWebServices/SettingUpWebServices.html#//apple_ref/doc/uid/TP40015240-CH24-SW6
Today I tried to authenticate against CloudKit and this method. At first I generated the key pair and gave the public key to CloudKit, no problem so far.
I started to build the request header. According to the documentation it should look like this:
X-Apple-CloudKit-Request-KeyID: [keyID] X-Apple-CloudKit-Request-ISO8601Date: [date] X-Apple-CloudKit-Request-SignatureV1: [signature]
- [keyID], no problem. You can find this in the CloudKit dashboard.
- [Date], I think this should work: 2016-02-06T20:41:00Z
- [signature], here is the problem...
The documentation says:
The signature created in Step 1.
Step 1 says:
Concatenate the following parameters and separate them with colons.
[Current date]:[Request body]:[Web Service URL]
I asked myself "Why do I have to generate the key pair?".
But step 2 says:Compute the ECDSA signature of this message with your private key.
Maybe they mean to sign the concatenated signature with the private key and put this into the header? Anyway I tried both...
My sample for this (unsigned) signature value looks like:
2016-02-06T20:41:00Z:YTdkNzAwYTllNjI1M2EyZTllNDNiZjVmYjg0MWFhMGRiMTE2MjI1NTYwNTA2YzQyODc4MjUwNTQ0YTE5YTg4Yw==:https://api.apple-cloudkit.com/database/1/[iCloud Container]/development/public/records/lookup
The request body value is SHA256 hashed and after that base64 encoded. My question is, I should concatenate with a ":" but the url and the date also contains ":". Is it correct? (I also tried to URL-Encode the URL and delete the ":" in the date).
At next I signed this signature string with ECDSA, put it into the header and send it. But I always get 401 "Authentication failed" back. To sign it, I used the ecdsa python module, with following commands:from ecdsa import SigningKey a = SigningKey.from_pem(open("path_to_pem_file").read()) b = "[date]:[base64(request_body)]:/database/1/iCloud....." print a.sign(b).encode('hex')
Maybe the python module doesn't work correctly. But it can generate the right public key from the private key. So I hope the other functions also work.
Has anybody managed to authenticate against CloudKit with the server-to-server method? How does it work correctly?
Edit: Correct python version that works
from ecdsa import SigningKey import ecdsa, base64, hashlib a = SigningKey.from_pem(open("path_to_pem_file").read()) b = "[date]:[base64(sha256(request_body))]:/database/1/iCloud....." signature = a.sign(b, hashfunc=hashlib.sha256, sigencode=ecdsa.util.sigencode_der) signature = base64.b64encode(signature) print signature #include this into the header
解决方案The last part of the message
[Current date]:[Request body]:[Web Service URL]
must not include the domain (it must include any query parameters):
2016-02-06T20:41:00Z:YTdkNzAwYTllNjI1M2EyZTllNDNiZjVmYjg0MWFhMGRiMTE2MjI1NTYwNTA2YzQyODc4MjUwNTQ0YTE5YTg4Yw==:/database/1/[iCloud Container]/development/public/records/lookup
With newlines for better readability:
2016-02-06T20:41:00Z :YTdkNzAwYTllNjI1M2EyZTllNDNiZjVmYjg0MWFhMGRiMTE2MjI1NTYwNTA2YzQyODc4MjUwNTQ0YTE5YTg4Yw== :/database/1/[iCloud Container]/development/public/records/lookup
The following shows how to compute the header value in pseudocode
The exact API calls depend on the concrete language and crypto library you use.
//1. Date //Example: 2016-02-07T18:58:24Z //Pitfall: make sure to not include milliseconds date = isoDateWithoutMilliseconds() //2. Payload //Example (empty string base64 encoded; GET requests): //47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= //Pitfall: make sure the output is base64 encoded (not hex) payload = base64encode(sha256(body)) //3. Path //Example: /database/1/[containerIdentifier]/development/public/records/lookup //Pitfall: Don't include the domain; do include any query parameter path = stripDomainKeepQueryParams(url) //4. Message //Join date, payload, and path with colons message = date + ':' + payload + ':' + path //5. Compute a signature for the message using your private key. //This step looks very different for every language/crypto lib. //Pitfall: make sure the output is base64 encoded. //Hint: the key itself contains information about the signature algorithm // (on NodeJS you can use the signature name 'RSA-SHA256' to compute a // the correct ECDSA signature with an ECDSA key). signature = base64encode(sign(message, key)) //6. Set headers X-Apple-CloudKit-Request-KeyID = keyID X-Apple-CloudKit-Request-ISO8601Date = date X-Apple-CloudKit-Request-SignatureV1 = signature //7. For POST requests, don't forget to actually send the unsigned request body // (not just the headers)
这篇关于CloudKit服务器到服务器的身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!