API common signature verification methods (PHP implementation)

Usage scenarios

Now more and more projects use the front-end and back-end separation model for development. Back-end developers use API interfaces to transfer data to front-end developers for processing and display. In some more important Modification of data interfaces, involving money, user information, etc., if the interfaces are not protected and verified, it is often easy for someone to maliciously swipe the interface, resulting in huge losses.

API Signature Verification

Here we introduce a more common signature verification in the industry to encrypt the parameters of the interface, which has the following advantages.

• Requested uniqueness: The calculated signature is unique and can be used for verification.

• Variability of parameters: The parameters include the timestamp parameter, which ensures that the signature calculated for each request is different.

• Request aging: Since the request contains the timestamp parameter of the current request, the server can verify the timestamp and filter requests that exceed the aging limit.

• Security: Even if the request is maliciously captured and the other party maliciously tamperes with the parameters, the signature will be wrong and the parameters cannot be modified.

Practice the truth

1. Sort the data to be signed of map type (that is, a set of key-value pairs) according to the size of the key. The parameters in the map are sorted in alphabetical order. If the first letters are the same, they are sorted by the second letter, and so on. For example,

{
    "timestamp": "2017-06-08 09:38:00",
    "format": "xml",
    "app_id": "aabbc",
    "cp_extend_info": "",
    "sign_type": "HMAC-SHA1",
    "sign": "abc"
}

then becomes

{
    "app_id": "aabbc",
    "cp_extend_info": "",
    "format": "xml",
    "sign_type": "HMAC-SHA1",
    "timestamp": "2017-06-08 09:38:00"
}

after sorting. Note: If the map contains a signature parameter (sign), the key value of the parameter needs to be filtered. Participate in signing. Please do not participate in signing parameters without values.

2. Serialize the sorted map into a string to be signed. The spliced ​​string to be signed is

app_id=aabbc&format=xml&sign_type=HMAC-SHA1&timestamp=2017-06-08 09:38:00

3. Use the key to extract the digest (hash) signature of the string to be signed according to the HMAC-SHA1 algorithm and base64_encode it (to facilitate explicit transmission and comparison). Assuming that the signature key is test, the extracted digest signature is The value of base64_encode is

JqoEqPIVVor0eyRHMYiZftsycVo=

Note: Because some data are required by the HTTP protocol, URLencoding needs to be performed during network transmission so that the receiver can receive the correct parameters. But if this parameter participates in signature, then the string to be signed must be the original value of the string rather than the value of URLencoding.

Code Practice

PHP Example

/**
 * 使用密钥生成HMAC-Sha1签名
 * @param array $params 请求参数
 * @param string $signKey 签名密钥
 * @return string
 */
function hmacSha1Sign($params,$signKey)
{
    ksort($params);
 
    $paramString = '';
    foreach ($params as $key => $value) {
        if (is_null($value) || $value=='' || $key == 'sign') {
            continue;
        }
        $paramString .= $key.'='.$value.'&';
    }
    $paramString = substr($paramString,0,-1);
    $sign = base64_encode(hash_hmac("sha1", $paramString, $signKey, $raw_output=TRUE));
    return $sign;
}

The above is the API verification signature method commonly used in daily development. It is very simple and very useful. Welcome to follow for more tutorials.

The above is the detailed content of API common signature verification methods (PHP implementation). For more information, please follow other related articles on the PHP Chinese website!