在 Java 中用密钥验证哈希签名

时间:2014-12-01 06:02:35

标签: java facebook-oauth

我正在尝试将下面的php代码转换为java。我在比较哈希时遇到了困难。有人可以提供一些帮助。感谢

示例来自此处https://developers.facebook.com/docs/facebook-login/using-login-with-games/#parsingsr

$secret = "appsecret"; // Use your app secret here

// decode the data
// NOTE(review): base64_url_decode() is the app's own helper (not shown here).
// $sig is the raw HMAC bytes; keep it as a binary string, do not re-encode it.
$sig = base64_url_decode($encoded_sig);
$data = json_decode(base64_url_decode($payload), true);

// confirm the signature
// $raw = true makes hash_hmac() return raw bytes, matching the decoded $sig above.
// The MAC is computed over the still-encoded $payload, not the decoded JSON.
// The comparison that follows should be constant-time (hash_equals()) rather than !==.
$expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
if ($sig !== $expected_sig) {

以下是我目前写出的代码。

// Signed request format (see the linked Facebook docs): "<base64url signature>.<base64url payload>"
String secret = "somesecret";
String signedRequest = "some.signedrequest";

// Split on a literal dot (regex-escaped) into [signature, payload]
String[] encoded = signedRequest.split("\\.");

System.out.println(encoded[0]);
System.out.println(encoded[1]);

// NOTE(review): base64UrlDecode returns a String, but the signature is raw HMAC bytes;
// converting those bytes to text via the platform charset is lossy, so the signature
// should be kept as byte[] and compared byte-for-byte instead.
String signature = base64UrlDecode(encoded[0]);
String payload = base64UrlDecode(encoded[1]);


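/**
 * Decodes a base64url (URL-safe alphabet) string and returns the decoded bytes as text.
 *
 * <p>The bytes are interpreted as UTF-8 explicitly; the original relied on the platform
 * default charset, which differs between machines. This is only meaningful for textual
 * content such as the JSON payload of a signed request. A raw HMAC signature is arbitrary
 * bytes, and turning it into a String corrupts any sequence that is not valid UTF-8, so
 * for the signature decode to {@code byte[]} and compare bytes instead of using this method.
 *
 * @param input base64url-encoded text
 * @return the decoded bytes as a UTF-8 string
 */
public static String base64UrlDecode(String input) {
    // commons-codec: the boolean argument selects the URL-safe alphabet ('-' and '_').
    Base64 decoder = new Base64(true);
    byte[] decodedBytes = decoder.decode(input);
    // Fixed charset instead of the platform default.
    return new String(decodedBytes, java.nio.charset.StandardCharsets.UTF_8);
}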

从这里我不知所措。

我不知道如何计算用来与我的签名进行比较的哈希。

1 个答案:

答案 0 :(得分:2)

从上面得到一些启发后，下面的代码对我有用。

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;

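/**
 * Parses and verifies a signed request of the form
 * {@code <base64url(signature)>.<base64url(json payload)>}.
 *
 * <p>The payload is returned only if its signature equals HMAC-SHA256 over the encoded
 * payload part with {@code secret} as key, and it declares {@code "algorithm": "HMAC-SHA256"}.
 * The signature is verified before the payload is parsed, so untrusted JSON is never parsed
 * unless it is authentic. The comparison is done on the decoded MAC bytes with
 * {@link MessageDigest#isEqual}, which is constant-time, rather than {@code String.equals}
 * on the base64 text; decoding both sides also makes the check independent of padding.
 *
 * @param signedRequest the raw signed_request value; {@code null} is treated as invalid
 * @param secret the app secret used as the HMAC key
 * @return the payload as a JSONObject, or {@code null} if the request is malformed,
 *     the signature does not verify, or an unknown algorithm is declared
 * @throws Exception if the payload is not valid JSON, lacks an {@code algorithm} field,
 *     or HMAC-SHA256 is unavailable
 */
private JSONObject parseFBSignedRequest(String signedRequest, String secret) throws Exception {
    if (signedRequest == null) {
        return null;
    }
    // Split on the first dot only: [signature, payload]
    String[] parts = signedRequest.split("\\.", 2);
    if (parts.length != 2) {
        // no separator: cannot be a signed request
        return null;
    }
    String sig = parts[0];
    String data = parts[1];

    // Verify before trusting the payload. The MAC covers the still-encoded payload part.
    // Both sides are decoded to bytes and compared in constant time.
    byte[] expectedMac = Base64.decodeBase64(hmacSHA256(data, secret));
    byte[] presentedMac = Base64.decodeBase64(sig);
    if (!MessageDigest.isEqual(expectedMac, presentedMac)) {
        // signature mismatch: tampered payload or wrong secret
        return null;
    }

    // Payload is URL-safe base64 of a JSON document; UTF-8 is assumed, as in the original.
    JSONObject jsonData = new JSONObject(new String(Base64.decodeBase64(data), StandardCharsets.UTF_8));
    // Only HMAC-SHA256 is supported; reject anything else rather than guess.
    if (!"HMAC-SHA256".equals(jsonData.getString("algorithm"))) {
        return null;
    }
    return jsonData;
}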

//HmacSHA256 implementation 
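/**
 * Computes HMAC-SHA256 over {@code data} with {@code key} (both taken as UTF-8) and returns
 * the MAC as unpadded URL-safe base64, the same encoding the signed-request signature uses.
 *
 * @param data the text to authenticate (for signed requests, the still-encoded payload part)
 * @param key the HMAC key (the app secret); must be non-empty
 * @return the base64url-encoded MAC
 * @throws GeneralSecurityException if HMAC-SHA256 is unavailable or the key is rejected
 */
private String hmacSHA256(String data, String key) throws GeneralSecurityException {
    // StandardCharsets replaces getBytes("UTF-8"), which forced a checked
    // UnsupportedEncodingException for an encoding every JVM must support.
    SecretKeySpec secretKey = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(secretKey);
    byte[] hmacData = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    return new String(Base64.encodeBase64URLSafe(hmacData), StandardCharsets.UTF_8);
}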