Mobile Platform as a Service: Backend signature verification

Last Updated: Jan 28, 2026

Mobile Gateway Service provides server-side HTTP signature verification to secure traffic between the gateway and your backend server.

  • When you enable signature verification for an API group in the gateway console, Mobile Gateway Service signs each API request in that group. You can create the public and private keys used for signing in the gateway console.

  • Your backend server reads the signature string and performs a local signature calculation on the received request. It then compares the calculated signature with the received signature to determine whether the request is valid.

Reading the signature

The signature calculated by Mobile Gateway Service is stored in the request header. The header key is X-Mgs-Proxy-Signature.

The secret key identifier is configured in the API group and is used to find the corresponding secret value. This identifier is sent in the request header under the key X-Mgs-Proxy-Signature-Secret-Key.

Signature verification methods

Data to be signed

    String stringToSign =
        HTTPMethod + "\n" +
        Content-MD5 + "\n" +
        Url;

  • HTTPMethod: The HTTP method in uppercase, such as PUT or POST.

  • Content-MD5: The MD5 value of the request body, calculated as follows:

    1. If HTTPMethod is not `PUT` or `POST`, the MD5 value is an empty string (`""`).

    2. If the request body is a form, the MD5 value is an empty string (`""`). Otherwise, go to step 3.

    3. Calculate the MD5 value. If the request has no body, bodyStream is the string "null".

      // Base64 of the raw MD5 digest of the body bytes (Apache Commons Codec helpers)
      String contentMD5 = Base64.encodeBase64String(DigestUtils.md5(bodyStream.getBytes("UTF-8")));

      Important

      Even if the Content-MD5 value is an empty string (`""`), the subsequent line feed (`\n`) in the string to sign must be included. This results in two consecutive `\n` characters in the string.

  • Url: The `Url` is constructed from the path, query, and form parameters in the body. For example, assume the request is http://ip:port/test/testSign?c=3&a=1 and the form parameters are b=2&d=4. The `Url` is constructed as follows:

    1. Extract the path. The path is the part of the URL after ip:port and before ?. In this example, the path is /test/testSign.

    2. If the request has no query or form parameters, the `Url` is the path.

    3. Concatenate the parameters. Sort the query and form parameters by key in lexicographic order. Then, concatenate them into the format Key1=Value1&Key2=Value2&...&KeyN=ValueN. In this example, the result is a=1&b=2&c=3&d=4.

      Note

      If a query or form parameter has multiple values, use only the first value.

    4. Construct the `Url`. The format is Path?Key1=Value1&Key2=Value2&...&KeyN=ValueN. In this example, the `Url` is /test/testSign?a=1&b=2&c=3&d=4.

Verify the signature

  • Verify the signature using the MD5 algorithm

      String sign = "xxxxxxx"; // The signature from Mobile Gateway Service
      String salt = "xxx";     // The MD5 salt

      // Signature = hex string of MD5(stringToSign + salt)
      MessageDigest digest = MessageDigest.getInstance("MD5");
      String toSignedContent = stringToSign + salt;
      byte[] content = digest.digest(toSignedContent.getBytes("UTF-8"));
      String computedSign = Hex.encodeHexString(content);

      // Constant-time comparison, so the check does not reveal how many leading characters matched
      boolean isSignLegal = MessageDigest.isEqual(
              sign.getBytes("UTF-8"), computedSign.getBytes("UTF-8"));

  • Verify the signature using the RSA algorithm

      String sign = "xxxxxxx";  // The Base64-encoded signature from Mobile Gateway Service
      String publicKey = "xxx"; // The RSA public key from Mobile Gateway Service

      // Load the X.509-encoded public key
      PublicKey pubKey = KeyReader.getPublicKeyFromX509("RSA", new ByteArrayInputStream(publicKey.getBytes("UTF-8")));
      java.security.Signature signature = java.security.Signature.getInstance("SHA1WithRSA");
      signature.initVerify(pubKey);
      signature.update(stringToSign.getBytes("UTF-8"));

      // verify() returns true only if the decoded signature matches stringToSign under pubKey
      boolean isSignLegal = signature.verify(Base64.decodeBase64(sign.getBytes("UTF-8")));
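
The string-to-sign rules and the MD5 check above, as an added Python sketch for backends that are not written in Java; it is not part of the original page or of HttpSignUtil.java. Assumptions not stated on the page: a "form" body means `application/x-www-form-urlencoded`, parameter values are used in their URL-decoded form, query parameters are read before form parameters when a key appears in both, and an empty body counts as no body. The names `build_string_to_sign` and `verify_md5` are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

FORM_TYPE = "application/x-www-form-urlencoded"  # assumed meaning of "form"


def build_string_to_sign(method, target, body=None, content_type=""):
    """Return HTTPMethod + "\\n" + Content-MD5 + "\\n" + Url for one request."""
    method = method.upper()
    is_form = content_type.lower().startswith(FORM_TYPE)

    # Content-MD5: empty unless the request is a non-form PUT or POST.
    if method not in ("PUT", "POST") or is_form:
        content_md5 = ""
    else:
        raw = body or b"null"  # no body: hash the literal string "null"
        content_md5 = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")

    # Url: path plus query and form parameters, sorted by key.
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # URL-decodes (assumption)
    if is_form and body:
        pairs += parse_qsl(body.decode("utf-8"), keep_blank_values=True)
    params = {}
    for key, value in pairs:
        params.setdefault(key, value)  # multiple values: keep only the first
    url = parts.path
    if params:
        url += "?" + "&".join(f"{k}={params[k]}" for k in sorted(params))

    # Both "\n" separators are always present, even when Content-MD5 is "".
    return f"{method}\n{content_md5}\n{url}"


def verify_md5(string_to_sign, salt, received_sign):
    """MD5 mode: hex(MD5(stringToSign + salt)), compared in constant time."""
    computed = hashlib.md5((string_to_sign + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(computed.encode("ascii"), received_sign.encode("utf-8"))


if __name__ == "__main__":
    # Constructed request matching the page's example: query c=3&a=1, form b=2&d=4.
    sts = build_string_to_sign("POST", "/test/testSign?c=3&a=1", b"b=2&d=4", FORM_TYPE)
    print(repr(sts))
```

Pass the request body as the raw bytes received on the wire, before any framework re-serializes it, so the digest matches what the gateway hashed.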

Code examples

For more information, see HttpSignUtil.java.