Mobile Gateway provides server-side signature verification for HTTP services to improve the security of data passed from the gateway to the server.
After you enable signature verification for an API group in the Gateway console, Mobile Gateway signs every API request in that group. The public/private key pair (or MD5 salt) used for the signature is created in the Gateway console.
After the server reads the signature string from the request, it computes the signature of the received request locally and compares it with the received signature to decide whether the request is valid.
Read the signature
The signature computed by the mobile gateway is carried in a request header; the header key is X-Mgs-Proxy-Signature.
The key identifier configured for the API group is carried in the header X-Mgs-Proxy-Signature-Secret-Key, so the server can distinguish requests signed with different keys and look up the corresponding key (salt or public key).
Signature verification method
Step 1: assemble the data to sign
String stringToSign =
    HTTPMethod + "\n" +
    Content-MD5 + "\n" +
    Url
HTTPMethod: the HTTP method in all uppercase, for example PUT or POST.
Content-MD5: the MD5 hash of the request body, computed as follows:
1. If HTTPMethod is neither PUT nor POST, Content-MD5 is the empty string "". Otherwise, go to step 2.
2. If the request contains a body and the body is a form, Content-MD5 is the empty string "". Otherwise, go to step 3.
3. Compute Content-MD5 with the method below. If the request does not contain a body, bodyStream is the string "null".
    // Base64 of the raw 16-byte MD5 digest (DigestUtils and Base64 from org.apache.commons.codec)
    String contentMD5 = Base64.encodeBase64String(DigestUtils.md5(bodyStream.getBytes("UTF-8")));
Important: even when Content-MD5 is the empty string "", the newline character "\n" that follows Content-MD5 in the signing method must not be omitted, i.e. the string to sign then contains two consecutive "\n".
Url: assembled from the path, the query parameters, and the form parameters in the body. Assume the request is http://ip:port/test/testSign?c=3&a=1 and the form parameters are b=2&d=4. The assembly steps are as follows:
1. Obtain the path: the part of the URL after ip:port and before "?". In this case, /test/testSign.
2. If both the query parameters and the form parameters are empty, Url is the path. Otherwise, go to step 3.
3. Concatenate the parameters. Sort the query and form parameters by key in lexicographic order and concatenate them as Key1=Value1&Key2=Value2&...&KeyN=ValueN. In this case, a=1&b=2&c=3&d=4.
   Note: a query or form parameter can carry multiple values; only the first value is used in the signature.
4. Concatenate the Url as Path?Key1=Value1&Key2=Value2&...&KeyN=ValueN. In this case, /test/testSign?a=1&b=2&c=3&d=4.
Step 2: verify the signature
Use the MD5 algorithm to verify signatures
import java.security.MessageDigest;
import org.apache.commons.codec.binary.Hex;

String sign = "xxxxxxx";   // The signature passed by the mobile gateway (X-Mgs-Proxy-Signature header).
String salt = "xxx";       // The MD5 salt configured for the API group.
MessageDigest digest = MessageDigest.getInstance("MD5");
String toSignedContent = stringToSign + salt;
byte[] content = digest.digest(toSignedContent.getBytes("UTF-8"));
String computedSign = Hex.encodeHexString(content);   // encodeHexString already returns a lowercase hex String
boolean isSignLegal = sign.equals(computedSign);
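The following Python module is an added example, not code from Mobile Gateway or from HttpSignUtil.java. It implements the whole server-side procedure in MD5 mode: it assembles stringToSign with the Content-MD5 and Url rules above (including the double "\n" when Content-MD5 is empty and the first-value rule for repeated parameters), recomputes the hex MD5 of stringToSign plus the salt, and compares it with the X-Mgs-Proxy-Signature header, using X-Mgs-Proxy-Signature-Secret-Key to pick the salt. The request URL, the form body, the header values and the key-id-to-salt table are constructed for the example; the precedence of a query parameter over a same-named form parameter is an assumption the page does not specify.

```python
"""Server-side check of the X-Mgs-Proxy-Signature header in MD5-with-salt mode.

Added example (not Mobile Gateway product code).  The request, headers and
salt table below are constructed for illustration.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def _first_values(encoded_pairs):
    """Parse "k1=v1&k2=v2", keeping only the first value of a repeated key."""
    params = {}
    for pair in encoded_pairs.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(key, value)
    return params


def content_md5(method, body=None, is_form=False):
    """Content-MD5 rule: only PUT/POST bodies are hashed, a form body hashes
    to "", and an absent body is hashed as the literal string "null"."""
    if method not in ("PUT", "POST"):
        return ""
    if body is not None and is_form:
        return ""
    body_stream = body if body is not None else "null"
    digest = hashlib.md5(body_stream.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")  # Base64 of the raw 16-byte digest


def signed_url(url, body=None, is_form=False):
    """Url rule: the path, then query and form parameters sorted by key."""
    parts = urlsplit(url)
    params = _first_values(parts.query)
    if is_form and body:
        for key, value in _first_values(body).items():
            # Assumption: if a key is in both query and form, the query value wins.
            params.setdefault(key, value)
    if not params:
        return parts.path
    query = "&".join(f"{key}={params[key]}" for key in sorted(params))
    return f"{parts.path}?{query}"


def string_to_sign(method, url, body=None, is_form=False):
    # HTTPMethod + "\n" + Content-MD5 + "\n" + Url.  The second "\n" stays even
    # when Content-MD5 is "", so the result may contain two consecutive newlines.
    method = method.upper()
    return "\n".join([method, content_md5(method, body, is_form),
                      signed_url(url, body, is_form)])


def md5_signature(to_sign, salt):
    """MD5 mode: lowercase hex of MD5(stringToSign + salt)."""
    return hashlib.md5((to_sign + salt).encode("utf-8")).hexdigest()


def verify_md5_signature(headers, method, url, salts, body=None, is_form=False):
    """`salts` maps the X-Mgs-Proxy-Signature-Secret-Key value (the key id the
    gateway sends) to the salt configured for that id."""
    received = headers.get("X-Mgs-Proxy-Signature")
    key_id = headers.get("X-Mgs-Proxy-Signature-Secret-Key")
    if received is None or key_id not in salts:
        return False
    expected = md5_signature(string_to_sign(method, url, body, is_form), salts[key_id])
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


if __name__ == "__main__":
    # Constructed request matching the worked example: query c=3&a=1, form body b=2&d=4.
    URL = "http://10.0.0.1:8080/test/testSign?c=3&a=1"
    SALTS = {"key-1": "example-salt"}  # constructed key id -> salt table
    to_sign = string_to_sign("POST", URL, body="b=2&d=4", is_form=True)
    headers = {
        "X-Mgs-Proxy-Signature": md5_signature(to_sign, SALTS["key-1"]),
        "X-Mgs-Proxy-Signature-Secret-Key": "key-1",
    }
    print(repr(to_sign))  # 'POST\n\n/test/testSign?a=1&b=2&c=3&d=4'
    print(verify_md5_signature(headers, "POST", URL, SALTS, body="b=2&d=4", is_form=True))  # True
```

Note that the verifier must rebuild stringToSign from the request it actually received (method, path, query and form body), never from values echoed in other headers; the salt is only ever looked up from the key id, so an unknown key id is rejected before any hashing.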
Use the RSA algorithm to verify signatures
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.Signature;
import org.apache.commons.codec.binary.Base64;

String sign = "xxxxxxx";   // The signature passed by the mobile gateway (Base64-encoded RSA signature).
String publicKey = "xxx";  // The RSA public key of the mobile gateway.
// KeyReader is a helper from the sample code (see HttpSignUtil.java), not a JDK class.
PublicKey pubKey = KeyReader.getPublicKeyFromX509("RSA", new ByteArrayInputStream(publicKey.getBytes("UTF-8")));
Signature signature = Signature.getInstance("SHA1WithRSA");
signature.initVerify(pubKey);
signature.update(stringToSign.getBytes("UTF-8"));
boolean isSignLegal = signature.verify(Base64.decodeBase64(sign.getBytes("UTF-8")));
Examples
For more information, see HttpSignUtil.java.