
Backend signature verification

Last Updated: Apr 26, 2021

Mobile Gateway Service can sign the HTTP requests it forwards to your server, and your server can verify those signatures. This lets the server check that a request really came from the gateway and was not altered on the way, improving the security of data between gateway and server.

  • After you enable signature verification for an API group in the console, Mobile Gateway Service creates a signature for every API request in that group. The public and private keys used for signing can be created in the Mobile Gateway Service console.
  • The server reads the signature string from the request, calculates its own signature over the received request, and compares the two. If they match, the request is accepted as legitimate; if not, it is rejected.

Read signature

The signature calculated by the mobile gateway is carried in a request header; the header key is X-Mgs-Proxy-Signature.

The secret key configured for the API group identifies which key material (MD5 salt or RSA public key) the server must use for verification. The name of that secret key is carried in a second request header; the header key is X-Mgs-Proxy-Signature-Secret-Key. A server that handles several API groups uses this value to select the matching key.

Verify signature

Organize signature data

 
  String stringToSign =
      HTTPMethod + "\n" +
      Content-MD5 + "\n" +
      Url;
  • HTTPMethod: the HTTP method with all characters in upper case, for example PUT or POST.

  • Content-MD5: the MD5 value of the request body, calculated as follows:

    1. If HttpMethod is not PUT or POST, the MD5 value is the empty string ""; otherwise continue with step 2.
    2. If the request has a body and the body is a form, the MD5 value is the empty string ""; otherwise continue with step 3.
    3. Calculate the MD5 value as follows. If the request has no body, bodyStream is the string "null".

      // commons-codec: DigestUtils.md5 returns the raw 16-byte digest, which is then Base64-encoded
      String contentMD5 = Base64.encodeBase64String(DigestUtils.md5(bodyStream.getBytes("UTF-8")));

      Note: Even if Content-MD5 is the empty string "", the newline "\n" that follows it in the signing string cannot be omitted. The signing string then contains two consecutive "\n".
  • Url: assembled from the Path, the Query, and the Form parameters in the body. Suppose the request is http://ip:port/test/testSign?c=3&a=1 and the Form parameters are b=2&d=4; then the Url is assembled as follows:

    1. Obtain the Path. The Path is the part between ip:port and ?, for example /test/testSign.
    2. If both the Query and the Form parameters are empty, the Url is the Path. Otherwise, continue with the next step.
    3. Concatenate the parameters. Sort the Query and Form parameters by key in lexicographic order, then concatenate them in the format Key1=Value1&Key2=Value2&...&KeyN=ValueN, for example a=1&b=2&c=3&d=4.
      Note: A Query or Form parameter may have multiple values, but only the first value is used.
    4. Concatenate the Url. The Url is Path?Key1=Value1&Key2=Value2&...&KeyN=ValueN, for example /test/testSign?a=1&b=2&c=3&d=4.
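The canonicalization described above, as an added example in Python; it is not code from the Mobile Gateway Service documentation or SDK. It implements all three parts of stringToSign (HTTPMethod, Content-MD5 and Url) in one function so the same logic can be checked against the page's worked example. The request URL and bodies are constructed samples, and three details the page leaves open are assumptions marked in the code: parameter values are percent-decoded the way parse_qs decodes them, an empty body is treated like an absent body, and when the same key occurs in both Query and Form the Query value is kept.

```python
import base64
import hashlib
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def content_md5(method: str, body: Optional[bytes], is_form: bool) -> str:
    """Content-MD5 as described in steps 1-3 of the page."""
    if method not in ("PUT", "POST"):
        return ""                       # step 1: only PUT/POST bodies are hashed
    if is_form:
        return ""                       # step 2: a form body hashes to ""
    # step 3: an absent body is hashed as the literal string "null".
    # Assumption: an empty body (b"") is treated the same as no body.
    stream = body if body else b"null"
    return base64.b64encode(hashlib.md5(stream).digest()).decode("ascii")


def canonical_url(path: str, query: str, form: str) -> str:
    """Url as described in steps 1-4 of the page: Path plus sorted Query+Form params."""
    params = {}
    # Assumption: parse_qs percent-decodes values; when the same key appears in
    # both Query and Form, the Query value (seen first) is kept.
    for source in (query, form):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(key, values[0])   # only the first value is used
    if not params:
        return path
    return path + "?" + "&".join(f"{key}={params[key]}" for key in sorted(params))


def build_string_to_sign(method: str, url: str, body: Optional[bytes] = None,
                         form: str = "") -> str:
    """Assemble stringToSign = HTTPMethod + "\\n" + Content-MD5 + "\\n" + Url.

    `form` is the URL-encoded form body (for example "b=2&d=4");
    `body` is any other raw request body, or None when there is none.
    """
    method = method.upper()
    parts = urlsplit(url)
    md5 = content_md5(method, body, is_form=bool(form))
    # Even when Content-MD5 is "", its trailing "\n" stays, giving "\n\n".
    return "\n".join([method, md5, canonical_url(parts.path, parts.query, form)])


if __name__ == "__main__":
    # Constructed sample request mirroring the page's worked example.
    print(repr(build_string_to_sign("post",
                                    "http://127.0.0.1:8080/test/testSign?c=3&a=1",
                                    form="b=2&d=4")))
```

For the page's example (POST to /test/testSign?c=3&a=1 with form body b=2&d=4) the result is "POST\n\n/test/testSign?a=1&b=2&c=3&d=4": the form body makes Content-MD5 empty, which is why the two newlines sit next to each other.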

Verify signature

  • Use MD5 algorithm:

    import java.security.MessageDigest;
    import org.apache.commons.codec.binary.Hex;

    String sign = "xxxxxxx"; // The signature passed from mobile gateway (X-Mgs-Proxy-Signature)
    String salt = "xxx";     // MD5 salt configured for the API group
    MessageDigest digest = MessageDigest.getInstance("MD5");
    String toSignedContent = stringToSign + salt;
    byte[] content = digest.digest(toSignedContent.getBytes("UTF-8"));
    String computedSign = Hex.encodeHexString(content); // lower-case hex string
    boolean isSignLegal = sign.equals(computedSign);
  • Use RSA algorithm:

    import java.io.ByteArrayInputStream;
    import java.security.PublicKey;
    import java.security.Signature;
    import org.apache.commons.codec.binary.Base64;

    String sign = "xxxxxxx";  // The signature passed from mobile gateway (X-Mgs-Proxy-Signature), Base64-encoded
    String publicKey = "xxx"; // The RSA public key of mobile gateway, X.509 encoded
    // KeyReader is the helper used by the original snippet to parse an X.509-encoded public key
    PublicKey pubKey = KeyReader.getPublicKeyFromX509("RSA", new ByteArrayInputStream(publicKey.getBytes("UTF-8")));
    Signature signature = Signature.getInstance("SHA1WithRSA");
    signature.initVerify(pubKey);
    signature.update(stringToSign.getBytes("UTF-8"));
    boolean isSignLegal = signature.verify(Base64.decodeBase64(sign));
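The MD5 variant of the check, as an added Python example that is not part of this page or the gateway SDK. It reads both headers described under "Read signature", uses X-Mgs-Proxy-Signature-Secret-Key to select the salt for that API group from a lookup table, recomputes the signature exactly as the Java snippet does (hex MD5 of stringToSign + salt), and compares it with hmac.compare_digest rather than a plain string comparison so that the comparison time does not depend on how many leading characters of a wrong signature happen to match. The secret key names and salt values are constructed samples, and stringToSign is assumed to have been built already as described in the previous section.

```python
import hashlib
import hmac
from typing import Dict, Mapping, Optional

SIGNATURE_HEADER = "X-Mgs-Proxy-Signature"
SECRET_KEY_HEADER = "X-Mgs-Proxy-Signature-Secret-Key"

# Constructed sample: secret key names configured on the API groups,
# each mapped to the MD5 salt that the gateway signs with for that group.
SALTS: Dict[str, str] = {
    "group-key-1": "s4lt-one",
    "group-key-2": "s4lt-two",
}


def md5_signature(string_to_sign: str, salt: str) -> str:
    """Lower-case hex MD5 of stringToSign + salt, as in the Java MD5 snippet."""
    return hashlib.md5((string_to_sign + salt).encode("utf-8")).hexdigest()


def verify_request(headers: Mapping[str, str], string_to_sign: str,
                   salts: Mapping[str, str] = SALTS) -> bool:
    """Return True only if the gateway signature in `headers` matches `string_to_sign`."""
    # HTTP header names are case-insensitive, so normalise before looking them up.
    lowered = {name.lower(): value for name, value in headers.items()}
    sign: Optional[str] = lowered.get(SIGNATURE_HEADER.lower())
    key_name: Optional[str] = lowered.get(SECRET_KEY_HEADER.lower())
    if not sign or not key_name:
        return False        # unsigned request: reject instead of falling through
    salt = salts.get(key_name)
    if salt is None:
        return False        # unknown secret key: nothing to verify against
    expected = md5_signature(string_to_sign, salt)
    # Constant-time comparison; a plain == would stop at the first differing byte.
    return hmac.compare_digest(expected.encode("utf-8"), sign.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a request the gateway signed for group-key-1.
    sts = "GET\n\n/test/testSign"
    hdrs = {
        SIGNATURE_HEADER: md5_signature(sts, SALTS["group-key-1"]),
        SECRET_KEY_HEADER: "group-key-1",
    }
    print("valid:", verify_request(hdrs, sts))
    print("tampered:", verify_request(hdrs, "GET\n\n/test/testSign?a=1"))
```

The early returns matter as much as the digest: a request with no signature header, or one naming a secret key the server does not know, is rejected outright rather than compared against an empty or default salt.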