Mobile Gateway Service can sign the HTTP requests it forwards so that the server can verify them, which improves the security of data passing from the gateway to the server.
- After you enable signature verification for an API group in the console, Mobile Gateway Service creates signature information for each API request in the group. The public and private keys used for signing can be created in the Mobile Gateway Service console.
- After the server reads the signature string, it calculates a local signature over the received request and compares it with the received signature to decide whether the request is legitimate.
The signature calculated by mobile gateway is saved in the Header of
Request, and the Header Key is
The secret key configured in API group is used to distinguish and obtain the Keys corresponding to different secret key values, and the Header Key is
String stringToSign =
HTTPMethod + "\n" +
Content-MD5 + "\n" +
Url;
HTTPMethod: HTTPMethod with all characters in upper case, for example:
Content-MD5: The MD5 value of the request Body. The MD5 value is calculated as follows:
POST, then the MD5 value is an empty string "", otherwise step 2 applies.
- If the request has a Body, and the Body is Form, then the MD5 value is an empty string "", otherwise step 3 applies.
Use the following method to calculate MD5. If the request has no Body, the bodyStream is string
String content-MD5 = Base64.encodeBase64(MD5(bodyStream.getBytes("UTF-8")));
Note: Even if content-MD5 is an empty string "", the newline "\n" after content-MD5 in the signing method cannot be omitted. Namely, there will be two consecutive "\n" in the signature.
Url: It is assembled by
Query, and the
Form parameter in Body. Suppose the request is in the format of
b=2&d=4, then the assembling steps are as follows:
Path is the part between
?, for example:
- If both the
Form parameter are empty, the Url is the Path. Otherwise, continue with the next step.
- Concatenate parameters. Sort the
Form parameters by key in lexicographic order, and then concatenate them in the format of
Key1=Value1&Key2=Value2&...&KeyN=ValueN, for example:
Form parameters may have multiple values, but only the first value is used.
Path?Key1=Value1&Key2=Value2&...&KeyN=ValueN, for example
Use MD5 algorithm:
import java.security.MessageDigest;
import org.apache.commons.codec.binary.Hex;

String sign = "xxxxxxx"; // The signature passed from mobile gateway
String salt = "xxx"; // MD5 salt
MessageDigest digest = MessageDigest.getInstance("MD5");
String toSignedContent = stringToSign + salt;
byte[] content = digest.digest(toSignedContent.getBytes("UTF-8"));
String computedSign = Hex.encodeHexString(content);
// Compare in constant time instead of with String.equals
boolean isSignLegal = MessageDigest.isEqual(computedSign.getBytes("UTF-8"), sign.getBytes("UTF-8"));
Use RSA algorithm:
String sign = "xxxxxxx"; // The signature passed from mobile gateway
String publicKey = "xxx"; // The RSA public key of mobile gateway
PublicKey pubKey = KeyReader.getPublicKeyFromX509("RSA", new ByteArrayInputStream(publicKey.getBytes()));
java.security.Signature signature = java.security.Signature.getInstance("SHA1WithRSA");
signature.initVerify(pubKey); // verify() fails unless the Signature is initialized with the public key
signature.update(stringToSign.getBytes("UTF-8")); // feed the locally built stringToSign
boolean isSignLegal = signature.verify(Base64.decodeBase64(sign.getBytes("UTF-8")));
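The signing steps above, carried through end to end as an added example (not Mobile Gateway Service code): it assembles the Url, builds stringToSign and checks an MD5 signature. It assumes Query and Form parameters are merged into one map with values used as received, and that the caller passes "" as Content-MD5 in the cases the page lists; the class and method names, sample path, parameters and salt are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
public class GatewaySignatureCheck {
    // Content-MD5 for a non-Form body: Base64 of the MD5 of the body bytes.
    static String contentMd5OfBody(byte[] body) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("MD5").digest(body));
    }

    // Url: Path alone, or Path?Key1=Value1&... with keys sorted and only the first value used.
    static String buildUrl(String path, Map<String, List<String>> params) {
        if (params.isEmpty()) return path;
        StringJoiner joined = new StringJoiner("&");
        for (Map.Entry<String, List<String>> e : new TreeMap<>(params).entrySet()) {
            joined.add(e.getKey() + "=" + e.getValue().get(0));
        }
        return path + "?" + joined;
    }

    // The "\n" after Content-MD5 is kept even when Content-MD5 is "".
    static String stringToSign(String method, String contentMd5, String url) {
        return method.toUpperCase(Locale.ROOT) + "\n" + contentMd5 + "\n" + url;
    }

    static String md5Sign(String stringToSign, String salt) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest((stringToSign + salt).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : d) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    static boolean verify(String received, String stringToSign, String salt) throws Exception {
        // Constant-time comparison of the received and locally computed hex strings.
        return MessageDigest.isEqual(received.getBytes(StandardCharsets.UTF_8),
                md5Sign(stringToSign, salt).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Map<String, List<String>> params = Map.of( // constructed sample parameters
                "d", List.of("4"), "b", List.of("2", "second-value-ignored"));
        String sts = stringToSign("post", "", buildUrl("/demo/path", params)); // Form body
        System.out.println(sts.replace("\n", "\\n"));
        String salt = "constructed-salt";
        String sign = md5Sign(sts, salt); // stands in for the signature sent by the gateway
        System.out.println(verify(sign, sts, salt));
        System.out.println(verify(sign, sts + "&e=5", salt)); // request altered after signing
    }
}
```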