如何解决邮递员:使用SHA256和RSA的自定义签名请求
我编写了一个接口,以使用python向内部可听api发送请求。每个API请求都需要使用RSA SHA256签名。
现在,我想使用Postman测试API的端点,并使用预请求脚本功能。但是我对javascript不太了解。也许有人可以帮助我将以下python函数转换为Postman脚本:
def sign_request(
request: httpx.Request,adp_token: str,private_key: str
) -> httpx.Request:
"""
Helper function who creates a signed requests for authentication.
:param request: The request to be signed
:param adp_token: the token is obtained after register as device
:param private_key: the rsa key obtained after register as device
:returns: The signed request
"""
method = request.method
path = request.url.path
query = request.url.query
body = request.content.decode("utf-8")
date = datetime.utcnow().isoformat("T") + "Z"
if query:
path += f"?{query}"
data = f"{method}\n{path}\n{date}\n{body}\n{adp_token}"
key = rsa.PrivateKey.load_pkcs1(private_key.encode())
cipher = rsa.pkcs1.sign(data.encode(),key,"SHA-256")
signed_encoded = base64.b64encode(cipher)
signed_header = {
"x-adp-token": adp_token,"x-adp-alg": "SHA256withRSA:1.0","x-adp-signature": f"{signed_encoded.decode()}:{date}"
}
request.headers.update(signed_header)
return request
我发现了如何获取请求方法和主体。我可以获取路径并使用pm.request.url.getPathWithQuery()
进行查询。要将标头添加到请求中,请使用pm.request.headers.add
。
但是我不知道如何以等格式获取日期时间,连接字符串并签署数据。
解决方法
在Postman中进行此操作的问题在于,您只能使用sandbox中可用的那些软件包。因此,为此,您拥有crypto-js作为加密操作的唯一软件包助手。
var CryptoJS = require("crypto-js");
var moment = require("moment");
signRequest(pm.request,"yourAdpToken","yourPrivateKey")
function signRequest(request,adpToken,privateKey) {
const method = request.method;
const path = request.url.getPathWithQuery();
const body = request.body.raw;
const date = moment.utc().format();
const data = `${method}\n${path}\n${date}\n${body}\n${adpToken}`
const hash = CryptoJS.HmacSHA256(data,privateKey);
const signedEncoded = CryptoJS.enc.Base64.stringify(hash);
pm.request.headers.add({
key: 'x-adp-token',value: adpToken
});
pm.request.headers.add({
key: 'x-adp-alg',value: 'SHA256withRSA:1.0'
});
pm.request.headers.add({
key: 'x-adp-signature',value: `${CryptoJS.enc.Base64.parse(signedEncoded)}:${date}`
});
}
将以上内容添加到请求前脚本中,会将您需要的标头添加到请求中,如下所示:
您可能需要更改编码部分,检查encode options
,我让它与pm lib一起运行。谢谢您的帮助。
唯一的问题是从env var获取包含换行符的私人证书,这些代码sig.init(privateKey);
出错。我必须直接在预请求脚本中写私有证书字符串。
这是我的剧本。
eval( pm.globals.get('pmlib_code') );
var CryptoJS = require("crypto-js");
var moment = require("moment");
const adpToken = pm.environment.get("adp-token")
// private-key loaded from env var doesn't work because of newlines in it; bugfix
const privateKey = pm.environment.get("private-key")
// use private-key in pre request script directly make use of newline correctly
const privateKey2 = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...==\n-----END RSA PRIVATE KEY-----\n"
signRequest(pm.request,privateKey);
function signRequest(request,privateKey2) {
const method = request.method;
const path = request.url.getPathWithQuery();
const body = request.body || "";
const date = moment.utc().format();
const data = `${method}\n${path}\n${date}\n${body}\n${adpToken}`;
var sig = new pmlib.rs.KJUR.crypto.Signature({"alg": "SHA256withRSA"});
sig.init(privateKey);
var hash = sig.signString(data);
const signedEncoded = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Hex.parse(hash));
pm.request.headers.add({
key: 'x-adp-token',value: `${signedEncoded}:${date}`
});
}
更新:
现在从env var works中读取设备证书。我不得不将const privateKey = pm.environment.get("private-key")
替换为const privateKey = pm.environment.get("private-key").replace(/\\n/g,"\n")
fwiw 使用“jsrsasign-js”库对 Adobe Experience Manager 的 JWT 令牌进行 RS256 签名
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。