这是一个创建于 1667 天前的主题,其中的信息可能已经有所发展或是发生改变。
我最近在做 paypal 支付,需要校验异步通知是否伪造的,根据校验规则是 To generate the signature, PayPal concatenates and separates these items with the pipe (|) character. To alidate a signature, use this input string:
这里有详细的参数校验规则
https://developer.paypal.com/docs/api-basics/notifications/webhooks/notification-messages/
原始数据如下
Client_pid: 124700 Content-Type: application/json Correlation-Id: 79c56327c8eb6 Dfb0bc8d2e7022fa68259b0ae4e76bff: tag Paypal-Auth-Algo: SHA256withRSA Paypal-Auth-Version: v2 Paypal-Cert-Url: https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-7a8abba8 Paypal-Transmission-Id: c8defdc0-c51e-11eb-b07a-7921b31043db Paypal-Transmission-Sig: k4pSxwMwn8I5ZcUplN2s4HUtZTueQ39hvdj8a8ozzsSP9+moZnexuiu6jD/RXKe49F+JsRqlkAoIac71D47FztZsME+gogT28Wyj8vdOa7RHyxW1qmOsAkL+7POfqv+qJhLeivfjjABMBnTUptJTHEBjAJe/OgAbBjb5RSFI18HXHqToAlNJzhjsfqAf02AL2a1NZvfVItsZ8/mqWlu6pQPRLlbOFQ4EdE4CIWL4stIyRLvjfye07XM6JMtC/FCqG7fVRya7TbYskNInEianSjDY1xKlOs48KJwEmi2dMYC2WBjkuTnhw3oAKztGHd91sDTWwmZum6ToxAXIaZL0Zw== Paypal-Transmission-Time: 2021-06-04T10:22:37Z X-Daa-Tunnel: hop_count=1 X-Forwarded-For: 173.0.80.116 X-Forwarded-Proto: https X-Nws-Log-Uuid: 13526949154786814179 X-Tencent-Ua: Qcloud Accept-Encoding: gzip {"id":"WH-9XW19278373474026-31R040160R341690F","event_version":"1.0","create_time":"2021-06-04T10:22:33.352Z","resource_type":"refund","resource_version":"2.0","event_type":"PAYMENT.CAPTURE.REFUNDED","summary":"A $ 30.0 USD capture payment was refunded","resource":{"seller_payable_breakdown":{"total_refunded_amount":{"value":"30.00","currency_code":"USD"},"paypal_fee":{"value":"1.02","currency_code":"USD"},"gross_amount":{"value":"30.00","currency_code":"USD"},"net_amount":{"value":"28.98","currency_code":"USD"}},"amount":{"value":"30.00","currency_code":"USD"},"update_time":"2021-06-04T03:22:06-07:00","create_time":"2021-06-04T03:22:06-07:00","invoice_id":"202106041822037167","links":[{"method":"GET","rel":"self","href":"https://api.sandbox.paypal.com/v2/payments/refunds/0VS41158VR447232A"},{"method":"GET","rel":"up","href":"https://api.sandbox.paypal.com/v2/payments/captures/7YH3814131008200K"}],"id":"0VS41158VR447232A","note_to_payer":"Defective producgd","status":"COMPLETED"},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F/resend","rel":"resend","method":"POST"}]} 证书可以通过这个连接下载
https://api.sandbox.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-7a8abba8 $Paypal_Transmission_Id="c8defdc0-c51e-11eb-b07a-7921b31043db"; $Paypal_Transmission_Time="2021-06-04T10:22:37Z"; $wh_id="WH-9XW19278373474026-31R040160R341690F"; $json ='{"id":"WH-9XW19278373474026-31R040160R341690F","event_version":"1.0","create_time":"2021-06-04T10:22:33.352Z","resource_type":"refund","resource_version":"2.0","event_type":"PAYMENT.CAPTURE.REFUNDED","summary":"A $ 30.0 USD capture payment was refunded","resource":{"seller_payable_breakdown":{"total_refunded_amount":{"value":"30.00","currency_code":"USD"},"paypal_fee":{"value":"1.02","currency_code":"USD"},"gross_amount":{"value":"30.00","currency_code":"USD"},"net_amount":{"value":"28.98","currency_code":"USD"}},"amount":{"value":"30.00","currency_code":"USD"},"update_time":"2021-06-04T03:22:06-07:00","create_time":"2021-06-04T03:22:06-07:00","invoice_id":"202106041822037167","links":[{"method":"GET","rel":"self","href":"https://api.sandbox.paypal.com/v2/payments/refunds/0VS41158VR447232A"},{"method":"GET","rel":"up","href":"https://api.sandbox.paypal.com/v2/payments/captures/7YH3814131008200K"}],"id":"0VS41158VR447232A","note_to_payer":"Defective producgd","status":"COMPLETED"},"links":[{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F","rel":"self","method":"GET"},{"href":"https://api.sandbox.paypal.com/v1/notifications/webhooks-events/WH-9XW19278373474026-31R040160R341690F/resend","rel":"resend","method":"POST"}]}'; $str = crc32($json); $pem = file_get_contents("./1.pem"); $pubkeyid = openssl_get_publickey($pem); $data= $Paypal_Transmission_Id."|".$Paypal_Transmission_Time."|".$wh_id."|".$str; // state whether signature is okay or not $signature = "k4pSxwMwn8I5ZcUplN2s4HUtZTueQ39hvdj8a8ozzsSP9+moZnexuiu6jD/RXKe49F+JsRqlkAoIac71D47FztZsME+gogT28Wyj8vdOa7RHyxW1qmOsAkL+7POfqv+qJhLeivfjjABMBnTUptJTHEBjAJe/OgAbBjb5RSFI18HXHqToAlNJzhjsfqAf02AL2a1NZvfVItsZ8/mqWlu6pQPRLlbOFQ4EdE4CIWL4stIyRLvjfye07XM6JMtC/FCqG7fVRya7TbYskNInEianSjDY1xKlOs48KJwEmi2dMYC2WBjkuTnhw3oAKztGHd91sDTWwmZum6ToxAXIaZL0Zw=="; $ok = openssl_verify($data, $signature, $pubkeyid,'SHA256'); var_dump($ok);die(); 但是检验的结果是false,能帮我检查一下是哪里写错了吗
9 条回复 2021-06-06 10:54:24 +08:00
 | 1 rockyliang 2021-06-05 20:40:03 +08:00 我都是直接用 paypal 的 api 来做校验: https://developer.paypal.com/docs/api/webhooks/v1/#verify-webhook-signature |
 | 2 dzdh 2021-06-05 21:11:16 +08:00 我记得要 base64_decode 一下? |
 | 3 thunderw 2021-06-05 21:42:13 +08:00 https://www.bahjeez.com/validating-paypal-webhooks-offline-almost/ webhook ID 看上去不是 WH-开头那个。 另外 signature 要 decode 一下 base64_decode($signature) |
| 4 thunderw 2021-06-05 21:46:04 +08:00 <webhookid> is the ID that PayPal assigned to your webhook when you created it. You can find this a few different places: If you used the Webhooks API to create the webhook, this would have been the value of /id in the response. You can use the List All Webhooks API to see the webhooks you have registered. You can grab the webhook ID from there. You can also see your webhooks from developer.paypal.com. (Go to the Dashboard, then the My Apps & Credentials page. Scroll down to the REST API Apps section and find your REST app. Click on it, then scroll down to the “Sandbox Webhooks” or “Live Webhooks” section. The webhook ID will be displayed in the “Webhook ID” column.) |
 | 5 fiypig 2021-06-05 21:53:05 +08:00 via iPhone 分段加解密 |
 | 6 cs5117155 OP @thunderw 果然是要 base64_decode($signature),webhook ID 是后台配置固定的那个。而且我也很佩服你搜什么关键字找到这个 https://www.bahjeez.com/validating-paypal-webhooks-offline-almost/ 连接,我谷歌一上午找不到合适的答案 |
| 7 cs5117155 OP @rockyliang 这个每次收到异步请求,都要再 post 请求一次,我怕会担心资源消耗 |
Select Language