问题描述
我正在尝试通过 Xamarin.Forms 项目与 Apple Music API 通信。由于 Microsoft ECDsa 实现在 Xamarin.Android 和 Xamarin.iOS 上不可用,我正在尝试使用 Portable.BouncyCastle Nuget 包解决该限制。总体而言,该过程似乎按预期工作,但在尝试使用签名的开发人员令牌调用 Apple Music API 时,我总是收到 HTTP/2 401。
我有一个可用的 MS ECDsa 实现,我在 ASP.NET Core 项目中使用它与 Apple 推送通知服务进行通信,因此我编写了一个快速的小演示工具,可以在两种方法中生成密钥,结果:签名不匹配并且 MS ECDsa 变体确实有效,我从 Apple 获得了正确的 API 响应。
我在网上看了很多样本,但我看不出我到底做错了什么,所以也许这里有人可以指出我正确的方向。
充气城堡方法:
public static AsymmetricCipherKeyPair GetKeys(string data)
{
var tag = $"{_className}.GetECDsa";
try
{
byte[] byteArray = Encoding.ASCII.GetBytes(data);
MemoryStream stream = new MemoryStream(byteArray);
using (TextReader reader = new StreamReader(stream))
{
var ecPrivateKeyParameters =
(ECPrivateKeyParameters)new PemReader(reader).ReadObject();
var q = ecPrivateKeyParameters.Parameters.G.Multiply(ecPrivateKeyParameters.D).Normalize();
var ecPublicKeyParameters = new ECPublicKeyParameters(q,ecPrivateKeyParameters.Parameters);
return new AsymmetricCipherKeyPair(ecPublicKeyParameters,ecPrivateKeyParameters);
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
public static string CreateToken(AsymmetricCipherKeyPair keyPair,string p8privateKeyId,string teamId,DateTime date)
{
var tag = $"{_className}.CreateJwtToken";
try
{
var header = JsonHelper.Serialize(new { alg = "ES256",kid = p8privateKeyId });
var payload = JsonHelper.Serialize(new { iss = teamId,iat = ToEpoch(date),exp = ToEpoch(date.AddSeconds(15777000)) });
var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
var payloadBasae64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
var unsignedJwtData = $"{headerBase64}.{payloadBasae64}";
var signature = GetSignature(unsignedJwtData,keyPair);
return $"{unsignedJwtData}.{Convert.ToBase64String(signature)}";
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
private static int ToEpoch(DateTime time)
{
var span = DateTime.UtcNow - new DateTime(1970,1,1);
return Convert.ToInt32(span.TotalSeconds);
}
private static byte[] GetSignature(string plainText,AsymmetricCipherKeyPair key)
{
var encoder = new UTF8Encoding();
var inputData = encoder.GetBytes(plainText);
var signer = SignerUtilities.GetSigner("SHA-256withECDSA");
signer.Init(true,key.Private);
signer.BlockUpdate(inputData,inputData.Length);
return signer.GenerateSignature();
}
MS ECDsa 方法:
public static string GetPrivateKey(string p8privateKey)
{
var tag = $"{_className}.GetPrivateKey";
try
{
var dsa = GetECDsa(p8privateKey);
var keyBytes = dsa.ExportPkcs8PrivateKey();
return Convert.ToBase64String(keyBytes);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
private static ECDsa GetECDsa(string p8privateKey)
{
var tag = $"{_className}.GetECDsa";
try
{
byte[] byteArray = Encoding.ASCII.GetBytes(p8privateKey);
MemoryStream stream = new MemoryStream(byteArray);
using (TextReader reader = new StreamReader(stream))
{
var ecPrivateKeyParameters =
(ECPrivateKeyParameters)new PemReader(reader).ReadObject();
var q = ecPrivateKeyParameters.Parameters.G.Multiply(ecPrivateKeyParameters.D).Normalize();
return ECDsa.Create(new ECParameters
{
Curve = ECCurve.CreateFromValue(ecPrivateKeyParameters.PublicKeyParamSet.Id),D = ecPrivateKeyParameters.D.ToByteArrayUnsigned(),Q =
{
X = q.XCoord.GetEncoded(),Y = q.YCoord.GetEncoded()
}
});
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
public static string CreateJwtToken(string p8privateKey,exp = ToEpoch(date.AddSeconds(15777000)) });
using var dsa = ECDsa.Create("ECDsa");
var keyBytes = Convert.FromBase64String(p8privateKey);
dsa.ImportPkcs8PrivateKey(keyBytes,out _);
var headerBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(header));
var payloadBasae64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
var unsignedJwtData = $"{headerBase64}.{payloadBasae64}";
var unsignedJwtBytes = Encoding.UTF8.GetBytes(unsignedJwtData);
var signature = dsa.SignData(unsignedJwtBytes,unsignedJwtBytes.Length,HashAlgorithmName.SHA256);
return $"{unsignedJwtData}.{Convert.ToBase64String(signature)}";
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return null;
}
期待您的反馈。
解决方法
感谢 Topaco 的评论,我用 SHA-256withPLAIN-ECDSA
测试并解决了问题。签名并不相同,但 Apple Music API 接受签名的 JWT 令牌并正确响应。所以感谢 Topaco 指出这一点。