2

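I am new to aws-services and amazon-pay-services. I am trying to add Instant Payment Notification (IPN) for the Amazon Pay service. I am going through the IPN-doc, which mentions that we need to verify the signature of the IPN-body, similar to aws-sns-sign-verify.

So I am a bit confused here.

According to the aws-sns documentation, the POST request will look like this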

POST / HTTP/1.1
x-amz-sns-message-type: Notification
x-amz-sns-message-id: da41e39f-ea4d-435a-b922-c6aae3915ebe
x-amz-sns-topic-arn: arn:aws:sns:us-west-2:123456789012:MyTopic
x-amz-sns-subscription-arn: arn:aws:sns:us-west-2:123456789012:MyTopic:2bcfbf39-05c3-41de-beaa-fcfcc21c8f55
Content-Length: 761
Content-Type: text/plain; charset=UTF-8
Host: ec2-50-17-44-49.compute-1.amazonaws.com
Connection: Keep-Alive
User-Agent: Amazon Simple Notification Service Agent

{
  "Type" : "Notification",
  "MessageId" : "da41e39f-ea4d-435a-b922-c6aae3915ebe",
  "TopicArn" : "arn:aws:sns:us-west-2:123456789012:MyTopic",
  "Subject" : "test",
  "Message" : "test message",
  "Timestamp" : "2012-04-25T21:49:25.719Z",
  "SignatureVersion" : "1",
  "Signature" : "EXAMPLElDMXvB8r9R83tGoNn0ecwd5UjllzsvSvbItzfaMpN2nk5HVSw7XnOn/49IkxDKz8YrlH2qJXj2iZB0Zo2O71c4qQk1fMUDi3LGpij7RCW7AW9vYYsSqIKRnFS94ilu7NFhUzLiieYr4BKHpdTmdD6c0esKEYBpabxDSc=",
  "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem",
  "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:MyTopic:2bcfbf39-05c3-41de-beaa-fcfcc21c8f55"
} 

And the POST request for amazon-pay-IPN looks like this

POST /SPN_project2/iopn HTTP/1.1
x-amz-sns-message-type: Notification
x-amz-sns-message-id: 4227aa54-ccf8-5a2a-8038-fb740d9f65d6
x-amz-sns-topic-arn: arn:aws:sns:eu-west-1:598607868003:A18VPDB9UTK24DA3GEDG4FJC14BQ
x-amz-sns-subscription-arn: arn:aws:sns:eu-west-1:598607868003:A18VPDB9UTK24DA3GEDG4FJC14BQ:993a0851-1b8d-4e0c-a48a-c4b2cbd17036
Content-Length: 2301
Content-Type: text/plain; charset=UTF-8
Host: ded73b97.ngrok.io
User-Agent: Amazon Simple Notification Service Agent
Accept-Encoding: gzip,deflate
X-Forwarded-Proto: https
X-Forwarded-For: 54.240.197.7

{

  "Type" : "Notification",
  "MessageId" : "4227aa54-ccf8-5a2a-8038-fb740d9f65d6",
  "TopicArn" : "arn:aws:sns:eu-west-1:598607868003:A18VPDB9UTK24DA3GEDG4FJC14BQ",
  "Message" : "{\"ReleaeEnvironment\":\"Live\",\"MarketplaceID\":\"220451\",\"Version\":\"2013-01-01\",\"NotificationType\":\"OrderReferenceNotification\",\"SellerId\":\"A3GEDG4FJC14BQ\",\"NotificationReferenceId\":\"f80ab4f0-82ca-42c8-a0d1-9b07f5b3fa30\",\"Timestamp\":\"2017-02-17T09:15:18.679Z\",\"NotificationData\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><ChargeTransactionNotification xmlns=\\\"https://mws.amazonservices.com/ipn/OffAmazonPayments/2013-01-01\\\">\\n    <ChargeTransactionDetails>\\n        <OrderID>P04-5366666-6431174<\\/OrderID>\\n        <SellerReferenceId>test<\\/SellerReferenceId>\\n        <Amount>\\n            <Amount>10.0<\\/Amount>\\n            <CurrencyCode>INR<\\/CurrencyCode>\\n        <\\/Amount>\\n        <TotalFee>\\n            <Amount>0.0<\\/Amount>\\n            <CurrencyCode>INR<\\/CurrencyCode>\\n        <\\/TotalFee>\\n        <PaymentModes/>\\n        <FeeBreakup/>\\n        <CreationTimestamp>2017-02-17T09:00:13.592Z<\\/CreationTimestamp>\\n        <Status>\\n            <State>Declined<\\/State>\\n            <LastUpdateTimestamp>2017-02-17T09:15:13.879Z<\\/LastUpdateTimestamp>\\n            <ReasonCode>SessionExpired<\\/ReasonCode>\\n            <ReasonDescription>Session Expired<\\/ReasonDescription>\\n        <\\/Status>\\n    <\\/ChargeTransactionDetails>\\n<\\/ChargeTransactionNotification>\"}",
  "Timestamp" : "2017-02-17T09:15:19.922Z",
  "SignatureVersion" : "1",
  "Signature" : "FIRgFXytZTrpt4axHOHqVto+hbXadKhCnP2gfGaII3+6Jnawz939iT/KW4Z8wVYed3s+EGtC+xM3JCBVNJ5m7Ctf4bZZ9rFy+7Y7hAS/c18J1bNeEbEz2l0WQvpI4MDzH5/mmSVEWawfwX6zPE0R9U9kT81hac7a/NRedbUnJpOQCytCbTHxCn/k1s4WQQpXwIPnOVyp0x3Dj7ofkhJNB7bZk2bQET22DaOpSg01I4/KTU5t1iFzYVeoVRa3BcnB+X9d5GEdbmKjGg0SHhVSkzq0Qx3cpcipiyXzqv1IR62wxlpVC1yYkGXiw5uNU9k8QIweAoO4TuzR1IwYakTO3g==",
  "SigningCertURL" : "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
  "UnsubscribeURL" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:598607868003:A18VPDB9UTK24DA3GEDG4FJC14BQ:993a0851-1b8d-4e0c-a48a-c4b2cbd17036"
}

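As we can see, in the case of sns-service, the Message field of the body has a plain string value (i.e. test message in the example above).

But in the case of Amazon-pay-IPN-service, the Message field of the body has a string-type value, but it contains json-data, a lot of escape characters, and an xml-string.

So, when doing signature verification in the IPN service, do I need to handle this extra data in the Message field when creating the canonical message? Will this extra data in the IPN-body (json, xml-str, escape-char) have any effect on the signature verification process?

Any help would be appreciated. Thanks.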

4

2 Answers

0

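Deserialize the entire body using a JSON library.

Message is a string, and anything that SNS escaped will be handled correctly for signature verification. The meaning of the string doesn't matter at this point -- it will validate in its correct form.

Then, after verifying the signature, deserialize the Message string again using the JSON library, and you will get the final message as a valid object that you can then process.

Answered 2018-03-06T02:35:41.427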
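The two-stage decode described in the answer above, as an added example that is not part of the original post or of any Amazon SDK. It builds the SNS string-to-sign for a SignatureVersion 1 Notification from the decoded envelope and shows that two different wire escapings of the same IPN body produce the same string; the envelope values and the names string_to_sign and inner_notification are constructed for illustration.

```python
import json

# Fields SNS signs for Type=Notification (SignatureVersion 1), in this order.
# Subject is included only when the envelope carries it (the IPN body does not).
NOTIFICATION_KEYS = ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type")


def string_to_sign(envelope: dict) -> str:
    """Build the canonical string from the *decoded* envelope values."""
    if envelope.get("Type") != "Notification":
        raise ValueError("only Notification envelopes are handled here")
    if envelope.get("SignatureVersion") != "1":
        raise ValueError("unexpected SignatureVersion")
    # Each signed field contributes "<name>\n<value>\n"; Message is used as the
    # plain string the JSON parser returned, whatever it happens to contain.
    return "".join(f"{k}\n{envelope[k]}\n" for k in NOTIFICATION_KEYS if k in envelope)


def inner_notification(envelope: dict) -> dict:
    """Second decode of Message; call this only after the signature verified."""
    return json.loads(envelope["Message"])


# Constructed sample: the Message value is itself JSON text carrying XML.
INNER = r'{"NotificationType":"OrderReferenceNotification","NotificationData":"<State>Declined<\/State>"}'
ENVELOPE = {
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:eu-west-1:123456789012:ExampleTopic",
    "Message": INNER,
    "Timestamp": "2017-02-17T09:15:19.922Z",
    "SignatureVersion": "1",
    "Signature": "CONSTRUCTED-PLACEHOLDER",  # not part of the signed string
}

# Two valid wire encodings of the same envelope: B also escapes every "/".
WIRE_A = json.dumps(ENVELOPE)
WIRE_B = WIRE_A.replace("/", "\\/")

if __name__ == "__main__":
    a, b = json.loads(WIRE_A), json.loads(WIRE_B)
    print(WIRE_A != WIRE_B, string_to_sign(a) == string_to_sign(b))
    # The base64 Signature is then checked over string_to_sign(a) with
    # SHA1withRSA, using the certificate from SigningCertURL, before
    # inner_notification(a) is trusted.
    print(inner_notification(a)["NotificationData"])
```

Building the string by hand from the raw request text, rather than from the parsed values, is what makes verification fail on bodies like the IPN one.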
0

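Is there a reason you want to verify the IPN message manually? There are SDKs for major languages such as PHP, Java, Python, .NET/C# and Ruby that already implement IPN verification.

If you can't use any of these SDKs, you can still look at implementations such as the IpnHandler class of the PHP SDK or the NotificationVerification class of the Java SDK to understand how it works.

Answered 2018-03-05T18:52:16.547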