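I know I probably shouldn't be doing this in Perl, but humor me:
Trying to verify the signature of a PayPal REST API 2 webhook. "raw_query" is the HTTP payload sent by PayPal, CRC32-encoded as per PayPal. For convenience the public key certificate is hard-coded (downloaded from PayPal and checked).
wh_id is the Webhook ID from the PayPal developer backend (from when you add a webhook to your app).
Does anyone know why this always fails to verify?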
use Crypt::OpenSSL::X509;
use Crypt::OpenSSL::RSA;
use MIME::Base64;      # decode_base64
use String::CRC32;     # crc32 (assumption: the post does not show which module supplies it)
#$wh_id and %ppn are set elsewhere in the script (not shown in the post)
#The X509 Public Key Cert provided by PayPal (redacted)
my $pp='-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----';
#Create the original message that would have been signed by PayPal
my $msg=$ENV{'HTTP_PAYPAL_TRANSMISSION_ID'}.'|'.$ENV{'HTTP_PAYPAL_TRANSMISSION_TIME'}.'|'.$wh_id.'|'.crc32($ppn{'raw_query'});
#Get a Crypt::OpenSSL::RSA object from the X509 Public Key provided by PayPal
my $x509 = Crypt::OpenSSL::X509->new_from_string($pp);
my $rsa = Crypt::OpenSSL::RSA->new_public_key($x509->pubkey());
$rsa->use_pkcs1_padding();
$rsa->use_sha256_hash();
#Base64-Decode the signature provided by PayPal
my $pp_sig = decode_base64($ENV{'HTTP_PAYPAL_TRANSMISSION_SIG'});
#Do the verification
if ($rsa->verify($msg,$pp_sig)){
    #Signature verified
}
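An added example, not part of the original post and not PayPal's code: the same check run end to end against constructed data, showing how the signed string `id|time|webhook_id|crc32(raw body)` depends on the exact body bytes and on the webhook ID. Assumptions: a throwaway key pair generated locally stands in for the key in PayPal's certificate, all header values, IDs and the body are constructed, `Compress::Zlib::crc32` is used as the CRC32 implementation, and the helper names `signed_message` and `verify_webhook` are hypothetical.

```perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw(encode_base64 decode_base64);
use Compress::Zlib ();    # core module; its crc32() returns an unsigned integer

# String covered by the signature:
# transmission id | transmission time | webhook id | CRC32 of the raw body, in decimal.
sub signed_message {
    my ($h, $webhook_id, $raw_body) = @_;
    return join '|', $h->{id}, $h->{time}, $webhook_id, Compress::Zlib::crc32($raw_body);
}

# Check a base64 RSA/SHA-256 signature over that string with a PEM public key.
# Any exception raised inside verify() is treated as a failed verification.
sub verify_webhook {
    my ($pub_pem, $h, $webhook_id, $raw_body) = @_;
    my $rsa = Crypt::OpenSSL::RSA->new_public_key($pub_pem);
    $rsa->use_sha256_hash();
    my $sig = decode_base64($h->{sig});
    my $ok  = eval { $rsa->verify(signed_message($h, $webhook_id, $raw_body), $sig) };
    return $ok ? 1 : 0;
}

# --- Constructed test data (assumption: local key pair, not PayPal's) ---
my $signer = Crypt::OpenSSL::RSA->generate_key(2048);
$signer->use_sha256_hash();
my $pub_pem    = $signer->get_public_key_x509_string();
my $webhook_id = 'WH-EXAMPLE-0001';
my $raw_body   = '{"id":"EVT-1","amount":{"value":"10.00"}}';
my %h          = (id => 'tx-0001', time => '2024-01-01T00:00:00Z');
$h{sig} = encode_base64($signer->sign(signed_message(\%h, $webhook_id, $raw_body)), '');

# Case 1: the body exactly as it was signed.
printf "raw body as received : %d\n", verify_webhook($pub_pem, \%h, $webhook_id, $raw_body);

# Case 2: the same JSON re-serialised with one extra space, which changes its CRC32.
(my $reencoded = $raw_body) =~ s/":"/": "/;
printf "re-serialised body   : %d\n", verify_webhook($pub_pem, \%h, $webhook_id, $reencoded);

# Case 3: correct body, but a webhook ID other than the one in the signed string.
printf "different webhook id : %d\n", verify_webhook($pub_pem, \%h, 'WH-OTHER-0002', $raw_body);
```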