Sample code for 30+ languages & platforms
Delphi DLL

ebay: Add Digital Signature to HTTP Request

See more eBay Examples

Demonstrates how to add a digital signature to an ebay HTTP request.

Chilkat Delphi DLL Downloads

Delphi DLL
uses
    Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
    Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Http, CkDateTime, HttpResponse, StringBuilder, BinData, PrivateKey, EdDSA;

...

procedure TForm1.Button1Click(Sender: TObject);
var
success: Boolean;
strPrivateKey: PWideChar;
strPublicKey: PWideChar;
strJwe: PWideChar;
sbBody: HCkStringBuilder;
sbSigBase: HCkStringBuilder;
sbSigInput: HCkStringBuilder;
dt: HCkDateTime;
unixTimeNow: PWideChar;
bdPrivKey: HCkBinData;
privKey: HCkPrivateKey;
bdToBeSigned: HCkBinData;
eddsa: HCkEdDSA;
sigBase64: PWideChar;
http: HCkHttp;
sbContentDigestHdr: HCkStringBuilder;
sbSigHdr: HCkStringBuilder;
url: PWideChar;
jsonStr: PWideChar;
resp: HCkHttpResponse;

begin
success := False;

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// Note: Ebay provides a Key Management API
// See https://developer.ebay.com/api-docs/developer/key-management/overview.html

// The following test keys can be used: 
// 
// Ed25519 
// 
// Private Key:
// 
// -----BEGIN PRIVATE KEY-----
// MC4CAQAwBQYDK2VwBCIEIJ+DYvh6SEqVTm50DFtMDoQikTmiCqirVv9mWG9qfSnF
// -----END PRIVATE KEY-----

strPrivateKey := 'MC4CAQAwBQYDK2VwBCIEIJ+DYvh6SEqVTm50DFtMDoQikTmiCqirVv9mWG9qfSnF';

// 
// Public Key:
// 
// -----BEGIN PUBLIC KEY-----
// MCowBQYDK2VwAyEAJrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=
// -----END PUBLIC KEY-----

strPublicKey := 'MCowBQYDK2VwAyEAJrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=';

// This example assumes you got a JWE for your given private key from the Ebay Key Management REST API.
// This JWE is just for example:
strJwe := 'eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiSXh2dVRMb0FLS0hlS0Zoa3BxQ05CUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiaFd3YjNoczk2QzEyOTNucCJ9.2o02pR9SoTF4g_5qRXZm6tF4H52TarilIAKxoVUqjd8.3qaF0KJN-rFHHm_P.AMUAe9PPduew09mANIZ-O_68CCuv6EIx096rm9WyLZnYz5N1WFDQ3jP0RBkbaOtQZHImMSPXIHVaB96RWshLuJsUgCKmTAwkPVCZv3zhLxZVxMXtPUuJ-ppVmPIv0NzznWCOU5Kvb9Xux7ZtnlvLXgwOFEix-BaWNomUAazbsrUCbrp514GIea3butbyxXLNi6R9TJUNh8V2uan-optT1MMyS7eMQnVGL5rYBULk.9K5ucUqAu0DqkkhgubsHHw';

sbBody := CkStringBuilder_Create();
CkStringBuilder_Append(sbBody,'{"hello": "world"}');

Memo1.Lines.Add('Body of request:');
Memo1.Lines.Add(CkStringBuilder__getAsString(sbBody));

// -------------------------------------------------
// Build the signature base string...

sbSigBase := CkStringBuilder_Create();

CkStringBuilder_Append(sbSigBase,'"content-digest": sha-256=:');
CkStringBuilder_Append(sbSigBase,CkStringBuilder__getHash(sbBody,'sha256','base64','utf-8'));
CkStringBuilder_Append(sbSigBase,':' + #10);

CkStringBuilder_Append(sbSigBase,'"x-ebay-signature-key": ');
CkStringBuilder_Append(sbSigBase,strJwe);
CkStringBuilder_Append(sbSigBase,#10);

CkStringBuilder_Append(sbSigBase,'"@method": POST' + #10);

// This is the path part of the URL without query params...
CkStringBuilder_Append(sbSigBase,'"@path": ');
CkStringBuilder_Append(sbSigBase,'/verifysignature');
CkStringBuilder_Append(sbSigBase,#10);

// The is the domain, such as "api.ebay.com" w/ port if the port is something unusual.
// In this example, we're testing against a local docker test server (see the info at https://developer.ebay.com/develop/guides/digital-signatures-for-apis)
// Normally, I think it would just be "api.ebay.com" instead of "localhost:8080".
CkStringBuilder_Append(sbSigBase,'"@authority": ');
CkStringBuilder_Append(sbSigBase,'localhost:8080');
CkStringBuilder_Append(sbSigBase,#10);

CkStringBuilder_Append(sbSigBase,'"@signature-params": ');

sbSigInput := CkStringBuilder_Create();
CkStringBuilder_Append(sbSigInput,'("content-digest" "x-ebay-signature-key" "@method" "@path" "@authority")');
CkStringBuilder_Append(sbSigInput,';created=');

dt := CkDateTime_Create();
CkDateTime_SetFromCurrentSystemTime(dt);
unixTimeNow := CkDateTime__getAsUnixTimeStr(dt,False);
CkStringBuilder_Append(sbSigInput,unixTimeNow);

CkStringBuilder_AppendSb(sbSigBase,sbSigInput);

// -------------------------------------------------
// Sign the signature base string using the Ed25519 private key

bdPrivKey := CkBinData_Create();
CkBinData_AppendEncoded(bdPrivKey,strPrivateKey,'base64');

privKey := CkPrivateKey_Create();
success := CkPrivateKey_LoadAnyFormat(privKey,bdPrivKey,'');
if (success = False) then
  begin
    Memo1.Lines.Add(CkPrivateKey__lastErrorText(privKey));
    Exit;
  end;

bdToBeSigned := CkBinData_Create();
CkBinData_AppendSb(bdToBeSigned,sbSigBase,'utf-8');

eddsa := CkEdDSA_Create();
sigBase64 := CkEdDSA__signBdENC(eddsa,bdToBeSigned,'base64',privKey);
if (CkEdDSA_getLastMethodSuccess(eddsa) = False) then
  begin
    Memo1.Lines.Add(CkEdDSA__lastErrorText(eddsa));
    Exit;
  end;

Memo1.Lines.Add('sigBase64:');
Memo1.Lines.Add(sigBase64);

// ----------------------------------------------------------
// Send the JSON POST

http := CkHttp_Create();

CkHttp_SetRequestHeader(http,'x-ebay-signature-key',strJwe);

sbContentDigestHdr := CkStringBuilder_Create();
CkStringBuilder_Append(sbContentDigestHdr,'sha-256=:');
CkStringBuilder_Append(sbContentDigestHdr,CkStringBuilder__getHash(sbBody,'sha256','base64','utf-8'));
CkStringBuilder_Append(sbContentDigestHdr,':');
CkHttp_SetRequestHeader(http,'Content-Digest',CkStringBuilder__getAsString(sbContentDigestHdr));

sbSigHdr := CkStringBuilder_Create();
CkStringBuilder_Append(sbSigHdr,'sig1=:');
CkStringBuilder_Append(sbSigHdr,sigBase64);
CkStringBuilder_Append(sbSigHdr,':');
CkHttp_SetRequestHeader(http,'Signature',CkStringBuilder__getAsString(sbSigHdr));

CkStringBuilder_Prepend(sbSigInput,'sig1=');
CkHttp_SetRequestHeader(http,'Signature-Input',CkStringBuilder__getAsString(sbSigInput));

// Add this header to make eBay actually check the signature.
CkHttp_SetRequestHeader(http,'x-ebay-enforce-signature','true');

// Set the OAuth2 access token to add the "Authorization: Bearer <access_token>" to the header.
CkHttp_putAuthToken(http,'your_oauth2_access_token');

// The signature base string constructed above is valid if we send this POST to "http://localhost:8080/verifysignature"
// Normally, you'll send your POST to some api.ebay.com endpoint.
url := 'http://localhost:8080/verifysignature';

jsonStr := CkStringBuilder__getAsString(sbBody);
resp := CkHttpResponse_Create();
success := CkHttp_HttpStr(http,'POST','http://localhost:8080/verifysignature',jsonStr,'utf-8','application/json',resp);
if (success = False) then
  begin
    Memo1.Lines.Add(CkHttp__lastErrorText(http));
    Exit;
  end;

Memo1.Lines.Add('Response status code: ' + IntToStr(CkHttpResponse_getStatusCode(resp)));
Memo1.Lines.Add('Response body:');
Memo1.Lines.Add(CkHttpResponse__bodyStr(resp));

CkStringBuilder_Dispose(sbBody);
CkStringBuilder_Dispose(sbSigBase);
CkStringBuilder_Dispose(sbSigInput);
CkDateTime_Dispose(dt);
CkBinData_Dispose(bdPrivKey);
CkPrivateKey_Dispose(privKey);
CkBinData_Dispose(bdToBeSigned);
CkEdDSA_Dispose(eddsa);
CkHttp_Dispose(http);
CkStringBuilder_Dispose(sbContentDigestHdr);
CkStringBuilder_Dispose(sbSigHdr);
CkHttpResponse_Dispose(resp);

end;