Delphi DLL
Delphi DLL
ebay: Add Digital Signature to HTTP Request
See more eBay Examples
Demonstrates how to add a digital signature to an ebay HTTP request.Chilkat Delphi DLL Downloads
uses
Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Http, CkDateTime, HttpResponse, StringBuilder, BinData, PrivateKey, EdDSA;
...
procedure TForm1.Button1Click(Sender: TObject);
var
success: Boolean;
strPrivateKey: PWideChar;
strPublicKey: PWideChar;
strJwe: PWideChar;
sbBody: HCkStringBuilder;
sbSigBase: HCkStringBuilder;
sbSigInput: HCkStringBuilder;
dt: HCkDateTime;
unixTimeNow: PWideChar;
bdPrivKey: HCkBinData;
privKey: HCkPrivateKey;
bdToBeSigned: HCkBinData;
eddsa: HCkEdDSA;
sigBase64: PWideChar;
http: HCkHttp;
sbContentDigestHdr: HCkStringBuilder;
sbSigHdr: HCkStringBuilder;
url: PWideChar;
jsonStr: PWideChar;
resp: HCkHttpResponse;
begin
success := False;
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// Note: Ebay provides a Key Management API
// See https://developer.ebay.com/api-docs/developer/key-management/overview.html
// The following test keys can be used:
//
// Ed25519
//
// Private Key:
//
// -----BEGIN PRIVATE KEY-----
// MC4CAQAwBQYDK2VwBCIEIJ+DYvh6SEqVTm50DFtMDoQikTmiCqirVv9mWG9qfSnF
// -----END PRIVATE KEY-----
strPrivateKey := 'MC4CAQAwBQYDK2VwBCIEIJ+DYvh6SEqVTm50DFtMDoQikTmiCqirVv9mWG9qfSnF';
//
// Public Key:
//
// -----BEGIN PUBLIC KEY-----
// MCowBQYDK2VwAyEAJrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=
// -----END PUBLIC KEY-----
strPublicKey := 'MCowBQYDK2VwAyEAJrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=';
// This example assumes you got a JWE for your given private key from the Ebay Key Management REST API.
// This JWE is just for example:
strJwe := 'eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiSXh2dVRMb0FLS0hlS0Zoa3BxQ05CUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiaFd3YjNoczk2QzEyOTNucCJ9.2o02pR9SoTF4g_5qRXZm6tF4H52TarilIAKxoVUqjd8.3qaF0KJN-rFHHm_P.AMUAe9PPduew09mANIZ-O_68CCuv6EIx096rm9WyLZnYz5N1WFDQ3jP0RBkbaOtQZHImMSPXIHVaB96RWshLuJsUgCKmTAwkPVCZv3zhLxZVxMXtPUuJ-ppVmPIv0NzznWCOU5Kvb9Xux7ZtnlvLXgwOFEix-BaWNomUAazbsrUCbrp514GIea3butbyxXLNi6R9TJUNh8V2uan-optT1MMyS7eMQnVGL5rYBULk.9K5ucUqAu0DqkkhgubsHHw';
sbBody := CkStringBuilder_Create();
CkStringBuilder_Append(sbBody,'{"hello": "world"}');
Memo1.Lines.Add('Body of request:');
Memo1.Lines.Add(CkStringBuilder__getAsString(sbBody));
// -------------------------------------------------
// Build the signature base string...
sbSigBase := CkStringBuilder_Create();
CkStringBuilder_Append(sbSigBase,'"content-digest": sha-256=:');
CkStringBuilder_Append(sbSigBase,CkStringBuilder__getHash(sbBody,'sha256','base64','utf-8'));
CkStringBuilder_Append(sbSigBase,':' + #10);
CkStringBuilder_Append(sbSigBase,'"x-ebay-signature-key": ');
CkStringBuilder_Append(sbSigBase,strJwe);
CkStringBuilder_Append(sbSigBase,#10);
CkStringBuilder_Append(sbSigBase,'"@method": POST' + #10);
// This is the path part of the URL without query params...
CkStringBuilder_Append(sbSigBase,'"@path": ');
CkStringBuilder_Append(sbSigBase,'/verifysignature');
CkStringBuilder_Append(sbSigBase,#10);
// The is the domain, such as "api.ebay.com" w/ port if the port is something unusual.
// In this example, we're testing against a local docker test server (see the info at https://developer.ebay.com/develop/guides/digital-signatures-for-apis)
// Normally, I think it would just be "api.ebay.com" instead of "localhost:8080".
CkStringBuilder_Append(sbSigBase,'"@authority": ');
CkStringBuilder_Append(sbSigBase,'localhost:8080');
CkStringBuilder_Append(sbSigBase,#10);
CkStringBuilder_Append(sbSigBase,'"@signature-params": ');
sbSigInput := CkStringBuilder_Create();
CkStringBuilder_Append(sbSigInput,'("content-digest" "x-ebay-signature-key" "@method" "@path" "@authority")');
CkStringBuilder_Append(sbSigInput,';created=');
dt := CkDateTime_Create();
CkDateTime_SetFromCurrentSystemTime(dt);
unixTimeNow := CkDateTime__getAsUnixTimeStr(dt,False);
CkStringBuilder_Append(sbSigInput,unixTimeNow);
CkStringBuilder_AppendSb(sbSigBase,sbSigInput);
// -------------------------------------------------
// Sign the signature base string using the Ed25519 private key
bdPrivKey := CkBinData_Create();
CkBinData_AppendEncoded(bdPrivKey,strPrivateKey,'base64');
privKey := CkPrivateKey_Create();
success := CkPrivateKey_LoadAnyFormat(privKey,bdPrivKey,'');
if (success = False) then
begin
Memo1.Lines.Add(CkPrivateKey__lastErrorText(privKey));
Exit;
end;
bdToBeSigned := CkBinData_Create();
CkBinData_AppendSb(bdToBeSigned,sbSigBase,'utf-8');
eddsa := CkEdDSA_Create();
sigBase64 := CkEdDSA__signBdENC(eddsa,bdToBeSigned,'base64',privKey);
if (CkEdDSA_getLastMethodSuccess(eddsa) = False) then
begin
Memo1.Lines.Add(CkEdDSA__lastErrorText(eddsa));
Exit;
end;
Memo1.Lines.Add('sigBase64:');
Memo1.Lines.Add(sigBase64);
// ----------------------------------------------------------
// Send the JSON POST
http := CkHttp_Create();
CkHttp_SetRequestHeader(http,'x-ebay-signature-key',strJwe);
sbContentDigestHdr := CkStringBuilder_Create();
CkStringBuilder_Append(sbContentDigestHdr,'sha-256=:');
CkStringBuilder_Append(sbContentDigestHdr,CkStringBuilder__getHash(sbBody,'sha256','base64','utf-8'));
CkStringBuilder_Append(sbContentDigestHdr,':');
CkHttp_SetRequestHeader(http,'Content-Digest',CkStringBuilder__getAsString(sbContentDigestHdr));
sbSigHdr := CkStringBuilder_Create();
CkStringBuilder_Append(sbSigHdr,'sig1=:');
CkStringBuilder_Append(sbSigHdr,sigBase64);
CkStringBuilder_Append(sbSigHdr,':');
CkHttp_SetRequestHeader(http,'Signature',CkStringBuilder__getAsString(sbSigHdr));
CkStringBuilder_Prepend(sbSigInput,'sig1=');
CkHttp_SetRequestHeader(http,'Signature-Input',CkStringBuilder__getAsString(sbSigInput));
// Add this header to make eBay actually check the signature.
CkHttp_SetRequestHeader(http,'x-ebay-enforce-signature','true');
// Set the OAuth2 access token to add the "Authorization: Bearer <access_token>" to the header.
CkHttp_putAuthToken(http,'your_oauth2_access_token');
// The signature base string constructed above is valid if we send this POST to "http://localhost:8080/verifysignature"
// Normally, you'll send your POST to some api.ebay.com endpoint.
url := 'http://localhost:8080/verifysignature';
jsonStr := CkStringBuilder__getAsString(sbBody);
resp := CkHttpResponse_Create();
success := CkHttp_HttpStr(http,'POST','http://localhost:8080/verifysignature',jsonStr,'utf-8','application/json',resp);
if (success = False) then
begin
Memo1.Lines.Add(CkHttp__lastErrorText(http));
Exit;
end;
Memo1.Lines.Add('Response status code: ' + IntToStr(CkHttpResponse_getStatusCode(resp)));
Memo1.Lines.Add('Response body:');
Memo1.Lines.Add(CkHttpResponse__bodyStr(resp));
CkStringBuilder_Dispose(sbBody);
CkStringBuilder_Dispose(sbSigBase);
CkStringBuilder_Dispose(sbSigInput);
CkDateTime_Dispose(dt);
CkBinData_Dispose(bdPrivKey);
CkPrivateKey_Dispose(privKey);
CkBinData_Dispose(bdToBeSigned);
CkEdDSA_Dispose(eddsa);
CkHttp_Dispose(http);
CkStringBuilder_Dispose(sbContentDigestHdr);
CkStringBuilder_Dispose(sbSigHdr);
CkHttpResponse_Dispose(resp);
end;