(Swift 3,4,5...) ebay: Add Digital Signature to HTTP Request

See more eBay Examples

Demonstrates how to add a digital signature to an ebay HTTP request.

For more information, see https://developer.ebay.com/develop/guides/digital-signatures-for-apis

Chilkat Downloads for the Swift Programming Language MAC OS X (Cocoa) Objective-C/Swift Libs iOS Objective-C/Swift Libs

func chilkatTest() {
    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    var success: Bool

    // Note: Ebay provides a Key Management API
    // See https://developer.ebay.com/api-docs/developer/key-management/overview.html

    // The following test keys can be used: 
    // 
    // Ed25519 
    // 
    // Private Key:
    // 
    // -----BEGIN PRIVATE KEY-----
    // MC4CAQAwBQYDK2VwBCIEIJ+DYvh6SEqVTm50DFtMDoQikTmiCqirVv9mWG9qfSnF
    // -----END PRIVATE KEY-----

    var strPrivateKey: String? = "MC4CAQAwBQYDK2VwBCIEIJ+DYvh6SEqVTm50DFtMDoQikTmiCqirVv9mWG9qfSnF"

    // 
    // Public Key:
    // 
    // -----BEGIN PUBLIC KEY-----
    // MCowBQYDK2VwAyEAJrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=
    // -----END PUBLIC KEY-----

    var strPublicKey: String? = "MCowBQYDK2VwAyEAJrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs="

    // This example assumes you got a JWE for your given private key from the Ebay Key Management REST API.
    // This JWE is just for example:
    var strJwe: String? = "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiSXh2dVRMb0FLS0hlS0Zoa3BxQ05CUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiaFd3YjNoczk2QzEyOTNucCJ9.2o02pR9SoTF4g_5qRXZm6tF4H52TarilIAKxoVUqjd8.3qaF0KJN-rFHHm_P.AMUAe9PPduew09mANIZ-O_68CCuv6EIx096rm9WyLZnYz5N1WFDQ3jP0RBkbaOtQZHImMSPXIHVaB96RWshLuJsUgCKmTAwkPVCZv3zhLxZVxMXtPUuJ-ppVmPIv0NzznWCOU5Kvb9Xux7ZtnlvLXgwOFEix-BaWNomUAazbsrUCbrp514GIea3butbyxXLNi6R9TJUNh8V2uan-optT1MMyS7eMQnVGL5rYBULk.9K5ucUqAu0DqkkhgubsHHw"

    let sbBody = CkoStringBuilder()!
    sbBody.append("{\"hello\": \"world\"}")

    print("Body of request:")
    print("\(sbBody.getAsString()!)")

    // -------------------------------------------------
    // Build the signature base string...

    let sbSigBase = CkoStringBuilder()!

    sbSigBase.append("\"content-digest\": sha-256=:")
    sbSigBase.append(sbBody.getHash("sha256", encoding: "base64", charset: "utf-8"))
    sbSigBase.append(":\n")

    sbSigBase.append("\"x-ebay-signature-key\": ")
    sbSigBase.append(strJwe)
    sbSigBase.append("\n")

    sbSigBase.append("\"@method\": POST\n")

    // This is the path part of the URL without query params...
    sbSigBase.append("\"@path\": ")
    sbSigBase.append("/verifysignature")
    sbSigBase.append("\n")

    // The is the domain, such as "api.ebay.com" w/ port if the port is something unusual.
    // In this example, we're testing against a local docker test server (see the info at https://developer.ebay.com/develop/guides/digital-signatures-for-apis)
    // Normally, I think it would just be "api.ebay.com" instead of "localhost:8080".
    sbSigBase.append("\"@authority\": ")
    sbSigBase.append("localhost:8080")
    sbSigBase.append("\n")

    sbSigBase.append("\"@signature-params\": ")

    let sbSigInput = CkoStringBuilder()!
    sbSigInput.append("(\"content-digest\" \"x-ebay-signature-key\" \"@method\" \"@path\" \"@authority\")")
    sbSigInput.append(";created=")

    let dt = CkoDateTime()!
    dt.setFromCurrentSystemTime()
    var unixTimeNow: String? = dt.getAsUnixTimeStr(false)
    sbSigInput.append(unixTimeNow)

    sbSigBase.appendSb(sbSigInput)

    // -------------------------------------------------
    // Sign the signature base string using the Ed25519 private key

    let bdPrivKey = CkoBinData()!
    bdPrivKey.appendEncoded(strPrivateKey, encoding: "base64")

    let privKey = CkoPrivateKey()!
    success = privKey.loadAnyFormat(bdPrivKey, password: "")
    if success == false {
        print("\(privKey.lastErrorText!)")
        return
    }

    let bdToBeSigned = CkoBinData()!
    bdToBeSigned.appendSb(sbSigBase, charset: "utf-8")

    let eddsa = CkoEdDSA()!
    var sigBase64: String? = eddsa.signBdENC(bdToBeSigned, encoding: "base64", privkey: privKey)
    if eddsa.lastMethodSuccess == false {
        print("\(eddsa.lastErrorText!)")
        return
    }

    print("sigBase64:")
    print("\(sigBase64!)")

    // ----------------------------------------------------------
    // Send the JSON POST

    let http = CkoHttp()!

    http.setRequestHeader("x-ebay-signature-key", value: strJwe)

    let sbContentDigestHdr = CkoStringBuilder()!
    sbContentDigestHdr.append("sha-256=:")
    sbContentDigestHdr.append(sbBody.getHash("sha256", encoding: "base64", charset: "utf-8"))
    sbContentDigestHdr.append(":")
    http.setRequestHeader("Content-Digest", value: sbContentDigestHdr.getAsString())

    let sbSigHdr = CkoStringBuilder()!
    sbSigHdr.append("sig1=:")
    sbSigHdr.append(sigBase64)
    sbSigHdr.append(":")
    http.setRequestHeader("Signature", value: sbSigHdr.getAsString())

    sbSigInput.prepend("sig1=")
    http.setRequestHeader("Signature-Input", value: sbSigInput.getAsString())

    // Add this header to make eBay actually check the signature.
    http.setRequestHeader("x-ebay-enforce-signature", value: "true")

    // Set the OAuth2 access token to add the "Authorization: Bearer <access_token>" to the header.
    http.authToken = "your_oauth2_access_token"

    // The signature base string constructed above is valid if we send this POST to "http://localhost:8080/verifysignature"
    // Normally, you'll send your POST to some api.ebay.com endpoint.
    var url: String? = "http://localhost:8080/verifysignature"

    var resp: CkoHttpResponse? = http.postJson2("http://localhost:8080/verifysignature", contentType: "application/json", jsonText: sbBody.getAsString())
    if http.lastMethodSuccess == false {
        print("\(http.lastErrorText!)")
        return
    }

    print("Response status code: \(resp!.statusCode.intValue)")
    print("Response body:")
    print("\(resp!.bodyStr!)")

    resp = nil

}