This is a creation in Article, where the information may have evolved or changed.
HMAC-SHA1 (message authentication code based on the SHA1 hash algorithm) is a keyed hash algorithm. This HMAC process mixes the key with the message data, uses a hash function to hash the mixed result, mixes the resulting hash value with the key, and then applies the hash function again. The hash value of the output is 160 bits long.
Although the Secure Hash algorithm (secured hash algorithm, referred to as SHA1) is an irreversible cryptographic algorithm, the results are the same after the same content calculation and are not duplicated, so the data can be restored by brute force computation. So hmac-sha1 on the basis of SHA1, add a key. As a result, the information content cannot be cracked as long as the key is not compromised.
During the interface verification process, the data parameters to be sent, together with the time slice and key to send the moment, are computed by HMAC-SHA1, and the computed signature is sent to the server as a parameter when requested. The server is also evaluated against the locally saved key and compared to the signature provided by the client. The same is true for authorization success.
With HMAC-SHA1 encryption, you can prevent the request parameters from being modified maliciously. If the parameter is modified, the signature will change as well, so simply modifying the parameters will cause the server authorization validation to fail. Again the parameters are added to the time slice information, if and server time is too large, the request will be discarded.
Interface validation is implemented based on the Beego framework, which can be achieved using the filters provided by it. The filter functions are as follows:
beego.InsertFilter(pattern string, postion int, filter FilterFunc)
Three parameters:
- Routing rules that can be routed according to certain rules, if you have a full match can be used
*
- Postion where the Filter is executed, the four fixed parameters are as follows, representing different execution processes
- Beforerouter before looking for routes
- Beforeexec after the route is found, start executing the appropriate Controller
- Afterexec the filter executed after the Controller logic has been executed
- Finishrouter filter executed after execution of the logic
- Filter Filter function
type FilterFunc func(*context.Context)
Routing rules are used to match filters. There are 4 locations to filter. We are here to verify the request parameters, so the call is based on the previous, can reduce the subsequent unnecessary calculation. So use BeforeRouter
better. The check function is as follows:
func FilterOauth(ctx *context.Context) {timestamp, err := strconv.ParseInt(ctx.Input.Query("timestamp"), 10, 64)if err != nil {ctx.Abort(http.StatusUnauthorized, "")}timestamp_t := time.Unix(timestamp, 0)now_t := time.Now()if now_t.Sub(timestamp_t).Minutes() > 10 {fmt.Println(timestamp_t, "Duration is too long")ctx.Abort(http.StatusUnauthorized, "")}size := ctx.Input.Query("size")if size == "" {ctx.Abort(http.StatusUnauthorized, "")}sign := ctx.Input.Query("sign")if sign == "" {ctx.Abort(http.StatusUnauthorized, "")}if CheckMAC(size+timestamp_t.String(), sign, "seckey") {fmt.Println("Verify error")ctx.Abort(http.StatusUnauthorized, "")}}
The checksum is based on the parameters passed in size
and the timestape
incoming sign
signature is used for the alignment. The filter function passed in the context object *context.Context
. If the incoming time slice and system time differ by more than 10 minutes, it is considered an out-of-date request.
The check function uses the Golang crypto/hmac
and crypto/sha1
packet:
func CheckMAC(message, sign, key string) bool {mac := hmac.New(sha1.New, []byte(key))mac.Write([]byte(message))return hex.EncodeToString(mac.Sum(nil)) == sign}
The result of the encryption is the []byte
type, which also needs to be converted into a readable 16-encoding, which can be implemented by the package encoding/hex
.
Interface encryption can also use HTTPS encryption transmission mode, this I do not understand, later understand and then write.
###### References + "1" Filter-beego development documentation
Original link: interface security mechanism, reproduced please indicate the source!