
I am following this guide https://p.agnihotry.com/post/validating_sign_in_with_apple_authorization_code to be able to "server verify" an Apple AuthCode by sending a request to Apple.

Below are the guide's instructions for generating the client_secret:

Following are the steps to calculate the signature from the SHA-256:

  1. Generate r,s by signing using ecdsa.
  2. Append r and s, meaning join the r and s together.
  3. base64 url encode the appended result.

I am really struggling to find any examples of how to complete the first step. I previously generated a string that I assume I have to sign, and then somehow extract r and s. By "ecdsa signing" this string, I obtain a byte array, but I can't really figure out how to solve the "Generate r,s by signing using ecdsa" piece, or how to basically obtain these "r,s".

Anybody who can shed any light, highly appreciated.

Current sample code:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens; // Base64UrlEncoder

public static string GenerateAppleClientSecret(string data)
{
    byte[] bytesData = Encoding.UTF8.GetBytes(data);
    var ecDsa = ECDsaFromFile();

    // On .NET Core 3.1, SignData returns the IEEE P1363 format, i.e. r and s already
    // concatenated (first half r, second half s), as the comments below point out.
    var signedData = ecDsa.SignData(bytesData, HashAlgorithmName.SHA256);

    // Steps 1-3 of the guide therefore reduce to base64url-encoding signedData.
    return Base64UrlEncoder.Encode(signedData);
}

public static ECDsa ECDsaFromFile()
{
    // Loads the private key string (format -----BEGIN PRIVATE KEY-----) and removes the header and footer.
    var privateKey = LoadPrivateKey().CleanKey();

    var key = ECDsa.Create();
    // ImportPkcs8PrivateKey exists in .NET Core 3.0+ and .NET, not in .NET Framework.
    key.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _);
    return key;
}
```
  • There are two formats for ECDSA signatures, P1363 and ASN.1/DER. Post the C# code you sign with and if possible a sample signature. – Topaco Jun 15 '22 at 07:47
  • Just edited the original Question with the code – cmarrades Jun 15 '22 at 07:58
  • `ImportPkcs8PrivateKey()` is not available in .NET Framework, but only in .NET Core (and here from 3.0) and .NET. The solution depends on the .NET version, which one are you actually using? – Topaco Jun 15 '22 at 08:00
  • You are actually right. I just noticed my test project has a different version than the actual production codebase version. But at this stage, if I can get it working on .NET Core 3.1 I'd be happy enough. Happier if anybody sheds light for 4.6 as well. – cmarrades Jun 15 '22 at 08:14
  • The posted code uses P1363 format, which corresponds to the concatenation of r and s. The first half is r, the second s. I.e. you only need to Base64url encode `signedData`. – Topaco Jun 15 '22 at 08:15
  • I assume that by the first and second half you mean the first half of the array and the second half of the array, so Base64url-encoding `signedData` would do. Thank you for the help and clarification. – cmarrades Jun 15 '22 at 08:22
  • Yes, `Base64UrlEncoder.Encode(signedData)` corresponds to the format derived via steps 1, 2 and 3. – Topaco Jun 15 '22 at 08:24
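The comment thread's resolution carried through end to end, as an added example that is not the question's own code: split the P1363 signature into r and s, rebuild r || s, check that the key verifies it, and base64url-encode it. It assumes Microsoft.IdentityModel.Tokens for Base64UrlEncoder (the package the question already uses) and a P-256 key such as the one the question's ECDsaFromFile() returns; the DerToP1363 branch is an addition for libraries that return the ASN.1/DER form mentioned in the comments rather than P1363.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens; // Base64UrlEncoder (NuGet: Microsoft.IdentityModel.Tokens)

public static class AppleEs256Signature
{
    // Signs the UTF-8 bytes of signingInput with ES256 and returns base64url(r || s). On .NET Core 3.1
    // (and ECDsaCng on .NET Framework) SignData already returns the 64-byte IEEE P1363 form for P-256.
    public static string Sign(ECDsa key, string signingInput)
    {
        byte[] data = Encoding.UTF8.GetBytes(signingInput);
        byte[] signature = key.SignData(data, HashAlgorithmName.SHA256);
        // Defensive normalisation for libraries that return ASN.1/DER instead: a DER SEQUENCE
        // starts with 0x30 and is never exactly 64 bytes for P-256.
        if (signature.Length != 64 && signature[0] == 0x30)
            signature = DerToP1363(signature, 32);
        byte[] r = new byte[32], s = new byte[32];
        Buffer.BlockCopy(signature, 0, r, 0, 32);    // step 1: r is the first half
        Buffer.BlockCopy(signature, 32, s, 0, 32);   // step 1: s is the second half
        byte[] rs = new byte[64];                    // step 2: append r and s
        Buffer.BlockCopy(r, 0, rs, 0, 32);
        Buffer.BlockCopy(s, 0, rs, 32, 32);
        // Check the value before it is sent as a credential: the key must verify its own signature.
        if (!key.VerifyData(data, rs, HashAlgorithmName.SHA256))
            throw new CryptographicException("r || s does not verify against the signed data");
        return Base64UrlEncoder.Encode(rs);          // step 3: base64url (no '=' padding)
    }

    // SEQUENCE { INTEGER r, INTEGER s } -> fixed-width r || s. DER integers drop leading zero
    // bytes and prepend 0x00 when the top bit is set, so each value is re-padded to fieldSize.
    public static byte[] DerToP1363(byte[] der, int fieldSize)
    {
        if (der.Length < 8 || der[0] != 0x30 || der[1] > 0x7f)
            throw new CryptographicException("not a short-form DER ECDSA signature");
        byte[] result = new byte[2 * fieldSize];
        int pos = 2;
        for (int i = 0; i < 2; i++)
        {
            if (der[pos++] != 0x02) throw new CryptographicException("expected DER INTEGER");
            int len = der[pos++], start = pos;
            while (len > fieldSize && der[start] == 0x00) { start++; len--; } // strip sign byte
            if (len > fieldSize) throw new CryptographicException("integer too large for the curve");
            Buffer.BlockCopy(der, start, result, i * fieldSize + (fieldSize - len), len);
            pos = start + len;
        }
        return result;
    }
}
```

Call `AppleEs256Signature.Sign(ECDsaFromFile(), signingInput)` with the JWT signing input (base64url header, a dot, base64url payload) to get the signature segment of the client_secret.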
