Signature Generation and Verification

Working With Signature

We use a signature when data authenticity must be ensured before we process it. In such cases you will need to generate the signature and add it to the request body. In some cases we may also provide a signature in the response, which you can validate to ensure that the data you received has not been altered on the way.

You have to use your Encryption Key to generate or validate the signature.

Generation of Signature

Pseudo Code

Function generateSignature(Argument requestBody, Argument apiSecret)
    dataString: Stores the string generated from request body
    signature: To store the generated signature
    For each KEY1 and VALUE1 in requestBody, do
        If VALUE1 is Array Then
            For each KEY2 and VALUE2 in VALUE1, do
                APPEND VALUE2 to dataString
                APPEND '|' to dataString
            EndFor
        Else
            APPEND VALUE1 to dataString
            APPEND '|' to dataString
        EndIf
    EndFor
    APPEND '#' to dataString
    signature = HASH_HMAC_SHA_256(dataString, apiSecret)
    return signature
End function
PHP
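// Method of your client class.
public function generateSignature($apiSecret, $requestBody) {
    $dataString = '';
    // Append every value in array order, each followed by '|'
    foreach ($requestBody as $key => $value) {
        if (is_array($value)) {
            // Nested arrays are flattened one level deep
            foreach ($value as $_key => $_value) {
                $dataString .= $_value;
                $dataString .= '|';
            }
        } else {
            $dataString .= $value;
            $dataString .= '|';
        }
    }
    // Terminator
    $dataString .= '#';
    // Lowercase hex HMAC-SHA512 keyed with the API secret
    $signature = hash_hmac('sha512', $dataString, $apiSecret);
    return $signature;
}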
Java
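import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.util.Formatter;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// The methods below belong inside your client class.
public String generateSignature(String apiSecret, Map<String, String> requestBody) {
    try {
        // Values are appended in the map's iteration order, so pass a map with a
        // predictable order (for example LinkedHashMap).
        StringBuilder dataString = new StringBuilder();
        for (String value : requestBody.values()) {
            dataString.append(value).append('|');
        }
        dataString.append('#');
        return calculateHMAC(dataString.toString(), apiSecret);
    } catch (Exception e) {
        System.out.println(e.getMessage());
        return null;
    }
}

// Lowercase hex encoding of the raw MAC bytes
private static String toHexString(byte[] bytes) {
    try (Formatter formatter = new Formatter()) {
        for (byte b : bytes) {
            formatter.format("%02x", b);
        }
        return formatter.toString();
    }
}

public static String calculateHMAC(String data, String key)
        throws SignatureException, NoSuchAlgorithmException, InvalidKeyException
{
    // Explicit UTF-8 so the result does not depend on the platform default charset
    SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA512");
    Mac mac = Mac.getInstance("HmacSHA512");
    mac.init(secretKeySpec);
    return toHexString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
}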

Verification of the Signature

Pseudo Code

Function compareSignature(Argument responseData, Argument receivedSignature, Argument apiSecret)
    dataString: Stores the string generated from response data
    signature: To store the generated signature
    REMOVE_ARRAY_KEY(responseData['signature'])
    For each KEY1 and VALUE1 in responseData, do
        If VALUE1 is Array Then
            For each KEY2 and VALUE2 in VALUE1, do
                APPEND VALUE2 to dataString
                APPEND '|' to dataString
            EndFor
        Else
            APPEND VALUE1 to dataString
            APPEND '|' to dataString
        EndIf
    EndFor
    APPEND '#' to dataString
    signature = HASH_HMAC_SHA_256(dataString, apiSecret)
    If signature IS NOT EQUAL TO receivedSignature Then
        Return False
    Else
        Return True
    EndIf
EndFunction
PHP
function compareSignature($transactionData, $receivedSignature, $apiSecret) {
    $dataString = '';
    // Unset signature from data
    unset($transactionData['signature']);
    foreach ($transactionData as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $_key => $_value) {
                $dataString .= $_value;
                $dataString .= '|';
            }
        } else {
            $dataString .= $value;
            $dataString .= '|';
        }
    }
    $dataString .= '#';
    // Creating signature
    $signature = hash_hmac('sha512', $dataString, $apiSecret);
    // Constant-time comparison; the known (computed) value goes first
    if (hash_equals($signature, $receivedSignature)) {
        // Signature match
        return true;
    }
    // Signature mismatch
    return false;
}
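
The generation and verification steps above, as an added Python example that is not part of the original documentation. It follows the PHP and Java code, which use HMAC-SHA512 although the pseudo code names SHA-256, and assumes string values; the sample body, the secret and the delimiter guard are assumptions added here.

```python
import hashlib
import hmac

DELIM = "|"  # field separator used in the page's data string
END = "#"    # terminator appended after the last field

def _flatten(value):
    """Return the values of a one-level list/dict, or the scalar in a list."""
    if isinstance(value, dict):
        return list(value.values())
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]

def build_data_string(body):
    """Concatenate values in iteration order, each followed by '|', then '#'."""
    parts = []
    for value in body.values():
        for item in _flatten(value):
            text = str(item)
            # Added guard (not on the page): a delimiter inside a value would
            # let two different bodies produce the same data string.
            if DELIM in text:
                raise ValueError("value contains the field delimiter")
            parts.append(text + DELIM)
    return "".join(parts) + END

def generate_signature(body, api_secret):
    """Lowercase hex HMAC-SHA512, like hash_hmac('sha512', ...) in the PHP."""
    data = build_data_string(body).encode("utf-8")
    return hmac.new(api_secret.encode("utf-8"), data, hashlib.sha512).hexdigest()

def compare_signature(data, received_signature, api_secret):
    """Recompute over every field except 'signature'; compare in constant time."""
    unsigned = {k: v for k, v in data.items() if k != "signature"}
    expected = generate_signature(unsigned, api_secret)
    return hmac.compare_digest(expected.encode(), str(received_signature).encode())

# Constructed sample data: field names and secret are placeholders.
SECRET = "example-api-secret"
BODY = {"order_id": "A1001", "amount": "250.00", "items": ["pen", "book"]}
SIGNED = dict(BODY, signature=generate_signature(BODY, SECRET))
TAMPERED = dict(SIGNED, amount="2.50")  # same signature, altered value
REORDERED = {"amount": "250.00", "order_id": "A1001", "items": ["pen", "book"]}
```

Only the values and their order are signed, so `REORDERED` produces a different signature than `BODY` even though the fields are the same; both sides must serialize fields in the same order.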