X-Signature HTTP Header for tax webhook
31 views
Skip to first unread message
Quinn Johns
May 30, 2024, 11:58:31 PMMay 30
to XMPie Interest Group
I'm struggling to understand the process that XMPie uses to hash the request payload to generate the X-SIGNATURE HTTP header (checksum).
I used the downloadable .NET example from the tax webhook documentation, and while this provides a GetHash method detailing how to create the hash, I have been unable to make it match the checksum my webhook receives from XMPie. When I put the data from XMPie into the example .NET project the checksum also does not match the output, and at this point I suspect the difference is in how the JSON is consumed.
The webhook is a Node application. Any guidance that can be provided on correctly generating this checksum would be most appreciated.
Thank you,
Quinn
west-digital.fr
May 31, 2024, 6:14:28 AMMay 31
to XMPie Interest Group
My code here-under re-calculates the same SHA-512 string (based on the raw, unencrypted Json sent by uStore and the key set in uStore Admin), that uStore provides in the "X-Signature" field, thus allowing me check that no distortion was applied:
byte[] valueBytes = Encoding.UTF8.GetBytes(myJsonRawTextSentByUstore);
byte[] keyBytes = Encoding.UTF8.GetBytes(mySignatureKey);
HMACSHA512 hmacsha512 = new HMACSHA512(keyBytes);
byte[] hashBytes = hmacsha512.ComputeHash(valueBytes);
string result = Convert.ToBase64String(hashBytes);
byte[] keyBytes = Encoding.UTF8.GetBytes(mySignatureKey);
HMACSHA512 hmacsha512 = new HMACSHA512(keyBytes);
byte[] hashBytes = hmacsha512.ComputeHash(valueBytes);
string result = Convert.ToBase64String(hashBytes);
Partial courtesy XMPie.
Quinn Johns
May 31, 2024, 11:16:46 AMMay 31
to XMPie Interest Group
What format is your JSON when feeding it into GetBytes? Is it stringified? Or are you feeding it directly from the POST payload untouched?
I believe that is where my issue currently resides. The HMAC functionality in Node's Crypto library fails to match the HMAC from C#, and I believe it has to do with the JSON. I can get the two systems to match each other with contrived examples, but it never matches the X-Sig from XMPie using the real JSON payload.
Quinn Johns
May 31, 2024, 11:28:02 AMMay 31
to XMPie Interest Group
I'll clarify a little bit on my question. I see your example has "myJsonRawTextSentByUstore", but I'm curious if you've done anything with it to make it a string for GetBytes.
As in, if you printed out the JSON being passed to GetBytes will it be encoded with escapes (\) or double quotes ("") so C# treats it as a string? So we're on the same page this is what I mean by each of those examples:
Raw JSON: {"Order": { "OrderId": 64076, "DisplayOrderId": 167046}}
Escaped: "{\"Order\": { \"OrderId\": 64076, \"DisplayOrderId\": 167046}}"
Double Quotes: "{""Order"": { ""OrderId"": 64076, ""DisplayOrderId"": 167046}}"
west-digital.fr
May 31, 2024, 11:54:28 AMMay 31
to XMPie Interest Group
Quinn Johns
May 31, 2024, 12:02:19 PMMay 31
to XMPie Interest Group
I appreciate the feedback, and will update here when I get this resolved.
Thank you for helping me to clarify a few lingering items.
Reply all
Reply to author
Forward
0 new messages