Signature Verification
In addition to the Webhook-Hash header, when we send a notification back to the webhook URL we provide the Kitegateway-Signature header so that merchants can trust that the callbacks originate from the Kitegateway servers.
Signature verification can be done with the following procedure:
Retrieve the value of the Kitegateway-Signature header.
Form the string payload to be used in signature verification. This is obtained by concatenating the values of the notification data in the following format:
id:merchant_reference:kitegateway_reference:transaction_status:webhook_url
where webhook_url is the full URL as added to your merchant account API token settings.
Assume the sample notification data below:
{
  ...
  "id": "383737927636356536773773",
  "merchant_reference": "88736jh-kkas87-mmn736-9n873ms-6636h",
  "kitegateway_reference": "PL-KMSSD-30000",
  "transaction_status": "COMPLETED",
  ...
}
and that the callback URL is
https://some-callback-url
The string payload would therefore be
383737927636356536773773:88736jh-kkas87-mmn736-9n873ms-6636h:PL-KMSSD-30000:COMPLETED:https://some-callback-url
Obtain the Kitegateway public key as explained here and store it as a file.
Use the Kitegateway public key to verify the signature as shown in the example source code below:
Signature Verification Code Example
// Node.js
const crypto = require('crypto');
const fs = require('fs');

function isSignatureValid() {
  // String payload formed from the notification data and the webhook URL
  const strPayload = "383737927636356536773773:88736jh-kkas87-mmn736-9n873ms-6636h:PL-KMSSD-30000:COMPLETED:https://some-callback-url";
  // Base64 value of the Kitegateway-Signature header
  const signature = "value-of-kitegateway-signature";
  const publicKeyFile = "path-to-file/kitegateway.public.key.pem";
  // Turn any literal "\n" sequences in the stored key into real newlines
  const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');
  const verify = crypto.createVerify("SHA512");
  verify.write(strPayload);
  verify.end();
  /* true or false */
  return verify.verify(publicKey, signature, 'base64');
}

<?php
// Declared as a plain function so the snippet parses outside a class
function isSignatureValid() {
    $file = "path-to-file/kitegateway.public.key.pem";
    $keyContent = file_get_contents($file);
    $publicKey = openssl_get_publickey($keyContent);
    // String payload formed from the notification data and the webhook URL
    $strPayload = "383737927636356536773773:88736jh-kkas87-mmn736-9n873ms-6636h:PL-KMSSD-30000:COMPLETED:https://some-callback-url";
    // The Kitegateway-Signature header value is base64 encoded
    $signature = base64_decode("value-of-kitegateway-signature");
    /* true or false: openssl_verify returns 1 only for a valid signature */
    return openssl_verify($strPayload, $signature, $publicKey, OPENSSL_ALGO_SHA512) === 1;
}
?>
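The procedure above end to end, as an added Node.js example (not Kitegateway's own code): it rebuilds the string payload from a parsed notification and the configured webhook URL, then checks the Kitegateway-Signature value against it. The function names, the throwaway RSA key pair standing in for the Kitegateway public key, and the altered values in the demo are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Signed fields, in the order the page gives for the payload string.
const SIGNED_FIELDS = ['id', 'merchant_reference', 'kitegateway_reference', 'transaction_status'];

// Build id:merchant_reference:kitegateway_reference:transaction_status:webhook_url
// from the parsed notification body; an incomplete notification is an error.
function buildPayload(notification, webhookUrl) {
  const parts = SIGNED_FIELDS.map((field) => {
    const value = notification[field];
    if (value === undefined || value === null || value === '') {
      throw new Error(`notification field missing: ${field}`);
    }
    return String(value);
  });
  return [...parts, webhookUrl].join(':');
}

// True only when signatureB64 verifies over the rebuilt payload; every
// failure (missing field, empty header, unusable key) yields false.
// publicKey may be a PEM string or a KeyObject.
function isNotificationAuthentic(notification, webhookUrl, signatureB64, publicKey) {
  if (typeof signatureB64 !== 'string' || signatureB64 === '') return false;
  try {
    const verify = crypto.createVerify('SHA512');
    verify.update(buildPayload(notification, webhookUrl));
    verify.end();
    return verify.verify(publicKey, signatureB64, 'base64');
  } catch {
    return false;
  }
}

// Constructed demo: a throwaway RSA key pair stands in for the Kitegateway key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const url = 'https://some-callback-url';
  const note = { id: '383737927636356536773773', merchant_reference: '88736jh-kkas87-mmn736-9n873ms-6636h',
    kitegateway_reference: 'PL-KMSSD-30000', transaction_status: 'COMPLETED' };
  const sig = crypto.createSign('SHA512').update(buildPayload(note, url)).sign(privateKey, 'base64');
  const { id, ...withoutId } = note; // constructed notification lacking "id"
  return {
    genuine: isNotificationAuthentic(note, url, sig, publicKey),
    alteredField: isNotificationAuthentic({ ...note, merchant_reference: 'other-ref' }, url, sig, publicKey),
    wrongUrl: isNotificationAuthentic(note, 'https://other-callback-url', sig, publicKey),
    missingField: isNotificationAuthentic(withoutId, url, sig, publicKey),
  };
}

console.log(demo());
```

In a real handler, pass the webhook URL from your own configuration (the value saved in the merchant account API token settings) rather than one derived from the incoming request, and process the notification only when the function returns true.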