All element instances containing a Callback Notification Signature Key will include the Elements-Webhook-Signature
header field. The value of this field will contain a unique SHA256 hash that corresponds to the event (e.g., sha256=jHdbRx5EZAsOfTwAPJOGkNUzQMVVdu5VJlxcsk+G6jQ=
). This hash is calculated by creating a SHA256 hash of the payload using the Callback Notification Signature Key as the key. In order to verify Event Notifications originate from Cloud Elements regenerate the SHA256 hash and test it against the value of the Elements-Webhook-Signature
header.
Cloud Elements has provided sample code for re-generating the SHA256 hash for event notifications:
Java
import org.apache.commons.codec.binary.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class SecurityEventKey {
// Your Event Notification Signature
private static final String SIGNATUREKEY = "MySecretEventSignatureKey";
// Your Event Notification Payload (Raw Body)
private static String payload = "<INSERT_EVENT_NOTIFICATION_RESPONSE_BODY>";
public static void main(String[] args) {
try {
Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
SecretKeySpec secret_key = new SecretKeySpec(SIGNATUREKEY.getBytes(), "HmacSHA256");
sha256_HMAC.init(secret_key);
String hash = Base64.encodeBase64String(sha256_HMAC.doFinal(payload.getBytes()));
//This should equal what came on the event header as "Elements-Webhook-Signature"
System.out.println("sha256=" + hash);
}
catch (Exception e){
System.out.println("Error: " + e);
}
}
}
// sha256=jHdbRx5EZAsOfTwAPJOGkNUzQMVVdu5VJlxcsk+G6jQ=
Javascript (Node)
var hmac = crypto.createHmac('sha256', 'MySecretEventSignatureKey')
.update('<INSERT_EVENT_NOTIFICATION_RESPONSE_BODY>').digest('base64');
// shaHeader == “sha256=“ + hmac
// sha256=jHdbRx5EZAsOfTwAPJOGkNUzQMVVdu5VJlxcsk+G6jQ=
Ruby
require 'openssl'
require "base64"
hash = OpenSSL::HMAC.digest('sha256', "MySecretEventSignatureKey", "<INSERT_EVENT_NOTIFICATION_RESPONSE_BODY>")
puts "sha256="+Base64.strict_encode64(hash)
# sha256=jHdbRx5EZAsOfTwAPJOGkNUzQMVVdu5VJlxcsk+G6jQ=