Validate the Basic Digital Signature
This task guides you through validating a basic digital signature for a Payment Page using Zuora's security library and callback parameters.
For the basic signature, when the callback occurs, Zuora signs the tenant ID, Payment Page ID, a generated Token, and a timestamp with the private key, and add the signature to the callback URL. On the client side, during the callback processing, the client uses the public key to verify the signature.
The basic signature is generated with the following parts, delimited by the “#” character.
-
Callback path
-
Tenant ID
-
Token
-
Timestamp when the signature is generated
-
Payment Page ID
To validate the Basic digital signature response for a Payment Page :
- Include the Zuora security library,
SignatureDecrypter. - Parse the callback parameters returned from Zuora and get the signature from the parameters.
- Decrypt the signature with the
SignatureDescryptermethod. See Obtain the Public Key for Payment Pages 2.0 for getting the public key. Alternatively, you can use a Zuora REST call to decrypt the signature. See Decrypt RSA signature for detailed information. - Parse the decrypted signature.
- Validate if the signature is trusted.
- Check if the signature timestamp is expired, i.e. the difference between the current time and the signature timestamp is more than 5 minutes.
The following code shows a sample implementation of the verification steps.
//Step 1: Include the Zuora library
com.zuora.rsa.security.decrypt.SignatureDecrypter;
//Step 2: Get the signature from the callback parameter.
String signature = request.getParameter("signature");
// Step 3: Decrypt the signature.
String decryptedSignature = SignatureDecrypter.decryptAsString(signature, publicKeyString);
// Step 4: Parse the decrypted signature and get the timestamp when this signature was generated.
StringTokenizer st = new StringTokenizer(decryptedSignature,"#");
String url = st.nextToken();
String tenanId = st.nextToken();
String token = st.nextToken();
String timestamp = st.nextToken();
String pageId = st.nextToken();
// Step 5: Validate signature for the page ID and tenant ID.
if(pageId != myPaymentPageID || tenantId != myTenantID) {
// the signature is invalid.
throw new Exception("Page Id in signature is invalid.");
}
// Step 6: Validate that the signature is not expired.
long expiredTime = 5 * 60 * 1000;
if((new Date()).getTime() > (Long.parseLong(timestamp) + expiredTime)) {
// signature is expired.
throw new Exception("Signature is expired.");
}
See the validSignature function in the Payment Pages 2.0 sample code suite on Zuora GitHub site for the complete example of signature verification.