Reputation: 430
Docusign: Verify HMAC key from header response with the secret key
I am working with Docusign connect and planning to use HMAC keys to authenticate the messages. I am referring https://developers.docusign.com/esign-rest-api/guides/connect-hmac#example-hmac-workflow link.
I find few terms confusing in the documentation. Attaching the code snippet from the doc for python.
def ComputeHash(secret, payload):
import hmac
import hashlib
import base64
hashBytes = hmac.new(secret, msg=payload, digestmod=hashlib.sha256).digest()
base64Hash = base64.b64encode(hashBytes)
return base64Hash;
def HashIsValid(secret, payload, verify):
return verify == ComputeHash(secret,payload)
Can you explain what payload(didn't understand exactly what it is), secret (I am guessing the secret key) and verify means from the above code and how do I verify my secret key with X-Docusign-Signature-1 which I get from response header?
My code:
message = request.headers
hashBytes = hmac.new(secret_key.encode('utf-8'), msg=message.encode('utf-8'), digestmod=hashlib.sha256).hexdigest()
base64Hash = base64.b64encode(hashBytes)
[Edited]
I found the solution on my own. Please read the first answer. I have explained it in details.
Upvotes: 2
Views: 1309
Answers (2)
Reputation: 430
I found the solution to my problem.
expected_signature = request.headers['X-Docusign-Signature-1']
message = request.data # It is already in bytes. No need to encode it again.
hashBytes = hmac.new(secret_key.encode('utf-8'), msg=message, digestmod=hashlib.sha256).hexdigest()
actual_signature = base64.b64encode(hashBytes)
hmac.compare_digest(actual_signature.decode('utf-8'),expected_signature):
Upvotes: 1
Reputation: 14015
Sorry for the confusion. Payload is "The entire body of the POST request is used, including line endings." This is what you're encoding here using a Hash (HMAC) function.
SHA256 HMAC digest take in an the array of bytes (payload) and a secret (some key to use for encryption) and produces some encrypted version of the payload that can later be verified.
I highly recommend you ensure you first understand how the Connect webhook works without using HAMC encoding. This feature is meant to secure your application and it's a bit more complex. If you first get it working without it - you'll get a better grasp of what's going on (as well as feel a bit better about accomplishing a subtask). Once you have it working, you can add the HMAC to make it secure and it will be easier at that point.
Upvotes: 2
Related Questions
- Generate connect keys for HMAC programmatically
- DocuSign Connect - HMAC Security with REST API v2.1 and Java Library
- HMAC webhook validation, from envelope callback
- PHP / Docusign - Verify HMAC signature on completed event
- DocuSign: How to receive the signature in the header?
- DocuSign Connect webhook not including HMAC header
- DocuSign Connect webhook call did not include HMAC header x-docusign-signature
- DocuSign API Email Verification
- How to handle DocuSign Authentication Assertion in an embedded signature request
- DocuSign ID Check with Embedded signing