
Facebook Real-time Update: Validating X-Hub-Signature SHA1 signature in Java

When Facebook sends real-time updates, they include an X-Hub-Signature in the HTTP header. According to their documentation, they're using SHA1 and the application secret as the key.

Based on a similar question for C# I tried to verify the signature like this ('body' is the message sent by Facebook in the body of the request):

import java.nio.charset.Charset;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex;
// substring(5) drops the "sha1=" prefix of the header value
String passedSignature = req.getHeader("X-Hub-Signature").substring(5);
Mac hmac = Mac.getInstance("HmacSHA1");
hmac.init(new SecretKeySpec(FACEBOOK_SECRET.getBytes(Charset.forName("UTF-8")), "HmacSHA1"));
String calculatedSignature = Hex.encodeHexString(hmac.doFinal(body.getBytes(Charset.forName("UTF-8"))));
logger.debug("Calculated sigSHA1: " + calculatedSignature + " passedSignature: " + passedSignature);

But the passedSignature is always different from the calculatedSignature.

Can anybody help solve the problem?

Alessandro Polverini asked Jun 20 '13 18:06


1 Answer

Turns out the code is correct, I was using the wrong key :-/

Anyway I hope this could help somebody else.

Alessandro Polverini answered Oct 10 '22 01:10
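
A self-contained version of the check discussed above, added here as an example and not part of the original question or answer: it verifies the HMAC over the raw body bytes, compares in constant time with MessageDigest.isEqual, and rejects a missing or malformed header. The class name HubSignatureCheck, the secrets and the request body are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HubSignatureCheck {
    private static final String PREFIX = "sha1=";

    static byte[] hmacSha1(String key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return mac.doFinal(data);
    }

    // Decode a hex string; returns null on malformed input instead of throwing.
    static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // rawBody must be the exact bytes received, before any parsing or re-encoding.
    static boolean isValid(String header, byte[] rawBody, String secret) throws GeneralSecurityException {
        if (header == null || !header.startsWith(PREFIX)) return false;
        byte[] claimed = fromHex(header.substring(PREFIX.length()));
        if (claimed == null) return false;
        return MessageDigest.isEqual(hmacSha1(secret, rawBody), claimed); // constant-time compare
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values, not real Facebook data.
        String secret = "constructed-app-secret";
        byte[] body = "{\"object\":\"user\",\"entry\":[]}".getBytes(StandardCharsets.UTF_8);
        StringBuilder hex = new StringBuilder();
        for (byte b : hmacSha1(secret, body)) hex.append(String.format("%02x", b));
        String header = PREFIX + hex;
        System.out.println("correct secret: " + isValid(header, body, secret));
        System.out.println("wrong key:      " + isValid(header, body, "some-other-key"));
        System.out.println("missing header: " + isValid(null, body, secret));
    }
}
```

The "wrong key" case reproduces the mismatch described in the answer: the code path is identical and only the key differs.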