
Verify signature

Introduction

The purpose of including a signature in the Charges response for the authorisation flow is to reinforce security and guarantee the integrity of the data transmitted to the merchant by means of a redirection or a ServerToServer notification.

Private key details:

  • Key Type: Asymmetric

  • Key Spec: RSA_2048

  • Key Length: 2048 bits

  • Key Usage: Sign and verify

  • Signing algorithm: SHA512withRSA

Signature length: allow for a length of up to 512.

The steps for signature validation are shown below.

Step 1: Identify the Fields to Verify

Redirect Flow

In this flow, the merchant receives two parameters in the redirect (signature and authorisation_result). The authorization_result parameter is a Base64-encoded JSON document containing the result of the authorisation. It is the message whose signature is checked against the signature parameter.

ServerToServer notification flow

In this flow, the merchant receives a REST request whose body is the result of the authorisation and whose header carries the signature. The body is the message whose signature is checked against the signature received in the header.

Step 2: Verify the signature

In the validation process, all merchants use the public key provided by Alignet to verify the digital signature. Signature verification checks the value (authorisation result) against the signature received from CHARGES.

Public Key:

Environment: PRE-PRODUCTION
Key in .pem file: Publickey-6f031bb8-45cb-4aed-9375-80d8dbb9c8fd.pem
Public Key:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkmpsqcJzjQ45u0K7JOQJ
tfjXGeMXNwsaU6JDGSdKwSDGGXt1m551p2mlG0oGkmn9FPbp4E0lOQzkL/qhHB1Y
pTP2MqecJ7pMTonEeXOv0P6uwR9yvV5lxK17nE3+xgfcpFfxT5GAI/wZsQJ3+Lsv
qh3+IcRG2Hb2BUdM5pYZFOUBGGSZWc/ULPtsFx2DSjI9peJ9kYibpaokphP+Cypz
/LgKV7Yiv/TUufPiUk5gFYIad5VhRU822sTMRQ7BgS2CY4t49jqFkIiRnmPwM8fF
KjPD4wvzssrqbAQvkk56XOcE9ML0iJhcIY1/xgNSiHqij0Ql1UTU5nAIJR5/paOn
hQIDAQAB
-----END PUBLIC KEY-----

Environment: PRODUCTION
Key in .pem file:
Public Key:

Example

Python

import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_public_key


def verify_rsa_signature(public_key_pem, authorization_result, signature):
    # Convert public key in PEM format to key object
    public_key = load_pem_public_key(public_key_pem.encode('utf-8'))
    # Convert message to bytes
    message_bytes = authorization_result.encode('utf-8')
    try:
        # Verify signature using PKCS#1 v1.5 and SHA-512
        public_key.verify(
            signature,
            message_bytes,
            padding.PKCS1v15(),
            hashes.SHA512()
        )
        return True
    except InvalidSignature:
        # Raised when the signature does not match the message and key
        return False


if __name__ == "__main__":
    print("VERIFY SIGNATURE")
    public_key_pem = """"""  # PUBLIC KEY DESCRIBED IN THE DOCUMENTATION
    # The signature is received Base64-encoded; decode it to raw bytes
    signature = base64.b64decode("SIGNATURE")
    message = ""  # RESULT OF THE AUTHORIZATION. In case of ServerToServer notification, apply json.dumps().
    result = verify_rsa_signature(public_key_pem, message, signature)
    print(f'Signature valid: {result}')
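
The redirect flow from Step 1, as an added example (not Alignet's code): it verifies the signature over authorization_result exactly as received and only then Base64-decodes and parses it, rejecting a tampered result or a malformed signature. The throwaway key pair, the payload fields and the function names verify_then_parse and constructed_redirect are constructed for the demonstration; in use, the public key is the one provided by Alignet.

```python
import base64
import binascii
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def verify_then_parse(public_key, authorization_result, signature_b64):
    """Return the decoded authorisation result, or None if it must be rejected."""
    try:
        signature = base64.b64decode(signature_b64, validate=True)
    except (binascii.Error, ValueError):
        return None  # signature parameter is not valid Base64
    try:
        # The signed message is the Base64 string exactly as received.
        public_key.verify(signature, authorization_result.encode("utf-8"),
                          padding.PKCS1v15(), hashes.SHA512())
    except InvalidSignature:
        return None
    # Only after the signature checks out is the payload decoded and parsed.
    return json.loads(base64.b64decode(authorization_result))


def constructed_redirect():
    """Build a constructed redirect: throwaway key pair and made-up payload."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    payload = {"result": "approved", "amount": "10.00"}  # constructed fields
    authorization_result = base64.b64encode(json.dumps(payload).encode()).decode()
    signature = private_key.sign(authorization_result.encode("utf-8"),
                                 padding.PKCS1v15(), hashes.SHA512())
    return (private_key.public_key(), authorization_result,
            base64.b64encode(signature).decode(), payload)


if __name__ == "__main__":
    key, auth_result, sig_b64, payload = constructed_redirect()
    print("untampered:", verify_then_parse(key, auth_result, sig_b64))
    # Same signature, altered payload: verification must fail.
    forged = base64.b64encode(
        json.dumps({**payload, "amount": "0.01"}).encode()).decode()
    print("tampered:  ", verify_then_parse(key, forged, sig_b64))
    print("bad base64:", verify_then_parse(key, auth_result, "not base64!"))
```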
