plenigo Signature

Content of this article

  1. Preliminary Remarks
  2. Check plenigo-Signature

1. Preliminary Remarks

Each callback from the plenigo system comes with a signature in the header to ensure that the call comes from a trustworthy source and has not not been manipulated.

2. Check plenigo-Signature

Each callback is signed with a signature header. 
The header is called plenigo-signature and looks as follows:
t=1729583536,s=fdcd0a0ccd0b4db629d35a33c3aada5cf669a28f91adb38abcc9ffcdb1663d38
The header contains two elements. A time stamp that defines the time (t) at which the callback was generated, and a hash-based message authentication code (HMAC) with SHA-256 (s). 

To verify the header, follow the following steps:

Step 1: Extract the time stamp and the signatures from the header
The content of the header can be separated by "," (comma) to get a list of the elements. By using the "=" (equal sign) as separator, each element can be separated into a data pair containing a prefix and a value.

Values of the prefixes:
  • "t" = time stamp
  • "u" = unique Id 
  • "s" = a signature or several signatures
Any other elements can be ignored.

Step 2: Prepare string "signed_payload"
The string "signed_payload" is created by a chain: 
  • the time stamp as string
  • the sign "." (dot) 
  • the actual JSON payload (meaning the request content) as string 

Step 3: Determine expected signature
A HMAC authentication code with a SHA256 hash function is required. The signature secret of the end point is used as key and the string "singed_payload" is used as messsage.

Step 4: Compare signatures
The signature (or signatures) in the header are to be compared with the expected signature.
The difference between the current time stamp and the received time stamp should be calculated to be able to decide if the difference is within an acceptable tolerance.

To protect against timing attacks (a variant of a side-channel attack) it is recommended to carry out a time-constant string comparison to compare the expected signature with each of the received signatures.