RSA Signature Verification

The section describes how the RSA signature sent in the callback header can be verified. The signature is generated using an RSA Signing. For verification to succeed, the public key is required.

Obtain the Public Key - Based on environment

Copy the public key for the environment you're working with from here. This document assumes that the public key would be stored somewhere on your server under the name gbipay.public.key.pem

Next Steps

Below is the sample callback data for this demonstration

{
    "event": "transaction.charges",
    "payload": {
        "id": 11833,
        "merchant_reference": "MCTREFBNKWHXANJBYX2L",
        "internal_reference": "GBPREFFFZNGLVH96GSKK",
        "transaction_type": "COLLECTION",
        "request_currency": "UGX",
        "transaction_amount": 100000,
        "transaction_currency": "UGX",
        "transaction_charge": 3000,
        "transaction_account": "256777000001",
        "charge_customer": false,
        "total_credit": 97000,
        "provider_code": "mtn_momo_ug",
        "request_amount": 100000,
        "institution_name": "MTN Mobile Money Uganda",
        "customer_name": "JOHN DOE",
        "transaction_status": "PENDING",
        "status_message": "Collection initialized successfully. Confirm charges"
    }
}

Obtain the value of the rsa-signature header.
Form the string payload to be used in signature verification. This is obtained by concatenating values of the callback data in the format; event:merchant_reference:internal_reference:transaction_type:transaction_status and these values are obtained from the callback data. The string payload in this case would therefore be transaction.charges:MCTREFBNKWHXANJBYX2L:GBPREFFFZNGLVH96GSKK:COLLECTION:PENDING
Use the public key obtained above to verify the signature as described in the sample source codes below;

<?php

public function isValidSignature() {
    $file = "path-to-file/gbipay.public.key.pem";
    $keyContent = file_get_contents($file);
    $publicKey = openssl_get_publickey($keyContent);
    $strPayload = "transaction.charges:MCTREFBNKWHXANJBYX2L:GBPREFFFZNGLVH96GSKK:COLLECTION:PENDING";
    $signature = base64_decode("value-of-rsa-signature");

    /*true or false*/
    return openssl_verify($strPayload, $signature, $publicKey, "sha256") == 1;
}

?>

const crypto = require('crypto');
const fs = require('fs');

function isValidSignature() {
    const strPayload = "transaction.charges:MCTREFBNKWHXANJBYX2L:GBPREFFFZNGLVH96GSKK:COLLECTION:PENDING";
    const signature = "value-of-rsa-signature";
    const publicKeyFile = "path-to-file/gbipay.public.key.pem";
    const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');

    const verify = crypto.createVerify("SHA256");
    verify.write(strPayload);
    verify.end();

    /*true or false*/
    return verify.verify(publicKey, signature, 'base64');
}

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class SignatureVerifier {

    public boolean isValidSignature() throws Exception {
        // Read public key from file
        Path pathToFile = Paths.get("path-to-file/gbipay.public.key.pem");
        byte[] keyBytes = Files.readAllBytes(pathToFile);

        // Decode public key
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PublicKey publicKey = keyFactory.generatePublic(keySpec);

        // Signature and payload
        String strPayload = "transaction.charges:MCTREFBNKWHXANJBYX2L:GBPREFFFZNGLVH96GSKK:COLLECTION:PENDING";
        byte[] signatureBytes = Base64.getDecoder().decode("value-of-rsa-signature");

        // Verify signature
        Signature signature = Signature.getInstance("SHA256withRSA");
        signature.initVerify(publicKey);
        signature.update(strPayload.getBytes());
        return signature.verify(signatureBytes);
    }

    public static void main(String[] args) throws Exception {
        SignatureVerifier verifier = new SignatureVerifier();
        System.out.println(verifier.isValidSignature());
    }
}

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class SignatureVerifier
{
    public bool IsValidSignature()
    {
        // Read public key from file
        string pathToFile = @"path-to-file\gbipay.public.key.pem";
        string keyContent = File.ReadAllText(pathToFile);

        // Decode public key
        RSA rsa = RSA.Create();
        rsa.ImportFromPem(keyContent);

        // Signature and payload
        string strPayload = "transaction.charges:MCTREFBNKWHXANJBYX2L:GBPREFFFZNGLVH96GSKK:COLLECTION:PENDING";
        byte[] signatureBytes = Convert.FromBase64String("value-of-rsa-signature");

        // Verify signature
        var verifier = new RSAPKCS1SignatureDeformatter(rsa);
        verifier.SetHashAlgorithm("SHA256");
        byte[] payloadBytes = Encoding.UTF8.GetBytes(strPayload);
        byte[] sha256Hash;

        using (SHA256 sha256 = SHA256.Create())
        {
            sha256Hash = sha256.ComputeHash(payloadBytes);
        }

        return verifier.VerifySignature(sha256Hash, signatureBytes);
    }

    public static void Main(string[] args)
    {
        SignatureVerifier verifier = new SignatureVerifier();
        Console.WriteLine(verifier.IsValidSignature());
    }
}

import base64
import hashlib
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_public_key

def is_valid_signature():
    # Read public key from file
    with open("path-to-file/gbipay.public.key.pem", "rb") as key_file:
        key_content = key_file.read()

    # Decode public key
    public_key = load_pem_public_key(key_content, backend=default_backend())

    # Signature and payload
    str_payload = "transaction.charges:MCTREFBNKWHXANJBYX2L:GBPREFFFZNGLVH96GSKK:COLLECTION:PENDING"
    signature_bytes = base64.b64decode("value-of-rsa-signature")

    # Verify signature
    verifier = public_key.verifier(
        signature_bytes,
        padding.PKCS1v15(),
        hashlib.sha256
    )
    verifier.update(str_payload.encode())

    try:
        verifier.verify()
        return True
    except Exception as e:
        print("Signature verification failed:", e)
        return False

require 'openssl'
require 'base64'

def is_valid_signature
  # Read public key from file
  file = File.read("path-to-file/gbipay.public.key.pem")

  # Decode public key
  public_key = OpenSSL::PKey::RSA.new(file)

  # Signature and payload
  str_payload = "transaction.charges:MCTREFBNKWHXANJBYX2L:GBPREFFFZNGLVH96GSKK:COLLECTION:PENDING"
  signature_bytes = Base64.decode64("value-of-rsa-signature")

  # Verify signature
  sha256 = OpenSSL::Digest::SHA256.new
  result = public_key.verify(sha256, signature_bytes, str_payload)

  result
end

Below is an example of a generated RSA signature (rsa-signature) on the sandbox environment. Feel free to verify it using the sample payload above and the public key.

SLc165TEc2bB+lvEDRVQZU6uMJtan246Jt4jFw19TCE+ErtHP8fpbduQ5uytDs39N7Wt+YpZCrmbg7TYbZYaAbTn7jF06K2T51nTYVlxH2v39phWA73TtqT16RC9STwFfTbJmZmJJuKcOqumEac1LqkwzA89Xl3C4iFlf7aa7fVCgxlEBF/C9z+8Q2NHrMVg3mkDbI8i3UP9RBSq6KPV/i/rtIhmEOoUMqkoUN62Sboy1K35ltryhgY5F2GDAmblFPdZLxf5DkRspXt01dKp+PEUjO+IAouXpVzasez/z7G6G+Jl9cTF3eNLuMdNJMLpJx4MSQdJepziB0TSwxlfl4tswzlogEHyg1Z6vicXfAw4OJuDYRptkjty2mS0IfrCnEypbx05tWoX8io+aZ9zpcCn4Zp9x9b2JqL5ogRDy5wPLS+hJjKPeAAYp/2UlJYdISqy5Alfek8mRiUh5K7+EcwvYb9S6rLU3Os2GzQv0el2lng6nnU5lqZpmmHi/GErmKdxCtFaKoS9c2j7pv2LPnCmZb+z/LO8ALZV1NtHwLnnqY74tT3nFXAzYPEgy3FAbFP+RPXnnjh2rxjOUFU/eYQeX3b5WbhkGGnrIh4Y7k5u64+TJzjA3phYfO8O1/trUA5yH/2P+drvZPRLZ3zDeNVR51D4U02k3fL+YwLcobA=

PreviousHMAC Signature Verification NextAvailing Payout Funds

Last updated 11 months ago

hashtagObtain the Public Key - Based on environment

hashtagNext Steps

Obtain the Public Key - Based on environment

Next Steps