Solved

How to calculate HMAC digest for Webhook payload to be able to validate the received message?

  • September 19, 2024

When configuring Webhooks in SaaS console, you can set “Authentication” to “Secret HMAC”, which results in x-cv-signature-256 header being added to the payload with the digest of the message in it.

I would like to be able to validate the message by calculating the same digest at the receiving end and comparing to the value in the header. Trouble is, I cannot work out how Commvault generates the digest. For example, working with another API, the digest is calculated based on the HTTP method + current epoch + body + API endpoint. 

I need to do this in Powershell but any guidance or code examples in other languages would be appreciated. 

Best answer by Albert Williams

Hello @Adamski 

 

My dev has responded with the following:

 

We use HMAC-SHA256 to calculate digest - 

echo -n '<PAYLOAD>' | openssl dgst -sha256 -hmac '<SECRET_KEY>'

 

I hope this answers your questions?

Kind regards

Albert Williams


Hello @Adamski 

 

I have flagged this question internally with a Dev expert and I will keep you posted on their update.


Kind regards
Albert Williams



  • Author
  • September 23, 2024

Hi @Albert Williams ,

thank you for the confirmation, I now see where my problem is. Commvault appends a trailing space to the PAYLOAD before the signature is calculated.

I have set my alert template for the webhook as follows, all info is static, no tokens, no trailing spaces or new lines:

{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"}

When I test the webhook, I see the digest in the header coming in as:

"x-cv-signature-256": "9dc53ebcdd55a34ae4e6b8b732305ab7c1f2ef4e79303f1fbf2457bcb1c2f7ec",

With the payload shown in the log as 

"body": "{\"alertCategoryAlertType\": \"testtype\",\"alertEventId\": \"123\",\"clientDisplayName\": \"testclient\",\"utcTime\": \"Mon Sep 23 13:53:27 2024\"} ",

Here are my digest calculations

# PAYLOAD copied from the alert template
echo -n '{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"}' | openssl dgst -sha256 -hmac 'TestSecret'

SHA2-256(stdin)= f74dec8dc8c5ea22bc8e56c42a01ff500205c185c77249709adcc9a9bb3ab094


# PAYLOAD copied from the alert template and a trailing space added
# this one corresponds to the digest calculated by Commvault
echo -n '{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"} ' | openssl dgst -sha256 -hmac 'TestSecret'

SHA2-256(stdin)= 9dc53ebcdd55a34ae4e6b8b732305ab7c1f2ef4e79303f1fbf2457bcb1c2f7ec

 

I will raise a support ticket for this.
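
A receiver-side check in PowerShell built on the thread's findings, as an added example that is not part of the original posts and is not Commvault's code: it computes HMAC-SHA256 over the body bytes exactly as received (trailing space included, no trimming or re-serialising) and compares against the x-cv-signature-256 header in constant time. The function name Test-WebhookSignature and its parameters are hypothetical; the sample body, secret and header value are the ones quoted in the thread.

```powershell
# Added example: names below are hypothetical, not Commvault's own code.
function Test-WebhookSignature {
    param(
        [byte[]] $BodyBytes,     # request body exactly as received, untrimmed
        [string] $SignatureHex,  # value of the x-cv-signature-256 header
        [string] $Secret         # secret configured for "Secret HMAC"
    )
    # Reject anything that is not exactly 64 hex characters.
    if ($SignatureHex -notmatch '^[0-9a-fA-F]{64}\z') { return $false }
    $received = [byte[]]::new(32)
    for ($i = 0; $i -lt 32; $i++) {
        $received[$i] = [Convert]::ToByte($SignatureHex.Substring($i * 2, 2), 16)
    }

    # HMAC-SHA256 keyed with the UTF-8 bytes of the secret, as in the openssl command.
    $key  = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($key)
    try { $expected = $hmac.ComputeHash($BodyBytes) } finally { $hmac.Dispose() }

    # Constant-time comparison: always walk all 32 bytes, no early exit.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $received[$i])
    }
    return ($diff -eq 0)
}

# Values quoted in the thread: alert template, test secret, received header.
$template = '{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"}'
$header   = '9dc53ebcdd55a34ae4e6b8b732305ab7c1f2ef4e79303f1fbf2457bcb1c2f7ec'
$utf8     = [System.Text.Encoding]::UTF8

# Body as it arrived (with the trailing space) versus the template as typed.
Test-WebhookSignature -BodyBytes ($utf8.GetBytes($template + ' ')) -SignatureHex $header -Secret 'TestSecret'
Test-WebhookSignature -BodyBytes ($utf8.GetBytes($template)) -SignatureHex $header -Secret 'TestSecret'
```

In a real receiver, pass the bytes read from the request stream rather than a string that has been parsed and re-encoded, so whatever whitespace the sender signed is preserved.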

