Skip to main content
commvault.com commvault.com
Solved

How to calculate HMAC digest for Webhook payload to be able to validate the received message?

  • September 19, 2024
  • 3 replies
  • 102 views
A
Bit
Forum|alt.badge.img+1

When configuring Webhooks in SaaS console, you can set “Authentication” to “Secret HMAC”, which results in x-cv-signature-256 header being added to the payload with the digest of the message in it.

I would like to be able to validate the message by calculating the same digest at the receiving end and comparing to the value in the header. Trouble is, I cannot work out how Commvault generates the digest. For example, working with another API, the digest is calculated based on the HTTP method + current epoch + body + API endpoint. 

I need to do this in Powershell but any guidance or code examples in other languages would be appreciated. 

Best answer by Albert Williams

Hello @Adamski 

 

My dev has responding with the following: 

 

We use HMAC-SHA256 to calculate digest - 

echo -n '<PAYLOAD>' | openssl dgst -sha256 -hmac '<SECRET_KEY>'

 

I hope this answers your questions?

Kind regards

Albert Williams

View original
    Did this answer your question?

    3 replies

    A
    Vaulter
    Forum|alt.badge.img+15

    Hello @Adamski 

     

    I have flagged this question internally with a Dev expert and i will keep you posted on their update. 


    Kind regards
    Albert Williams

    The best way to learn anything, is to question everything
    A
    Vaulter
    Forum|alt.badge.img+15

    Hello @Adamski 

     

    My dev has responding with the following: 

     

    We use HMAC-SHA256 to calculate digest - 

    echo -n '<PAYLOAD>' | openssl dgst -sha256 -hmac '<SECRET_KEY>'

     

    I hope this answers your questions?

    Kind regards

    Albert Williams

    The best way to learn anything, is to question everything
    A
    1 person likes this
    • A
      Adamski
    A
    Bit
    Forum|alt.badge.img+1
    • Adamski
    • Author
    • Bit
    • 1 reply
    • September 23, 2024

    Hi @Albert Williams ,

    thank you for the confirmation, I now see where my problem is. Commvault appends a trailing space to the PAYLOAD before the signature is calculated.

    I have set my alert template for the webhook as follows, all info is static, no tokens, no trailing spaces or new lines:

    {"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"}

    When I test the webhook, I see the digest in the header coming in as:

    "x-cv-signature-256": "9dc53ebcdd55a34ae4e6b8b732305ab7c1f2ef4e79303f1fbf2457bcb1c2f7ec",

    With the payload shown in the log as 

    "body": "{\"alertCategoryAlertType\": \"testtype\",\"alertEventId\": \"123\",\"clientDisplayName\": \"testclient\",\"utcTime\": \"Mon Sep 23 13:53:27 2024\"} ",

    Here are my digest calculations

    # PAYLOAD copied from the alert template
echo -n '{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"}' | openssl dgst -sha256 -hmac 'TestSecret'

SHA2-256(stdin)= f74dec8dc8c5ea22bc8e56c42a01ff500205c185c77249709adcc9a9bb3ab094


# PAYLOAD copied from the alert template and a trailing space added
# this one corresponds to the digest calculated by Commvault
echo -n '{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"} ' | openssl dgst -sha256 -hmac 'TestSecret'

SHA2-256(stdin)= 9dc53ebcdd55a34ae4e6b8b732305ab7c1f2ef4e79303f1fbf2457bcb1c2f7ec

     

    I will raise a support ticket for this.

    A
    1 person likes this
    • A
      Albert Williams

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settings

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings