Signature Verification

Vendors can use the shared secret to verify the integrity of the payload by generating an HMAC signature with the same method and comparing it with the signature field.

python

import hmac
import hashlib

def verify_hmac_signature(secret, payload, received_signature):
    calculated_signature = hmac.new(
        bytes(secret, 'utf-8'),
        bytes(payload, 'utf-8'),
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(calculated_signature, received_signature.split('=')[1])

# Example usage
secret = "my-shared-secret"
payload = '{"event_id":"987e4567-e89b-12d3-a456-426614174000","machine_listing_id":"d63d2545-af1a-42e8-9d4b-2f36b064f0be","event_type":"MachineUpdated","machine_status":"active","timestamp":"2024-10-28T12:00:00Z"}'
received_signature = "sha256=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"

is_valid = verify_hmac_signature(secret, payload, received_signature)
print("Signature is valid!" if is_valid else "Invalid signature!")    

go

package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

func verifyHMACSignature(secret, payload, receivedSignature string) bool {
	h := hmac.New(sha256.New, []byte(secret))
	h.Write([]byte(payload))
	calculatedSignature := hex.EncodeToString(h.Sum(nil))
	return hmac.Equal([]byte(calculatedSignature), []byte(strings.Split(receivedSignature, "=")[1]))
}

func main() {
	secret := "my-shared-secret"
	payload := `{"event_id":"987e4567-e89b-12d3-a456-426614174000","machine_listing_id":"d63d2545-af1a-42e8-9d4b-2f36b064f0be","event_type":"MachineUpdated","machine_status":"active","timestamp":"2024-10-28T12:00:00Z"}`
	receivedSignature := "sha256=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"

	isValid := verifyHMACSignature(secret, payload, receivedSignature)
	if isValid {
		fmt.Println("Signature is valid!")
	} else {
		fmt.Println("Invalid signature!")
	}
}

javascript

const crypto = require('crypto');

function verifyHMACSignature(secret, payload, receivedSignature) {
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(payload, 'utf-8');
  const calculatedSignature = hmac.digest('hex');
  return calculatedSignature === receivedSignature.split('=')[1];
}

// Example usage
const secret = 'my-shared-secret';
const payload = '{"event_id":"987e4567-e89b-12d3-a456-426614174000","machine_listing_id":"d63d2545-af1a-42e8-9d4b-2f36b064f0be","event_type":"MachineUpdated","machine_status":"active","timestamp":"2024-10-28T12:00:00Z"}';
const receivedSignature = 'sha256=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890';

const isValid = verifyHMACSignature(secret, payload, receivedSignature);
console.log(isValid ? 'Signature is valid!' : 'Invalid signature!');

php

<?php
function verifyHMACSignature($secret, $payload, $receivedSignature) {
    $calculatedSignature = hash_hmac('sha256', $payload, $secret);
    return hash_equals($calculatedSignature, explode('=', $receivedSignature)[1]);
}

// Example usage
$secret = 'my-shared-secret';
$payload = '{"event_id":"987e4567-e89b-12d3-a456-426614174000","machine_listing_id":"d63d2545-af1a-42e8-9d4b-2f36b064f0be","event_type":"MachineUpdated","machine_status":"active","timestamp":"2024-10-28T12:00:00Z"}';
$receivedSignature = 'sha256=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890';

$isValid = verifyHMACSignature($secret, $payload, $receivedSignature);
if ($isValid) {
    echo 'Signature is valid!';
} else {
    echo 'Invalid signature!';
}
?>