RSA Signature Verification

The section describes how the RSA signature sent in the callback header can be verified. The signature is generated using RSA Signing. For verification to succeed, the public key is required.

Obtain the Public Key - Based on environment

Copy the public key for the environment you're working with from here. This document assumes that the public key would be stored somewhere on your server under the name qwaap.public.key.pem

Next Steps

Below is the sample callback data for this demonstration

{
    "event": "transaction.completed",
    "payload": {
        "id": 34809,
        "merchant_reference": "MCTREF5JSPCLU2JHDAAZ",
        "internal_reference": "QWAAPWJYJXTAUN65FRF",
        "transaction_type": "COLLECTION",
        "request_currency": "UGX",
        "request_amount": 70000,
        "transaction_currency": "UGX",
        "transaction_amount": 70000,
        "transaction_charge": 2100,
        "transaction_account": "256787009959",
        "customer_name": "JOHN DOE",
        "charge_customer": false,
        "total_credit": 67900,
        "provider_code": "mtn_ug",
        "transaction_status": "COMPLETED",
        "status_message": "Transaction Completed Successfully"
    }
}

Obtain the value of the rsa-signature header (if callback) OR the value of the rsa_signature query parameter (if redirect).
Form the string payload to be used in signature verification. This is obtained by concatenating values of the callback/redirect data in the format; event:merchant_reference:internal_reference:transaction_type:transaction_status and these values are obtained from the callback/redirect data. The string payload would therefore be transaction.completed:MCTREF5JSPCLU2JHDAAZ:QWAAPWJYJXTAUN65FRF:COLLECTION:COMPLETED
Use the public key obtained above to verify the signature as described in the sample source codes below.

<?php

public function isValidSignature() {
    $file = "path-to-file/qwaap.public.key.pem";
    $keyContent = file_get_contents($file);
    $publicKey = openssl_get_publickey($keyContent);
    $strPayload = "transaction.completed:MCTREF5JSPCLU2JHDAAZ:QWAAPWJYJXTAUN65FRF:COLLECTION:COMPLETED";
    $signature = base64_decode("value-of-rsa-signature");

    /*true or false*/
    return openssl_verify($strPayload, $signature, $publicKey, "sha256") == 1;
}

?>

const crypto = require('crypto');
const fs = require('fs');

function isValidSignature() {
    const strPayload = "transaction.completed:MCTREF5JSPCLU2JHDAAZ:QWAAPWJYJXTAUN65FRF:COLLECTION:COMPLETED";
    const signature = "value-of-rsa-signature";
    const publicKeyFile = "path-to-file/qwaap.public.key.pem";
    const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');

    const verify = crypto.createVerify("SHA256");
    verify.write(strPayload);
    verify.end();

    /*true or false*/
    return verify.verify(publicKey, signature, 'base64');
}

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class SignatureVerifier {

    public boolean isValidSignature() throws Exception {
        // Read public key from file
        Path pathToFile = Paths.get("path-to-file/qwaap.public.key.pem");
        byte[] keyBytes = Files.readAllBytes(pathToFile);

        // Decode public key
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PublicKey publicKey = keyFactory.generatePublic(keySpec);

        // Signature and payload
        String strPayload = "transaction.completed:MCTREF5JSPCLU2JHDAAZ:QWAAPWJYJXTAUN65FRF:COLLECTION:COMPLETED";
        byte[] signatureBytes = Base64.getDecoder().decode("value-of-rsa-signature");

        // Verify signature
        Signature signature = Signature.getInstance("SHA256withRSA");
        signature.initVerify(publicKey);
        signature.update(strPayload.getBytes());
        return signature.verify(signatureBytes);
    }

    public static void main(String[] args) throws Exception {
        SignatureVerifier verifier = new SignatureVerifier();
        System.out.println(verifier.isValidSignature());
    }
}

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class SignatureVerifier
{
    public bool IsValidSignature()
    {
        // Read public key from file
        string pathToFile = @"path-to-file\qwaap.public.key.pem";
        string keyContent = File.ReadAllText(pathToFile);

        // Decode public key
        RSA rsa = RSA.Create();
        rsa.ImportFromPem(keyContent);

        // Signature and payload
        string strPayload = "transaction.completed:MCTREF5JSPCLU2JHDAAZ:QWAAPWJYJXTAUN65FRF:COLLECTION:COMPLETED";
        byte[] signatureBytes = Convert.FromBase64String("value-of-rsa-signature");

        // Verify signature
        var verifier = new RSAPKCS1SignatureDeformatter(rsa);
        verifier.SetHashAlgorithm("SHA256");
        byte[] payloadBytes = Encoding.UTF8.GetBytes(strPayload);
        byte[] sha256Hash;

        using (SHA256 sha256 = SHA256.Create())
        {
            sha256Hash = sha256.ComputeHash(payloadBytes);
        }

        return verifier.VerifySignature(sha256Hash, signatureBytes);
    }

    public static void Main(string[] args)
    {
        SignatureVerifier verifier = new SignatureVerifier();
        Console.WriteLine(verifier.IsValidSignature());
    }
}

import base64
import hashlib
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_public_key

def is_valid_signature():
    # Read public key from file
    with open("path-to-file/qwaap.public.key.pem", "rb") as key_file:
        key_content = key_file.read()

    # Decode public key
    public_key = load_pem_public_key(key_content, backend=default_backend())

    # Signature and payload
    str_payload = "transaction.completed:MCTREF5JSPCLU2JHDAAZ:QWAAPWJYJXTAUN65FRF:COLLECTION:COMPLETED"
    signature_bytes = base64.b64decode("value-of-rsa-signature")

    # Verify signature
    verifier = public_key.verifier(
        signature_bytes,
        padding.PKCS1v15(),
        hashlib.sha256
    )
    verifier.update(str_payload.encode())

    try:
        verifier.verify()
        return True
    except Exception as e:
        print("Signature verification failed:", e)
        return False

require 'openssl'
require 'base64'

def is_valid_signature
  # Read public key from file
  file = File.read("path-to-file/qwaap.public.key.pem")

  # Decode public key
  public_key = OpenSSL::PKey::RSA.new(file)

  # Signature and payload
  str_payload = "transaction.completed:MCTREF5JSPCLU2JHDAAZ:QWAAPWJYJXTAUN65FRF:COLLECTION:COMPLETED"
  signature_bytes = Base64.decode64("value-of-rsa-signature")

  # Verify signature
  sha256 = OpenSSL::Digest::SHA256.new
  result = public_key.verify(sha256, signature_bytes, str_payload)

  result
end

Below is an example of a generated RSA signature (rsa-signature) on the sandbox environment. Feel free to verify it using the sample payload above and the public key.

MomUix/YlbrEnP/IgnmsQLBJ1Fcgj3zZb/qJyynN6Xu8TecVmezFWlY9K+ws5Clg9nwxMJt8gnfhVLxpNyb7JcY8Weqg7HKFH4FmC7qGGinMU+JafeCMe4mXJUfBMjRD89oHB8rZ/3RUlkHojrPRN6IqAb2M0V7Gzv9JXg3qDTUO1lJcJxtITEAmNypcc24FTqLU1ZbnKYFkNMGD6kDP6sgl95IDD0HnkvCb39b8KamZG9l3gJ1VjGGo/YHZbK40eyB7zmRSC1oVZwYFWjXi9Gqgzezbh42ofoLMNvmYJjIdW+K+51NGBW68XSXhbUxyhxNFXvsjLyZ31V1kiG802MZEwNOmLH0UFdegrODPIQwfKU9wzJ7rOVhJ9tXxy6KtrZj/BbzKZN+sgDVIZ2EgZr86+AwoTYKtiluAOdRZEwA9l0QY3IVk1SFGYp9Ve+ju8etaU/LiLrIU7mQmB+Ecaek2v3PweTKlxlA/NnYJ4LeiVbd2hq+ls+ogU8+Gbw9FER3P3b3HhVwSHA4Yo5JS9qDbrJGt/G9+esWNYCJxesdEOchEh4HQYfJipw1UU8VwKcfg+1BFlRNmE3MFYNek9bV1/DQhA5O5VVq7Oc9ZPaXW993CyCHLXdL1mCB/2poVLzdxFfAmoK8S54u6q9YJWx3vEw8GeqwUpdh08CR+yMY=

PreviousHMAC Signature Verification NextMerchant Account Transfers

Last updated 1 year ago

hashtagObtain the Public Key - Based on environment

hashtagNext Steps

Obtain the Public Key - Based on environment

Next Steps