I'm trying to get PayPal Webhooks to work with my PHP app. The problem is the hashing algorithm they send via headers, that i must use to verify if the request is valid.
When I try to use it, I get this error:
hash_hmac(): Unknown hashing algorithm: SHA256withRSA
I have tried hash_hmac using just the "sha256" algo and it worked, so I think the problem must be with the one they want me to use.
Here is the code I use to process the Webhook:
$headers = apache_request_headers();
$body = @file_get_contents('php://input');
$json = json_decode($body);
// Concatanate the reqired strings values
$sigString = $headers['PAYPAL-TRANSMISSION-ID'].'|'.$headers['PAYPAL-TRANSMISSION-TIME'].'|'.$json->id.'|'.crc32($body);
// Get the certificate file and read the key
$pub_key = openssl_pkey_get_public(file_get_contents($headers['PAYPAL-CERT-URL']));
$keyData = openssl_pkey_get_details($pub_key);
// check signature
if ($headers['PAYPAL-TRANSMISSION-SIG'] != hash_hmac($headers['PAYPAL-AUTH-ALGO'],$sigString,$keyData['key'])) {
//invalid
}
Here is the code that worked in the end:
// Get the certificate file and read the key
$pubKey = openssl_pkey_get_public(file_get_contents($headers['PAYPAL-CERT-URL']));
$details = openssl_pkey_get_details($pubKey);
$verifyResult = openssl_verify($sigString, base64_decode($headers['PAYPAL-TRANSMISSION-SIG']), $details['key'], 'sha256WithRSAEncryption');
if ($verifyResult === 0) {
throw new Exception('signature incorrect');
} elseif ($verifyResult === -1) {
throw new Exception('error checking signature');
}
//rest of the code when signature is correct...
I needed to decode the signature PayPal sent me with base64_decode() and for some reason the key worked only when I used openssl_pkey_get_details()
I think they are not using HMAC algorithm (symmetric), contrary to what they say in documentation, but RSA (asymmetric). So you should use openssl_verify to verify a signature. Maybe this will work:
//your code here...
// Get the certificate file and read the key
$pubKey = openssl_pkey_get_public(file_get_contents($headers['PAYPAL-CERT-URL']));
$verifyResult = openssl_verify($sigString, $headers['PAYPAL-TRANSMISSION-SIG'], $pubKey, 'sha256WithRSAEncryption');
if ($verifyResult === 0) {
throw new Exception('signature incorrect');
} elseif ($verifyResult === -1) {
throw new Exception('error checking signature');
}
//rest of the code when signature is correct...
The signature algorithm names used by PayPal may be different than those used by PHP. Refer to openssl_get_md_methods method to get valid PHP signature algorithms.