Facebook Real-time Update: Validating X-Hub-Signature SHA1 signature in Java

Question

When Facebook sends real-time updates, they include a X-Hub-Signature in the HTTP header. According to their documentation, they're using SHA1 and the application secret as the key.

Based on a similar question for C# I tried to verify the signature like this ('body' is the message sent by facebook in the body of the request):

String passedSignature = req.getHeader("X-Hub-Signature").substring(5);
Mac hmac = Mac.getInstance("HmacSHA1");
hmac.init(new SecretKeySpec(FACEBOOK_SECRET.getBytes(Charset.forName("UTF-8")), "HmacSHA1"));
String calculatedSignature = Hex.encodeHexString(hmac.doFinal(body.getBytes(Charset.forName("UTF-8"))));
logger.debug("Calculated sigSHA1: " + calculatedSignature + " passedSignature: " + passedSignature);

But the passedSignature is always different from the calculatedSignature.

Anybody can help solving the problem?

You don't need to define `Charset.forName("UTF-8")` as the FB secret only uses Latin1 characters (ISO8859-1). — jbrios777, Aug 31 '16 at 19:24

score 13 · Accepted Answer · answered Jun 21 '13 at 12:52

13

Turns out the code is correct, I was using the wrong key :-/

Anyway I hope this could help somebody else.

answered Jun 21 '13 at 12:52

Alessandro Polverini

2,301
19
29

1

Yeah me too! :-( One should use the App Secret Token, not the Verify Token ('hub.verify_token') used in verification request. – Uhlen Nov 06 '18 at 08:17
@Uhlen, Thanks a lot. I was trying the same thing. :) – Lalithaditya Kota Sep 30 '22 at 04:52

Facebook Real-time Update: Validating X-Hub-Signature SHA1 signature in Java

1 Answers1