
I know I probably shouldn't be doing this in Perl but please humour me:

Trying to validate the signature of a PayPal REST API 2 Webhook. The 'raw_query' is the HTTP payload sent by PayPal which is CRC32 encoded as per PayPal. The Public Key Cert is hard-coded in for ease (this has been downloaded from PayPal and checked).

wh_id is the Webhook ID, from the PayPal Developer backend (when you add a webhook to your app).

Anyone any ideas why this always fails to verify?

#Modules used below
use Crypt::OpenSSL::X509;
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw(decode_base64);
use String::CRC32 qw(crc32);

#$wh_id (the Webhook ID) and %ppn (the parsed request, with the raw POST body in 'raw_query') are set earlier in the script

#The X509 Public Key Cert provided by PayPal (redacted)
my $pp='-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----';

#Create the original message that would have been signed by PayPal:
#transmission_id|transmission_time|webhook_id|crc32(raw body)
my $msg=$ENV{'HTTP_PAYPAL_TRANSMISSION_ID'}.'|'.$ENV{'HTTP_PAYPAL_TRANSMISSION_TIME'}.'|'.$wh_id.'|'.crc32($ppn{'raw_query'});

#Get a Crypt::OpenSSL::RSA object from the X509 Public Key provided by PayPal
my $x509 = Crypt::OpenSSL::X509->new_from_string($pp);
my $rsa = Crypt::OpenSSL::RSA->new_public_key($x509->pubkey());
$rsa->use_pkcs1_padding();
$rsa->use_sha256_hash();

#Base64-Decode the signature provided by PayPal
my $pp_sig = decode_base64($ENV{'HTTP_PAYPAL_TRANSMISSION_SIG'});

#Do the verification (the original had an unbalanced closing parenthesis here)
if ($rsa->verify($msg,$pp_sig)) {
    #Signature verified
}
else {
    #Signature did not verify
}
  • There are many [Paypal-related modules on CPAN](https://metacpan.org/search?size=50&q=paypal). Are there any that will do what you need, so that you don't need to re-invent the wheel? – Rob Jan 08 '22 at 12:10
  • Thanks, Rob. Unfortunately I can't find anything on CPAN, PayPal, stackoverflow, or generally searching the web. Normally I do try to sort these things out myself but I'm stuck! – silversquonk Jan 08 '22 at 12:37
  • Does [this](https://stackoverflow.com/a/62870569/2173773) answer help? – Håkon Hægland Jan 08 '22 at 18:41
  • Nice try by Hakon (and many thanks) but I'm already using the WebHook ID supplied by the developer backend - I think it's more to do with the encoding of the Public Key Cert or a perl-specific issue. – silversquonk Jan 08 '22 at 23:09
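An added, self-contained check of the same sign/verify pipeline, not code from the question: it uses a locally generated RSA key in place of PayPal's certificate and constructed header values, so it runs offline. It shows that the Crypt::OpenSSL::RSA calls and the `id|time|webhook_id|crc32(body)` message format verify correctly when the signer and verifier see the same raw body, and that any difference in the body (even one byte) changes the CRC32 and makes verification fail, which narrows a persistent failure down to the inputs (raw body bytes, webhook ID, certificate) rather than the verify call itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw(encode_base64 decode_base64);
use String::CRC32 qw(crc32);

# Constructed sample values standing in for the PAYPAL-TRANSMISSION-* headers
# and the Webhook ID (assumptions, not real PayPal data).
my $transmission_id   = '11111111-2222-3333-4444-555555555555';
my $transmission_time = '2022-01-08T12:00:00Z';
my $wh_id             = 'WH-EXAMPLE-ID';
# The raw POST body exactly as received; the CRC32 must be computed over these bytes.
my $raw_body = '{"id":"WH-EXAMPLE","event_type":"PAYMENT.CAPTURE.COMPLETED"}';

# Message format used by the question: id|time|webhook_id|crc32(body) as a decimal.
sub signed_message {
    my ($tid, $ttime, $webhook_id, $body) = @_;
    return join '|', $tid, $ttime, $webhook_id, crc32($body);
}

# Verifier side, same calls as the question's code. Wrapped in eval because
# Crypt::OpenSSL::RSA croaks on malformed input rather than returning false.
sub verify_webhook {
    my ($rsa, $msg, $sig_b64) = @_;
    my $ok = eval { $rsa->verify($msg, decode_base64($sig_b64)) };
    return $ok ? 1 : 0;
}

# Stand-in for PayPal's signer (assumption): a freshly generated 2048-bit key.
my $signer = Crypt::OpenSSL::RSA->generate_key(2048);
$signer->use_pkcs1_padding();
$signer->use_sha256_hash();

my $msg     = signed_message($transmission_id, $transmission_time, $wh_id, $raw_body);
my $sig_b64 = encode_base64($signer->sign($msg), '');   # what PAYPAL-TRANSMISSION-SIG carries

# Only the public key is needed to verify; PEM from the X509 cert's pubkey() works the same way.
my $verifier = Crypt::OpenSSL::RSA->new_public_key($signer->get_public_key_x509_string());
$verifier->use_pkcs1_padding();
$verifier->use_sha256_hash();

die "pipeline broken: matching body did not verify\n"
    unless verify_webhook($verifier, $msg, $sig_b64);

# A body that differs by a single trailing byte yields a different CRC32 and must be rejected.
my $altered = signed_message($transmission_id, $transmission_time, $wh_id, $raw_body . ' ');
die "pipeline broken: altered body verified\n"
    if verify_webhook($verifier, $altered, $sig_b64);

print "sign/verify pipeline OK; failures in production point at the inputs\n";
```

Swap the generated key for `Crypt::OpenSSL::X509->new_from_string($pp)->pubkey()` and the sample values for the real headers and raw body to check a live transmission with the same two subroutines.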
