Facebook Real-time Update: Validating X-Hub-Signature SHA1 signature in Java
When Facebook sends real-time updates, they include an X-Hub-Signature in the HTTP header. According to their documentation, they're using SHA1 and the application secret as the key.

Based on a similar question for C#, I tried to verify the signature like this ('body' is the message sent by Facebook in the body of the request):

import java.nio.charset.Charset;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex; // Hex from Apache Commons Codec (assumed)

String passedSignature = req.getHeader("X-Hub-Signature").substring(5); // strip the "sha1=" prefix
Mac hmac = Mac.getInstance("HmacSHA1");
hmac.init(new SecretKeySpec(FACEBOOK_SECRET.getBytes(Charset.forName("UTF-8")), "HmacSHA1")); // key = app secret
String calculatedSignature = Hex.encodeHexString(hmac.doFinal(body.getBytes(Charset.forName("UTF-8")))); // HMAC-SHA1 of the body, hex-encoded
logger.debug("Calculated sigSHA1: " + calculatedSignature + " passedSignature: " + passedSignature);

But the passedSignature is always different from the calculatedSignature.

Can anybody help solve the problem?

Condyloma answered 20/6, 2013 at 18:36
Comment by Hatcher: You don't need to define Charset.forName("UTF-8") as the FB secret only uses Latin1 characters (ISO8859-1).

Turns out the code is correct, I was using the wrong key :-/

Anyway I hope this could help somebody else.

Condyloma answered 21/6, 2013 at 12:52
Comment by Splashboard: Yeah me too! :-( One should use the App Secret Token, not the Verify Token ('hub.verify_token') used in verification request.
Comment by Anadromous: @Uhlen, Thanks a lot. I was trying the same thing. :)
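A complete verifier for the check discussed in the question and answer, as an added example rather than code from the original post: it parses the "sha1=" prefix, recomputes HMAC-SHA1 over the raw request body bytes with the app secret, and compares in constant time. The secret "Jefe" and the body are the RFC 2202 HMAC-SHA1 test vector, not real Facebook values, so the expected result is known without a Facebook account.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

public class XHubSignatureVerifier {
    // Accepts "sha1=<40 hex chars>", recomputes HMAC-SHA1 over the raw body bytes with the
    // app secret and compares in constant time. Any malformed header is simply rejected.
    public static boolean isValid(String header, byte[] rawBody, String appSecret) {
        if (header == null || !header.startsWith("sha1=")) return false;
        byte[] expected = decodeHex(header.substring(5));
        if (expected == null) return false;
        byte[] actual = hmacSha1(appSecret.getBytes(StandardCharsets.UTF_8), rawBody);
        return MessageDigest.isEqual(expected, actual);
    }

    static byte[] hmacSha1(byte[] key, byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(key, "HmacSHA1"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA1 unavailable", e);
        }
    }

    // Returns null instead of throwing so a bad header cannot turn into a 500 error.
    static byte[] decodeHex(String hex) {
        if (hex.length() != 40) return null;
        byte[] out = new byte[20];
        for (int i = 0; i < 20; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs: RFC 2202 HMAC-SHA1 test case 2 (key "Jefe"), not real Facebook data.
        byte[] body = "what do ya want for nothing?".getBytes(StandardCharsets.UTF_8);
        String header = "sha1=effcdf6ae5eb2fa2d27416d5f184df9c259a7c79";
        System.out.println("correct secret: " + isValid(header, body, "Jefe"));
        System.out.println("wrong secret:   " + isValid(header, body, "wrong-secret"));
    }
}
```

In a servlet, pass the bytes read from the request's input stream rather than a String that has been decoded and re-encoded, since any change to the bytes changes the MAC.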
