
A client is using signed requests (with SignPost, I believe) to call my Spring Boot REST API server; I'm supposed to validate or verify that signature before allowing access to my resources.

My question is how can I verify that signature?

EDIT

I'm not very familiar with SignPost, but I forgot to mention that I have the client's key and secret which is what I suppose I have to use to verify the signature.

Also, to obtain the signature, do I get it from the header of the request?

Ayane

1 Answer


One way is to send the signature bytes along with the request, where you can get the signature using the GET method of REST (if your request is a RESTful API) and verify it using the built-in function of the Java security class:

    import java.security.PublicKey;
    import java.security.Signature;

    // Verifies a SHA256withRSA signature over the exact bytes the client signed.
    PublicKey publicKey = getPublicKey(); // load the client's public key here (path or key store)
    Signature sig = Signature.getInstance("SHA256withRSA");
    sig.initVerify(publicKey);
    sig.update(signedRequestBytes);                            // the request bytes the signature was computed over
    boolean result = sig.verify(verifyRequest.getSignature()); // the signature bytes sent with the request

This is the easiest way to verify signatures before allowing access to your resources.

Rezwan
  • To verify the signature, do I only need the client's key or the secret too? The signature is done with SignPost, which I'm not very familiar with, but I think it uses the client key and secret to sign. – Ayane Mar 16 '18 at 12:21
  • For verifying the signatures, you need the client key, referred to as the public key. For signing, it requires a trust store such as a JKS, which includes a hash through which it gets the private key and signs it. – Rezwan Mar 16 '18 at 13:01
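An added example, not part of the question, the answer or the comments above: Signpost's default signer produces an OAuth 1.0a HMAC-SHA1 signature and sends it in the `Authorization: OAuth ...` request header, which is the case the question describes (a consumer key and secret, no public key). Server-side verification then means rebuilding the signature base string from the method, URL and parameters, recomputing the HMAC with the secret stored for the presented consumer key, and comparing in constant time. The class below is my own illustration, not Signpost or Spring code; it includes the client signing step only so the demo runs on its own. The class name, the sample URL, consumer key, secret, nonce and timestamp are all constructed, and it assumes Java 11 or later and a two-legged flow (no token secret).

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not from the page: OAuth 1.0a HMAC-SHA1 signing and verification.
public class OAuth1Verifier {

    // RFC 5849 percent-encoding: unreserved characters stay, everything else becomes %XX.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Parse `OAuth k="v", k2="v2"` into a map of percent-decoded values.
    static Map<String, String> parseAuthHeader(String header) {
        Map<String, String> out = new LinkedHashMap<>();
        if (header == null || !header.startsWith("OAuth ")) return out;
        for (String part : header.substring(6).split(",")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length != 2) continue;
            String v = kv[1].trim();
            if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) v = v.substring(1, v.length() - 1);
            out.put(URLDecoder.decode(kv[0].trim(), StandardCharsets.UTF_8),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    // Signature base string (RFC 5849 section 3.4.1): METHOD & base URL & normalized params,
    // with every oauth_* and request parameter except oauth_signature, sorted by name then value.
    static String baseString(String method, String baseUrl, Map<String, String> params) {
        List<String[]> pairs = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (e.getKey().equals("oauth_signature")) continue;
            pairs.add(new String[] { enc(e.getKey()), enc(e.getValue()) });
        }
        pairs.sort((a, b) -> a[0].equals(b[0]) ? a[1].compareTo(b[1]) : a[0].compareTo(b[0]));
        List<String> joined = new ArrayList<>();
        for (String[] p : pairs) joined.add(p[0] + "=" + p[1]);
        return method.toUpperCase() + "&" + enc(baseUrl) + "&" + enc(String.join("&", joined));
    }

    // HMAC-SHA1 over the base string, keyed with enc(consumerSecret)&enc(tokenSecret); token secret is empty here.
    static String hmacSha1(String consumerSecret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec((enc(consumerSecret) + "&").getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Server side: accept only if the presented oauth_signature equals the HMAC we recompute
    // with the secret we hold for the consumer key the client claims.
    static boolean verify(String method, String baseUrl, Map<String, String> requestParams,
                          String authHeader, Map<String, String> secretsByConsumerKey) throws Exception {
        Map<String, String> oauth = parseAuthHeader(authHeader);
        if (!"HMAC-SHA1".equals(oauth.get("oauth_signature_method"))) return false;
        String secret = secretsByConsumerKey.get(oauth.get("oauth_consumer_key"));
        String presented = oauth.get("oauth_signature");
        if (secret == null || presented == null) return false;
        Map<String, String> all = new LinkedHashMap<>(requestParams);
        all.putAll(oauth);
        String expected = hmacSha1(secret, baseString(method, baseUrl, all));
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    // Client side (what Signpost does for the caller): sign and build the Authorization header.
    static String sign(String method, String baseUrl, Map<String, String> requestParams,
                       String consumerKey, String consumerSecret, String nonce, String timestamp) throws Exception {
        Map<String, String> oauth = new LinkedHashMap<>();
        oauth.put("oauth_consumer_key", consumerKey);
        oauth.put("oauth_nonce", nonce);
        oauth.put("oauth_signature_method", "HMAC-SHA1");
        oauth.put("oauth_timestamp", timestamp);
        oauth.put("oauth_version", "1.0");
        Map<String, String> all = new LinkedHashMap<>(requestParams);
        all.putAll(oauth);
        oauth.put("oauth_signature", hmacSha1(consumerSecret, baseString(method, baseUrl, all)));
        List<String> parts = new ArrayList<>();
        for (Map.Entry<String, String> e : oauth.entrySet()) parts.add(enc(e.getKey()) + "=\"" + enc(e.getValue()) + "\"");
        return "OAuth " + String.join(", ", parts);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one registered client and one GET request with a query parameter.
        Map<String, String> secrets = Map.of("client-key-123", "client-secret-456");
        Map<String, String> params = new LinkedHashMap<>();
        params.put("page", "2");
        String url = "https://api.example.com/orders";   // base URL without the query string
        String header = sign("GET", url, params, "client-key-123", "client-secret-456", "n0nce", "1521200000");
        System.out.println(header);
        System.out.println("valid:       " + verify("GET", url, params, header, secrets));
        params.put("page", "3");                          // query tampered after signing
        System.out.println("tampered:    " + verify("GET", url, params, header, secrets));
        System.out.println("unknown key: " + verify("GET", url, params,
                "OAuth oauth_consumer_key=\"other\", oauth_signature=\"x\", oauth_signature_method=\"HMAC-SHA1\"", secrets));
    }
}
```

The first check succeeds because the server rebuilds exactly the base string the client signed; the tampered request fails because the query parameter is part of that base string, and the unknown consumer key fails because no secret is on file for it. In a Spring Boot service the `verify` call would sit in a filter or interceptor that reads `request.getHeader("Authorization")`, `request.getMethod()`, `request.getRequestURL()` and the query or form parameters, and a production check would also reject stale `oauth_timestamp` values and replayed `oauth_nonce` values.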