I am using the DocuSign Connect webhook service and want to use HMAC security to validate the request. To do this I have followed the instructions at https://developers.docusign.com/esign-rest-api/guides/connect-hmac, that is:
- On our account on DocuSign, I have set Include HMAC Signature for Connect and created a Connect Authentication Key.
- Received the Connect message from DocuSign Connect containing the header with the data hashed with the application’s defined HMAC keys.
- But I am facing an issue in the 3rd step, i.e. validating the HMAC signature, using the code below:
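```java
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// x-docusign-signature headers
String headerSign = request.getHeader("X-DocuSign-Signature-1");
String secret = "....";
// -------
// Compares the Base64 HMAC computed locally with the header value.
public static boolean HashIsValid(String secret, String payload,
        String headerSign)
        throws InvalidKeyException, NoSuchAlgorithmException,
        UnsupportedEncodingException {
    String computedHash = ComputeHash(secret, payload);
    boolean isEqual =
            MessageDigest.isEqual(computedHash.getBytes("UTF-8"),
                    headerSign.getBytes("UTF-8"));
    return isEqual;
}
// -------
// Computes HMAC-SHA256 of the payload with the secret, Base64-encoded.
public static String ComputeHash(String secret, String payload)
        throws InvalidKeyException, NoSuchAlgorithmException {
    String digest = "HmacSHA256";
    Mac mac = Mac.getInstance(digest);
    mac.init(new SecretKeySpec(secret.getBytes(), digest));
    String base64Hash = new String(
            Base64.getEncoder().encode(mac.doFinal(payload.getBytes())));
    return base64Hash;
}
```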
But it always returns false.
Does anyone have any idea why my hash code is different from the one received from DocuSign?
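
Added example, not part of the original post and not DocuSign's code: a verifier that computes HMAC-SHA256 over the exact request body bytes and compares the decoded digests in constant time. It shows one common reason such a check fails, hashing a parsed and re-serialized payload instead of the bytes that were signed; that this is the cause here is an assumption, and the class name, key and payload are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ConnectHmacCheck { // hypothetical class name

    // HMAC-SHA256 over the exact bytes received, keyed with the Connect key.
    static byte[] hmac(byte[] key, byte[] rawBody) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(rawBody);
    }

    // Decode the Base64 header value and compare raw digests in constant time.
    static boolean isValid(String secret, byte[] rawBody, String headerSign)
            throws GeneralSecurityException {
        if (headerSign == null) return false;
        byte[] received;
        try {
            received = Base64.getDecoder().decode(headerSign.trim());
        } catch (IllegalArgumentException e) {
            return false; // header is not valid Base64
        }
        byte[] expected = hmac(secret.getBytes(StandardCharsets.UTF_8), rawBody);
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-test-key"; // constructed, not a real key
        byte[] body = "{\"status\": \"completed\"}".getBytes(StandardCharsets.UTF_8);
        String header = Base64.getEncoder().encodeToString(
                hmac(secret.getBytes(StandardCharsets.UTF_8), body));

        // Same bytes as were signed: accepted.
        System.out.println(isValid(secret, body, header));
        // Payload parsed and re-serialized (whitespace changed): rejected.
        byte[] reserialized = "{\"status\":\"completed\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println(isValid(secret, reserialized, header));
        // Malformed header value: rejected without throwing.
        System.out.println(isValid(secret, body, "not base64!"));
    }
}
```

In a servlet, `rawBody` would be the bytes read from `request.getInputStream()` before any framework parses or re-encodes the body.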