Signature Verification

In addition to the header,webhook-hash when calling back, there's another header with the name,dusupay-signature and this is to help merchants trust that the callbacks originate from the DusuPay servers. Signature verification can be done with the following procedure;

1. Retrieve the value of the dusupay-signature header.

2. Form the string payload to be used in signature verification. This is obtained by concatenating values of the callback data in the format that follows id:internal_reference:transaction_status:callback_url where callback_url is the full URL as added to your merchant account settings. The other values are obtained from the callback data. e.g. assume the following is the callback data

   Copy

   {
       "id": 226,
       "request_amount": 10,
       "request_currency": "USD",
       "account_amount": 737.9934,
       "account_currency": "UGX",
       "transaction_fee": 21.4018,
       "total_credit": 716.5916,
       "customer_charged": false,
       "provider_id": "mtn_ug",
       "merchant_reference": "76859aae-f148-48c5-9901-2e474cf19b71",
       "internal_reference": "DUSUPAY405GZM1G5JXGA71IK",
       "transaction_status": "COMPLETED",
       "transaction_type": "collection",
       "message": "Transaction Completed Successfully"
   }

   and that the callback URL is https://www.sample-url.com/callback The string payload would therefore be 226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.sample-url.com/callback

3. Obtain the public key as described here and store it as a file.

4. Use the public key to verify the signature as described in the example source codes below;

Signature Verification Code Samples

const crypto = require('crypto');
const fs = require('fs');

function isValidSignature() {
    const strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.sample-url.com/callback";
    const signature = "value-of-dusupay-signature";
    const publicKeyFile = "path-to-file/dusupay.public.key.pem";
    const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');

    const verify = crypto.createVerify("SHA512");
    verify.write(strPayload);
    verify.end();

    /*true or false*/
    return verify.verify(publicKey, signature, 'base64');
}

<?php

public function isValidSignature() {
    $file = "path-to-file/dusupay.public.key.pem";
    $keyContent = file_get_contents($file);
    $publicKey = openssl_get_publickey($keyContent);
    $strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:https://www.sample-url.com/callback";
    $signature = base64_decode("value-of-dusupay-signature");

    /*true or false*/
    return openssl_verify($strPayload, $signature, $publicKey, "sha512") == 1;
}

?>