PHP REST API webhook verification not successful, PHP SDK no longer in development

this_is_gunther
Contributor

As there is currently no official SDK provided (which isn't out of date), I decided to integrate the REST API myself.

So far so good. I can create orders and receive webhooks if something happens on the PayPal side of things.

However I ran into problems verifying the webhook server side.

There is documentation which explains it here:
https://developer.paypal.com/api/rest/webhooks/

I put together the string which is mentioned there co...

<transmissionId>|<timeStamp>|<webhookId>|<crc32>


And to verify this I wrote the following code using the openssl_verify() method:
I have spent at least 3-4 days debugging and researching this issue. Does anybody have an idea what I am missing here?

<?php

$payload = file_get_contents('php://input');

$transmission_id = $_SERVER['HTTP_PAYPAL_TRANSMISSION_ID'];
$transmission_sig = $_SERVER['HTTP_PAYPAL_TRANSMISSION_SIG'];
$transmission_time = $_SERVER['HTTP_PAYPAL_TRANSMISSION_TIME'];

$cert_url = $_SERVER['HTTP_PAYPAL_CERT_URL'];
$cert = file_get_contents($cert_url);

$signature = base64_decode($transmission_sig);

// <transmissionId>|<timeStamp>|<webhookId>|<crc32>
$string_chain = implode('|', [
    $transmission_id,
    $transmission_time,
    'mywebhookid',
    crc32($payload),
]);

$success = openssl_verify(
    data: $string_chain,
    signature: $signature,
    public_key: $cert,
    algorithm: 'sha256WithRSAEncryption'
);

 

 


ChristofMoser
New Community Member

Hey, it looks like you were very close.

 

This is how I solved that problem:

$success = (
	openssl_verify(
		data: implode(separator: '|', array: [
			$httpPayPalTransmissionId,
			$httpPayPalTransmissionTime,
			$webhookID,
			crc32(string: $rawRequestBody),
		]),
		signature: base64_decode(string: $httpPayPalTransmissionSignature),
		public_key: openssl_pkey_get_public(public_key: file_get_contents(filename: $httpPayPalCertUrl)),
		algorithm: 'sha256WithRSAEncryption'
	) === 1
);
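
A hardened variant of the check discussed in this thread, as an added example that is not PayPal's code or either poster's: it allow-lists the host of the certificate URL header before fetching anything and accepts only a return value of 1 from openssl_verify(). The allowed host list, the `verifyPayPalWebhook` name and the injected `$fetchPem` callable are assumptions, and the demo key, headers and body are constructed.

```php
<?php
// Added example; not PayPal's code and not code from either post.
// Assumption: certificates are only served from these hosts. Confirm before relying on it.
const ALLOWED_CERT_HOSTS = ['api.paypal.com', 'api.sandbox.paypal.com'];

function verifyPayPalWebhook(array $server, string $rawBody, string $webhookId, callable $fetchPem): bool
{
    $keys = ['HTTP_PAYPAL_TRANSMISSION_ID', 'HTTP_PAYPAL_TRANSMISSION_TIME',
             'HTTP_PAYPAL_TRANSMISSION_SIG', 'HTTP_PAYPAL_CERT_URL'];
    foreach ($keys as $k) {
        if (!isset($server[$k]) || !is_string($server[$k]) || $server[$k] === '') {
            return false;
        }
    }
    // The certificate URL arrives in a request header, so the sender chooses it.
    // Fetch it only over HTTPS and only from an allow-listed host.
    $url = parse_url($server['HTTP_PAYPAL_CERT_URL']);
    if (!is_array($url) || ($url['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($url['host'] ?? ''), ALLOWED_CERT_HOSTS, true)) {
        return false;
    }
    $signature = base64_decode($server['HTTP_PAYPAL_TRANSMISSION_SIG'], true);
    $pem = $fetchPem($server['HTTP_PAYPAL_CERT_URL']);
    $publicKey = is_string($pem) ? openssl_pkey_get_public($pem) : false;
    if ($signature === false || $publicKey === false) {
        return false;
    }
    // <transmissionId>|<timeStamp>|<webhookId>|<crc32>
    $message = implode('|', [$server['HTTP_PAYPAL_TRANSMISSION_ID'],
        $server['HTTP_PAYPAL_TRANSMISSION_TIME'], $webhookId, crc32($rawBody)]);
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error); only 1 may pass.
    return openssl_verify($message, $signature, $publicKey, 'sha256WithRSAEncryption') === 1;
}

// Constructed offline demo: a throwaway RSA key stands in for the PayPal certificate.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pem = openssl_pkey_get_details($key)['key'];
$body = '{"id":"constructed-event"}';
$srv = ['HTTP_PAYPAL_TRANSMISSION_ID' => 'constructed-id',
        'HTTP_PAYPAL_TRANSMISSION_TIME' => '2024-01-01T00:00:00Z',
        'HTTP_PAYPAL_CERT_URL' => 'https://api.paypal.com/constructed/cert.pem'];
openssl_sign('constructed-id|2024-01-01T00:00:00Z|constructed-webhook-id|' . crc32($body), $sig, $key, 'sha256WithRSAEncryption');
$srv['HTTP_PAYPAL_TRANSMISSION_SIG'] = base64_encode($sig);
$fetch = fn(string $u) => $pem; // stand-in for an HTTPS download of the certificate
$foreign = ['HTTP_PAYPAL_CERT_URL' => 'https://api.paypal.com.example/cert.pem'] + $srv;
foreach (['valid delivery' => [$srv, $body], 'tampered body' => [$srv, $body . ' '],
          'cert URL on a foreign host' => [$foreign, $body]] as $case => [$s, $b]) {
    echo $case, ': ', var_export(verifyPayPalWebhook($s, $b, 'constructed-webhook-id', $fetch), true), "\n";
}
```

In a real handler, pass `$_SERVER`, the raw body from `php://input`, your own webhook ID and a fetcher that downloads the certificate over HTTPS with peer verification enabled.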