Skip to content

Appendix

Signature Verification Description

To allow third-party applications to confirm that event pushes come from IDaaS, when IDaaS pushes events to the enterprise application callback service, the request body contains a request signature identified by the parameter sign. The third-party application needs to verify the correctness of this parameter. The verification steps are as follows:

  1. Calculate the signature: The signature calculation consists of 5 parts: signature secret key, nonce value, timestamp, event type, and message body, connected with &. It is encrypted using the HMAC-SHA256 + Base64 algorithm.
  2. Compare the calculated signature newSign with the request parameter sign. If they are equal, the verification passes.
  3. The third-party application returns the response message format as required.

Example:

java
String message = nonce + "&" + timestamp + "&" + eventType + "&" + data; 
Mac mac = Mac.getInstance("HmacSHA256"); 
SecretKeySpec secretKey = new SecretKeySpec(signatureSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"); 
mac.init(secretKey); 
String newSign = Base64.getEncoder().encodeToString(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
if (!newSign.equals(sign)) {
    response.setStatus(400);
}

Data Decryption Description

To ensure that data is not leaked or stolen during transmission, IDaaS encrypts data during transmission. After receiving the data, the third-party application needs to decrypt it. The decryption steps are as follows:

  1. BASE64 decode the ciphertext.

  2. Decrypt using AESKey.

Example:

java
byte[] encryptStr = Base64.getDecoder().decode(data);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); 
SecretKeySpec secretKey = new SecretKeySpec(encryptionKey.getBytes(StandardCharsets.UTF_8), "AES"); 
cipher.init(2, secretKey); 
byte[] bytes = cipher.doFinal(encryptStr);
String dataStr = new String(bytes, StandardCharsets.UTF_8);

BambooCloud IDaaS Open Platform