RSA Signature Verification

The section describes how the RSA signature sent in the callback header or redirect query data can be verified. For verification to succeed, the public key is required.

Download the Public Key File

Download the public key file by clicking the link below and store it somewhere on your server

Next Steps

Below is the sample callback data for this demonstration (sample redirect data is available here);

{
    "event": "transaction.failed",
    "payload": {
        "id": 708,
        "merchant_reference": "MCTREFYDPE9LMZ34S8HM",
        "internal_reference": "GOVBILGHQ6ZDXFK7C7NJ",
        "transaction_type": "COLLECTION",
        "request_currency": "UGX",
        "request_amount": 35000,
        "transaction_currency": "UGX",
        "transaction_amount": 35000,
        "transaction_charge": 0,
        "charge_customer": false,
        "provider_code": "mtn_momo_ug",
        "transaction_status": "FAILED",
        "status_message": "Balance Insufficient for the transaction",
        "transaction_account": "256772000002",
        "customer_name": "JOHN DOE",
        "institution_name": "MTN",
        "total_credit": 0
    }
}

Obtain the value of the rsa-signature header (if callback) OR the value of the rsa_signature query parameter (if redirect).
Form the string payload to be used in signature verification. This is obtained by concatenating values of the callback/redirect data in the format; event:merchant_reference:internal_reference:transaction_type:transaction_status and these values are obtained from the callback/redirect data. The string payload would therefore be transaction.failed:MCTREFYDPE9LMZ34S8HM:GOVBILGHQ6ZDXFK7C7NJ:COLLECTION:FAILED
Use the public key obtained above to verify the signature as described in the sample source codes below;

<?php

public function isValidSignature() {
    $file = "path-to-file/govnet.public.key.pem";
    $keyContent = file_get_contents($file);
    $publicKey = openssl_get_publickey($keyContent);
    $strPayload = "transaction.failed:MCTREFYDPE9LMZ34S8HM:GOVBILGHQ6ZDXFK7C7NJ:COLLECTION:FAILED";
    $signature = base64_decode("value-of-rsa-signature");

    /*true or false*/
    return openssl_verify($strPayload, $signature, $publicKey, "sha256") == 1;
}

?>

const crypto = require('crypto');
const fs = require('fs');

function isValidSignature() {
    const strPayload = "transaction.failed:MCTREFYDPE9LMZ34S8HM:GOVBILGHQ6ZDXFK7C7NJ:COLLECTION:FAILED";
    const signature = "value-of-rsa-signature";
    const publicKeyFile = "path-to-file/govnet.public.key.pem";
    const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');

    const verify = crypto.createVerify("SHA256");
    verify.write(strPayload);
    verify.end();

    /*true or false*/
    return verify.verify(publicKey, signature, 'base64');
}

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class SignatureVerifier {

    public boolean isValidSignature() throws Exception {
        // Read public key from file
        Path pathToFile = Paths.get("path-to-file/govnet.public.key.pem");
        byte[] keyBytes = Files.readAllBytes(pathToFile);

        // Decode public key
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PublicKey publicKey = keyFactory.generatePublic(keySpec);

        // Signature and payload
        String strPayload = "transaction.failed:MCTREFYDPE9LMZ34S8HM:GOVBILGHQ6ZDXFK7C7NJ:COLLECTION:FAILED";
        byte[] signatureBytes = Base64.getDecoder().decode("value-of-rsa-signature");

        // Verify signature
        Signature signature = Signature.getInstance("SHA256withRSA");
        signature.initVerify(publicKey);
        signature.update(strPayload.getBytes());
        return signature.verify(signatureBytes);
    }

    public static void main(String[] args) throws Exception {
        SignatureVerifier verifier = new SignatureVerifier();
        System.out.println(verifier.isValidSignature());
    }
}

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class SignatureVerifier
{
    public bool IsValidSignature()
    {
        // Read public key from file
        string pathToFile = @"path-to-file\govnet.public.key.pem";
        string keyContent = File.ReadAllText(pathToFile);

        // Decode public key
        RSA rsa = RSA.Create();
        rsa.ImportFromPem(keyContent);

        // Signature and payload
        string strPayload = "transaction.failed:MCTREFYDPE9LMZ34S8HM:GOVBILGHQ6ZDXFK7C7NJ:COLLECTION:FAILED";
        byte[] signatureBytes = Convert.FromBase64String("value-of-rsa-signature");

        // Verify signature
        var verifier = new RSAPKCS1SignatureDeformatter(rsa);
        verifier.SetHashAlgorithm("SHA256");
        byte[] payloadBytes = Encoding.UTF8.GetBytes(strPayload);
        byte[] sha256Hash;

        using (SHA256 sha256 = SHA256.Create())
        {
            sha256Hash = sha256.ComputeHash(payloadBytes);
        }

        return verifier.VerifySignature(sha256Hash, signatureBytes);
    }

    public static void Main(string[] args)
    {
        SignatureVerifier verifier = new SignatureVerifier();
        Console.WriteLine(verifier.IsValidSignature());
    }
}

import base64
import hashlib
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_public_key

def is_valid_signature():
    # Read public key from file
    with open("path-to-file/govnet.public.key.pem", "rb") as key_file:
        key_content = key_file.read()

    # Decode public key
    public_key = load_pem_public_key(key_content, backend=default_backend())

    # Signature and payload
    str_payload = "transaction.failed:MCTREFYDPE9LMZ34S8HM:GOVBILGHQ6ZDXFK7C7NJ:COLLECTION:FAILED"
    signature_bytes = base64.b64decode("value-of-rsa-signature")

    # Verify signature
    verifier = public_key.verifier(
        signature_bytes,
        padding.PKCS1v15(),
        hashlib.sha256
    )
    verifier.update(str_payload.encode())

    try:
        verifier.verify()
        return True
    except Exception as e:
        print("Signature verification failed:", e)
        return False

require 'openssl'
require 'base64'

def is_valid_signature
  # Read public key from file
  file = File.read("path-to-file/govnet.public.key.pem")

  # Decode public key
  public_key = OpenSSL::PKey::RSA.new(file)

  # Signature and payload
  str_payload = "transaction.failed:MCTREFYDPE9LMZ34S8HM:GOVBILGHQ6ZDXFK7C7NJ:COLLECTION:FAILED"
  signature_bytes = Base64.decode64("value-of-rsa-signature")

  # Verify signature
  sha256 = OpenSSL::Digest::SHA256.new
  result = public_key.verify(sha256, signature_bytes, str_payload)

  result
end

Below is an example of a generated RSA signature on the sandbox environment

KvaiKbXIf7t4iu8EyvvJp2OJUzseyNrJ6ZAHYxphM6ak1KuY6wWBkwIYLiEhTvYnpRGKN5Ohcw1jzHBYtS

PreviousHMAC Signature Verification

Last updated 1 year ago