About webhook validation in developer sandbox

I’m doing webhook validation in developer sandbox but it fails.

This is done with reference to “Webhooks & Notifications” - “Receiving Webhook Notifications” - “Validation” in the “Developer Portal”.

My question is, can the public key obtained from “Download this public key to validate the above signature.” be used in the developer sandbox?
If not, is it possible to download it somewhere?

I am using PHP and doing Validation with the code below.
Please let me know if there are any mistakes.

I deleted the code because there was an error.
Below is the code that worked fine.

Hi,

Thanks for bringing this to our attention. There is an issue with the documentation.

Please use the below public key for the sandbox webhooks.



Hi alinder

Thank you very much for your very prompt response.
Verification worked fine using the public key provided.
However, there was an error in the code I wrote, so I will post the corrected code.

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class VerifyFireBlocks
{
    /**
     * Handle an incoming request.
     *
     * @param Request $request
     * @param \Closure(Request): (Response) $next
     * @return Response
     */
    public function handle(Request $request, Closure $next): Response
    {
        $signature = $request->header('fireblocks-signature');

        if (blank($signature)) {
            return response('Signature required', 401);
        }

        if (!$this->isSignatureValid($request->getContent(), $signature)) {
            return response('Unauthorized', 401);
        }

        return $next($request);
    }

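    /**
     * Verify the RSA-SHA512 signature of the raw request body.
     *
     * @param string $body      Raw request body, exactly as received
     * @param string $signature Base64-encoded value of the fireblocks-signature header
     * @return bool
     */
    private function isSignatureValid($body, $signature): bool
    {
        try {
            // PEM-encoded public key for the environment that sends the webhook
            $public_key = '<PUBLIC KEY>';
            $key_resource = openssl_get_publickey($public_key);
            if ($key_resource === false) {
                // The key could not be parsed, so nothing can be verified
                return false;
            }

            // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error)
            $verified = openssl_verify($body, base64_decode($signature), $key_resource, OPENSSL_ALGO_SHA512);

            return $verified === 1;
        } catch (\Throwable $e) {
            // \Throwable also covers TypeError, which \Exception does not
            return false;
        }
    }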
}
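
The failure this thread is about, as an added example that is not from the original posts or from Fireblocks: a signature made under one environment's key does not verify under another environment's public key, and a body that was re-serialized before verification fails as well. The key pairs, the payload and the `verifyWebhook` and `makeKeyPair` names are constructed for illustration.

```php
<?php
// Added example: the keys and payload are constructed, not real Fireblocks values.

/** Verify a base64 RSA-SHA512 signature over the raw body with a PEM public key. */
function verifyWebhook(string $rawBody, string $signatureB64, string $publicKeyPem): bool
{
    $key = openssl_pkey_get_public($publicKeyPem);
    $sig = base64_decode($signatureB64, true); // strict: reject non-base64 input
    if ($key === false || $sig === false) {
        return false; // unparsable key or malformed signature header
    }
    return openssl_verify($rawBody, $sig, $key, OPENSSL_ALGO_SHA512) === 1;
}

/** Generate a throwaway 2048-bit RSA pair standing in for one environment's key. */
function makeKeyPair(): array
{
    $pair = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($pair === false) {
        throw new RuntimeException('key generation failed');
    }
    return [$pair, openssl_pkey_get_details($pair)['key']]; // [private key, public PEM]
}

[$sandboxPriv, $sandboxPub] = makeKeyPair();
[, $productionPub] = makeKeyPair();

// Constructed webhook body; the sender signs these exact bytes.
$rawBody = '{"type":"EXAMPLE_EVENT", "data":{"id":"example-id"}}';
openssl_sign($rawBody, $sig, $sandboxPriv, OPENSSL_ALGO_SHA512);
$header = base64_encode($sig);

// Decoding and re-encoding drops the space after the comma, so the bytes differ.
$reencoded = json_encode(json_decode($rawBody, true));

$checks = [
    'sandbox key, raw body'        => verifyWebhook($rawBody, $header, $sandboxPub),
    'production key, raw body'     => verifyWebhook($rawBody, $header, $productionPub),
    'sandbox key, re-encoded body' => verifyWebhook($reencoded, $header, $sandboxPub),
];
foreach ($checks as $label => $ok) {
    echo str_pad($label, 30), $ok ? 'valid' : 'INVALID', PHP_EOL;
}
```

In a Laravel middleware this corresponds to passing `$request->getContent()` to the check, as the posted code does, rather than a re-encoded copy of the parsed input.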