Using the public key below, you can check the signature sent in the request headers to verify that the call really comes from WebUntis.
Public Key - Integration-Stage:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxmHgTa7Qf4buurWraH9MqcEipr4YrMpIg1NVbV7sx2p1yhZ5HQ5hPfsuRRqk9ss7UYJS4dnTsjLCwJ1j91PmxZBnceSkgjHunZ53AxsQP7h/A8g3igbi+tRw6+9agyM8zRLeAaufQFvm6/81obezB54vjv1qPGXgX07cmgj2w2EMC39Q4S0eKVU8svjw3QTE0ZD7Gc92T+rMIhVrX5sAKviczs8VSA8CZnM7PDASZ/kjZF9umMfEzmxGm5BVCqMqpCTFh3CMljMmoH3lCro3r9Ve2Unl5Cc8wRJekSOIbpKJ54eVL6zwEExfPlTKQZslLKBhaNtquLJJkgV057ANDwIDAQAB
Public Key for Calendar-Integration - Integration-Stage:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5RoNcptXIbRuXlGAgmdgmKSuabMz6cUzVj7CTOKHpd1mBZanNkojUY+wJY2qobwuou5iwDFI58fR5QH8bp0H7NScg5oIiQW3c/0Idq82JhunhKRqco9KDNnT9Sehu6VdP8lmSa/IEtUkZMxJw/QQXrHE4veT78PmR0MfoNbiRrhRvQJYK4o2FdOLj3apY+JTfzL1n9xFDYAlNQssDS3QJ8KIXoz8d36wqALCxyC7PLKhceNWlION4XRFA1+AGYZ1ErvGHRk4RGim1sV/6Vev+JIo0E99VMg1Il3bDC6++RDOj9jMAwyLkGBwyIVmGbWUCknpqsI9BkSgKFInWSf4XwIDAQAB
Public Key - Production:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy4SObQ2nfru24gRbrx7LqWbvbYyeMgWu6rWk5PdnZ5hFDoabRIdQPeL8EEp/vHz2AUjArYefoNuSY+0stSAdLYpH5OKLxao2fTpwpZxj70DNEPlFPsjQznX9OyXiNEEGKrXdXuuCHYjUsEwgbZijbJXWba/DqPqs9KIzRZBTjAOMKlPIm0cTtQ63GgD41AQoXY9PWnH8mDjrCrwXIgNiUw6imMUjsiR+kF9YP3+SizKDFoeiV7Xl6xdbi953OPVZ/KtSx2hn9RqH7jXv43TYXyRsRnDAH1mWt6ZAYJV+3JaCHGEwvN6yNQcnaBPWGXjw3s614iQgDR5EF0EpU4JtOwIDAQAB
How to do in PHP:
Hint: If you are using PHP-FPM, check your .htaccess file and add "CGIPassAuth on". Without it, Apache does not pass the Authorization header through to PHP, so the signature is not "visible" to your application.
How to do in JAVA:
- API (the controller method; publicKeyString holds one of the Base64 keys from above):
    import java.nio.charset.StandardCharsets;
    import java.security.*;
    import java.security.spec.InvalidKeySpecException;
    import java.security.spec.X509EncodedKeySpec;
    import java.util.Base64;
    import com.fasterxml.jackson.core.JsonProcessingException;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import org.springframework.http.ResponseEntity;
    import org.springframework.web.bind.annotation.*;
    import org.springframework.web.client.RestClientException;

    // Base64 public key from above (Integration-Stage or Production, depending on the environment)
    private static final String publicKeyString = "<public key from above>";

    @PostMapping("/credentials")
    public ResponseEntity<?> getAll(@RequestBody String request,
                                    @RequestHeader("Authorization") String requestSignature,
                                    @RequestHeader("Algorithm") String algorithm)
            throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException,
                   SignatureException, JsonProcessingException {
- Verify signature:
        // verify signatures using public key (X509EncodedKeySpec reads the Base64-decoded SPKI DER)
        byte[] decoded = Base64.getDecoder().decode(publicKeyString);
        X509EncodedKeySpec spec = new X509EncodedKeySpec(decoded);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PublicKey publicKey = kf.generatePublic(spec);
        // Caveat: the algorithm name comes from the request header; accept only the one(s) you expect
        Signature signature = Signature.getInstance(algorithm);
        signature.initVerify(publicKey);
        // The signature covers the raw request body, so feed in the exact bytes that were received
        signature.update(request.getBytes(StandardCharsets.UTF_8));
        // Signature in the header is BASE64 encoded
        byte[] decodedSignature = Base64.getDecoder().decode(requestSignature);
        if (!signature.verify(decodedSignature)) {
            // Rejecting with a 401/403 response is the cleaner HTTP answer; the original throws
            throw new RestClientException("Invalid signature");
        }
        ObjectMapper mapper = new ObjectMapper();
        // The original parses a decrypted body (decryptedRequest); that decryption step is not
        // shown on this page, so the verified body is parsed as received here.
        PlatformCredentialsDto platformCredentialsDto = mapper.readValue(request, PlatformCredentialsDto.class);
        // Demonstration output only: do not log the secret or password in production
        System.out.println(platformCredentialsDto.getTenantId());
        System.out.println(platformCredentialsDto.getSecret());
        System.out.println(platformCredentialsDto.getSchoolName());
        System.out.println(platformCredentialsDto.getPassword());
        System.out.println(platformCredentialsDto.getClientId());
        return ResponseEntity.ok().build();
    }
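As an added example (not code from WebUntis or from this page), the same check done by hand in Python with only the standard library: it parses the Base64 SPKI public key from above (the format X509EncodedKeySpec reads) and verifies a PKCS#1 v1.5 SHA256withRSA signature over the raw request body, which is what the Java snippet delegates to Signature. It assumes the Algorithm header is SHA256withRSA; the request body and the rejected signature in the test are constructed.

```python
import base64
import hashlib

# Public Key - Integration-Stage, copied from this page (Base64 SubjectPublicKeyInfo DER)
WEBUNTIS_PUBKEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxmHgTa7Qf4buurWraH9MqcEipr4YrMpIg1NVbV7sx2p1yhZ5HQ5hPfsuRRqk9ss7UYJS4dnTsjLCwJ1j91PmxZBnceSkgjHunZ53AxsQP7h/A8g3igbi+tRw6+9agyM8zRLeAaufQFvm6/81obezB54vjv1qPGXgX07cmgj2w2EMC39Q4S0eKVU8svjw3QTE0ZD7Gc92T+rMIhVrX5sAKviczs8VSA8CZnM7PDASZ/kjZF9umMfEzmxGm5BVCqMqpCTFh3CMljMmoH3lCro3r9Ve2Unl5Cc8wRJekSOIbpKJ54eVL6zwEExfPlTKQZslLKBhaNtquLJJkgV057ANDwIDAQAB"

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n_len = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    return tag, buf[pos:pos + length], pos + length


def parse_spki_rsa(pubkey_b64):
    """Return (n, e) from a Base64 SPKI blob, the format Java's X509EncodedKeySpec consumes."""
    der = base64.b64decode(pubkey_b64)
    _, spki, _ = _der_read(der, 0)          # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _, after_alg = _der_read(spki, 0)    # AlgorithmIdentifier (rsaEncryption), skipped
    _, bitstr, _ = _der_read(spki, after_alg)
    _, rsa_key, _ = _der_read(bitstr, 1)    # skip the 'unused bits' byte -> SEQUENCE { n, e }
    _, n, after_n = _der_read(rsa_key, 0)
    _, e, _ = _der_read(rsa_key, after_n)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def verify_sha256_rsa(body, signature_b64, pubkey_b64=WEBUNTIS_PUBKEY_B64):
    """True iff signature_b64 (the Authorization header value) is a valid PKCS#1 v1.5
    SHA256withRSA signature over body (the raw request bytes) under pubkey_b64."""
    n, e = parse_spki_rsa(pubkey_b64)
    k = (n.bit_length() + 7) // 8            # modulus size in bytes (256 for these keys)
    try:
        sig = base64.b64decode(signature_b64, validate=True)
    except ValueError:                       # malformed Base64 is a reject, not a crash
        return False
    if len(sig) != k:                        # a signature of the wrong length is rejected
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(body).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return em == expected
```

Pass the raw body bytes and the Authorization header value of a real call to verify_sha256_rsa; for production, substitute the Production key blob.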