Sendgrid webhook 验证总是失败

Question

I cannot get the Sendgrid public key verification to work in my application. I already have all the prerequisites configured. (API key is added, Signed webhook is enabled etc)

This is my approach to test the webhook.

1. I register a webhook.site url as the webhook in Sendgrid
2. I invoke the webhook from Sendgrid so that I get the call to webook.site
3. I export the request received to webhook.site as a Curl.
4. I import it into Postman
5. In Postman, I change the URL to a one from a backend service that is running in my localhost and invoke the call from Postman.

Here is my code to verify the signature. This is a exact copy of what Sendgrid has provided here .

public boolean VerifySignature(ECPublicKey publicKey, byte[] payload, String signature, String timestamp)
        throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException, IOException {

    // prepend the payload with the timestamp
    final ByteArrayOutputStream payloadWithTimestamp = new ByteArrayOutputStream();
    payloadWithTimestamp.write(timestamp.getBytes());
    payloadWithTimestamp.write(payload);

    // create the signature object
    final Signature signatureObject = Signature.getInstance("SHA256withECDSA", "BC");
    signatureObject.initVerify(publicKey);
    signatureObject.update(payloadWithTimestamp.toByteArray());

    // decode the signature
    final byte[] signatureInBytes = Base64.getDecoder().decode(signature);

    // verify the signature
    return signatureObject.verify(signatureInBytes);
}

Now this method always returns false when it is called from below controller method.

    @PostMapping("/sendgrid-callback")
public boolean acceptSendgridCallback(
        @RequestBody String rawData,
        @RequestHeader("X-Twilio-Email-Event-Webhook-Timestamp") String timestamp,
        @RequestHeader("X-Twilio-Email-Event-Webhook-Signature") String signature
) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException, SignatureException, IOException, InvalidKeyException {

    System.out.println("Req body = \n" + rawData);

    ECPublicKey ecdsaKey = eventWebhook.ConvertPublicKeyToECDSA
            ("public key taken from sendgrid");

    boolean b = eventWebhook.VerifySignature(ecdsaKey, rawData, signature, timestamp);
    return b;
}

I am unable to find the cause for that honestly.

Can someone help here.

Answer 1

You will need to add the \r\n with the request body to pass the verification. It passes for me when I run the service in Windows OS but it fails in unix system. I tried using System.getProperty("line.separator") also.Does anyone know the solution for unix system.