
hmac key and signature parameter names flipped? #1214

Closed
philipp-paland opened this issue Dec 22, 2023 · 4 comments

Comments

@philipp-paland

philipp-paland commented Dec 22, 2023

Describe the bug

Referring to this method at

```java
    // Calculate HMAC for BankingWebhooks and ManagementWebhooks (Generic webhooks)
    public boolean validateHMAC(String hmacKey, String hmacSignature, String payload) throws SignatureException {
        String calculatedSign = calculateHMAC(payload, hmacSignature);
        final byte [] expectedSign = calculatedSign.getBytes(StandardCharsets.UTF_8);
        final byte[] merchantSign =  hmacKey.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expectedSign, merchantSign);
    }
```

Is it possible that the key and signature params are flipped? My understanding is that the signature is the string that gets sent in the request header, and the key is the string that gets generated during webhook configuration. So the expected signature is calculated based on the key and the merchantSignature is the one that was sent in the request?
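A small self-contained illustration of the parameter-order point above (added here; it is not code from the issue or from the Adyen library). It models calculateHMAC as Base64(HMAC-SHA256) keyed with the UTF-8 bytes of the key, which is an assumed simplification of the library's key handling, and shows that the flipped call can never accept a genuinely signed payload while the corrected order accepts it and still rejects a tampered one.

```python
import base64
import hashlib
import hmac


def calculate_hmac(payload: str, key: str) -> str:
    """Base64(HMAC-SHA256(key, payload)). Treating the key as a UTF-8 secret
    is an assumption for this example, not Adyen's exact key handling."""
    mac = hmac.new(key.encode("utf-8"), payload.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def validate_hmac_flipped(hmac_key: str, hmac_signature: str, payload: str) -> bool:
    """Mirrors the quoted 22.1.0 behaviour: the header signature is used as the
    HMAC key and the result is compared with the configured key, so a genuine
    signature never validates."""
    calculated = calculate_hmac(payload, hmac_signature)
    return hmac.compare_digest(calculated.encode("utf-8"), hmac_key.encode("utf-8"))


def validate_hmac_fixed(hmac_key: str, hmac_signature: str, payload: str) -> bool:
    """Intended behaviour: recompute the signature from the configured key and
    the payload, then compare it in constant time with the header value."""
    calculated = calculate_hmac(payload, hmac_key)
    return hmac.compare_digest(calculated.encode("utf-8"), hmac_signature.encode("utf-8"))


# Constructed sample values; not real Adyen credentials or webhook data.
SAMPLE_KEY = "constructed-webhook-hmac-key"
SAMPLE_PAYLOAD = '{"eventCode":"AUTHORISATION","pspReference":"TEST-REFERENCE"}'


def demo() -> dict:
    """Sign the sample payload as the sender would, then run both validators."""
    header_signature = calculate_hmac(SAMPLE_PAYLOAD, SAMPLE_KEY)
    return {
        "flipped_accepts_genuine": validate_hmac_flipped(SAMPLE_KEY, header_signature, SAMPLE_PAYLOAD),
        "fixed_accepts_genuine": validate_hmac_fixed(SAMPLE_KEY, header_signature, SAMPLE_PAYLOAD),
        "fixed_rejects_tampered": validate_hmac_fixed(SAMPLE_KEY, header_signature, SAMPLE_PAYLOAD + " "),
    }


if __name__ == "__main__":
    print(demo())
```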

@jillingk
Contributor

Hi @therealppa,

Thanks for reaching out here. Actually, yes, we did have this issue of flipped parameters on this method! We fixed it in the latest versions though; apologies for the confusion that might have caused you :)

Best, Jilling
Adyen

@philipp-paland
Author

Thanks for the quick answer. In which version is it fixed? Looking at 22.1.0:

https://github.com/Adyen/adyen-java-api-library/blob/v22.1.0/src/main/java/com/adyen/util/HMACValidator.java

In line 78, note that it calls calculateHMAC with signature as the second parameter while that method (line 43) expects a key there.

@jillingk
Contributor

Ah, my bad, we have not merged this yet as technically this is a breaking change. Hence we will hold off for a bit until we're ready to do another major release. You can follow the fix in this PR: #1185.

@philipp-paland
Author

All clear now, thanks :)
