Utility.php
2.63 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
<?php
namespace Razorpay\Api;
class Utility
{
const SHA256 = 'sha256';
public function verifyPaymentSignature($attributes)
{
$actualSignature = $attributes['razorpay_signature'];
$paymentId = $attributes['razorpay_payment_id'];
if (isset($attributes['razorpay_order_id']) === true)
{
$orderId = $attributes['razorpay_order_id'];
$payload = $orderId . '|' . $paymentId;
}
else if (isset($attributes['razorpay_subscription_id']) === true)
{
$subscriptionId = $attributes['razorpay_subscription_id'];
$payload = $paymentId . '|' . $subscriptionId;
}
else if (isset($attributes['razorpay_payment_link_id']) === true)
{
$paymentLinkId = $attributes['razorpay_payment_link_id'];
$paymentLinkRefId = $attributes['razorpay_payment_link_reference_id'];
$paymentLinkStatus = $attributes['razorpay_payment_link_status'];
$payload = $paymentLinkId . '|'. $paymentLinkRefId . '|' . $paymentLinkStatus . '|' . $paymentId;
}
else
{
throw new Errors\SignatureVerificationError(
'Either razorpay_order_id or razorpay_subscription_id or razorpay_payment_link_id must be present.');
}
$secret = Api::getSecret();
self::verifySignature($payload, $actualSignature, $secret);
}
public function verifyWebhookSignature($payload, $actualSignature, $secret)
{
self::verifySignature($payload, $actualSignature, $secret);
}
public function verifySignature($payload, $actualSignature, $secret)
{
$expectedSignature = hash_hmac(self::SHA256, $payload, $secret);
// Use lang's built-in hash_equals if exists to mitigate timing attacks
if (function_exists('hash_equals'))
{
$verified = hash_equals($expectedSignature, $actualSignature);
}
else
{
$verified = $this->hashEquals($expectedSignature, $actualSignature);
}
if ($verified === false)
{
throw new Errors\SignatureVerificationError(
'Invalid signature passed');
}
}
private function hashEquals($expectedSignature, $actualSignature)
{
if (strlen($expectedSignature) === strlen($actualSignature))
{
$res = $expectedSignature ^ $actualSignature;
$return = 0;
for ($i = strlen($res) - 1; $i >= 0; $i--)
{
$return |= ord($res[$i]);
}
return ($return === 0);
}
return false;
}
}