eSignature API

How to verify callback data

Legalesign API callbacks (also called webhooks or event notifications) include a signed string you can use to verify the integrity of the data.

The procedure is the same as verifying AWS SNS broadcasts.

You will need:

  • the data that was sent in JSON format - JSON_DATA_THAT_WE_SENT

  • the signing data - SIGNED_STRING_WE_SENT

  • the X509 certificate (below) - X509_CERT_TEXT

How to find the data:

There are two types of callback; this is how to get the relevant data from each:

  1. Callback every 6 minutes - the callback is POSTed in two parts, 'data' and 'signed'. The SIGNED_STRING is the 'signed' part, and the JSON_DATA is the 'data' part.

  2. Callback upon signing - the callback POST dictionary contains 'json_signed', which is the JSON_DATA you will need, and the request includes the custom header X-Signed (or HTTP-X-SIGNED), which is the SIGNED_STRING.

This is the verification procedure in Python 2/3; you will need the M2Crypto module:

from M2Crypto import X509
from base64 import b64decode

# Load the certificate text from this page and take its public key
cert = X509.load_cert_string(str(X509_CERT_TEXT))
pubkey = cert.get_pubkey()
pubkey.reset_context(md='sha1')
pubkey.verify_init()
# verify_update needs the raw bytes that were signed: a plain str on
# Python 2 is already bytes, a Python 3 str must be encoded first
if isinstance(JSON_DATA_THAT_WE_SENT, bytes):
    pubkey.verify_update(JSON_DATA_THAT_WE_SENT)
else:
    pubkey.verify_update(JSON_DATA_THAT_WE_SENT.encode('utf-8'))
# The signature is sent base64-encoded; verify_final returns 1 on success
verified = pubkey.verify_final(b64decode(SIGNED_STRING_WE_SENT))
if verified == 1:
    print('success!')
else:
    print('fail :(')
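The same verification written against the `cryptography` package instead of M2Crypto, as an added example that is not part of the Legalesign documentation. It assumes `cryptography` is installed; the RSA key, self-signed certificate and callback payload are constructed locally so the script runs offline (in production, `cert_pem` is the X509 certificate text from this page and the payload is what the callback delivered). `extract_callback` pulls JSON_DATA and SIGNED_STRING out of either callback shape described above, and `verify_callback` checks the base64 signature as an RSA PKCS#1 v1.5 signature (assumed padding, matching M2Crypto's EVP verify) over the SHA-1 digest of the exact bytes received. Verify the bytes as they arrived: re-serialising the JSON first changes the bytes and makes a valid signature fail.

```python
"""Verify a Legalesign-style callback signature with the `cryptography` package.

Added example, not Legalesign code. Assumes `cryptography` is installed.
All key material and callback data below are constructed for the demo.
"""
import base64
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def extract_callback(form, headers):
    """Return (json_data, signed_string) for either callback type.

    Type 1 (every 6 minutes): form has 'data' and 'signed'.
    Type 2 (upon signing): form has 'json_signed', signature in X-Signed header.
    Raises ValueError when the request matches neither shape.
    """
    if "data" in form and "signed" in form:
        return form["data"], form["signed"]
    if "json_signed" in form:
        sig = headers.get("X-Signed") or headers.get("HTTP-X-SIGNED")
        if sig is None:
            raise ValueError("json_signed present but no X-Signed header")
        return form["json_signed"], sig
    raise ValueError("unrecognised callback shape")


def verify_callback(cert_pem, json_data, signed_string):
    """True iff signed_string is a valid base64 RSA/SHA-1 signature of json_data."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    pubkey = cert.public_key()
    if isinstance(json_data, str):
        json_data = json_data.encode("utf-8")  # verify over the raw bytes sent
    try:
        pubkey.verify(
            base64.b64decode(signed_string),
            json_data,
            padding.PKCS1v15(),  # assumed: PKCS#1 v1.5, as EVP_VerifyFinal uses
            hashes.SHA1(),       # digest named on the page (reset_context md='sha1')
        )
        return True
    except (InvalidSignature, ValueError):
        # ValueError covers malformed base64 (binascii.Error is a subclass)
        return False


def make_test_fixture():
    """Constructed material: throwaway key, self-signed cert, signed payload."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "callback-test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    json_data = '{"document": "abc123", "status": "signed"}'  # constructed payload
    signature = key.sign(json_data.encode("utf-8"), padding.PKCS1v15(), hashes.SHA1())
    return cert_pem, json_data, base64.b64encode(signature).decode("ascii")


if __name__ == "__main__":
    cert_pem, data, sig = make_test_fixture()
    # Type 2 shape: JSON in the form, signature in the header
    json_data, signed = extract_callback({"json_signed": data}, {"X-Signed": sig})
    print("genuine:", verify_callback(cert_pem, json_data, signed))
    print("tampered:", verify_callback(cert_pem, json_data + " ", signed))
```

In a web handler, pass the decoded form fields and request headers to `extract_callback`, then reject the request when `verify_callback` returns False before acting on the JSON.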

X509 certificate:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

If you are still in sandbox mode, you can force the system to send a test API notification to your callback URL by using the /api/v1/sandbox/ endpoint:

curl --dump-header - -H "Authorization: ApiKey [x]:[y]" \
  -X GET "https://eu-api.legalesign.com/api/v1/sandbox/?resource_uri=test&value=1"