Signed Webhook event verification fails when payload is a JSON String and api request body is map of string

[sauravkumar-dev]

Issue Summary
We are trying to validate signed webhook events in java with POST API.
We are sending mail and configured https://webhook.site/73452d78-3dea-478b-a005-d87371972190 as public webhoo url.
We are getting payload, timestamp and signature.
but while verifying above on public key its failing.

Steps to Reproduce
Enable Signed Event Webhook Requests on SendGrid website
Copy the public from SendGrid and paste it in the java method
Configure Mail Settings to enable webhooks and configure to send the event to our endpoint
Send an email using SendGrid
The webhook event is received and we try to validate the request against the public key
We retrieve the info in headers X-Twilio-Email-Event-Webhook-Signature and X-Twilio-Email-Event-Webhook-Timestamp
The validation always fails.

Pls find the code which i am using.

public Boolean isValidSignature(List<Map<String,Object>> emailActivities, Map<String, String> headers) throws JsonProcessingException {
String sandGridPublicKey=;
boolean isValid = false;
Security.addProvider(new BouncyCastleProvider());
String payload= new ObjectMapper().writeValueAsString(emailActivities) + "\r\n";
try {

	        String signature = headers.get(EventWebhookHeader.SIGNATURE.toString().toLowerCase());
	        String timeStamp = headers.get(EventWebhookHeader.TIMESTAMP.toString().toLowerCase());
	        EventWebhook ew = new EventWebhook();
	        ECPublicKey ellipticCurvePublicKey = ew.ConvertPublicKeyToECDSA(sandGridPublicKey);
	        isValid = ew.VerifySignature(ellipticCurvePublicKey, payload, signature, timeStamp);
	        System.out.println(isValid);
	         
	    } catch (Exception e) {
	        e.printStackTrace();
	    }

	    return isValid;
	}

Payload as below:

[
{
"email": "xxxx@gmail.com",
"event": "processed",
"send_at": 0,
"sg_event_id": "cHJvY2Vzc2VkLTIyODEyNzM5LTllOEljeGljUUt5cl8yWDNwZ0hnRlEtMA",
"sg_message_id": "9e8IcxicQKyr_2X3pgHgFQ.filterdrecv-75ff7b5ffb-96rhp-1-6227379B-A1.0",
"smtp-id": "9e8IcxicQKyr_2X3pgHgFQ@geopod-ismtpd-4-0",
"timestamp": 1646737307
}]

[childish-sambino]

Looks like it's not the raw payload which is needed to properly validate the event. Example here:

sendgrid-java/examples/helpers/eventwebhook/Example.java

Line 27 in f158675

final byte[] requestBody = req.bodyAsBytes();

[Kaushik612]

Hi, I am also facing the same issue, anyone knows how to get the right payload if we are using Spring boot? The example provided is using Spark

[Kaushik612]

@sauravkumar-dev Were you able to figure out a solution to this issue?

[sauravkumar-dev]

@Kaushik612 Yes, I was figure out the issues and its working for me now.
Below is the solution
String payload= new ObjectMapper().writeValueAsString(payloadFromSendgrid)+"\n\r";
payload=payload.replace("},{" , "},\n\r{");

[childish-sambino]

@Kaushik612 Was the above comment able to solve your issue? If not, are you able to get the raw payload from the Spring Boot implementation?