--- page_source: https://juspay.io/in/docs/payment-page-enterprise/react-native/resources/generating-the-signature page_title: Generating the Signature --- # Generating the Signature --- ## Prerequisite Before merchants can generate the signature for the orderDetails payload, they need to generate a 2048 bit RSA Public Private Key pair on their servers. The Private Key is used by merchant to generate the signature while the public key is used by Juspay to verify the sanctity of the payload. ## **1. Generating the RSA Key Pair** > **Note** > To simplify integration on sandbox, we have already shared a set of auto-generated keys which need to be configured. Please make sure a new set of keys is generated for production prior to go-live For production integration, Merchant must configure the Public Key (KeyFormat-PEM) on Juspay Dashboard. The below command would generate a private key file **private-key.pem** #### Command Line Code Snippet: ```command line $ openssl genrsa -out private-key.pem 2048 ``` The below command would generate a public key file **public-key.pem** for the private key file generated via above command #### Command Line Code Snippet: ```command line $ openssl rsa -in private-key.pem -pubout -out public-key.pem ``` > **Warning** > _Private key must be securely kept in a crypto vault on the merchant servers. Private key should never flow to the client_ ## **2. Signing the Payload** | Algorithm | Format | |---|---| | RSA-SHA256 | HEX; base 64 encoded | The orderDetails JSON payload first needs to be converted into a string and then signed using the Private key stored on the merchant server. The signature should be encoded in **Base 64 format.** Implement the below signature generation algorithm based on compatible server side framework ### **Sample Code Snippet** #### Java Code Snippet: ```java import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.openssl.PEMKeyPair; import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; import org.json.JSONObject; import java.io.FileReader; import java.io.IOException; import java.nio.charset.StandardCharsets; import java.security.*; import java.util.HashMap; import javax.xml.bind.DatatypeConverter; public class SignatureUtil { public static void main(String ...args) { JSONObject data = new JSONObject("{'order_id': 'venkatesh12','first_name': 'Test','last_name': 'Customer','customer_phone': '9876543210','customer_email': 'test@gmail.com','merchant_id': 'udit_juspay','amount': '1.00','customer_id': '9876543210','return_url': 'https://sandbox.juspay.in/end','currency': 'INR','mandate.start_date': '1638535683287','mandate.end_date': '2134731745451','timestamp': '1576227696'}"); String filePath = "//private-key.pem"; HashMap response = createSignature(data, filePath); } public static HashMap createSignature(JSONObject payload, String filePath) { try { PrivateKey privateKey = readPrivateKeyFromFile(filePath); Signature privateSignature = Signature.getInstance("SHA256withRSA"); String[] requiredFields = {"order_id", "merchant_id", "amount", "timestamp", "customer_id"}; for (String key : requiredFields) if(!payload.has(key)) throw new Exception(key + " not found in payload"); String signaturePayload = payload.toString(); privateSignature.initSign(privateKey); privateSignature.update(signaturePayload.getBytes(StandardCharsets.UTF_8)); byte[] signature = privateSignature.sign(); String encodedSignature = DatatypeConverter.printBase64Binary(signature); HashMap response = new HashMap(); response.put("signature",encodedSignature); response.put("signaturePayload", signaturePayload); return response; } catch (Exception e) { e.printStackTrace(); } return new HashMap(); } private static PrivateKey readPrivateKeyFromFile(String filePath) throws IOException { Security.addProvider(new BouncyCastleProvider()); PEMParser pemParser = new PEMParser(new FileReader(filePath)); JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC"); PEMKeyPair pemKeyPair = (PEMKeyPair) pemParser.readObject(); KeyPair keyPair = converter.getKeyPair(pemKeyPair); return keyPair.getPrivate(); } } ``` #### Alternate Java (below JDK 11) Code Snippet: ```alternate java (below jdk 11) import sun.security.util.DerInputStream; import sun.security.util.DerValue; import javax.xml.bind.DatatypeConverter; import java.io.*; import java.math.BigInteger; import java.security.*; import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.RSAPrivateCrtKeySpec; import java.util.HashMap; import org.json.JSONObject; public class SignatureUtil { //The method that signs the data using the private key that is stored in keyFile path public static HashMap createSignature (JSONObject payload, String keyContentOrFile) throws Exception { Signature rsa = Signature.getInstance("SHA256withRSA"); PrivateKey privateKey = null; if (keyContentOrFile.startsWith("--")) { privateKey = readPrivateKey(keyContentOrFile); } else { privateKey = readPrivateKeyFromFile(keyContentOrFile); } String[] requiredFields = {"order_id", "merchant_id", "amount", "timestamp", "customer_id"}; for (String key : requiredFields) if(!payload.has(key)) throw new Exception(key + " not found in payload"); String signaturePayload = payload.toString(); rsa.initSign(privateKey); rsa.update(signaturePayload.getBytes()); byte[] sign = rsa.sign(); String encodedSignature = DatatypeConverter.printBase64Binary(sign); HashMap response = new HashMap(); response.put("signature",encodedSignature); response.put("signaturePayload", signaturePayload); return response; } //Method to retrieve the Private Key from a file public static PrivateKey readPrivateKeyFromFile(String filename) throws Exception { File keyFile = new File(filename); BufferedReader reader = new BufferedReader(new FileReader(keyFile)); String line; StringBuffer fileContent = new StringBuffer(); Boolean isPkcs1Content = false; while ((line = reader.readLine()) != null) { if (!line.startsWith("--")) { fileContent.append(line).append("\n"); } else if (!isPkcs1Content && line.startsWith("-----BEGIN RSA PRIVATE KEY-----")){ isPkcs1Content = true; } } byte[] keyBytes = DatatypeConverter.parseBase64Binary(fileContent.toString()); return generatePrivateKey(keyBytes, isPkcs1Content); } //Method to retrieve the Private Key from a variable public static PrivateKey readPrivateKey(String content) throws Exception { Boolean isPkcs1Content = false; if (content.startsWith("-----BEGIN RSA PRIVATE KEY-----")){ isPkcs1Content = true; } content = content.replaceAll("-----BEGIN RSA PRIVATE KEY-----",""); content = content.replaceAll("-----BEGIN PRIVATE KEY-----",""); content = content.replaceAll("-----END RSA PRIVATE KEY-----",""); content = content.replaceAll("-----END PRIVATE KEY-----",""); byte[] keyBytes = DatatypeConverter.parseBase64Binary(content); return generatePrivateKey(keyBytes, isPkcs1Content); } private static PrivateKey generatePrivateKey(byte[] keyBytes, Boolean isPkcs1Content) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException { PrivateKey privateKey = null; if (isPkcs1Content) { DerInputStream derReader = new DerInputStream(keyBytes); DerValue[] seq = derReader.getSequence(0); // skip version seq[0]; BigInteger modulus = seq[1].getBigInteger(); BigInteger publicExp = seq[2].getBigInteger(); BigInteger privateExp = seq[3].getBigInteger(); BigInteger prime1 = seq[4].getBigInteger(); BigInteger prime2 = seq[5].getBigInteger(); BigInteger exp1 = seq[6].getBigInteger(); BigInteger exp2 = seq[7].getBigInteger(); BigInteger crtCoef = seq[8].getBigInteger(); RSAPrivateCrtKeySpec keySpec = new RSAPrivateCrtKeySpec(modulus, publicExp, privateExp, prime1, prime2, exp1, exp2, crtCoef); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); privateKey = keyFactory.generatePrivate(keySpec); } else { PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes); KeyFactory kf = KeyFactory.getInstance("RSA"); privateKey = kf.generatePrivate(spec); } return privateKey; } public static void main(String[] args) throws Exception{ JSONObject data = new JSONObject("{'order_id': 'venkatesh12','first_name': 'Test','last_name': 'Customer','customer_phone': '9876543210','customer_email': 'test@gmail.com','merchant_id': 'udit_juspay','amount': '1.00','customer_id': '9876543210','return_url': 'https://sandbox.juspay.in/end','currency': 'INR','mandate.start_date': '1638535683287','mandate.end_date': '2134731745451','timestamp': '312342'}"); //This is a sample snippet. Always store and fetch the private key from crypto vault String fileContent = "-----BEGIN RSA PRIVATE KEY-----\r\n" + "MIIEpAIBAAKCAQEAzEHPYKNYRcZoWtgTvYPEmTeiSlMxJwNPf8bRJ5U6cXiup2j/\r\n" + "a/l1oAiuVNQiDRzvSflS80FoRjQjcGRyqTYcYYYUTYOTh6j1WY1SQuPqrsvGNR3L\r\n" + "/6CfbI2iD4bPRx2XdPbxr6UoHNvh6y1hAscZy5oxSCT6WW5jCpW1Bg==\r\n" + "-----END RSA PRIVATE KEY-----\r\n"; // Sign with content in code HashMap p1 = createSignature(data, fileContent); // Sign with content in file on given absolute path HashMap p2 = createSignature(data, "//private-key.pem"); } } ``` #### Python Code Snippet: ```python #!/bin/python # pip install pycryptodome import json from Crypto.PublicKey import RSA # ignore this from Crypto.Signature import PKCS1_v1_5 from Crypto.Hash import SHA256 from base64 import b64encode privateKeyString = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAA70vuNEyFLz2FzpPYzwN5...aX1rYhPBmS89Yt6pu6McT7jlnw\n-----END RSA PRIVATE KEY-----" # This is a sample snippet. Always store and fetch the private key from crypto vault privateKey = RSA.import_key(privateKeyString) def createSignature (payload, privateKey): requiredFields = ["order_id", "merchant_id", "amount", "timestamp", "customer_id"] signaturePayload = json.dumps(payload) for key in requiredFields: if key not in payload: raise ValueError (key , " not found in payload") signer = PKCS1_v1_5.new(privateKey) digest = SHA256.new() digest.update(signaturePayload.encode('utf-8')) signature = signer.sign(digest) encodedSignature = b64encode(signature) return encodedSignature, signaturePayload ``` #### PHP Code Snippet: ```php ``` #### Node.js Code Snippet: ```node.js const privateKeyString = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAA70vuNEyFLz2FzpPYzwN5aX1rYhPBmS89Yt6pu6McT7jlnw\n-----END RSA PRIVATE KEY-----" // This is a sample snippet. Always store and fetch the private key from crypto vault privateKey = new NodeRSA(privateKeyString); function createSignature (payload, privateKey) { const requiredFields = ["order_id", "merchant_id", "amount", "timestamp", "customer_id"]; var objKeys = Object.keys(payload); if (requiredFields.every(key => objKeys.includes(key))){ const signaturePayload = JSON.stringify(payload); const signature = privateKey.sign(signaturePayload, "base64", "utf8"); return {signature, signaturePayload} } throw Error ("Not a valid JSON payload"); } ``` #### C# Code Snippet: ```c# using System.Text; using Org.BouncyCastle.Crypto; using Org.BouncyCastle.Security; using Org.BouncyCastle.Crypto.Parameters; using Org.BouncyCastle.Asn1.Pkcs; using Org.BouncyCastle.OpenSsl; using Newtonsoft.Json.Linq; class SignatureUtil { // string filePath = "//private-key.pem"; public static Dictionary createSignature (JObject payload, string filePath){ string[] requiredFields = {"order_id", "merchant_id", "amount", "timestamp", "customer_id"}; foreach (string key in requiredFields) if(!payload.ContainsKey(key)) throw new Exception (key + " not found in payload"); string signaturePayload = payload.ToString(); byte[] byteArrayPayload = ASCIIEncoding.ASCII.GetBytes(signaturePayload); StreamReader sr = new StreamReader(filePath); PemReader pr = new PemReader(sr); AsymmetricCipherKeyPair keyPair = (AsymmetricCipherKeyPair)pr.ReadObject(); RsaKeyParameters privateKey = (RsaKeyParameters) keyPair.Private; ISigner sign = SignerUtilities.GetSigner(PkcsObjectIdentifiers.Sha256WithRsaEncryption.Id); sign.Init(true, privateKey); sign.BlockUpdate(byteArrayPayload, 0, byteArrayPayload.Length); byte[] signature = sign.GenerateSignature(); string encodeSignature = Convert.ToBase64String(signature); Dictionary response = new Dictionary(); response.Add("signature", encodeSignature); response.Add("signaturePayload", signaturePayload); Console.Write(encodeSignature); return response; } } ``` #### Ruby Code Snippet: ```ruby require 'openssl' require 'base64' require 'json' privateKeyString = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAA70vuN....EyFLz2FzpPYzwN5aX1rYhPBmS89Yt6pu6McT7jlnw\n-----END RSA PRIVATE KEY-----" privateKey = OpenSSL::PKey::RSA.new(privateKeyString) # This is a sample snippet. Always store and fetch the private key from crypto vault def createSignature (payload, privateKey) requiredFields = ["order_id", "merchant_id", "amount", "timestamp", "customer_id"] signaturePayload = JSON.generate(payload) jsonPayload = JSON.parse(signaturePayload) for key in requiredFields do if !jsonPayload.has_key?(key) raise (key + " not found in payload \n") end end signature = privateKey.sign(OpenSSL::Digest::SHA256.new, signaturePayload) encodedSignature = Base64.encode64(signature).delete!("\n") return encodedSignature, signaturePayload end ``` #### Java (Without BouncyCastle) Code Snippet: ```java (without bouncycastle) package com.newjuspay; import sun.security.util.DerInputStream; import sun.security.util.DerValue; import javax.xml.bind.DatatypeConverter; import java.io.*; import java.math.BigInteger; import java.net.URLEncoder; import java.net.URLDecoder; import java.security.*; import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.RSAPrivateCrtKeySpec; public class JuspayUtil { //The method that signs the data using the private key that is stored in keyFile path public static String sign(String data, String keyContentOrFile,Boolean urlEncodeSignature) throws Exception { Signature rsa = Signature.getInstance("SHA256withRSA"); PrivateKey privateKey = null; data = URLDecoder.decode(data); if (keyContentOrFile.startsWith("--")) { privateKey = readPrivateKey(keyContentOrFile); } else { privateKey = readPrivateKeyFromFile(keyContentOrFile); } rsa.initSign(privateKey); rsa.update(data.getBytes()); byte[] sign = rsa.sign(); if (urlEncodeSignature) { String signature = URLEncoder.encode(DatatypeConverter.printBase64Binary(sign), "UTF-8"); return URLDecoder.decode(signature, "UTF-8"); } else { return DatatypeConverter.printBase64Binary(sign); } } //Method to retrieve the Private Key from a file public static PrivateKey readPrivateKeyFromFile(String filename) throws Exception { File keyFile = new File(filename); BufferedReader reader = new BufferedReader(new FileReader(keyFile)); String line; StringBuffer fileContent = new StringBuffer(); Boolean isPkcs1Content = false; while ((line = reader.readLine()) != null) { if (!line.startsWith("--")) { fileContent.append(line).append("\n"); } else if (!isPkcs1Content && line.startsWith("-----BEGIN RSA PRIVATE KEY-----")){ isPkcs1Content = true; } } byte[] keyBytes = DatatypeConverter.parseBase64Binary(fileContent.toString()); return generatePrivateKey(keyBytes, isPkcs1Content); } //Method to retrieve the Private Key from a variable public static PrivateKey readPrivateKey(String content) throws Exception { Boolean isPkcs1Content = false; if (content.startsWith("-----BEGIN RSA PRIVATE KEY-----")){ isPkcs1Content = true; } content = content.replaceAll("-----BEGIN RSA PRIVATE KEY-----",""); content = content.replaceAll("-----BEGIN PRIVATE KEY-----",""); content = content.replaceAll("-----END RSA PRIVATE KEY-----",""); content = content.replaceAll("-----END PRIVATE KEY-----",""); byte[] keyBytes = DatatypeConverter.parseBase64Binary(content.toString()); return generatePrivateKey(keyBytes, isPkcs1Content); } private static PrivateKey generatePrivateKey(byte[] keyBytes, Boolean isPkcs1Content) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException { PrivateKey privateKey = null; if (isPkcs1Content) { DerInputStream derReader = new DerInputStream(keyBytes); DerValue[] seq = derReader.getSequence(0); // skip version seq[0]; BigInteger modulus = seq[1].getBigInteger(); BigInteger publicExp = seq[2].getBigInteger(); BigInteger privateExp = seq[3].getBigInteger(); BigInteger prime1 = seq[4].getBigInteger(); BigInteger prime2 = seq[5].getBigInteger(); BigInteger exp1 = seq[6].getBigInteger(); BigInteger exp2 = seq[7].getBigInteger(); BigInteger crtCoef = seq[8].getBigInteger(); RSAPrivateCrtKeySpec keySpec = new RSAPrivateCrtKeySpec(modulus, publicExp, privateExp, prime1, prime2, exp1, exp2, crtCoef); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); privateKey = keyFactory.generatePrivate(keySpec); } else { PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes); KeyFactory kf = KeyFactory.getInstance("RSA"); privateKey = kf.generatePrivate(spec); } return privateKey; } public static void main(String[] args) throws Exception{ String data = "{\"merchant_id\":\"mid\",%20\"customer_id\":%20\"8600143648\",\"mobile_number\":%20\"8600143648\",\"email_address\":%20\"siddharth@gmail.com\",\"time_stamp\":\"1576227696\"}"; String fileContent = "-----BEGIN RSA PRIVATE KEY-----\r\n" + "MIIEpAIBAAKCAQEAzEHPYKNYRcZoWtgTvYPEmTeiSlMxJwNPf8bRJ5U6cXiup2j/\r\n" + "a/l1oAiuVNQiDRzvSflS80FoRjQjcGRyqTYcYYYUTYOTh6j1WY1SQuPqrsvGNR3L\r\n" + "NG0owiXTheDd4S6NlK9zBXI1Gtf6Q/mGowfOje/W1i6AwDl1stPmplA7YleiHOUU\r\n" + "X5XW3jKFChnLFcmD1hpvNrDbCYhy0xVHv2Pc0GhmFlavCTc2yPHYWwTyFYzY7PsX\r\n" + "UVn3gSuL6w+aW7h7/1OkSYQzr6siLSqfGUfDIXqF2Oke4+PdhmbyqJ6vqNhH7C3e\r\n" + "PuK8jGyaOsRWDgg1Sxc7fLFyA3CU7B00KIfcKwIDAQABAoIBAQCP8kkdh8Ar3Dmq\r\n" + "2+B9jKE+gVCkJKDdJ54dJJY92RMI6M3dOUfYZkOY9sU1DxK4Pw38CfOFbzD3WMMo\r\n" + "8AFGctXpfL5OKk4MKuxNoiS48zpu2TjkMg0E83Dn8hRxoxl7Gn24rTTYP7ZhJpg+\r\n" + "01kpB9VvffjflIIz9cqWrnM7/gr7sBZjfNFFXmq2D9mvUrJVeyEWdJc5//2OuJKS\r\n" + "tlDJmW6vrGM9K28Q8btyJcQOWl2IrIhICGMoSVdIJeRssd9mm1x4dVPaM315tQHe\r\n" + "/CIFbENWI5jmutGfwb0lmiZJXayxEB5+4CPsYd+vxac+DSsbpZ3KJGWdrm+SFBsK\r\n" + "WoM1Wq6hAoGBAP7MiOV/7Z9zJVVcwW3/R7BgW6T/fszqKfFdOcOCHq+IMH9gU/K/\r\n" + "qwf5LTCOfeK4yQLg+uY/27D2IhIbRapp60BJ0PB2AT6lp5WnZHjO0llYknJsGVmW\r\n" + "axMUi3+h+h1+UXfkb8yosY3PQcIdVp/zlJWT4qRQ5DWCPJLj6ah15V7JAoGBAM04\r\n" + "SVsD+axQMvTRLs46B0V9JCLlr/fNol1Y8PhRNka3qsmUmE0eYwrAMoBsFJczHbDX\r\n" + "JuViFTg5LKLemPi7lr3SY8LC2oCF0LZv8klyHxMD9ysw1wp5QKBHW+BxkFQMoqPT\r\n" + "jxgzr78hh2/KN7qk1yR9RWAemTRjHlzU6/q7ZJlTAoGAf8lMju0N234AJ0ORrvzs\r\n" + "k0SAMcwBZ/u4dVhv8+F6SkZfLEK/V2tQ93q8czHDaMWL6mmy627zW1jV1Ybf9YuR\r\n" + "dHiQ1UgZb7Xcym1dMklnrW+CYuhb/lY19SfEnoo5yjjj2uEyQM4J3jknnZbhLu8W\r\n" + "gb3dWNNI4J0ki/bJ5LbcBiECgYBcZAfaewqvwhd+0qJQ5B0b8sAPGftEBAciIYWz\r\n" + "NdTKt6ujP0vmBFUwpODXolEO1Ut7rxFq2eKVwl/PH4odCU9PPGX/a/w1OomBaRra\r\n" + "aA+HXxSrFDzsETTANAAwJtCEln+uY/ObQMHRucWg1ZiLZeUaH2/ZW008IZes0YtA\r\n" + "AZfD0wKBgQCyVj0GyMwnHdF4p8M9TFYWb6BbRIeE7iUXqPvX6bzksylBPngpBF+J\r\n" + "uEV0+VQiAjXwwzb8peuCNWZiyfpAn3v15GLPqOPURsL+HvIDwEBYerIh9p3Z2G38\r\n" + "/6CfbI2iD4bPRx2XdPbxr6UoHNvh6y1hAscZy5oxSCT6WW5jCpW1Bg==\r\n" + "-----END RSA PRIVATE KEY-----\r\n"; // Sign with content in code String p1 = sign(data, fileContent, true); // Sign with content in file on given absolute path String p2 = sign(data, "D:\\eclipse-workspaces\\general-projects\\Juspay\\lib\\idea-private-key.pem",true); System.out.println(p1.equals(p2)); System.out.println(p1); System.out.println(p2); } } ```