Init

Author: reda-alaoui

src/main/java/com/cosium/standard_webhooks_consumer/CompositeVerificationKeyParser.java

@@ -0,0 +1,35 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class CompositeVerificationKeyParser {
+
+  private final List<VerificationKeyParser> parsers;
+
+  CompositeVerificationKeyParser(VerificationKeyParser... parsers) {
+    this.parsers = List.of(parsers);
+  }
+
+  public VerificationKey parse(String serializedVerificationKey) {
+    return parsers.stream()
+        .map(verificationKeyParser -> verificationKeyParser.parse(serializedVerificationKey))
+        .filter(Optional::isPresent)
+        .map(Optional::get)
+        .findFirst()
+        .orElseThrow(
+            () ->
+                new IllegalArgumentException(
+                    "Could not parse verification key <%s>"
+                        .formatted(conceal(serializedVerificationKey))));
+  }
+
+  private String conceal(String serializedVerificationKey) {
+    int halfLength = Math.round(serializedVerificationKey.length() / 2f);
+    return serializedVerificationKey.substring(0, halfLength)
+        + "*".repeat(serializedVerificationKey.length() - halfLength);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/IdentifiedSignature.java

@@ -0,0 +1,72 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.net.http.HttpHeaders;
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Stream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record IdentifiedSignature(SignatureSchemeId schemeId, Signature content) {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(IdentifiedSignature.class);
+
+  private static final String MESSAGE_SIGNATURE_HEADER_NAME = "webhook-signature";
+
+  IdentifiedSignature {
+    requireNonNull(schemeId);
+    requireNonNull(content);
+  }
+
+  public static List<IdentifiedSignature> parseAtLeastOne(HttpHeaders headers)
+      throws WebhookSignatureVerificationException {
+    String messageSignatureHeaderValue =
+        headers.firstValue(MESSAGE_SIGNATURE_HEADER_NAME).orElse(null);
+    if (messageSignatureHeaderValue == null || messageSignatureHeaderValue.isBlank()) {
+      throw new WebhookSignatureVerificationException(
+          "No value found for header <%s>".formatted(MESSAGE_SIGNATURE_HEADER_NAME));
+    }
+
+    List<IdentifiedSignature> signatures =
+        Stream.of(messageSignatureHeaderValue.split(" "))
+            .map(IdentifiedSignature::parse)
+            .filter(Optional::isPresent)
+            .map(Optional::get)
+            .toList();
+
+    if (signatures.isEmpty()) {
+      throw new WebhookSignatureVerificationException(
+          "No well-formed signature(s) found for signature header value <%s>. A well-formed signature should have the form '$version,$base64encodedContent'."
+              .formatted(messageSignatureHeaderValue));
+    }
+
+    return signatures;
+  }
+
+  private static Optional<IdentifiedSignature> parse(String messageSignature) {
+    if (messageSignature == null || messageSignature.isBlank()) {
+      return Optional.empty();
+    }
+    String[] signatureParts = messageSignature.split(",");
+    if (signatureParts.length != 2) {
+      return Optional.empty();
+    }
+
+    IdentifiedSignature signature;
+    try {
+      signature =
+          new IdentifiedSignature(
+              new SignatureSchemeId(signatureParts[0]), new Signature(signatureParts[1]));
+    } catch (RuntimeException e) {
+      LOGGER.warn(e.getMessage());
+      return Optional.empty();
+    }
+
+    return Optional.of(signature);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/PublicKey.java

@@ -0,0 +1,82 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class PublicKey implements VerificationKey {
+
+  private static final String SERIALIZATION_PREFIX = "whpk_";
+  private static final SignatureSchemeId SCHEME_ID = new SignatureSchemeId("v1a");
+  private static final String ALGORITHM = "Ed25519";
+
+  private final byte[] value;
+
+  private PublicKey(byte[] value) {
+    this.value = requireNonNull(value);
+  }
+
+  public static Optional<PublicKey> parseKey(String serializedVerificationKey) {
+    if (!serializedVerificationKey.startsWith(SERIALIZATION_PREFIX)) {
+      return Optional.empty();
+    }
+    return Optional.of(
+        new PublicKey(
+            Base64.getDecoder()
+                .decode(serializedVerificationKey.substring(SERIALIZATION_PREFIX.length()))));
+  }
+
+  @Override
+  public boolean supports(SignatureSchemeId signatureSchemeId) {
+    return SCHEME_ID.equals(signatureSchemeId);
+  }
+
+  @Override
+  public void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException {
+    try {
+      doVerify(messageId, timestamp, payload, signatureToVerify);
+    } catch (NoSuchAlgorithmException
+        | InvalidKeyException
+        | SignatureException
+        | InvalidKeySpecException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+  }
+
+  private void doVerify(
+      String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws NoSuchAlgorithmException,
+          InvalidKeyException,
+          SignatureException,
+          InvalidKeySpecException,
+          WebhookSignatureVerificationException {
+
+    java.security.Signature signature = java.security.Signature.getInstance(ALGORITHM);
+
+    java.security.PublicKey publicKey =
+        KeyFactory.getInstance(ALGORITHM)
+            .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(value), ALGORITHM));
+
+    String signedContent = "%s.%s.%s".formatted(messageId, timestamp, payload);
+    signature.initVerify(publicKey);
+    signature.update(signedContent.getBytes(StandardCharsets.UTF_8));
+
+    if (signature.verify(signatureToVerify.decode())) {
+      return;
+    }
+
+    throw new WebhookSignatureVerificationException("%s is not valid".formatted(signatureToVerify));
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/SecretKey.java

@@ -0,0 +1,73 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+import java.util.Optional;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class SecretKey implements VerificationKey {
+
+  private static final String SERIALIZATION_PREFIX = "whsec_";
+  private static final SignatureSchemeId SCHEME_ID = new SignatureSchemeId("v1");
+  private static final String ALGORITHM = "HmacSHA256";
+
+  private final byte[] value;
+
+  private SecretKey(byte[] value) {
+    this.value = requireNonNull(value);
+  }
+
+  public static Optional<SecretKey> parseKey(String serializedVerificationKey) {
+    if (!serializedVerificationKey.startsWith(SERIALIZATION_PREFIX)) {
+      return Optional.empty();
+    }
+    return Optional.of(
+        new SecretKey(
+            Base64.getDecoder()
+                .decode(serializedVerificationKey.substring(SERIALIZATION_PREFIX.length()))));
+  }
+
+  @Override
+  public boolean supports(SignatureSchemeId signatureSchemeId) {
+    return SCHEME_ID.equals(signatureSchemeId);
+  }
+
+  @Override
+  public void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException {
+
+    String expectedBase64EncodedSignatureContent;
+    try {
+      expectedBase64EncodedSignatureContent = sign(messageId, timestamp, payload);
+    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+      throw new WebhookSignatureVerificationException(e);
+    }
+
+    if (expectedBase64EncodedSignatureContent.equals(signatureToVerify.base64EncodedValue())) {
+      return;
+    }
+
+    throw new WebhookSignatureVerificationException(
+        "The provided signature <%s> does not match the expected signature <%s>."
+            .formatted(
+                signatureToVerify.base64EncodedValue(), expectedBase64EncodedSignatureContent));
+  }
+
+  private String sign(String messageId, long timestamp, String payload)
+      throws NoSuchAlgorithmException, InvalidKeyException {
+    String contentToSign = "%s.%s.%s".formatted(messageId, timestamp, payload);
+    Mac sha512Hmac = Mac.getInstance(ALGORITHM);
+    SecretKeySpec keySpec = new SecretKeySpec(value, ALGORITHM);
+    sha512Hmac.init(keySpec);
+    byte[] macData = sha512Hmac.doFinal(contentToSign.getBytes(StandardCharsets.UTF_8));
+    return Base64.getEncoder().encodeToString(macData);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/Signature.java

@@ -0,0 +1,19 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.Base64;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record Signature(String base64EncodedValue) {
+
+  Signature {
+    if (base64EncodedValue == null || base64EncodedValue.isBlank()) {
+      throw new IllegalArgumentException("base64EncodedValue cannot be blank");
+    }
+  }
+
+  public byte[] decode() {
+    return Base64.getDecoder().decode(base64EncodedValue);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/SignatureSchemeId.java

@@ -0,0 +1,13 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+record SignatureSchemeId(String value) {
+
+  SignatureSchemeId {
+    if (value == null || value.isBlank()) {
+      throw new IllegalArgumentException("The value cannot be blank");
+    }
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/VerificationKey.java

@@ -0,0 +1,12 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+interface VerificationKey {
+
+  boolean supports(SignatureSchemeId signatureSchemeId);
+
+  void verify(String messageId, long timestamp, String payload, Signature signatureToVerify)
+      throws WebhookSignatureVerificationException;
+}

src/main/java/com/cosium/standard_webhooks_consumer/VerificationKeyParser.java

@@ -0,0 +1,11 @@
+package com.cosium.standard_webhooks_consumer;
+
+import java.util.Optional;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+interface VerificationKeyParser {
+
+  Optional<? extends VerificationKey> parse(String serializedVerificationKey);
+}

src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerificationException.java

@@ -0,0 +1,15 @@
+package com.cosium.standard_webhooks_consumer;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+public final class WebhookSignatureVerificationException extends Exception {
+
+  WebhookSignatureVerificationException(Throwable cause) {
+    super(cause);
+  }
+
+  WebhookSignatureVerificationException(String message) {
+    super(message);
+  }
+}

src/main/java/com/cosium/standard_webhooks_consumer/WebhookSignatureVerifier.java

@@ -0,0 +1,142 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static java.util.Objects.requireNonNull;
+
+import java.net.http.HttpHeaders;
+import java.time.Clock;
+import java.time.Duration;
+import java.util.ArrayList;
+import java.util.List;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+public class WebhookSignatureVerifier {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(WebhookSignatureVerifier.class);
+
+  private static final CompositeVerificationKeyParser VERIFICATION_KEY_PARSER =
+      new CompositeVerificationKeyParser(SecretKey::parseKey, PublicKey::parseKey);
+
+  private static final String MESSAGE_ID_HEADER_NAME = "webhook-id";
+  private static final String MESSAGE_TIMESTAMP_HEADER_NAME = "webhook-timestamp";
+
+  private static final Duration DEFAULT_MESSAGE_TIMESTAMP_ALLOWED_SKEW = Duration.ofMinutes(5);
+
+  private final List<VerificationKey> verificationKeys;
+  private final Clock clock;
+  private final Duration messageTimestampAllowedSkew;
+
+  private WebhookSignatureVerifier(Builder builder) {
+
+    verificationKeys =
+        builder.serializedVerificationKeys.stream().map(VERIFICATION_KEY_PARSER::parse).toList();
+    clock = builder.clock;
+    messageTimestampAllowedSkew = builder.messageTimestampAllowedSkew;
+  }
+
+  /**
+   * @param serializedVerificationKey e.g. "v1,K5oZfzN95Z9UVu1EsfQmfVNQhnkZ2pj9o9NDN/H/pI4="
+   */
+  public static Builder builder(String serializedVerificationKey) {
+    return new Builder(serializedVerificationKey);
+  }
+
+  public void verify(HttpHeaders headers, String payload)
+      throws WebhookSignatureVerificationException {
+
+    String messageId = headers.firstValue(MESSAGE_ID_HEADER_NAME).orElse(null);
+    if (messageId == null || messageId.isBlank()) {
+      throw new WebhookSignatureVerificationException(
+          "No value found for header <%s>".formatted(MESSAGE_ID_HEADER_NAME));
+    }
+
+    String messageTimestampAsString =
+        headers.firstValue(MESSAGE_TIMESTAMP_HEADER_NAME).orElse(null);
+    if (messageTimestampAsString == null || messageTimestampAsString.isBlank()) {
+      throw new WebhookSignatureVerificationException(
+          "No value found for header <%s>".formatted(MESSAGE_TIMESTAMP_HEADER_NAME));
+    }
+
+    long timestamp = verifyTimestamp(messageTimestampAsString);
+
+    List<IdentifiedSignature> signatures = IdentifiedSignature.parseAtLeastOne(headers);
+    for (IdentifiedSignature signature : signatures) {
+      for (VerificationKey verificationKey : verificationKeys) {
+        SignatureSchemeId signatureSchemeId = signature.schemeId();
+        if (!verificationKey.supports(signatureSchemeId)) {
+          LOGGER.debug("{} does not support {}", verificationKey, signatureSchemeId);
+          continue;
+        }
+        verificationKey.verify(messageId, timestamp, payload, signature.content());
+        return;
+      }
+    }
+
+    throw new WebhookSignatureVerificationException(
+        "No supporting verification key found for any signature among %s".formatted(signatures));
+  }
+
+  private long verifyTimestamp(String messageTimestamp)
+      throws WebhookSignatureVerificationException {
+    long nowInSeconds = Duration.ofMillis(clock.millis()).toSeconds();
+
+    long timestamp;
+    try {
+      timestamp = Long.parseLong(messageTimestamp);
+    } catch (NumberFormatException e) {
+      throw new WebhookSignatureVerificationException(
+          "Cannot parse timestamp <%s>".formatted(messageTimestamp));
+    }
+
+    if (timestamp < (nowInSeconds - messageTimestampAllowedSkew.toSeconds())) {
+      throw new WebhookSignatureVerificationException(
+          "Message timestamp <%s seconds> is too old compared to the current timestamp <%s seconds>"
+              .formatted(timestamp, nowInSeconds));
+    }
+    if (timestamp > (nowInSeconds + messageTimestampAllowedSkew.toSeconds())) {
+      throw new WebhookSignatureVerificationException(
+          "Message timestamp <%s seconds> is too new compared to the current timestamp <%s seconds>"
+              .formatted(timestamp, nowInSeconds));
+    }
+    return timestamp;
+  }
+
+  public static class Builder {
+    private final List<String> serializedVerificationKeys = new ArrayList<>();
+    private Duration messageTimestampAllowedSkew = DEFAULT_MESSAGE_TIMESTAMP_ALLOWED_SKEW;
+    private Clock clock = Clock.systemDefaultZone();
+
+    private Builder(String serializedVerificationKey) {
+      serializedVerificationKeys.add(requireNonNull(serializedVerificationKey));
+    }
+
+    /**
+     * @param serializedVerificationKey e.g. "v1,K5oZfzN95Z9UVu1EsfQmfVNQhnkZ2pj9o9NDN/H/pI4="
+     */
+    public Builder addSerializedVerificationKey(String serializedVerificationKey) {
+      serializedVerificationKeys.add(requireNonNull(serializedVerificationKey));
+      return this;
+    }
+
+    /**
+     * @param messageTimestampAllowedSkew Allowable tolerance of the current timestamp to prevent
+     *     replay attacks.
+     */
+    public Builder messageTimestampAllowedSkew(Duration messageTimestampAllowedSkew) {
+      this.messageTimestampAllowedSkew = requireNonNull(messageTimestampAllowedSkew);
+      return this;
+    }
+
+    public Builder clock(Clock clock) {
+      this.clock = requireNonNull(clock);
+      return this;
+    }
+
+    public WebhookSignatureVerifier build() {
+      return new WebhookSignatureVerifier(this);
+    }
+  }
+}

src/test/java/com/cosium/standard_webhooks_consumer/SymmetricWebhookSignatureVerifierTest.java

@@ -0,0 +1,372 @@
+package com.cosium.standard_webhooks_consumer;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import java.net.http.HttpHeaders;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.ZoneId;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+/**
+ * @author Réda Housni Alaoui
+ */
+class SymmetricWebhookSignatureVerifierTest {
+
+  @Test
+  @DisplayName("Verify valid signature")
+  void test1() throws WebhookSignatureVerificationException {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+    verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}");
+  }
+
+  @Test
+  @DisplayName("Verify invalid signature")
+  void test2() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo"));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining(
+            "The provided signature <iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo> does not match the expected signature");
+  }
+
+  @Test
+  @DisplayName("Verify invalid payload")
+  void test3() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining(
+            "The provided signature <iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo=> does not match the expected signature");
+  }
+
+  @Test
+  @DisplayName("Verify invalid timestamp")
+  void test4() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987216),
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining(
+            "The provided signature <iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo=> does not match the expected signature");
+  }
+
+  @Test
+  @DisplayName("Verify invalid message id")
+  void test5() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd6",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining(
+            "The provided signature <iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo=> does not match the expected signature");
+  }
+
+  @Test
+  @DisplayName("Build with invalid verification key")
+  void test6() {
+    WebhookSignatureVerifier.Builder builder =
+        WebhookSignatureVerifier.builder("foo_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()));
+
+    assertThatThrownBy(builder::build)
+        .isInstanceOf(RuntimeException.class)
+        .hasMessageContaining(
+            "Could not parse verification key <foo_b6Ovv5eS7H5seJrGSStB************************>");
+  }
+
+  @Test
+  @DisplayName("Verify missing signature header")
+  void test7() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987215)));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining("No value found for header <webhook-signature>");
+  }
+
+  @Test
+  @DisplayName("Verify blank signature header")
+  void test8() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                " "));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining("No value found for header <webhook-signature>");
+  }
+
+  @Test
+  @DisplayName("Verify malformed signature header")
+  void test9() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                "iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining(
+            "No well-formed signature(s) found for signature header value <iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo=>. A well-formed signature should have the form '$version,$base64encodedContent'.");
+  }
+
+  @Test
+  @DisplayName("Verify malformed signature header")
+  void test10() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                ",iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining(
+            "No well-formed signature(s) found for signature header value <,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo=>. A well-formed signature should have the form '$version,$base64encodedContent'.");
+  }
+
+  @Test
+  @DisplayName("Verify missing message id")
+  void test11() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining("No value found for header <webhook-id>");
+  }
+
+  @Test
+  @DisplayName("Verify blank message id")
+  void test12() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                " ",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining("No value found for header <webhook-id>");
+  }
+
+  @Test
+  @DisplayName("Verify missing timestamp")
+  void test13() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining("No value found for header <webhook-timestamp>");
+  }
+
+  @Test
+  @DisplayName("Verify blank timestamp")
+  void test14() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                "",
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining("No value found for header <webhook-timestamp>");
+  }
+
+  @Test
+  @DisplayName("Verify unparseable timestamp")
+  void test15() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(Clock.fixed(Instant.ofEpochSecond(1737987215), ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                "yo",
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining("Cannot parse timestamp <yo>");
+  }
+
+  @Test
+  @DisplayName("Verify too old timestamp")
+  void test16() {
+    WebhookSignatureVerifier verifier =
+        WebhookSignatureVerifier.builder("whsec_b6Ovv5eS7H5seJrGSStBYDivs8v2/KrFjfMaVZYsi7w=")
+            .clock(
+                Clock.fixed(
+                    Instant.ofEpochSecond(1737987215 + Duration.ofMinutes(10).toSeconds()),
+                    ZoneId.systemDefault()))
+            .build();
+    HttpHeaders httpHeaders =
+        createHttpHeaders(
+            Map.of(
+                "webhook-id",
+                "7a2486b3-31cf-4bd3-a460-df8845d16cd5",
+                "webhook-timestamp",
+                String.valueOf(1737987215),
+                "webhook-signature",
+                "v1,iayM3VaiYCEDP/CxWUFWcxUCJk2YmBDQHtHTsaHzrwo="));
+
+    assertThatThrownBy(() -> verifier.verify(httpHeaders, "{\"greetings\": \"Hello World\"}"))
+        .isInstanceOf(WebhookSignatureVerificationException.class)
+        .hasMessageContaining(
+            "Message timestamp <1737987215 seconds> is too old compared to the current timestamp <1737987815 seconds>");
+  }
+
+  private HttpHeaders createHttpHeaders(Map<String, String> headers) {
+    return HttpHeaders.of(
+        headers.entrySet().stream()
+            .map(entry -> Map.entry(entry.getKey(), List.of(entry.getValue())))
+            .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue)),
+        (s, s2) -> true);
+  }
+}