Piano provides an SDK to decrypt webhook as well as userRef token data with PHP and Java. Below we will describe the overall algorithm and what should be done in order to recreate this decryption in any programming language. The Private Key is available in the Piano Dashboard on the Home page.
As a first step, using the delimiter "~~~ " separate the header of the payload from the encrypted data. Where the payload is the first part, and the header is the second part.
An SHA-256 hash of the payload, signed with the Private Key must be equal to the string value of the header. Note, that to hash the header, you need to use the full private key. Also, the hashed payload needs to be base64 encoded. It may contain the "=" character at the end, but the webhook header itself does not contain this character at the end.
To decrypt the payload, you need to use only the first 32 characters of the Private Key. So please ensure that the Private Key is set to 32 characters. In case it's not, substring from a larger key (e.g. by removing any characters that are above the 32-character limit) or concatenate 'X' characters if smaller (by adding "XX" to the end of a key with characters, so it is in accordance with the character limit).
The encrypted webhook or token data should be first base64-decoded, however, the encoded data is URL-safe and has padding removed. Which means that prior to base64-decoding, all “-” characters must be replaced with “+”, and all “_” characters must be replaced with “/”.
Then, the resulting data can be decrypted using AES with ECB mode (Rijndael) in chunks of 16 bytes. Each decrypted chunk should be concatenated to a resulting string.
For example:
openssl_decrypt($str, 'aes-256-ecb', $keyString, OPENSSL_RAW_DATA);
The Key size is 256 bits and the output is base64 encoded, so to get it in plain text, you need to decode it.