How to decrypt a WhatsApp Flows response using the phpseclib3 library on the WhatsApp Business API?


I'm failing to decrypt the response from the WhatsApp Flow. I'm using PHP and CodeIgniter 4 with the phpseclib3 library, and below is my sample code:

// At the top of the controller file:
use Exception;
use phpseclib3\Crypt\AES;
use phpseclib3\Crypt\RSA;

private function decryptRequest($body, $privatePem)
{
    // All three request fields arrive base64-encoded
    $encryptedAesKey   = base64_decode($body['encrypted_aes_key']);
    $encryptedFlowData = base64_decode($body['encrypted_flow_data']);
    $initialVector     = base64_decode($body['initial_vector']);

    // RSA-OAEP with SHA-256 for both the hash and MGF1
    $rsa = RSA::load($privatePem)
        ->withPadding(RSA::ENCRYPTION_OAEP)
        ->withHash('sha256')
        ->withMGFHash('sha256');

    // Recover the AES key that the client encrypted with the public key
    $decryptedAesKey = $rsa->decrypt($encryptedAesKey);

    if (!$decryptedAesKey) {
        throw new Exception('Decryption of AES key failed.');
    }

    // Decrypt the flow payload with AES-GCM
    $aes = new AES('gcm');
    $aes->setKey($decryptedAesKey);
    $aes->setNonce($initialVector);

    $decrypted = $aes->decrypt($encryptedFlowData);
    if (!$decrypted) {
        throw new Exception('Decryption of flow data failed.');
    }

    // The key and IV are returned so the response can be encrypted later
    return [
        'decryptedBody' => json_decode($decrypted, true),
        'aesKeyBuffer' => $decryptedAesKey,
        'initialVectorBuffer' => $initialVector,
    ];
}

I'm getting the "Ciphertext representative too long" error on this line: $decryptedAesKey = $rsa->decrypt($encryptedAesKey);

I have tried to refer to the documentation here https://developers.facebook.com/docs/whatsapp/cloud-api/reference/whatsapp-business-encryption


There are 1 best solutions below


I have some questions to help debug:

  1. Did you use a passphrase while generating the private key? You don't seem to be using it in the code above
  2. Did you recently update the public key and you're testing on a phone? If so, the old public key might be cached on the phone. Return HTTP code 421 from the endpoint to refresh the key on the client as mentioned in the docs https://developers.facebook.com/docs/whatsapp/flows/reference/error-codes#endpoint_error_codes
  3. Are you able to preview with the endpoint in the Flow Builder? https://developers.facebook.com/docs/whatsapp/flows/introduction/flowbuilderui

There's a full code example in PHP for decryption here. You seem to be missing a few steps after the one that's currently failing, so please refer to the example https://developers.facebook.com/docs/whatsapp/flows/guides/implementingyourflowendpoint#php-slim-example
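
The checks raised in the answer, put together as an added example (not code from the question, the answer, or Meta's documentation). The function name `decryptFlowRequest`, its `$passphrase` parameter and the returned array shape are hypothetical; it assumes the 16-byte GCM tag is appended to `encrypted_flow_data`, and that a "too long" ciphertext error means the ciphertext length and the key size disagree.

```php
<?php
use phpseclib3\Crypt\AES;
use phpseclib3\Crypt\RSA;

// Hypothetical helper: 'status' is the HTTP code the endpoint should return.
function decryptFlowRequest(array $body, string $privatePem, ?string $passphrase = null): array
{
    // Strict decoding returns false on any character outside the base64 alphabet.
    $encKey  = base64_decode($body['encrypted_aes_key'] ?? '', true);
    $encData = base64_decode($body['encrypted_flow_data'] ?? '', true);
    $iv      = base64_decode($body['initial_vector'] ?? '', true);
    if ($encKey === false || $encData === false || $iv === false) {
        return ['status' => 400, 'error' => 'malformed base64 field'];
    }

    // Supply the passphrase when the PEM was generated with one (false = none).
    $rsa = RSA::load($privatePem, $passphrase ?? false)
        ->withPadding(RSA::ENCRYPTION_OAEP)
        ->withHash('sha256')
        ->withMGFHash('sha256');

    // An RSA ciphertext is exactly as long as the modulus. A mismatch points to
    // a different key pair than the one whose public key was uploaded.
    $modulusBytes = intdiv($rsa->getLength() + 7, 8);
    if (strlen($encKey) !== $modulusBytes) {
        // 421 asks the client to refresh its cached public key.
        return ['status' => 421, 'error' => sprintf(
            'ciphertext is %d bytes, key expects %d', strlen($encKey), $modulusBytes)];
    }

    $tagLength = 16; // assumption: GCM tag is the last 16 bytes of the payload
    if (strlen($encData) <= $tagLength) {
        return ['status' => 400, 'error' => 'flow data shorter than GCM tag'];
    }

    try {
        $aesKey = $rsa->decrypt($encKey);
        if (!is_string($aesKey)) {
            throw new \RuntimeException('Decryption of AES key failed.');
        }
        $aes = new AES('gcm');
        $aes->setKey($aesKey);
        $aes->setNonce($iv);
        $aes->setTag(substr($encData, -$tagLength));          // authenticate
        $plain = $aes->decrypt(substr($encData, 0, -$tagLength)); // then decrypt
    } catch (\Throwable $e) {
        return ['status' => 421, 'error' => $e->getMessage()];
    }
    return ['status' => 200, 'body' => json_decode($plain, true), 'aesKey' => $aesKey, 'iv' => $iv];
}
```

Log the `error` value server-side only; the HTTP response to the client needs just the status code.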