You should find sample code on the IMS developers site to help with this: http://developers.imsglobal.org
My own approach is to use a class library to handle the validation of launch requests; I have open source libraries for both PHP (http://www.spvsoftwareproducts.com/php/lti_tool_provider/) and Java (http://www.spvsoftwareproducts.com/java/lti_tool_provider/), but the actual code which does the message verification is just a few lines; for example;
try {
$store = new LTI_OAuthDataStore($this);
$server = new OAuthServer($store);
$method = new OAuthSignatureMethod_HMAC_SHA1();
$server->add_signature_method($method);
$request = OAuthRequest::from_request();
$res = $server->verify_request($request);
} catch (Exception $e) {
// invalid request
}
see the class library for details of the LTI_OAuthDataStore class but it is merely a way of providing the secret for a key and allows a nonce value to be checked against those used in previous requests.
