AWS SNS signature verification with GO
I want to implement AWS SNS signature verification in GO. Here is the signature verification tutorial provided by AWS.
However, there are some points I cannot get.
7: Generate the derived hash value of the Amazon SNS message. Submit the Amazon SNS message, in canonical format, to the same hash function used to generate the signature.
How to derive the hash value? Which hash function should I use?
8: Generate the asserted hash value of the Amazon SNS message. The asserted hash value is the result of using the public key value (from step 3) to decrypt the signature delivered with the Amazon SNS message.
How to get the asserted hash value?
Here is my code. I have a struct for the notification:
import (
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"io/ioutil"
	"net/http"
)

// Notification holds the fields of the JSON document SNS posts to the endpoint.
type Notification struct {
	Message          string
	MessageId        string
	Signature        string
	SignatureVersion string
	SigningCertURL   string
	SubscribeURL     string
	Subject          string
	Timestamp        string
	TopicArn         string
	Type             string
	UnsubscribeURL   string
}
and I've already generated the canonical string (self is the *Notification receiver):
signString := fmt.Sprintf(`Message
%v
MessageId
%v
`, self.Message, self.MessageId)
if self.Subject != "" { // Subject is optional and only signed when present
	signString = signString + fmt.Sprintf(`Subject
%v
`, self.Subject)
}
// Every "Key\nValue" pair is terminated by a newline, including the last one:
// the string SNS signed ends with "\n" after the Type value.
signString = signString + fmt.Sprintf(`Timestamp
%v
TopicArn
%v
Type
%v
`, self.Timestamp, self.TopicArn, self.Type)
Decode the signature from base64:
signed, err := base64.StdEncoding.DecodeString(self.Signature)
if err != nil {
	return err
}
Get the certificate from the .pem:
resp, err := http.Get(self.SigningCertURL)
if err != nil {
	return err
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
p, _ := pem.Decode(body)
if p == nil { // pem.Decode returns nil when there is no PEM block; p.Bytes would panic
	return fmt.Errorf("no PEM block in signing certificate")
}
cert, err := x509.ParseCertificate(p.Bytes)
if err != nil {
	return err
}
Now, how can I verify the signature with my canonical string? Is the following code right?
// CheckSignature takes (algorithm, signed data, signature): the canonical
// string is the signed data and goes second, the decoded signature third.
err = cert.CheckSignature(x509.SHA1WithRSA, []byte(signString), signed)
I always get crypto/rsa: verification error from the above code.
Thanks!
I know this is a really old question, but I had the same problems as the reporter, so I took a day to figure this out with the assistance of AWS. I have open sourced my work as an external library, now available here.
You can use it like this (notificationJson is a JSON string):
import (
	"encoding/json"
	"fmt"

	"github.com/robbiet480/go.sns"
)

func handle(notificationJson string) {
	var notificationPayload sns.Payload
	err := json.Unmarshal([]byte(notificationJson), &notificationPayload)
	if err != nil {
		fmt.Print(err)
		return
	}
	// Only treat the payload as trusted once VerifyPayload returns nil.
	verifyErr := notificationPayload.VerifyPayload()
	if verifyErr != nil {
		fmt.Print(verifyErr)
		return
	}
	fmt.Print("Payload is valid!")
}
Thanks for your initial work on this, lazywei; I based my library on your above code!
In the context of this discussion about Amazon SNS message signature verification, it's also important to notice that Amazon SNS now supports message signatures based on SHA256 hashing:
https://aws.amazon.com/about-aws/whats-new/2022/09/amazon-sns-supports-message-signatures-based-sha256-hashing/
Here's the launch blog post:
https://aws.amazon.com/blogs/security/sign-amazon-sns-messages-with-sha256-hashing-for-http-subscriptions/
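The two steps the question asks about, step 7 (derive the hash of the canonical string) and step 8 (check it against the signature with the certificate's public key), together with the SHA256 variant the last answer points to, as an added example. This is not code from the question, from the go.sns library or from AWS. It assumes that SignatureVersion "1" selects SHA1 and "2" selects SHA256, that the canonical string is "Key\nValue\n" pairs in the order AWS documents (Subject omitted when empty; confirmation messages sign SubscribeURL and Token instead), and that a genuine SigningCertURL host looks like sns.<region>.amazonaws.com (or .amazonaws.com.cn). The signAs helper and the RSA key it uses are constructed stand-ins for SNS so the block runs offline; in production you pass cert.PublicKey from the certificate fetched from SigningCertURL, and only after CheckSigningCertURL has accepted that URL.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers crypto.SHA1 (SignatureVersion 1)
	_ "crypto/sha256" // registers crypto.SHA256 (SignatureVersion 2)
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Notification holds the fields SNS posts to an HTTP endpoint.
type Notification struct {
	Message, MessageId, Signature, SignatureVersion, SigningCertURL string
	SubscribeURL, Subject, Timestamp, Token, TopicArn, Type       string
}

// CanonicalString rebuilds the bytes SNS signed: "Key\nValue\n" pairs in key order,
// Subject omitted when empty, and a newline after the last value as well.
func (n *Notification) CanonicalString() (string, error) {
	vals := map[string]string{"Message": n.Message, "MessageId": n.MessageId, "Subject": n.Subject,
		"SubscribeURL": n.SubscribeURL, "Timestamp": n.Timestamp, "Token": n.Token, "TopicArn": n.TopicArn, "Type": n.Type}
	keys := map[string][]string{
		"Notification":             {"Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"},
		"SubscriptionConfirmation": {"Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"},
	}
	keys["UnsubscribeConfirmation"] = keys["SubscriptionConfirmation"]
	if keys[n.Type] == nil {
		return "", fmt.Errorf("unknown message Type %q", n.Type)
	}
	var b strings.Builder
	for _, k := range keys[n.Type] {
		if k != "Subject" || vals[k] != "" {
			b.WriteString(k + "\n" + vals[k] + "\n")
		}
	}
	return b.String(), nil
}

// digest is step 7 of the AWS procedure: hash the canonical string with the
// function SignatureVersion names ("1" is SHA1, "2" is SHA256).
func (n *Notification) digest() (crypto.Hash, []byte, error) {
	h := map[string]crypto.Hash{"1": crypto.SHA1, "2": crypto.SHA256}[n.SignatureVersion]
	canonical, err := n.CanonicalString()
	if h == 0 || err != nil {
		return 0, nil, fmt.Errorf("cannot hash message: SignatureVersion %q, %v", n.SignatureVersion, err)
	}
	d := h.New()
	d.Write([]byte(canonical))
	return h, d.Sum(nil), nil
}

// CheckSigningCertURL only allows fetching the certificate from an HTTPS SNS endpoint
// (assumed host shape sns.<region>.amazonaws.com, or .amazonaws.com.cn); without this
// check a sender could point the verifier at a certificate they control.
func CheckSigningCertURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	p := strings.Split(u.Hostname(), ".")
	if u.Scheme != "https" || len(p) < 4 || len(p) > 5 || p[0] != "sns" || p[1] == "" ||
		p[2] != "amazonaws" || p[3] != "com" || (len(p) == 5 && p[4] != "cn") {
		return fmt.Errorf("SigningCertURL %q is not an https SNS endpoint", raw)
	}
	return nil
}

// Verify is step 8: VerifyPKCS1v15 recovers the digest from the signature with the
// public key (cert.PublicKey of the fetched certificate) and compares it with step 7.
func (n *Notification) Verify(pub crypto.PublicKey) error {
	rsaPub, ok := pub.(*rsa.PublicKey)
	h, sum, err := n.digest()
	sig, decErr := base64.StdEncoding.DecodeString(n.Signature)
	if !ok || err != nil || decErr != nil {
		return fmt.Errorf("bad message or key: rsa=%v hash=%v sig=%v", ok, err, decErr)
	}
	return rsa.VerifyPKCS1v15(rsaPub, h, sum, sig)
}

// signAs stands in for SNS (constructed for the example): it fills in Signature the
// way SNS would, with the given private key and the message's SignatureVersion.
func signAs(key *rsa.PrivateKey, n *Notification) error {
	h, sum, err := n.digest()
	if err != nil {
		return err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, sum)
	n.Signature = base64.StdEncoding.EncodeToString(sig)
	return err
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the SNS signing key
	if err != nil {
		panic(err)
	}
	n := &Notification{Type: "Notification", Message: "hello", MessageId: "msg-1", Subject: "demo",
		Timestamp: "2022-09-01T00:00:00.000Z", TopicArn: "arn:aws:sns:us-east-1:123456789012:demo",
		SignatureVersion: "2", SigningCertURL: "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem"}
	fmt.Println("cert URL accepted:", CheckSigningCertURL(n.SigningCertURL) == nil)
	fmt.Println("signed and verified:", signAs(key, n) == nil && n.Verify(&key.PublicKey) == nil)
	n.Message = "tampered"
	fmt.Println("verifies after tampering:", n.Verify(&key.PublicKey) == nil)
}
```

Compared with the code in the question, two details differ: the canonical string ends with a newline after the last value, and the data and signature are kept apart (the digest of the canonical string is what the public key is checked against, never the signature bytes as data). Checking the certificate URL before fetching matters as much as the RSA check itself, because the URL arrives in the same untrusted message as the signature.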