
AWS SNS signature verification with GO

I want to implement AWS SNS signature verification in GO. Here is the signature verification tutorial provided by AWS.

However, there are some points I cannot get.

7: Generate the derived hash value of the Amazon SNS message. Submit the Amazon SNS message, in canonical format, to the same hash function used to generate the signature.

How do I derive the hash value? Which hash function should I use?

8: Generate the asserted hash value of the Amazon SNS message. The asserted hash value is the result of using the public key value (from step 3) to decrypt the signature delivered with the Amazon SNS message.

How do I get the asserted hash value?

Here is my code. I have a struct for the notification:

type Notification struct {
    Message          string
    MessageId        string
    Signature        string
    SignatureVersion string
    SigningCertURL   string
    SubscribeURL     string
    Subject          string
    Timestamp        string
    TopicArn         string
    Type             string
    UnsubscribeURL   string
}

and I've already generated the canonical string:

// Builds the canonical string from the notification fields (needs import "fmt").
func (self *Notification) canonicalString() string {
    signString := fmt.Sprintf(`Message
%v
MessageId
%v`, self.Message, self.MessageId)

    // Subject is optional and only included when present
    if self.Subject != "" {
        signString = signString + fmt.Sprintf(`
Subject
%v`, self.Subject)
    }

    signString = signString + fmt.Sprintf(`
Timestamp
%v
TopicArn
%v
Type
%v`, self.Timestamp, self.TopicArn, self.Type)

    return signString
}

Decode the signature from base64:

// needs import "encoding/base64"
signed, err := base64.StdEncoding.DecodeString(self.Signature)

Get the certificate from the .pem:

// needs imports "net/http", "io/ioutil", "encoding/pem", "crypto/x509"
resp, err := http.Get(self.SigningCertURL)
if err != nil {
    return err // resp is nil on error, so the deferred Close below would panic
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
p, _ := pem.Decode(body) // first PEM block of the response; nil if the body is not PEM
cert, err := x509.ParseCertificate(p.Bytes)

Now, how can I verify the signature with my canonical string? Is the following code right?

cert.CheckSignature(x509.SHA1WithRSA, signed, []byte(signString))

I always get "crypto/rsa: verification error" from the above code.

Thanks!

I know this is a really old question, but I had the same problems as the reporter, so I took a day to figure this out with the assistance of AWS. I have open sourced my work as an external library, now available here.

You can use it like this (notificationJson is a JSON string):

package main

import (
  "encoding/json"
  "fmt"

  "github.com/robbiet480/go.sns"
)

func main() {
  // notificationJson is the raw JSON body SNS posted to the HTTP endpoint
  var notificationJson string

  var notificationPayload sns.Payload
  err := json.Unmarshal([]byte(notificationJson), &notificationPayload)
  if err != nil {
    fmt.Print(err)
    return
  }
  // VerifyPayload fetches the signing certificate and checks the signature
  verifyErr := notificationPayload.VerifyPayload()
  if verifyErr != nil {
    fmt.Print(verifyErr)
    return
  }
  fmt.Print("Payload is valid!")
}

Thanks for your initial work on this, lazywei; I based my library on your above code!

In the context of this discussion about Amazon SNS message signature verification, it's also important to notice that Amazon SNS now supports message signatures based on SHA256 hashing:

https://aws.amazon.com/about-aws/whats-new/2022/09/amazon-sns-supports-message-signatures-based-sha256-hashing/

Here's the launch blog post:

https://aws.amazon.com/blogs/security/sign-amazon-sns-messages-with-sha256-hashing-for-http-subscriptions/
