Amazon提供了documentation来验证路由到HTTP/HTTPS端点的SNS消息是否有效。在服务器上使用Vapor和Swift,沿着swift-certificates和swift-crypto,我实现了验证逻辑:
func messageHasValidSignature<Message: VerifiableMessage>(_ message: Message) async throws -> Bool {
guard let certificateBytes = try await client.get(.init(message.signingCertificateURL)).body else {
logger.error("Failed to get signing certificate body")
throw Abort(.badRequest)
}
let certificateString = String(buffer: certificateBytes)
let certificate = try Certificate(pemEncoded: certificateString)
let publicKey = try _RSA.Signing.PublicKey(derRepresentation: certificate.publicKey.subjectPublicKeyInfoBytes)
guard let signatureData = Data(base64Encoded: message.signature) else {
logger.error("Failed to decode signature")
throw Abort(.badRequest)
}
let signature = _RSA.Signing.RSASignature(rawRepresentation: signatureData)
guard let dataToSign = message.stringToSign.data(using: .utf8) else {
logger.error("Failed to convert string to sign to data")
throw Abort(.badRequest)
}
let digest: any Digest
switch message.signatureVersion {
case ._1:
digest = Insecure.SHA1.hash(data: dataToSign)
case ._2:
digest = SHA256.hash(data: dataToSign)
}
return publicKey.isValidSignature(signature, for: digest)
}字符串
我正在构造要签名的字符串如下:
extension SubscriptionConfirmationMessage: VerifiableMessage {
var stringToSign: String {
"""
Message
\(message)
MessageId
\(messageID)
SubscribeURL
\(subscribeURL)
Timestamp
\(timestamp)
Token
\(token)
TopicArn
\(topicARN)
Type
SubscriptionConfirmation
"""
}
}型
但是isValidSignature总是返回false。如何正确验证消息?
1条答案
按热度按时间tgabmvqs1#
问题出在传递给
isValidSignature的填充上。默认值是PSS(“使用MGF1的PSS填充”)。通过检查C#实现的源代码,我发现它应该是insecurePKCS1v1_5(“PKCS#1 v1.5”)。验证签名的正确方法是:
字符串