Amazon提供了documentation来验证路由到HTTP/HTTPS端点的SNS消息是否有效。在服务器上使用Vapor和Swift,沿着swift-certificates和swift-crypto,我实现了验证逻辑:
func messageHasValidSignature<Message: VerifiableMessage>(_ message: Message) async throws -> Bool {guard let certificateBytes = try await client.get(.init(message.signingCertificateURL)).body else {logger.error("Failed to get signing certificate body")throw Abort(.badRequest)}let certificateString = String(buffer: certificateBytes)let certificate = try Certificate(pemEncoded: certificateString)let publicKey = try _RSA.Signing.PublicKey(derRepresentation: certificate.publicKey.subjectPublicKeyInfoBytes)guard let signatureData = Data(base64Encoded: message.signature) else {logger.error("Failed to decode signature")throw Abort(.badRequest)}let signature = _RSA.Signing.RSASignature(rawRepresentation: signatureData)guard let dataToSign = message.stringToSign.data(using: .utf8) else {logger.error("Failed to convert string to sign to data")throw Abort(.badRequest)}let digest: any Digestswitch message.signatureVersion {case ._1:digest = Insecure.SHA1.hash(data: dataToSign)case ._2:digest = SHA256.hash(data: dataToSign)}return publicKey.isValidSignature(signature, for: digest)}
字符串
我正在构造要签名的字符串如下:
extension SubscriptionConfirmationMessage: VerifiableMessage {var stringToSign: String {"""Message\(message)MessageId\(messageID)SubscribeURL\(subscribeURL)Timestamp\(timestamp)Token\(token)TopicArn\(topicARN)TypeSubscriptionConfirmation"""}}
型
但是isValidSignature总是返回false。如何正确验证消息?
1条答案
按热度按时间tgabmvqs1#
问题出在传递给
isValidSignature的填充上。默认值是PSS(“使用MGF1的PSS填充”)。通过检查C#实现的源代码,我发现它应该是insecurePKCS1v1_5(“PKCS#1 v1.5”)。验证签名的正确方法是:
字符串