Saturday, October 11, 2014

Amazon SNS - Verifying Signatures

While creating a Bedrock example of using Amazon's Simple Notification Service, I was surprised to find that Googling for a Perl example of verifying the signature from an SNS notification message came up empty.  So I wrote my own...

Here's a description from Amazon's documentation regarding how to verify the signature.

http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.verify.signature.html

As helpful as that might seem, I got stuck on steps 7 & 8.

7. Generate the derived hash value of the Amazon SNS message. Submit the Amazon SNS message, in canonical format, to the same hash function used to generate the signature.

8. Generate the asserted hash value of the Amazon SNS message. The asserted hash value is the result of using the public key value (from step 3) to decrypt the signature delivered with the Amazon SNS message.


Seems straightforward, but what is the same hash function used to generate the signature?  I think there is an answer, but it turned out easier to use the verify() method of the Crypt::OpenSSL::RSA module.

Here's the Perl module that implements a Bedrock plugin compatible component for verifying signatures.


It's also available from the Bedrock yum repository.

$ sudo yum install 'perl(Amazon::SNS::VerifySignature)'
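The verify() approach described above, as an added example that is not the Amazon::SNS::VerifySignature module or any code from this post: it builds the canonical string for steps 7 and 8 and hands it to Crypt::OpenSSL::RSA. The names `canonical_string`, `verify_sns_signature` and `%SIGNED_FIELDS` are hypothetical, SignatureVersion 1 (SHA1withRSA) is assumed, and a throwaway key pair stands in for the public key that step 3 takes from Amazon's signing certificate.

```perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw(encode_base64 decode_base64);

# Signed fields per message type, in the order Amazon's documentation lists them.
my @confirm = qw(Message MessageId SubscribeURL Timestamp Token TopicArn Type);
my %SIGNED_FIELDS = (
    Notification             => [qw(Message MessageId Subject Timestamp TopicArn Type)],
    SubscriptionConfirmation => \@confirm,
    UnsubscribeConfirmation  => \@confirm,
);

# Step 7 input: the canonical string, "Name\nValue\n" for each signed field present.
sub canonical_string {
    my ($msg) = @_;
    my $fields = $SIGNED_FIELDS{ $msg->{Type} // '' } or die "unknown Type\n";
    return join '', map { "$_\n$msg->{$_}\n" } grep { defined $msg->{$_} } @$fields;
}

# Steps 7 and 8 in one call: verify() hashes the string and checks the RSA signature.
sub verify_sns_signature {
    my ($msg, $public_key_pem) = @_;
    return 0 unless ($msg->{SignatureVersion} // '') eq '1';
    my $ok = eval {
        my $rsa = Crypt::OpenSSL::RSA->new_public_key($public_key_pem);
        $rsa->use_sha1_hash;    # SignatureVersion 1 means SHA1withRSA
        $rsa->verify(canonical_string($msg), decode_base64($msg->{Signature} // ''));
    };
    return $ok ? 1 : 0;         # a croak (bad key, malformed signature) counts as failure
}

# Constructed demo: a throwaway key pair stands in for the key in the signing certificate.
my $key = Crypt::OpenSSL::RSA->generate_key(2048);
$key->use_sha1_hash;
my %msg = (
    Type => 'Notification', SignatureVersion => '1',
    MessageId => '00000000-0000-0000-0000-000000000000',
    TopicArn  => 'arn:aws:sns:us-east-1:123456789012:ExampleTopic',
    Timestamp => '2014-10-11T00:00:00.000Z',
    Message   => 'hello from a constructed message',
);
$msg{Signature} = encode_base64($key->sign(canonical_string(\%msg)), '');
my $pub = $key->get_public_key_x509_string;

print "genuine:  ", verify_sns_signature(\%msg, $pub), "\n";
$msg{Message} = 'tampered';
print "tampered: ", verify_sns_signature(\%msg, $pub), "\n";
```

With a real notification, check that SigningCertURL is an HTTPS URL on an Amazon SNS host before downloading the certificate, since a signature verified against a key from an unchecked URL proves nothing about the sender.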


