Amazon provides documentation for verifying that SNS messages routed to an HTTP/HTTPS endpoint are valid. Using Vapor and Swift on the server, along with swift-certificates and swift-crypto, I implemented the verification logic:
func messageHasValidSignature<Message: VerifiableMessage>(_ message: Message) async throws -> Bool {
guard let certificateBytes = try await client.get(.init(message.signingCertificateURL)).body else {
logger.error("Failed to get signing certificate body")
throw Abort(.badRequest)
}
let certificateString = String(buffer: certificateBytes)
let certificate = try Certificate(pemEncoded: certificateString)
let publicKey = try _RSA.Signing.PublicKey(derRepresentation: certificate.publicKey.subjectPublicKeyInfoBytes)
guard let signatureData = Data(base64Encoded: message.signature) else {
logger.error("Failed to decode signature")
throw Abort(.badRequest)
}
let signature = _RSA.Signing.RSASignature(rawRepresentation: signatureData)
guard let dataToSign = message.stringToSign.data(using: .utf8) else {
logger.error("Failed to convert string to sign to data")
throw Abort(.badRequest)
}
let digest: any Digest
switch message.signatureVersion {
case ._1:
digest = Insecure.SHA1.hash(data: dataToSign)
case ._2:
digest = SHA256.hash(data: dataToSign)
}
return publicKey.isValidSignature(signature, for: digest)
}
I am constructing the string to sign as follows:
extension SubscriptionConfirmationMessage: VerifiableMessage {
var stringToSign: String {
"""
Message
\(message)
MessageId
\(messageID)
SubscribeURL
\(subscribeURL)
Timestamp
\(timestamp)
Token
\(token)
TopicArn
\(topicARN)
Type
SubscriptionConfirmation
"""
}
}
But isValidSignature always returns false. How can I properly verify the message?
