Class: SesDashboard::SnsSignatureVerifier
Inherits: Object
Defined in: lib/ses_dashboard/sns_signature_verifier.rb
Overview
Verifies the authenticity of an SNS HTTP POST using AWS’s RSA signature.
SNS signs each message with RSA over SHA1 (SignatureVersion "1") or SHA256 (SignatureVersion "2"), using a per-region X.509 certificate hosted at an amazonaws.com URL that is included in every message as SigningCertURL.
Verification steps:
1. Validate the SigningCertURL is from amazonaws.com (prevents substitution attacks)
2. Fetch and parse the X.509 certificate
3. Reconstruct the canonical string-to-sign
4. Verify the Signature against the cert's public key
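The four steps above, carried out end to end as an added example (this is not the SesDashboard project's own code). To keep it offline, a throwaway self-signed RSA certificate generated in the block stands in for the AWS certificate, and the fetch is a lambda the caller supplies rather than an HTTP request; the message fields, MessageId, TopicArn and SigningCertURL are constructed sample values. The string-to-sign layout ("Key\nValue\n" for each field in sorted key order, with Subject only when present) follows AWS's documented format for SNS messages, and the URL pattern is the one this class defines.

```ruby
require "openssl"

# Added example (not SesDashboard's code): SNS signature verification without
# network access. A locally generated certificate plays the role of the
# AWS-hosted one; the caller injects it through `fetch_cert`.
module SnsVerifyExample
  class VerificationError < StandardError; end

  # Step 1 anchor: only certificates hosted on sns.<region>.amazonaws.com.
  CERT_URL_PATTERN = %r{\Ahttps://sns\.[a-z0-9\-]+\.amazonaws\.com/}.freeze

  # Fields of the canonical string, per message Type, in sorted key order.
  NOTIFICATION_KEYS = %w[Message MessageId Subject Timestamp TopicArn Type].freeze
  CONFIRMATION_KEYS = %w[Message MessageId SubscribeURL Timestamp Token TopicArn Type].freeze

  # Step 1: refuse any SigningCertURL that is not on Amazon's own host.
  def self.validate_cert_url!(url)
    return url if CERT_URL_PATTERN.match?(url.to_s)
    raise VerificationError, "untrusted SigningCertURL: #{url.inspect}"
  end

  # Step 3: rebuild the canonical "Key\nValue\n" string; Subject is optional.
  def self.string_to_sign(msg)
    keys = msg["Type"] == "Notification" ? NOTIFICATION_KEYS : CONFIRMATION_KEYS
    keys.each_with_object(+"") do |k, out|
      next if k == "Subject" && !msg.key?("Subject")
      out << k << "\n" << msg[k].to_s << "\n"
    end
  end

  # Steps 1-4. `fetch_cert` is a callable taking the validated URL and
  # returning an OpenSSL::X509::Certificate (an HTTP fetch in real use).
  def self.verify!(msg, fetch_cert)
    url = validate_cert_url!(msg["SigningCertURL"])
    cert = fetch_cert.call(url)                                    # Step 2
    digest = msg["SignatureVersion"] == "2" ? OpenSSL::Digest.new("SHA256") : OpenSSL::Digest.new("SHA1")
    sig = msg["Signature"].to_s.unpack1("m")                        # base64 decode
    unless cert.public_key.verify(digest, sig, string_to_sign(msg)) # Step 4
      raise VerificationError, "SNS signature verification failed"
    end
    true
  end

  # Constructed fixture: a self-signed cert standing in for the AWS one.
  def self.make_cert
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=sns-example")
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
    [key, cert]
  end

  # Constructed sample Notification, signed with the fixture key so the
  # verifier has something realistic to check.
  def self.signed_message(key, version:)
    msg = {
      "Type" => "Notification",
      "MessageId" => "00000000-0000-4000-8000-000000000001",
      "TopicArn" => "arn:aws:sns:us-east-1:123456789012:example-topic",
      "Message" => "{\"notificationType\":\"Bounce\"}",
      "Timestamp" => "2024-01-01T00:00:00.000Z",
      "SignatureVersion" => version,
      "SigningCertURL" => "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem",
    }
    digest = version == "2" ? OpenSSL::Digest.new("SHA256") : OpenSSL::Digest.new("SHA1")
    msg["Signature"] = [key.sign(digest, string_to_sign(msg))].pack("m0") # base64 encode
    msg
  end
end

if __FILE__ == $PROGRAM_NAME
  key, cert = SnsVerifyExample.make_cert
  msg = SnsVerifyExample.signed_message(key, version: "2")
  puts SnsVerifyExample.verify!(msg, ->(_url) { cert })
end
```

Two details matter in practice: the pattern is anchored with \A and requires the "/" after amazonaws.com, so a host such as sns.us-east-1.amazonaws.com.example.net is rejected, and any change to a signed field (the Message body, the Timestamp) changes the string-to-sign and makes verification fail.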
Defined Under Namespace
Classes: VerificationError
Constant Summary
- CERT_URL_PATTERN =
  Only trust certs hosted on Amazon's own infrastructure.
  %r{\Ahttps://sns\.[a-z0-9\-]+\.amazonaws\.com/}.freeze
Instance Method Summary
- #initialize(sns_message) ⇒ SnsSignatureVerifier (constructor)
  A new instance of SnsSignatureVerifier.
- #verify! ⇒ Object
  Returns true if valid, raises VerificationError if not.
Constructor Details
#initialize(sns_message) ⇒ SnsSignatureVerifier
Returns a new instance of SnsSignatureVerifier.
# File 'lib/ses_dashboard/sns_signature_verifier.rb', line 25
# Keeps the parsed SNS message (a Hash of the POST body's fields) for verify!.
def initialize(sns_message)
  @msg = sns_message
end
Instance Method Details
#verify! ⇒ Object
Returns true if valid, raises VerificationError if not.
# File 'lib/ses_dashboard/sns_signature_verifier.rb', line 30
def verify!
  validate_cert_url!                 # step 1: SigningCertURL must match CERT_URL_PATTERN
  cert = fetch_cert                  # step 2: download and parse the X.509 certificate
  # SignatureVersion "2" means SHA256; anything else falls back to SHA1 (version "1").
  digest = signature_version == "2" ? OpenSSL::Digest::SHA256.new : OpenSSL::Digest::SHA1.new
  # steps 3 and 4: check the base64-decoded Signature over the canonical string-to-sign
  unless cert.public_key.verify(digest, decoded_signature, string_to_sign)
    raise VerificationError, "SNS signature verification failed"
  end
  true
end