Amazon 提供文档,用于验证路由到 HTTP/HTTPS 端点的 SNS 消息是否有效。在服务器上使用 Vapor 和 Swift,以及 swift-certificates 和 swift-crypto,我实现了验证逻辑:
func messageHasValidSignature<Message: VerifiableMessage>(_ message: Message) async throws -> Bool {
guard let certificateBytes = try await client.get(.init(message.signingCertificateURL)).body else {
logger.error("Failed to get signing certificate body")
throw Abort(.badRequest)
}
let certificateString = String(buffer: certificateBytes)
let certificate = try Certificate(pemEncoded: certificateString)
let publicKey = try _RSA.Signing.PublicKey(derRepresentation: certificate.publicKey.subjectPublicKeyInfoBytes)
guard let signatureData = Data(base64Encoded: message.signature) else {
logger.error("Failed to decode signature")
throw Abort(.badRequest)
}
let signature = _RSA.Signing.RSASignature(rawRepresentation: signatureData)
guard let dataToSign = message.stringToSign.data(using: .utf8) else {
logger.error("Failed to convert string to sign to data")
throw Abort(.badRequest)
}
let digest: any Digest
switch message.signatureVersion {
case ._1:
digest = Insecure.SHA1.hash(data: dataToSign)
case ._2:
digest = SHA256.hash(data: dataToSign)
}
return publicKey.isValidSignature(signature, for: digest)
}
我正在构建要签名的字符串,如下所示:
extension SubscriptionConfirmationMessage: VerifiableMessage {
var stringToSign: String {
"""
Message
\(message)
MessageId
\(messageID)
SubscribeURL
\(subscribeURL)
Timestamp
\(timestamp)
Token
\(token)
TopicArn
\(topicARN)
Type
SubscriptionConfirmation
"""
}
}
但是
isValidSignature问题在于传递给
isValidSignaturePSSinsecurePKCS1v1_5所以验证签名的正确方法是:
return publicKey.isValidSignature(signature, for: digest, padding: .insecurePKCS1v1_5)