
SNS signature verification support #7985

Answered by bblommers
surgiie asked this question in Q&A

Moto >= 5.0.14.dev19 now returns a SigningCertificateURL that points to a valid certificate.

One point to note - we use the cryptography-library to create the certificate, and they don't support SHA-1 anymore because it is not secure. So Moto always creates the certificate using SHA-256, and we return the SignatureVersion="2" to reflect this.

So if the sample code that you provided would be changed to include this, I believe that should now work:

pubkey.verify(
    signature,
    message,
    padding.PKCS1v15(),
    hashes.SHA1() if data["SignatureVersion"] == "1" else hashes.SHA256(),
)

Answer selected by bblommers
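
A fuller version of the check in the answer above, as an added example that is not part of the original discussion or Moto's own code: it builds the string to sign, picks the hash from SignatureVersion, and fails closed on an unknown version. It assumes the Notification field order documented by AWS; the key pair, message values and helper names are constructed for illustration so it runs offline.

```python
import base64

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Fields signed for a Notification, in this order; Subject is optional.
NOTIFICATION_FIELDS = ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type")


def string_to_sign(data):
    """Each present field contributes 'Name\\nValue\\n' to the signed bytes."""
    return "".join(f"{k}\n{data[k]}\n" for k in NOTIFICATION_FIELDS if k in data).encode()


def hash_for(data):
    """Map SignatureVersion to its hash; fail closed on anything unexpected."""
    version = data.get("SignatureVersion")
    if version == "1":
        return hashes.SHA1()
    if version == "2":
        return hashes.SHA256()
    raise ValueError(f"unsupported SignatureVersion: {version!r}")


def verify(data, pubkey):
    """Return True only if Signature matches the signed fields under pubkey."""
    try:
        pubkey.verify(base64.b64decode(data["Signature"]), string_to_sign(data),
                      padding.PKCS1v15(), hash_for(data))
        return True
    except InvalidSignature:
        return False


def make_sample():
    """Constructed stand-in for the publisher: throwaway key, SHA-256, version 2."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    data = {"Type": "Notification", "MessageId": "constructed-id-1", "Message": "hello",
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:constructed-topic",
            "Timestamp": "2024-01-01T00:00:00.000Z", "SignatureVersion": "2"}
    sig = key.sign(string_to_sign(data), padding.PKCS1v15(), hashes.SHA256())
    data["Signature"] = base64.b64encode(sig).decode()
    return data, key.public_key()


if __name__ == "__main__":
    sample, pub = make_sample()
    print(verify(sample, pub), verify(dict(sample, Message="tampered"), pub))
```

In a real handler the public key comes from the certificate at the message's signing certificate URL rather than from `make_sample()`.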