SNS signature verification support

[surgiie]

My application has verification validation for incoming SNS messages on a subscriber as documented here:

https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html

From what i can tell, the signature and other message data is hard coded:

https://github.com/getmoto/moto/blob/master/moto/sns/models.py#L306C14-L306C28

So when my code tries to validate the signature/cert url, moto is using a hard coded url of : https://sns.us-east-1.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem

Is there any plans to support a url that would hit moto and allow this verification run as it would in my production environment?

[bblommers]

Hi @surgiie, I haven't looked too deeply into the details, but that definitely sounds possible.

Can you share a simplified test case, that passes against AWS, but fails against Moto?

[surgiie]

As far as I can tell moto doesnt provide a valid url for me to even do the validation. So as it stands, im currently just skipping this validation when my environment is local but as mentioned, id ideally like to be able to do the validation in local as well as it allows me to test that code works as expected when testing/troubleshooting from my local environment.

I believe the issue arises from the fact that the url to the certificate that i need to verify/validate is always hardcoded in the SNS message:

{
 ....
  "SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem"
}

Im serving moto on https://motoserver:3000 so i would expect an incoming message to contain a url such as:

{
 ....
  "SigningCertURL" : "https://motoserver:3000/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem"
}

From there the validation code would be able to fetch this certificate and validate the signature. Some sample code, of where the problem lies in context:

def verify_sns_signature(data: dict):
    try:
        message_type = data["MessageType"]
        message = "<computed-signed-string>"
        signing_url = urlparse(data["SigningCertURL"])
        signature = base64.b64decode(data["Signature"])
    except (ValueError, KeyError) as err:
        raise Exception(f"Invalid SNS Data: {err}")

   # This is the part that fails, as the url is not resolvable/hits moto.
    with urlopen(signing_url.geturl()) as signing_response:
        pem_data = signing_response.read()

    cert = x509.load_pem_x509_certificate(pem_data, default_backend())
    pubkey = cert.public_key()

    try:
        pubkey.verify(
            signature,
            message,
            padding.PKCS1v15(),
            hashes.SHA1(),
        )
      
    except InvalidSignature as err:
        raise Exception(f"Invalid SNS Signature: {err}")

To summarize I believe motoserver lacks the following steps in order to support this feature (https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html):

[bblommers]

Thank you for providing this sample @surgiie! I took the liberty to steal reuse it for our own internal test:

moto/tests/test_sns/test_http_message_verification.py

Line 85 in af18374

def test_http_message_verification(self):

[bblommers]

Moto >= 5.0.14.dev19 now returns a SigningCertificateURL that points to a valid certificate.

One point to note - we use the cryptography-library to create the certificate, and they don't support SHA-1 anymore because it is not secure. So Moto always creates the certificate using SHA-256, and we return the SignatureVersion="2" to reflect this.

So if the sample code that you provided would be changed to include this, I believe that should now work:

pubkey.verify(
        signature,
        message,
        padding.PKCS1v15(),
        hashes.SHA1() if data["SignatureVersion"] == "1" else hashes.SHA256(),
)

[surgiie]

Thank you for your work on this!