Verifying the Signatures of Amazon SNS Messages #176

Closed
maciejwalkowiak opened this issue Aug 14, 2021 · 6 comments
Labels
component: sns SNS integration related issue type: bug Something isn't working

Comments

@maciejwalkowiak
Contributor

From spring-cloud-aws created by madoxas: spring-attic/spring-cloud-aws#240

I can't find where spring cloud aws verifies sns message signature (http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.verify.signature.html).
Is it done at all?

@maciejwalkowiak maciejwalkowiak added component: sns SNS integration related issue type: bug Something isn't working labels Aug 14, 2021
@maciejwalkowiak
Contributor Author

With the move to a new repository (https://github.com/awspring/spring-cloud-aws) I was wondering if there was any update on this issue being addressed?

I had a quick look but the code still looks to be very similar to the code in this repository (I might have missed it).

@maciejwalkowiak
Contributor Author

Closing this due to inactivity. Please re-open if there's more to discuss.

@maciejwalkowiak
Contributor Author

I know this is an old ticket, but I can't find the part of the code that verifies the signature either. I think it should be in NotificationRequestConverter.java, but I could not find it there.
According to the AWS docs, the message signature should be verified on all messages. Therefore, not checking the signature could be a security leak. 🤔
And in the Java code example from AWS it is also pointed out that the DNS name should be verified. (Don't know if this is done yet.)

In the official aws-sdk-java this is automatically done in the SnsMessageManager.java, but this is not used.

Can someone either:

  1. show me where the signature is verified (which I don't think is done yet),
  2. or make this into a feature request.
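
The check asked about in the comment above, as an added example (not part of the original thread, and not Spring Cloud AWS or AWS SDK code): validate the `SigningCertURL` host, rebuild the string SNS signs, and verify the RSA signature. The class and method names and the host pattern are assumptions, and a locally generated key pair stands in for the certificate that would be fetched from `SigningCertURL`.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class SnsSignatureCheck { // hypothetical class name
    // Signed fields per message type, in the order AWS documents.
    static final List<String> NOTIFICATION = List.of("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type");
    static final List<String> CONFIRMATION = List.of("Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type");
    // Accept the signing certificate only over HTTPS from an SNS endpoint host (pattern is an assumption).
    static boolean isTrustedCertUrl(String url) {
        try {
            URI u = URI.create(url);
            return "https".equals(u.getScheme()) && u.getHost() != null
                && u.getHost().matches("sns\\.[a-z0-9-]+\\.amazonaws\\.com(\\.cn)?");
        } catch (IllegalArgumentException e) { return false; }
    }
    // Canonical string: "Key\nValue\n" per field; absent fields (e.g. Subject) are skipped.
    static String stringToSign(Map<String, String> msg) {
        StringBuilder sb = new StringBuilder();
        for (String k : "Notification".equals(msg.get("Type")) ? NOTIFICATION : CONFIRMATION)
            if (msg.get(k) != null) sb.append(k).append('\n').append(msg.get(k)).append('\n');
        return sb.toString();
    }
    // certKey is the public key of the certificate fetched from SigningCertURL.
    static boolean verify(Map<String, String> msg, PublicKey certKey) throws GeneralSecurityException {
        String v = msg.getOrDefault("SignatureVersion", "");
        if (!isTrustedCertUrl(msg.getOrDefault("SigningCertURL", "")) || !(v.equals("1") || v.equals("2"))) return false;
        Signature sig = Signature.getInstance(v.equals("2") ? "SHA256withRSA" : "SHA1withRSA");
        sig.initVerify(certKey);
        sig.update(stringToSign(msg).getBytes(StandardCharsets.UTF_8));
        try { return sig.verify(Base64.getDecoder().decode(msg.getOrDefault("Signature", ""))); }
        catch (IllegalArgumentException | SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // stand-in for the SNS certificate key
        Map<String, String> msg = new HashMap<>(Map.of( // constructed sample message
            "Type", "Notification", "MessageId", "id-1", "Message", "hello", "SignatureVersion", "1",
            "TopicArn", "arn:aws:sns:us-east-1:123456789012:demo", "Timestamp", "2021-08-14T00:00:00.000Z",
            "SigningCertURL", "https://sns.us-east-1.amazonaws.com/placeholder.pem"));
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(stringToSign(msg).getBytes(StandardCharsets.UTF_8));
        msg.put("Signature", Base64.getEncoder().encodeToString(s.sign()));
        System.out.println("genuine:  " + verify(msg, kp.getPublic()));
        msg.put("Message", "tampered");
        System.out.println("tampered: " + verify(msg, kp.getPublic()));
        System.out.println("bad host: " + isTrustedCertUrl("https://sns.us-east-1.amazonaws.com.evil.example/x.pem"));
    }
}
```

In a real endpoint the certificate downloaded from `SigningCertURL` also has to be validated before its public key is passed to `verify`.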

@maciejwalkowiak
Contributor Author

Thanks @KarlKl for letting us know. We are taking care of it.

@github-actions github-actions bot added the status: waiting-for-triage Team has not yet looked into this issue label Aug 14, 2021
@maciejwalkowiak maciejwalkowiak removed the status: waiting-for-triage Team has not yet looked into this issue label Aug 14, 2021
@maciejwalkowiak maciejwalkowiak added this to the 2.3.2 milestone Aug 14, 2021
@maciejwalkowiak maciejwalkowiak modified the milestones: 2.3.2, 2.3.3 Sep 6, 2021
@WtfJoke
Contributor

WtfJoke commented Oct 31, 2021

I've tried to implement this feature in my fork. Not finished yet (mainly tests are missing), but verifying the signature seems to work.

WtfJoke added a commit to WtfJoke/spring-cloud-aws that referenced this issue Nov 2, 2021
@WtfJoke
Contributor

WtfJoke commented Nov 2, 2021

Now I have opened #198
