
go.sns

A helper library for receiving Amazon AWS SNS HTTP(S) notifications.

It provides signature validation for payloads and convenience functions for subscribing to and unsubscribing from topics.

Usage

Verifying an HTTP POST (a payload)

import (
  "encoding/json"
  "fmt"

  "github.com/robbiet480/go.sns"
)

// verifyNotification decodes the raw HTTP POST body sent by SNS and checks
// its signature. Processing stops at the first error, so the payload is only
// reported as valid once both steps have succeeded.
func verifyNotification(notificationJSON []byte) error {
  var notificationPayload sns.Payload
  if err := json.Unmarshal(notificationJSON, &notificationPayload); err != nil {
    fmt.Print(err)
    return err
  }
  if verifyErr := notificationPayload.VerifyPayload(); verifyErr != nil {
    fmt.Print(verifyErr)
    return verifyErr
  }
  fmt.Print("Payload is valid!")
  return nil
}

Subscribing to a topic

import (
  "fmt"

  "github.com/robbiet480/go.sns"
)

// confirmSubscription completes the subscription handshake. Call it only for
// a SubscriptionConfirmation or UnsubscribeConfirmation payload that has
// already passed VerifyPayload.
func confirmSubscription(notificationPayload sns.Payload) {
  subscriptionResponse, err := notificationPayload.Subscribe()
  if err != nil {
    fmt.Println("Error when subscribing!", err)
    return
  }
  fmt.Printf("subscriptionResponse %+v", subscriptionResponse)
}

Unsubscribing from a topic

import (
  "fmt"

  "github.com/robbiet480/go.sns"
)

// unsubscribeFromTopic follows the payload's UnsubscribeURL. Call it only for
// a Notification payload that has already passed VerifyPayload.
func unsubscribeFromTopic(notificationPayload sns.Payload) {
  unsubscriptionResponse, err := notificationPayload.Unsubscribe()
  if err != nil {
    fmt.Println("Error when unsubscribing!", err)
    return
  }
  fmt.Printf("unsubscriptionResponse %+v", unsubscriptionResponse)
}

Thanks

This library was based on work by lazywei, found in this Stack Overflow question, and on code written by syama666.

Thanks also go to xibz for helping me work out some of the low-level certificate/SHA1WithRSA details in this issue on aws-sdk-go.

Contributing

Fork, edit, write & run tests, submit PR, success!

Tests

Tests are written but do not pass, because the payload string is an example taken from the documentation.

License

MIT


go.sns's Issues

Certificate verification results in "x509: certificate signed by unknown authority" error

I have a project that receives SNS messages and verifies them using this library. When I updated this library to the latest version (which incorporates #7), payload verification started failing with the following error:

x509: certificate signed by unknown authority

I haven't looked into the certificate itself, but is AWS not signing these via a valid authority? Or is it something on my end?

Thanks!

Security: Signing certificate URL should be validated

This code currently has a security vulnerability which allows an attacker to impersonate official AWS SNS requests.

The problem lies with how the payload is verified. An attacker can control the payload but this is supposed to be fine because the signature check will fail. This check, however, relies on SigningCertURL which is included in the payload, which is under the attacker's control. A malicious entity could point this URL to a valid certificate which was used to sign the malicious payload and this code will currently accept that.

It's unfortunate that the SNS API makes it really easy to footgun yourself here because it includes SigningCertURL as a key in the payload which is attacker controlled. This heavily encourages users to blindly use this URL to retrieve the certificate which is then used to verify the payload.

What's worse, the official AWS SNS docs for verifying payloads do not mention this, but this thread alludes to the problem. Interestingly, the official SNS validator for Node does include a hostname check on the SigningCertURL: we should be doing the same.
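One way to add the hostname check this issue asks for, as an added example that is not part of go.sns or the issue thread. It assumes AWS serves signing certificates only from hosts of the form sns.<region>.amazonaws.com (or .amazonaws.com.cn); the helper name ValidateSigningCertURL and the sample URLs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// snsCertHost matches the hosts AWS serves SNS signing certificates from.
// Assumption: sns.<region>.amazonaws.com, plus the China partition suffix.
var snsCertHost = regexp.MustCompile(`^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$`)

// ValidateSigningCertURL rejects any SigningCertURL that is not an HTTPS URL
// pointing at a .pem file on an AWS SNS host. The URL arrives inside the
// attacker-controllable payload, so this check must run before the
// certificate is fetched and used to verify the signature.
func ValidateSigningCertURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("SigningCertURL is not a valid URL: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("SigningCertURL must use https")
	}
	if u.User != nil || u.Port() != "" {
		return errors.New("SigningCertURL must not carry credentials or an explicit port")
	}
	if !snsCertHost.MatchString(strings.ToLower(u.Hostname())) {
		return fmt.Errorf("SigningCertURL host %q is not an AWS SNS host", u.Hostname())
	}
	if !strings.HasSuffix(u.Path, ".pem") {
		return errors.New("SigningCertURL must point at a .pem file")
	}
	return nil
}

func main() {
	// Constructed sample URLs: the first is accepted, the others rejected.
	for _, raw := range []string{
		"https://sns.us-east-1.amazonaws.com/SimpleNotificationService-abc123.pem",
		"https://sns.us-east-1.amazonaws.com.evil.example/cert.pem",
		"http://sns.us-east-1.amazonaws.com/cert.pem",
	} {
		fmt.Println(raw, "->", ValidateSigningCertURL(raw))
	}
}
```

Run the check on the decoded payload's SigningCertURL before calling any verification that downloads the certificate.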

Build failing

Hi guys, your build is failing on Travis.

Are you still actively maintaining the library? I'm looking to see if there is a good way to verify SNS in Go and this could be really helpful if so.

Alex
