X509 Signature Validation

I am getting pretty far in developing my app, so I’m trying to get ahead of security and make my app verify the signature of SmartThings requests to my WebHook App and I’m having a not so great time at it.

I am not using the node or java JDKs, so I’m having to roll my own implementation of the request parser. I haven’t found anything that would do this in Ruby as an analog to node-http-signature.

I THINK my problem is in forming the signatureString for verification. I THINK I have everything else correct.

String algorithm: (request-target) digest date

Pseudo code:

=> <request_signature>
=> "(request-target): post https://app.sample.com/ digest: <request_digest> date: Fri, 12 Mar 2021 21:19:30 UTC"
public_key.verify(digest, signature, signatureString)

Am I formulating the signature string wrong here? I’m at a loss as to why I’m having trouble validating the signature.

I installed the nodeJS SDK and looked at the parsed signatureString there to see what was going on.

Needed to add a ‘new-line’ character (’\n’) after each header and the request-target does not include the domain.

"(request-target): post /\ndigest: <request_digest>\ndate: Fri, 12 Mar 2021 21:19:30 UTC"

Additionally, the signature needs to be Base64-decoded.

public_key.verify(digest, Base64.decode64(signature), signatureString)
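
The fix described above as a complete Ruby check, added here as an example and not taken from the original post or from the SmartThings SDK. It goes slightly further than the post by also refusing requests whose signature does not cover all three headers or whose Digest header does not match the body. Assumptions: the signature parameters arrive in an `Authorization: Signature ...` header, header names are lowercased in the hash, the digest has the form `SHA256=<base64>`, the algorithm is RSA with SHA-256, and every helper name is hypothetical.

```ruby
require "openssl"
require "base64"

REQUIRED_SIGNED = ["(request-target)", "digest", "date"].freeze

# Split 'Signature keyId="..",headers="..",signature=".."' into a hash.
def parse_signature_params(value)
  value.sub(/\ASignature\s+/i, "").scan(/(\w+)="([^"]*)"/).to_h
end

# One "name: value" line per signed header, joined by "\n" with no trailing
# newline. (request-target) is the lowercased method plus the path only.
def signing_string(method, path, headers, names)
  names.map do |name|
    next "(request-target): #{method.downcase} #{path}" if name == "(request-target)"
    "#{name}: #{headers.fetch(name)}"
  end.join("\n")
end

# Assumed digest header format: "SHA256=" + Base64 of the raw body hash.
def body_digest(body)
  "SHA256=" + Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(body))
end

def verify_request(public_key, method, path, headers, body)
  params = parse_signature_params(headers.fetch("authorization", ""))
  names = params.fetch("headers", "").split(" ")
  return false unless (REQUIRED_SIGNED - names).empty?      # all three must be signed
  return false unless headers["digest"] == body_digest(body) # ties the body to the signature
  signature = Base64.decode64(params.fetch("signature", ""))
  public_key.verify(OpenSSL::Digest.new("SHA256"), signature,
                    signing_string(method, path, headers, names))
rescue KeyError, OpenSSL::PKey::PKeyError
  false # a signed header is missing from the request, or the signature is malformed
end

# Constructed sample request, signed with a locally generated key for the demo.
def sample_request(key, body = '{"lifecycle":"PING"}')
  headers = { "digest" => body_digest(body), "date" => "Fri, 12 Mar 2021 21:19:30 UTC" }
  sig = key.sign(OpenSSL::Digest.new("SHA256"),
                 signing_string("POST", "/", headers, REQUIRED_SIGNED))
  headers["authorization"] = %(Signature keyId="/constructed/key",algorithm="rsa-sha256",) +
                             %(headers="#{REQUIRED_SIGNED.join(' ')}",) +
                             %(signature="#{Base64.strict_encode64(sig)}")
  [headers, body]
end
```

Passing the full URL instead of the path to `verify_request` reproduces the original failure: the signing string differs from the one that was signed, so verification returns false.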