I am getting pretty far in developing my app, so I’m trying to get ahead of security and make my app verify the signature of SmartThings requests to my WebHook App and I’m having a not so great time at it.
I am not using the node or java JDKs, so I’m having to roll my own implementation of the request parser. I haven’t found anything that would do this in Ruby as an analog to node-http-signature.
I THINK my problem is in forming the signatureString for verification. I THINK I have everything else correct.
String algorithm: (request-target) digest date
Pseudocode:
signature
=> <request_signature>
signatureString
=> "(request-target): post https://app.sample.com/ digest: <request_digest> date: Fri, 12 Mar 2021 21:19:30 UTC"
public_key.verify(digest, signature, signatureString)
=> FALSE
Am I formulating the signature string wrong here? I’m at a loss as to why I’m having trouble validating the signature.
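An added example, not part of the original post and not SmartThings code: a Ruby verifier for the header list above, assuming the request follows the draft-cavage-http-signatures scheme that node-http-signature implements, with an `Authorization: Signature ...` header and `rsa-sha256`. The key, body, keyId and helper names are constructed for the demo; it contrasts the newline-joined signing string with the space-joined, full-URL form shown in the post.

```ruby
require "openssl"
require "base64"

DIGEST_NAME = "SHA256"

def body_digest(body)
  "SHA-256=" + Base64.strict_encode64(OpenSSL::Digest.digest(DIGEST_NAME, body))
end

# Signing string per draft-cavage-http-signatures: one "name: value" line per
# listed header, joined by "\n" with no trailing newline. (request-target) is
# the lowercased method plus the request path, not the full URL.
def signing_string(names, method, path, headers)
  names.map do |name|
    value = name == "(request-target)" ? "#{method.downcase} #{path}" : headers.fetch(name)
    "#{name}: #{value}"
  end.join("\n")
end

def verify_request(public_key, authorization, method, path, headers, body)
  params = authorization.sub(/\ASignature\s+/i, "").scan(/(\w+)="([^"]*)"/).to_h
  return false unless params["algorithm"] == "rsa-sha256"    # pin the algorithm
  return false unless headers["digest"] == body_digest(body) # bind body to signature
  message = signing_string(params.fetch("headers").split(" "), method, path, headers)
  signature = Base64.strict_decode64(params.fetch("signature")) # raw bytes, not Base64
  public_key.verify(OpenSSL::Digest.new(DIGEST_NAME), signature, message)
rescue ArgumentError, KeyError, OpenSSL::PKey::PKeyError
  false # malformed header, or a signed header absent from the request
end

# Constructed sample request, signed with a throwaway key generated for the demo.
KEY = OpenSSL::PKey::RSA.new(2048)
BODY = '{"sample":"constructed body"}'
HEADERS = { "digest" => body_digest(BODY), "date" => "Fri, 12 Mar 2021 21:19:30 UTC" }.freeze
GOOD = signing_string(%w[(request-target) digest date], "POST", "/", HEADERS)
SIG = Base64.strict_encode64(KEY.sign(OpenSSL::Digest.new(DIGEST_NAME), GOOD))
AUTH = 'Signature keyId="/constructed/key",algorithm="rsa-sha256",' \
       "headers=\"(request-target) digest date\",signature=\"#{SIG}\""

# The same fields joined by spaces with a full URL, as in the post's signatureString.
FLAT = "(request-target): post https://app.sample.com/ " \
       "digest: #{HEADERS['digest']} date: #{HEADERS['date']}"

def flat_string_verifies?
  KEY.public_key.verify(OpenSSL::Digest.new(DIGEST_NAME), Base64.strict_decode64(SIG), FLAT)
end

puts verify_request(KEY.public_key, AUTH, "POST", "/", HEADERS, BODY) # true
puts flat_string_verifies?                                            # false
```

Header values must be taken byte-for-byte from the received request, and the order of lines must follow the `headers` parameter of the signature header rather than a hard-coded list.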