Add SHA256 support (#32)

Co-authored-by: Parker Ram <[email protected]>
aws · Aug 19, 2022 · d7c45c7 · d7c45c7
1 parent dc05961
commit d7c45c7
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 18 deletions.
diff --git a/index.js b/index.js
@@ -122,9 +122,10 @@ var getCertificate = function (certUrl, cb) {
 };
 
 var validateSignature = function (message, cb, encoding) {
-    if (message['SignatureVersion'] !== '1') {
+    var signatureVersion = message['SignatureVersion'];
+    if (signatureVersion !== '1' && signatureVersion !== '2') {
         cb(new Error('The signature version '
-            + message['SignatureVersion'] + ' is not supported.'));
+            + signatureVersion + ' is not supported.'));
         return;
     }
 
@@ -135,7 +136,7 @@ var validateSignature = function (message, cb, encoding) {
         signableKeys = signableKeysForNotification.slice(0);
     }
 
-    var verifier = crypto.createVerify('RSA-SHA1');
+    var verifier = (signatureVersion === '1') ? crypto.createVerify('RSA-SHA1') : crypto.createVerify('RSA-SHA256');
     for (var i = 0; i < signableKeys.length; i++) {
         if (signableKeys[i] in message) {
             verifier.update(signableKeys[i] + "\n"

diff --git a/test/validator.js b/test/validator.js
@@ -21,6 +21,15 @@ var chai = require('chai'),
         SignatureVersion: '1',
         SigningCertURL: "https://localhost:56789/cert.pem"
     },
+    validSHA256Message = {
+        Type: 'Notification',
+        MessageId: '1',
+        TopicArn: 'arn',
+        Message: 'A message for you!',
+        Timestamp: (new Date).toISOString(),
+        SignatureVersion: '2',
+        SigningCertURL: "https://localhost:56789/cert.pem"
+    },
     validLambdaMessage = {
         Type: 'Notification',
         MessageId: '1',
@@ -56,14 +65,16 @@ describe('Message Validator', function () {
             var crypto = require('crypto'),
                 validMessages = [
                     validMessage,
+                    validSHA256Message,
                     validLambdaMessage,
                     validSubscriptionControlMessage,
                     utf8Message,
                     utf8SubscriptionControlMessage
                 ];
 
             for (var i = 0; i < validMessages.length; i++) {
-                var signer = crypto.createSign('RSA-SHA1');
+                var signatureVersion = validMessages[i]['SignatureVersion'];
+                var signer = (signatureVersion === '1') ? crypto.createSign('RSA-SHA1') : crypto.createSign('RSA-SHA256');
 
                 for (var j = 0; j < signableKeysForSubscription.length; j++) {
                     if (signableKeysForSubscription[j] in validMessages[i]) {
@@ -134,19 +145,19 @@ describe('Message Validator', function () {
 
         it('should accept Lambda payloads with improper "Url" casing', function (done) {
             (new MessageValidator(/^localhost:56789$/))
-              .validate(validLambdaMessage, function (err, message) {
-                  if (err) {
-                      return done(new Error('The validator should have accepted this message.'));
-                  }
+                .validate(validLambdaMessage, function (err, message) {
+                    if (err) {
+                        return done(new Error('The validator should have accepted this message.'));
+                    }
 
-                  try {
-                      expect(message.Message)
-                          .to.equal('A Lambda message for you!');
-                      done();
-                  } catch (e) {
-                      done(e);
-                  }
-              });
+                    try {
+                        expect(message.Message)
+                            .to.equal('A Lambda message for you!');
+                        done();
+                    } catch (e) {
+                        done(e);
+                    }
+                });
         });
 
         it('should reject hashes residing on an invalid domain', function (done) {
@@ -169,7 +180,7 @@ describe('Message Validator', function () {
         it('should reject hashes with an invalid signature type', function (done) {
             (new MessageValidator)
                 .validate(_.extend({}, validMessage, {
-                    SignatureVersion: '2',
+                    SignatureVersion: '3',
                     SigningCertURL: validCertUrl
                 }), function (err, message) {
                     if (!err) {
@@ -178,7 +189,7 @@ describe('Message Validator', function () {
 
                     try {
                         expect(err.message)
-                            .to.equal('The signature version 2 is not supported.');
+                            .to.equal('The signature version 3 is not supported.');
                         done();
                     } catch (e) {
                         done(e);
@@ -211,6 +222,11 @@ describe('Message Validator', function () {
                 .validate(validMessage, done);
         });
 
+        it('should accept a valid message', function (done) {
+            (new MessageValidator(/^localhost:56789$/))
+                .validate(validSHA256Message, done);
+        });
+
         it('should accept valid messages as JSON strings', function (done) {
             (new MessageValidator(/^localhost:56789$/))
                 .validate(JSON.stringify(validMessage), done);