line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Net::Amazon::SNS::Signature; |
2
|
|
|
|
|
|
|
$Net::Amazon::SNS::Signature::VERSION = '0.006'; |
3
|
2
|
|
|
2
|
|
51942
|
use strict; use warnings; |
|
2
|
|
|
2
|
|
3
|
|
|
2
|
|
|
|
|
40
|
|
|
2
|
|
|
|
|
6
|
|
|
2
|
|
|
|
|
2
|
|
|
2
|
|
|
|
|
39
|
|
4
|
|
|
|
|
|
|
|
5
|
2
|
|
|
2
|
|
5
|
use Carp; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
83
|
|
6
|
2
|
|
|
2
|
|
820
|
use Crypt::OpenSSL::RSA; |
|
2
|
|
|
|
|
9842
|
|
|
2
|
|
|
|
|
62
|
|
7
|
2
|
|
|
2
|
|
770
|
use Crypt::OpenSSL::X509; |
|
2
|
|
|
|
|
2730
|
|
|
2
|
|
|
|
|
103
|
|
8
|
2
|
|
|
2
|
|
762
|
use MIME::Base64; |
|
2
|
|
|
|
|
875
|
|
|
2
|
|
|
|
|
89
|
|
9
|
2
|
|
|
2
|
|
1036
|
use LWP::UserAgent; |
|
2
|
|
|
|
|
56336
|
|
|
2
|
|
|
|
|
719
|
|
10
|
|
|
|
|
|
|
|
11
|
|
|
|
|
|
|
=head1 NAME |
12
|
|
|
|
|
|
|
|
13
|
|
|
|
|
|
|
Net::Amazon::SNS::Signature |
14
|
|
|
|
|
|
|
|
15
|
|
|
|
|
|
|
=head1 DESCRIPTION |
16
|
|
|
|
|
|
|
|
17
|
|
|
|
|
|
|
For the verification of Amazon SNS messages |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
=head1 USAGE |
20
|
|
|
|
|
|
|
|
21
|
|
|
|
|
|
|
# Will download the signature certificate from SigningCertURL attribute of $message_ref |
22
|
|
|
|
|
|
|
# use LWP::UserAgent |
23
|
|
|
|
|
|
|
my $sns_signature = Net::Amazon::SNS::Signature->new(); |
24
|
|
|
|
|
|
|
if ( $sns_signature->verify( $message_ref ) ){ ... } |
25
|
|
|
|
|
|
|
|
26
|
|
|
|
|
|
|
# Will automatically download the certificate using your own user_agent ( supports ->get returns HTTP::Response ) |
27
|
|
|
|
|
|
|
my $sns_signature = Net::Amazon::SNS::Signature->new( user_agent => $my_user_agent ); |
28
|
|
|
|
|
|
|
if ( $sns_signature->verify( $message_ref ) ){ ... } |
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
# Provide the certificate yourself |
31
|
|
|
|
|
|
|
my $sns_signature = Net::Amazon::SNS::Signature->new() |
32
|
|
|
|
|
|
|
if ( $sns_signature->verify( $message_ref, $x509_cert ) ) { ... } |
33
|
|
|
|
|
|
|
|
34
|
|
|
|
|
|
|
=head2 verify |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
Call to verify the message, C<$message_ref> is required as first parameter and should be |
37
|
|
|
|
|
|
|
a hash ref, C<$x509_cert> is optional and should be a raw x509 certificate as downloaded |
38
|
|
|
|
|
|
|
from Amazon. |
39
|
|
|
|
|
|
|
|
40
|
|
|
|
|
|
|
See L for |
41
|
|
|
|
|
|
|
information on the content of a message |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
Usage: |
44
|
|
|
|
|
|
|
|
45
|
|
|
|
|
|
|
my $is_verified = $this->verify({ |
46
|
|
|
|
|
|
|
Message => 'My Test Message', |
47
|
|
|
|
|
|
|
MessageId => '4d4dc071-ddbf-465d-bba8-08f81c89da64', |
48
|
|
|
|
|
|
|
Subject => 'My subject', |
49
|
|
|
|
|
|
|
Timestamp => '2012-06-05T04:37:04.321Z', |
50
|
|
|
|
|
|
|
TopicArn => 'arn:aws:sns:us-east-1:123456789012:s4-MySNSTopic-1G1WEFCOXTC0P', |
51
|
|
|
|
|
|
|
Type => 'Notification', |
52
|
|
|
|
|
|
|
Signature => 'EXAMPLElDMXvB8r9R83tGoNn0ecwd5UjllzsvSvbItzfaMpN2nk5HVSw7XnOn', |
53
|
|
|
|
|
|
|
SigningCertURL => 'https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3e' |
54
|
|
|
|
|
|
|
}); |
55
|
|
|
|
|
|
|
|
56
|
|
|
|
|
|
|
=cut |
57
|
|
|
|
|
|
|
|
58
|
|
|
|
|
|
|
sub verify { |
59
|
1
|
|
|
1
|
1
|
381
|
my ( $self, $message, $cert ) = @_; |
60
|
|
|
|
|
|
|
|
61
|
|
|
|
|
|
|
my $signature = MIME::Base64::decode_base64($message->{Signature}) |
62
|
1
|
50
|
|
|
|
13
|
or carp( "Signature is a required attribute of message" ); |
63
|
1
|
|
|
|
|
2
|
my $string = $self->build_sign_string( $message ); |
64
|
|
|
|
|
|
|
my $public_key = $cert ? $self->_key_from_cert( $cert ) : |
65
|
1
|
50
|
|
|
|
3
|
$self->_public_key_from_url( $message->{SigningCertURL} ); |
66
|
|
|
|
|
|
|
|
67
|
1
|
|
|
|
|
12
|
my $rsa = Crypt::OpenSSL::RSA->new_public_key( $public_key ); |
68
|
1
|
|
|
|
|
546
|
return $rsa->verify($string, $signature); |
69
|
|
|
|
|
|
|
} |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
=head2 build_sign_string |
72
|
|
|
|
|
|
|
|
73
|
|
|
|
|
|
|
Given a C<$message_ref> will return a formatted string ready to be signed. |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
Usage: |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
my $sign_string = $this->build_sign_string({ |
78
|
|
|
|
|
|
|
Message => 'Hello', |
79
|
|
|
|
|
|
|
MessageId => '12345', |
80
|
|
|
|
|
|
|
Subject => 'I am a message', |
81
|
|
|
|
|
|
|
Timestamp => '2016-01-20T14:37:01Z', |
82
|
|
|
|
|
|
|
TopicArn => 'xyz123', |
83
|
|
|
|
|
|
|
Type => 'Notification' |
84
|
|
|
|
|
|
|
}); |
85
|
|
|
|
|
|
|
|
86
|
|
|
|
|
|
|
=cut |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
sub build_sign_string { |
89
|
1
|
|
|
1
|
1
|
2
|
my ( $self, $message ) = @_; |
90
|
|
|
|
|
|
|
|
91
|
1
|
|
|
|
|
1
|
my @keys = $self->_signature_keys( $message ); |
92
|
1
|
|
33
|
|
|
10
|
defined($message->{$_}) or carp( sprintf( "%s is required", $_ ) ) for @keys; |
93
|
1
|
|
|
|
|
1
|
return join( "\n", ( map { ( $_, $message->{$_} ) } @keys ), "" ); |
|
6
|
|
|
|
|
10
|
|
94
|
|
|
|
|
|
|
} |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
sub new { |
97
|
1
|
|
|
1
|
0
|
316
|
my ( $class, $args_ref ) = @_; |
98
|
|
|
|
|
|
|
return bless { |
99
|
1
|
50
|
|
|
|
5
|
defined($args_ref->{user_agent}) ? ( user_agent => $args_ref->{user_agent} ) : () |
100
|
|
|
|
|
|
|
}, $class; |
101
|
|
|
|
|
|
|
} |
102
|
|
|
|
|
|
|
|
103
|
|
|
|
|
|
|
sub _public_key_from_url { |
104
|
0
|
|
|
0
|
|
0
|
my ( $self, $url ) = @_; |
105
|
0
|
|
|
|
|
0
|
my $response = $self->user_agent->get( $url ); |
106
|
0
|
|
|
|
|
0
|
my $content = $response->decoded_content; |
107
|
0
|
|
|
|
|
0
|
return $self->_key_from_cert( $content ); |
108
|
|
|
|
|
|
|
} |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
sub _key_from_cert { |
111
|
1
|
|
|
1
|
|
2
|
my ( $self, $cert ) = @_; |
112
|
1
|
|
|
|
|
102
|
my $x509 = Crypt::OpenSSL::X509->new_from_string( |
113
|
|
|
|
|
|
|
$cert, Crypt::OpenSSL::X509::FORMAT_PEM |
114
|
|
|
|
|
|
|
); |
115
|
1
|
|
|
|
|
63
|
return $x509->pubkey; |
116
|
|
|
|
|
|
|
} |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
sub user_agent { |
119
|
0
|
|
|
0
|
0
|
0
|
my ( $self ) = @_; |
120
|
0
|
0
|
|
|
|
0
|
unless ( defined( $self->{user_agent} ) ){ |
121
|
0
|
|
|
|
|
0
|
$self->{user_agent} = LWP::UserAgent->new(); |
122
|
|
|
|
|
|
|
} |
123
|
0
|
|
|
|
|
0
|
return $self->{user_agent}; |
124
|
|
|
|
|
|
|
} |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
sub _signature_keys { |
127
|
6
|
|
|
6
|
|
16
|
my ( $self, $message ) = @_; |
128
|
6
|
|
|
|
|
10
|
my @keys = qw/Message MessageId/; |
129
|
|
|
|
|
|
|
|
130
|
6
|
100
|
66
|
|
|
36
|
if ( $message->{Type} && $message->{Type} =~ m/\A(?:Subscription|Unsubscribe)Confirmation\z/ ){ |
131
|
2
|
|
|
|
|
4
|
push @keys, qw/SubscribeURL Timestamp Token/; |
132
|
|
|
|
|
|
|
} |
133
|
|
|
|
|
|
|
else { |
134
|
4
|
100
|
|
|
|
9
|
push @keys, ( defined ( $message->{Subject} ) ? qw/Subject Timestamp/ : 'Timestamp' ); |
135
|
|
|
|
|
|
|
} |
136
|
|
|
|
|
|
|
|
137
|
6
|
|
|
|
|
29
|
return @keys, qw/TopicArn Type/; |
138
|
|
|
|
|
|
|
} |
139
|
|
|
|
|
|
|
|
140
|
|
|
|
|
|
|
1; |