I use AWS SDK for Java 2.x, dependency software.amazon.awssdk:sns.
I receive messages from an SNS topic via HTTP. I'm wondering if there are any official or non-official but well-supported libraries that can do verification of the signature.
I've implemented verification using code snippets from https://docs.aws.amazon.com/sns/latest/dg/sns-example-code-endpoint-java-servlet.html, but perhaps a better solution exists:
    public void verifySignature(SnsMessage message) {
        String signatureVersion = message.getSignatureVersion();
        // Constant-first comparison: a missing SignatureVersion falls through to the
        // rejection branch instead of raising a NullPointerException.
        if ("1".equals(signatureVersion)) {
            // Check the signature and throw an exception if the signature verification fails.
            if (isMessageSignatureVersion1Valid(message)) {
                log.info("Signature verification succeeded");
            } else {
                log.info("Signature verification failed");
                throw new SecurityException("Signature verification failed.");
            }
        } else {
            // Any other version is rejected rather than accepted unverified.
            log.info("Unexpected signature version. Unable to verify signature.");
            throw new SecurityException("Unexpected signature version. Unable to verify signature.");
        }
    }
At the time of writing (August 2021) AWS SDK for Java 2.x doesn't yet support all the features of AWS SDK for Java 1.x. But fortunately, you can use them side-by-side. Quote from the official documentation:
You can use both versions of the AWS SDK for Java in your projects.
And in 1.x you have SnsMessageManager that apparently does the job:
    public class SnsMessageManager extends Object
Unmarshalls an SNS message and validates it using the SNS public certificate.