A great feature of Amazon’s Simple Notification Service (SNS) is that it signs each notification, so your application can verify the signature before trusting any of the data inside it. Of particular interest to us is an Amazon SES option that sends complaint, hard bounce, and soft bounce messages via SNS rather than by email. This lets us parse that feedback easily and act on it, without painfully dissecting a bounce email to determine the cause.
Instead of using a shared secret, Amazon signs the notification with its private key and includes in each notification a URL from which the X.509 certificate can be fetched. The overall concept is similar to verifying an HMAC signature, except that it relies on a public key infrastructure rather than a shared secret.
Unfortunately, extracting the public key from an X.509 certificate turned out to be harder than we initially expected (at least in Python, which our notification receiver is written in). Granted, we could have called openssl via the subprocess module, but ideally we did not want to run an external program just to verify the signature.
After several attempts with third-party libraries, including pyOpenSSL (which had too many issues with our version of OpenSSL), I decided to try M2Crypto. M2Crypto can easily digest an X.509 certificate and extract the public key, but the actual verification step still eluded me. Some trial and error and searching later, I discovered Arthur Rodrigues’ Verifying X509 Signature in Python, which closed the last gap and allowed us to verify the signatures successfully.
See the link above for the proper verification process.