Updated on 2023-03-01 GMT+08:00

Message Signature Verification

Scenarios

To ensure message security, SMN provides signature authentication for HTTP/HTTPS subscription confirmation messages, subscription cancellation messages, and notification messages. After you receive HTTP/HTTPS messages, check them based on the signatures.

Procedure

After receiving an HTTP/HTTPS message, check it with the following procedure:

  1. Verify the key-value pairs (which vary depending on the message type) contained in the message signature. For details, see Signature Strings for Different Message Types.
  2. Download the X509 certificate from the certificate URL (signing_cert_url) contained in the message.

    The request to download the certificate is always sent over HTTPS. When you download a certificate, verify the identity of the certificate server.

  3. Extract the public key from the X509 certificate for verifying the message reliability and integrity.
  4. Determine which method will be used to verify the signature based on the message type (the type field in the message).
  5. Create signature strings. Obtain the signature parameters from the message and sort them in alphabetical order. Each parameter occupies a line, with its value following in the next line.

Signature Strings for Different Message Types

  1. Notification messages
    • A notification message signature must contain the following parameters (If the value of subject is empty, do not include it in the signature):
      message
      message_id
      subject
      timestamp
      topic_urn
      type
    • For example, the signature information for a notification message is as follows:
      message
      My test message
      message_id
      88c726942175432bac921eafd0036163
      subject
      demo
      timestamp
      2016-08-15T07:29:16Z
      topic_urn
      urn:smn:regionId:74dc9e44d0cc4573adfce91cdfdd3ba9:xxxx
      type
      Notification

      Each parameter occupies a line, with its value following in the next line.

  2. Subscription confirmation and subscription cancellation messages
    • A subscription confirmation or subscription cancellation message signature must contain the following parameters:
      message
      message_id
      subscribe_url
      timestamp
      topic_urn
      type
    • For example, the signature information for a subscription confirmation message is as follows:
      message
      You are invited to subscribe to topic: urn:smn:regionId:d91989905b8449b896f3a4f0ad57222d:demo. To confirm this subscription, please visit the following SubscribeURL in this message.
      message_id
      def5c309cbff44d5a870787ed937edf8
      subscribe_url
      https://IP address/smn/subscription/confirm?Region ID&Token&Topic URN:demo
      timestamp
      2016-08-15T07:29:16Z
      topic_urn
      urn:smn:regionId:d91989905b8449b896f3a4f0ad57222d:demo
      type
      SubscriptionConfirmation

      Each parameter occupies a line, with its value following in the next line.