/**
  * Validates a message from SNS to ensure that it was delivered by AWS
  *
  * @param Message $message The message to validate
  *
  * @throws CannotGetPublicKeyFromCertificateException If the certificate cannot be retrieved
  * @throws CertificateFromUnrecognizedSourceException If the certificate's source cannot be verified
  * @throws InvalidMessageSignatureException           If the message's signature is invalid
  */
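 public function validate(Message $message)
 {
     // Resolve the certificate location named by the message itself. The
     // SigningCertURL field is part of the untrusted payload, so validateUrl()
     // (defined outside this listing) has to reject anything that is not an
     // expected AWS certificate location before any request is made.
     $certUrl = Url::factory($message->get('SigningCertURL'));
     $this->validateUrl($certUrl);

     // Download the certificate and extract the public key it carries.
     $certificate = $this->client->get((string) $certUrl)->send()->getBody();
     $publicKey = openssl_get_publickey($certificate);
     if (!$publicKey) {
         throw new CannotGetPublicKeyFromCertificateException();
     }

     // Rebuild the canonical string and decode the signature sent with it.
     $stringToSign = $message->getStringToSign();
     $incomingSignature = base64_decode($message->get('Signature'));

     // openssl_verify() returns 1 for a valid signature, 0 for an invalid one
     // and -1 (or false) when verification itself fails. A bare negation
     // treats -1 as "valid" because it is truthy, so only an exact 1 is
     // accepted here; every other result is rejected.
     // NOTE(review): the digest is fixed to SHA1. SNS messages sent with
     // SignatureVersion 2 are signed with SHA256 and would be rejected here;
     // confirm which signature versions this validator must accept.
     $verification = openssl_verify($stringToSign, $incomingSignature, $publicKey, OPENSSL_ALGO_SHA1);
     if ($verification !== 1) {
         throw new InvalidMessageSignatureException();
     }
 }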
Ejemplo n.º 2
 /**
  * Validates a message from SNS to ensure that it was delivered by AWS
  *
  * @param Message $message The message to validate
  *
  * @throws MessageValidatorException If the certificate cannot be
  *     retrieved, if the certificate's source cannot be verified, or if the
  *     message's signature is invalid.
  */
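 public function validate(Message $message)
 {
     // The certificate URL comes from the untrusted message body, so it is
     // checked by validateUrl() (defined outside this listing) before the
     // certificate is requested.
     $certUrl = Url::fromString($message->get('SigningCertURL'));
     $this->validateUrl($certUrl);

     // Download the certificate and extract the public key it carries.
     $certificate = $this->client->get((string) $certUrl)->getBody();
     $key = openssl_get_publickey($certificate);
     if (!$key) {
         throw new MessageValidatorException('Cannot get the public key from the certificate.');
     }

     // Rebuild the canonical string and decode the signature sent with it.
     $content = $message->getStringToSign();
     $signature = base64_decode($message->get('Signature'));

     // openssl_verify() returns 1 for a valid signature, 0 for an invalid one
     // and -1 (or false) when verification itself fails. Negating the result
     // would let -1 through as "valid" because it is truthy, so the result is
     // compared against 1 exactly and anything else is rejected.
     // NOTE(review): the digest is fixed to SHA1. SNS messages sent with
     // SignatureVersion 2 are signed with SHA256 and would be rejected here;
     // confirm which signature versions this validator must accept.
     if (openssl_verify($content, $signature, $key, OPENSSL_ALGO_SHA1) !== 1) {
         throw new MessageValidatorException('The message signature is invalid.');
     }
 }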
Ejemplo n.º 3
 /**
  * @dataProvider getDataForStringToSignTest
  */
 public function testBuildsStringToSignCorrectly(array $messageData, $expectedSubject, $expectedStringToSign)
 {
     // Wrap the provider's raw fields the same way an incoming notification
     // would be wrapped before validation.
     $fields = new Collection($messageData);
     $snsMessage = new Message($fields);

     // The Subject field must be readable back unchanged.
     $actualSubject = $snsMessage->get('Subject');
     $this->assertEquals($expectedSubject, $actualSubject);

     // The canonical string is what the signature check runs over, so it must
     // match the expected value for this data set.
     $actualStringToSign = $snsMessage->getStringToSign();
     $this->assertEquals($expectedStringToSign, $actualStringToSign);
 }