feat(notification/webhook): switches to using SignASN1 on keyring ins…

…tead of internal signing mechanism allows for greater compatibility with external libraries/languages and reduces cryptographic attack surface
target · Dec 26, 2024 · 2348db7 · 2348db7
1 parent dff69a4
commit 2348db7
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 9 deletions.
diff --git a/notification/webhook/sender.go b/notification/webhook/sender.go
@@ -161,11 +161,11 @@ func (s *Sender) SendMessage(ctx context.Context, msg notification.Message) (*no
 		return nil, err
 	}
 
-	signature, err := s.signingKeyring.Sign(data)
-	signatureBase64 := base64.StdEncoding.EncodeToString(signature)
+	signature, err := s.signingKeyring.SignASN1(data)
 	if err != nil {
 		return nil, err
 	}
+	signatureBase64 := base64.StdEncoding.EncodeToString(signature)
 
 	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
 	defer cancel()

diff --git a/test/smoke/webhook_signing_test.go b/test/smoke/webhook_signing_test.go
@@ -1,12 +1,16 @@
 package smoke
 
 import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/sha512"
 	"encoding/base64"
 	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/target/goalert/test/smoke/harness"
@@ -70,15 +74,28 @@ func TestWebhookSigning(t *testing.T) {
 	h := harness.NewHarness(t, sql, "webhook-user-contact-method-type")
 	defer h.Close()
 
-	alert := <-ch
+	timeout, cancellation := context.WithTimeout(context.Background(), 10*time.Second)
 
-	// convert alert.Signature from base64 to byte slice
-	signatureBytes, err := base64.StdEncoding.DecodeString(alert.Signature)
-	require.NoError(t, err)
+	select {
+	case alert := <-ch:
+		cancellation()
+		// convert alert.Signature from base64 to byte slice
+		signatureBytes, err := base64.StdEncoding.DecodeString(alert.Signature)
+		require.NoError(t, err)
 
-	valid, _ := h.App().WebhookKeyring.Verify(alert.Body, signatureBytes)
+		key, err := h.App().WebhookKeyring.CurrentPublicKey()
+		require.NoError(t, err)
 
-	if !assert.True(t, valid, "webhook signature invalid") {
-		return
+		// given a public key, this is how you'd validate the signature is valid
+		sum := sha512.Sum512_224(alert.Body)
+		valid := ecdsa.VerifyASN1(key, sum[:], signatureBytes)
+
+		if !assert.True(t, valid, "webhook signature invalid") {
+			return
+		}
+	case <-timeout.Done():
+		cancellation()
+		assert.Fail(t, "webhook timeout")
 	}
+
 }