Verify AWS SNS message's integrity using dynamically loaded SNS X509 certificate
‎09-16-2024 03:36 AM
We came across a scenario where we need to verify the integrity of the AWS SNS messages in an HTTP API at a ServiceNow app. When I say integrity of the message, I am particularly talking about verifying whether the messages are coming from AWS SNS only and from a particular topic only. Below is the message format from AWS SNS. It holds "Signature" and "SignatureCertUrl". SignatureCertUrl is the URL of the X509 PEM certificate file which holds the public key to verify the message.
This AWS article explains how we verify the messages - https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html
I tried to simplify the above article using the diagrams below to make our discussion simple. The first step is to download the certificate if the URL changed in the incoming messages or the cert is not already cached.
Then, verify the message by decrypting the Signature in the message using the public key in the cached/downloaded PEM file. Compare the SHA from the signature and the SHA generated from the message to verify the integrity of the message.
GlideScriptable - CertificateEncryption.verifySignature is the closest that I can use to verify the signature using a certificate with a public key. However, the challenge is I will not be able to use it unless I add the certificate in the sys_certificate table. But here the certificates need to be added dynamically on receipt of SNS messages. I understood I won't be able to do it with app scope. Even if it is allowed, I don't know if it is acceptable (for security reasons) to add certificates from SNS messages dynamically in the sys_certificate table.
I am looking for help here. I am hoping ServiceNow crypto modules can help here. But I am not finding a way to add a crypto module dynamically using script when a new cert URL is found in the incoming SNS messages.
Question:
- Can I create crypto modules (with signature verification as the purpose) using script? When I say using script, I mean: create a crypto module with the PEM content as the certificate, verify the signature, and delete the module if the message validation fails.
- Is there any other way that signatures can be verified? I found a way using JavaScript code here. But it needs the "crypto" node module, which is not available in ServiceNow Script Includes.
Labels: Security Operations