Closed jezzsantos closed 7 years ago
Specification is here: https://pubsubhubbub.github.io/PubSubHubbub/pubsubhubbub-core-0.4.html#authednotify
If the subscriber supplied a value for hub.secret in their subscription request, the hub MUST generate an HMAC signature of the payload and include that signature in the request headers of the content distribution request. The X-Hub-Signature header's value MUST be in the form sha1=signature where signature is a 40-byte, hexadecimal representation of a SHA1 signature [RFC3174]. The signature MUST be computed using the HMAC algorithm [RFC2104] with the request body as the data and the hub.secret as the key.
Does anyone know how to do this properly?
Obviously, we would need end-to-end tests to verify we got it right (i.e. creating the hash in EventServiceClient, and then verifying the hash on the subscriber's end).
Seems like ServiceStack does have this kind of code that may help:
// bodyBytes: the exact serialized request body that will be written to the wire
var hmac = HmacUtils.CreateHashAlgorithm(Encoding.UTF8.GetBytes(secret));
// hex-encode the raw digest; Encoding.GetString on hash bytes produces garbage, not "sha1=..." hex
var hash = BitConverter.ToString(hmac.ComputeHash(bodyBytes)).Replace("-", "").ToLowerInvariant();
But I doubt very much it is that simple.
Clues here: http://stackoverflow.com/a/13857878
We are going to need to complete the implementation at: https://github.com/jezzsantos/ServiceStack.Webhooks/blob/master/src/Webhooks.Relays/Clients/EventServiceClient.cs#L136
We are going to need to provide a HmacAuthProvider of our own that is an IAuthWithRequest that PreAuthenticates the request if it contains the X-Hub-Signature header.
This provider must allow the developer to hardcode the secret or read it from IAppSettings.
Then developers who subscribe to webhooks can simply use this in their AuthFeature configuration.
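As an added illustration of the spec text quoted at the top of this issue and of the verification the proposed HmacAuthProvider would have to do, here is a small stand-alone C# program (example code written for this discussion, not code from ServiceStack or ServiceStack.Webhooks) that implements both sides of PubSubHubbub 0.4 authenticated content distribution: the hub computes sha1=<40 hex chars> as HMAC-SHA1 over the exact body bytes with hub.secret as the key, and the subscriber parses the header, recomputes the digest over the bytes it received, and compares in fixed time so a tampered body or a guessed header fails without leaking timing information. The secret, payload and class name HubSignature are constructed for the example; the fixed-time comparison is hand-rolled because CryptographicOperations.FixedTimeEquals is not available on the .NET Framework versions ServiceStack 4.5.x targets.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not project code: PubSubHubbub 0.4 "Authenticated Content Distribution".
public static class HubSignature
{
    private const string Prefix = "sha1=";
    private const int Sha1HexLength = 40;

    // Hub/relay side: value to place in the X-Hub-Signature header.
    // 'body' must be the exact bytes that are then written to the request stream;
    // re-serializing the DTO after signing can change whitespace and break the signature.
    public static string Compute(byte[] body, string secret)
    {
        using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(secret)))
        {
            var digest = hmac.ComputeHash(body);
            return Prefix + BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Subscriber side: true only if the header is well-formed and matches the received bytes.
    public static bool Verify(string headerValue, byte[] body, string secret)
    {
        if (string.IsNullOrEmpty(headerValue) ||
            !headerValue.StartsWith(Prefix, StringComparison.Ordinal))
            return false;

        var hex = headerValue.Substring(Prefix.Length);
        if (hex.Length != Sha1HexLength)
            return false;

        byte[] presented;
        try { presented = HexToBytes(hex); }
        catch (FormatException) { return false; }

        byte[] expected;
        using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(secret)))
            expected = hmac.ComputeHash(body);

        return FixedTimeEquals(presented, expected);
    }

    private static byte[] HexToBytes(string hex)
    {
        var bytes = new byte[hex.Length / 2];
        for (var i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return bytes;
    }

    // Constant-time comparison: never short-circuits on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample secret and event payload for the demonstration.
        const string secret = "hub-secret-from-subscription-request";
        var body = Encoding.UTF8.GetBytes("{\"EventName\":\"customer.created\",\"Id\":\"123\"}");

        var header = Compute(body, secret);
        Console.WriteLine("X-Hub-Signature: " + header);

        Console.WriteLine("original body verifies: " + Verify(header, body, secret));

        var tampered = Encoding.UTF8.GetBytes("{\"EventName\":\"customer.created\",\"Id\":\"124\"}");
        Console.WriteLine("tampered body verifies: " + Verify(header, tampered, secret));

        Console.WriteLine("malformed header verifies: " + Verify("sha1=deadbeef", body, secret));
        Console.WriteLine("wrong secret verifies: " + Verify(header, body, "other-secret"));
    }
}
```

On the ServiceStack side the provider should feed Verify with the raw request body bytes as received, not a DTO that has been deserialized and re-serialized, since any byte-level difference (key ordering, whitespace, encoding) produces a different digest. Note also that the spec text quoted above signs the request body only, with no headers or URL included.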
Got this spiked in 793ba1f47ba0f544ae74f15d88c1110017bc43ec.
Latest is 72e1a4629dda8b4adcf8b52a362c85eb9ee8720a containing integration tests and subscriber validation methods.
The current branch is using ServiceStack pre-release version 4.5.7, so we need to wait for a new version of SS before we can merge this branch over (i.e. can release Webhooks on a pre-release version of SS).
I've updated the docs here: https://github.com/jezzsantos/ServiceStack.Webhooks/wiki/Subscriber-Security
We have not yet completed the implementation of HMAC authenticity for subscriptions that pass a secret key.
We need the HMAC signature to be calculated over the whole request and set in the request headers, in: https://github.com/jezzsantos/ServiceStack.Webhooks/blob/master/src/Webhooks.Relays/Clients/EventServiceClient.cs#L135
If there is no support for creating the signature in ServiceStack, then we could look to BouncyCastle or some other library to do that for us.