Validate signatures from WaaS API #136

BellringerQuinn · 2024-08-19T13:59:07Z

The WaaS API now includes a response signature in the headers of its responses. The SDK should validate the responses match their signature. If the signature and responses don't match, we should throw an error and stop sending messages to the API (as our messages are likely being intercepted); we especially shouldn't send a RegisterSession request unless we got a valid signature back from our initiateAuth request. This helps protect against MITM attacks

Full context and explanation here: 0xsequence/waas-authenticator#49

One correction to the docs above:
Signatue Base should have the sig= removed from signature-input
So, for example, if you have these as headers:

Content-Digest: sha-256=:+JRUXNJDP056+ARGKwOqN9H0Fg/ug+cZWq0+jUs1Ifk=:
Signature-Input: sig=("content-digest");created=1723568257;keyid="9LkLZyHdNq1N2aeHMlC5jw";alg="rsa-v1_5-sha256"

You should use the following as signature base:

"content-digest": sha-256=:+JRUXNJDP056+ARGKwOqN9H0Fg/ug+cZWq0+jUs1Ifk=:
"@signature-params": ("content-digest");created=1723568511;keyid="9LkLZyHdNq1N2aeHMlC5jw";alg="rsa-v1_5-sha256"

Unity Implementation: 0xsequence/sequence-unity#164

The text was updated successfully, but these errors were encountered:

BellringerQuinn assigned caballoninja Aug 27, 2024

colezemind linked a pull request Oct 28, 2024 that will close this issue

First Commit for validation #187

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Validate signatures from WaaS API #136

Validate signatures from WaaS API #136

BellringerQuinn commented Aug 19, 2024

Validate signatures from WaaS API #136

Validate signatures from WaaS API #136

Comments

BellringerQuinn commented Aug 19, 2024