Signed webhook verification fails

Question

Signed webhook verification fails

simopot opened this issue 3 years ago · 3 comments

Issue Summary

EventWebhook.convert_public_key_to_ecdsa doesn't seem to be compatible with the version 2.0.0 of starkbank-ecdsa released a couple of days ago. Installing the older starkbank-ecdsa==1.0.0 fixes the issue.

Steps to Reproduce

Call convert_public_key_to_ecdsa with a valid public key
or
Run tests in test/test_eventwebhook.py

Code Snippet

from sendgrid.helpers.eventwebhook import EventWebhook
PUBLIC_KEY = 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE83T4O/n84iotIvIW4mdBgQ/7dAfSmpqIM8kF9mN1flpVKS3GRqe62gw+2fNNRaINXvVpiglSI8eNEc6wEA3F+g=='
ew = EventWebhook()
ew.convert_public_key_to_ecdsa(PUBLIC_KEY)

Exception/Log

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/xxx/sendgrid-python/sendgrid/helpers/eventwebhook/__init__.py", line 30, in convert_public_key_to_ecdsa
    return PublicKey.fromPem(public_key)
  File "/usr/local/lib/python3.9/site-packages/ellipticcurve/publicKey.py", line 39, in fromPem
    publicKeyPem = getPemContent(pem=string, template=_pemTemplate)
  File "/usr/local/lib/python3.9/site-packages/ellipticcurve/utils/pem.py", line 6, in getPemContent
    return search("".join(pattern.splitlines()), "".join(pem.splitlines())).group(1)
AttributeError: 'NoneType' object has no attribute 'group'

Technical details:

Tried with

sendgrid-python version: 6.8.2
python version: 3.9.5

and

sendgrid-python version: 6.7.1
python version: 3.6.13

Answer 1 · 2021-10-11T17:45:10.000Z

This is a pretty big issue for the team I'm working on as we cannot push any code updates since this library is broken.

A quick fix would be to update setup.py from

def getRequires():
    deps = [
        'python_http_client>=3.2.1',
        'starkbank-ecdsa>=1.0.0'
    ]
    return deps

to

def getRequires():
    deps = [
        'python_http_client>=3.2.1',
        'starkbank-ecdsa>=1.0.0,<2.0'
    ]
    return deps

Answer 2 · 2021-10-12T12:07:58.000Z

@eshanholtz when can we expect a new release with this Fix to be pushed to PyPI? I'm really quite stuck until this happens because my CI/CD system fails without this fix.

Answer 3 · 2021-10-12T16:08:59.000Z

Hi @amcquistan! This fix should be included in our next release on 10/18/21.