cannot decrypt the webhook signature to authenticate events via the python helper

Question

cannot decrypt the webhook signature to authenticate events via the python helper

SOC-DDER opened this issue 3 years ago · 4 comments

Issue Summary

We are having an issue with the Sendgrid Event Security signature decryption tool to verify that incoming events to our webhook are coming from Sendgrid service. The following code example should follow the example shown in the documentation by implementing the Pytohn webhook helper library, but does not succeed due to encryption/decryption.
Recommended by SendGrid Tech Support to post a github issue based on support request #7439941

Steps to Reproduce

See python code snippet below:

Code Snippet

>>> public_key = "__redacted__"
>>> webhook_signature = "OnZ4emh***"
>>> webhook_timestamp = "16382***"
>>> body = [
{
"asm_group_id": "__redacted__”,
"category": [
"Internal"
],
"email": "__redacted__",
"event": "open",
"ip": ""__redacted__",
"mc_stats": "singlesend",
"phase_id": "send",
"send_at": "1637097***",
"sg_content_type": "html",
"sg_event_id": "dJ-1sxW7SgyOw5IEH***",
"sg_machine_open": true,
"sg_message_id": "Urv8-pmtRJ69EOmrJpAEaA.filterdrecv-can***",
"sg_template_id": "d-fb340e1905e44cd49c63a40ce793***",
"sg_template_name": "Version 2021-11-16T21:20:35.627Z",
"singlesend_id": "0a65e76a-4723-11ec-b6ea-9a***",
"singlesend_name": "__redacted__",
"template_hash": "107c25a9518cb1f9210c32c54de43757***",
"template_id": "d-fb340e1905e44cd49c63a4***",
"template_version_id": "e8943ccb-c4c8-4615-98ea-b6bff30***",
"timestamp": 1638266***,
"useragent": "Mozilla/5.0"
}
]
>>> payload = json.dumps(body["detail"]["body"])
>>> event_webhook = EventWebhook(public_key)
>>> ec_public_key = event_webhook.convert_public_key_to_ecdsa(public_key)
>>> event_webhook.verify_signature(
payload,
webhook_signature,
webhook_timestamp,
public_key
)
Traceback (most recent call last):
File ".../PycharmProjects/so_helpers/venv/lib/python3.9/site-packages/IPython/core/interactiveshell.py", line 3441, in run_code
exec(code_obj, self.user_global_ns, self.user_ns)
File "<ipython-input-33-ad7172d88110>", line 1, in <module>
event_webhook.verify_signature(payload, webhook_signature, webhook_timestamp, public_key)
File ".../PycharmProjects/so_helpers/venv/lib/python3.9/site-packages/sendgrid/helpers/eventwebhook/__init__.py", line 47, in verify_signature
decoded_signature = Signature.fromBase64(signature)
File ".../PycharmProjects/so_helpers/venv/lib/python3.9/site-packages/ellipticcurve/signature.py", line 44, in fromBase64
der = Base64.decode(string)
File ".../PycharmProjects/so_helpers/venv/lib/python3.9/site-packages/ellipticcurve/utils/base.py", line 8, in decode
return b64decode(string)
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/base64.py", line 87, in b64decode
return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

Exception/Log

Traceback (most recent call last):
File ".../PycharmProjects/so_helpers/venv/lib/python3.9/site-packages/IPython/core/interactiveshell.py", line 3441, in run_code
exec(code_obj, self.user_global_ns, self.user_ns)
File "<ipython-input-33-ad7172d88110>", line 1, in <module>
event_webhook.verify_signature(payload, webhook_signature, webhook_timestamp, public_key)
File ".../PycharmProjects/so_helpers/venv/lib/python3.9/site-packages/sendgrid/helpers/eventwebhook/__init__.py", line 47, in verify_signature
decoded_signature = Signature.fromBase64(signature)
File ".../PycharmProjects/so_helpers/venv/lib/python3.9/site-packages/ellipticcurve/signature.py", line 44, in fromBase64
der = Base64.decode(string)
File ".../PycharmProjects/so_helpers/venv/lib/python3.9/site-packages/ellipticcurve/utils/base.py", line 8, in decode
return b64decode(string)
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/base64.py", line 87, in b64decode
return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

Technical details:

sendgrid-python version: 6.8.1
python version: 3.9.4

Answer 1 · 2021-12-01T23:11:36.000Z

How are you getting the value for webhook_signature?

Answer 2 · 2022-01-12T14:30:24.000Z

I'm having the same issue with Python 3.8.9 and ecdsa==0.17.0, sendgrid==6.9.2. Any news about what is causing this and if there is an expected fix?

We are able to run the Unittest provided on github with no issu. But when we try to validate the actual webhook event sent containing the signature, timestamp and payload, the validation fails. I tried to add the trailing carriage return and newline "\r\n" to the payload but with no luck.

Answer 3 · 2022-02-18T17:34:51.000Z

@marceloaba Sounds like a different issue. Could you provide more details/code samples on how to recreate the issue?

Answer 4 · 2022-03-21T22:04:09.000Z

Closing due to inactivity. Please re-open this issue or open a new GitHub issue if you still need help.