
Verifying an ECDSA digital signature

We have a proxy that needs to be secured by an ECDSA digital signature. Are there any policies that can verify the signature using a public key? Or, will we need to verify this in Java, Python, or other code?

Here's the security guidance. 

Security: Digital Signature
Type: Public/Private Key
Header: The x-webhook-signature header includes a digital signature header signed by the webhook provider
Digital Signature Algorithm: Elliptical Curve Digital Signature Algorithm
Hash: SHA256
Header Example: x-webhook-signature:86-6D-59-BE-8A-...E9-B0-49-F6-39-95
Example cURL:

  curl -X POST \
    https://xyz.com/endpoint1 \
    -H 'Accept: */*' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'Content-Type: application/json' \
    -H 'x-webhook-signature: 86-6D-59-BE-8A-E9-B0-49-F6-39-9' \
    -d '{"application":"data"}'

1 ACCEPTED SOLUTION

The reason I asked for test vectors is ... I thought I might be able to put something together for you.  And this is what I did:

https://github.com/DinoChiesa/Apigee-CustomPolicy-EcdsaSig

It's pretty simple. Signs or verifies, depending on your configuration.  Check the README for further information. 
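
The check the question describes, written as a stand-alone Java program; this is an added example, not code from the linked repository or from Apigee. The curve (P-256), the signature encoding, the use of the raw request body as the signed message, and the class and method names are assumptions, since the guidance in the question does not state them.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

public class WebhookSignatureCheck {
    // Parse "86-6D-59-..." (hex bytes joined by dashes); null on anything malformed.
    static byte[] parseHeader(String header) {
        if (header == null || header.isEmpty()) return null;
        String[] parts = header.trim().split("-", -1);
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) {
            if (!parts[i].matches("[0-9A-Fa-f]{2}")) return null;
            out[i] = (byte) Integer.parseInt(parts[i], 16);
        }
        return out;
    }

    // algorithm: "SHA256withECDSA" expects an ASN.1 DER signature;
    // "SHA256withECDSAinP1363Format" (Java 9+) expects raw r||s. Confirm with the provider.
    static boolean verify(PublicKey key, byte[] rawBody, String header, String algorithm) {
        byte[] sig = parseHeader(header);
        if (sig == null) return false;
        try {
            Signature v = Signature.getInstance(algorithm);
            v.initVerify(key);
            v.update(rawBody); // exact bytes as received, before any JSON re-serialization
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature bytes or unusable key: reject
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test data: a throwaway key pair stands in for the provider's key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // assumed curve
        KeyPair kp = kpg.generateKeyPair();
        String alg = "SHA256withECDSA";
        byte[] body = "{\"application\":\"data\"}".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance(alg);
        s.initSign(kp.getPrivate());
        s.update(body);
        StringBuilder hdr = new StringBuilder();
        for (byte b : s.sign()) hdr.append(hdr.length() > 0 ? "-" : "").append(String.format("%02X", b));
        byte[] tampered = "{\"application\":\"DATA\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println("valid body:    " + verify(kp.getPublic(), body, hdr.toString(), alg));
        System.out.println("tampered body: " + verify(kp.getPublic(), tampered, hdr.toString(), alg));
        // Truncated header value from the cURL example in the question: fails parsing.
        System.out.println("truncated sig: " + verify(kp.getPublic(), body, "86-6D-59-BE-8A-E9-B0-49-F6-39-9", alg));
    }
}
```

In a real deployment the public key would be loaded from the provider's published key material rather than generated, and any failure path should reject the request.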


14 REPLIES 14