From 31da66c1244d6a36daaf3d2394037910df7ddccc Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Fri, 22 Sep 2023 13:21:00 -0700 Subject: [PATCH] Fix webhooks signature This commit fixes the way webhooks signatures are created. Before this change, the signature of an empty body was prepended by the body itself. --- authority/provisioner/webhook.go | 4 +++- authority/provisioner/webhook_test.go | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/authority/provisioner/webhook.go b/authority/provisioner/webhook.go index 407b84d83..4b517bb6f 100644 --- a/authority/provisioner/webhook.go +++ b/authority/provisioner/webhook.go @@ -173,7 +173,9 @@ retry: if err != nil { return nil, err } - sig := hmac.New(sha256.New, secret).Sum(reqBytes) + h := hmac.New(sha256.New, secret) + h.Write(reqBytes) + sig := h.Sum(nil) req.Header.Set("X-Smallstep-Signature", hex.EncodeToString(sig)) req.Header.Set("X-Smallstep-Webhook-ID", w.ID) diff --git a/authority/provisioner/webhook_test.go b/authority/provisioner/webhook_test.go index 656d75d86..9a2b62f07 100644 --- a/authority/provisioner/webhook_test.go +++ b/authority/provisioner/webhook_test.go @@ -482,7 +482,9 @@ func TestWebhook_Do(t *testing.T) { secret, err := base64.StdEncoding.DecodeString(tc.webhook.Secret) assert.FatalError(t, err) - mac := hmac.New(sha256.New, secret).Sum(body) + h := hmac.New(sha256.New, secret) + h.Write(body) + mac := h.Sum(nil) assert.True(t, hmac.Equal(sig, mac)) switch {