Add SHA256 Verification to SNS (#2743)

parkerram · Parker Ram · web-flow · commit 842b8aeffd37 · 2022-08-22T11:08:23.000-04:00
* Add SHA256 Verification to SNS

* Adding to SNS unit tests

Co-authored-by: Parker Ram &lt;rmprke@amazon.com&gt;
diff --git a/gems/aws-sdk-sns/CHANGELOG.md b/gems/aws-sdk-sns/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Feature - Adding SHA256 message verification
+
 1.53.0 (2022-02-24)
 ------------------
 
diff --git a/gems/aws-sdk-sns/lib/aws-sdk-sns/message_verifier.rb b/gems/aws-sdk-sns/lib/aws-sdk-sns/message_verifier.rb
@@ -65,11 +65,15 @@ def authentic?(message_body)
       def authenticate!(message_body)
         msg = Json.load(message_body)
         msg = convert_lambda_msg(msg) if is_from_lambda(msg)
-        if public_key(msg).verify(sha1, signature(msg), canonical_string(msg))
-          true
+
+        case msg['SignatureVersion']
+        when '1'
+          verify!(msg, sha1)
+        when '2'
+          verify!(msg, sha256)
         else
-          msg = 'the authenticity of the message cannot be verified'
-          raise VerificationError, msg
+          error_msg = 'Invalid SignatureVersion'
+          raise VerificationError, error_msg
         end
       end
 
@@ -88,10 +92,23 @@ def convert_lambda_msg(message)
         message
       end
 
+      def verify!(msg, hash_alg)
+        if public_key(msg).verify(hash_alg, signature(msg), canonical_string(msg))
+          true
+        else
+          msg = 'the authenticity of the message cannot be verified'
+          raise VerificationError, msg
+        end
+      end
+
       def sha1
         OpenSSL::Digest::SHA1.new
       end
 
+      def sha256
+        OpenSSL::Digest::SHA256.new
+      end
+
       def signature(message)
         Base64.decode64(message['Signature'])
       end
diff --git a/gems/aws-sdk-sns/spec/message_verifier_spec.rb b/gems/aws-sdk-sns/spec/message_verifier_spec.rb
@@ -7,67 +7,85 @@ module SNS
     describe MessageVerifier do
 
       let(:signing_cert_url) {
-        "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem"
+        "https://sns.us-east-2.amazonaws.com/SimpleNotificationService-7ff5318490ec183fbaddaa2a969abfda.pem"
       }
 
-      let(:message) { <<-JSON.strip }
+      let(:message_SHA1) { <<-JSON.strip }
 {
   "Type" : "Notification",
-  "MessageId" : "5b324425-3d5e-4fdf-a3f6-f46b8f93df79",
-  "TopicArn" : "arn:aws:sns:eu-west-1:382739154790:for_justeat_aws_specs",
-  "Subject" : "sdfghdsfg",
-  "Message" : "dfgdsfg",
-  "Timestamp" : "2012-04-30T11:07:54.008Z",
+  "MessageId" : "792cda85-518f-5dd3-9163-81d851212f3a",
+  "TopicArn" : "arn:aws:sns:us-east-2:295079676684:publish-and-verify-892f85fe-4836-424d-8188-ab85bef0f362",
+  "Message" : "Hello world",
+  "Timestamp" : "2022-07-28T21:23:58.317Z",
   "SignatureVersion" : "1",
-  "Signature" : "CTbst0fA37gbKnC0fiWK6HB0nQOr767MSLCJaWb0GyXc7283m1gozU3lRvOBaKP5Cwcj+clhR+rAN1m0Cp6W63oxBEu9n1Z50oyWx/tWtQd2j+MPaes+tNJSGohjHSe5qAqMwvYFYTZkbgFDFoWuVQLQuRj9I53hR1Eo3waHkJQ=",
+  "Signature" : "ghtf+deOBAzHJJZ6s6CdRLfTQAlcGzq9naoFM1wi0CJiq//uVRuZnamrkWNF0fhouMFvuLVRwcz8PZLUMSfnmd5VpdTKpTyiKmy1qJAZXma0w+yi7G+I33hD1Jyk1Nbym2n0kqp3fVu2aoooiN2ZeLAT2bH0/BtjLSfN1yAOKNoprco4qV9gGUZinXJdj9a1YdNhDR2jKi33ldlsVtEXAtiaDklGEk7DgRKX38GerBPiLg3FdtgY6KC7cdeGpU/dGK+4hjc83Ive1HoFkAwqhpgInM2sMytBosoiXfCmOKmU4xeGD0gHDNZTlJUJQDlzw8Eag0H9f/5zXF9d3uy0YQ==",
   "SigningCertURL" : #{signing_cert_url.inspect},
-  "UnsubscribeURL" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:382739154790:for_justeat_aws_specs:674f4ab3-2d1d-4df9-b411-b8a336f0ef7d"
+  "UnsubscribeURL" : "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:295079676684:publish-and-verify-892f85fe-4836-424d-8188-ab85bef0f362:2296bc94-7992-4be1-b15f-b97229b5c1d8"
+}
+      JSON
+
+      let(:message_SHA256) { <<-JSON.strip }
+{
+  "Type" : "Notification",
+  "MessageId" : "17dea24b-55c2-540b-8362-f916557af765",
+  "TopicArn" : "arn:aws:sns:us-east-2:295079676684:publish-and-verify-62674b1d-4295-426b-88e7-5fb75652a04e",
+  "Message" : "Hello world",
+  "Timestamp" : "2022-07-28T21:24:08.324Z",
+  "SignatureVersion" : "2",
+  "Signature" : "CXVqp9PfZAL+4JHS3Zxo1PFbQsvnOjvmYhtIf17TWpwc+iIVas8kZ8GopuzVzVMdatE7rCl/O4P91Zp05Dwz8lk8dLhfp8gSu3Njlzxlyrmzo9x3va3Jb7zFnedgS2GKnZWHGBdwTXho+TosNUE+3e10OMSlwN5XGDwX7+R3WL+rn+AXmFAqp3alg27sYa55h1dLE9cGszGPjScPdtF3BmZsUDMx9wSdNKsCk+vSvE8yBjnCmUl7laSFj3LzPVrlSwgNYCF3kYnNAkah7NplK4SFhJYLwS0HCVCQJKa8rVbQLf9cBTu60U402mrgy0bN8xWoyimzbYbrOMJjalqkUg==",
+  "SigningCertURL" : #{signing_cert_url.inspect},
+  "UnsubscribeURL" : "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:295079676684:publish-and-verify-62674b1d-4295-426b-88e7-5fb75652a04e:ad7d16e3-0a7c-46aa-b23e-ffaf02250cbe"
 }
       JSON
 
       let(:lambda_message) { <<-JSON.strip }
 {
   "Type" : "Notification",
-  "MessageId" : "5b324425-3d5e-4fdf-a3f6-f46b8f93df79",
-  "TopicArn" : "arn:aws:sns:eu-west-1:382739154790:for_justeat_aws_specs",
-  "Subject" : "sdfghdsfg",
-  "Message" : "dfgdsfg",
-  "Timestamp" : "2012-04-30T11:07:54.008Z",
+  "MessageId" : "792cda85-518f-5dd3-9163-81d851212f3a",
+  "TopicArn" : "arn:aws:sns:us-east-2:295079676684:publish-and-verify-892f85fe-4836-424d-8188-ab85bef0f362",
+  "Message" : "Hello world",
+  "Timestamp" : "2022-07-28T21:23:58.317Z",
   "SignatureVersion" : "1",
-  "Signature" : "CTbst0fA37gbKnC0fiWK6HB0nQOr767MSLCJaWb0GyXc7283m1gozU3lRvOBaKP5Cwcj+clhR+rAN1m0Cp6W63oxBEu9n1Z50oyWx/tWtQd2j+MPaes+tNJSGohjHSe5qAqMwvYFYTZkbgFDFoWuVQLQuRj9I53hR1Eo3waHkJQ=",
+  "Signature" : "ghtf+deOBAzHJJZ6s6CdRLfTQAlcGzq9naoFM1wi0CJiq//uVRuZnamrkWNF0fhouMFvuLVRwcz8PZLUMSfnmd5VpdTKpTyiKmy1qJAZXma0w+yi7G+I33hD1Jyk1Nbym2n0kqp3fVu2aoooiN2ZeLAT2bH0/BtjLSfN1yAOKNoprco4qV9gGUZinXJdj9a1YdNhDR2jKi33ldlsVtEXAtiaDklGEk7DgRKX38GerBPiLg3FdtgY6KC7cdeGpU/dGK+4hjc83Ive1HoFkAwqhpgInM2sMytBosoiXfCmOKmU4xeGD0gHDNZTlJUJQDlzw8Eag0H9f/5zXF9d3uy0YQ==",
   "SigningCertUrl" : #{signing_cert_url.inspect},
-  "UnsubscribeUrl" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:382739154790:for_justeat_aws_specs:674f4ab3-2d1d-4df9-b411-b8a336f0ef7d"
+  "UnsubscribeUrl" : "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:295079676684:publish-and-verify-892f85fe-4836-424d-8188-ab85bef0f362:2296bc94-7992-4be1-b15f-b97229b5c1d8"
 }
       JSON
+
       let(:cert) { <<-CERT.strip }
 -----BEGIN CERTIFICATE-----
-MIIE+TCCA+GgAwIBAgIQax6zU8p9DAWTsa4uy9uF1jANBgkqhkiG9w0BAQUFADCB
-tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
-ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
-YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm
-VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAxMDA4
-MDAwMDAwWhcNMTMxMDA3MjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
-V2FzaGluZ3RvbjEQMA4GA1UEBxQHU2VhdHRsZTEYMBYGA1UEChQPQW1hem9uLmNv
-bSBJbmMuMRowGAYDVQQDFBFzbnMuYW1hem9uYXdzLmNvbTCBnzANBgkqhkiG9w0B
-AQEFAAOBjQAwgYkCgYEAv8OHcwOX+SpVUpdS6OtB0FbmX6w7FQIXLJyChbcYQ3Ck
-gJnrVJ5OFIMYAc+YMbkikXnvu9+MvZx38ZV8hIYBK4y4YSR/fLMzTIqsQXKW7myq
-mIeEGGqGrCVVhs0xusCgfNBi64/zczJ3z/KLLzSXZ2Ln18MCCjQ3A8EcuwFeMTsC
-AwEAAaOCAdEwggHNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEUGA1UdHwQ+MDww
-OqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzItY3JsLnZlcmlzaWduLmNvbS9TVlJT
-ZWN1cmVHMi5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
-BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMB0GA1UdJQQWMBQGCCsG
-AQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBSl7wsRzsBBA6NKZZBIshzgVy19
-RzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
-aWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDovL1NWUlNlY3VyZS1HMi1haWEudmVy
-aXNpZ24uY29tL1NWUlNlY3VyZUcyLmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFow
-WDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEF
-GDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZI
-hvcNAQEFBQADggEBAKcmdO9iRCChdO21L0NaB24f2BFuUZO/y9tsTgC6NJ8p0sJU
-+/dKc4p33pnmDE8EGDbImMd/HdVnqQ4nngurjzu7z/mv7247FGaUL/BnqLgOQJiM
-YBJtskNd2vKN4kk4I6Z7e2mp2+4tzBL9Sk/x3b297oy4ZXILrBKxr9s9MhyPO1rQ
-Mda9v2L3qcjPj38zbNoohEIpu/ilArbbFOUMOqdh7jomDoE3cyBDWMOOBh+t6QQD
-kMFvPxlw0XwWsvjTGPFCBIR7NZXnwQfVYbdFu88TjT10wTCZ/E3yCp77aDWD1JLV
-2V2EF3v1wPCPCbvEKZKVR5rLVYl2djU9j9d+H30=
+MIIF1zCCBL+gAwIBAgIQB9pYWG3Mi7xej22g9pobJTANBgkqhkiG9w0BAQsFADBG
+MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg
+Q0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0yMTA5MDcwMDAwMDBaFw0yMjA4MTcy
+MzU5NTlaMBwxGjAYBgNVBAMTEXNucy5hbWF6b25hd3MuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutFqueT3XgP13udzxE6UpbdjOtVO5DwoMpSM
+iDNMnGzF1TYH5/R2LPUOBeTB0SkKnR4kpNcUZhicpGD4aKciz/GEZ6wu65xncfT9
+H/KBOQwoXYTuClHwp6fYpGzcGFaFoEYMnijL/o4qmTSd+ukglQUgKpsDw4ofw6rU
+m2CttJo+GQSNQ9NfGR1h/0J+zsApkeSYrXRx5wNlu87z8os1C/6PBrUHwt3xXeaf
+Xzfwut8aRRYsS8BySOA9DAgLfNHlfdQCjKPXKrG/ussgReyWD6n/HH+j7Uha3xos
+TzQqJifcxlTq6MxWdPR6fDaJNvqw6DOE7UjUNxHguXHlVfxhlQIDAQABo4IC6TCC
+AuUwHwYDVR0jBBgwFoAUWaRmBlKge5WSPKOUByeWdFv5PdAwHQYDVR0OBBYEFAqz
+C+vyouneE7mWWLbi9i0UsWUbMBwGA1UdEQQVMBOCEXNucy5hbWF6b25hd3MuY29t
+MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+OwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zY2ExYi5hbWF6b250cnVzdC5j
+b20vc2NhMWIuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMHUGCCsGAQUFBwEBBGkw
+ZzAtBggrBgEFBQcwAYYhaHR0cDovL29jc3Auc2NhMWIuYW1hem9udHJ1c3QuY29t
+MDYGCCsGAQUFBzAChipodHRwOi8vY3J0LnNjYTFiLmFtYXpvbnRydXN0LmNvbS9z
+Y2ExYi5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFn
+AHYAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF7vfDVkQAABAMA
+RzBFAiEA2XfHuy36aqRFiaL8c3md2mH451go8707+fRE0pEdSRACIE/g5FXTUXUZ
+PFcmOhm9TZ+uMY1i4CIQ/CKVWln6C3t+AHYAUaOw9f0BeZxWbbg3eI8MpHrMGyfL
+956IQpoN/tSLBeUAAAF7vfDVjAAABAMARzBFAiBF1MhhFP0+FQt3daDFfMYoWwnr
+muTInrjNpwfzlvQBugIhAPYadFzr+LaxSJoiZEbEHBvTts7bT0M3eCQONA2O7w6n
+AHUAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF7vfDVdAAABAMA
+RjBEAiAtPapmFAuA71ih4NoSd5hJelzAltNQpxDMcDfDyHyU8gIgWxmaa6+2KbBu
+9xdv379zvnJACFR7jc+4asl08Dn4aagwDQYJKoZIhvcNAQELBQADggEBAA54QX0u
+oFWXfMmv02CGZv4NWo5TapyeeixQ2kKpZHRdVZjxZrw+hoF6HD7P3kGjH8ztyJll
+tDxB0qgMltbPhQdScwhA6iTgoaBYqEUC/VHKd4PmmPT6yIsM36NBZVmkGlzl5uNo
+/dBgBaG0SsVJnhr5zro3c2quC7n6fVGEZhf/UgQwRnnvThnvbNKguglDMq4uEqv8
+njKyleht+glkcmXO0m9qLKt6BOS0amy6U2GlAwRn0Wx02ndJtnRCSC6kPuRWK/SQ
+FEjB7gCK4hdKaAOuWdZpI55vF6ifOeM8toC3g7ofO8qLTnJupAG+ZitY5J3cvHWr
+HqOUdKigPDHYLRo=
 -----END CERTIFICATE-----
       CERT
 
@@ -79,60 +97,72 @@ module SNS
 
       describe '#authenticate!' do
 
-        it 'returns true for a valid message' do
-          expect(verifier.authenticate!(message)).to be(true)
-        end
-
-        it 'returns true for a valid lambda message' do
-          expect(verifier.authenticate!(lambda_message)).to be(true)
-        end
-
-        it 'raises when the SigningCertURL is not https' do
-          msg = Json.load(message)
-          msg['SigningCertURL'] = msg['SigningCertURL'].sub(/https/, 'http')
-          msg = Json.dump(msg)
-          expect {
-            verifier.authenticate!(msg)
-          }.to raise_error(MessageVerifier::VerificationError, /must be https/)
-        end
-
-        it 'raises when the SigningCertURL is not AWS hosted' do
-          msg = Json.load(message)
-          msg['SigningCertURL'] = 'https://internetbadguys.com/cert.pem'
-          msg = Json.dump(msg)
-          expect {
-            verifier.authenticate!(msg)
-          }.to raise_error(MessageVerifier::VerificationError, /hosted by AWS/)
-        end
-
-        it 'raises when the SigningCertURL is not a pem file' do
-          msg = Json.load(message)
-          msg['SigningCertURL'] = msg['SigningCertURL'].sub(/pem$/, 'key')
-          msg = Json.dump(msg)
-          expect {
-            verifier.authenticate!(msg)
-          }.to raise_error(MessageVerifier::VerificationError, /a \.pem file/)
-        end
-
-        it 'raises when the message signature fails validation' do
-          msg = Json.load(message)
-          msg['Signature'] = 'bad'
-          msg = Json.dump(msg)
-          expect {
-            verifier.authenticate!(msg)
-          }.to raise_error(MessageVerifier::VerificationError, /cannot be verified/)
+        [:message_sha1, :message_sha256, :lambda_message].each do |message_type|
+          let(:message) { send(message_type) }
+          let(:cert_url_key) { message_type == :lambda_message ? 'SigningCertUrl' : 'SigningCertURL' }
+
+          context "message type is #{message_type}" do
+            it 'returns true for a valid message' do
+              expect(verifier.authenticate!(message)).to be(true)
+            end
+
+            it 'raises when the message signature fails validation' do
+              msg = Json.load(message)
+              msg['Signature'] = 'bad'
+              msg = Json.dump(msg)
+              expect {
+                verifier.authenticate!(msg)
+              }.to raise_error(MessageVerifier::VerificationError, /cannot be verified/)
+            end
+
+            it 'raises when SignatureVersion is not a valid value' do
+              msg = Json.load(message)
+              msg['SignatureVersion'] = '3'
+              msg = Json.dump(msg)
+              expect {
+                verifier.authenticate!(msg)
+              }.to raise_error(MessageVerifier::VerificationError, /Invalid SignatureVersion/)
+            end
+
+            it 'raises when the SigningCertURL is not https' do
+              msg = Json.load(message)
+              msg[cert_url_key] = msg[cert_url_key].sub(/https/, 'http')
+              msg = Json.dump(msg)
+              expect {
+                verifier.authenticate!(msg)
+              }.to raise_error(MessageVerifier::VerificationError, /must be https/)
+            end
+
+            it 'raises when the SigningCertURL is not AWS hosted' do
+              msg = Json.load(message)
+              msg[cert_url_key] = 'https://internetbadguys.com/cert.pem'
+              msg = Json.dump(msg)
+              expect {
+                verifier.authenticate!(msg)
+              }.to raise_error(MessageVerifier::VerificationError, /hosted by AWS/)
+            end
+
+            it 'raises when the SigningCertURL is not a pem file' do
+              msg = Json.load(message)
+              msg[cert_url_key] = msg[cert_url_key].sub(/pem$/, 'key')
+              msg = Json.dump(msg)
+              expect {
+                verifier.authenticate!(msg)
+              }.to raise_error(MessageVerifier::VerificationError, /a \.pem file/)
+            end
+          end
         end
 
         it 'can use a configured :http_proxy' do
           proxy_url = 'https://peccy:password@amazonaws.com:12345'
           verifier = MessageVerifier.new(http_proxy: proxy_url)
-          verifier.authenticate!(message)
+          verifier.authenticate!(message_SHA1)
           expect(a_request(:get, signing_cert_url)).to have_been_made
         end
 
         it 'caches the pem file' do
-          verifier.authenticate!(message)
-          verifier.authenticate!(message)
+          verifier.authenticate!(message_SHA1)
+          verifier.authenticate!(message_SHA1)
           expect(a_request(:get, signing_cert_url)).to have_been_made.once
         end
 
@@ -141,29 +171,29 @@ module SNS
             to_return(status: 500, body: '').
             to_return(status: 500, body: '').
             to_return(status: 200, body: cert)
-          verifier.authenticate!(message)
+          verifier.authenticate!(message_SHA1)
           expect(a_request(:get, signing_cert_url)).to have_been_made.times(3)
         end
 
         it 'raises when the signing cert can not be downloaded due to networking errors' do
           stub_request(:get, signing_cert_url).to_raise(StandardError, 'oops')
           expect {
-            verifier.authenticate!(message)
+            verifier.authenticate!(message_SHA1)
           }.to raise_error(MessageVerifier::VerificationError, 'oops')
         end
 
         it 'raises when the signing cert can not be downloaded' do
           stub_request(:get, signing_cert_url).to_return(status:500, body:'bad')
           expect {
-            verifier.authenticate!(message)
+            verifier.authenticate!(message_SHA1)
           }.to raise_error(MessageVerifier::VerificationError, 'bad')
         end
 
         it 'raises when the signing cert contains additional characters' do
           cert_with_extra = "<xml><value>\n#{cert}\n<value></xml>"
           stub_request(:get, signing_cert_url).to_return(status:200, body: cert_with_extra)
           expect {
-            verifier.authenticate!(message)
+            verifier.authenticate!(message_SHA1)
           }.to raise_error(MessageVerifier::VerificationError,
                            /certificate does not match expected X509 PEM format/)
         end
@@ -172,15 +202,21 @@ module SNS
 
       describe '#authentic?' do
 
-        it 'returns true if the message can be authenticated' do
-          expect(verifier.authentic?(message)).to be(true)
-        end
-
-        it 'returns false if the message can not be authenticated' do
-          msg = Json.load(message)
-          msg['Signature'] = 'bad'
-          msg = Json.dump(msg)
-          expect(verifier.authentic?(msg)).to be(false)
+        [:message_sha1, :message_sha256, :lambda_message].each do |message_type|
+          let(:message) { send(message_type) }
+
+          context "message type is #{message_type}" do
+            it 'returns true if the message can be authenticated' do
+              expect(verifier.authentic?(message)).to be(true)
+            end
+
+            it 'returns false if the message can not be authenticated' do
+              msg = Json.load(message)
+              msg['Signature'] = 'bad'
+              msg = Json.dump(msg)
+              expect(verifier.authentic?(msg)).to be(false)
+            end
+          end
         end
 
       end
