epicyon/httpsig.py

__filename__ = "posts.py"
__author__ = "Bob Mottram"
__credits__ = ['lamia']
__license__ = "AGPL3+"
__version__ = "1.1.0"
__maintainer__ = "Bob Mottram"
__email__ = "bob@freedombone.net"
__status__ = "Production"

# see https://tools.ietf.org/html/draft-cavage-http-signatures-06

try:
    from Cryptodome.PublicKey import RSA
    from Cryptodome.Hash import SHA256
    from Cryptodome.Signature import pkcs1_15
except ImportError:
    from Crypto.PublicKey import RSA
    from Crypto.Hash import SHA256
    # from Crypto.Signature import PKCS1_v1_5
    from Crypto.Signature import pkcs1_15

import base64
from time import gmtime, strftime
import datetime
from utils import getFullDomain


def messageContentDigest(messageBodyJsonStr: str) -> str:
    msg = messageBodyJsonStr.encode('utf-8')
    digestStr = SHA256.new(msg).digest()
    return base64.b64encode(digestStr).decode('utf-8')


def signPostHeaders(dateStr: str, privateKeyPem: str,
                    nickname: str,
                    domain: str, port: int,
                    toDomain: str, toPort: int,
                    path: str,
                    httpPrefix: str,
                    messageBodyJsonStr: str) -> str:
    """Returns a raw signature string that can be plugged into a header and
    used to verify the authenticity of an HTTP transmission.
    """
    domain = getFullDomain(domain, port)

    toDomain = getFullDomain(toDomain, toPort)

    if not dateStr:
        dateStr = strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
    keyID = httpPrefix + '://' + domain + '/users/' + nickname + '#main-key'
    if not messageBodyJsonStr:
        headers = {
            '(request-target)': f'post {path}',
            'host': toDomain,
            'date': dateStr,
            'content-type': 'application/json'
        }
    else:
        bodyDigest = messageContentDigest(messageBodyJsonStr)
        contentLength = len(messageBodyJsonStr)
        headers = {
            '(request-target)': f'post {path}',
            'host': toDomain,
            'date': dateStr,
            'digest': f'SHA-256={bodyDigest}',
            'content-type': 'application/activity+json',
            'content-length': str(contentLength)
        }
    privateKeyPem = RSA.import_key(privateKeyPem)
    # headers.update({
    #     '(request-target)': f'post {path}',
    # })
    # build a digest for signing
    signedHeaderKeys = headers.keys()
    signedHeaderText = ''
    for headerKey in signedHeaderKeys:
        signedHeaderText += f'{headerKey}: {headers[headerKey]}\n'
    signedHeaderText = signedHeaderText.strip()
    headerDigest = SHA256.new(signedHeaderText.encode('ascii'))

    # Sign the digest
    rawSignature = pkcs1_15.new(privateKeyPem).sign(headerDigest)
    signature = base64.b64encode(rawSignature).decode('ascii')

    # Put it into a valid HTTP signature format
    signatureDict = {
        'keyId': keyID,
        'algorithm': 'rsa-sha256',
        'headers': ' '.join(signedHeaderKeys),
        'signature': signature
    }
    signatureHeader = ','.join(
        [f'{k}="{v}"' for k, v in signatureDict.items()])
    return signatureHeader


def createSignedHeader(privateKeyPem: str, nickname: str,
                       domain: str, port: int,
                       toDomain: str, toPort: int,
                       path: str, httpPrefix: str, withDigest: bool,
                       messageBodyJsonStr: str) -> {}:
    """Note that the domain is the destination, not the sender
    """
    contentType = 'application/activity+json'
    headerDomain = getFullDomain(toDomain, toPort)

    dateStr = strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
    if not withDigest:
        headers = {
            '(request-target)': f'post {path}',
            'host': headerDomain,
            'date': dateStr
        }
        signatureHeader = \
            signPostHeaders(dateStr, privateKeyPem, nickname,
                            domain, port, toDomain, toPort,
                            path, httpPrefix, None)
    else:
        bodyDigest = messageContentDigest(messageBodyJsonStr)
        contentLength = len(messageBodyJsonStr)
        headers = {
            '(request-target)': f'post {path}',
            'host': headerDomain,
            'date': dateStr,
            'digest': f'SHA-256={bodyDigest}',
            'content-length': str(contentLength),
            'content-type': contentType
        }
        signatureHeader = \
            signPostHeaders(dateStr, privateKeyPem, nickname,
                            domain, port,
                            toDomain, toPort,
                            path, httpPrefix, messageBodyJsonStr)
    headers['signature'] = signatureHeader
    return headers


def _verifyRecentSignature(signedDateStr: str) -> bool:
    """Checks whether the given time taken from the header is within
    12 hours of the current time
    """
    currDate = datetime.datetime.utcnow()
    dateFormat = "%a, %d %b %Y %H:%M:%S %Z"
    signedDate = datetime.datetime.strptime(signedDateStr, dateFormat)
    timeDiffSec = (currDate - signedDate).seconds
    # 12 hours tollerance
    if timeDiffSec > 43200:
        print('WARN: Header signed too long ago: ' + signedDateStr)
        print(str(timeDiffSec / (60 * 60)) + ' hours')
        return False
    if timeDiffSec < 0:
        print('WARN: Header signed in the future! ' + signedDateStr)
        print(str(timeDiffSec / (60 * 60)) + ' hours')
        return False
    return True


def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
                      path: str, GETmethod: bool,
                      messageBodyDigest: str,
                      messageBodyJsonStr: str, debug: bool) -> bool:
    """Returns true or false depending on if the key that we plugged in here
    validates against the headers, method, and path.
    publicKeyPem - the public key from an rsa key pair
    headers - should be a dictionary of request headers
    path - the relative url that was requested from this site
    GETmethod - GET or POST
    messageBodyJsonStr - the received request body (used for digest)
    """

    if GETmethod:
        method = 'GET'
    else:
        method = 'POST'

    if debug:
        print('DEBUG: verifyPostHeaders ' + method)

    publicKeyPem = RSA.import_key(publicKeyPem)
    # Build a dictionary of the signature values
    signatureHeader = headers['signature']
    signatureDict = {
        k: v[1:-1]
        for k, v in [i.split('=', 1) for i in signatureHeader.split(',')]
    }

    # Unpack the signed headers and set values based on current headers and
    # body (if a digest was included)
    signedHeaderList = []
    for signedHeader in signatureDict['headers'].split(' '):
        if debug:
            print('DEBUG: verifyPostHeaders signedHeader=' + signedHeader)
        if signedHeader == '(request-target)':
            appendStr = f'(request-target): {method.lower()} {path}'
            signedHeaderList.append(appendStr)
        elif signedHeader == 'digest':
            if messageBodyDigest:
                bodyDigest = messageBodyDigest
            else:
                bodyDigest = messageContentDigest(messageBodyJsonStr)
            signedHeaderList.append(f'digest: SHA-256={bodyDigest}')
        elif signedHeader == 'content-length':
            if headers.get(signedHeader):
                appendStr = f'content-length: {headers[signedHeader]}'
                signedHeaderList.append(appendStr)
            else:
                if headers.get('Content-Length'):
                    contentLength = headers['Content-Length']
                    signedHeaderList.append(f'content-length: {contentLength}')
                else:
                    if headers.get('Content-length'):
                        contentLength = headers['Content-length']
                        appendStr = f'content-length: {contentLength}'
                        signedHeaderList.append(appendStr)
                    else:
                        if debug:
                            print('DEBUG: verifyPostHeaders ' + signedHeader +
                                  ' not found in ' + str(headers))
        else:
            if headers.get(signedHeader):
                if signedHeader == 'date':
                    if not _verifyRecentSignature(headers[signedHeader]):
                        if debug:
                            print('DEBUG: ' +
                                  'verifyPostHeaders date is not recent ' +
                                  headers[signedHeader])
                        return False
                signedHeaderList.append(
                    f'{signedHeader}: {headers[signedHeader]}')
            else:
                signedHeaderCap = signedHeader.capitalize()
                if signedHeaderCap == 'Date':
                    if not _verifyRecentSignature(headers[signedHeaderCap]):
                        if debug:
                            print('DEBUG: ' +
                                  'verifyPostHeaders date is not recent ' +
                                  headers[signedHeader])
                        return False
                if headers.get(signedHeaderCap):
                    signedHeaderList.append(
                        f'{signedHeader}: {headers[signedHeaderCap]}')

    if debug:
        print('DEBUG: signedHeaderList: ' + str(signedHeaderList))
    # Now we have our header data digest
    signedHeaderText = '\n'.join(signedHeaderList)
    headerDigest = SHA256.new(signedHeaderText.encode('ascii'))

    # Get the signature, verify with public key, return result
    signature = base64.b64decode(signatureDict['signature'])

    try:
        pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)
        return True
    except (ValueError, TypeError):
        if debug:
            print('DEBUG: verifyPostHeaders pkcs1_15 verify failure')
        return False
flake8 format 2020-04-03 12:05:30 +00:00			`__filename__ = "posts.py"`
			`__author__ = "Bob Mottram"`
			`__credits__ = ['lamia']`
			`__license__ = "AGPL3+"`
			`__version__ = "1.1.0"`
			`__maintainer__ = "Bob Mottram"`
			`__email__ = "bob@freedombone.net"`
			`__status__ = "Production"`
Initial 2019-06-28 18:55:29 +00:00
Get host from post to inbox 2019-08-15 22:33:42 +00:00			`# see https://tools.ietf.org/html/draft-cavage-http-signatures-06`

Remove trailing whitespace 2020-03-22 21:16:02 +00:00			`try:`
cryptodome fallback 2020-03-04 09:59:08 +00:00			`from Cryptodome.PublicKey import RSA`
			`from Cryptodome.Hash import SHA256`
			`from Cryptodome.Signature import pkcs1_15`
			`except ImportError:`
			`from Crypto.PublicKey import RSA`
			`from Crypto.Hash import SHA256`
flake8 format 2020-04-03 12:05:30 +00:00			`# from Crypto.Signature import PKCS1_v1_5`
cryptodome fallback 2020-03-04 09:59:08 +00:00			`from Crypto.Signature import pkcs1_15`
Use debian cryptodome package 2020-03-04 09:41:21 +00:00
Initial 2019-06-28 18:55:29 +00:00			`import base64`
Include date in http signature 2019-08-15 09:08:18 +00:00			`from time import gmtime, strftime`
Mitigate replay attacks 2019-08-23 11:20:20 +00:00			`import datetime`
Fix another port number bug 2020-12-16 11:38:40 +00:00			`from utils import getFullDomain`
flake8 format 2020-04-03 12:05:30 +00:00
Initial 2019-06-28 18:55:29 +00:00
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`def messageContentDigest(messageBodyJsonStr: str) -> str:`
flake8 format 2020-04-03 12:05:30 +00:00			`msg = messageBodyJsonStr.encode('utf-8')`
			`digestStr = SHA256.new(msg).digest()`
			`return base64.b64encode(digestStr).decode('utf-8')`

Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00
flake8 format 2020-04-03 12:05:30 +00:00			`def signPostHeaders(dateStr: str, privateKeyPem: str,`
			`nickname: str,`
			`domain: str, port: int,`
			`toDomain: str, toPort: int,`
			`path: str,`
			`httpPrefix: str,`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`messageBodyJsonStr: str) -> str:`
Initial 2019-06-28 18:55:29 +00:00			`"""Returns a raw signature string that can be plugged into a header and`
			`used to verify the authenticity of an HTTP transmission.`
			`"""`
Fix another port number bug 2020-12-16 11:38:40 +00:00			`domain = getFullDomain(domain, port)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00
Fix another port number bug 2020-12-16 11:38:40 +00:00			`toDomain = getFullDomain(toDomain, toPort)`
Fixing http signatures 2019-08-16 13:47:01 +00:00
			`if not dateStr:`
flake8 format 2020-04-03 12:05:30 +00:00			`dateStr = strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())`
			`keyID = httpPrefix + '://' + domain + '/users/' + nickname + '#main-key'`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`if not messageBodyJsonStr:`
flake8 format 2020-04-03 12:05:30 +00:00			`headers = {`
			`'(request-target)': f'post {path}',`
			`'host': toDomain,`
			`'date': dateStr,`
			`'content-type': 'application/json'`
			`}`
Initial 2019-06-28 18:55:29 +00:00			`else:`
flake8 format 2020-04-03 12:05:30 +00:00			`bodyDigest = messageContentDigest(messageBodyJsonStr)`
			`contentLength = len(messageBodyJsonStr)`
			`headers = {`
			`'(request-target)': f'post {path}',`
			`'host': toDomain,`
			`'date': dateStr,`
			`'digest': f'SHA-256={bodyDigest}',`
			`'content-type': 'application/activity+json',`
			`'content-length': str(contentLength)`
			`}`
			`privateKeyPem = RSA.import_key(privateKeyPem)`
			`# headers.update({`
			`# '(request-target)': f'post {path}',`
			`# })`
Initial 2019-06-28 18:55:29 +00:00			`# build a digest for signing`
flake8 format 2020-04-03 12:05:30 +00:00			`signedHeaderKeys = headers.keys()`
			`signedHeaderText = ''`
Initial 2019-06-28 18:55:29 +00:00			`for headerKey in signedHeaderKeys:`
			`signedHeaderText += f'{headerKey}: {headers[headerKey]}\n'`
flake8 format 2020-04-03 12:05:30 +00:00			`signedHeaderText = signedHeaderText.strip()`
			`headerDigest = SHA256.new(signedHeaderText.encode('ascii'))`
Initial 2019-06-28 18:55:29 +00:00
			`# Sign the digest`
flake8 format 2020-04-03 12:05:30 +00:00			`rawSignature = pkcs1_15.new(privateKeyPem).sign(headerDigest)`
			`signature = base64.b64encode(rawSignature).decode('ascii')`
Initial 2019-06-28 18:55:29 +00:00
			`# Put it into a valid HTTP signature format`
flake8 format 2020-04-03 12:05:30 +00:00			`signatureDict = {`
Initial 2019-06-28 18:55:29 +00:00			`'keyId': keyID,`
			`'algorithm': 'rsa-sha256',`
			`'headers': ' '.join(signedHeaderKeys),`
			`'signature': signature`
			`}`
flake8 format 2020-04-03 12:05:30 +00:00			`signatureHeader = ','.join(`
Initial 2019-06-28 18:55:29 +00:00			`[f'{k}="{v}"' for k, v in signatureDict.items()])`
			`return signatureHeader`

flake8 format 2020-04-03 12:05:30 +00:00
			`def createSignedHeader(privateKeyPem: str, nickname: str,`
			`domain: str, port: int,`
			`toDomain: str, toPort: int,`
			`path: str, httpPrefix: str, withDigest: bool,`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`messageBodyJsonStr: str) -> {}:`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`"""Note that the domain is the destination, not the sender`
			`"""`
flake8 format 2020-04-03 12:05:30 +00:00			`contentType = 'application/activity+json'`
Tidying 2020-12-16 11:42:11 +00:00			`headerDomain = getFullDomain(toDomain, toPort)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00
flake8 format 2020-04-03 12:05:30 +00:00			`dateStr = strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`if not withDigest:`
flake8 format 2020-04-03 12:05:30 +00:00			`headers = {`
			`'(request-target)': f'post {path}',`
			`'host': headerDomain,`
			`'date': dateStr`
Tidying 2020-03-22 20:36:19 +00:00			`}`
flake8 format 2020-04-03 12:05:30 +00:00			`signatureHeader = \`
			`signPostHeaders(dateStr, privateKeyPem, nickname,`
			`domain, port, toDomain, toPort,`
			`path, httpPrefix, None)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`else:`
flake8 format 2020-04-03 12:05:30 +00:00			`bodyDigest = messageContentDigest(messageBodyJsonStr)`
			`contentLength = len(messageBodyJsonStr)`
			`headers = {`
Tidying 2020-03-22 20:36:19 +00:00			`'(request-target)': f'post {path}',`
			`'host': headerDomain,`
			`'date': dateStr,`
			`'digest': f'SHA-256={bodyDigest}',`
			`'content-length': str(contentLength),`
			`'content-type': contentType`
			`}`
flake8 format 2020-04-03 12:05:30 +00:00			`signatureHeader = \`
			`signPostHeaders(dateStr, privateKeyPem, nickname,`
			`domain, port,`
			`toDomain, toPort,`
			`path, httpPrefix, messageBodyJsonStr)`
			`headers['signature'] = signatureHeader`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`return headers`

flake8 format 2020-04-03 12:05:30 +00:00
Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`def _verifyRecentSignature(signedDateStr: str) -> bool:`
Comments 2019-08-23 11:31:46 +00:00			`"""Checks whether the given time taken from the header is within`
			`12 hours of the current time`
			`"""`
flake8 format 2020-04-03 12:05:30 +00:00			`currDate = datetime.datetime.utcnow()`
			`dateFormat = "%a, %d %b %Y %H:%M:%S %Z"`
			`signedDate = datetime.datetime.strptime(signedDateStr, dateFormat)`
			`timeDiffSec = (currDate - signedDate).seconds`
Tidying 2019-08-23 11:39:16 +00:00			`# 12 hours tollerance`
Check that header was not signed in the future 2019-08-23 11:37:34 +00:00			`if timeDiffSec > 43200:`
flake8 format 2020-04-03 12:05:30 +00:00			`print('WARN: Header signed too long ago: ' + signedDateStr)`
			`print(str(timeDiffSec / (60 * 60)) + ' hours')`
Check that header was not signed in the future 2019-08-23 11:37:34 +00:00			`return False`
			`if timeDiffSec < 0:`
flake8 format 2020-04-03 12:05:30 +00:00			`print('WARN: Header signed in the future! ' + signedDateStr)`
			`print(str(timeDiffSec / (60 * 60)) + ' hours')`
Make date check into a function 2019-08-23 11:30:37 +00:00			`return False`
			`return True`

flake8 format 2020-04-03 12:05:30 +00:00
			`def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,`
			`path: str, GETmethod: bool,`
			`messageBodyDigest: str,`
			`messageBodyJsonStr: str, debug: bool) -> bool:`
Initial 2019-06-28 18:55:29 +00:00			`"""Returns true or false depending on if the key that we plugged in here`
			`validates against the headers, method, and path.`
			`publicKeyPem - the public key from an rsa key pair`
			`headers - should be a dictionary of request headers`
			`path - the relative url that was requested from this site`
			`GETmethod - GET or POST`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`messageBodyJsonStr - the received request body (used for digest)`
Initial 2019-06-28 18:55:29 +00:00			`"""`
Mitigate replay attacks 2019-08-23 11:20:20 +00:00
Initial 2019-06-28 18:55:29 +00:00			`if GETmethod:`
flake8 format 2020-04-03 12:05:30 +00:00			`method = 'GET'`
Initial 2019-06-28 18:55:29 +00:00			`else:`
flake8 format 2020-04-03 12:05:30 +00:00			`method = 'POST'`
Debug in http signature verification 2019-11-12 15:03:17 +00:00
			`if debug:`
flake8 format 2020-04-03 12:05:30 +00:00			`print('DEBUG: verifyPostHeaders ' + method)`
Remove trailing whitespace 2020-03-22 21:16:02 +00:00
flake8 format 2020-04-03 12:05:30 +00:00			`publicKeyPem = RSA.import_key(publicKeyPem)`
Initial 2019-06-28 18:55:29 +00:00			`# Build a dictionary of the signature values`
flake8 format 2020-04-03 12:05:30 +00:00			`signatureHeader = headers['signature']`
			`signatureDict = {`
Initial 2019-06-28 18:55:29 +00:00			`k: v[1:-1]`
			`for k, v in [i.split('=', 1) for i in signatureHeader.split(',')]`
			`}`

			`# Unpack the signed headers and set values based on current headers and`
			`# body (if a digest was included)`
flake8 format 2020-04-03 12:05:30 +00:00			`signedHeaderList = []`
Initial 2019-06-28 18:55:29 +00:00			`for signedHeader in signatureDict['headers'].split(' '):`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`if debug:`
flake8 format 2020-04-03 12:05:30 +00:00			`print('DEBUG: verifyPostHeaders signedHeader=' + signedHeader)`
Initial 2019-06-28 18:55:29 +00:00			`if signedHeader == '(request-target)':`
flake8 format 2020-04-03 12:05:30 +00:00			`appendStr = f'(request-target): {method.lower()} {path}'`
			`signedHeaderList.append(appendStr)`
Initial 2019-06-28 18:55:29 +00:00			`elif signedHeader == 'digest':`
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`if messageBodyDigest:`
flake8 format 2020-04-03 12:05:30 +00:00			`bodyDigest = messageBodyDigest`
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`else:`
flake8 format 2020-04-03 12:05:30 +00:00			`bodyDigest = messageContentDigest(messageBodyJsonStr)`
Initial 2019-06-28 18:55:29 +00:00			`signedHeaderList.append(f'digest: SHA-256={bodyDigest}')`
Separate cases 2019-11-12 18:48:29 +00:00			`elif signedHeader == 'content-length':`
Return to case 2019-11-12 19:20:55 +00:00			`if headers.get(signedHeader):`
flake8 format 2020-04-03 12:05:30 +00:00			`appendStr = f'content-length: {headers[signedHeader]}'`
			`signedHeaderList.append(appendStr)`
More debug 2019-11-12 17:16:34 +00:00			`else:`
Variations on the theme 2019-11-12 19:32:23 +00:00			`if headers.get('Content-Length'):`
flake8 format 2020-04-03 12:05:30 +00:00			`contentLength = headers['Content-Length']`
Variations on the theme 2019-11-12 19:32:23 +00:00			`signedHeaderList.append(f'content-length: {contentLength}')`
			`else:`
			`if headers.get('Content-length'):`
flake8 format 2020-04-03 12:05:30 +00:00			`contentLength = headers['Content-length']`
			`appendStr = f'content-length: {contentLength}'`
			`signedHeaderList.append(appendStr)`
Variations on the theme 2019-11-12 19:32:23 +00:00			`else:`
			`if debug:`
flake8 format 2020-04-03 12:05:30 +00:00			`print('DEBUG: verifyPostHeaders ' + signedHeader +`
			`' not found in ' + str(headers))`
Initial 2019-06-28 18:55:29 +00:00			`else:`
http signature fixes 2019-08-15 21:34:25 +00:00			`if headers.get(signedHeader):`
flake8 format 2020-04-03 12:05:30 +00:00			`if signedHeader == 'date':`
Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`if not _verifyRecentSignature(headers[signedHeader]):`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`if debug:`
flake8 format 2020-04-03 12:05:30 +00:00			`print('DEBUG: ' +`
			`'verifyPostHeaders date is not recent ' +`
			`headers[signedHeader])`
Make date check into a function 2019-08-23 11:30:37 +00:00			`return False`
Exception handling for http signature check 2019-08-15 17:09:17 +00:00			`signedHeaderList.append(`
			`f'{signedHeader}: {headers[signedHeader]}')`
http signature fixes 2019-08-15 21:34:25 +00:00			`else:`
flake8 format 2020-04-03 12:05:30 +00:00			`signedHeaderCap = signedHeader.capitalize()`
			`if signedHeaderCap == 'Date':`
Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`if not _verifyRecentSignature(headers[signedHeaderCap]):`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`if debug:`
flake8 format 2020-04-03 12:05:30 +00:00			`print('DEBUG: ' +`
			`'verifyPostHeaders date is not recent ' +`
			`headers[signedHeader])`
Make date check into a function 2019-08-23 11:30:37 +00:00			`return False`
http signature fixes 2019-08-15 21:34:25 +00:00			`if headers.get(signedHeaderCap):`
			`signedHeaderList.append(`
			`f'{signedHeader}: {headers[signedHeaderCap]}')`
Initial 2019-06-28 18:55:29 +00:00
More debug 2019-11-12 15:25:47 +00:00			`if debug:`
flake8 format 2020-04-03 12:05:30 +00:00			`print('DEBUG: signedHeaderList: ' + str(signedHeaderList))`
Initial 2019-06-28 18:55:29 +00:00			`# Now we have our header data digest`
flake8 format 2020-04-03 12:05:30 +00:00			`signedHeaderText = '\n'.join(signedHeaderList)`
			`headerDigest = SHA256.new(signedHeaderText.encode('ascii'))`
Initial 2019-06-28 18:55:29 +00:00
			`# Get the signature, verify with public key, return result`
flake8 format 2020-04-03 12:05:30 +00:00			`signature = base64.b64decode(signatureDict['signature'])`
Initial 2019-06-28 18:55:29 +00:00
			`try:`
			`pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)`
			`return True`
			`except (ValueError, TypeError):`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`if debug:`
			`print('DEBUG: verifyPostHeaders pkcs1_15 verify failure')`
Initial 2019-06-28 18:55:29 +00:00			`return False`