epicyon/linked_data_sig.py

__filename__ = "linked_data_sig.py"
__author__ = "Bob Mottram"
__credits__ = ['Based on ' +
               'https://github.com/tsileo/little-boxes']
__license__ = "AGPL3+"
__version__ = "1.2.0"
__maintainer__ = "Bob Mottram"
__email__ = "bob@freedombone.net"
__status__ = "Production"
__module_group__ = "Security"

import base64
import hashlib
from datetime import datetime
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from cryptography.hazmat.primitives.serialization import load_pem_public_key
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import utils as hazutils
from pyjsonld import normalize
from context import hasValidContext
from utils import getSHA256


def _options_hash(doc: {}) -> str:
    """Returns a hash of the signature, with a few fields removed
    """
    docSig = dict(doc["signature"])

    # remove fields from signature
    for k in ["type", "id", "signatureValue"]:
        if k in docSig:
            del docSig[k]

    docSig["@context"] = "https://w3id.org/identity/v1"
    options = {
        "algorithm": "URDNA2015",
        "format": "application/nquads"
    }

    normalized = normalize(docSig, options)
    h = hashlib.new("sha256")
    h.update(normalized.encode("utf-8"))
    return h.hexdigest()


def _doc_hash(doc: {}) -> str:
    """Returns a hash of the ActivityPub post
    """
    doc = dict(doc)

    # remove the signature
    if "signature" in doc:
        del doc["signature"]

    options = {
        "algorithm": "URDNA2015",
        "format": "application/nquads"
    }

    normalized = normalize(doc, options)
    h = hashlib.new("sha256")
    h.update(normalized.encode("utf-8"))
    return h.hexdigest()


def verifyJsonSignature(doc: {}, publicKeyPem: str) -> bool:
    """Returns True if the given ActivityPub post was sent
    by an actor having the given public key
    """
    if not hasValidContext(doc):
        return False
    pubkey = load_pem_public_key(publicKeyPem.encode('utf-8'),
                                 backend=default_backend())
    to_be_signed = _options_hash(doc) + _doc_hash(doc)
    signature = doc["signature"]["signatureValue"]

    digest = getSHA256(to_be_signed.encode("utf-8"))
    base64sig = base64.b64decode(signature)

    try:
        pubkey.verify(
            base64sig,
            digest,
            padding.PKCS1v15(),
            hazutils.Prehashed(hashes.SHA256()))
        return True
    except BaseException:
        return False


def generateJsonSignature(doc: {}, privateKeyPem: str) -> None:
    """Adds a json signature to the given ActivityPub post
    """
    if not doc.get('actor'):
        return
    if not hasValidContext(doc):
        return
    options = {
        "type": "RsaSignature2017",
        "creator": doc["actor"] + "#main-key",
        "created": datetime.utcnow().replace(microsecond=0).isoformat() + "Z",
    }
    doc["signature"] = options
    to_be_signed = _options_hash(doc) + _doc_hash(doc)

    key = load_pem_private_key(privateKeyPem.encode('utf-8'),
                               None, backend=default_backend())
    digest = getSHA256(to_be_signed.encode("utf-8"))
    signature = key.sign(digest,
                         padding.PKCS1v15(),
                         hazutils.Prehashed(hashes.SHA256()))
    sig = base64.b64encode(signature)
    options["signatureValue"] = sig.decode("utf-8")
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`__filename__ = "linked_data_sig.py"`
			`__author__ = "Bob Mottram"`
			`__credits__ = ['Based on ' +`
			`'https://github.com/tsileo/little-boxes']`
			`__license__ = "AGPL3+"`
Version 1.2.0 2021-01-26 10:07:42 +00:00			`__version__ = "1.2.0"`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`__maintainer__ = "Bob Mottram"`
			`__email__ = "bob@freedombone.net"`
			`__status__ = "Production"`
Module groups 2021-06-15 15:08:12 +00:00			`__module_group__ = "Security"`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00
			`import base64`
			`import hashlib`
			`from datetime import datetime`
Move jsonld signatures to python3-cryptography 2021-02-04 18:18:31 +00:00			`from cryptography.hazmat.backends import default_backend`
			`from cryptography.hazmat.primitives.serialization import load_pem_private_key`
			`from cryptography.hazmat.primitives.serialization import load_pem_public_key`
			`from cryptography.hazmat.primitives.asymmetric import padding`
			`from cryptography.hazmat.primitives import hashes`
			`from cryptography.hazmat.primitives.asymmetric import utils as hazutils`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`from pyjsonld import normalize`
Check context before json signature verify 2021-01-05 20:11:16 +00:00			`from context import hasValidContext`
Move jsonld signatures to python3-cryptography 2021-02-04 18:18:31 +00:00			`from utils import getSHA256`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00

Comments 2021-01-05 17:27:11 +00:00			`def _options_hash(doc: {}) -> str:`
			`"""Returns a hash of the signature, with a few fields removed`
			`"""`
			`docSig = dict(doc["signature"])`

			`# remove fields from signature`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`for k in ["type", "id", "signatureValue"]:`
Comments 2021-01-05 17:27:11 +00:00			`if k in docSig:`
			`del docSig[k]`

			`docSig["@context"] = "https://w3id.org/identity/v1"`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`options = {`
			`"algorithm": "URDNA2015",`
			`"format": "application/nquads"`
			`}`
Comments 2021-01-05 17:27:11 +00:00
			`normalized = normalize(docSig, options)`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`h = hashlib.new("sha256")`
			`h.update(normalized.encode("utf-8"))`
			`return h.hexdigest()`


Comments 2021-01-05 17:27:11 +00:00			`def _doc_hash(doc: {}) -> str:`
			`"""Returns a hash of the ActivityPub post`
			`"""`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`doc = dict(doc)`
Comments 2021-01-05 17:27:11 +00:00
			`# remove the signature`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`if "signature" in doc:`
			`del doc["signature"]`
Comments 2021-01-05 17:27:11 +00:00
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`options = {`
			`"algorithm": "URDNA2015",`
			`"format": "application/nquads"`
			`}`
Comments 2021-01-05 17:27:11 +00:00
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`normalized = normalize(doc, options)`
			`h = hashlib.new("sha256")`
			`h.update(normalized.encode("utf-8"))`
			`return h.hexdigest()`


Comments 2021-01-05 17:27:11 +00:00			`def verifyJsonSignature(doc: {}, publicKeyPem: str) -> bool:`
			`"""Returns True if the given ActivityPub post was sent`
			`by an actor having the given public key`
			`"""`
Check context before json signature verify 2021-01-05 20:11:16 +00:00			`if not hasValidContext(doc):`
			`return False`
Move jsonld signatures to python3-cryptography 2021-02-04 18:18:31 +00:00			`pubkey = load_pem_public_key(publicKeyPem.encode('utf-8'),`
			`backend=default_backend())`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`to_be_signed = _options_hash(doc) + _doc_hash(doc)`
			`signature = doc["signature"]["signatureValue"]`
Move jsonld signatures to python3-cryptography 2021-02-04 18:18:31 +00:00
			`digest = getSHA256(to_be_signed.encode("utf-8"))`
Comments 2021-01-05 17:27:11 +00:00			`base64sig = base64.b64decode(signature)`
Move jsonld signatures to python3-cryptography 2021-02-04 18:18:31 +00:00
			`try:`
			`pubkey.verify(`
			`base64sig,`
			`digest,`
			`padding.PKCS1v15(),`
			`hazutils.Prehashed(hashes.SHA256()))`
			`return True`
			`except BaseException:`
			`return False`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00

Comments 2021-01-05 17:27:11 +00:00			`def generateJsonSignature(doc: {}, privateKeyPem: str) -> None:`
			`"""Adds a json signature to the given ActivityPub post`
			`"""`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`if not doc.get('actor'):`
			`return`
Check context before json signature verify 2021-01-05 20:11:16 +00:00			`if not hasValidContext(doc):`
			`return`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`options = {`
			`"type": "RsaSignature2017",`
			`"creator": doc["actor"] + "#main-key",`
			`"created": datetime.utcnow().replace(microsecond=0).isoformat() + "Z",`
			`}`
			`doc["signature"] = options`
			`to_be_signed = _options_hash(doc) + _doc_hash(doc)`

Move jsonld signatures to python3-cryptography 2021-02-04 18:18:31 +00:00			`key = load_pem_private_key(privateKeyPem.encode('utf-8'),`
			`None, backend=default_backend())`
			`digest = getSHA256(to_be_signed.encode("utf-8"))`
			`signature = key.sign(digest,`
			`padding.PKCS1v15(),`
			`hazutils.Prehashed(hashes.SHA256()))`
			`sig = base64.b64encode(signature)`
Fix jsonld signatures Also some schemas are no longer remotely accessed 2021-01-04 19:02:24 +00:00			`options["signatureValue"] = sig.decode("utf-8")`