epicyon/httpsig.py

__filename__ = "posts.py"
__author__ = "Bob Mottram"
__credits__ = ['lamia']
__license__ = "AGPL3+"
__version__ = "0.0.1"
__maintainer__ = "Bob Mottram"
__email__ = "bob@freedombone.net"
__status__ = "Production"

# see https://tools.ietf.org/html/draft-cavage-http-signatures-06

from Crypto.PublicKey import RSA
from Crypto.Hash import SHA256
#from Crypto.Signature import PKCS1_v1_5
from Crypto.Signature import pkcs1_15
from requests.auth import AuthBase
import base64
import json
from time import gmtime, strftime
from pprint import pprint

def signPostHeaders(dateStr: str,privateKeyPem: str, \
                    nickname: str, \
                    domain: str,port: int, \
                    toDomain: str,toPort: int, \
                    path: str, \
                    httpPrefix: str, messageBodyJson: {}) -> str:
    """Returns a raw signature string that can be plugged into a header and
    used to verify the authenticity of an HTTP transmission.
    """
    if port:
        if port!=80 and port!=443:
            if ':' not in domain:
                domain=domain+':'+str(port)

    if toPort:
        if toPort!=80 and toPort!=443:
            if ':' not in toDomain:
                toDomain=toDomain+':'+str(port)

    if not dateStr:
        dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
    keyID = httpPrefix+'://'+domain+'/users/'+nickname+'#main-key'
    if not messageBodyJson:
        headers = {'(request-target)': f'post {path}','host': toDomain,'date': dateStr,'content-type': 'application/json'}
    else:
        messageBodyJsonStr=json.dumps(messageBodyJson)
        bodyDigest = \
            base64.b64encode(SHA256.new(messageBodyJsonStr.encode()).digest()).decode('utf-8')
        headers = {'(request-target)': f'post {path}','host': toDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-type': 'application/activity+json'}
    privateKeyPem = RSA.import_key(privateKeyPem)
    #headers.update({
    #    '(request-target)': f'post {path}',
    #})
    # build a digest for signing
    signedHeaderKeys = headers.keys()
    signedHeaderText = ''
    for headerKey in signedHeaderKeys:
        signedHeaderText += f'{headerKey}: {headers[headerKey]}\n'
        print(f'*********************signing:  headerKey: {headerKey}: {headers[headerKey]}')
    signedHeaderText = signedHeaderText.strip()
    print('******************************Send: signedHeaderText: '+signedHeaderText)
    headerDigest = SHA256.new(signedHeaderText.encode('ascii'))

    # Sign the digest
    rawSignature = pkcs1_15.new(privateKeyPem).sign(headerDigest)
    signature = base64.b64encode(rawSignature).decode('ascii')

    # Put it into a valid HTTP signature format
    signatureDict = {
        'keyId': keyID,
        'algorithm': 'rsa-sha256',
        'headers': ' '.join(signedHeaderKeys),
        'signature': signature
    }
    signatureHeader = ','.join(
        [f'{k}="{v}"' for k, v in signatureDict.items()])
    return signatureHeader

def createSignedHeader(privateKeyPem: str,nickname: str, \
                       domain: str,port: int, \
                       toDomain: str,toPort: int, \
                       path: str,httpPrefix: str,withDigest: bool, \
                       messageBodyJson: {}) -> {}:
    """Note that the domain is the destination, not the sender
    """
    contentType='application/activity+json'
    headerDomain=toDomain

    if toPort:
        if toPort!=80 and toPort!=443:
            if ':' not in headerDomain:
                headerDomain=headerDomain+':'+str(toPort)

    dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
    if not withDigest:
        headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr}
        signatureHeader = \
            signPostHeaders(dateStr,privateKeyPem,nickname, \
                            domain,port,toDomain,toPort, \
                            path,httpPrefix,None)
    else:
        messageBodyJsonStr=json.dumps(messageBodyJson)
        bodyDigest = \
            base64.b64encode(SHA256.new(messageBodyJsonStr.encode()).digest()).decode('utf-8')
        print('***************************Send (request-target): post '+path)
        print('***************************Send host: '+headerDomain)
        print('***************************Send date: '+dateStr)
        print('***************************Send digest: '+bodyDigest)
        print('***************************Send Content-type: '+contentType)
        print('***************************Send messageBodyJsonStr: '+messageBodyJsonStr)
        headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-type': contentType}
        signatureHeader = \
            signPostHeaders(dateStr,privateKeyPem,nickname, \
                            domain,port, \
                            toDomain,toPort, \
                            path,httpPrefix,messageBodyJson)
    headers['signature'] = signatureHeader
    return headers

def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
                      path: str,GETmethod: bool, \
                      messageBodyJsonStr: str) -> bool:
    """Returns true or false depending on if the key that we plugged in here
    validates against the headers, method, and path.
    publicKeyPem - the public key from an rsa key pair
    headers - should be a dictionary of request headers
    path - the relative url that was requested from this site
    GETmethod - GET or POST
    messageBodyJsonStr - the received request body (used for digest)
    """
    if GETmethod:
        method='GET'
    else:
        method='POST'
        
    publicKeyPem = RSA.import_key(publicKeyPem)
    # Build a dictionary of the signature values
    signatureHeader = headers['signature']
    signatureDict = {
        k: v[1:-1]
        for k, v in [i.split('=', 1) for i in signatureHeader.split(',')]
    }
    print('********************signatureHeader: '+str(signatureHeader))
    print('********************signatureDict: '+str(signatureDict))

    # Unpack the signed headers and set values based on current headers and
    # body (if a digest was included)
    signedHeaderList = []
    for signedHeader in signatureDict['headers'].split(' '):
        if signedHeader == '(request-target)':
            signedHeaderList.append(
                f'(request-target): {method.lower()} {path}')
            print('***************************Verify (request-target): '+method.lower()+' '+path)
        elif signedHeader == 'digest':
            bodyDigest = \
                base64.b64encode(SHA256.new(messageBodyJsonStr.strip().encode()).digest()).decode('utf-8')
            signedHeaderList.append(f'digest: SHA-256={bodyDigest}')
            print('***************************Verify digest: SHA-256='+bodyDigest)
            print('***************************Verify messageBodyJsonStr: '+messageBodyJsonStr)
        else:
            if headers.get(signedHeader):
                print('***************************Verify '+signedHeader+': '+headers[signedHeader])
                signedHeaderList.append(
                    f'{signedHeader}: {headers[signedHeader]}')
            else:
                signedHeaderCap=signedHeader.capitalize()
                print('***************************Verify '+signedHeaderCap+': '+headers[signedHeaderCap])
                if headers.get(signedHeaderCap):
                    signedHeaderList.append(
                        f'{signedHeader}: {headers[signedHeaderCap]}')

    print('***********************signedHeaderList: ')
    pprint(signedHeaderList)
    # Now we have our header data digest
    signedHeaderText = '\n'.join(signedHeaderList)
    print('***********************Verify: signedHeaderText: '+signedHeaderText)
    headerDigest = SHA256.new(signedHeaderText.encode('ascii'))

    # Get the signature, verify with public key, return result
    signature = base64.b64decode(signatureDict['signature'])

    try:
        pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)
        return True
    except (ValueError, TypeError):
        return False
Initial 2019-06-28 18:55:29 +00:00			`__filename__ = "posts.py"`
			`__author__ = "Bob Mottram"`
			`__credits__ = ['lamia']`
			`__license__ = "AGPL3+"`
			`__version__ = "0.0.1"`
			`__maintainer__ = "Bob Mottram"`
			`__email__ = "bob@freedombone.net"`
			`__status__ = "Production"`

Get host from post to inbox 2019-08-15 22:33:42 +00:00			`# see https://tools.ietf.org/html/draft-cavage-http-signatures-06`

Initial 2019-06-28 18:55:29 +00:00			`from Crypto.PublicKey import RSA`
			`from Crypto.Hash import SHA256`
			`#from Crypto.Signature import PKCS1_v1_5`
			`from Crypto.Signature import pkcs1_15`
			`from requests.auth import AuthBase`
			`import base64`
			`import json`
Include date in http signature 2019-08-15 09:08:18 +00:00			`from time import gmtime, strftime`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`from pprint import pprint`
Initial 2019-06-28 18:55:29 +00:00
Fixing http signatures 2019-08-16 13:47:01 +00:00			`def signPostHeaders(dateStr: str,privateKeyPem: str, \`
			`nickname: str, \`
			`domain: str,port: int, \`
			`toDomain: str,toPort: int, \`
			`path: str, \`
Option to use dat urls 2019-07-03 19:00:03 +00:00			`httpPrefix: str, messageBodyJson: {}) -> str:`
Initial 2019-06-28 18:55:29 +00:00			`"""Returns a raw signature string that can be plugged into a header and`
			`used to verify the authenticity of an HTTP transmission.`
			`"""`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`if port:`
			`if port!=80 and port!=443:`
			`if ':' not in domain:`
			`domain=domain+':'+str(port)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00
Fixing http signatures 2019-08-16 13:47:01 +00:00			`if toPort:`
			`if toPort!=80 and toPort!=443:`
			`if ':' not in toDomain:`
			`toDomain=toDomain+':'+str(port)`

			`if not dateStr:`
			`dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())`
Fixing public key lookup 2019-07-04 14:36:29 +00:00			`keyID = httpPrefix+'://'+domain+'/users/'+nickname+'#main-key'`
Initial 2019-06-28 18:55:29 +00:00			`if not messageBodyJson:`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`headers = {'(request-target)': f'post {path}','host': toDomain,'date': dateStr,'content-type': 'application/json'}`
Initial 2019-06-28 18:55:29 +00:00			`else:`
Fix digest encoding 2019-08-16 10:36:41 +00:00			`messageBodyJsonStr=json.dumps(messageBodyJson)`
Tidying 2019-07-02 20:54:22 +00:00			`bodyDigest = \`
Fix digest encoding 2019-08-16 10:36:41 +00:00			`base64.b64encode(SHA256.new(messageBodyJsonStr.encode()).digest()).decode('utf-8')`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`headers = {'(request-target)': f'post {path}','host': toDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-type': 'application/activity+json'}`
Initial 2019-06-28 18:55:29 +00:00			`privateKeyPem = RSA.import_key(privateKeyPem)`
http signature fixes 2019-08-15 21:34:25 +00:00			`#headers.update({`
			`# '(request-target)': f'post {path}',`
			`#})`
Initial 2019-06-28 18:55:29 +00:00			`# build a digest for signing`
			`signedHeaderKeys = headers.keys()`
			`signedHeaderText = ''`
			`for headerKey in signedHeaderKeys:`
			`signedHeaderText += f'{headerKey}: {headers[headerKey]}\n'`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print(f'*********************signing: headerKey: {headerKey}: {headers[headerKey]}')`
Initial 2019-06-28 18:55:29 +00:00			`signedHeaderText = signedHeaderText.strip()`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('******************************Send: signedHeaderText: '+signedHeaderText)`
Initial 2019-06-28 18:55:29 +00:00			`headerDigest = SHA256.new(signedHeaderText.encode('ascii'))`

			`# Sign the digest`
			`rawSignature = pkcs1_15.new(privateKeyPem).sign(headerDigest)`
			`signature = base64.b64encode(rawSignature).decode('ascii')`

			`# Put it into a valid HTTP signature format`
			`signatureDict = {`
			`'keyId': keyID,`
			`'algorithm': 'rsa-sha256',`
			`'headers': ' '.join(signedHeaderKeys),`
			`'signature': signature`
			`}`
			`signatureHeader = ','.join(`
			`[f'{k}="{v}"' for k, v in signatureDict.items()])`
			`return signatureHeader`

Fixing http signatures 2019-08-16 13:47:01 +00:00			`def createSignedHeader(privateKeyPem: str,nickname: str, \`
			`domain: str,port: int, \`
			`toDomain: str,toPort: int, \`
Option to use dat urls 2019-07-03 19:00:03 +00:00			`path: str,httpPrefix: str,withDigest: bool, \`
Tidying 2019-07-02 20:54:22 +00:00			`messageBodyJson: {}) -> {}:`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`"""Note that the domain is the destination, not the sender`
			`"""`
			`contentType='application/activity+json'`
			`headerDomain=toDomain`
Fix http signature with port number 2019-07-01 09:31:02 +00:00
Fixing http signatures 2019-08-16 13:47:01 +00:00			`if toPort:`
			`if toPort!=80 and toPort!=443:`
			`if ':' not in headerDomain:`
			`headerDomain=headerDomain+':'+str(toPort)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00
Remove date 2019-08-15 18:21:43 +00:00			`dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`if not withDigest:`
http signature fixes 2019-08-15 21:34:25 +00:00			`headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr}`
Fix digest encoding 2019-08-16 10:36:41 +00:00			`signatureHeader = \`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`signPostHeaders(dateStr,privateKeyPem,nickname, \`
			`domain,port,toDomain,toPort, \`
			`path,httpPrefix,None)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`else:`
			`messageBodyJsonStr=json.dumps(messageBodyJson)`
Tidying 2019-07-02 20:54:22 +00:00			`bodyDigest = \`
decode body digest 2019-08-16 09:56:58 +00:00			`base64.b64encode(SHA256.new(messageBodyJsonStr.encode()).digest()).decode('utf-8')`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('***************************Send (request-target): post '+path)`
			`print('***************************Send host: '+headerDomain)`
			`print('***************************Send date: '+dateStr)`
			`print('***************************Send digest: '+bodyDigest)`
			`print('***************************Send Content-type: '+contentType)`
			`print('***************************Send messageBodyJsonStr: '+messageBodyJsonStr)`
			`headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-type': contentType}`
Fix digest encoding 2019-08-16 10:36:41 +00:00			`signatureHeader = \`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`signPostHeaders(dateStr,privateKeyPem,nickname, \`
			`domain,port, \`
			`toDomain,toPort, \`
			`path,httpPrefix,messageBodyJson)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`headers['signature'] = signatureHeader`
			`return headers`

http signature fixes 2019-08-15 21:34:25 +00:00			`def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \`
			`path: str,GETmethod: bool, \`
Tidying 2019-07-02 20:54:22 +00:00			`messageBodyJsonStr: str) -> bool:`
Initial 2019-06-28 18:55:29 +00:00			`"""Returns true or false depending on if the key that we plugged in here`
			`validates against the headers, method, and path.`
			`publicKeyPem - the public key from an rsa key pair`
			`headers - should be a dictionary of request headers`
			`path - the relative url that was requested from this site`
			`GETmethod - GET or POST`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`messageBodyJsonStr - the received request body (used for digest)`
Initial 2019-06-28 18:55:29 +00:00			`"""`
			`if GETmethod:`
			`method='GET'`
			`else:`
			`method='POST'`

			`publicKeyPem = RSA.import_key(publicKeyPem)`
			`# Build a dictionary of the signature values`
			`signatureHeader = headers['signature']`
			`signatureDict = {`
			`k: v[1:-1]`
			`for k, v in [i.split('=', 1) for i in signatureHeader.split(',')]`
			`}`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('********************signatureHeader: '+str(signatureHeader))`
			`print('********************signatureDict: '+str(signatureDict))`
Initial 2019-06-28 18:55:29 +00:00
			`# Unpack the signed headers and set values based on current headers and`
			`# body (if a digest was included)`
			`signedHeaderList = []`
			`for signedHeader in signatureDict['headers'].split(' '):`
			`if signedHeader == '(request-target)':`
			`signedHeaderList.append(`
			`f'(request-target): {method.lower()} {path}')`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('***************************Verify (request-target): '+method.lower()+' '+path)`
Initial 2019-06-28 18:55:29 +00:00			`elif signedHeader == 'digest':`
Tidying 2019-07-02 20:54:22 +00:00			`bodyDigest = \`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`base64.b64encode(SHA256.new(messageBodyJsonStr.strip().encode()).digest()).decode('utf-8')`
Initial 2019-06-28 18:55:29 +00:00			`signedHeaderList.append(f'digest: SHA-256={bodyDigest}')`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('***************************Verify digest: SHA-256='+bodyDigest)`
			`print('***************************Verify messageBodyJsonStr: '+messageBodyJsonStr)`
Initial 2019-06-28 18:55:29 +00:00			`else:`
http signature fixes 2019-08-15 21:34:25 +00:00			`if headers.get(signedHeader):`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('***************************Verify '+signedHeader+': '+headers[signedHeader])`
Exception handling for http signature check 2019-08-15 17:09:17 +00:00			`signedHeaderList.append(`
			`f'{signedHeader}: {headers[signedHeader]}')`
http signature fixes 2019-08-15 21:34:25 +00:00			`else:`
			`signedHeaderCap=signedHeader.capitalize()`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('***************************Verify '+signedHeaderCap+': '+headers[signedHeaderCap])`
http signature fixes 2019-08-15 21:34:25 +00:00			`if headers.get(signedHeaderCap):`
			`signedHeaderList.append(`
			`f'{signedHeader}: {headers[signedHeaderCap]}')`
Initial 2019-06-28 18:55:29 +00:00
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('***********************signedHeaderList: ')`
			`pprint(signedHeaderList)`
Initial 2019-06-28 18:55:29 +00:00			`# Now we have our header data digest`
			`signedHeaderText = '\n'.join(signedHeaderList)`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`print('***********************Verify: signedHeaderText: '+signedHeaderText)`
Initial 2019-06-28 18:55:29 +00:00			`headerDigest = SHA256.new(signedHeaderText.encode('ascii'))`

			`# Get the signature, verify with public key, return result`
			`signature = base64.b64decode(signatureDict['signature'])`

			`try:`
			`pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)`
			`return True`
			`except (ValueError, TypeError):`
			`return False`