From 127a60280f5d04a1c0eb21e59e6ad77240dad620 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 12 Nov 2019 15:03:17 +0000
Subject: [PATCH] Debug in http signature verification
---
 daemon.py | 3 ++-
 httpsig.py | 19 ++++++++++++++++++-
 inbox.py | 3 ++-
 tests.py | 8 ++++----
 4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/daemon.py b/daemon.py
index 26ad6db6e..e39a6454e 100644
--- a/daemon.py
+++ b/daemon.py
@@ -244,7 +244,8 @@ class PubServer(BaseHTTPRequestHandler):
 if verifyPostHeaders(self.server.httpPrefix, \
 pubKey,self.headers, \
 self.path,True, \
- GETrequestDigest,GETrequestBody):
+ GETrequestDigest, \
+ GETrequestBody,debug):
 return True
 return False
diff --git a/httpsig.py b/httpsig.py
index 112d2808b..87cbf3640 100644
--- a/httpsig.py
+++ b/httpsig.py
@@ -141,7 +141,7 @@ def verifyRecentSignature(signedDateStr: str) -> bool:
 def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 path: str,GETmethod: bool, \
 messageBodyDigest: str, \
- messageBodyJsonStr: str) -> bool:
+ messageBodyJsonStr: str,debug: bool) -> bool:
 """Returns true or false depending on if the key that we plugged in here
 validates against the headers, method, and path.
 publicKeyPem - the public key from an rsa key pair
@@ -155,6 +155,9 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 method='GET'
 else:
 method='POST'
+
+ if debug:
+ print('DEBUG: verifyPostHeaders '+method)
 publicKeyPem = RSA.import_key(publicKeyPem)
 # Build a dictionary of the signature values
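Review bot: The new `debug: bool` parameter in the `@@ -141,7 +141,7 @@` hunk is added as a required positional argument, but the docstring that begins in the same hunk (`publicKeyPem - the public key from an rsa key pair`) is not extended to describe it; add a line such as `debug - if True, print DEBUG: lines for each verification step to stdout`. Giving it a default, `messageBodyJsonStr: str,debug: bool=False) -> bool:`, would also keep any caller outside the four files in the diffstat working, since a call with the old arity now raises TypeError. The body of verifyPostHeaders continues past this hunk into the following ones.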
@@ -170,7 +173,11 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 # body (if a digest was included)
 signedHeaderList = []
 contentLength=len(messageBodyJsonStr)
+ if debug:
+ print('DEBUG: verifyPostHeaders contentLength='+str(contentLength))
 for signedHeader in signatureDict['headers'].split(' '):
+ if debug:
+ print('DEBUG: verifyPostHeaders signedHeader='+signedHeader)
 if signedHeader == '(request-target)':
 signedHeaderList.append(
 f'(request-target): {method.lower()} {path}')
@@ -187,9 +194,13 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 if headers.get(signedHeader):
 if signedHeader=='content-length':
 if int(headers[signedHeader])!=contentLength:
+ if debug:
+ print('DEBUG: verifyPostHeaders content-length does not match '+headers[signedHeader]+' != '+str(contentLength))
 return False
 if signedHeader=='date':
 if not verifyRecentSignature(headers[signedHeader]):
+ if debug:
+ print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])
 return False
 #print('***************************Verify '+signedHeader+': '+headers[signedHeader])
 signedHeaderList.append(
@@ -198,9 +209,13 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 signedHeaderCap=signedHeader.capitalize()
 if signedHeaderCap=='Content-Length':
 if int(headers[signedHeader])!=contentLength:
+ if debug:
+ print('DEBUG: verifyPostHeaders Content-Length does not match '+headers[signedHeader]+' != '+str(contentLength))
 return False
 if signedHeaderCap=='Date':
 if not verifyRecentSignature(headers[signedHeaderCap]):
+ if debug:
+ print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])
 return False
 #print('***************************Verify '+signedHeaderCap+': '+headers[signedHeaderCap])
 if headers.get(signedHeaderCap):
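Review bot: In the `@@ -198,9 +209,13 @@` hunk the recency check reads `headers[signedHeaderCap]` but the debug line added directly under it reads `headers[signedHeader]`; if this branch is only reached when `headers.get(signedHeader)` was falsy (as the `@@ -187` hunk's structure suggests, though the `else:` itself falls between the two hunks), the new print raises KeyError instead of the function returning False, so with debug enabled a capitalised `Date` header that fails the recency check turns a clean rejection into an unhandled exception. Change it to `print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeaderCap])`. The Content-Length print in the same hunk copies the pre-existing `int(headers[signedHeader])` lookup, so that inconsistency predates this commit. All four new prints in these hunks echo raw request header values to stdout; wrapping the value in `repr()` would keep control characters from an as-yet-unverified sender out of the log stream.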
@@ -221,4 +236,6 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)
 return True
 except (ValueError, TypeError):
+ if debug:
+ print('DEBUG: verifyPostHeaders pkcs1_15 verify failure')
 return False
diff --git a/inbox.py b/inbox.py
index ec97c161c..42efe4fe3 100644
--- a/inbox.py
+++ b/inbox.py
@@ -1854,7 +1854,8 @@ def runInboxQueue(projectVersion: str, \
 queueJson['httpHeaders'], \
 queueJson['path'],False, \
 queueJson['digest'], \
- json.dumps(queueJson['post'])):
+ json.dumps(queueJson['post']), \
+ debug):
 if debug:
 print('DEBUG: Header signature check failed')
 if os.path.isfile(queueFilename):
diff --git a/tests.py b/tests.py
index 32ac7fdcd..b1073ca86 100644
--- a/tests.py
+++ b/tests.py
@@ -124,13 +124,13 @@ def testHttpsigBase(withDigest):
 headers['signature'] = signatureHeader
 assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
 boxpath,False,None, \
- messageBodyJsonStr)
+ messageBodyJsonStr,False)
 assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
 '/parambulator'+boxpath,False,None, \
- messageBodyJsonStr) == False
+ messageBodyJsonStr,False) == False
 assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
 boxpath,True,None, \
- messageBodyJsonStr) == False
+ messageBodyJsonStr,False) == False
 if not withDigest:
 # fake domain
 headers = {'host': 'bogon.domain','date': dateStr,'content-type': 'application/json'}
@@ -142,7 +142,7 @@ def testHttpsigBase(withDigest):
 headers['signature'] = signatureHeader
 assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
 boxpath,True,None, \
- messageBodyJsonStr) == False
+ messageBodyJsonStr,False) == False
 os.chdir(baseDir)
 shutil.rmtree(path)
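Review bot: The debug message added under `except (ValueError, TypeError):` names pkcs1_15 as the failure, but that clause covers everything inside the `try` (whose start is outside the hunk), and a ValueError from any other statement in it, for instance the `int(headers[...])` conversions in the earlier hunks if they sit inside the try, would be reported with the same text. Binding the exception, `except (ValueError, TypeError) as e:` and `print('DEBUG: verifyPostHeaders verify failure: '+str(e))`, records which check actually failed without changing the False return. The inbox.py and tests.py hunks only thread the new argument through.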