Debug in http signature verification

merge-requests/3/head
Bob Mottram 2019-11-12 15:03:17 +00:00
parent fd8f696f2e
commit 127a60280f
4 changed files with 26 additions and 7 deletions


@ -244,7 +244,8 @@ class PubServer(BaseHTTPRequestHandler):
if verifyPostHeaders(self.server.httpPrefix, \ if verifyPostHeaders(self.server.httpPrefix, \
pubKey,self.headers, \ pubKey,self.headers, \
self.path,True, \ self.path,True, \
GETrequestDigest,GETrequestBody): GETrequestDigest, \
GETrequestBody,debug):
return True return True
return False return False
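Review bot: The new argument is passed as a bare name `debug`, while the other server-level setting in the same call is read as `self.server.httpPrefix`; unless this handler method binds a local `debug` earlier (the method begins outside the hunk, so I cannot see it), the name is undefined at request time and the verification path would raise NameError instead of returning a result. If the flag lives on the server object, the line should read `GETrequestBody,self.server.debug):`, matching how `httpPrefix` is obtained on the first line of the call. Worth a quick check of the enclosing method's scope before merging, since this sits on the inbound signature-check path.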


@ -141,7 +141,7 @@ def verifyRecentSignature(signedDateStr: str) -> bool:
def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
path: str,GETmethod: bool, \ path: str,GETmethod: bool, \
messageBodyDigest: str, \ messageBodyDigest: str, \
messageBodyJsonStr: str) -> bool: messageBodyJsonStr: str,debug: bool) -> bool:
"""Returns true or false depending on if the key that we plugged in here """Returns true or false depending on if the key that we plugged in here
validates against the headers, method, and path. validates against the headers, method, and path.
publicKeyPem - the public key from an rsa key pair publicKeyPem - the public key from an rsa key pair
@ -156,6 +156,9 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
else: else:
method='POST' method='POST'
if debug:
print('DEBUG: verifyPostHeaders '+method)
publicKeyPem = RSA.import_key(publicKeyPem) publicKeyPem = RSA.import_key(publicKeyPem)
# Build a dictionary of the signature values # Build a dictionary of the signature values
signatureHeader = headers['signature'] signatureHeader = headers['signature']
@ -170,7 +173,11 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
# body (if a digest was included) # body (if a digest was included)
signedHeaderList = [] signedHeaderList = []
contentLength=len(messageBodyJsonStr) contentLength=len(messageBodyJsonStr)
if debug:
print('DEBUG: verifyPostHeaders contentLength='+str(contentLength))
for signedHeader in signatureDict['headers'].split(' '): for signedHeader in signatureDict['headers'].split(' '):
if debug:
print('DEBUG: verifyPostHeaders signedHeader='+signedHeader)
if signedHeader == '(request-target)': if signedHeader == '(request-target)':
signedHeaderList.append( signedHeaderList.append(
f'(request-target): {method.lower()} {path}') f'(request-target): {method.lower()} {path}')
@ -187,9 +194,13 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
if headers.get(signedHeader): if headers.get(signedHeader):
if signedHeader=='content-length': if signedHeader=='content-length':
if int(headers[signedHeader])!=contentLength: if int(headers[signedHeader])!=contentLength:
if debug:
print('DEBUG: verifyPostHeaders content-length does not match '+headers[signedHeader]+' != '+str(contentLength))
return False return False
if signedHeader=='date': if signedHeader=='date':
if not verifyRecentSignature(headers[signedHeader]): if not verifyRecentSignature(headers[signedHeader]):
if debug:
print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])
return False return False
#print('***************************Verify '+signedHeader+': '+headers[signedHeader]) #print('***************************Verify '+signedHeader+': '+headers[signedHeader])
signedHeaderList.append( signedHeaderList.append(
@ -198,9 +209,13 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
signedHeaderCap=signedHeader.capitalize() signedHeaderCap=signedHeader.capitalize()
if signedHeaderCap=='Content-Length': if signedHeaderCap=='Content-Length':
if int(headers[signedHeader])!=contentLength: if int(headers[signedHeader])!=contentLength:
if debug:
print('DEBUG: verifyPostHeaders Content-Length does not match '+headers[signedHeader]+' != '+str(contentLength))
return False return False
if signedHeaderCap=='Date': if signedHeaderCap=='Date':
if not verifyRecentSignature(headers[signedHeaderCap]): if not verifyRecentSignature(headers[signedHeaderCap]):
if debug:
print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])
return False return False
#print('***************************Verify '+signedHeaderCap+': '+headers[signedHeaderCap]) #print('***************************Verify '+signedHeaderCap+': '+headers[signedHeaderCap])
if headers.get(signedHeaderCap): if headers.get(signedHeaderCap):
@ -221,4 +236,6 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
pkcs1_15.new(publicKeyPem).verify(headerDigest, signature) pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)
return True return True
except (ValueError, TypeError): except (ValueError, TypeError):
if debug:
print('DEBUG: verifyPostHeaders pkcs1_15 verify failure')
return False return False
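Review bot: The debug print added after the capitalized-`Date` check indexes `headers[signedHeader]`, but that branch is only reached when `headers.get(signedHeader)` was falsy and the check on the line above reads `headers[signedHeaderCap]`, so with debug enabled a stale Date header in capitalized form raises KeyError rather than returning False; it should be `print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeaderCap])`. The other new prints in this function use the same key the preceding check used, so they are consistent. As a point of style, the rest of the function already uses an f-string for `(request-target)`, so `f'DEBUG: verifyPostHeaders contentLength={contentLength}'` and the like would read more uniformly than the `+str(...)` concatenations. The docstring gained a parameter in the signature but no line for it; adding `debug - if True, print the reason for each verification failure` alongside the `publicKeyPem` entry would keep it complete.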


@ -1854,7 +1854,8 @@ def runInboxQueue(projectVersion: str, \
queueJson['httpHeaders'], \ queueJson['httpHeaders'], \
queueJson['path'],False, \ queueJson['path'],False, \
queueJson['digest'], \ queueJson['digest'], \
json.dumps(queueJson['post'])): json.dumps(queueJson['post']), \
debug):
if debug: if debug:
print('DEBUG: Header signature check failed') print('DEBUG: Header signature check failed')
if os.path.isfile(queueFilename): if os.path.isfile(queueFilename):


@ -124,13 +124,13 @@ def testHttpsigBase(withDigest):
headers['signature'] = signatureHeader headers['signature'] = signatureHeader
assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \ assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
boxpath,False,None, \ boxpath,False,None, \
messageBodyJsonStr) messageBodyJsonStr,False)
assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \ assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
'/parambulator'+boxpath,False,None, \ '/parambulator'+boxpath,False,None, \
messageBodyJsonStr) == False messageBodyJsonStr,False) == False
assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \ assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
boxpath,True,None, \ boxpath,True,None, \
messageBodyJsonStr) == False messageBodyJsonStr,False) == False
if not withDigest: if not withDigest:
# fake domain # fake domain
headers = {'host': 'bogon.domain','date': dateStr,'content-type': 'application/json'} headers = {'host': 'bogon.domain','date': dateStr,'content-type': 'application/json'}
@ -142,7 +142,7 @@ def testHttpsigBase(withDigest):
headers['signature'] = signatureHeader headers['signature'] = signatureHeader
assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \ assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
boxpath,True,None, \ boxpath,True,None, \
messageBodyJsonStr) == False messageBodyJsonStr,False) == False
os.chdir(baseDir) os.chdir(baseDir)
shutil.rmtree(path) shutil.rmtree(path)