Debug in http signature verification

merge-requests/3/head
Bob Mottram 2019-11-12 15:03:17 +00:00
parent fd8f696f2e
commit 127a60280f
4 changed files with 26 additions and 7 deletions


@ -244,7 +244,8 @@ class PubServer(BaseHTTPRequestHandler):
if verifyPostHeaders(self.server.httpPrefix, \
pubKey,self.headers, \
self.path,True, \
GETrequestDigest,GETrequestBody):
GETrequestDigest, \
GETrequestBody,debug):
return True
return False
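Review bot: `debug` is passed as a bare name on the new line `GETrequestBody,debug):`, while every neighbouring argument is reached through `self` (`self.server.httpPrefix`, `self.headers`, `self.path`); unless the enclosing method binds `debug` itself or it is a module global, the first GET whose signature is checked raises NameError instead of falling through to `return False`. If the flag lives on the server object like the prefix does, the line should read `GETrequestBody, self.server.debug):`. The enclosing method starts outside the hunk, so the binding cannot be confirmed from here.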


@ -141,7 +141,7 @@ def verifyRecentSignature(signedDateStr: str) -> bool:
def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
path: str,GETmethod: bool, \
messageBodyDigest: str, \
messageBodyJsonStr: str) -> bool:
messageBodyJsonStr: str,debug: bool) -> bool:
"""Returns true or false depending on if the key that we plugged in here
validates against the headers, method, and path.
publicKeyPem - the public key from an rsa key pair
@ -156,6 +156,9 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
else:
method='POST'
if debug:
print('DEBUG: verifyPostHeaders '+method)
publicKeyPem = RSA.import_key(publicKeyPem)
# Build a dictionary of the signature values
signatureHeader = headers['signature']
@ -170,7 +173,11 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
# body (if a digest was included)
signedHeaderList = []
contentLength=len(messageBodyJsonStr)
if debug:
print('DEBUG: verifyPostHeaders contentLength='+str(contentLength))
for signedHeader in signatureDict['headers'].split(' '):
if debug:
print('DEBUG: verifyPostHeaders signedHeader='+signedHeader)
if signedHeader == '(request-target)':
signedHeaderList.append(
f'(request-target): {method.lower()} {path}')
@ -187,9 +194,13 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
if headers.get(signedHeader):
if signedHeader=='content-length':
if int(headers[signedHeader])!=contentLength:
if debug:
print('DEBUG: verifyPostHeaders content-length does not match '+headers[signedHeader]+' != '+str(contentLength))
return False
if signedHeader=='date':
if not verifyRecentSignature(headers[signedHeader]):
if debug:
print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])
return False
#print('***************************Verify '+signedHeader+': '+headers[signedHeader])
signedHeaderList.append(
@ -198,9 +209,13 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
signedHeaderCap=signedHeader.capitalize()
if signedHeaderCap=='Content-Length':
if int(headers[signedHeader])!=contentLength:
if debug:
print('DEBUG: verifyPostHeaders Content-Length does not match '+headers[signedHeader]+' != '+str(contentLength))
return False
if signedHeaderCap=='Date':
if not verifyRecentSignature(headers[signedHeaderCap]):
if debug:
print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])
return False
#print('***************************Verify '+signedHeaderCap+': '+headers[signedHeaderCap])
if headers.get(signedHeaderCap):
@ -221,4 +236,6 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)
return True
except (ValueError, TypeError):
if debug:
print('DEBUG: verifyPostHeaders pkcs1_15 verify failure')
return False
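Review bot: In the capitalized-header branch the check `if not verifyRecentSignature(headers[signedHeaderCap]):` reads the `Date` key, but the new debug line directly below it reads `headers[signedHeader]`, the lowercase key; when only the capitalized header is present — which, judging by the `headers.get(signedHeaderCap)` test that follows, is the case this branch handles — enabling debug turns a clean `return False` for a stale signature into a KeyError. The print should use the same key as the check: `print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeaderCap])`. The corresponding message in the lowercase branch is consistent with its check and needs no change. These new debug lines also write remote-supplied header values straight to stdout, so if debug is ever enabled in a deployment, wrapping the value in `repr()` would keep a crafted `Date` or `Content-Length` from injecting newlines into the log. The body of verifyPostHeaders is split across several hunks here, with context omitted between them.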


@ -1854,7 +1854,8 @@ def runInboxQueue(projectVersion: str, \
queueJson['httpHeaders'], \
queueJson['path'],False, \
queueJson['digest'], \
json.dumps(queueJson['post'])):
json.dumps(queueJson['post']), \
debug):
if debug:
print('DEBUG: Header signature check failed')
if os.path.isfile(queueFilename):


@ -124,13 +124,13 @@ def testHttpsigBase(withDigest):
headers['signature'] = signatureHeader
assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
boxpath,False,None, \
messageBodyJsonStr)
messageBodyJsonStr,False)
assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
'/parambulator'+boxpath,False,None, \
messageBodyJsonStr) == False
messageBodyJsonStr,False) == False
assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
boxpath,True,None, \
messageBodyJsonStr) == False
messageBodyJsonStr,False) == False
if not withDigest:
# fake domain
headers = {'host': 'bogon.domain','date': dateStr,'content-type': 'application/json'}
@ -142,7 +142,7 @@ def testHttpsigBase(withDigest):
headers['signature'] = signatureHeader
assert verifyPostHeaders(httpPrefix,publicKeyPem,headers, \
boxpath,True,None, \
messageBodyJsonStr) == False
messageBodyJsonStr,False) == False
os.chdir(baseDir)
shutil.rmtree(path)