Allow for varying http signature verification algorithms

main
Bob Mottram 2021-09-01 15:42:43 +01:00
parent d04d047b64
commit 196c8aba14
1 changed files with 16 additions and 6 deletions


@ -310,6 +310,7 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
# Unpack the signed headers and set values based on current headers and # Unpack the signed headers and set values based on current headers and
# body (if a digest was included) # body (if a digest was included)
signedHeaderList = [] signedHeaderList = []
algorithm = 'rsa-sha256'
for signedHeader in signatureDict[requestTargetKey].split(fieldSep2): for signedHeader in signatureDict[requestTargetKey].split(fieldSep2):
signedHeader = signedHeader.strip() signedHeader = signedHeader.strip()
if debug: if debug:
@ -328,6 +329,9 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
# if ')' in appendStr: # if ')' in appendStr:
# appendStr = appendStr.split(')')[0] # appendStr = appendStr.split(')')[0]
signedHeaderList.append(appendStr) signedHeaderList.append(appendStr)
elif signedHeader == 'algorithm':
if headers.get(signedHeader):
algorithm = headers[signedHeader]
elif signedHeader == 'digest': elif signedHeader == 'digest':
if messageBodyDigest: if messageBodyDigest:
bodyDigest = messageBodyDigest bodyDigest = messageBodyDigest
@ -402,7 +406,6 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
print('DEBUG: signedHeaderList: ' + str(signedHeaderList)) print('DEBUG: signedHeaderList: ' + str(signedHeaderList))
# Now we have our header data digest # Now we have our header data digest
signedHeaderText = '\n'.join(signedHeaderList) signedHeaderText = '\n'.join(signedHeaderList)
headerDigest = getSHA256(signedHeaderText.encode('ascii'))
# Get the signature, verify with public key, return result # Get the signature, verify with public key, return result
signature = None signature = None
@ -419,12 +422,19 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
# Original Mastodon signature # Original Mastodon signature
signature = base64.b64decode(signatureDict['signature']) signature = base64.b64decode(signatureDict['signature'])
# If extra signing algorithms need to be added then do it here
if algorithm == 'rsa-sha256':
headerDigest = getSHA256(signedHeaderText.encode('ascii'))
paddingStr = padding.PKCS1v15()
alg = hazutils.Prehashed(hashes.SHA256())
else:
print('Unknown http signature algorithm: ' + algorithm)
paddingStr = padding.PKCS1v15()
alg = hazutils.Prehashed(hashes.SHA256())
headerDigest = ''
try: try:
pubkey.verify( pubkey.verify(signature, headerDigest, paddingStr, alg)
signature,
headerDigest,
padding.PKCS1v15(),
hazutils.Prehashed(hashes.SHA256()))
return True return True
except BaseException: except BaseException:
if debug: if debug:
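Review bot: In the last hunk, the `else` branch for an unrecognised algorithm still reaches `pubkey.verify` with `headerDigest = ''`, so the request is rejected only if that call raises and `except BaseException` catches it (presumably what happens with a `str` digest); the branch should fail closed on its own by printing the message and then `return False`. The `algorithm` value is read from `headers[signedHeader]` in the second hunk, which the sender controls, so it should be matched against a fixed allowlist of accepted schemes; that branch also appends nothing to `signedHeaderList`, so a sender that lists `algorithm` among its signed headers will presumably never verify. The `print` of the unknown value is unconditional rather than under `if debug:`, which lets a remote peer write arbitrary text into the log. The body of `verifyPostHeaders` starts and ends outside the hunks shown, so the return path after the `except` is not visible here.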