From 6855366b4cd26dd04bda0a36c10d5972312d7556 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 15 Aug 2019 19:21:43 +0100
Subject: [PATCH] Remove date
---
 httpsig.py | 14 +++++++++-----
 tests.py | 10 ++++++----
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/httpsig.py b/httpsig.py
index 6c9477280..7d2af3cd2 100644
--- a/httpsig.py
+++ b/httpsig.py
@@ -25,13 +25,14 @@ def signPostHeaders(privateKeyPem: str, nickname: str, domain: str, \
 if port!=80 and port!=443:
 domain=domain+':'+str(port)
+ dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
 keyID = httpPrefix+'://'+domain+'/users/'+nickname+'#main-key'
 if not messageBodyJson:
 headers = {'host': domain}
 else:
 bodyDigest = \
 base64.b64encode(SHA256.new(messageBodyJson.encode()).digest())
- headers = {'host': domain, 'date': strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime()),'digest': f'SHA-256={bodyDigest}'}
+ headers = {'host': domain,'digest': f'SHA-256={bodyDigest}'}
 privateKeyPem = RSA.import_key(privateKeyPem)
 headers.update({
 '(request-target)': f'post {path}',
@@ -52,11 +53,13 @@ def signPostHeaders(privateKeyPem: str, nickname: str, domain: str, \
 signatureDict = {
 'keyId': keyID,
 'algorithm': 'rsa-sha256',
+# 'date': dateStr,
 'headers': ' '.join(signedHeaderKeys),
 'signature': signature
 }
 signatureHeader = ','.join(
 [f'{k}="{v}"' for k, v in signatureDict.items()])
+# print('signatureHeader: '+str(signatureHeader))
 return signatureHeader
 def createSignedHeader(privateKeyPem: str,nickname: str,domain: str,port: int, \
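Review bot: With `'date'` dropped from `headers` in the body branch of signPostHeaders, the signed set visible here is host, digest and (request-target), so the signature no longer binds a timestamp and a captured signed request cannot be distinguished from a fresh one. The new `dateStr` is computed on every call, but its only use is the commented-out `# 'date': dateStr,` in the second hunk, where it would not belong anyway: the date is a signed header, not a parameter of the Signature header. I would keep it signed in both branches, e.g. `headers = {'host': domain, 'date': dateStr, 'digest': f'SHA-256={bodyDigest}'}`, and delete the two commented-out lines. The code that builds `signedHeaderKeys` lies between the two hunks and is not shown, so this assumes it is derived from `headers`.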
@@ -67,16 +70,18 @@ def createSignedHeader(privateKeyPem: str,nickname: str,domain: str,port: int, \
 if port!=80 and port!=443:
 headerDomain=headerDomain+':'+str(port)
+ dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
 if not withDigest:
 headers = {'host': headerDomain}
 else:
 messageBodyJsonStr=json.dumps(messageBodyJson)
 bodyDigest = \
 base64.b64encode(SHA256.new(messageBodyJsonStr.encode()).digest())
- headers = {'host': headerDomain, 'date': strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime()), 'digest': f'SHA-256={bodyDigest}'}
+ headers = {'host': headerDomain, 'digest': f'SHA-256={bodyDigest}'}
 path='/inbox'
 signatureHeader = signPostHeaders(privateKeyPem, nickname, domain, port, \
 path, httpPrefix, None)
+ headers['date'] = dateStr
 headers['signature'] = signatureHeader
 headers['Content-type'] = 'application/json'
 return headers
@@ -115,9 +120,8 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict, \
 elif signedHeader.lower() == 'content-type':
 continue
 elif signedHeader == 'date':
- dateJson=messageBodyJsonStr.encode()
- print('*********************date: '+str(dateJson))
- #signedHeaderList.append(f'date: SHA-256={dateStr}')
+ signedHeaderList.append(f'date: {date}')
+ continue
 elif signedHeader == 'digest':
 bodyDigest = \
 base64.b64encode(SHA256.new(messageBodyJsonStr.encode()).digest())
diff --git a/tests.py b/tests.py
index 766093117..e973bbdad 100644
--- a/tests.py
+++ b/tests.py
@@ -11,6 +11,7 @@ import time
 import os, os.path
 import shutil
 import commentjson
+from time import gmtime, strftime
 from pprint import pprint
 from person import createPerson
 from Crypto.Hash import SHA256
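Review bot: `headers['date'] = dateStr` is assigned after signPostHeaders has returned, so the Date header is sent without being covered by the signature and a verifier cannot tell whether it was altered in transit. The same appears to hold for the digest in this function, because the signing call passes `None` as the message body. If the date is meant to be authenticated, the value has to be handed to the signer and be the same string that is sent; signPostHeaders computes its own `dateStr`, which can differ from this one across a second boundary. createSignedHeader begins above the hunk; until the signing is changed I would at least mark the assignment with `# NOTE: date is attached after signing and is not covered by the signature`.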
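Review bot: In the `date` branch, `f'date: {date}'` refers to a name `date` that is not assigned anywhere in this hunk; unless it is defined earlier in verifyPostHeaders, which starts above the hunk, this raises NameError as soon as a peer lists `date` among its signed headers. The value should come from the received request, `signedHeaderList.append(f'date: {headers["date"]}')`, with a missing header treated as a verification failure rather than an exception. Rebuilding the signed string is also the natural place to reject a Date that is too far from the current time; nothing visible here bounds its age, so that check is worth adding or documenting as deliberately absent.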
@@ -81,18 +82,19 @@ def testHttpsigBase(withDigest):
 privateKeyPem,publicKeyPem,person,wfEndpoint= \
 createPerson(path,nickname,domain,port,httpPrefix,False,password)
 assert privateKeyPem
- messageBodyJsonStr = '{"a key": "a value", "another key": "A string"}'
+ messageBodyJsonStr = '{"a key": "a value", "another key": "A string","yet another key": "A string"}'
 headersDomain=domain
 if port!=80 and port !=443:
 headersDomain=domain+':'+str(port)
+ dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
 if not withDigest:
 headers = {'host': headersDomain}
 else:
 bodyDigest = \
 base64.b64encode(SHA256.new(messageBodyJsonStr.encode()).digest())
- headers = {'host': headersDomain, 'digest': f'SHA-256={bodyDigest}'}
+ headers = {'host': headersDomain, 'date': dateStr, 'digest': f'SHA-256={bodyDigest}'}
 boxpath='/inbox'
 signatureHeader = \
@@ -109,9 +111,9 @@ def testHttpsigBase(withDigest):
 headers = {'host': 'bogon.domain'}
 else:
 # correct domain but fake message
- messageBodyJsonStr = '{"a key": "a value", "another key": "Fake GNUs"}'
+ messageBodyJsonStr = '{"a key": "a value", "another key": "Fake GNUs", "yet another key": "Fake GNUs"}'
 bodyDigest = base64.b64encode(SHA256.new(messageBodyJsonStr.encode()).digest())
- headers = {'host': domain, 'date': dateStr, 'digest': f'SHA-256={bodyDigest}'}
+ headers = {'host': domain, 'date': dateStr, 'digest': f'SHA-256={bodyDigest}'}
 headers['signature'] = signatureHeader
 assert verifyPostHeaders(httpPrefix, publicKeyPem, headers, \
 '/inbox', True, messageBodyJsonStr) == False
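Review bot: Adding `'date': dateStr` to the test headers does not exercise the date path: going by the httpsig.py hunks, signPostHeaders no longer puts date into the signed header set, so verifyPostHeaders would not reach its `date` branch in either the positive case here or the negative case in the second hunk. `dateStr` is also placed in `headers` only on the digest branch, which leaves the `withDigest=False` run without a date at all. A case that signs with a date and then verifies with a changed one, expecting `False`, would pin the intended behaviour. The signing call continues past the end of the first hunk, so its arguments are not visible here.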