indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Using python3-cryptography 

Roughtly 18 times speedup on http signatures
merge-requests/30/head
Bob Mottram 2021-02-04 16:30:32 +00:00
parent f528171090
commit d6f7ad20a3
8 changed files with 42 additions and 32 deletions

3
Dockerfile
View File

@ -3,8 +3,7 @@ ENV DOMAIN=localhost
RUN apt-get update && \ RUN apt-get update && \
apt-get -y install \ apt-get -y install \
imagemagick \ imagemagick \
python3-crypto \ python3-cryptography \
python3-pycryptodome \
python3-dateutil \ python3-dateutil \
python3-idna \ python3-idna \
python3-requests \ python3-requests \

4
README.md
View File

@ -23,7 +23,7 @@ You will need python version 3.7 or later.
On Arch/Parabola: On Arch/Parabola:
``` bash ``` bash
sudo pacman -S tor python-pip python-pysocks python-pycryptodome \ sudo pacman -S tor python-pip python-pysocks python-cryptography \
imagemagick python-requests \ imagemagick python-requests \
perl-image-exiftool python-dateutil \ perl-image-exiftool python-dateutil \
certbot flake8 bandit certbot flake8 bandit
@ -36,7 +36,7 @@ Or on Debian:
sudo apt install -y \ sudo apt install -y \
tor python3-socks imagemagick \ tor python3-socks imagemagick \
python3-setuptools \ python3-setuptools \
python3-crypto python3-pycryptodome \ python3-crypto python3-cryptography \
python3-dateutil \ python3-dateutil \
python3-idna python3-requests \ python3-idna python3-requests \
python3-django-timezone-field \ python3-django-timezone-field \

4
deploy/i2p
View File

@ -60,7 +60,7 @@ fi
echo 'Adding Epicyon dependencies' echo 'Adding Epicyon dependencies'
if [ -f /usr/bin/pacman ]; then if [ -f /usr/bin/pacman ]; then
pacman -Syy pacman -Syy
pacman -S --noconfirm python-pip python-pysocks python-pycryptodome \ pacman -S --noconfirm python-pip python-pysocks python-cryptography \
imagemagick python-pillow python-requests \ imagemagick python-pillow python-requests \
perl-image-exiftool python-numpy python-dateutil \ perl-image-exiftool python-numpy python-dateutil \
certbot flake8 git i2pd wget qrencode \ certbot flake8 git i2pd wget qrencode \
@ -68,7 +68,7 @@ if [ -f /usr/bin/pacman ]; then
pip3 install pyLD pyqrcode pypng pip3 install pyLD pyqrcode pypng
else else
apt-get update apt-get update
apt-get -y install imagemagick python3-crypto python3-pycryptodome \ apt-get -y install imagemagick python3-crypto python3-cryptography \
python3-dateutil python3-idna python3-requests \ python3-dateutil python3-idna python3-requests \
python3-numpy python3-pil.imagetk python3-pip \ python3-numpy python3-pil.imagetk python3-pip \
python3-setuptools python3-socks python3-idna \ python3-setuptools python3-socks python3-idna \

4
deploy/onion
View File

@ -35,14 +35,14 @@ EPICYON_PORT=7157
echo 'Adding Epicyon dependencies' echo 'Adding Epicyon dependencies'
if [ -f /usr/bin/pacman ]; then if [ -f /usr/bin/pacman ]; then
pacman -Syy pacman -Syy
pacman -S --noconfirm tor python-pip python-pysocks python-pycryptodome \ pacman -S --noconfirm tor python-pip python-pysocks python-cryptography \
imagemagick python-pillow python-requests \ imagemagick python-pillow python-requests \
perl-image-exiftool python-numpy python-dateutil \ perl-image-exiftool python-numpy python-dateutil \
certbot flake8 git qrencode bandit certbot flake8 git qrencode bandit
pip3 install pyLD pyqrcode pypng pip3 install pyLD pyqrcode pypng
else else
apt-get update apt-get update
apt-get -y install imagemagick python3-crypto python3-pycryptodome \ apt-get -y install imagemagick python3-crypto python3-cryptography \
python3-dateutil python3-idna python3-requests \ python3-dateutil python3-idna python3-requests \
python3-numpy python3-pil.imagetk python3-pip \ python3-numpy python3-pil.imagetk python3-pip \
python3-setuptools python3-socks python3-idna \ python3-setuptools python3-socks python3-idna \

2
gemini/EN/install.gmi
View File

@ -4,7 +4,7 @@ You will need python version 3.7 or later.
On a Debian based system: On a Debian based system:
sudo apt install -y tor python3-socks imagemagick python3-setuptools python3-crypto python3-pycryptodome python3-dateutil python3-idna python3-requests python3-flake8 python3-django-timezone-field python3-pyqrcode python3-png python3-bandit libimage-exiftool-perl certbot nginx wget sudo apt install -y tor python3-socks imagemagick python3-setuptools python3-crypto python3-cryptography python3-dateutil python3-idna python3-requests python3-flake8 python3-django-timezone-field python3-pyqrcode python3-png python3-bandit libimage-exiftool-perl certbot nginx wget
The following instructions install Epicyon to the /opt directory. It's not essential that it be installed there, and it could be in any other preferred directory. The following instructions install Epicyon to the /opt directory. It's not essential that it be installed there, and it could be in any other preferred directory.

53
httpsig.py
View File

@ -1,4 +1,4 @@
__filename__ = "posts.py" __filename__ = "httpsig.py"
__author__ = "Bob Mottram" __author__ = "Bob Mottram"
__credits__ = ['lamia'] __credits__ = ['lamia']
__license__ = "AGPL3+" __license__ = "AGPL3+"
@ -9,26 +9,28 @@ __status__ = "Production"
# see https://tools.ietf.org/html/draft-cavage-http-signatures-06 # see https://tools.ietf.org/html/draft-cavage-http-signatures-06
try: from cryptography.hazmat.backends import default_backend
from Cryptodome.PublicKey import RSA from cryptography.hazmat.primitives.serialization import load_pem_private_key
from Cryptodome.Hash import SHA256 from cryptography.hazmat.primitives.serialization import load_pem_public_key
from Cryptodome.Signature import pkcs1_15 from cryptography.hazmat.primitives.asymmetric import padding
except ImportError: from cryptography.hazmat.primitives import hashes
from Crypto.PublicKey import RSA from cryptography.hazmat.primitives.asymmetric import utils as hazutils
from Crypto.Hash import SHA256
# from Crypto.Signature import PKCS1_v1_5
from Crypto.Signature import pkcs1_15
import base64 import base64
from time import gmtime, strftime from time import gmtime, strftime
import datetime import datetime
from utils import getFullDomain from utils import getFullDomain
def _getSHA256(msg: str):
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(msg)
return digest.finalize()
def messageContentDigest(messageBodyJsonStr: str) -> str: def messageContentDigest(messageBodyJsonStr: str) -> str:
msg = messageBodyJsonStr.encode('utf-8') msg = messageBodyJsonStr.encode('utf-8')
digestStr = SHA256.new(msg).digest() hashResult = _getSHA256(msg)
return base64.b64encode(digestStr).decode('utf-8') return base64.b64encode(hashResult).decode('utf-8')
def signPostHeaders(dateStr: str, privateKeyPem: str, def signPostHeaders(dateStr: str, privateKeyPem: str,
@ -66,7 +68,8 @@ def signPostHeaders(dateStr: str, privateKeyPem: str,
'content-type': 'application/activity+json', 'content-type': 'application/activity+json',
'content-length': str(contentLength) 'content-length': str(contentLength)
} }
privateKeyPem = RSA.import_key(privateKeyPem) key = load_pem_private_key(privateKeyPem.encode('utf-8'),
None, backend=default_backend())
# headers.update({ # headers.update({
# '(request-target)': f'post {path}', # '(request-target)': f'post {path}',
# }) # })
@ -76,10 +79,14 @@ def signPostHeaders(dateStr: str, privateKeyPem: str,
for headerKey in signedHeaderKeys: for headerKey in signedHeaderKeys:
signedHeaderText += f'{headerKey}: {headers[headerKey]}\n' signedHeaderText += f'{headerKey}: {headers[headerKey]}\n'
signedHeaderText = signedHeaderText.strip() signedHeaderText = signedHeaderText.strip()
headerDigest = SHA256.new(signedHeaderText.encode('ascii')) # signedHeaderText.encode('ascii') matches
headerDigest = _getSHA256(signedHeaderText.encode('ascii'))
# print('headerDigest2: ' + str(headerDigest))
# Sign the digest # Sign the digest
rawSignature = pkcs1_15.new(privateKeyPem).sign(headerDigest) rawSignature = key.sign(headerDigest,
padding.PKCS1v15(),
hazutils.Prehashed(hashes.SHA256()))
signature = base64.b64encode(rawSignature).decode('ascii') signature = base64.b64encode(rawSignature).decode('ascii')
# Put it into a valid HTTP signature format # Put it into a valid HTTP signature format
@ -176,7 +183,8 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
if debug: if debug:
print('DEBUG: verifyPostHeaders ' + method) print('DEBUG: verifyPostHeaders ' + method)
publicKeyPem = RSA.import_key(publicKeyPem) pubkey = load_pem_public_key(publicKeyPem.encode('utf-8'),
backend=default_backend())
# Build a dictionary of the signature values # Build a dictionary of the signature values
signatureHeader = headers['signature'] signatureHeader = headers['signature']
signatureDict = { signatureDict = {
@ -244,16 +252,19 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
print('DEBUG: signedHeaderList: ' + str(signedHeaderList)) print('DEBUG: signedHeaderList: ' + str(signedHeaderList))
# Now we have our header data digest # Now we have our header data digest
signedHeaderText = '\n'.join(signedHeaderList) signedHeaderText = '\n'.join(signedHeaderList)
headerDigest = SHA256.new(signedHeaderText.encode('ascii')) headerDigest = _getSHA256(signedHeaderText.encode('ascii'))
# Get the signature, verify with public key, return result # Get the signature, verify with public key, return result
signature = base64.b64decode(signatureDict['signature']) signature = base64.b64decode(signatureDict['signature'])
try: try:
pubKey = pkcs1_15.new(publicKeyPem) pubkey.verify(
pubKey.verify(headerDigest, signature) signature,
headerDigest,
padding.PKCS1v15(),
hazutils.Prehashed(hashes.SHA256()))
return True return True
except (ValueError, TypeError): except BaseException:
if debug: if debug:
print('DEBUG: verifyPostHeaders pkcs1_15 verify failure') print('DEBUG: verifyPostHeaders pkcs1_15 verify failure')
return False return False

2
setup.cfg
View File

@ -29,7 +29,7 @@ install_requires =
idna >= 2.5, < 3 idna >= 2.5, < 3
numpy >= 1.20.0, < 2 numpy >= 1.20.0, < 2
pillow >= 8.1.0, < 9 pillow >= 8.1.0, < 9
pycryptodome >= 3.9.9, < 4 cryptography
pyqrcode >= 1.2.1, < 2 pyqrcode >= 1.2.1, < 2
python-dateutil >= 2.8.1, < 3 python-dateutil >= 2.8.1, < 3
requests >= 2.25.1, < 3 requests >= 2.25.1, < 3

2
website/EN/index.html
View File

@ -1267,7 +1267,7 @@
<p class="intro">You will need python version 3.7 or later.</p> <p class="intro">You will need python version 3.7 or later.</p>
<p class="intro">On a Debian based system:</p> <p class="intro">On a Debian based system:</p>
<div class="shell"> <div class="shell">
<p>sudo apt install -y tor python3-socks imagemagick python3-setuptools python3-crypto python3-pycryptodome python3-dateutil python3-idna python3-requests python3-flake8 python3-django-timezone-field python3-pyqrcode python3-png python3-bandit libimage-exiftool-perl certbot nginx wget</p> <p>sudo apt install -y tor python3-socks imagemagick python3-setuptools python3-crypto python3-cryptography python3-dateutil python3-idna python3-requests python3-flake8 python3-django-timezone-field python3-pyqrcode python3-png python3-bandit libimage-exiftool-perl certbot nginx wget</p>
</div> </div>
<p class="intro"> <p class="intro">