indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

hs2019 same as rsa256

merge-requests/30/head
Bob Mottram 2021-11-22 11:52:55 +00:00
parent 8f50983816
commit d98e68be5b
2 changed files with 24 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
httpsig.py
View File

@ -312,7 +312,8 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
if v.startswith('('): if v.startswith('('):
requestTargetKey = k requestTargetKey = k
requestTargetStr = v[1:-1] requestTargetStr = v[1:-1]
break elif v.startswith('"'):
signatureDict[k] = v[1:-1]
if not requestTargetKey: if not requestTargetKey:
return False return False
signatureDict[requestTargetKey] = requestTargetStr signatureDict[requestTargetKey] = requestTargetStr
@ -354,6 +355,8 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
elif signedHeader == 'algorithm': elif signedHeader == 'algorithm':
if headers.get(signedHeader): if headers.get(signedHeader):
algorithm = headers[signedHeader] algorithm = headers[signedHeader]
if debug:
print('http signature algorithm: ' + algorithm)
elif signedHeader == 'digest': elif signedHeader == 'digest':
if messageBodyDigest: if messageBodyDigest:
bodyDigest = messageBodyDigest bodyDigest = messageBodyDigest
@ -447,20 +450,30 @@ def verifyPostHeaders(httpPrefix: str, publicKeyPem: str, headers: dict,
print('signature: ' + algorithm + ' ' + print('signature: ' + algorithm + ' ' +
signatureDict['signature']) signatureDict['signature'])
# log unusual signing algorithms
if signatureDict.get('alg'):
print('http signature algorithm: ' + signatureDict['alg'])
# If extra signing algorithms need to be added then do it here # If extra signing algorithms need to be added then do it here
if algorithm == 'rsa-sha256': if not signatureDict.get('alg'):
headerDigest = getSHA256(signedHeaderText.encode('ascii'))
paddingStr = padding.PKCS1v15()
alg = hazutils.Prehashed(hashes.SHA256()) alg = hazutils.Prehashed(hashes.SHA256())
elif algorithm == 'rsa-sha512': elif signatureDict['alg'] == 'rsa-sha256':
headerDigest = getSHA512(signedHeaderText.encode('ascii')) alg = hazutils.Prehashed(hashes.SHA256())
paddingStr = padding.PKCS1v15() elif signatureDict['alg'] == 'hs2019':
alg = hazutils.Prehashed(hashes.SHA256())
elif signatureDict['alg'] == 'rsa-sha512':
alg = hazutils.Prehashed(hashes.SHA512()) alg = hazutils.Prehashed(hashes.SHA512())
else: else:
print('Unknown http signature algorithm: ' + algorithm)
paddingStr = padding.PKCS1v15()
alg = hazutils.Prehashed(hashes.SHA256()) alg = hazutils.Prehashed(hashes.SHA256())
if algorithm == 'rsa-sha256' or algorithm == 'hs2019':
headerDigest = getSHA256(signedHeaderText.encode('ascii'))
elif algorithm == 'rsa-sha512':
headerDigest = getSHA512(signedHeaderText.encode('ascii'))
else:
print('Unknown http signature algorithm: ' + algorithm)
headerDigest = '' headerDigest = ''
paddingStr = padding.PKCS1v15()
try: try:
pubkey.verify(signature, headerDigest, paddingStr, alg) pubkey.verify(signature, headerDigest, paddingStr, alg)

3
tests.py
View File

@ -623,9 +623,10 @@ def _testHttpsigBase(withDigest: bool, baseDir: str):
headers['signature'] = signatureHeader headers['signature'] = signatureHeader
GETmethod = not withDigest GETmethod = not withDigest
debug = True
assert verifyPostHeaders(httpPrefix, publicKeyPem, headers, assert verifyPostHeaders(httpPrefix, publicKeyPem, headers,
boxpath, GETmethod, None, boxpath, GETmethod, None,
messageBodyJsonStr, False) messageBodyJsonStr, debug)
if withDigest: if withDigest:
# everything correct except for content-length # everything correct except for content-length
headers['content-length'] = str(contentLength + 2) headers['content-length'] = str(contentLength + 2)