epicyon/httpsig.py

__filename__ = "posts.py"
__author__ = "Bob Mottram"
__credits__ = ['lamia']
__license__ = "AGPL3+"
__version__ = "1.0.0"
__maintainer__ = "Bob Mottram"
__email__ = "bob@freedombone.net"
__status__ = "Production"

# see https://tools.ietf.org/html/draft-cavage-http-signatures-06

from Crypto.PublicKey import RSA
from Crypto.Hash import SHA256
#from Crypto.Signature import PKCS1_v1_5
from Crypto.Signature import pkcs1_15
from requests.auth import AuthBase
import base64
import json
from time import gmtime, strftime
import datetime
from pprint import pprint

def messageContentDigest(messageBodyJsonStr: str) -> str:
    return base64.b64encode(SHA256.new(messageBodyJsonStr.encode('utf-8')).digest()).decode('utf-8')

def signPostHeaders(dateStr: str,privateKeyPem: str, \
                    nickname: str, \
                    domain: str,port: int, \
                    toDomain: str,toPort: int, \
                    path: str, \
                    httpPrefix: str, \
                    messageBodyJsonStr: str) -> str:
    """Returns a raw signature string that can be plugged into a header and
    used to verify the authenticity of an HTTP transmission.
    """
    if port:
        if port!=80 and port!=443:
            if ':' not in domain:
                domain=domain+':'+str(port)

    if toPort:
        if toPort!=80 and toPort!=443:
            if ':' not in toDomain:
                toDomain=toDomain+':'+str(port)

    if not dateStr:
        dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
    keyID=httpPrefix+'://'+domain+'/users/'+nickname+'#main-key'
    if not messageBodyJsonStr:
        headers={'(request-target)': f'post {path}','host': toDomain,'date': dateStr,'content-type': 'application/json'}
    else:
        bodyDigest=messageContentDigest(messageBodyJsonStr)
        contentLength=len(messageBodyJsonStr)
        headers={'(request-target)': f'post {path}','host': toDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-type': 'application/activity+json','content-length': str(contentLength)}
    privateKeyPem=RSA.import_key(privateKeyPem)
    #headers.update({
    #    '(request-target)': f'post {path}',
    #})
    # build a digest for signing
    signedHeaderKeys = headers.keys()
    signedHeaderText = ''
    for headerKey in signedHeaderKeys:
        signedHeaderText += f'{headerKey}: {headers[headerKey]}\n'
        #print(f'*********************signing:  headerKey: {headerKey}: {headers[headerKey]}')
    signedHeaderText = signedHeaderText.strip()
    #print('******************************Send: signedHeaderText: '+signedHeaderText)
    headerDigest = SHA256.new(signedHeaderText.encode('ascii'))

    # Sign the digest
    rawSignature = pkcs1_15.new(privateKeyPem).sign(headerDigest)
    signature = base64.b64encode(rawSignature).decode('ascii')

    # Put it into a valid HTTP signature format
    signatureDict = {
        'keyId': keyID,
        'algorithm': 'rsa-sha256',
        'headers': ' '.join(signedHeaderKeys),
        'signature': signature
    }
    signatureHeader = ','.join(
        [f'{k}="{v}"' for k, v in signatureDict.items()])
    return signatureHeader

def createSignedHeader(privateKeyPem: str,nickname: str, \
                       domain: str,port: int, \
                       toDomain: str,toPort: int, \
                       path: str,httpPrefix: str,withDigest: bool, \
                       messageBodyJsonStr: str) -> {}:
    """Note that the domain is the destination, not the sender
    """
    contentType='application/activity+json'
    headerDomain=toDomain

    if toPort:
        if toPort!=80 and toPort!=443:
            if ':' not in headerDomain:
                headerDomain=headerDomain+':'+str(toPort)

    dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())
    if not withDigest:
        headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr}
        signatureHeader = \
            signPostHeaders(dateStr,privateKeyPem,nickname, \
                            domain,port,toDomain,toPort, \
                            path,httpPrefix,None)
    else:
        bodyDigest=messageContentDigest(messageBodyJsonStr)
        contentLength=len(messageBodyJsonStr)
        #print('***************************Send (request-target): post '+path)
        #print('***************************Send host: '+headerDomain)
        #print('***************************Send date: '+dateStr)
        #print('***************************Send digest: '+bodyDigest)
        #print('***************************Send Content-type: '+contentType)
        #print('***************************Send Content-Length: '+str(len(messageBodyJsonStr)))
        #print('***************************Send messageBodyJsonStr: '+messageBodyJsonStr)
        headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-length': str(contentLength),'content-type': contentType}
        signatureHeader = \
            signPostHeaders(dateStr,privateKeyPem,nickname, \
                            domain,port, \
                            toDomain,toPort, \
                            path,httpPrefix,messageBodyJsonStr)
    headers['signature'] = signatureHeader
    return headers

def verifyRecentSignature(signedDateStr: str) -> bool:
    """Checks whether the given time taken from the header is within
    12 hours of the current time
    """
    currDate=datetime.datetime.utcnow()
    signedDate=datetime.datetime.strptime(signedDateStr,"%a, %d %b %Y %H:%M:%S %Z")
    timeDiffSec=(currDate-signedDate).seconds
    # 12 hours tollerance
    if timeDiffSec > 43200:
        print('WARN: Header signed too long ago: '+signedDateStr)
        print(str(timeDiffSec/(60*60))+' hours')
        return False
    if timeDiffSec < 0:
        print('WARN: Header signed in the future! '+signedDateStr)
        print(str(timeDiffSec/(60*60))+' hours')
        return False
    return True

def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
                      path: str,GETmethod: bool, \
                      messageBodyDigest: str, \
                      messageBodyJsonStr: str,debug: bool) -> bool:
    """Returns true or false depending on if the key that we plugged in here
    validates against the headers, method, and path.
    publicKeyPem - the public key from an rsa key pair
    headers - should be a dictionary of request headers
    path - the relative url that was requested from this site
    GETmethod - GET or POST
    messageBodyJsonStr - the received request body (used for digest)
    """

    if GETmethod:
        method='GET'
    else:
        method='POST'

    if debug:
        print('DEBUG: verifyPostHeaders '+method)
        
    publicKeyPem = RSA.import_key(publicKeyPem)
    # Build a dictionary of the signature values
    signatureHeader = headers['signature']
    signatureDict = {
        k: v[1:-1]
        for k, v in [i.split('=', 1) for i in signatureHeader.split(',')]
    }
    #print('********************signatureHeader: '+str(signatureHeader))
    #print('********************signatureDict: '+str(signatureDict))

    # Unpack the signed headers and set values based on current headers and
    # body (if a digest was included)
    signedHeaderList = []
    for signedHeader in signatureDict['headers'].split(' '):
        if debug:
            print('DEBUG: verifyPostHeaders signedHeader='+signedHeader)
        if signedHeader == '(request-target)':
            signedHeaderList.append(
                f'(request-target): {method.lower()} {path}')
            #print('***************************Verify (request-target): '+method.lower()+' '+path)
        elif signedHeader == 'digest':
            if messageBodyDigest:
                bodyDigest=messageBodyDigest
            else:
                bodyDigest=messageContentDigest(messageBodyJsonStr)
            signedHeaderList.append(f'digest: SHA-256={bodyDigest}')
            #print('***************************Verify digest: SHA-256='+bodyDigest)
            #print('***************************Verify messageBodyJsonStr: '+messageBodyJsonStr)
        elif signedHeader == 'content-length':
            if headers.get(signedHeader):
                signedHeaderList.append(f'content-length: {headers[signedHeader]}')
            else:
                if headers.get('Content-Length'):
                    contentLength=headers['Content-Length']
                    signedHeaderList.append(f'content-length: {contentLength}')
                else:
                    if headers.get('Content-length'):
                        contentLength=headers['Content-length']
                        signedHeaderList.append(f'content-length: {contentLength}')
                    else:
                        if debug:
                            print('DEBUG: verifyPostHeaders '+signedHeader+' not found in '+str(headers))
        else:
            if headers.get(signedHeader):
                if signedHeader=='date':
                    if not verifyRecentSignature(headers[signedHeader]):
                        if debug:
                            print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])
                        return False
                #print('***************************Verify '+signedHeader+': '+headers[signedHeader])
                signedHeaderList.append(
                    f'{signedHeader}: {headers[signedHeader]}')
            else:
                signedHeaderCap=signedHeader.capitalize()
                if signedHeaderCap=='Date':
                    if not verifyRecentSignature(headers[signedHeaderCap]):
                        if debug:
                            print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])
                        return False
                #print('***************************Verify '+signedHeaderCap+': '+headers[signedHeaderCap])
                if headers.get(signedHeaderCap):
                    signedHeaderList.append(
                        f'{signedHeader}: {headers[signedHeaderCap]}')

    #print('***********************signedHeaderList: ')
    #pprint(signedHeaderList)
    if debug:
        print('DEBUG: signedHeaderList: '+str(signedHeaderList))
    # Now we have our header data digest
    signedHeaderText = '\n'.join(signedHeaderList)
    #print('***********************Verify: signedHeaderText: '+signedHeaderText)
    headerDigest = SHA256.new(signedHeaderText.encode('ascii'))

    # Get the signature, verify with public key, return result
    signature = base64.b64decode(signatureDict['signature'])

    try:
        pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)
        return True
    except (ValueError, TypeError):
        if debug:
            print('DEBUG: verifyPostHeaders pkcs1_15 verify failure')
        return False
Initial 2019-06-28 18:55:29 +00:00			`__filename__ = "posts.py"`
			`__author__ = "Bob Mottram"`
			`__credits__ = ['lamia']`
			`__license__ = "AGPL3+"`
Version 1.0.0 2019-08-29 13:35:29 +00:00			`__version__ = "1.0.0"`
Initial 2019-06-28 18:55:29 +00:00			`__maintainer__ = "Bob Mottram"`
			`__email__ = "bob@freedombone.net"`
			`__status__ = "Production"`

Get host from post to inbox 2019-08-15 22:33:42 +00:00			`# see https://tools.ietf.org/html/draft-cavage-http-signatures-06`

Initial 2019-06-28 18:55:29 +00:00			`from Crypto.PublicKey import RSA`
			`from Crypto.Hash import SHA256`
			`#from Crypto.Signature import PKCS1_v1_5`
			`from Crypto.Signature import pkcs1_15`
			`from requests.auth import AuthBase`
			`import base64`
			`import json`
Include date in http signature 2019-08-15 09:08:18 +00:00			`from time import gmtime, strftime`
Mitigate replay attacks 2019-08-23 11:20:20 +00:00			`import datetime`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`from pprint import pprint`
Initial 2019-06-28 18:55:29 +00:00
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`def messageContentDigest(messageBodyJsonStr: str) -> str:`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`return base64.b64encode(SHA256.new(messageBodyJsonStr.encode('utf-8')).digest()).decode('utf-8')`
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00
Fixing http signatures 2019-08-16 13:47:01 +00:00			`def signPostHeaders(dateStr: str,privateKeyPem: str, \`
			`nickname: str, \`
			`domain: str,port: int, \`
			`toDomain: str,toPort: int, \`
			`path: str, \`
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`httpPrefix: str, \`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`messageBodyJsonStr: str) -> str:`
Initial 2019-06-28 18:55:29 +00:00			`"""Returns a raw signature string that can be plugged into a header and`
			`used to verify the authenticity of an HTTP transmission.`
			`"""`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`if port:`
			`if port!=80 and port!=443:`
			`if ':' not in domain:`
			`domain=domain+':'+str(port)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00
Fixing http signatures 2019-08-16 13:47:01 +00:00			`if toPort:`
			`if toPort!=80 and toPort!=443:`
			`if ':' not in toDomain:`
			`toDomain=toDomain+':'+str(port)`

			`if not dateStr:`
			`dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`keyID=httpPrefix+'://'+domain+'/users/'+nickname+'#main-key'`
			`if not messageBodyJsonStr:`
Fixing non-ascii text 2019-11-09 21:39:04 +00:00			`headers={'(request-target)': f'post {path}','host': toDomain,'date': dateStr,'content-type': 'application/json'}`
Initial 2019-06-28 18:55:29 +00:00			`else:`
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`bodyDigest=messageContentDigest(messageBodyJsonStr)`
Extra test for content length 2019-11-12 18:21:52 +00:00			`contentLength=len(messageBodyJsonStr)`
			`headers={'(request-target)': f'post {path}','host': toDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-type': 'application/activity+json','content-length': str(contentLength)}`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`privateKeyPem=RSA.import_key(privateKeyPem)`
http signature fixes 2019-08-15 21:34:25 +00:00			`#headers.update({`
			`# '(request-target)': f'post {path}',`
			`#})`
Initial 2019-06-28 18:55:29 +00:00			`# build a digest for signing`
			`signedHeaderKeys = headers.keys()`
			`signedHeaderText = ''`
			`for headerKey in signedHeaderKeys:`
			`signedHeaderText += f'{headerKey}: {headers[headerKey]}\n'`
Mitigate replay attacks 2019-08-23 11:20:20 +00:00			`#print(f'*********************signing: headerKey: {headerKey}: {headers[headerKey]}')`
Initial 2019-06-28 18:55:29 +00:00			`signedHeaderText = signedHeaderText.strip()`
Mitigate replay attacks 2019-08-23 11:20:20 +00:00			`#print('******************************Send: signedHeaderText: '+signedHeaderText)`
Initial 2019-06-28 18:55:29 +00:00			`headerDigest = SHA256.new(signedHeaderText.encode('ascii'))`

			`# Sign the digest`
			`rawSignature = pkcs1_15.new(privateKeyPem).sign(headerDigest)`
			`signature = base64.b64encode(rawSignature).decode('ascii')`

			`# Put it into a valid HTTP signature format`
			`signatureDict = {`
			`'keyId': keyID,`
			`'algorithm': 'rsa-sha256',`
			`'headers': ' '.join(signedHeaderKeys),`
			`'signature': signature`
			`}`
			`signatureHeader = ','.join(`
			`[f'{k}="{v}"' for k, v in signatureDict.items()])`
			`return signatureHeader`

Fixing http signatures 2019-08-16 13:47:01 +00:00			`def createSignedHeader(privateKeyPem: str,nickname: str, \`
			`domain: str,port: int, \`
			`toDomain: str,toPort: int, \`
Option to use dat urls 2019-07-03 19:00:03 +00:00			`path: str,httpPrefix: str,withDigest: bool, \`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`messageBodyJsonStr: str) -> {}:`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`"""Note that the domain is the destination, not the sender`
			`"""`
Fixing non-ascii text 2019-11-09 21:39:04 +00:00			`contentType='application/activity+json'`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`headerDomain=toDomain`
Fix http signature with port number 2019-07-01 09:31:02 +00:00
Fixing http signatures 2019-08-16 13:47:01 +00:00			`if toPort:`
			`if toPort!=80 and toPort!=443:`
			`if ':' not in headerDomain:`
			`headerDomain=headerDomain+':'+str(toPort)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00
Remove date 2019-08-15 18:21:43 +00:00			`dateStr=strftime("%a, %d %b %Y %H:%M:%S %Z", gmtime())`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`if not withDigest:`
http signature fixes 2019-08-15 21:34:25 +00:00			`headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr}`
Fix digest encoding 2019-08-16 10:36:41 +00:00			`signatureHeader = \`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`signPostHeaders(dateStr,privateKeyPem,nickname, \`
			`domain,port,toDomain,toPort, \`
			`path,httpPrefix,None)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`else:`
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`bodyDigest=messageContentDigest(messageBodyJsonStr)`
Add content langth to http signature 2019-11-12 13:01:56 +00:00			`contentLength=len(messageBodyJsonStr)`
Mitigate replay attacks 2019-08-23 11:20:20 +00:00			`#print('***************************Send (request-target): post '+path)`
			`#print('***************************Send host: '+headerDomain)`
			`#print('***************************Send date: '+dateStr)`
			`#print('***************************Send digest: '+bodyDigest)`
			`#print('***************************Send Content-type: '+contentType)`
Comment 2019-11-12 19:23:57 +00:00			`#print('***************************Send Content-Length: '+str(len(messageBodyJsonStr)))`
Mitigate replay attacks 2019-08-23 11:20:20 +00:00			`#print('***************************Send messageBodyJsonStr: '+messageBodyJsonStr)`
content length as string 2019-11-12 13:15:45 +00:00			`headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-length': str(contentLength),'content-type': contentType}`
Fix digest encoding 2019-08-16 10:36:41 +00:00			`signatureHeader = \`
Fixing http signatures 2019-08-16 13:47:01 +00:00			`signPostHeaders(dateStr,privateKeyPem,nickname, \`
			`domain,port, \`
			`toDomain,toPort, \`
Avoid post conversions between json and string after digest is calculated 2019-08-17 10:15:01 +00:00			`path,httpPrefix,messageBodyJsonStr)`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`headers['signature'] = signatureHeader`
			`return headers`

Make date check into a function 2019-08-23 11:30:37 +00:00			`def verifyRecentSignature(signedDateStr: str) -> bool:`
Comments 2019-08-23 11:31:46 +00:00			`"""Checks whether the given time taken from the header is within`
			`12 hours of the current time`
			`"""`
Make date check into a function 2019-08-23 11:30:37 +00:00			`currDate=datetime.datetime.utcnow()`
			`signedDate=datetime.datetime.strptime(signedDateStr,"%a, %d %b %Y %H:%M:%S %Z")`
Check that header was not signed in the future 2019-08-23 11:37:34 +00:00			`timeDiffSec=(currDate-signedDate).seconds`
Tidying 2019-08-23 11:39:16 +00:00			`# 12 hours tollerance`
Check that header was not signed in the future 2019-08-23 11:37:34 +00:00			`if timeDiffSec > 43200:`
Make date check into a function 2019-08-23 11:30:37 +00:00			`print('WARN: Header signed too long ago: '+signedDateStr)`
Check that header was not signed in the future 2019-08-23 11:37:34 +00:00			`print(str(timeDiffSec/(60*60))+' hours')`
			`return False`
			`if timeDiffSec < 0:`
			`print('WARN: Header signed in the future! '+signedDateStr)`
			`print(str(timeDiffSec/(60*60))+' hours')`
Make date check into a function 2019-08-23 11:30:37 +00:00			`return False`
			`return True`

http signature fixes 2019-08-15 21:34:25 +00:00			`def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \`
			`path: str,GETmethod: bool, \`
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`messageBodyDigest: str, \`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`messageBodyJsonStr: str,debug: bool) -> bool:`
Initial 2019-06-28 18:55:29 +00:00			`"""Returns true or false depending on if the key that we plugged in here`
			`validates against the headers, method, and path.`
			`publicKeyPem - the public key from an rsa key pair`
			`headers - should be a dictionary of request headers`
			`path - the relative url that was requested from this site`
			`GETmethod - GET or POST`
Fix http signature with port number 2019-07-01 09:31:02 +00:00			`messageBodyJsonStr - the received request body (used for digest)`
Initial 2019-06-28 18:55:29 +00:00			`"""`
Mitigate replay attacks 2019-08-23 11:20:20 +00:00
Initial 2019-06-28 18:55:29 +00:00			`if GETmethod:`
			`method='GET'`
			`else:`
			`method='POST'`
Debug in http signature verification 2019-11-12 15:03:17 +00:00
			`if debug:`
			`print('DEBUG: verifyPostHeaders '+method)`
Initial 2019-06-28 18:55:29 +00:00
			`publicKeyPem = RSA.import_key(publicKeyPem)`
			`# Build a dictionary of the signature values`
			`signatureHeader = headers['signature']`
			`signatureDict = {`
			`k: v[1:-1]`
			`for k, v in [i.split('=', 1) for i in signatureHeader.split(',')]`
			`}`
quieten some debug 2019-08-23 10:57:27 +00:00			`#print('********************signatureHeader: '+str(signatureHeader))`
			`#print('********************signatureDict: '+str(signatureDict))`
Initial 2019-06-28 18:55:29 +00:00
			`# Unpack the signed headers and set values based on current headers and`
			`# body (if a digest was included)`
			`signedHeaderList = []`
			`for signedHeader in signatureDict['headers'].split(' '):`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`if debug:`
			`print('DEBUG: verifyPostHeaders signedHeader='+signedHeader)`
Initial 2019-06-28 18:55:29 +00:00			`if signedHeader == '(request-target)':`
			`signedHeaderList.append(`
			`f'(request-target): {method.lower()} {path}')`
quieten some debug 2019-08-23 10:57:27 +00:00			`#print('***************************Verify (request-target): '+method.lower()+' '+path)`
Initial 2019-06-28 18:55:29 +00:00			`elif signedHeader == 'digest':`
Calculate message body digest from incoming bytes to avoid any json conversion issues 2019-08-16 17:19:23 +00:00			`if messageBodyDigest:`
			`bodyDigest=messageBodyDigest`
			`else:`
More debug 2019-11-12 15:25:47 +00:00			`bodyDigest=messageContentDigest(messageBodyJsonStr)`
Initial 2019-06-28 18:55:29 +00:00			`signedHeaderList.append(f'digest: SHA-256={bodyDigest}')`
quieten some debug 2019-08-23 10:57:27 +00:00			`#print('***************************Verify digest: SHA-256='+bodyDigest)`
			`#print('***************************Verify messageBodyJsonStr: '+messageBodyJsonStr)`
Separate cases 2019-11-12 18:48:29 +00:00			`elif signedHeader == 'content-length':`
Return to case 2019-11-12 19:20:55 +00:00			`if headers.get(signedHeader):`
			`signedHeaderList.append(f'content-length: {headers[signedHeader]}')`
More debug 2019-11-12 17:16:34 +00:00			`else:`
Variations on the theme 2019-11-12 19:32:23 +00:00			`if headers.get('Content-Length'):`
			`contentLength=headers['Content-Length']`
			`signedHeaderList.append(f'content-length: {contentLength}')`
			`else:`
			`if headers.get('Content-length'):`
			`contentLength=headers['Content-length']`
			`signedHeaderList.append(f'content-length: {contentLength}')`
			`else:`
			`if debug:`
			`print('DEBUG: verifyPostHeaders '+signedHeader+' not found in '+str(headers))`
Initial 2019-06-28 18:55:29 +00:00			`else:`
http signature fixes 2019-08-15 21:34:25 +00:00			`if headers.get(signedHeader):`
Separate content-length check 2019-11-12 16:48:05 +00:00			`if signedHeader=='date':`
Make date check into a function 2019-08-23 11:30:37 +00:00			`if not verifyRecentSignature(headers[signedHeader]):`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`if debug:`
			`print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])`
Make date check into a function 2019-08-23 11:30:37 +00:00			`return False`
quieten some debug 2019-08-23 10:57:27 +00:00			`#print('***************************Verify '+signedHeader+': '+headers[signedHeader])`
Exception handling for http signature check 2019-08-15 17:09:17 +00:00			`signedHeaderList.append(`
			`f'{signedHeader}: {headers[signedHeader]}')`
http signature fixes 2019-08-15 21:34:25 +00:00			`else:`
			`signedHeaderCap=signedHeader.capitalize()`
Separate content-length check 2019-11-12 16:48:05 +00:00			`if signedHeaderCap=='Date':`
Make date check into a function 2019-08-23 11:30:37 +00:00			`if not verifyRecentSignature(headers[signedHeaderCap]):`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`if debug:`
			`print('DEBUG: verifyPostHeaders date is not recent '+headers[signedHeader])`
Make date check into a function 2019-08-23 11:30:37 +00:00			`return False`
quieten some debug 2019-08-23 10:57:27 +00:00			`#print('***************************Verify '+signedHeaderCap+': '+headers[signedHeaderCap])`
http signature fixes 2019-08-15 21:34:25 +00:00			`if headers.get(signedHeaderCap):`
			`signedHeaderList.append(`
			`f'{signedHeader}: {headers[signedHeaderCap]}')`
Initial 2019-06-28 18:55:29 +00:00
quieten some debug 2019-08-23 10:57:27 +00:00			`#print('***********************signedHeaderList: ')`
			`#pprint(signedHeaderList)`
More debug 2019-11-12 15:25:47 +00:00			`if debug:`
			`print('DEBUG: signedHeaderList: '+str(signedHeaderList))`
Initial 2019-06-28 18:55:29 +00:00			`# Now we have our header data digest`
			`signedHeaderText = '\n'.join(signedHeaderList)`
quieten some debug 2019-08-23 10:57:27 +00:00			`#print('***********************Verify: signedHeaderText: '+signedHeaderText)`
Initial 2019-06-28 18:55:29 +00:00			`headerDigest = SHA256.new(signedHeaderText.encode('ascii'))`

			`# Get the signature, verify with public key, return result`
			`signature = base64.b64decode(signatureDict['signature'])`

			`try:`
			`pkcs1_15.new(publicKeyPem).verify(headerDigest, signature)`
			`return True`
			`except (ValueError, TypeError):`
Debug in http signature verification 2019-11-12 15:03:17 +00:00			`if debug:`
			`print('DEBUG: verifyPostHeaders pkcs1_15 verify failure')`
Initial 2019-06-28 18:55:29 +00:00			`return False`