Make PSS salt configurable

fulder · fulder · commit 619a13c72817 · 2020-08-24T15:55:39.000+02:00
In order to be able to decode the PSS message, the salt length need to
be known.
diff --git a/httpsig/sign.py b/httpsig/sign.py
@@ -10,6 +10,7 @@
 
 
 DEFAULT_SIGN_ALGORITHM = "hs2019"
+DEFAULT_SALT_LENGTH = 20
 
 
 class Signer(object):
@@ -19,9 +20,11 @@ class Signer(object):
 
     Password-protected keyfiles are not supported.
     """
-    def __init__(self, secret, algorithm=None, sign_algorithm=None):
+    def __init__(self, secret, algorithm=None, sign_algorithm=None, salt_length=None):
         if algorithm is None:
             algorithm = DEFAULT_SIGN_ALGORITHM
+        if salt_length is None:
+            salt_length = DEFAULT_SALT_LENGTH
 
         assert algorithm in ALGORITHMS, "Unknown algorithm"
         assert sign_algorithm is None or sign_algorithm in SIGN_ALGORITHMS, "Unsupported digital signature algorithm"
@@ -58,7 +61,7 @@ def __init__(self, secret, algorithm=None, sign_algorithm=None):
         elif self.sign_algorithm == "PSS":
             try:
                 rsa_key = RSA.importKey(secret)
-                self._rsa = PKCS1_PSS.new(rsa_key)
+                self._rsa = PKCS1_PSS.new(rsa_key, saltLen=salt_length)
                 self._hash = HASHES[self.hash_algorithm]
             except ValueError:
                 raise HttpSigException("Invalid key.")
@@ -100,18 +103,19 @@ class HeaderSigner(Signer):
         to use
     :arg secret:    a PEM-encoded RSA private key or an HMAC secret (must
         match the algorithm)
-    :arg algorithm: one of the seven specified algorithms
-    :arg sign_algorithm: required for 'hs2019' algorithm. Sign algorithm for the secret
-    :arg headers:   a list of http headers to be included in the signing
+    :param algorithm: one of the seven specified algorithms
+    :param sign_algorithm: required for 'hs2019' algorithm. Sign algorithm for the secret
+    :param sign_algorithm:      Custom salt length for 'hs2019' and 'PSS' sign algorithm.
+    :param headers:   a list of http headers to be included in the signing
         string, defaulting to ['date'].
-    :arg sign_header: header used to include signature, defaulting to
+    :param sign_header: header used to include signature, defaulting to
        'authorization'.
     """
-    def __init__(self, key_id, secret, algorithm=None, sign_algorithm=None, headers=None, sign_header='authorization'):
+    def __init__(self, key_id, secret, algorithm=None, sign_algorithm=None, salt_length=None, headers=None, sign_header='authorization'):
         if algorithm is None:
             algorithm = DEFAULT_SIGN_ALGORITHM
 
-        super(HeaderSigner, self).__init__(secret=secret, algorithm=algorithm, sign_algorithm=sign_algorithm)
+        super(HeaderSigner, self).__init__(secret=secret, algorithm=algorithm, sign_algorithm=sign_algorithm, salt_length=salt_length)
         self.headers = headers or ['date']
         self.signature_template = build_signature_template(
                                     key_id, algorithm, headers, sign_header)
diff --git a/httpsig/verify.py b/httpsig/verify.py
@@ -52,7 +52,7 @@ class HeaderVerifier(Verifier):
     """
 
     def __init__(self, headers, secret, required_headers=None, method=None,
-                 path=None, host=None, sign_header='authorization', sign_algorithm=None):
+                 path=None, host=None, sign_header='authorization', sign_algorithm=None, salt_length=None):
         """
         Instantiate a HeaderVerifier object.
 
@@ -73,6 +73,7 @@ def __init__(self, headers, secret, required_headers=None, method=None,
             Default is 'authorization'.
         :param sign_algorithm:      Required for 'hs2019' algorithm, specifies the
                                     digital signature algorithm (derived from keyId) to use.
+        :param sign_algorithm:      Custom salt length for 'hs2019' and 'PSS' sign algorithm.
         """
         required_headers = required_headers or ['date']
         self.headers = CaseInsensitiveDict(headers)
@@ -93,11 +94,11 @@ def __init__(self, headers, secret, required_headers=None, method=None,
 
         if self.auth_dict['algorithm'] != DEFAULT_SIGN_ALGORITHM:
             print("Algorithm: {} is deprecated please update to {}".format(self.auth_dict['algorithm'], DEFAULT_SIGN_ALGORITHM))
-        elif self.auth_dict['algorithm'] == DEFAULT_SIGN_ALGORITHM and self.sign_algorithm is None:
+        elif self.auth_dict['algorithm'] == DEFAULT_SIGN_ALGORITHM and sign_algorithm is None:
             raise HttpSigException("Required sign algorithm for {} algorithm not set".format(DEFAULT_SIGN_ALGORITHM))
 
         super(HeaderVerifier, self).__init__(
-                secret, algorithm=self.auth_dict['algorithm'], sign_algorithm=sign_algorithm)
+                secret, algorithm=self.auth_dict['algorithm'], sign_algorithm=sign_algorithm, salt_length=salt_length)
 
     def verify(self):
         """
