This repository was archived by the owner on Apr 13, 2024. It is now read-only.

Commit 79ca3a2

committed
Require sign_algorithm for 'hs2019' algorith in Verifier
1 parent bd001d8 commit 79ca3a2

1 file changed

+15
-3
lines changed

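--- a/httpsig/verify.py
+++ b/httpsig/verify.py
@@ -4,7 +4,7 @@
 import base64
 import six
 
-from .sign import Signer
+from .sign import Signer, DEFAULT_SIGN_ALGORITHM
 from .utils import *
 
 
@@ -37,6 +37,11 @@ def _verify(self, data, signature):
 s = base64.b64decode(signature)
 return ct_bytes_compare(h, s)
 
+elif self.sign_algorithm == 'PSS':
+h = self._hash.new()
+h.update(data)
+return self._rsa.verify(h, base64.b64decode(signature))
+
 else:
 raise HttpSigException("Unsupported algorithm.")
 
@@ -47,7 +52,7 @@ class HeaderVerifier(Verifier):
 """
 
 def __init__(self, headers, secret, required_headers=None, method=None,
-path=None, host=None, sign_header='authorization'):
+path=None, host=None, sign_header='authorization', sign_algorithm=None):
 """
 Instantiate a HeaderVerifier object.
 
@@ -66,6 +71,8 @@ def __init__(self, headers, secret, required_headers=None, method=None,
 header, if not supplied in :param:headers.
 :param sign_header: Optional. The header where the signature is.
 Default is 'authorization'.
+:param sign_algorithm: Required for 'hs2019' algorithm, specifies the
+digital signature algorithm (derived from keyId) to use.
 """
 required_headers = required_headers or ['date']
 self.headers = CaseInsensitiveDict(headers)
@@ -84,8 +91,13 @@ def __init__(self, headers, secret, required_headers=None, method=None,
 self.path = path
 self.host = host
 
+if self.auth_dict['algorithm'] != DEFAULT_SIGN_ALGORITHM:
+print("Algorithm: {} is deprecated please update to {}".format(self.auth_dict['algorithm'], DEFAULT_SIGN_ALGORITHM))
+elif self.auth_dict['algorithm'] == DEFAULT_SIGN_ALGORITHM and self.sign_algorithm is None:
+raise HttpSigException("Required sign algorithm for {} algorithm not set".format(DEFAULT_SIGN_ALGORITHM))
+
 super(HeaderVerifier, self).__init__(
-secret, algorithm=self.auth_dict['algorithm'])
+secret, algorithm=self.auth_dict['algorithm'], sign_algorithm=sign_algorithm)
 
 def verify(self):
 """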
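Review bot: In the last hunk the new `elif` (new line 96) reads `self.sign_algorithm`, but in the visible lines nothing assigns that attribute before the `super().__init__` call below it, so unless it is set earlier in `__init__` (outside the hunk) an 'hs2019' request fails with AttributeError instead of the intended HttpSigException; test the argument directly with `elif sign_algorithm is None:`, since the repeated `== DEFAULT_SIGN_ALGORITHM` comparison is already implied by the `elif`. The deprecation notice on new line 95 uses `print` and formats `self.auth_dict['algorithm']`, which is presumably parsed from the request's signature header; a library should report this through `warnings.warn` or a logger and pass the value through `repr()` so that header content cannot inject extra output lines. A header naming a legacy algorithm is also still accepted and still selects the verification scheme, so the caller's `sign_algorithm` is only enforced for 'hs2019' requests, and the docstring should say that callers who want to refuse older algorithms must check this themselves. `__init__` begins and ends outside these hunks.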