Skip to content
This repository was archived by the owner on Apr 13, 2024. It is now read-only.

Commit 912ff85

Browse files
fulderfulder
committed
Return false in verify on algorith mismatch
1 parent c5163f8 commit 912ff85

File tree

2 files changed

+22
-6
lines changed

2 files changed

+22
-6
lines changed

httpsig/tests/test_verify.py

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -242,3 +242,17 @@ def setUp(self):
242242
self.sign_secret = private_key
243243
self.verify_secret = public_key
244244
self.sign_algorithm = PSS(salt_length=0)
245+
246+
def test_algorithm_mismatch(self):
247+
unsigned = {
248+
'Date': self.header_date
249+
}
250+
251+
hs = HeaderSigner(
252+
key_id="Test", secret=self.sign_secret, algorithm=self.algorithm,
253+
sign_header=self.sign_header, sign_algorithm=self.sign_algorithm)
254+
signed = hs.sign(unsigned)
255+
256+
hv = HeaderVerifier(
257+
headers=signed, secret=self.verify_secret, sign_header=self.sign_header, algorithm="rsa-sha256", sign_algorithm=self.sign_algorithm)
258+
self.assertFalse(hv.verify())

httpsig/verify.py

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ class HeaderVerifier(Verifier):
5151
"""
5252

5353
def __init__(self, headers, secret, required_headers=None, method=None,
54-
path=None, host=None, sign_header='authorization', sign_algorithm=None):
54+
path=None, host=None, sign_header='authorization', algorithm=None, sign_algorithm=None):
5555
"""
5656
Instantiate a HeaderVerifier object.
5757
@@ -70,6 +70,7 @@ def __init__(self, headers, secret, required_headers=None, method=None,
7070
header, if not supplied in :param:headers.
7171
:param sign_header: Optional. The header where the signature is.
7272
Default is 'authorization'.
73+
:param algorithm: Algorithm derived from keyId (required for draft version >= 12)
7374
:param sign_algorithm: Required for 'hs2019' algorithm, specifies the
7475
digital signature algorithm (derived from keyId) to use.
7576
"""
@@ -89,11 +90,7 @@ def __init__(self, headers, secret, required_headers=None, method=None,
8990
self.method = method
9091
self.path = path
9192
self.host = host
92-
93-
if 'algorithm' in self.auth_dict and self.auth_dict['algorithm'] != self.algorithm:
94-
raise HttpSigException(
95-
"Algorithm mismath, signature parameter algorithm was: {}, but algorithm dervice from key is: {}".format(
96-
self.auth_dict['algorithm'], self.algorithm))
93+
self.derived_algorithm = algorithm
9794

9895
if self.auth_dict['algorithm'] != DEFAULT_ALGORITHM:
9996
print("Algorithm: {} is deprecated please update to {}".format(self.auth_dict['algorithm'], DEFAULT_ALGORITHM))
@@ -112,6 +109,11 @@ def verify(self):
112109
not found in the signature.
113110
Returns True or False.
114111
"""
112+
if 'algorithm' in self.auth_dict and self.derived_algorithm is not None and self.auth_dict['algorithm'] != self.derived_algorithm:
113+
print("Algorithm mismatch, signature parameter algorithm was: {}, but algorithm derived from key is: {}".format(
114+
self.auth_dict['algorithm'], self.derived_algorithm))
115+
return False
116+
115117
auth_headers = self.auth_dict.get('headers', 'date').split(' ')
116118

117119
if len(set(self.required_headers) - set(auth_headers)) > 0:

0 commit comments

Comments
 (0)