Add digests for outgoing messages, and testing.

2020-05-19 21:33:47 +01:00 · 2020-05-19 21:33:47 +01:00 · 58630a053f
commit 58630a053f
parent 0c22019306
3 changed files with 53 additions and 26 deletions
--- a/fedireads/signatures.py
+++ b/fedireads/signatures.py
@ -17,12 +17,13 @@ def create_key_pair():
    return private_key, public_key


-def make_signature(sender, destination, date):
+def make_signature(sender, destination, date, digest):
    inbox_parts = urlparse(destination)
    signature_headers = [
        '(request-target): post %s' % inbox_parts.path,
        'host: %s' % inbox_parts.netloc,
        'date: %s' % date,
+        'digest: %s' % digest,
    ]
    message_to_sign = '\n'.join(signature_headers)
    signer = pkcs1_15.new(RSA.import_key(sender.private_key))
@ -30,11 +31,14 @@ def make_signature(sender, destination, date):
    signature = {
        'keyId': '%s#main-key' % sender.remote_id,
        'algorithm': 'rsa-sha256',
-        'headers': '(request-target) host date',
+        'headers': '(request-target) host date digest',
        'signature': b64encode(signed_message).decode('utf8'),
    }
    return ','.join('%s="%s"' % (k, v) for (k, v) in signature.items())

+def make_digest(data):
+    return 'SHA-256=' + b64encode(hashlib.sha512(data).digest()).decode('utf-8')
+
 def verify_digest(request):
    algorithm, digest = request.headers['digest'].split('=', 1)
    if algorithm == 'SHA-256':
@ -42,7 +46,7 @@ def verify_digest(request):
    elif algorithm == 'SHA-512':
        hash_function = hashlib.sha512
    else:
-        raise ValueError("Unsupported hash function.")
+        raise ValueError("Unsupported hash function: {}".format(algorithm))

    expected = hash_function(request.body).digest()
    if b64decode(digest) != expected: