forked from ahknight/httpsig
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsign.py
More file actions
120 lines (97 loc) · 4.09 KB
/
sign.py
File metadata and controls
120 lines (97 loc) · 4.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
import base64
import six
from Crypto.Hash import HMAC
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5
from .utils import *
DEFAULT_SIGN_ALGORITHM = "hmac-sha256"
class Signer(object):
"""
When using an RSA algo, the secret is a PEM-encoded private key.
When using an HMAC algo, the secret is the HMAC signing secret.
Password-protected keyfiles are not supported.
"""
def __init__(self, secret, algorithm=None):
if algorithm is None:
algorithm = DEFAULT_SIGN_ALGORITHM
assert algorithm in ALGORITHMS, "Unknown algorithm"
if isinstance(secret, six.string_types):
secret = secret.encode("ascii")
self._rsa = None
self._hash = None
self.sign_algorithm, self.hash_algorithm = algorithm.split('-')
if self.sign_algorithm == 'rsa':
try:
rsa_key = RSA.importKey(secret)
self._rsa = PKCS1_v1_5.new(rsa_key)
self._hash = HASHES[self.hash_algorithm]
except ValueError:
raise HttpSigException("Invalid key.")
elif self.sign_algorithm == 'hmac':
self._hash = HMAC.new(secret,
digestmod=HASHES[self.hash_algorithm])
@property
def algorithm(self):
return '%s-%s' % (self.sign_algorithm, self.hash_algorithm)
def _sign_rsa(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
h = self._hash.new()
h.update(data)
return self._rsa.sign(h)
def _sign_hmac(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
hmac = self._hash.copy()
hmac.update(data)
return hmac.digest()
def _sign(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
signed = None
if self._rsa:
signed = self._sign_rsa(data)
elif self._hash:
signed = self._sign_hmac(data)
if not signed:
raise SystemError('No valid encryptor found.')
return base64.b64encode(signed).decode("ascii")
class HeaderSigner(Signer):
"""
Generic object that will sign headers as a dictionary using the
http-signature scheme.
https://github.com/joyent/node-http-signature/blob/master/http_signing.md
:arg key_id: the mandatory label indicating to the server which secret
to use
:arg secret: a PEM-encoded RSA private key or an HMAC secret (must
match the algorithm)
:arg algorithm: one of the six specified algorithms
:arg headers: a list of http headers to be included in the signing
string, defaulting to ['date'].
:arg sign_header: header used to include signature, defaulting to
'authorization'.
"""
def __init__(self, key_id, secret, algorithm=None, headers=None, sign_header='authorization'):
if algorithm is None:
algorithm = DEFAULT_SIGN_ALGORITHM
super(HeaderSigner, self).__init__(secret=secret, algorithm=algorithm)
self.headers = headers or ['date']
self.signature_template = build_signature_template(
key_id, algorithm, headers, sign_header)
self.sign_header = sign_header
def sign(self, headers, host=None, method=None, path=None):
"""
Add Signature Authorization header to case-insensitive header dict.
`headers` is a case-insensitive dict of mutable headers.
`host` is a override for the 'host' header (defaults to value in
headers).
`method` is the HTTP method (required when using '(request-target)').
`path` is the HTTP path (required when using '(request-target)').
"""
headers = CaseInsensitiveDict(headers)
required_headers = self.headers or ['date']
signable = generate_message(
required_headers, headers, host, method, path)
signature = self._sign(signable)
headers[self.sign_header] = self.signature_template % signature
return headers