1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
import base64
import six
from Cryptodome.Hash import HMAC
from Cryptodome.PublicKey import RSA
from Cryptodome.Signature import PKCS1_v1_5
from .utils import *
DEFAULT_SIGN_ALGORITHM = "hmac-sha256"
class Signer(object):
"""
When using an RSA algo, the secret is a PEM-encoded private key.
When using an HMAC algo, the secret is the HMAC signing secret.
Password-protected keyfiles are not supported.
"""
def __init__(self, secret, algorithm=None):
if algorithm is None:
algorithm = DEFAULT_SIGN_ALGORITHM
assert algorithm in ALGORITHMS, "Unknown algorithm"
if isinstance(secret, six.string_types):
secret = secret.encode("ascii")
self._rsa = None
self._hash = None
self.sign_algorithm, self.hash_algorithm = algorithm.split('-')
if self.sign_algorithm == 'rsa':
try:
rsa_key = RSA.importKey(secret)
self._rsa = PKCS1_v1_5.new(rsa_key)
self._hash = HASHES[self.hash_algorithm]
except ValueError:
raise HttpSigException("Invalid key.")
elif self.sign_algorithm == 'hmac':
self._hash = HMAC.new(secret,
digestmod=HASHES[self.hash_algorithm])
@property
def algorithm(self):
return '%s-%s' % (self.sign_algorithm, self.hash_algorithm)
def _sign_rsa(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
h = self._hash.new()
h.update(data)
return self._rsa.sign(h)
def _sign_hmac(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
hmac = self._hash.copy()
hmac.update(data)
return hmac.digest()
def sign(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
signed = None
if self._rsa:
signed = self._sign_rsa(data)
elif self._hash:
signed = self._sign_hmac(data)
if not signed:
raise SystemError('No valid encryptor found.')
return base64.b64encode(signed).decode("ascii")
class HeaderSigner(Signer):
"""
Generic object that will sign headers as a dictionary using the
http-signature scheme.
https://github.com/joyent/node-http-signature/blob/master/http_signing.md
:arg key_id: the mandatory label indicating to the server which secret
to use
:arg secret: a PEM-encoded RSA private key or an HMAC secret (must
match the algorithm)
:arg algorithm: one of the six specified algorithms
:arg headers: a list of http headers to be included in the signing
string, defaulting to ['date'].
:arg sign_header: header used to include signature, defaulting to
'authorization'.
"""
def __init__(self, key_id, secret, algorithm=None, headers=None, sign_header='authorization'):
if algorithm is None:
algorithm = DEFAULT_SIGN_ALGORITHM
super(HeaderSigner, self).__init__(secret=secret, algorithm=algorithm)
self.headers = headers or ['date']
self.signature_template = build_signature_template(
key_id, algorithm, headers, sign_header)
self.sign_header = sign_header
def sign(self, headers, host=None, method=None, path=None):
"""
Add Signature Authorization header to case-insensitive header dict.
`headers` is a case-insensitive dict of mutable headers.
`host` is a override for the 'host' header (defaults to value in
headers).
`method` is the HTTP method (required when using '(request-target)').
`path` is the HTTP path (required when using '(request-target)').
"""
headers = CaseInsensitiveDict(headers)
required_headers = self.headers or ['date']
signable = generate_message(
required_headers, headers, host, method, path)
signature = super(HeaderSigner, self).sign(signable)
headers[self.sign_header] = self.signature_template % signature
return headers
|
