1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120
|
import base64
import six
from Cryptodome.Hash import HMAC
from Cryptodome.PublicKey import RSA
from Cryptodome.Signature import PKCS1_v1_5
from .utils import *
DEFAULT_SIGN_ALGORITHM = "hmac-sha256"
class Signer(object):
"""
When using an RSA algo, the secret is a PEM-encoded private key.
When using an HMAC algo, the secret is the HMAC signing secret.
Password-protected keyfiles are not supported.
"""
def __init__(self, secret, algorithm=None):
if algorithm is None:
algorithm = DEFAULT_SIGN_ALGORITHM
assert algorithm in ALGORITHMS, "Unknown algorithm"
if isinstance(secret, six.string_types):
secret = secret.encode("ascii")
self._rsa = None
self._hash = None
self.sign_algorithm, self.hash_algorithm = algorithm.split('-')
if self.sign_algorithm == 'rsa':
try:
rsa_key = RSA.importKey(secret)
self._rsa = PKCS1_v1_5.new(rsa_key)
self._hash = HASHES[self.hash_algorithm]
except ValueError:
raise HttpSigException("Invalid key.")
elif self.sign_algorithm == 'hmac':
self._hash = HMAC.new(secret,
digestmod=HASHES[self.hash_algorithm])
@property
def algorithm(self):
return '%s-%s' % (self.sign_algorithm, self.hash_algorithm)
def _sign_rsa(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
h = self._hash.new()
h.update(data)
return self._rsa.sign(h)
def _sign_hmac(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
hmac = self._hash.copy()
hmac.update(data)
return hmac.digest()
def sign(self, data):
if isinstance(data, six.string_types):
data = data.encode("ascii")
signed = None
if self._rsa:
signed = self._sign_rsa(data)
elif self._hash:
signed = self._sign_hmac(data)
if not signed:
raise SystemError('No valid encryptor found.')
return base64.b64encode(signed).decode("ascii")
class HeaderSigner(Signer):
"""
Generic object that will sign headers as a dictionary using the
http-signature scheme.
https://github.com/joyent/node-http-signature/blob/master/http_signing.md
:arg key_id: the mandatory label indicating to the server which secret
to use
:arg secret: a PEM-encoded RSA private key or an HMAC secret (must
match the algorithm)
:arg algorithm: one of the six specified algorithms
:arg headers: a list of http headers to be included in the signing
string, defaulting to ['date'].
:arg sign_header: header used to include signature, defaulting to
'authorization'.
"""
def __init__(self, key_id, secret, algorithm=None, headers=None, sign_header='authorization'):
if algorithm is None:
algorithm = DEFAULT_SIGN_ALGORITHM
super(HeaderSigner, self).__init__(secret=secret, algorithm=algorithm)
self.headers = headers or ['date']
self.signature_template = build_signature_template(
key_id, algorithm, headers, sign_header)
self.sign_header = sign_header
def sign(self, headers, host=None, method=None, path=None):
"""
Add Signature Authorization header to case-insensitive header dict.
`headers` is a case-insensitive dict of mutable headers.
`host` is a override for the 'host' header (defaults to value in
headers).
`method` is the HTTP method (required when using '(request-target)').
`path` is the HTTP path (required when using '(request-target)').
"""
headers = CaseInsensitiveDict(headers)
required_headers = self.headers or ['date']
signable = generate_message(
required_headers, headers, host, method, path)
signature = super(HeaderSigner, self).sign(signable)
headers[self.sign_header] = self.signature_template % signature
return headers
|