yul
/
bookwyrm-mastodon
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Verify http digest is correct if specified in signature.

This commit is contained in:
Adam Kelly 2020-05-18 19:42:22 +01:00
parent b54c6f7855
commit 0c22019306
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
fedireads/signatures.py
View File

@ -1,3 +1,4 @@
import hashlib
from urllib.parse import urlparse from urllib.parse import urlparse
from base64 import b64encode, b64decode from base64 import b64encode, b64decode
@ -34,6 +35,18 @@ def make_signature(sender, destination, date):
} }
return ','.join('%s="%s"' % (k, v) for (k, v) in signature.items()) return ','.join('%s="%s"' % (k, v) for (k, v) in signature.items())
def verify_digest(request):
algorithm, digest = request.headers['digest'].split('=', 1)
if algorithm == 'SHA-256':
hash_function = hashlib.sha256
elif algorithm == 'SHA-512':
hash_function = hashlib.sha512
else:
raise ValueError("Unsupported hash function.")
expected = hash_function(request.body).digest()
if b64decode(digest) != expected:
return ValueError("Invalid HTTP Digest header")
class Signature: class Signature:
def __init__(self, key_id, headers, signature): def __init__(self, key_id, headers, signature):
@ -68,6 +81,8 @@ class Signature:
comparison_string.append( comparison_string.append(
'(request-target): post %s' % request.path) '(request-target): post %s' % request.path)
else: else:
if signed_header_name == 'digest':
verify_digest(request)
comparison_string.append('%s: %s' % ( comparison_string.append('%s: %s' % (
signed_header_name, signed_header_name,
request.headers[signed_header_name] request.headers[signed_header_name]