COSCUP-ap-demo/demo/httpsig.py

#!/usr/bin/env python3
"""
Verify and build HTTP signatures
"""
import base64
import httpx
import hashlib

from Crypto.Hash import SHA256
from Crypto.Signature import PKCS1_v1_5
from Crypto.PublicKey import RSA
from werkzeug.datastructures import Headers
from httpx import Headers as Httpx_headers
from datetime import datetime
from loguru import logger

from dataclasses import dataclass
from demo.config import ID, KEY_PATH


@dataclass
class SignedData:
    """
    Signature data
    """
    method: str
    path: str
    signed_list: list
    body_digest: str | None
    headers: Headers | Httpx_headers


class HttpSignature:
    """
    calculation and verification of HTTP signatures
    """
    @classmethod
    def calculation_digest(
            cls,
            body: bytes,
            algorithm: str ="sha-256"
    ) -> str:
        """
        Calculates the digest header value for a given HTTP body
        """
        if "sha-256" == algorithm:
            body_digest = SHA256.new()
            body_digest.update(body)
            return "SHA-256=" + \
                base64.b64encode(body_digest.digest()
                                 ).decode("utf-8")

        raise ValueError(f"No support algorithm {algorithm}")

    @classmethod
    def verify_signature(
            cls,
            signature_string: str,
            signature: bytes,
            pubkey,
    ) -> bool:
        """
        Verify signatur that returns bool
        """
        pubkey = RSA.importKey(pubkey)
        signer = PKCS1_v1_5.new(pubkey)
        digest = SHA256.new()
        digest.update(signature_string.encode("utf-8"))
        return signer.verify(digest, signature) # pylint: disable=E1102


    @classmethod
    def parse_signature(
            cls,
            signature: str
    ) -> dict:
        """
        Parse signature string in headers
        """
        detail = {}
        for item in signature.split(','):
            name, value = item.split('=', 1)
            value = value.strip('"')
            detail[name.lower()] = value
        signature_details = {
            "headers": detail["headers"].split(),
            "signature": base64.b64decode(detail["signature"]),
            "algorithm": detail["algorithm"],
            "keyid": detail["keyid"],
        }
        return signature_details

    @classmethod
    def build_signature_string(
            cls,
            signed_data: SignedData,
    ) -> str:
        """
        Build signature string
        """
        signed_string = []
        for signed_str in signed_data.signed_list:
            if signed_str == "(request-target)":
                signed_string.append("(request-target): "
                                     + signed_data.method.lower() + ' ' + signed_data.path)
            elif signed_str == "digest" and signed_data.body_digest:
                signed_string.append("digest: " + signed_data.body_digest)
            else:
                signed_string.append(signed_str + ": "
                                     + signed_data.headers[signed_str])

        return "\n".join(signed_string)


class HTTPXSigAuth(httpx.Auth):
    def __init__(self, key) -> None:
        self.key = key

    def auth_flow(
        self,
        request: httpx.Request
    ):
        bodydigest = None
        if request.content:
            bh = hashlib.new("sha256")
            bh.update(request.content)
            bodydigest = "SHA-256=" + base64.b64encode(bh.digest()).decode("utf-8")

        date = datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT")
        request.headers["Date"] = date
        sigheaders = {}
        if bodydigest:
            request.headers["digest"] = bodydigest
            sigheaders = "(request-target) user-agent host date digest content-type"
        else:
            sigheaders = "(request-target) user-agent host date accept"

        logger.info(request.headers)

        sigdate = SignedData(
            method = request.method,
            path = request.url.path,
            signed_list = sigheaders.split(),
            body_digest = bodydigest,
            headers = request.headers,
        )

        to_be_signed = HttpSignature.build_signature_string(
            sigdate
        )

        logger.debug(f"{to_be_signed}")

        if not self.key:
            raise ValueError("Should never happen")
        signer = PKCS1_v1_5.new(self.key)
        digest = SHA256.new()
        digest.update(to_be_signed.encode("utf-8"))
        sig = base64.b64encode(signer.sign(digest))


        key_id = f"{ID}#main-key"
        sig_value = f'keyId="{key_id}",algorithm="rsa-sha256",\
            headers="{sigheaders}",signature="{sig.decode()}"'
        logger.debug(f"signed request {sig_value=}")
        request.headers["signature"] = sig_value
        yield request


k = KEY_PATH.read_text()
k = RSA.importKey(k)
auth = HTTPXSigAuth(k)
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00			`#!/usr/bin/env python3`
			`"""`
			`Verify and build HTTP signatures`
			`"""`
			`import base64`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`import httpx`
			`import hashlib`

[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00			`from Crypto.Hash import SHA256`
			`from Crypto.Signature import PKCS1_v1_5`
			`from Crypto.PublicKey import RSA`
[feat] check inbox signature 2023-06-19 08:34:03 +02:00			`from werkzeug.datastructures import Headers`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`from httpx import Headers as Httpx_headers`
[lint] some lint 2023-07-27 09:49:14 +02:00			`from datetime import datetime`
			`from loguru import logger`

			`from dataclasses import dataclass`
[feat] auth flow 2023-07-27 14:30:02 +02:00			`from demo.config import ID, KEY_PATH`
[lint] some lint 2023-07-27 09:49:14 +02:00
[refactor] build httpsig string 2023-06-09 05:07:02 +02:00

			`@dataclass`
			`class SignedData:`
[lint] fix lint 2023-06-09 05:09:28 +02:00			`"""`
			`Signature data`
			`"""`
[refactor] build httpsig string 2023-06-09 05:07:02 +02:00			`method: str`
			`path: str`
			`signed_list: list`
			`body_digest: str \| None`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`headers: Headers \| Httpx_headers`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00

			`class HttpSignature:`
			`"""`
			`calculation and verification of HTTP signatures`
			`"""`
			`@classmethod`
			`def calculation_digest(`
			`cls,`
[lint] fix some lint pylint: - E1102: not-callable flake8: - E203 whitespace before ':' 2023-06-13 08:50:22 +02:00			`body: bytes,`
			`algorithm: str ="sha-256"`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00			`) -> str:`
			`"""`
			`Calculates the digest header value for a given HTTP body`
			`"""`
			`if "sha-256" == algorithm:`
			`body_digest = SHA256.new()`
			`body_digest.update(body)`
			`return "SHA-256=" + \`
			`base64.b64encode(body_digest.digest()`
			`).decode("utf-8")`

			`raise ValueError(f"No support algorithm {algorithm}")`

			`@classmethod`
			`def verify_signature(`
			`cls,`
[lint] fix some lint pylint: - E1102: not-callable flake8: - E203 whitespace before ':' 2023-06-13 08:50:22 +02:00			`signature_string: str,`
			`signature: bytes,`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00			`pubkey,`
			`) -> bool:`
			`"""`
			`Verify signatur that returns bool`
			`"""`
			`pubkey = RSA.importKey(pubkey)`
			`signer = PKCS1_v1_5.new(pubkey)`
			`digest = SHA256.new()`
			`digest.update(signature_string.encode("utf-8"))`
[lint] fix some lint pylint: - E1102: not-callable flake8: - E203 whitespace before ':' 2023-06-13 08:50:22 +02:00			`return signer.verify(digest, signature) # pylint: disable=E1102`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00

			`@classmethod`
			`def parse_signature(`
			`cls,`
[lint] fix some lint pylint: - E1102: not-callable flake8: - E203 whitespace before ':' 2023-06-13 08:50:22 +02:00			`signature: str`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00			`) -> dict:`
			`"""`
			`Parse signature string in headers`
			`"""`
			`detail = {}`
			`for item in signature.split(','):`
			`name, value = item.split('=', 1)`
			`value = value.strip('"')`
			`detail[name.lower()] = value`
			`signature_details = {`
			`"headers": detail["headers"].split(),`
			`"signature": base64.b64decode(detail["signature"]),`
			`"algorithm": detail["algorithm"],`
			`"keyid": detail["keyid"],`
			`}`
			`return signature_details`

			`@classmethod`
			`def build_signature_string(`
			`cls,`
[refactor] build httpsig string 2023-06-09 05:07:02 +02:00			`signed_data: SignedData,`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00			`) -> str:`
			`"""`
			`Build signature string`
			`"""`
			`signed_string = []`
[refactor] build httpsig string 2023-06-09 05:07:02 +02:00			`for signed_str in signed_data.signed_list:`
			`if signed_str == "(request-target)":`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00			`signed_string.append("(request-target): "`
[refactor] build httpsig string 2023-06-09 05:07:02 +02:00			`+ signed_data.method.lower() + ' ' + signed_data.path)`
			`elif signed_str == "digest" and signed_data.body_digest:`
			`signed_string.append("digest: " + signed_data.body_digest)`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00			`else:`
[refactor] build httpsig string 2023-06-09 05:07:02 +02:00			`signed_string.append(signed_str + ": "`
			`+ signed_data.headers[signed_str])`
[feat] bulid and verify http signature 2023-06-09 04:52:07 +02:00
			`return "\n".join(signed_string)`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00

			`class HTTPXSigAuth(httpx.Auth):`
			`def __init__(self, key) -> None:`
			`self.key = key`

			`def auth_flow(`
[lint] fix arguments-renamed 2023-07-27 09:53:45 +02:00			`self,`
			`request: httpx.Request`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`):`
			`bodydigest = None`
[lint] fix arguments-renamed 2023-07-27 09:53:45 +02:00			`if request.content:`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`bh = hashlib.new("sha256")`
[lint] fix arguments-renamed 2023-07-27 09:53:45 +02:00			`bh.update(request.content)`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`bodydigest = "SHA-256=" + base64.b64encode(bh.digest()).decode("utf-8")`

			`date = datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT")`
[lint] fix arguments-renamed 2023-07-27 09:53:45 +02:00			`request.headers["Date"] = date`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`sigheaders = {}`
			`if bodydigest:`
[lint] fix arguments-renamed 2023-07-27 09:53:45 +02:00			`request.headers["digest"] = bodydigest`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`sigheaders = "(request-target) user-agent host date digest content-type"`
			`else:`
			`sigheaders = "(request-target) user-agent host date accept"`

[perf] activity auth & logger 2023-07-27 19:21:24 +02:00			`logger.info(request.headers)`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00
			`sigdate = SignedData(`
[lint] fix arguments-renamed 2023-07-27 09:53:45 +02:00			`method = request.method,`
			`path = request.url.path,`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`signed_list = sigheaders.split(),`
			`body_digest = bodydigest,`
[lint] fix arguments-renamed 2023-07-27 09:53:45 +02:00			`headers = request.headers,`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`)`

			`to_be_signed = HttpSignature.build_signature_string(`
			`sigdate`
			`)`

[perf] activity auth & logger 2023-07-27 19:21:24 +02:00			`logger.debug(f"{to_be_signed}")`

[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`if not self.key:`
			`raise ValueError("Should never happen")`
			`signer = PKCS1_v1_5.new(self.key)`
			`digest = SHA256.new()`
			`digest.update(to_be_signed.encode("utf-8"))`
			`sig = base64.b64encode(signer.sign(digest))`


			`key_id = f"{ID}#main-key"`
[lint] some lint 2023-07-27 09:49:14 +02:00			`sig_value = f'keyId="{key_id}",algorithm="rsa-sha256",\`
			`headers="{sigheaders}",signature="{sig.decode()}"'`
[feat] add post sign flow 2023-07-27 09:16:34 +02:00			`logger.debug(f"signed request {sig_value=}")`
[lint] fix arguments-renamed 2023-07-27 09:53:45 +02:00			`request.headers["signature"] = sig_value`
			`yield request`
[feat] auth flow 2023-07-27 14:30:02 +02:00

			`k = KEY_PATH.read_text()`
			`k = RSA.importKey(k)`
			`auth = HTTPXSigAuth(k)`