python-oauthlib/SOURCES/0002-Rip-out-the-rest-of-RSA.patch

329 lines
16 KiB
Diff
Raw Permalink Normal View History

2023-05-09 05:27:08 +00:00
diff -up oauthlib-3.1.1/oauthlib/oauth1/__init__.py.orig oauthlib-3.1.1/oauthlib/oauth1/__init__.py
--- oauthlib-3.1.1/oauthlib/oauth1/__init__.py.orig 2022-07-12 14:00:51.468041694 +0200
+++ oauthlib-3.1.1/oauthlib/oauth1/__init__.py 2022-07-12 14:02:06.102946935 +0200
@@ -10,8 +10,6 @@ from .rfc5849 import (SIGNATURE_HMAC,
SIGNATURE_HMAC_SHA1,
SIGNATURE_HMAC_SHA256,
SIGNATURE_HMAC_SHA512,
- SIGNATURE_RSA_SHA256,
- SIGNATURE_RSA_SHA512,
SIGNATURE_PLAINTEXT)
from .rfc5849 import SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_QUERY
from .rfc5849 import SIGNATURE_TYPE_BODY
diff -up oauthlib-3.1.1/oauthlib/oauth1/rfc5849/endpoints/base.py.orig oauthlib-3.1.1/oauthlib/oauth1/rfc5849/endpoints/base.py
--- oauthlib-3.1.1/oauthlib/oauth1/rfc5849/endpoints/base.py.orig 2022-07-13 16:45:37.104370084 +0200
+++ oauthlib-3.1.1/oauthlib/oauth1/rfc5849/endpoints/base.py 2022-07-12 14:17:46.689355274 +0200
@@ -180,27 +180,11 @@ class BaseEndpoint:
description='Invalid nonce format.')
def _check_signature(self, request, is_token_request=False):
- # ---- RSA-SHA1 is not allowed ------
- if request.signature_method == SIGNATURE_RSA_SHA1:
- raise ValueError("Using RSA-SHA1 is deprecated, use HMAC-SHA1 or a stronger RSA-SHA***")
-
- # ---- RSA Signature verification ----
- if request.signature_method == SIGNATURE_RSA_SHA256 or \
- request.signature_method == SIGNATURE_RSA_SHA512:
- # RSA-based signature method
-
- # The server verifies the signature per `[RFC3447] section 8.2.2`_
- # .. _`[RFC3447] section 8.2.2`: https://tools.ietf.org/html/rfc3447#section-8.2.1
-
- rsa_key = self.request_validator.get_rsa_key(
- request.client_key, request)
-
- if request.signature_method == SIGNATURE_RSA_SHA256:
- valid_signature = signature.verify_rsa_sha256(request, rsa_key)
- elif request.signature_method == SIGNATURE_RSA_SHA512:
- valid_signature = signature.verify_rsa_sha512(request, rsa_key)
- else:
- valid_signature = False
+ # ---- RSA-SHA is not allowed ------
+ if request.signature_method in (SIGNATURE_RSA_SHA1,
+ SIGNATURE_RSA_SHA256,
+ SIGNATURE_RSA_SHA512):
+ raise ValueError("Using RSA-SHA is deprecated, use HMAC-SHA")
# ---- HMAC or Plaintext Signature verification ----
else:
diff -up oauthlib-3.1.1/oauthlib/oauth1/rfc5849/__init__.py.orig oauthlib-3.1.1/oauthlib/oauth1/rfc5849/__init__.py
--- oauthlib-3.1.1/oauthlib/oauth1/rfc5849/__init__.py.orig 2022-07-13 16:45:37.103370073 +0200
+++ oauthlib-3.1.1/oauthlib/oauth1/rfc5849/__init__.py 2022-07-12 14:05:31.087433182 +0200
@@ -78,7 +78,7 @@ class Client:
SIGNATURE_HMAC_SHA1: signature.sign_hmac_sha1_with_client,
SIGNATURE_HMAC_SHA256: signature.sign_hmac_sha256_with_client,
SIGNATURE_HMAC_SHA512: signature.sign_hmac_sha512_with_client,
- # sign_rsa_sha1_with_client actually points out to a dummy method
+ # sign_rsa_shaXYZ_with_client actually points out to a dummy method
# that just throws an exception
SIGNATURE_RSA_SHA1: signature.sign_rsa_sha1_with_client,
SIGNATURE_RSA_SHA256: signature.sign_rsa_sha256_with_client,
diff -up oauthlib-3.1.1/oauthlib/oauth1/rfc5849/signature.py.orig oauthlib-3.1.1/oauthlib/oauth1/rfc5849/signature.py
--- oauthlib-3.1.1/oauthlib/oauth1/rfc5849/signature.py.orig 2022-07-13 16:45:37.104370084 +0200
+++ oauthlib-3.1.1/oauthlib/oauth1/rfc5849/signature.py 2022-08-10 12:05:45.642421443 +0200
@@ -559,16 +559,17 @@ def _get_jwt_rsa_algorithm(hash_algorith
# Not in cache: instantiate a new RSAAlgorithm
# PyJWT has some nice pycrypto/cryptography abstractions
- import jwt.algorithms as jwt_algorithms
- m = {
- 'SHA-256': jwt_algorithms.hashes.SHA256,
- 'SHA-512': jwt_algorithms.hashes.SHA512,
- }
- v = jwt_algorithms.RSAAlgorithm(m[hash_algorithm_name])
+ # import jwt.algorithms as jwt_algorithms
+ #m = {
+ # 'SHA-256': jwt_algorithms.hashes.SHA256,
+ # 'SHA-512': jwt_algorithms.hashes.SHA512,
+ #}
+ #v = jwt_algorithms.RSAAlgorithm(m[hash_algorithm_name])
- _jwt_rsa[hash_algorithm_name] = v # populate cache
+ #_jwt_rsa[hash_algorithm_name] = v # populate cache
- return v
+ #return v
+ return None
def _prepare_key_plus(alg, keystr):
@@ -612,6 +613,7 @@ def _sign_rsa(hash_algorithm_name: str,
"""
# Get the implementation of RSA-hash
+ raise ValueError('Invalid signature method.')
alg = _get_jwt_rsa_algorithm(hash_algorithm_name)
diff -up oauthlib-3.1.1/tests/oauth1/rfc5849/test_client.py.orig oauthlib-3.1.1/tests/oauth1/rfc5849/test_client.py
--- oauthlib-3.1.1/tests/oauth1/rfc5849/test_client.py.orig 2022-07-13 16:45:37.104370084 +0200
+++ oauthlib-3.1.1/tests/oauth1/rfc5849/test_client.py 2022-08-09 11:46:07.105962442 +0200
@@ -2,7 +2,7 @@
from oauthlib.common import Request
from oauthlib.oauth1 import (
SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256, SIGNATURE_PLAINTEXT,
- SIGNATURE_RSA_SHA256, SIGNATURE_TYPE_BODY, SIGNATURE_TYPE_QUERY,
+ SIGNATURE_TYPE_BODY, SIGNATURE_TYPE_QUERY,
)
from oauthlib.oauth1.rfc5849 import Client
@@ -74,14 +74,6 @@ class ClientConstructorTests(TestCase):
self.assertEqual(Client.SIGNATURE_METHODS[SIGNATURE_HMAC_SHA256],
client.SIGNATURE_METHODS[client.signature_method])
- def test_rsa(self):
- client = Client('client_key', signature_method=SIGNATURE_RSA_SHA256)
- # instance is using the correct signer method
- self.assertEqual(Client.SIGNATURE_METHODS[SIGNATURE_RSA_SHA256],
- client.SIGNATURE_METHODS[client.signature_method])
- # don't need an RSA key to instantiate
- self.assertIsNone(client.rsa_key)
-
class SignatureMethodTest(TestCase):
@@ -104,35 +96,6 @@ class SignatureMethodTest(TestCase):
'oauth_signature="JzgJWBxX664OiMW3WE4MEjtYwOjI%2FpaUWHqtdHe68Es%3D"')
self.assertEqual(h['Authorization'], correct)
- def test_rsa_method(self):
- private_key = (
- "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDk1/bxy"
- "S8Q8jiheHeYYp/4rEKJopeQRRKKpZI4s5i+UPwVpupG\nAlwXWfzXw"
- "SMaKPAoKJNdu7tqKRniqst5uoHXw98gj0x7zamu0Ck1LtQ4c7pFMVa"
- "h\n5IYGhBi2E9ycNS329W27nJPWNCbESTu7snVlG8V8mfvGGg3xNjT"
- "MO7IdrwIDAQAB\nAoGBAOQ2KuH8S5+OrsL4K+wfjoCi6MfxCUyqVU9"
- "GxocdM1m30WyWRFMEz2nKJ8fR\np3vTD4w8yplTOhcoXdQZl0kRoaD"
- "zrcYkm2VvJtQRrX7dKFT8dR8D/Tr7dNQLOXfC\nDY6xveQczE7qt7V"
- "k7lp4FqmxBsaaEuokt78pOOjywZoInjZhAkEA9wz3zoZNT0/i\nrf6"
- "qv2qTIeieUB035N3dyw6f1BGSWYaXSuerDCD/J1qZbAPKKhyHZbVaw"
- "Ft3UMhe\n542UftBaxQJBAO0iJy1I8GQjGnS7B3yvyH3CcLYGy296+"
- "XO/2xKp/d/ty1OIeovx\nC60pLNwuFNF3z9d2GVQAdoQ89hUkOtjZL"
- "eMCQQD0JO6oPHUeUjYT+T7ImAv7UKVT\nSuy30sKjLzqoGw1kR+wv7"
- "C5PeDRvscs4wa4CW9s6mjSrMDkDrmCLuJDtmf55AkEA\nkmaMg2PNr"
- "jUR51F0zOEFycaaqXbGcFwe1/xx9zLmHzMDXd4bsnwt9kk+fe0hQzV"
- "S\nJzatanQit3+feev1PN3QewJAWv4RZeavEUhKv+kLe95Yd0su7lT"
- "LVduVgh4v5yLT\nGa6FHdjGPcfajt+nrpB1n8UQBEH9ZxniokR/IPv"
- "dMlxqXA==\n-----END RSA PRIVATE KEY-----"
- )
- client = Client('client_key', signature_method=SIGNATURE_RSA_SHA256,
- rsa_key=private_key, timestamp='1234567890', nonce='abc')
- u, h, b = client.sign('http://example.com')
- correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", '
- 'oauth_version="1.0", oauth_signature_method="RSA-SHA256", '
- 'oauth_consumer_key="client_key", '
- 'oauth_signature="hJE2IGqCn3bw7ecu6psnsImrvERhTd667aIENzWbzdRGxEWwvAwJvWWCffD8P0Ox9IEu3gKD%2FzYdr36tBhW%2FMvdFsOAr4F41ojznv1urY6%2FD9FRs1py9dYuj1vdFYFUzziMBDv2w2emidDk8PqfHT1we5%2FIcH%2FKNCjMbkQgxsqE%3D"')
- self.assertEqual(h['Authorization'], correct)
-
def test_plaintext_method(self):
client = Client('client_key',
signature_method=SIGNATURE_PLAINTEXT,
@@ -151,10 +114,6 @@ class SignatureMethodTest(TestCase):
client = Client('client_key', signature_method='invalid')
self.assertRaises(ValueError, client.sign, 'http://example.com')
- def test_rsa_no_key(self):
- client = Client('client_key', signature_method=SIGNATURE_RSA_SHA256)
- self.assertRaises(ValueError, client.sign, 'http://example.com')
-
def test_register_method(self):
Client.register_signature_method('PIZZA',
lambda base_string, client: 'PIZZA')
diff -up oauthlib-3.1.1/tests/oauth1/rfc5849/test_signatures.py.orig oauthlib-3.1.1/tests/oauth1/rfc5849/test_signatures.py
--- oauthlib-3.1.1/tests/oauth1/rfc5849/test_signatures.py.orig 2022-07-13 16:45:37.104370084 +0200
+++ oauthlib-3.1.1/tests/oauth1/rfc5849/test_signatures.py 2022-08-09 11:55:56.834032943 +0200
@@ -657,129 +657,38 @@ GLYT3Jw1Lfb1bbuck9Y0JsRJO7uydWUbxXyZ+8Ya
def test_sign_rsa_sha256_with_client(self):
"""
- Test sign and verify with RSA-SHA256.
- """
- self.assertEqual(
- self.expected_signature_rsa_sha256,
- sign_rsa_sha256_with_client(self.eg_signature_base_string,
- self.rsa_private_client))
- self.assertTrue(verify_rsa_sha256(
- MockRequest('POST',
- 'http://example.com/request',
- self.eg_params,
- self.expected_signature_rsa_sha256),
- self.rsa_public_client.rsa_key))
-
- def test_sign_rsa_sha512_with_client(self):
- """
- Test sign and verify with RSA-SHA512.
- """
- self.assertEqual(
- self.expected_signature_rsa_sha512,
- sign_rsa_sha512_with_client(self.eg_signature_base_string,
- self.rsa_private_client))
- self.assertTrue(verify_rsa_sha512(
- MockRequest('POST',
- 'http://example.com/request',
- self.eg_params,
- self.expected_signature_rsa_sha512),
- self.rsa_public_client.rsa_key))
-
- def test_rsa_false_positives(self):
- """
- Test verify_rsa-* functions will correctly detect invalid signatures.
+ Test sign and verify with RSA-SHA256 throws an exception.
"""
+ self.assertRaises(ValueError,
+ sign_rsa_sha256_with_client,
+ self.eg_signature_base_string,
+ self.rsa_private_client)
- another_client = MockClient(rsa_key='''
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDZcD/1OZNJJ6Y3QZM16Z+O7fkD9kTIQuT2BfpAOUvDfxzYhVC9
-TNmSDHCQhr+ClutyolBk5jTE1/FXFUuHoPsTrkI7KQFXPP834D4gnSY9jrAiUJHe
-DVF6wXNuS7H4Ueh16YPjUxgLLRh/nn/JSEj98gsw+7DP01OWMfWS99S7eQIDAQAB
-AoGBALsQZRXVyK7BG7CiC8HwEcNnXDpaXmZjlpNKJTenk1THQMvONd4GBZAuf5D3
-PD9fE4R1u/ByVKecmBaxTV+L0TRQfD8K/nbQe0SKRQIkLI2ymLJKC/eyw5iTKT0E
-+BS6wYpVd+mfcqgvpHOYpUmz9X8k/eOa7uslFmvt+sDb5ZcBAkEA+++SRqqUxFEG
-s/ZWAKw9p5YgkeVUOYVUwyAeZ97heySrjVzg1nZ6v6kv7iOPi9KOEpaIGPW7x1K/
-uQuSt4YEqQJBANzyNqZTTPpv7b/R8ABFy0YMwPVNt3b1GOU1Xxl6iuhH2WcHuueo
-UB13JHoZCMZ7hsEqieEz6uteUjdRzRPKclECQFNhVK4iop3emzNQYeJTHwyp+RmQ
-JrHq2MTDioyiDUouNsDQbnFMQQ/RtNVB265Q/0hTnbN1ELLFRkK9+87VghECQQC9
-hacLFPk6+TffCp3sHfI3rEj4Iin1iFhKhHWGzW7JwJfjoOXaQK44GDLZ6Q918g+t
-MmgDHR2tt8KeYTSgfU+BAkBcaVF91EQ7VXhvyABNYjeYP7lU7orOgdWMa/zbLXSU
-4vLsK1WOmwPY9zsXpPkilqszqcru4gzlG462cSbEdAW9
------END RSA PRIVATE KEY-----
-''')
-
- for functions in [
- (sign_rsa_sha256_with_client, verify_rsa_sha256),
- (sign_rsa_sha512_with_client, verify_rsa_sha512),
- ]:
- signing_function = functions[0]
- verify_function = functions[1]
-
- good_signature = \
- signing_function(self.eg_signature_base_string,
- self.rsa_private_client)
-
- bad_signature_on_different_value = \
- signing_function('wrong value signed', self.rsa_private_client)
-
- bad_signature_produced_by_different_private_key = \
- signing_function(self.eg_signature_base_string, another_client)
-
- self.assertTrue(verify_function(
- MockRequest('POST',
- 'http://example.com/request',
- self.eg_params,
- good_signature),
- self.rsa_public_client.rsa_key))
-
- for bad_signature in [
- '',
- 'ZG9uJ3QgdHJ1c3QgbWUK', # random base64 encoded value
- 'altérer', # value with a non-ASCII character in it
- bad_signature_on_different_value,
- bad_signature_produced_by_different_private_key,
- ]:
- self.assertFalse(verify_function(
- MockRequest('POST',
- 'http://example.com/request',
- self.eg_params,
- bad_signature),
- self.rsa_public_client.rsa_key))
+ self.assertRaises(ValueError,
+ verify_rsa_sha1,
+ MockRequest('POST',
+ 'http://example.com/request',
+ self.eg_params,
+ self.expected_signature_rsa_sha256),
+ self.rsa_public_client.rsa_key)
- def test_rsa_bad_keys(self):
+ def test_sign_rsa_sha512_with_client(self):
"""
- Testing RSA sign and verify with bad key values produces errors.
-
- This test is useful for coverage tests, since it runs the code branches
- that deal with error situations.
+ Test sign and verify with RSA-SHA512 throws an exception.
"""
-
- # Signing needs a private key
-
- for bad_value in [None, '', 'foobar']:
- self.assertRaises(ValueError,
- sign_rsa_sha256_with_client,
- self.eg_signature_base_string,
- MockClient(rsa_key=bad_value))
-
- self.assertRaises(AttributeError,
- sign_rsa_sha256_with_client,
+ self.assertRaises(ValueError,
+ sign_rsa_sha512_with_client,
self.eg_signature_base_string,
- self.rsa_public_client) # public key doesn't sign
-
- # Verify needs a public key
+ self.rsa_private_client)
- for bad_value in [None, '', 'foobar', self.rsa_private_client.rsa_key]:
- self.assertRaises(TypeError,
- verify_rsa_sha256,
- MockRequest('POST',
- 'http://example.com/request',
- self.eg_params,
- self.expected_signature_rsa_sha256),
- MockClient(rsa_key=bad_value))
+ self.assertRaises(ValueError,
+ verify_rsa_sha1,
+ MockRequest('POST',
+ 'http://example.com/request',
+ self.eg_params,
+ self.expected_signature_rsa_sha512),
+ self.rsa_public_client.rsa_key)
- # For completeness, this text could repeat the above for RSA-SHA256 and
- # RSA-SHA512 signing and verification functions.
def test_rsa_jwt_algorithm_cache(self):
# Tests cache of RSAAlgorithm objects is implemented correctly.