diff -up oauthlib-3.1.1/oauthlib/oauth1/__init__.py.orig oauthlib-3.1.1/oauthlib/oauth1/__init__.py --- oauthlib-3.1.1/oauthlib/oauth1/__init__.py.orig 2022-07-12 14:00:51.468041694 +0200 +++ oauthlib-3.1.1/oauthlib/oauth1/__init__.py 2022-07-12 14:02:06.102946935 +0200 @@ -10,8 +10,6 @@ from .rfc5849 import (SIGNATURE_HMAC, SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256, SIGNATURE_HMAC_SHA512, - SIGNATURE_RSA_SHA256, - SIGNATURE_RSA_SHA512, SIGNATURE_PLAINTEXT) from .rfc5849 import SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_QUERY from .rfc5849 import SIGNATURE_TYPE_BODY diff -up oauthlib-3.1.1/oauthlib/oauth1/rfc5849/endpoints/base.py.orig oauthlib-3.1.1/oauthlib/oauth1/rfc5849/endpoints/base.py --- oauthlib-3.1.1/oauthlib/oauth1/rfc5849/endpoints/base.py.orig 2022-07-13 16:45:37.104370084 +0200 +++ oauthlib-3.1.1/oauthlib/oauth1/rfc5849/endpoints/base.py 2022-07-12 14:17:46.689355274 +0200 @@ -180,27 +180,11 @@ class BaseEndpoint: description='Invalid nonce format.') def _check_signature(self, request, is_token_request=False): - # ---- RSA-SHA1 is not allowed ------ - if request.signature_method == SIGNATURE_RSA_SHA1: - raise ValueError("Using RSA-SHA1 is deprecated, use HMAC-SHA1 or a stronger RSA-SHA***") - - # ---- RSA Signature verification ---- - if request.signature_method == SIGNATURE_RSA_SHA256 or \ - request.signature_method == SIGNATURE_RSA_SHA512: - # RSA-based signature method - - # The server verifies the signature per `[RFC3447] section 8.2.2`_ - # .. _`[RFC3447] section 8.2.2`: https://tools.ietf.org/html/rfc3447#section-8.2.1 - - rsa_key = self.request_validator.get_rsa_key( - request.client_key, request) - - if request.signature_method == SIGNATURE_RSA_SHA256: - valid_signature = signature.verify_rsa_sha256(request, rsa_key) - elif request.signature_method == SIGNATURE_RSA_SHA512: - valid_signature = signature.verify_rsa_sha512(request, rsa_key) - else: - valid_signature = False + # ---- RSA-SHA is not allowed ------ + if request.signature_method in (SIGNATURE_RSA_SHA1, + SIGNATURE_RSA_SHA256, + SIGNATURE_RSA_SHA512): + raise ValueError("Using RSA-SHA is deprecated, use HMAC-SHA") # ---- HMAC or Plaintext Signature verification ---- else: diff -up oauthlib-3.1.1/oauthlib/oauth1/rfc5849/__init__.py.orig oauthlib-3.1.1/oauthlib/oauth1/rfc5849/__init__.py --- oauthlib-3.1.1/oauthlib/oauth1/rfc5849/__init__.py.orig 2022-07-13 16:45:37.103370073 +0200 +++ oauthlib-3.1.1/oauthlib/oauth1/rfc5849/__init__.py 2022-07-12 14:05:31.087433182 +0200 @@ -78,7 +78,7 @@ class Client: SIGNATURE_HMAC_SHA1: signature.sign_hmac_sha1_with_client, SIGNATURE_HMAC_SHA256: signature.sign_hmac_sha256_with_client, SIGNATURE_HMAC_SHA512: signature.sign_hmac_sha512_with_client, - # sign_rsa_sha1_with_client actually points out to a dummy method + # sign_rsa_shaXYZ_with_client actually points out to a dummy method # that just throws an exception SIGNATURE_RSA_SHA1: signature.sign_rsa_sha1_with_client, SIGNATURE_RSA_SHA256: signature.sign_rsa_sha256_with_client, diff -up oauthlib-3.1.1/oauthlib/oauth1/rfc5849/signature.py.orig oauthlib-3.1.1/oauthlib/oauth1/rfc5849/signature.py --- oauthlib-3.1.1/oauthlib/oauth1/rfc5849/signature.py.orig 2022-07-13 16:45:37.104370084 +0200 +++ oauthlib-3.1.1/oauthlib/oauth1/rfc5849/signature.py 2022-08-10 12:05:45.642421443 +0200 @@ -559,16 +559,17 @@ def _get_jwt_rsa_algorithm(hash_algorith # Not in cache: instantiate a new RSAAlgorithm # PyJWT has some nice pycrypto/cryptography abstractions - import jwt.algorithms as jwt_algorithms - m = { - 'SHA-256': jwt_algorithms.hashes.SHA256, - 'SHA-512': jwt_algorithms.hashes.SHA512, - } - v = jwt_algorithms.RSAAlgorithm(m[hash_algorithm_name]) + # import jwt.algorithms as jwt_algorithms + #m = { + # 'SHA-256': jwt_algorithms.hashes.SHA256, + # 'SHA-512': jwt_algorithms.hashes.SHA512, + #} + #v = jwt_algorithms.RSAAlgorithm(m[hash_algorithm_name]) - _jwt_rsa[hash_algorithm_name] = v # populate cache + #_jwt_rsa[hash_algorithm_name] = v # populate cache - return v + #return v + return None def _prepare_key_plus(alg, keystr): @@ -612,6 +613,7 @@ def _sign_rsa(hash_algorithm_name: str, """ # Get the implementation of RSA-hash + raise ValueError('Invalid signature method.') alg = _get_jwt_rsa_algorithm(hash_algorithm_name) diff -up oauthlib-3.1.1/tests/oauth1/rfc5849/test_client.py.orig oauthlib-3.1.1/tests/oauth1/rfc5849/test_client.py --- oauthlib-3.1.1/tests/oauth1/rfc5849/test_client.py.orig 2022-07-13 16:45:37.104370084 +0200 +++ oauthlib-3.1.1/tests/oauth1/rfc5849/test_client.py 2022-08-09 11:46:07.105962442 +0200 @@ -2,7 +2,7 @@ from oauthlib.common import Request from oauthlib.oauth1 import ( SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256, SIGNATURE_PLAINTEXT, - SIGNATURE_RSA_SHA256, SIGNATURE_TYPE_BODY, SIGNATURE_TYPE_QUERY, + SIGNATURE_TYPE_BODY, SIGNATURE_TYPE_QUERY, ) from oauthlib.oauth1.rfc5849 import Client @@ -74,14 +74,6 @@ class ClientConstructorTests(TestCase): self.assertEqual(Client.SIGNATURE_METHODS[SIGNATURE_HMAC_SHA256], client.SIGNATURE_METHODS[client.signature_method]) - def test_rsa(self): - client = Client('client_key', signature_method=SIGNATURE_RSA_SHA256) - # instance is using the correct signer method - self.assertEqual(Client.SIGNATURE_METHODS[SIGNATURE_RSA_SHA256], - client.SIGNATURE_METHODS[client.signature_method]) - # don't need an RSA key to instantiate - self.assertIsNone(client.rsa_key) - class SignatureMethodTest(TestCase): @@ -104,35 +96,6 @@ class SignatureMethodTest(TestCase): 'oauth_signature="JzgJWBxX664OiMW3WE4MEjtYwOjI%2FpaUWHqtdHe68Es%3D"') self.assertEqual(h['Authorization'], correct) - def test_rsa_method(self): - private_key = ( - "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDk1/bxy" - "S8Q8jiheHeYYp/4rEKJopeQRRKKpZI4s5i+UPwVpupG\nAlwXWfzXw" - "SMaKPAoKJNdu7tqKRniqst5uoHXw98gj0x7zamu0Ck1LtQ4c7pFMVa" - "h\n5IYGhBi2E9ycNS329W27nJPWNCbESTu7snVlG8V8mfvGGg3xNjT" - "MO7IdrwIDAQAB\nAoGBAOQ2KuH8S5+OrsL4K+wfjoCi6MfxCUyqVU9" - "GxocdM1m30WyWRFMEz2nKJ8fR\np3vTD4w8yplTOhcoXdQZl0kRoaD" - "zrcYkm2VvJtQRrX7dKFT8dR8D/Tr7dNQLOXfC\nDY6xveQczE7qt7V" - "k7lp4FqmxBsaaEuokt78pOOjywZoInjZhAkEA9wz3zoZNT0/i\nrf6" - "qv2qTIeieUB035N3dyw6f1BGSWYaXSuerDCD/J1qZbAPKKhyHZbVaw" - "Ft3UMhe\n542UftBaxQJBAO0iJy1I8GQjGnS7B3yvyH3CcLYGy296+" - "XO/2xKp/d/ty1OIeovx\nC60pLNwuFNF3z9d2GVQAdoQ89hUkOtjZL" - "eMCQQD0JO6oPHUeUjYT+T7ImAv7UKVT\nSuy30sKjLzqoGw1kR+wv7" - "C5PeDRvscs4wa4CW9s6mjSrMDkDrmCLuJDtmf55AkEA\nkmaMg2PNr" - "jUR51F0zOEFycaaqXbGcFwe1/xx9zLmHzMDXd4bsnwt9kk+fe0hQzV" - "S\nJzatanQit3+feev1PN3QewJAWv4RZeavEUhKv+kLe95Yd0su7lT" - "LVduVgh4v5yLT\nGa6FHdjGPcfajt+nrpB1n8UQBEH9ZxniokR/IPv" - "dMlxqXA==\n-----END RSA PRIVATE KEY-----" - ) - client = Client('client_key', signature_method=SIGNATURE_RSA_SHA256, - rsa_key=private_key, timestamp='1234567890', nonce='abc') - u, h, b = client.sign('http://example.com') - correct = ('OAuth oauth_nonce="abc", oauth_timestamp="1234567890", ' - 'oauth_version="1.0", oauth_signature_method="RSA-SHA256", ' - 'oauth_consumer_key="client_key", ' - 'oauth_signature="hJE2IGqCn3bw7ecu6psnsImrvERhTd667aIENzWbzdRGxEWwvAwJvWWCffD8P0Ox9IEu3gKD%2FzYdr36tBhW%2FMvdFsOAr4F41ojznv1urY6%2FD9FRs1py9dYuj1vdFYFUzziMBDv2w2emidDk8PqfHT1we5%2FIcH%2FKNCjMbkQgxsqE%3D"') - self.assertEqual(h['Authorization'], correct) - def test_plaintext_method(self): client = Client('client_key', signature_method=SIGNATURE_PLAINTEXT, @@ -151,10 +114,6 @@ class SignatureMethodTest(TestCase): client = Client('client_key', signature_method='invalid') self.assertRaises(ValueError, client.sign, 'http://example.com') - def test_rsa_no_key(self): - client = Client('client_key', signature_method=SIGNATURE_RSA_SHA256) - self.assertRaises(ValueError, client.sign, 'http://example.com') - def test_register_method(self): Client.register_signature_method('PIZZA', lambda base_string, client: 'PIZZA') diff -up oauthlib-3.1.1/tests/oauth1/rfc5849/test_signatures.py.orig oauthlib-3.1.1/tests/oauth1/rfc5849/test_signatures.py --- oauthlib-3.1.1/tests/oauth1/rfc5849/test_signatures.py.orig 2022-07-13 16:45:37.104370084 +0200 +++ oauthlib-3.1.1/tests/oauth1/rfc5849/test_signatures.py 2022-08-09 11:55:56.834032943 +0200 @@ -657,129 +657,38 @@ GLYT3Jw1Lfb1bbuck9Y0JsRJO7uydWUbxXyZ+8Ya def test_sign_rsa_sha256_with_client(self): """ - Test sign and verify with RSA-SHA256. - """ - self.assertEqual( - self.expected_signature_rsa_sha256, - sign_rsa_sha256_with_client(self.eg_signature_base_string, - self.rsa_private_client)) - self.assertTrue(verify_rsa_sha256( - MockRequest('POST', - 'http://example.com/request', - self.eg_params, - self.expected_signature_rsa_sha256), - self.rsa_public_client.rsa_key)) - - def test_sign_rsa_sha512_with_client(self): - """ - Test sign and verify with RSA-SHA512. - """ - self.assertEqual( - self.expected_signature_rsa_sha512, - sign_rsa_sha512_with_client(self.eg_signature_base_string, - self.rsa_private_client)) - self.assertTrue(verify_rsa_sha512( - MockRequest('POST', - 'http://example.com/request', - self.eg_params, - self.expected_signature_rsa_sha512), - self.rsa_public_client.rsa_key)) - - def test_rsa_false_positives(self): - """ - Test verify_rsa-* functions will correctly detect invalid signatures. + Test sign and verify with RSA-SHA256 throws an exception. """ + self.assertRaises(ValueError, + sign_rsa_sha256_with_client, + self.eg_signature_base_string, + self.rsa_private_client) - another_client = MockClient(rsa_key=''' ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDZcD/1OZNJJ6Y3QZM16Z+O7fkD9kTIQuT2BfpAOUvDfxzYhVC9 -TNmSDHCQhr+ClutyolBk5jTE1/FXFUuHoPsTrkI7KQFXPP834D4gnSY9jrAiUJHe -DVF6wXNuS7H4Ueh16YPjUxgLLRh/nn/JSEj98gsw+7DP01OWMfWS99S7eQIDAQAB -AoGBALsQZRXVyK7BG7CiC8HwEcNnXDpaXmZjlpNKJTenk1THQMvONd4GBZAuf5D3 -PD9fE4R1u/ByVKecmBaxTV+L0TRQfD8K/nbQe0SKRQIkLI2ymLJKC/eyw5iTKT0E -+BS6wYpVd+mfcqgvpHOYpUmz9X8k/eOa7uslFmvt+sDb5ZcBAkEA+++SRqqUxFEG -s/ZWAKw9p5YgkeVUOYVUwyAeZ97heySrjVzg1nZ6v6kv7iOPi9KOEpaIGPW7x1K/ -uQuSt4YEqQJBANzyNqZTTPpv7b/R8ABFy0YMwPVNt3b1GOU1Xxl6iuhH2WcHuueo -UB13JHoZCMZ7hsEqieEz6uteUjdRzRPKclECQFNhVK4iop3emzNQYeJTHwyp+RmQ -JrHq2MTDioyiDUouNsDQbnFMQQ/RtNVB265Q/0hTnbN1ELLFRkK9+87VghECQQC9 -hacLFPk6+TffCp3sHfI3rEj4Iin1iFhKhHWGzW7JwJfjoOXaQK44GDLZ6Q918g+t -MmgDHR2tt8KeYTSgfU+BAkBcaVF91EQ7VXhvyABNYjeYP7lU7orOgdWMa/zbLXSU -4vLsK1WOmwPY9zsXpPkilqszqcru4gzlG462cSbEdAW9 ------END RSA PRIVATE KEY----- -''') - - for functions in [ - (sign_rsa_sha256_with_client, verify_rsa_sha256), - (sign_rsa_sha512_with_client, verify_rsa_sha512), - ]: - signing_function = functions[0] - verify_function = functions[1] - - good_signature = \ - signing_function(self.eg_signature_base_string, - self.rsa_private_client) - - bad_signature_on_different_value = \ - signing_function('wrong value signed', self.rsa_private_client) - - bad_signature_produced_by_different_private_key = \ - signing_function(self.eg_signature_base_string, another_client) - - self.assertTrue(verify_function( - MockRequest('POST', - 'http://example.com/request', - self.eg_params, - good_signature), - self.rsa_public_client.rsa_key)) - - for bad_signature in [ - '', - 'ZG9uJ3QgdHJ1c3QgbWUK', # random base64 encoded value - 'altérer', # value with a non-ASCII character in it - bad_signature_on_different_value, - bad_signature_produced_by_different_private_key, - ]: - self.assertFalse(verify_function( - MockRequest('POST', - 'http://example.com/request', - self.eg_params, - bad_signature), - self.rsa_public_client.rsa_key)) + self.assertRaises(ValueError, + verify_rsa_sha1, + MockRequest('POST', + 'http://example.com/request', + self.eg_params, + self.expected_signature_rsa_sha256), + self.rsa_public_client.rsa_key) - def test_rsa_bad_keys(self): + def test_sign_rsa_sha512_with_client(self): """ - Testing RSA sign and verify with bad key values produces errors. - - This test is useful for coverage tests, since it runs the code branches - that deal with error situations. + Test sign and verify with RSA-SHA512 throws an exception. """ - - # Signing needs a private key - - for bad_value in [None, '', 'foobar']: - self.assertRaises(ValueError, - sign_rsa_sha256_with_client, - self.eg_signature_base_string, - MockClient(rsa_key=bad_value)) - - self.assertRaises(AttributeError, - sign_rsa_sha256_with_client, + self.assertRaises(ValueError, + sign_rsa_sha512_with_client, self.eg_signature_base_string, - self.rsa_public_client) # public key doesn't sign - - # Verify needs a public key + self.rsa_private_client) - for bad_value in [None, '', 'foobar', self.rsa_private_client.rsa_key]: - self.assertRaises(TypeError, - verify_rsa_sha256, - MockRequest('POST', - 'http://example.com/request', - self.eg_params, - self.expected_signature_rsa_sha256), - MockClient(rsa_key=bad_value)) + self.assertRaises(ValueError, + verify_rsa_sha1, + MockRequest('POST', + 'http://example.com/request', + self.eg_params, + self.expected_signature_rsa_sha512), + self.rsa_public_client.rsa_key) - # For completeness, this text could repeat the above for RSA-SHA256 and - # RSA-SHA512 signing and verification functions. def test_rsa_jwt_algorithm_cache(self): # Tests cache of RSAAlgorithm objects is implemented correctly.