From 3ba14ec410db398c0acc87c9ac81a2cbf6705c57 Mon Sep 17 00:00:00 2001 From: "Sebastien Rosset (serosset)" Date: Mon, 13 Apr 2020 21:22:29 -0700 Subject: [PATCH 1/8] Use DER encoding for ECDSA signatures --- .../resources/python/python-experimental/signing.mustache | 4 +++- .../petstore/python-experimental/petstore_api/signing.py | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache index f52feb8f12a8..9521544d8dc6 100644 --- a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache +++ b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache @@ -340,7 +340,9 @@ class HttpSigningConfiguration(object): if sig_alg is None: sig_alg = ALGORITHM_ECDSA_MODE_FIPS_186_3 if sig_alg in ALGORITHM_ECDSA_KEY_SIGNING_ALGORITHMS: - signature = DSS.new(self.private_key, sig_alg).sign(digest) + # draft-ietf-httpbis-message-signatures-00 does not specify the ECDSA encoding. + # Issue: https://github.com/w3c-ccg/http-signatures/issues/107 + signature = DSS.new(key=self.private_key, mode=sig_alg, encoding='der').sign(digest) else: raise Exception("Unsupported signature algorithm: {0}".format(sig_alg)) else: diff --git a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py index bce994648838..d3e05a83b0cb 100644 --- a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py +++ b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py 
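Review bot: The ECDSA branch of `_sign_digest` now hard-codes `encoding='der'`, and only the two-line comment at the call site tells a reader which wire format the signature has. A verifier that expects the fixed-length `r || s` concatenation will reject every DER-encoded signature, and the failure will look like a bad key or bad signature rather than an encoding mismatch. Since the comment itself says the draft leaves the encoding unspecified, I would record the choice in the `signing_algorithm` parameter documentation, e.g. `ECDSA signatures are ASN.1 DER encoded (not raw r||s); the verifying server must use the same encoding.` The body of `_sign_digest` starts and ends outside this hunk, and the same applies to the generated `petstore_api/signing.py` hunk that follows.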
@@ -348,7 +348,9 @@ def _sign_digest(self, digest): if sig_alg is None: sig_alg = ALGORITHM_ECDSA_MODE_FIPS_186_3 if sig_alg in ALGORITHM_ECDSA_KEY_SIGNING_ALGORITHMS: - signature = DSS.new(self.private_key, sig_alg).sign(digest) + # draft-ietf-httpbis-message-signatures-00 does not specify the ECDSA encoding. + # Issue: https://github.com/w3c-ccg/http-signatures/issues/107 + signature = DSS.new(key=self.private_key, mode=sig_alg, encoding='der').sign(digest) else: raise Exception("Unsupported signature algorithm: {0}".format(sig_alg)) else: From 5df82b8f3227002c5b9612ece28fb507432b1b69 Mon Sep 17 00:00:00 2001 From: "Sebastien Rosset (serosset)" Date: Mon, 13 Apr 2020 22:05:42 -0700 Subject: [PATCH 2/8] Use DER encoding for ECDSA signatures --- .../python-experimental/tests/test_http_signature.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py b/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py index 0ef089cfff51..909148aae904 100644 --- a/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py +++ b/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py @@ -295,7 +295,7 @@ def test_valid_http_signature(self): headers={'Content-Type': r'application/json', 'Authorization': r'Signature keyId="my-key-id",algorithm="hs2019",created=[0-9]+,' r'headers="\(request-target\) \(created\) host date digest content-type",' - r'signature="[a-zA-Z0-9+/]+="', + r'signature="[a-zA-Z0-9+/=]+"', 'User-Agent': r'OpenAPI-Generator/1.0.0/python'}, preload_content=True, timeout=None) 
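Review bot: The new pattern `signature="[a-zA-Z0-9+/=]+"` accepts `=` at any position, although base64 padding can only be zero, one or two trailing `=` characters, so the expectation is now looser than the value it is meant to describe. `r'signature="[a-zA-Z0-9+/]+={0,2}"'` covers DER signatures of any length while still rejecting padding in the middle of the value. The same line is changed in the hunks at -326, -362, -398 and -433 of this file. How the harness applies these patterns (search or full match) is not visible in the hunks.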
@@ -326,7 +326,7 @@ def test_valid_http_signature_with_defaults(self): headers={'Content-Type': r'application/json', 'Authorization': r'Signature keyId="my-key-id",algorithm="hs2019",created=[0-9]+,' r'headers="\(created\)",' - r'signature="[a-zA-Z0-9+/]+="', + r'signature="[a-zA-Z0-9+/=]+"', 'User-Agent': r'OpenAPI-Generator/1.0.0/python'}, preload_content=True, timeout=None) @@ -362,7 +362,7 @@ def test_valid_http_signature_rsassa_pkcs1v15(self): headers={'Content-Type': r'application/json', 'Authorization': r'Signature keyId="my-key-id",algorithm="hs2019",created=[0-9]+,' r'headers="\(request-target\) \(created\)",' - r'signature="[a-zA-Z0-9+/]+="', + r'signature="[a-zA-Z0-9+/=]+"', 'User-Agent': r'OpenAPI-Generator/1.0.0/python'}, preload_content=True, timeout=None) @@ -398,7 +398,7 @@ def test_valid_http_signature_rsassa_pss(self): headers={'Content-Type': r'application/json', 'Authorization': r'Signature keyId="my-key-id",algorithm="hs2019",created=[0-9]+,' r'headers="\(request-target\) \(created\)",' - r'signature="[a-zA-Z0-9+/]+="', + r'signature="[a-zA-Z0-9+/=]+"', 'User-Agent': r'OpenAPI-Generator/1.0.0/python'}, preload_content=True, timeout=None) @@ -433,7 +433,7 @@ def test_valid_http_signature_ec_p521(self): headers={'Content-Type': r'application/json', 'Authorization': r'Signature keyId="my-key-id",algorithm="hs2019",created=[0-9]+,' r'headers="\(request-target\) \(created\)",' - r'signature="[a-zA-Z0-9+/]+"', + r'signature="[a-zA-Z0-9+/=]+"', 'User-Agent': r'OpenAPI-Generator/1.0.0/python'}, preload_content=True, timeout=None) From 23e28102fa5c427aedff4264af9223a79998ea2b Mon Sep 17 00:00:00 2001 From: "Sebastien Rosset (serosset)" Date: Tue, 14 Apr 2020 12:30:53 -0700 Subject: [PATCH 3/8] Use DER encoding for ECDSA signatures --- .../python-experimental/signing.mustache | 42 ++++++++++++++++--- .../petstore_api/signing.py | 42 ++++++++++++++++--- 2 files changed, 72 insertions(+), 12 deletions(-) 
diff --git a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache index 9521544d8dc6..2688a07013bd 100644 --- a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache +++ b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache @@ -53,6 +53,11 @@ ALGORITHM_ECDSA_KEY_SIGNING_ALGORITHMS = { ALGORITHM_ECDSA_MODE_DETERMINISTIC_RFC6979 } +# The cryptographic hash algorithm for the message signature. +HASH_SHA256 = 'sha256' +HASH_SHA512 = 'sha512' + + class HttpSigningConfiguration(object): """The configuration parameters for the HTTP signature security scheme. @@ -98,9 +103,15 @@ class HttpSigningConfiguration(object): Supported values are: 1. For RSA keys: RSASSA-PSS, RSASSA-PKCS1-v1_5. 2. For ECDSA keys: fips-186-3, deterministic-rfc6979. - The default value is inferred from the private key. - The default value for RSA keys is RSASSA-PSS. - The default value for ECDSA keys is fips-186-3. + If None, the signing algorithm is inferred from the private key. + The default signing algorithm for RSA keys is RSASSA-PSS. + The default signing algorithm for ECDSA keys is fips-186-3. + :param hash_algorithm: The hash algorithm for the signature. Supported values are + sha256 and sha512. + If the signing_scheme is rsa-sha256, the hash algorithm must be set + to None or sha256. + If the signing_scheme is rsa-sha512, the hash algorithm must be set + to None or sha512. :param signature_max_validity: The signature max validity, expressed as a datetime.timedelta value. It must be a positive value. """ @@ -108,6 +119,7 @@ class HttpSigningConfiguration(object): private_key_passphrase=None, signed_headers=None, signing_algorithm=None, + hash_algorithm=None, signature_max_validity=None): self.key_id = key_id if signing_scheme not in {SCHEME_HS2019, SCHEME_RSA_SHA256, SCHEME_RSA_SHA512}: 
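Review bot: `hash_algorithm=None` is inserted ahead of `signature_max_validity=None` in the `__init__` parameter list, which shifts the position of an existing parameter. A caller that passes `signature_max_validity` positionally would have its timedelta taken as the hash algorithm and fail the new validation with a message about hashes. Appending the new keyword after `signature_max_validity=None` avoids the break. The signature starts outside the hunk, and the generated `petstore_api/signing.py` carries the same change.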
@@ -118,6 +130,24 @@ class HttpSigningConfiguration(object): self.private_key_path = private_key_path self.private_key_passphrase = private_key_passphrase self.signing_algorithm = signing_algorithm + self.hash_algorithm = hash_algorithm + if signing_scheme == SCHEME_RSA_SHA256: + if self.hash_algorithm == None: + self.hash_algorithm = HASH_SHA256 + elif self.hash_algorithm != HASH_SHA256: + raise Exception("Hash algorithm must be sha256 when security scheme is %s" % + SCHEME_RSA_SHA256) + elif signing_scheme == SCHEME_RSA_SHA512: + if self.hash_algorithm == None: + self.hash_algorithm = HASH_SHA512 + elif self.hash_algorithm != HASH_SHA512: + raise Exception("Hash algorithm must be sha512 when security scheme is %s" % + SCHEME_RSA_SHA512) + elif signing_scheme == SCHEME_HS2019: + if self.hash_algorithm == None: + self.hash_algorithm = HASH_SHA256 + elif self.hash_algorithm not in {HASH_SHA256, HASH_SHA512}: + raise Exception("Invalid hash algorithm") if signature_max_validity is not None and signature_max_validity.total_seconds() < 0: raise Exception("The signature max validity must be a positive value") self.signature_max_validity = signature_max_validity @@ -309,14 +339,14 @@ class HttpSigningConfiguration(object): The prefix is a string that identifies the cryptographc hash. It is used to generate the 'Digest' header as specified in RFC 3230. """ - if self.signing_scheme in {SCHEME_RSA_SHA512, SCHEME_HS2019}: + if self.hash_algorithm == HASH_SHA512: digest = SHA512.new() prefix = 'SHA-512=' - elif self.signing_scheme == SCHEME_RSA_SHA256: + elif self.hash_algorithm == HASH_SHA256: digest = SHA256.new() prefix = 'SHA-256=' else: - raise Exception("Unsupported signing algorithm: {0}".format(self.signing_scheme)) + raise Exception("Unsupported hash algorithm: {0}".format(self.hash_algorithm)) digest.update(data) return digest, prefix 
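Review bot: With `hash_algorithm` left at None, an `hs2019` configuration now resolves to `HASH_SHA256`, whereas the branch removed from `_get_message_digest` in this same commit hashed `hs2019` with SHA-512. Existing callers that do not pass the new argument will therefore start producing SHA-256 digests and signatures, which a server that only accepts SHA-512 for this key would reject. If the change is intended, the `hash_algorithm` docstring should state the `hs2019` default (it only covers the two rsa schemes); otherwise use `self.hash_algorithm = HASH_SHA512` in the `SCHEME_HS2019` branch. Separately, `raise Exception("Invalid hash algorithm")` would be easier to diagnose as `raise Exception("Invalid hash algorithm: {0}".format(self.hash_algorithm))`. `__init__` continues outside the hunk.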
diff --git a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py index d3e05a83b0cb..e77eb05af740 100644 --- a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py +++ b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py @@ -61,6 +61,11 @@ ALGORITHM_ECDSA_MODE_DETERMINISTIC_RFC6979 } +# The cryptographic hash algorithm for the message signature. +HASH_SHA256 = 'sha256' +HASH_SHA512 = 'sha512' + + class HttpSigningConfiguration(object): """The configuration parameters for the HTTP signature security scheme. @@ -106,9 +111,15 @@ class HttpSigningConfiguration(object): Supported values are: 1. For RSA keys: RSASSA-PSS, RSASSA-PKCS1-v1_5. 2. For ECDSA keys: fips-186-3, deterministic-rfc6979. - The default value is inferred from the private key. - The default value for RSA keys is RSASSA-PSS. - The default value for ECDSA keys is fips-186-3. + If None, the signing algorithm is inferred from the private key. + The default signing algorithm for RSA keys is RSASSA-PSS. + The default signing algorithm for ECDSA keys is fips-186-3. + :param hash_algorithm: The hash algorithm for the signature. Supported values are + sha256 and sha512. + If the signing_scheme is rsa-sha256, the hash algorithm must be set + to None or sha256. + If the signing_scheme is rsa-sha512, the hash algorithm must be set + to None or sha512. :param signature_max_validity: The signature max validity, expressed as a datetime.timedelta value. It must be a positive value. """ @@ -116,6 +127,7 @@ def __init__(self, key_id, signing_scheme, private_key_path, private_key_passphrase=None, signed_headers=None, signing_algorithm=None, + hash_algorithm=None, signature_max_validity=None): self.key_id = key_id if signing_scheme not in {SCHEME_HS2019, SCHEME_RSA_SHA256, SCHEME_RSA_SHA512}: 
@@ -126,6 +138,24 @@ def __init__(self, key_id, signing_scheme, private_key_path, self.private_key_path = private_key_path self.private_key_passphrase = private_key_passphrase self.signing_algorithm = signing_algorithm + self.hash_algorithm = hash_algorithm + if signing_scheme == SCHEME_RSA_SHA256: + if self.hash_algorithm == None: + self.hash_algorithm = HASH_SHA256 + elif self.hash_algorithm != HASH_SHA256: + raise Exception("Hash algorithm must be sha256 when security scheme is %s" % + SCHEME_RSA_SHA256) + elif signing_scheme == SCHEME_RSA_SHA512: + if self.hash_algorithm == None: + self.hash_algorithm = HASH_SHA512 + elif self.hash_algorithm != HASH_SHA512: + raise Exception("Hash algorithm must be sha512 when security scheme is %s" % + SCHEME_RSA_SHA512) + elif signing_scheme == SCHEME_HS2019: + if self.hash_algorithm == None: + self.hash_algorithm = HASH_SHA256 + elif self.hash_algorithm not in {HASH_SHA256, HASH_SHA512}: + raise Exception("Invalid hash algorithm") if signature_max_validity is not None and signature_max_validity.total_seconds() < 0: raise Exception("The signature max validity must be a positive value") self.signature_max_validity = signature_max_validity @@ -317,14 +347,14 @@ def _get_message_digest(self, data): The prefix is a string that identifies the cryptographc hash. It is used to generate the 'Digest' header as specified in RFC 3230. """ - if self.signing_scheme in {SCHEME_RSA_SHA512, SCHEME_HS2019}: + if self.hash_algorithm == HASH_SHA512: digest = SHA512.new() prefix = 'SHA-512=' - elif self.signing_scheme == SCHEME_RSA_SHA256: + elif self.hash_algorithm == HASH_SHA256: digest = SHA256.new() prefix = 'SHA-256=' else: - raise Exception("Unsupported signing algorithm: {0}".format(self.signing_scheme)) + raise Exception("Unsupported hash algorithm: {0}".format(self.hash_algorithm)) digest.update(data) return digest, prefix From 978df0172683bcb00880b654fed96af597498bb8 Mon Sep 17 00:00:00 2001 
From: "Sebastien Rosset (serosset)" Date: Tue, 14 Apr 2020 13:14:53 -0700 Subject: [PATCH 4/8] Use DER encoding for ECDSA signatures --- .../resources/python/python-experimental/signing.mustache | 6 +++--- .../petstore/python-experimental/petstore_api/signing.py | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache index 2688a07013bd..277eff6b8727 100644 --- a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache +++ b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache @@ -132,19 +132,19 @@ class HttpSigningConfiguration(object): self.signing_algorithm = signing_algorithm self.hash_algorithm = hash_algorithm if signing_scheme == SCHEME_RSA_SHA256: - if self.hash_algorithm == None: + if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA256 elif self.hash_algorithm != HASH_SHA256: raise Exception("Hash algorithm must be sha256 when security scheme is %s" % SCHEME_RSA_SHA256) elif signing_scheme == SCHEME_RSA_SHA512: - if self.hash_algorithm == None: + if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA512 elif self.hash_algorithm != HASH_SHA512: raise Exception("Hash algorithm must be sha512 when security scheme is %s" % SCHEME_RSA_SHA512) elif signing_scheme == SCHEME_HS2019: - if self.hash_algorithm == None: + if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA256 elif self.hash_algorithm not in {HASH_SHA256, HASH_SHA512}: raise Exception("Invalid hash algorithm") diff --git a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py index e77eb05af740..ece9d7b240e7 100644 --- a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py 
+++ b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py @@ -140,19 +140,19 @@ def __init__(self, key_id, signing_scheme, private_key_path, self.signing_algorithm = signing_algorithm self.hash_algorithm = hash_algorithm if signing_scheme == SCHEME_RSA_SHA256: - if self.hash_algorithm == None: + if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA256 elif self.hash_algorithm != HASH_SHA256: raise Exception("Hash algorithm must be sha256 when security scheme is %s" % SCHEME_RSA_SHA256) elif signing_scheme == SCHEME_RSA_SHA512: - if self.hash_algorithm == None: + if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA512 elif self.hash_algorithm != HASH_SHA512: raise Exception("Hash algorithm must be sha512 when security scheme is %s" % SCHEME_RSA_SHA512) elif signing_scheme == SCHEME_HS2019: - if self.hash_algorithm == None: + if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA256 elif self.hash_algorithm not in {HASH_SHA256, HASH_SHA512}: raise Exception("Invalid hash algorithm") From c7c8ef48cf3a82a906e76215f5a2c6ba29c50034 Mon Sep 17 00:00:00 2001 From: "Sebastien Rosset (serosset)" Date: Tue, 14 Apr 2020 15:56:50 -0700 Subject: [PATCH 5/8] fix python unit tests for http message signature --- .../tests/test_http_signature.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py b/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py index 909148aae904..424f8883fa39 100644 --- a/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py +++ b/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py 
@@ -151,9 +151,9 @@ def _validate_authorization_header(self, request_target, actual_headers, authori "{0}: {1}".format(key.lower(), value) for key, value in signed_headers_list] string_to_sign = "\n".join(header_items) digest = None - if self.signing_cfg.signing_scheme in {signing.SCHEME_RSA_SHA512, signing.SCHEME_HS2019}: + if self.signing_cfg.hash_algorithm == signing.HASH_SHA512: digest = SHA512.new() - elif self.signing_cfg.signing_scheme == signing.SCHEME_RSA_SHA256: + elif self.signing_cfg.hash_algorithm == signing.HASH_SHA256: digest = SHA256.new() else: self._tc.fail("Unsupported signature scheme: {0}".format(self.signing_cfg.signing_scheme)) @@ -165,7 +165,7 @@ def _validate_authorization_header(self, request_target, actual_headers, authori m2 = r2.search(authorization_header) self._tc.assertIsNotNone(m2) b64_signature = m2.group(1) - signature = base64.b64decode(b64_signature) + signature = base64.b64decode(b64_signature, validate=True) # Build the message signing_alg = self.signing_cfg.signing_algorithm if signing_alg is None: @@ -182,10 +182,12 @@ def _validate_authorization_header(self, request_target, actual_headers, authori elif signing_alg == signing.ALGORITHM_RSASSA_PSS: pss.new(self.pubkey).verify(digest, signature) elif signing_alg == signing.ALGORITHM_ECDSA_MODE_FIPS_186_3: - verifier = DSS.new(self.pubkey, signing.ALGORITHM_ECDSA_MODE_FIPS_186_3) + verifier = DSS.new(key=self.pubkey, mode=signing.ALGORITHM_ECDSA_MODE_FIPS_186_3, + encoding='der') verifier.verify(digest, signature) elif signing_alg == signing.ALGORITHM_ECDSA_MODE_DETERMINISTIC_RFC6979: - verifier = DSS.new(self.pubkey, signing.ALGORITHM_ECDSA_MODE_DETERMINISTIC_RFC6979) + verifier = DSS.new(key=self.pubkey, mode=signing.ALGORITHM_ECDSA_MODE_DETERMINISTIC_RFC6979, + encoding='der') verifier.verify(digest, signature) else: self._tc.fail("Unsupported signing algorithm: {0}".format(signing_alg)) 
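Review bot: The two ECDSA branches in the -182 hunk of `_validate_authorization_header` are identical apart from the mode constant each one repeats, and both now have to be kept in step with the signer's `encoding='der'`. Folding them into `elif signing_alg in signing.ALGORITHM_ECDSA_KEY_SIGNING_ALGORITHMS:` followed by `DSS.new(key=self.pubkey, mode=signing_alg, encoding='der').verify(digest, signature)` leaves a single place to change if the encoding is ever made configurable. The function starts and ends outside the hunk.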
@@ -411,6 +413,7 @@ def test_valid_http_signature_ec_p521(self): signing_scheme=signing.SCHEME_HS2019, private_key_path=privkey_path, private_key_passphrase=self.private_key_passphrase, + hash_algorithm=signing.HASH_SHA512, signed_headers=[ signing.HEADER_REQUEST_TARGET, signing.HEADER_CREATED, From 6cbc24aec17bf7ba66291a339211082f53c9624c Mon Sep 17 00:00:00 2001 From: "Sebastien Rosset (serosset)" Date: Tue, 14 Apr 2020 18:52:45 -0700 Subject: [PATCH 6/8] Fix error message --- .../petstore/python-experimental/tests/test_http_signature.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py b/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py index 424f8883fa39..9864cf1a2139 100644 --- a/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py +++ b/samples/openapi3/client/petstore/python-experimental/tests/test_http_signature.py @@ -156,7 +156,7 @@ def _validate_authorization_header(self, request_target, actual_headers, authori elif self.signing_cfg.hash_algorithm == signing.HASH_SHA256: digest = SHA256.new() else: - self._tc.fail("Unsupported signature scheme: {0}".format(self.signing_cfg.signing_scheme)) + self._tc.fail("Unsupported hash algorithm: {0}".format(self.signing_cfg.hash_algorithm)) digest.update(string_to_sign.encode()) b64_body_digest = base64.b64encode(digest.digest()).decode() @@ -165,7 +165,7 @@ def _validate_authorization_header(self, request_target, actual_headers, authori m2 = r2.search(authorization_header) self._tc.assertIsNotNone(m2) b64_signature = m2.group(1) - signature = base64.b64decode(b64_signature, validate=True) + signature = base64.b64decode(b64_signature) # Build the message signing_alg = self.signing_cfg.signing_algorithm if signing_alg is None: From d22990f69b850971b1172cbba09a36e5d090a168 Mon Sep 17 00:00:00 2001 
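Review bot: `test_valid_http_signature_ec_p521` is the only test in the visible hunks that passes the new `hash_algorithm` argument, and it passes a valid value. The rejection paths added to `__init__` (`rsa-sha256` with `sha512`, `rsa-sha512` with `sha256`, an unknown value under `hs2019`) and the `hs2019` default are not exercised here. A short test asserting that `signing.HttpSigningConfiguration(...)` raises for a mismatched scheme and hash pair would pin the validation. The test body continues outside the hunk.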
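Review bot: Dropping `validate=True` from `base64.b64decode(b64_signature)` restores lenient decoding, in which characters outside the base64 alphabet are silently discarded, so the test can no longer tell a well-formed signature value from one carrying stray characters. The commit subject is "Fix error message" and gives no reason for this revert. If strict decoding failed on some run, that points at the captured group or at the emitted header and is worth understanding; otherwise keep `signature = base64.b64decode(b64_signature, validate=True)`. The enclosing `_validate_authorization_header` starts and ends outside the hunk.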
From: "Sebastien Rosset (serosset)" Date: Wed, 15 Apr 2020 07:29:06 -0700 Subject: [PATCH 7/8] format python code --- .../resources/python/python-experimental/signing.mustache | 8 ++++---- .../petstore/python-experimental/petstore_api/signing.py | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache index 277eff6b8727..2668979a9a89 100644 --- a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache +++ b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache @@ -58,7 +58,6 @@ HASH_SHA256 = 'sha256' HASH_SHA512 = 'sha512' - class HttpSigningConfiguration(object): """The configuration parameters for the HTTP signature security scheme. The HTTP signature security scheme is used to sign HTTP requests with a private key @@ -136,13 +135,13 @@ class HttpSigningConfiguration(object): self.hash_algorithm = HASH_SHA256 elif self.hash_algorithm != HASH_SHA256: raise Exception("Hash algorithm must be sha256 when security scheme is %s" % - SCHEME_RSA_SHA256) + SCHEME_RSA_SHA256) elif signing_scheme == SCHEME_RSA_SHA512: if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA512 elif self.hash_algorithm != HASH_SHA512: raise Exception("Hash algorithm must be sha512 when security scheme is %s" % - SCHEME_RSA_SHA512) + SCHEME_RSA_SHA512) elif signing_scheme == SCHEME_HS2019: if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA256 
@@ -372,7 +371,8 @@ class HttpSigningConfiguration(object): if sig_alg in ALGORITHM_ECDSA_KEY_SIGNING_ALGORITHMS: # draft-ietf-httpbis-message-signatures-00 does not specify the ECDSA encoding. # Issue: https://github.com/w3c-ccg/http-signatures/issues/107 - signature = DSS.new(key=self.private_key, mode=sig_alg, encoding='der').sign(digest) + signature = DSS.new(key=self.private_key, mode=sig_alg, + encoding='der').sign(digest) else: raise Exception("Unsupported signature algorithm: {0}".format(sig_alg)) else: diff --git a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py index ece9d7b240e7..f26bc0b37769 100644 --- a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py +++ b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py @@ -66,7 +66,6 @@ HASH_SHA512 = 'sha512' - class HttpSigningConfiguration(object): """The configuration parameters for the HTTP signature security scheme. The HTTP signature security scheme is used to sign HTTP requests with a private key @@ -144,13 +143,13 @@ def __init__(self, key_id, signing_scheme, private_key_path, self.hash_algorithm = HASH_SHA256 elif self.hash_algorithm != HASH_SHA256: raise Exception("Hash algorithm must be sha256 when security scheme is %s" % - SCHEME_RSA_SHA256) + SCHEME_RSA_SHA256) elif signing_scheme == SCHEME_RSA_SHA512: if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA512 elif self.hash_algorithm != HASH_SHA512: raise Exception("Hash algorithm must be sha512 when security scheme is %s" % - SCHEME_RSA_SHA512) + SCHEME_RSA_SHA512) elif signing_scheme == SCHEME_HS2019: if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA256 
@@ -380,7 +379,8 @@ def _sign_digest(self, digest): if sig_alg in ALGORITHM_ECDSA_KEY_SIGNING_ALGORITHMS: # draft-ietf-httpbis-message-signatures-00 does not specify the ECDSA encoding. # Issue: https://github.com/w3c-ccg/http-signatures/issues/107 - signature = DSS.new(key=self.private_key, mode=sig_alg, encoding='der').sign(digest) + signature = DSS.new(key=self.private_key, mode=sig_alg, + encoding='der').sign(digest) else: raise Exception("Unsupported signature algorithm: {0}".format(sig_alg)) else: From a7bd6bab2866a850b32dcad5a7efd2f1c5917a59 Mon Sep 17 00:00:00 2001 From: "Sebastien Rosset (serosset)" Date: Wed, 15 Apr 2020 08:19:17 -0700 Subject: [PATCH 8/8] format python code --- .../resources/python/python-experimental/signing.mustache | 4 ++-- .../petstore/python-experimental/petstore_api/signing.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache index 2668979a9a89..0be0e1c46795 100644 --- a/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache +++ b/modules/openapi-generator/src/main/resources/python/python-experimental/signing.mustache @@ -135,13 +135,13 @@ class HttpSigningConfiguration(object): self.hash_algorithm = HASH_SHA256 elif self.hash_algorithm != HASH_SHA256: raise Exception("Hash algorithm must be sha256 when security scheme is %s" % - SCHEME_RSA_SHA256) + SCHEME_RSA_SHA256) elif signing_scheme == SCHEME_RSA_SHA512: if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA512 elif self.hash_algorithm != HASH_SHA512: raise Exception("Hash algorithm must be sha512 when security scheme is %s" % - SCHEME_RSA_SHA512) + SCHEME_RSA_SHA512) elif signing_scheme == SCHEME_HS2019: if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA256 
diff --git a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py index f26bc0b37769..0c361e5ed4d9 100644 --- a/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py +++ b/samples/openapi3/client/petstore/python-experimental/petstore_api/signing.py @@ -143,13 +143,13 @@ def __init__(self, key_id, signing_scheme, private_key_path, self.hash_algorithm = HASH_SHA256 elif self.hash_algorithm != HASH_SHA256: raise Exception("Hash algorithm must be sha256 when security scheme is %s" % - SCHEME_RSA_SHA256) + SCHEME_RSA_SHA256) elif signing_scheme == SCHEME_RSA_SHA512: if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA512 elif self.hash_algorithm != HASH_SHA512: raise Exception("Hash algorithm must be sha512 when security scheme is %s" % - SCHEME_RSA_SHA512) + SCHEME_RSA_SHA512) elif signing_scheme == SCHEME_HS2019: if self.hash_algorithm is None: self.hash_algorithm = HASH_SHA256