예제 #1
    def verify_sig(self, qs, sig, key, ignore_signature=False):
        """Check the signature that accompanies a Domain Connect query string.

        A signed request carries the domain and parameters plus two extra
        values: ``sig=`` (the signature) and ``key=`` (the name used to look
        up the public key). The signature covers the query string with the
        ``sig=`` and ``key=`` parameters removed, so ``qs`` must be passed in
        that stripped form.

        The public key is read from DNS at ``<key>.<syncPubKeyDomain>``, where
        ``syncPubKeyDomain`` comes from the template data.

        Returns None when the signature verifies. It also returns None when
        ``ignore_signature`` is true, in which case nothing is checked.

        Raises:
            InvalidSignature: if qs, sig or key is missing or empty, if no
                public key could be obtained, or if the signature does not
                match.
        """
        # Bypass switch: no key lookup and no verification happens. It should
        # only ever be set from trusted configuration, never from a value
        # taken out of the request being verified.
        if ignore_signature:
            return

        if not (qs and sig and key):
            raise InvalidSignature('Missing data for signature verification')

        # The zone comes from the template, not the request; only the
        # left-most part of the lookup name (key) is caller-supplied.
        pubkey_zone = self.data['syncPubKeyDomain']
        pubkey_host = key + '.' + pubkey_zone
        public_key = get_publickey(pubkey_host)

        if not public_key:
            raise InvalidSignature(
                'Unable to get public key for template/key from ' + pubkey_host)

        signature_ok = verify_sig(public_key, sig, qs)
        if not signature_ok:
            raise InvalidSignature('Signature not valid')
예제 #2
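    def VerifySig(self, qs, sig, key):
        """Verify the signature of a query string against the template's key.

        The public key is fetched with ``sigutil.get_publickey`` from the
        host ``<key>.<syncPubKeyDomain>``, where ``syncPubKeyDomain`` is read
        from the template's JSON data. ``sigutil.verify_sig`` then checks
        ``sig`` over ``qs``.

        Returns None on success.

        Raises:
            InvalidSignature: if qs, sig or key is missing or empty, if no
                public key could be obtained, or if the signature does not
                match.
        """
        # Fail closed with the module's own exception when any input is
        # absent. Without this guard a missing key raises TypeError in the
        # string concatenation below instead of InvalidSignature.
        if not qs or not sig or not key:
            raise InvalidSignature('Missing data for signature verification')

        syncPubKeyDomain = self.jsonData['syncPubKeyDomain']
        pubKey = sigutil.get_publickey(key + '.' + syncPubKeyDomain)

        if not pubKey:
            raise InvalidSignature('Unable to get public key for template/key')

        if not sigutil.verify_sig(pubKey, sig, qs):
            raise InvalidSignature('Signature not valid')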
예제 #3
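def sig_verify_url():
    """Render the signature-check page for a full signed URL posted by form.

    Reads ``url`` and ``domain`` from the form, splits the URL's query string
    into the signature (``sig=``), the key name (``key=``) and the remaining
    parameters (rejoined in their original order as the signed data), looks
    up the public key at ``<key>.<domain>`` and reports whether the signature
    verifies.

    This is a diagnostic view: both the domain and the key name come from the
    form, so a positive result only says the signature matches the key found
    at that name. Lookup and verification failures are reported as
    "not verified" rather than raised.
    """
    # Function-scope import so that urllib.parse is guaranteed to be loaded;
    # the original called the module object itself (urllib.parse(url)) and
    # urllib.unquote, neither of which exists in Python 3.
    from urllib.parse import unquote, urlparse

    # This only works for the hosting website over the supported protocol
    host_ok = request.headers['Host'] == config.hosting_website
    scheme_ok = request.urlparts.scheme == config.protocol
    if not (host_ok and scheme_ok):
        return abort(404)

    # Get the domain/message and validate. A missing url field is treated as
    # an empty URL so the page renders a "not verified" result.
    url = request.forms.get('url') or ''
    domain = request.forms.get('domain')

    params = urlparse(url).query.split('&')
    sig = None
    key = None
    qs = None
    for param in params:
        if param.startswith('sig='):
            # unquote (not unquote_plus): a '+' in the value is kept as-is.
            sig = unquote(param[4:])
        elif param.startswith('key='):
            key = unquote(param[4:])
        else:
            # Everything else is signed data; keep it undecoded and in order.
            if not qs:
                qs = param
            else:
                qs = qs + '&' + param

    try:
        pub, record_strings = sigutil.get_publickey(key + "." + domain)
        pub = '-----BEGIN PUBLIC KEY-----\n' + pub + '\n-----END PUBLIC KEY-----\n'
    except Exception:
        # Best effort: a missing key/domain or a failed lookup means no key.
        pub = None
        record_strings = []

    try:
        verified = sigutil.verify_sig(pub, sig, qs)
    except Exception:
        # Any verification error counts as "not verified" (fail closed).
        verified = False

    # NOTE(review): every value below originates from the form or from DNS;
    # confirm that sig_verify.tpl escapes them on output.
    return template(
        'sig_verify.tpl', {
            'domain': domain,
            'key': key,
            'sig': sig,
            'qs': qs,
            'verified': verified,
            'pubKey': pub,
            'record_strings': record_strings
        })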
예제 #4
    def VerifySig(self, qs, sig, key, ignoreSignature=False):
        """Verify the signature of a query string against the template's key.

        The public key is fetched with ``sigutil.get_publickey`` from the
        host ``<key>.<syncPubKeyDomain>``, with ``syncPubKeyDomain`` read from
        the template's JSON data. ``sigutil.verify_sig`` then checks ``sig``
        over ``qs``.

        Returns None on success. It also returns None when
        ``ignoreSignature`` is true, in which case nothing is checked.

        Raises:
            InvalidSignature: if qs, sig or key is missing or empty, if no
                public key could be obtained, or if the signature does not
                match.
        """
        # Bypass switch: skips the key lookup and the check entirely. It
        # should be driven by trusted configuration only, never by the
        # request that is being verified.
        if ignoreSignature:
            return

        if not (qs and sig and key):
            raise InvalidSignature('Missing data for signature verification')

        # Zone comes from the template; only the key label is caller-supplied.
        keyZone = self.jsonData['syncPubKeyDomain']
        keyHost = key + '.' + keyZone
        publicKey = sigutil.get_publickey(keyHost)

        if not publicKey:
            raise InvalidSignature(
                'Unable to get public key for template/key from ' + keyHost)

        signatureOk = sigutil.verify_sig(publicKey, sig, qs)
        if not signatureOk:
            raise InvalidSignature('Signature not valid')
예제 #5
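def sig_verify():
    """Render the signature-check page for form-supplied signature parts.

    Reads ``domain``, ``key``, ``publickey``, ``sig`` and ``qs`` from the
    form. When a public key is supplied it is used directly, after literal
    ``\\n`` sequences and spaces are stripped and PEM armour is added.
    Otherwise the key is looked up at ``<key>.<domain>``. The page then
    reports whether ``sig`` verifies over ``qs``.

    This is a diagnostic view. With a form-supplied public key no DNS lookup
    is made, so a positive result only says the signature matches the key
    that was submitted. It does not show that the key is published for the
    domain. Lookup and verification failures are reported as "not verified"
    rather than raised.
    """
    # This only works for the hosting website over the supported protocol
    host_ok = request.headers['Host'] == config.hosting_website
    scheme_ok = request.urlparts.scheme == config.protocol
    if not (host_ok and scheme_ok):
        return abort(404)

    # Get the domain/message and validate
    domain = request.forms.get('domain')
    key = request.forms.get('key')
    sig = request.forms.get('sig')
    qs = request.forms.get('qs')
    pub = request.forms.get('publickey')
    record_strings = []

    if pub:
        # Normalise a pasted key body: drop literal "\n" sequences and
        # spaces, then wrap it as a PEM public key.
        pub = pub.replace('\\n', '').replace(' ', '')
        pub = '-----BEGIN PUBLIC KEY-----\n' + pub + '\n-----END PUBLIC KEY-----\n'
    else:
        try:
            pub, record_strings = sigutil.get_publickey(key + "." + domain)
            pub = '-----BEGIN PUBLIC KEY-----\n' + pub + '\n-----END PUBLIC KEY-----\n'
        except Exception:
            # Best effort: a missing key/domain or a failed lookup means no
            # key. Narrowed from a bare except so that SystemExit and
            # KeyboardInterrupt are no longer swallowed.
            pub = None
            record_strings = []

    try:
        verified = sigutil.verify_sig(pub, sig, qs)
    except Exception:
        # Any verification error counts as "not verified" (fail closed).
        verified = False

    # NOTE(review): every value below originates from the form or from DNS;
    # confirm that sig_verify.tpl escapes them on output.
    return template(
        'sig_verify.tpl', {
            'domain': domain,
            'key': key,
            'sig': sig,
            'qs': qs,
            'verified': verified,
            'pubKey': pub,
            'record_strings': record_strings
        })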