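def trusted_params(uri):
    """Verify the signature of a third-party-provider URI and return its params.

    Walk through a URI, look up the set of DNSKEYs for the originating
    third-party provider domain (the ``source`` query parameter, through a
    DNSSEC-validated ``_tpda`` TXT record) and check the URI's ``signature``
    query parameter against the keys found.  If one key verifies the
    signature, return ``params(uri)`` for the signed part of the URI;
    otherwise raise.

    /!\\ Callers MUST use the returned value, as the signature only covers
    everything *before* the ``&signature=`` part of the URI.

    Args:
        uri: the full URI, ending with ``&signature=<url-encoded base64>``.

    Returns:
        Whatever ``params(uri)`` returns for the signed part of the URI.

    Raises:
        exceptions.IncompleteURI: not exactly one ``&signature=`` part, no
            query string, a non-ASCII URI, or an undecodable ``signature``
            or ``expires`` value.
        exceptions.Expired: the ``expires`` timestamp is in the past (UTC).
        exceptions.NoTPDA: no ``_tpda`` TXT record was found for ``source``.
        exceptions.NoSignatureMatch: no published key verifies the signature.
    """
    # Split off the signature; exactly one '&signature=' part is expected,
    # so any other split count means the URI is incomplete.
    try:
        uri, sig = uri.split('&signature=')
    except ValueError:
        raise exceptions.IncompleteURI
    # Decode once, up front: a signature that is not valid base64 can never
    # verify, and rejecting it here avoids a DNS lookup for garbage input.
    # (binascii.Error is a ValueError subclass.)
    try:
        raw_sig = base64.b64decode(parse.unquote(sig))
    except ValueError:
        raise exceptions.IncompleteURI
    pr = parse.urlparse(uri)
    if not pr.query:
        raise exceptions.IncompleteURI
    expires = _qsl_get_one(pr.query, 'expires')
    # A malformed 'expires' value is an incomplete URI rather than a crash.
    # TypeError is caught too in case _qsl_get_one yields None for a missing
    # key — confirm against its implementation.
    try:
        expires_at = datetime.datetime.strptime(expires, '%Y%m%d%H%M%S')
    except (TypeError, ValueError):
        raise exceptions.IncompleteURI
    # strptime() yields a naive datetime, so compare against naive UTC.
    if datetime.datetime.utcnow() > expires_at:
        raise exceptions.Expired
    source = _qsl_get_one(pr.query, 'source')
    # DNSSEC-validated lookup: the keys are only trustworthy if the TXT
    # record itself is authenticated.
    txtl = Checker(source, dnssec=True).txt('_tpda')
    if not txtl:
        raise exceptions.NoTPDA
    # One base64-encoded RSA public key per line of the TXT record.
    keys = [RSA.importKey(base64.b64decode(txt.encode('ascii')))
            for txt in txtl.split('\n')]
    # The signature covers the ASCII bytes of the URI up to '&signature='.
    try:
        signed_bytes = uri.encode('ascii')
    except UnicodeEncodeError:
        raise exceptions.IncompleteURI
    digest = SHA256.new()
    digest.update(signed_bytes)
    # Accept the URI as soon as any published key verifies the signature.
    for key in keys:
        if PKCS1_v1_5.new(key).verify(digest, raw_sig):
            return params(uri)
    raise exceptions.NoSignatureMatch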