OAuth 1.0a signature methods: RSA-SHA256, RSA-SHA512 and HMAC-SHA512 #723
Conversation
Co-Authored-By: Omer Katz <omer.drow@gmail.com>
|
@thedrow I have addressed the review comments you made on 2020-03-29, but this PR still claims there are "Changes requested" (in big bold red text). This seems to be a bug/feature in GitHub, and you'll need to do something to move the PR forward. Thanks. |
|
@auvipy Merge conflict fixed. Thanks. The dependency in master on pyjwt had been bumped up from 1.6.0 to 1.7.1. Change merged into PR. |
|
@auvipy I have addressed the review comments you made on 2020-04-09, but this PR still claims there are "Changes requested" (in big bold red text). This seems to be a bug/feature in GitHub, and you'll need to do something to move the PR forward. Thanks. |
Co-authored-by: Omer Katz <omer.drow@gmail.com>
|
I'm going to wait for another day to see if someone else would like to review this PR. |
|
Thanks Omer. Much appreciated. |
Implemented new OAuth 1.0a signature methods that work exactly like RSA-SHA1, but replaces the deprecated SHA-1 algorithm with the more stronger SHA-256 or SHA-512 algorithm. For completeness, also implemented a HMAC-based signature method that also replaces SHA-1 with SHA-512.
This pull request addresses #722.
Overview of the changes
Implementation
The code in oauthlib/oauth1/rfc5849/signatures.py was reorganised so all of the HMAC-based signing functions calls a common
_sign_hmacfunction with the hash function to use as a parameter. Similarly, all of the RSA-based signing functions calls a common_sign_rsafunction. This is better than having lots of duplicated code (with only has one small difference between them) which would be harder to understand and maintain.This has resulted in some functions becoming deprecated. The old code implemented signing with a pair of functions. For example,
sign_rsa_sha1_with_clientandsign_rsa_sha1. The first calls the second. Now with a common_sign_rsafunction, the first directly calls the new common function - so the second function has been deprecated.Tests
The code in the unit test, tests/oauth1/rfc5849/test_signatures.py, has been substantially rewritten to be more clear and complete. It now tests the signature verification functions (it didn't before). It also achieves complete code coverage for signatures.py, with the exception of several functions which are now considered deprecated.
Documentation
There are some updates to the feature matrix document and the installation instructions document. The installation needed to be corrected to ensure RSA support is properly installed, if RSA-based signature methods are needed.
Some other files were updated so that the documentation built without errors. However, most of the changed are limited to oauthlib/oauth1/rfc5849/signatures.py, files that imports and uses it, and the unit tests for it.