Merge pull request #52 from web-push-libs/bug/crypto

bug: baseline cryptography library to 1.8.2

Author: jrconlin

python/py_vapid/__init__.py

@@ -13,6 +13,7 @@
 from cryptography.hazmat.primitives import serialization
 
 from cryptography.hazmat.primitives import hashes
+from cryptography.exceptions import InvalidSignature
 
 from py_vapid.utils import b64urldecode, b64urlencode
 from py_vapid.jwt import sign
@@ -112,7 +113,8 @@ def from_file(cls, private_key_file=None):
             vapid.generate_keys()
             vapid.save_key(private_key_file)
             return vapid
-        private_key = open(private_key_file, 'r').read()
+        with open(private_key_file, 'r') as file:
+            private_key = file.read()
         try:
             if "-----BEGIN" in private_key:
                 vapid = cls.from_pem(private_key.encode('utf8'))
@@ -218,11 +220,15 @@ def verify_token(self, validation_token, verification_token):
         hsig = b64urldecode(verification_token.encode('utf8'))
         r = int(binascii.hexlify(hsig[:32]), 16)
         s = int(binascii.hexlify(hsig[32:]), 16)
-        return self.public_key.verify(
-            ecutils.encode_dss_signature(r, s),
-            validation_token,
-            signature_algorithm=ec.ECDSA(hashes.SHA256())
-        )
+        try:
+            self.public_key.verify(
+                ecutils.encode_dss_signature(r, s),
+                validation_token,
+                signature_algorithm=ec.ECDSA(hashes.SHA256())
+            )
+            return True
+        except InvalidSignature:
+            return False
 
     def _base_sign(self, claims):
         if not claims.get('exp'):

python/py_vapid/tests/test_vapid.py

@@ -169,14 +169,24 @@ def test_integration(self):
         # These values were taken from a test page. DO NOT ALTER!
         key = ("BDd3_hVL9fZi9Ybo2UUzA284WG5FZR30_95YeZJsiApwXKpNcF1rRPF3foI"
                "iBHXRdJI2Qhumhf6_LFTeZaNndIo")
-
         auth = ("WebPush eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJod"
                 "HRwczovL3VwZGF0ZXMucHVzaC5zZXJ2aWNlcy5tb3ppbGxhLmNvbSIsImV"
                 "4cCI6MTQ5NDY3MTQ3MCwic3ViIjoibWFpbHRvOnNpbXBsZS1wdXNoLWRlb"
                 "W9AZ2F1bnRmYWNlLmNvLnVrIn0.LqPi86T-HJ71TXHAYFptZEHD7Wlfjcc"
                 "4u5jYZ17WpqOlqDcW-5Wtx3x1OgYX19alhJ9oLumlS2VzEvNioZolQA")
         ok_(Vapid01.verify(key=key, auth=auth))
 
+    def test_bad_integration(self):
+        # These values were taken from a test page. DO NOT ALTER!
+        key = ("BDd3_hVL9fZi9Ybo2UUzA284WG5FZR30_95YeZJsiApwXKpNcF1rRPF3foI"
+               "iBHXRdJI2Qhumhf6_LFTeZaNndIo")
+        auth = ("WebPush eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJhdWQiOiJod"
+                "HRwczovL3VwZGF0ZXMucHVzaC5zZXJ2aWNlcy5tb3ppbGxhLmNvbSIsImV"
+                "4cCI6MTQ5NDY3MTQ3MCwic3ViIjoibWFpbHRvOnNpbXBsZS1wdXNoLWRlb"
+                "W9AZ2F1bnRmYWNlLmNvLnVrIn0.LqPi86T-HJ71TXHAYFptZEHD7Wlfjcc"
+                "4u5jYZ17WpqOlqDcW-5Wtx3x1OgYX19alhJ9oLumlS2VzEvNioZ_BAD")
+        eq_(Vapid01.verify(key=key, auth=auth), False)
+
     def test_bad_sign(self):
         v = Vapid01.from_file("/tmp/private")
         self.assertRaises(VapidException,

python/requirements.txt

@@ -1,2 +1,2 @@
 ecdsa==0.13
-cryptography==1.8.2
+cryptography>=1.8.2,<=1.10

python/setup.py

@@ -3,7 +3,7 @@
 
 from setuptools import setup, find_packages
 
-__version__ = "1.2.4"
+__version__ = "1.2.5"
 
 
 def read_from(file):