Merge pull request #200 from alexa/doiron-sha256-2

update signature algorithm validation from sha-1 to sha-256

Author: doiron

ask-sdk-webservice-support/ask_sdk_webservice_support/verifier.py

@@ -33,7 +33,7 @@
     SubjectAlternativeName)
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
-from cryptography.hazmat.primitives.hashes import SHA1
+from cryptography.hazmat.primitives.hashes import SHA256
 from cryptography.exceptions import InvalidSignature
 from contextlib import closing
 from asn1crypto import pem
@@ -121,7 +121,7 @@ def __init__(
             self,
             signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_HEADER,
             signature_key=SIGNATURE_HEADER,
-            padding=PKCS1v15(), hash_algorithm=SHA1()):
+            padding=PKCS1v15(), hash_algorithm=SHA256()):
         # type: (str, str, AsymmetricPadding, HashAlgorithm) -> None
         """Verifier that performs request signature verification.
 
@@ -140,7 +140,7 @@ def __init__(
         can also provide the Padding and the Hash Algorithm functions
         that is used to verify the input body. These are defaulted as
         :py:class:`cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`
-        and :py:class:`cryptography.hazmat.primitives.hashes.SHA1`
+        and :py:class:`cryptography.hazmat.primitives.hashes.SHA256`
         instances respectively.
 
         A certificate cache is initialized, to store certificate chains
@@ -160,7 +160,7 @@ def __init__(
             cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding
         :param hash_algorithm: Hash algorithm instance to be used
             to verify the hash value of the request body with the
-            decrypted signature. Defaulted to `SHA1`
+            decrypted signature. Defaulted to `SHA256`
         :type hash_algorithm:
             cryptography.hazmat.primitives.hashes.HashAlgorithm
         """

ask-sdk-webservice-support/ask_sdk_webservice_support/verifier_constants.py

@@ -25,7 +25,7 @@
 #: Header key to be used, to retrieve request header that contains the
 #: request signature.
 #: For more info, check `link <https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#check-request-signature>`__.
-SIGNATURE_HEADER = "Signature"
+SIGNATURE_HEADER = "Signature-256"
 
 #: Case insensitive protocol to be checked on signature certificate url.
 #: For more info, check `link <https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#check-request-signature>`__.

ask-sdk-webservice-support/tests/unit/test_verifier.py

@@ -36,7 +36,7 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
-from cryptography.hazmat.primitives.hashes import SHA1
+from cryptography.hazmat.primitives.hashes import SHA256
 from cryptography.x509 import Certificate, load_pem_x509_certificate
 from cryptography.x509.oid import NameOID
 from dateutil.tz import tzlocal, tzutc
@@ -102,7 +102,7 @@ def create_self_signed_certificate(self):
                     [x509.DNSName(u"{}".format(CERT_CHAIN_DOMAIN))]),
             critical=False).sign(
             private_key=self.private_key,
-            algorithm=SHA1(),
+            algorithm=SHA256(),
             backend=default_backend()
         )  # type: Certificate
 
@@ -124,7 +124,7 @@ def load_valid_certificate(self):
 
     def sign_data(
             self, data, private_key=None,
-            padding=PKCS1v15(), hash_algorithm=SHA1()):
+            padding=PKCS1v15(), hash_algorithm=SHA256()):
         if private_key is None:
             private_key = self.private_key