diff --git a/ask-sdk-webservice-support/ask_sdk_webservice_support/verifier.py b/ask-sdk-webservice-support/ask_sdk_webservice_support/verifier.py index 91271d9..6dc8dd4 100644 --- a/ask-sdk-webservice-support/ask_sdk_webservice_support/verifier.py +++ b/ask-sdk-webservice-support/ask_sdk_webservice_support/verifier.py @@ -33,7 +33,7 @@ SubjectAlternativeName) from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 -from cryptography.hazmat.primitives.hashes import SHA1 +from cryptography.hazmat.primitives.hashes import SHA256 from cryptography.exceptions import InvalidSignature from contextlib import closing from asn1crypto import pem @@ -121,7 +121,7 @@ def __init__( self, signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_HEADER, signature_key=SIGNATURE_HEADER, - padding=PKCS1v15(), hash_algorithm=SHA1()): + padding=PKCS1v15(), hash_algorithm=SHA256()): # type: (str, str, AsymmetricPadding, HashAlgorithm) -> None """Verifier that performs request signature verification. @@ -140,7 +140,7 @@ def __init__( can also provide the Padding and the Hash Algorithm functions that is used to verify the input body. These are defaulted as :py:class:`cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` - and :py:class:`cryptography.hazmat.primitives.hashes.SHA1` + and :py:class:`cryptography.hazmat.primitives.hashes.SHA256` instances respectively. A certificate cache is initialized, to store certificate chains @@ -160,7 +160,7 @@ def __init__( cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding :param hash_algorithm: Hash algorithm instance to be used to verify the hash value of the request body with the - decrypted signature. Defaulted to `SHA1` + decrypted signature. Defaulted to `SHA256` :type hash_algorithm: cryptography.hazmat.primitives.hashes.HashAlgorithm """ 
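Review bot: The new defaults in `__init__` (hunk at -121) only verify correctly as a pair, and nothing in the constructor or its docstring says so: `hash_algorithm=SHA256()` here and `SIGNATURE_HEADER = "Signature-256"` in verifier_constants.py change together. A caller that already passes `signature_key="Signature"` or `hash_algorithm=SHA1()` explicitly will presumably start failing verification after upgrading; that fails closed, which is the safe direction, but it is hard to diagnose. I would extend the docstring text touched by the hunks at -140 and -160 with a sentence such as `The hash algorithm must match the signature header: "Signature-256" carries a SHA-256 signature, so override both together or neither.` and flag the default change as breaking in the release notes. The body of `__init__` lies outside these hunks, so whether it could reject a mismatched pair up front cannot be judged from here.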
diff --git a/ask-sdk-webservice-support/ask_sdk_webservice_support/verifier_constants.py b/ask-sdk-webservice-support/ask_sdk_webservice_support/verifier_constants.py index 08c37dc..10e87a6 100644 --- a/ask-sdk-webservice-support/ask_sdk_webservice_support/verifier_constants.py +++ b/ask-sdk-webservice-support/ask_sdk_webservice_support/verifier_constants.py @@ -25,7 +25,7 @@ #: Header key to be used, to retrieve request header that contains the #: request signature. #: For more info, check `link `__. -SIGNATURE_HEADER = "Signature" +SIGNATURE_HEADER = "Signature-256" #: Case insensitive protocol to be checked on signature certificate url. #: For more info, check `link `__. diff --git a/ask-sdk-webservice-support/tests/unit/test_verifier.py b/ask-sdk-webservice-support/tests/unit/test_verifier.py index 46ef6c5..a70169a 100644 --- a/ask-sdk-webservice-support/tests/unit/test_verifier.py +++ b/ask-sdk-webservice-support/tests/unit/test_verifier.py @@ -36,7 +36,7 @@ from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 -from cryptography.hazmat.primitives.hashes import SHA1 +from cryptography.hazmat.primitives.hashes import SHA256 from cryptography.x509 import Certificate, load_pem_x509_certificate from cryptography.x509.oid import NameOID from dateutil.tz import tzlocal, tzutc @@ -102,7 +102,7 @@ def create_self_signed_certificate(self): [x509.DNSName(u"{}".format(CERT_CHAIN_DOMAIN))]), critical=False).sign( private_key=self.private_key, - algorithm=SHA1(), + algorithm=SHA256(), backend=default_backend() ) # type: Certificate @@ -124,7 +124,7 @@ def load_valid_certificate(self): def sign_data( self, data, private_key=None, - padding=PKCS1v15(), hash_algorithm=SHA1()): + padding=PKCS1v15(), hash_algorithm=SHA256()): if private_key is None: private_key = self.private_key
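Review bot: No visible test covers a hash mismatch, because `sign_data` (hunk at -124) now defaults to `SHA256()` in lockstep with the verifier, so every test that relies on both defaults keeps passing. The rest of the test file is not visible here, but if no such case exists, add a negative test that signs the body with `hash_algorithm=SHA1()` and asserts that a verifier built with default arguments rejects the signature; this needs the `SHA1` import that the first hunk of this file removes. That would pin the behaviour the commit is after, namely that a SHA-1 signature is no longer accepted by default. `sign_data`'s body continues past the end of the hunk.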