From b156337e62ddcc173f72cdc77b099c66bb0c3cb3 Mon Sep 17 00:00:00 2001
From: Tiago Garcia
Date: Wed, 18 Dec 2024 20:03:52 +0000
Subject: [PATCH] Fix signature verification
Signed-off-by: Tiago Garcia
---
 delivery2/client/bin/rep_create_session | 5 +++++
 delivery2/server/services/sessions.py | 16 ++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/delivery2/client/bin/rep_create_session b/delivery2/client/bin/rep_create_session
index 70e5314..26ecac3 100755
--- a/delivery2/client/bin/rep_create_session
+++ b/delivery2/client/bin/rep_create_session
@@ -78,6 +78,11 @@ def createSession(args):
 try:
 req = requests.post(f'http://{state['REP_ADDRESS']}/user/login', json=json.dumps({'signature' : base64.b64encode(signature).decode('utf-8')}), headers={'Authorization': response['token']})
 req.raise_for_status()
+
+ except requests.exceptions.HTTPError:
+ logger.error("%d: %s", req.status_code, req.json()['error'])
+ sys.exit(-1)
+
 except requests.exceptions.RequestException as errex:
 logger.error("Failed to obtain response from server")
 sys.exit(-1)
diff --git a/delivery2/server/services/sessions.py b/delivery2/server/services/sessions.py
index 98bc0db..6ea5c4c 100644
--- a/delivery2/server/services/sessions.py
+++ b/delivery2/server/services/sessions.py
@@ -1,5 +1,6 @@
 import secrets
+from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.primitives.serialization import load_pem_public_key
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives import hashes
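Review bot: The new `except requests.exceptions.HTTPError` handler in `createSession` assumes the error body is JSON with an `error` key; a non-JSON body (a proxy or framework default error page) makes `req.json()['error']` raise inside the handler, and the status code the user should see is buried under a `JSONDecodeError`/`KeyError` traceback instead of being logged. Compute the detail defensively, falling back to `req.text`, before calling `logger.error`. The rest of `createSession` lies outside the hunk, so I cannot see how the successful login path is handled. Separately, the (pre-existing) `http://` URL carries the bearer token in `Authorization` and the signature in cleartext; if TLS is not terminated in front of the server, that deserves at least a comment.
```python
except requests.exceptions.HTTPError:
    try:
        detail = req.json().get('error', req.text)
    except ValueError:  # body is not JSON (proxy/framework error page)
        detail = req.text
    logger.error("%d: %s", req.status_code, detail)
    sys.exit(-1)
```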
@@ -37,12 +38,15 @@ class SessionService:
 if not public_key_pem:
 return jsonify({"error": "Public key not found"}), 404
 public_key = load_pem_public_key(public_key_pem.encode())
- public_key.verify(
- signature,
- session.challenge.encode(),
- padding.PKCS1v15(),
- hashes.SHA256()
- )
+ try:
+ public_key.verify(
+ signature,
+ session.challenge.encode(),
+ padding.PKCS1v15(),
+ hashes.SHA256()
+ )
+ except InvalidSignature:
+ return jsonify({"error": "Invalid signature"}), 403
 session.challenge = None
 session.verified = True
 db.commit()
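Review bot: On `InvalidSignature` the new handler returns 403 but leaves `session.challenge` in place, so the same challenge can apparently be re-submitted any number of times with the same token; clearing the challenge and committing before returning makes each challenge one-shot, mirroring what the success path does three lines later. The `try` also only catches `InvalidSignature`: `load_pem_public_key` happily returns EC or Ed25519 keys, and calling `verify(..., padding.PKCS1v15(), hashes.SHA256())` on one of those raises `TypeError`/`AttributeError` rather than `InvalidSignature`, surfacing as a 500 instead of a clean rejection, so an `isinstance(public_key, rsa.RSAPublicKey)` guard (with `rsa` imported from `cryptography.hazmat.primitives.asymmetric`) should precede the call. If nothing earlier in the method checks that `session.challenge` is still set, `session.challenge.encode()` on an already-consumed challenge fails the same way; the start of that method is outside the hunk.
```python
public_key = load_pem_public_key(public_key_pem.encode())
if not isinstance(public_key, rsa.RSAPublicKey):
    return jsonify({"error": "Unsupported key type"}), 400
try:
    # … unchanged: public_key.verify(signature, challenge, PKCS1v15, SHA256) …
except InvalidSignature:
    # A failed attempt consumes the challenge so the same nonce cannot be retried.
    session.challenge = None
    db.commit()
    return jsonify({"error": "Invalid signature"}), 403
```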