authorJonathan Huot <JonathanHuot@users.noreply.github.com>2019-08-01 16:04:03 +0200
committerGitHub <noreply@github.com>2019-08-01 16:04:03 +0200
commit64e34749f8d3a8863a8fc99d1f9132350057e8e9 (patch)
treeb1a627685d69ba6c433785a252354a87e5bd1a80 /oauthlib/oauth1/rfc5849/signature.py
parent462f34e91a6a0c40a4a184dae506b0db75d0db79 (diff)
parent7538f0461cdc4a00f09905ee30bcbe7a8853d3b9 (diff)
downloadoauthlib-64e34749f8d3a8863a8fc99d1f9132350057e8e9.tar.gz
Merge branch 'master' into oidc-userinfooidc-userinfo
Diffstat (limited to 'oauthlib/oauth1/rfc5849/signature.py')
-rw-r--r--oauthlib/oauth1/rfc5849/signature.py30
1 files changed, 30 insertions, 0 deletions
diff --git a/oauthlib/oauth1/rfc5849/signature.py b/oauthlib/oauth1/rfc5849/signature.py
index f899aca..a60bee2 100644
--- a/oauthlib/oauth1/rfc5849/signature.py
+++ b/oauthlib/oauth1/rfc5849/signature.py
@@ -661,6 +661,36 @@ def verify_hmac_sha1(request, client_secret=None,
return match
+def verify_hmac_sha256(request, client_secret=None,
+ resource_owner_secret=None):
+ """Verify a HMAC-SHA256 signature.
+
+ Per `section 3.4`_ of the spec.
+
+ .. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4
+
+ To satisfy `RFC2616 section 5.2`_ item 1, the request argument's uri
+ attribute MUST be an absolute URI whose netloc part identifies the
+ origin server or gateway on which the resource resides. Any Host
+ item of the request argument's headers dict attribute will be
+ ignored.
+
+ .. _`RFC2616 section 5.2`: https://tools.ietf.org/html/rfc2616#section-5.2
+
+ """
+ norm_params = normalize_parameters(request.params)
+ bs_uri = base_string_uri(request.uri)
+ sig_base_str = signature_base_string(request.http_method, bs_uri,
+ norm_params)
+ signature = sign_hmac_sha256(sig_base_str, client_secret,
+ resource_owner_secret)
+ match = safe_string_equals(signature, request.signature)
+ if not match:
+ log.debug('Verify HMAC-SHA256 failed: signature base string: %s',
+ sig_base_str)
+ return match
+
+
def _prepare_key_plus(alg, keystr):
if isinstance(keystr, bytes):
keystr = keystr.decode('utf-8')
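Review bot: The docstring of `verify_hmac_sha256` never says what the `client_secret=None` and `resource_owner_secret=None` defaults mean for verification, nor what the function returns. If `sign_hmac_sha256` treats a missing secret as an empty string (its body is not in this hunk, so this needs confirming), a caller that forgets to pass the stored client secret would check the signature against a key built from empty secrets instead of failing. I would add a line such as `client_secret and resource_owner_secret are the shared secrets used to derive the HMAC key; a verifying server must always pass the stored client secret.` and a `:returns:` entry stating that the result is the boolean from `safe_string_equals`. On failure the `log.debug` call writes the full signature base string, which contains the request's parameters, so a short comment there noting that debug logging should stay off in production would help. The signature deliberately mirrors `verify_hmac_sha1` from the hunk header, so the defaults themselves are best left as they are and documented.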