Add support for HMAC-SHA256 (builds on PR#388) (#498)

* Add support for HMAC-SHA256

* Add explicit declaration of HMAC-SHA1 and point HMAC at it

To avoid confusion, HMAC constant name should explicitly state which SHA variant is used, but for backwards compatibility, SIGNATURE_HMAC is still needed

* add support for HMAC-SHA256 including tests and comments

* constructor tests verify client built with correct signer method

3 files changed, 65 insertions, 5 deletions

diff --git a/oauthlib/oauth1/__init__.py b/oauthlib/oauth1/__init__.py
index f9dff74..dc908d4 100644
--- a/oauthlib/oauth1/__init__.py
+++ b/oauthlib/oauth1/__init__.py
@@ -9,7 +9,7 @@ and Server classes.
 from __future__ import absolute_import, unicode_literals
 
 from .rfc5849 import Client
-from .rfc5849 import SIGNATURE_HMAC, SIGNATURE_RSA, SIGNATURE_PLAINTEXT
+from .rfc5849 import SIGNATURE_HMAC, SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256, SIGNATURE_RSA, SIGNATURE_PLAINTEXT
 from .rfc5849 import SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_QUERY
 from .rfc5849 import SIGNATURE_TYPE_BODY
 from .rfc5849.request_validator import RequestValidator
diff --git a/oauthlib/oauth1/rfc5849/__init__.py b/oauthlib/oauth1/rfc5849/__init__.py
index 06902e2..f9113ab 100644
--- a/oauthlib/oauth1/rfc5849/__init__.py
+++ b/oauthlib/oauth1/rfc5849/__init__.py
@@ -27,10 +27,12 @@ from oauthlib.common import Request, urlencode, generate_nonce
 from oauthlib.common import generate_timestamp, to_unicode
 from . import parameters, signature
 
-SIGNATURE_HMAC = "HMAC-SHA1"
+SIGNATURE_HMAC_SHA1 = "HMAC-SHA1"
+SIGNATURE_HMAC_SHA256 = "HMAC-SHA256"
+SIGNATURE_HMAC = SIGNATURE_HMAC_SHA1
 SIGNATURE_RSA = "RSA-SHA1"
 SIGNATURE_PLAINTEXT = "PLAINTEXT"
-SIGNATURE_METHODS = (SIGNATURE_HMAC, SIGNATURE_RSA, SIGNATURE_PLAINTEXT)
+SIGNATURE_METHODS = (SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256, SIGNATURE_RSA, SIGNATURE_PLAINTEXT)
 
 SIGNATURE_TYPE_AUTH_HEADER = 'AUTH_HEADER'
 SIGNATURE_TYPE_QUERY = 'QUERY'
@@ -43,7 +45,8 @@ class Client(object):
 
     """A client used to sign OAuth 1.0 RFC 5849 requests."""
     SIGNATURE_METHODS = {
-        SIGNATURE_HMAC: signature.sign_hmac_sha1_with_client,
+        SIGNATURE_HMAC_SHA1: signature.sign_hmac_sha1_with_client,
+        SIGNATURE_HMAC_SHA256: signature.sign_hmac_sha256_with_client,
         SIGNATURE_RSA: signature.sign_rsa_sha1_with_client,
         SIGNATURE_PLAINTEXT: signature.sign_plaintext_with_client
     }
@@ -57,7 +60,7 @@ class Client(object):
                  resource_owner_key=None,
                  resource_owner_secret=None,
                  callback_uri=None,
-                 signature_method=SIGNATURE_HMAC,
+                 signature_method=SIGNATURE_HMAC_SHA1,
                  signature_type=SIGNATURE_TYPE_AUTH_HEADER,
                  rsa_key=None, verifier=None, realm=None,
                  encoding='utf-8', decoding=None,
diff --git a/oauthlib/oauth1/rfc5849/signature.py b/oauthlib/oauth1/rfc5849/signature.py
index 10d057f..30001ef 100644
--- a/oauthlib/oauth1/rfc5849/signature.py
+++ b/oauthlib/oauth1/rfc5849/signature.py
@@ -469,6 +469,63 @@ def sign_hmac_sha1(base_string, client_secret, resource_owner_secret):
     # .. _`RFC2045, Section 6.8`: http://tools.ietf.org/html/rfc2045#section-6.8
     return binascii.b2a_base64(signature.digest())[:-1].decode('utf-8')
 
+
+def sign_hmac_sha256_with_client(base_string, client):
+    return sign_hmac_sha256(base_string,
+                          client.client_secret,
+                          client.resource_owner_secret
+                          )
+
+
+def sign_hmac_sha256(base_string, client_secret, resource_owner_secret):
+    """**HMAC-SHA256**
+
+    The "HMAC-SHA256" signature method uses the HMAC-SHA256 signature
+    algorithm as defined in `RFC4634`_::
+
+        digest = HMAC-SHA256 (key, text)
+
+    Per `section 3.4.2`_ of the spec.
+
+    .. _`RFC4634`: http://tools.ietf.org/html/rfc4634
+    .. _`section 3.4.2`: http://tools.ietf.org/html/rfc5849#section-3.4.2
+    """
+
+    # The HMAC-SHA256 function variables are used in following way:
+
+    # text is set to the value of the signature base string from
+    # `Section 3.4.1.1`_.
+    #
+    # .. _`Section 3.4.1.1`: http://tools.ietf.org/html/rfc5849#section-3.4.1.1
+    text = base_string
+
+    # key is set to the concatenated values of:
+    # 1.  The client shared-secret, after being encoded (`Section 3.6`_).
+    #
+    # .. _`Section 3.6`: http://tools.ietf.org/html/rfc5849#section-3.6
+    key = utils.escape(client_secret or '')
+
+    # 2.  An "&" character (ASCII code 38), which MUST be included
+    #     even when either secret is empty.
+    key += '&'
+
+    # 3.  The token shared-secret, after being encoded (`Section 3.6`_).
+    #
+    # .. _`Section 3.6`: http://tools.ietf.org/html/rfc5849#section-3.6
+    key += utils.escape(resource_owner_secret or '')
+
+    # FIXME: HMAC does not support unicode!
+    key_utf8 = key.encode('utf-8')
+    text_utf8 = text.encode('utf-8')
+    signature = hmac.new(key_utf8, text_utf8, hashlib.sha256)
+
+    # digest  is used to set the value of the "oauth_signature" protocol
+    #         parameter, after the result octet string is base64-encoded
+    #         per `RFC2045, Section 6.8`.
+    #
+    # .. _`RFC2045, Section 6.8`: http://tools.ietf.org/html/rfc2045#section-6.8
+    return binascii.b2a_base64(signature.digest())[:-1].decode('utf-8')
+
 _jwtrs1 = None
 
 #jwt has some nice pycrypto/cryptography abstractions