http-message-signatures

An implementation of the IETF HTTP Message Signatures draft standard

These details have not been verified by PyPI

Project links

Homepage

Project description

http-message-signatures is an implementation of the IETF HTTP Message Signatures draft standard in Python.

Installation

pip3 install http-message-signatures

Synopsis

from http_message_signatures import HTTPMessageSigner, HTTPMessageVerifier, HTTPSignatureKeyResolver, algorithms
import requests, base64, hashlib, http_sfv

class MyHTTPSignatureKeyResolver(HTTPSignatureKeyResolver):
    keys = {"my-key": b"top-secret-key"}

    def resolve_public_key(self, key_id: str):
        return self.keys[key_id]

    def resolve_private_key(self, key_id: str):
        return self.keys[key_id]

request = requests.Request('POST', 'https://example.com/foo?param=Value&Pet=dog', json={"hello": "world"})
request = request.prepare()
request.headers["Content-Digest"] = str(http_sfv.Dictionary({"sha-256": hashlib.sha256(request.body).digest()}))

signer = HTTPMessageSigner(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
signer.sign(request, key_id="my-key", covered_component_ids=("@method", "@authority", "@target-uri", "content-digest"))

verifier = HTTPMessageVerifier(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
verifier.verify(request)

Note that verifying the body content-digest is outside the scope of this package’s functionality, so it remains the caller’s responsibility. The requests-http-signature library builds upon this package to provide integrated signing and validation of the request body.

See what is signed

It is important to understand and follow the best practice rule of “See what is signed” when verifying HTTP message signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is what was actually signed, the attacker can supply a valid signature but point you to malicious data that wasn’t signed by that signature. Failure to follow this rule can lead to vulnerability against signature wrapping and substitution attacks.

In http-message-signatures, you can ensure that the information signed is what you expect to be signed by only trusting the data returned by the verify() method:

verify_result = verifier.verify(request)

This returns VerifyResult, a namedtuple with the following attributes:

label (str): The label for the signature
algorithm: (same as signature_algorithm above)
covered_components: A mapping of component names to their values, as covered by the signature
parameters: A mapping of signature parameters to their values, as covered by the signature
body: Always None (the requests-http-signature package implements returning the body upon successful digest validation).

Authors

Andrey Kislyuk

License

Licensed under the terms of the Apache License, Version 2.0.

Project details

These details have not been verified by PyPI

Project links

Homepage

Release history Release notifications | RSS feed

0.5.0

Feb 22, 2024

0.4.4

Aug 31, 2022

0.4.3

Apr 19, 2022

0.4.2

Apr 19, 2022

0.4.1

Apr 19, 2022

This version

0.4.0

Apr 14, 2022

0.3.0

Apr 12, 2022

0.2.3

Apr 12, 2022

0.2.2

Apr 11, 2022

0.2.1

Apr 10, 2022

0.2.0

Apr 10, 2022

0.1.0

Apr 9, 2022

0.0.3

Apr 4, 2022

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

http-message-signatures-0.4.0.tar.gz (23.4 kB view details)

Uploaded Apr 14, 2022 Source

Built Distribution

http_message_signatures-0.4.0-py3-none-any.whl (13.7 kB view details)

Uploaded Apr 14, 2022 Python 3

File details

Details for the file http-message-signatures-0.4.0.tar.gz.

File metadata

Download URL: http-message-signatures-0.4.0.tar.gz
Upload date: Apr 14, 2022
Size: 23.4 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.4.1 importlib_metadata/4.6.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.10

File hashes

Hashes for http-message-signatures-0.4.0.tar.gz
Algorithm	Hash digest
SHA256	`81826d5cd0c616b98aff03ae113d7c06fc6328c78c00caf361fd8a5f9399e51a`
MD5	`a68e1b3c9487040257b3010376544061`
BLAKE2b-256	`c12b8795eb96485a9d4597cab9ef4b5ce25dace65b32be3d3d1d9c4793eb7f7d`

See more details on using hashes here.

File details

Details for the file http_message_signatures-0.4.0-py3-none-any.whl.

File metadata

Download URL: http_message_signatures-0.4.0-py3-none-any.whl
Upload date: Apr 14, 2022
Size: 13.7 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.4.1 importlib_metadata/4.6.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.10

File hashes

Hashes for http_message_signatures-0.4.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`d71407389ead75ce81941e0eb25bba6e877baae4b9cc1f7154fedbbc76400bcf`
MD5	`2b98edb587a00f10020c2216409f6c57`
BLAKE2b-256	`a6f9bf5eafb7fd99198a69e8fd9ffed88aeb305a82e02719f75b9e385d58cd7b`