requests-http-signature

A Requests auth module for HTTP Message Signatures

These details have not been verified by PyPI

Project links

Homepage

Project description

requests-http-signature is a Requests authentication plugin (requests.auth.AuthBase subclass) implementing the IETF HTTP Message Signatures draft RFC.

Installation

$ pip install requests-http-signature

Usage

import requests
from requests_http_signature import HTTPSignatureAuth, algorithms

preshared_key_id = 'squirrel'
preshared_secret = b'monorail_cat'
url = 'http://example.com/path'

auth = HTTPSignatureAuth(key=preshared_secret, key_id=preshared_key_id, signature_algorithm=algorithms.HMAC_SHA256)
requests.get(url, auth=auth)

By default, only the Date header and the @method, @authority, and @target-uri derived component identifiers are signed for body-less requests such as GET. The Date header is set if it is absent. In addition, for requests with bodies (such as POST), the Content-Digest header is set to the SHA256 of the request body using the format described in the IETF Digest Fields draft RFC and signed. To add other headers to the signature, pass an array of header names in the covered_component_ids keyword argument.

In addition to signing messages in the client, the class method HTTPSignatureAuth.verify() can be used to verify incoming requests:

class key_resolver:
    def resolve_public_key(self, key_id):
        assert key_id == 'squirrel'
        return 'monorail_cat'

HTTPSignatureAuth.verify(request, signature_algorithm=algorithms.HMAC_SHA256, key_resolver=key_resolver)

See what is signed

It is important to understand and follow the best practice rule of “See what is signed” when verifying HTTP message signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is what was actually signed, the attacker can supply a valid signature but point you to malicious data that wasn’t signed by that signature. Failure to follow this rule can lead to vulnerability against signature wrapping and substitution attacks.

In requests-http-signature, you can ensure that the information signed is what you expect to be signed by only trusting the data returned by the verify() method:

verify_result = HTTPSignatureAuth.verify(request, ...)

See the API documentation for full details.

Asymmetric key algorithms

To sign or verify messages with an asymmetric key algorithm, set the signature_algorithm keyword argument to algorithms.ED25519, algorithms.ECDSA_P256_SHA256, algorithms.RSA_V1_5_SHA256, or algorithms.RSA_PSS_SHA512. Note that signing with rsa-pss-sha512 is not currently supported due to a limitation of the cryptography library.

For asymmetric key algorithms, you can supply the private key as the key parameter to the HTTPSignatureAuth() constructor as bytes in the PEM format, or configure the key resolver as follows:

with open('key.pem', 'rb') as fh:
    auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256, key=fh.read(), key_id=preshared_key_id)
requests.get(url, auth=auth)

class MyKeyResolver:
    def resolve_public_key(self, key_id: str):
        return public_key_pem_bytes[key_id]

    def resolve_private_key(self, key_id: str):
        return private_key_pem_bytes[key_id]

auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256, key=fh.read(), key_resolver=MyKeyResolver())
requests.get(url, auth=auth)

Digest algorithms

The library supports SHA-512 digests via subclassing::

class MySigner(HTTPSignatureAuth):

def add_digest(self, request):: super().add_digest(request, algorithm=”sha-512”)

License

Licensed under the terms of the Apache License, Version 2.0.

Project details

These details have not been verified by PyPI

Project links

Homepage

Release history Release notifications | RSS feed

0.7.1

Apr 19, 2022

0.7.0

Apr 15, 2022

0.6.0

Apr 12, 2022

This version

0.5.0

Apr 11, 2022

0.4.0

Apr 11, 2022

0.3.0

Apr 10, 2022

0.2.0

Aug 29, 2020

0.1.0

Nov 6, 2018

0.0.3

Sep 19, 2017

0.0.2

Aug 22, 2017

0.0.1

Aug 22, 2017

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

requests-http-signature-0.5.0.tar.gz (17.6 kB view details)

Uploaded Apr 11, 2022 Source

Built Distribution

requests_http_signature-0.5.0-py3-none-any.whl (11.5 kB view details)

Uploaded Apr 11, 2022 Python 3

File details

Details for the file requests-http-signature-0.5.0.tar.gz.

File metadata

Download URL: requests-http-signature-0.5.0.tar.gz
Upload date: Apr 11, 2022
Size: 17.6 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.4.1 importlib_metadata/4.6.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.10

File hashes

Hashes for requests-http-signature-0.5.0.tar.gz
Algorithm	Hash digest
SHA256	`27eaa38be679a9e943399605eb19948db5c842212bbb2686ede002e7e962f94d`
MD5	`78703bef8af39ae0c632b30a764ac440`
BLAKE2b-256	`87f29f7c098b28e418d55fc811cd0fe457b11c91f1141292d8fa0d5875790170`

See more details on using hashes here.

File details

Details for the file requests_http_signature-0.5.0-py3-none-any.whl.

File metadata

Download URL: requests_http_signature-0.5.0-py3-none-any.whl
Upload date: Apr 11, 2022
Size: 11.5 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.4.1 importlib_metadata/4.6.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.10

File hashes

Hashes for requests_http_signature-0.5.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`62956e35a4086cbda52d842ed729c20644e24a541412bd053e9beacca7bcc07d`
MD5	`203dddc551a5da2a143855ef996323ed`
BLAKE2b-256	`4e9d349fe210c0842133d3dc39b02930af7afe866badc576604c35585651a349`