http-message-signatures
An implementation of the IETF HTTP Message Signatures standard (RFC 9421)
http-message-signatures is an implementation of the IETF
`RFC 9421 HTTP Message Signatures <https://datatracker.ietf.org/doc/rfc9421/>`_ standard in Python.
::

    pip3 install http-message-signatures
.. code-block:: python

    from http_message_signatures import HTTPMessageSigner, HTTPMessageVerifier, HTTPSignatureKeyResolver, algorithms
    import requests, base64, hashlib, http_sfv

    class MyHTTPSignatureKeyResolver(HTTPSignatureKeyResolver):
        # HMAC uses one shared secret for signing and verifying; a real resolver looks keys up by key_id in a key store.
        keys = {"my-key": b"top-secret-key"}

        def resolve_public_key(self, key_id: str):
            return self.keys[key_id]

        def resolve_private_key(self, key_id: str):
            return self.keys[key_id]

    request = requests.Request('POST', 'https://example.com/foo?param=Value&Pet=dog', json={"hello": "world"})
    request = request.prepare()
    # Bind the body to the signature by covering a Content-Digest header (a structured-field dictionary of digests).
    request.headers["Content-Digest"] = str(http_sfv.Dictionary({"sha-256": hashlib.sha256(request.body).digest()}))

    # Sign the method, authority, target URI and the Content-Digest header; the signature itself is added as headers.
    signer = HTTPMessageSigner(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
    signer.sign(request, key_id="my-key", covered_component_ids=("@method", "@authority", "@target-uri", "content-digest"))

    # Verify with the same algorithm and key resolver; a mismatch raises instead of returning.
    verifier = HTTPMessageVerifier(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
    verifier.verify(request)
Note that verifying the body content-digest is outside the scope of this package's functionality, so it remains the
caller's responsibility. The `requests-http-signature <https://github.com/pyauth/requests-http-signature>`_ library
builds upon this package to provide integrated signing and validation of the request body.
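The body check that the note above leaves to the caller, as an added example that is not part of http-message-signatures or requests-http-signature: a signature covering ``content-digest`` only binds the header value, so unless the receiver recomputes the digest over the body it actually received, an attacker can replay a validly signed header with a substituted body. The code below uses only the standard library; it parses a ``Content-Digest`` value in the ``sha-256=:base64:`` dictionary form that the README builds with ``http_sfv``, recomputes the digest and compares in constant time. The function names, the accepted-algorithm set and the sample body are this example's own assumptions.

```python
"""Verify a Content-Digest header against the received body (added example, stdlib only)."""
import base64
import hashlib
import hmac

# Digest algorithms this receiver accepts (assumption for this example); weak ones are deliberately absent.
ACCEPTED_ALGORITHMS = {"sha-256": hashlib.sha256, "sha-512": hashlib.sha512}


def parse_content_digest(header: str) -> dict:
    """Parse ``sha-256=:base64:, sha-512=:base64:`` into {algorithm: raw digest bytes}.

    Only the subset of structured-field dictionary syntax that Content-Digest uses
    (lowercase keys with byte-sequence values) is handled; anything else is rejected.
    """
    digests = {}
    for member in header.split(","):
        member = member.strip()
        if not member:
            raise ValueError("empty Content-Digest member")
        key, sep, value = member.partition("=")
        key = key.strip().lower()
        if not sep or not key:
            raise ValueError(f"malformed Content-Digest member: {member!r}")
        value = value.strip()
        # Byte sequences are delimited by colons: sf-binary = ":" *(base64) ":"
        if len(value) < 2 or value[0] != ":" or value[-1] != ":":
            raise ValueError(f"digest value is not a byte sequence: {member!r}")
        try:
            digests[key] = base64.b64decode(value[1:-1], validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"invalid base64 in {key} digest") from exc
    return digests


def verify_content_digest(header: str, body: bytes) -> str:
    """Return the first accepted algorithm whose digest matched; raise ValueError otherwise.

    Every accepted algorithm listed in the header must match the body, so a header
    carrying one correct and one wrong digest is rejected rather than half-trusted.
    """
    digests = parse_content_digest(header)
    checked = [alg for alg in digests if alg in ACCEPTED_ALGORITHMS]
    if not checked:
        raise ValueError("no acceptable digest algorithm in Content-Digest")
    for alg in checked:
        expected = ACCEPTED_ALGORITHMS[alg](body).digest()
        # Constant-time comparison; a wrong-length digest simply compares unequal.
        if not hmac.compare_digest(expected, digests[alg]):
            raise ValueError(f"{alg} digest does not match body")
    return checked[0]


def make_content_digest(body: bytes, algorithm: str = "sha-256") -> str:
    """Build a Content-Digest value the way the README does with http_sfv.Dictionary."""
    digest = ACCEPTED_ALGORITHMS[algorithm](body).digest()
    return f"{algorithm}=:{base64.b64encode(digest).decode()}:"


if __name__ == "__main__":
    body = b'{"hello": "world"}'  # constructed sample body
    header = make_content_digest(body)
    print(header, "->", verify_content_digest(header, body))
    try:
        verify_content_digest(header, b'{"hello": "evil"}')
    except ValueError as err:
        print("tampered body rejected:", err)
```

Run ``verify_content_digest`` only after ``verifier.verify()`` has succeeded and only if ``content-digest`` was among the covered components; a matching digest on an uncovered header proves nothing about who sent the body.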
.. admonition:: See what is signed

    It is important to understand and follow the best practice rule of "See what is signed" when verifying HTTP message
    signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is what
    was actually signed, an attacker can supply a valid signature but point you to malicious data that was not signed by
    that signature. Failure to follow this rule can leave you vulnerable to signature wrapping and substitution attacks.

    In http-message-signatures, you can ensure that the information signed is what you expect to be signed by only
    trusting the data returned by the ``verify()`` method::

        verify_results = verifier.verify(request)

    This returns a list of ``VerifyResult``\ s, which are ``namedtuple``\ s describing the signature that was verified.
    Their ``body`` attribute is always ``None`` (the
    `requests-http-signature <https://github.com/pyauth/requests-http-signature>`_ package implements returning the body
    upon successful digest validation).

    Given that an HTTP request can potentially carry multiple signatures, the ``verify()`` method returns a list of
    ``VerifyResult``\ s. However, the implementation currently supports just one signature, so the returned list contains
    exactly one element. If more signatures are found in the request, ``InvalidSignature`` is raised.

    Additionally, the ``verify()`` method raises ``HTTPMessageSignaturesException``, or an exception derived from this
    class, if an error occurs (unable to load PEM key, unsupported algorithm specified in the signature input, signature
    does not match the digest, etc.).
* `Project home page (GitHub) <https://github.com/pyauth/http-message-signatures>`_
* `Documentation <https://FIXME>`_
* `Package distribution (PyPI) <https://pypi.python.org/pypi/http-message-signatures>`_
* `Change log <https://github.com/pyauth/http-message-signatures/blob/master/Changes.rst>`_
* `IETF HTTP Message Signatures standard tracker <https://datatracker.ietf.org/doc/rfc9421/>`_
* `OWASP Top Ten <https://owasp.org/www-project-top-ten/>`_

Bugs
----
Please report bugs, issues, feature requests, etc. on `GitHub <https://github.com/pyauth/http-message-signatures/issues>`_.
License
-------
Licensed under the terms of the `Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_.