http-message-signatures
An implementation of the IETF HTTP Message Signatures draft standard
http-message-signatures is an implementation of the IETF
`RFC 9421 HTTP Message Signatures <https://datatracker.ietf.org/doc/rfc9421/>`_ draft standard in
Python.
::

    pip3 install http-message-signatures
.. code-block:: python

    from http_message_signatures import HTTPMessageSigner, HTTPMessageVerifier, HTTPSignatureKeyResolver, algorithms
    import requests, base64, hashlib, http_sfv

    class MyHTTPSignatureKeyResolver(HTTPSignatureKeyResolver):
        # Shared HMAC secret, looked up by key id; the same key is used for signing and verifying
        keys = {"my-key": b"top-secret-key"}

        def resolve_public_key(self, key_id: str):
            return self.keys[key_id]

        def resolve_private_key(self, key_id: str):
            return self.keys[key_id]

    request = requests.Request('POST', 'https://example.com/foo?param=Value&Pet=dog', json={"hello": "world"})
    request = request.prepare()
    # Content-Digest binds the body to the signature through the covered "content-digest" component
    request.headers["Content-Digest"] = str(http_sfv.Dictionary({"sha-256": hashlib.sha256(request.body).digest()}))
    signer = HTTPMessageSigner(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
    signer.sign(request, key_id="my-key", covered_component_ids=("@method", "@authority", "@target-uri", "content-digest"))
    verifier = HTTPMessageVerifier(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
    verifier.verify(request)
Note that verifying the body content-digest is outside the scope of this package's functionality, so it remains the
caller's responsibility. The `requests-http-signature <https://github.com/pyauth/requests-http-signature>`_ library
builds upon this package to provide integrated signing and validation of the request body.
.. admonition:: See what is signed

    It is important to understand and follow the best practice rule of "See what is signed" when verifying HTTP message signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is what was actually signed, the attacker can supply a valid signature but point you to malicious data that wasn't signed by that signature. Failure to follow this rule can lead to vulnerability against signature wrapping and substitution attacks.
In http-message-signatures, you can ensure that the information signed is what you expect to be signed by only trusting the
data returned by the ``verify()`` method::

    verify_results = verifier.verify(request)

This returns a list of ``VerifyResult``\ s, which are ``namedtuple``\ s with the following attributes:

* ``body``: ``None`` (the `requests-http-signature <https://github.com/pyauth/requests-http-signature>`_ package
  implements returning the body upon successful digest validation).

Given that an HTTP request can potentially have multiple signatures, the ``verify()`` method returns a list of
``VerifyResult``\ s. However, the implementation currently supports just one signature, so the returned list currently
contains just one element. If more signatures are found in the request, then ``InvalidSignature`` is raised.
Additionally, the ``verify()`` method raises ``HTTPMessageSignaturesException`` or an exception derived from this class in
case an error occurs (unable to load PEM key, unsupported algorithm specified in signature input, signature doesn't match
digest, etc.).
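The two points above, that body digest verification is left to the caller and that only the data returned by ``verify()`` should be trusted, fit together in one routine. The following is an added example, not code from the http-message-signatures project: it uses only the standard library to check a body against the ``Content-Digest`` value that was actually covered by the verified signature, rather than re-reading the header from the raw request. The ``signed_component`` helper assumes the verifier keys ``covered_components`` by the serialized component identifier (quoted, e.g. ``'"content-digest"'``); both quoted and bare keys are accepted, and the ``covered`` mapping in the demo is constructed by hand to stand in for ``verify_results[0].covered_components``.

```python
"""Added example: verify a request body against the signed Content-Digest.
Illustrative stdlib-only code, not part of http-message-signatures."""
import base64
import hashlib
import hmac
import re

# Digest algorithms this receiver accepts. Entries using other algorithms are
# ignored, but a header with no supported entry cannot be verified.
SUPPORTED = {"sha-256": hashlib.sha256, "sha-512": hashlib.sha512}


class ContentDigestError(ValueError):
    """Raised when the body cannot be verified against Content-Digest."""


# One RFC 8941 Dictionary member of the form  key=:base64:  (a Byte Sequence).
_MEMBER = re.compile(r"^\s*([a-z*][a-z0-9_.*-]*)\s*=\s*:([A-Za-z0-9+/=]*):\s*$")


def parse_content_digest(value: str) -> dict:
    """Parse a Content-Digest field value into {algorithm: raw digest bytes}."""
    if not value.strip():
        raise ContentDigestError("empty Content-Digest")
    digests = {}
    for member in value.split(","):
        m = _MEMBER.match(member)
        if not m:
            raise ContentDigestError(f"malformed Content-Digest member: {member!r}")
        try:
            digests[m.group(1)] = base64.b64decode(m.group(2), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ContentDigestError(f"bad base64 in Content-Digest: {member!r}") from exc
    return digests


def make_content_digest(body: bytes, algorithms=("sha-256",)) -> str:
    """Build the Content-Digest value a signer would send for this body."""
    parts = []
    for alg in algorithms:
        digest = SUPPORTED[alg](body).digest()
        parts.append(f"{alg}=:{base64.b64encode(digest).decode('ascii')}:")
    return ", ".join(parts)


def signed_component(covered_components, name: str) -> str:
    """Fetch a component value from the verifier's covered_components mapping.

    Assumption: the mapping is keyed by the serialized component identifier
    (quotes included); the bare name is tried as well. A component that was
    not covered by the signature must not be trusted, so that is an error.
    """
    for key in (f'"{name}"', name):
        if key in covered_components:
            return covered_components[key]
    raise ContentDigestError(f"{name} was not covered by the signature")


def verify_content_digest(signed_value: str, body: bytes) -> str:
    """Check body against the *signed* Content-Digest value.

    signed_value must come from the verifier's result, not from the raw
    headers. Every supported entry must match; a single mismatch rejects the
    body. Returns the name of an algorithm that matched.
    """
    digests = parse_content_digest(signed_value)
    matched = None
    for alg, expected in digests.items():
        hasher = SUPPORTED.get(alg)
        if hasher is None:
            continue  # unsupported algorithm: skip, but do not count as verified
        if not hmac.compare_digest(hasher(body).digest(), expected):
            raise ContentDigestError(f"{alg} digest does not match body")
        matched = alg
    if matched is None:
        raise ContentDigestError("no supported digest algorithm in Content-Digest")
    return matched


def body_digest_ok(signed_value: str, body: bytes) -> bool:
    """Boolean wrapper for callers that do not want the exception."""
    try:
        verify_content_digest(signed_value, body)
        return True
    except ContentDigestError:
        return False


if __name__ == "__main__":
    body = b'{"hello": "world"}'
    # Constructed stand-in for verify_results[0].covered_components
    covered = {'"@method"': "POST", '"content-digest"': make_content_digest(body)}
    print(verify_content_digest(signed_component(covered, "content-digest"), body))
    print(body_digest_ok(signed_component(covered, "content-digest"), b'{"hello": "mars"}'))
```

In a real handler, call ``verify_content_digest`` only after ``verifier.verify()`` has returned without raising, feeding it the ``content-digest`` value from the returned ``covered_components`` and the body bytes as received; a body whose digest was never covered by the signature is treated the same as a mismatch.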
* `Project home page (GitHub) <https://github.com/pyauth/http-message-signatures>`_
* `Documentation <https://FIXME>`_
* `Package distribution (PyPI) <https://pypi.python.org/pypi/http-message-signatures>`_
* `Change log <https://github.com/pyauth/http-message-signatures/blob/master/Changes.rst>`_
* `IETF HTTP Message Signatures standard tracker <https://datatracker.ietf.org/doc/rfc9421/>`_
* `OWASP Top Ten <https://owasp.org/www-project-top-ten/>`_

Bugs
----
Please report bugs, issues, feature requests, etc. on `GitHub <https://github.com/pyauth/http-message-signatures/issues>`_.
License
-------
Licensed under the terms of the `Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_.