http-message-signatures
An implementation of the IETF HTTP Message Signatures draft standard
http-message-signatures is an implementation of the IETF HTTP Message Signatures standard
(`RFC 9421 <https://datatracker.ietf.org/doc/rfc9421/>`_) in Python.
::

    pip3 install http-message-signatures
.. code-block:: python

    from http_message_signatures import HTTPMessageSigner, HTTPMessageVerifier, HTTPSignatureKeyResolver, algorithms
    import requests, hashlib, http_sfv

    class MyHTTPSignatureKeyResolver(HTTPSignatureKeyResolver):
        # Symmetric (HMAC) keys: the same secret is returned for signing and verifying.
        keys = {"my-key": b"top-secret-key"}

        def resolve_public_key(self, key_id: str):
            return self.keys[key_id]

        def resolve_private_key(self, key_id: str):
            return self.keys[key_id]

    request = requests.Request('POST', 'https://example.com/foo?param=Value&Pet=dog', json={"hello": "world"})
    request = request.prepare()
    # Bind the body to the signature through Content-Digest: the signature covers the
    # digest header, not the body bytes themselves.
    request.headers["Content-Digest"] = str(http_sfv.Dictionary({"sha-256": hashlib.sha256(request.body).digest()}))

    signer = HTTPMessageSigner(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
    signer.sign(request, key_id="my-key", covered_component_ids=("@method", "@authority", "@target-uri", "content-digest"))

    verifier = HTTPMessageVerifier(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
    verifier.verify(request)
Note that verifying the body against ``Content-Digest`` is outside the scope of this package's functionality, so it
remains the caller's responsibility. The `requests-http-signature <https://github.com/pyauth/requests-http-signature>`_
library builds upon this package to provide integrated signing and validation of the request body.
.. admonition:: See what is signed

   It is important to understand and follow the best practice rule of "See what is signed" when verifying HTTP message
   signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is what
   was actually signed, an attacker can supply a valid signature but point you to malicious data that wasn't signed by
   that signature. Failure to follow this rule can leave you vulnerable to signature wrapping and substitution attacks.
In http-message-signatures, you can ensure that the information signed is what you expect to be signed by only trusting
the data returned by the ``verify()`` method::

    verify_results = verifier.verify(request)

This returns a list of ``VerifyResult`` s, which are ``namedtuple`` s with the following attributes:

* ``label`` (str): the label of the signature (the key under ``Signature-Input`` and ``Signature``)
* ``algorithm``: the signature algorithm that was used to verify
* ``covered_components``: a mapping of component names to their values, as covered by the signature
* ``parameters``: a mapping of signature parameters (``created``, ``keyid``, ``alg``, ...) to their values, as covered by the signature
* ``body``: always ``None`` (the `requests-http-signature <https://github.com/pyauth/requests-http-signature>`_ package
  implements returning the body upon successful digest validation)

Given that an HTTP request can potentially have multiple signatures, the ``verify()`` method returns a list of
``VerifyResult`` s. However, the implementation currently supports just one signature, so the returned list currently
contains just one element. If more signatures are found in the request then ``InvalidSignature`` is raised.

Additionally, the ``verify()`` method raises ``HTTPMessageSignaturesException`` or an exception derived from this class
in case an error occurs (unable to load PEM key, unsupported algorithm specified in signature input, signature doesn't
match digest, etc.).
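The signing flow from the code block above and the "See what is signed" rule, worked through end to end in stdlib-only Python. This is an added example, not code from the http-message-signatures project: it builds the RFC 9421 signature base for the same covered components as the README request, emits ``Signature-Input`` and ``Signature`` with ``hmac-sha256``, and on verification returns only the covered components, the way ``VerifyResult.covered_components`` does. The key store, the sample request, the ``verify_ok`` helper and the ``Signature-Input`` parser (which accepts only the one shape ``sign()`` produces) are constructed for this example; ``@authority`` is lowercased but the default-port stripping RFC 9421 requires is not implemented here.

```python
import base64, hashlib, hmac, re
from urllib.parse import urlsplit

KEYS = {"my-key": b"top-secret-key"}  # constructed key store for the example: keyid -> shared HMAC secret


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value for the body (sha-256 as a :base64: byte sequence)."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def component_value(name: str, method: str, url: str, headers: dict) -> str:
    """Value of one covered component: a derived (@-prefixed) component or a header field."""
    if name.startswith("@"):
        # Assumption: only these three derived components; default port is not stripped from @authority.
        derived = {"@method": method.upper(), "@target-uri": url, "@authority": urlsplit(url).netloc.lower()}
        if name not in derived:
            raise ValueError(f"unsupported derived component {name}")
        return derived[name]
    lowered = {k.lower(): v.strip() for k, v in headers.items()}  # field names are case-insensitive
    if name not in lowered:
        raise KeyError(f"covered component {name} is missing from the message")
    return lowered[name]


def signature_params(covered, created: int, keyid: str, alg: str) -> str:
    """Serialised @signature-params inner list, e.g. ("@method" "content-digest");created=..;keyid="..";alg=".."."""
    return "(" + " ".join(f'"{c}"' for c in covered) + f');created={created};keyid="{keyid}";alg="{alg}"'


def signature_base(method, url, headers, covered, params) -> str:
    """RFC 9421 signature base: one '"name": value' line per covered component plus the params line."""
    lines = [f'"{c}": {component_value(c, method, url, headers)}' for c in covered]
    return "\n".join(lines + [f'"@signature-params": {params}'])


def sign(method, url, headers, covered, keyid, created, label="sig1") -> dict:
    """Return a copy of headers with Signature-Input and Signature (hmac-sha256) added."""
    params = signature_params(covered, created, keyid, "hmac-sha256")
    base = signature_base(method, url, headers, covered, params).encode()
    mac = hmac.new(KEYS[keyid], base, hashlib.sha256).digest()
    return dict(headers, **{"Signature-Input": f"{label}={params}",
                            "Signature": f"{label}=:{base64.b64encode(mac).decode()}:"})


# Parser for the single-signature Signature-Input shape sign() produces (not a general structured-field parser).
SIG_INPUT_RE = re.compile(r'^(?P<label>[a-z][a-z0-9_.*-]*)=\((?P<ids>[^)]*)\);created=(?P<created>\d+);'
                          r'keyid="(?P<keyid>[^"]+)";alg="(?P<alg>[^"]+)"$')


def verify(method, url, headers, now=None, max_age=300) -> dict:
    """Check the MAC and return ONLY the covered components: the data the signer committed to.
    Everything else in the message is unsigned; treat it as attacker-controlled."""
    m = SIG_INPUT_RE.match(component_value("signature-input", method, url, headers))
    if not m or m["alg"] != "hmac-sha256":
        raise ValueError("unsupported or malformed Signature-Input")
    covered = re.findall(r'"([^"]+)"', m["ids"])
    params = m.group(0)[len(m["label"]) + 1:]  # everything after 'label='
    sig = re.fullmatch(re.escape(m["label"]) + r"=:([A-Za-z0-9+/=]+):",
                       component_value("signature", method, url, headers))
    if not sig:
        raise ValueError("malformed Signature")
    base = signature_base(method, url, headers, covered, params).encode()
    if not hmac.compare_digest(hmac.new(KEYS[m["keyid"]], base, hashlib.sha256).digest(),
                               base64.b64decode(sig.group(1))):
        raise ValueError("signature mismatch")
    if now is not None and now - int(m["created"]) > max_age:
        raise ValueError("signature expired")  # bounds replay of a captured, validly signed request
    return {c: component_value(c, method, url, headers) for c in covered}


def verify_ok(method, url, headers, **kw) -> bool:
    try:
        verify(method, url, headers, **kw)
        return True
    except (ValueError, KeyError):
        return False


def verify_content_digest(headers: dict, body: bytes) -> bool:
    """The signature covers the Content-Digest header, not the body; binding the two is the caller's job."""
    sent = {k.lower(): v.strip() for k, v in headers.items()}.get("content-digest", "")
    return hmac.compare_digest(sent.encode(), content_digest(body).encode())


def demo() -> dict:
    """Round trip on a constructed request, then three tampering cases."""
    body, url = b'{"hello": "world"}', "https://example.com/foo?param=Value&Pet=dog"
    headers = {"Content-Type": "application/json", "Content-Digest": content_digest(body)}
    signed = sign("POST", url, headers, ("@method", "@authority", "@target-uri", "content-digest"),
                  "my-key", created=1618884473)
    trusted = verify("POST", url, signed)
    assert verify_content_digest(signed, body)
    # Swapped body: the signature still verifies; only the caller's digest check catches it.
    assert verify_ok("POST", url, signed) and not verify_content_digest(signed, body + b" ")
    # Injected uncovered header: valid signature, but the value is absent from `trusted`;
    # code that reads it from `signed` instead trusts something nobody signed.
    forged = dict(signed, **{"X-Role": "admin"})
    assert verify_ok("POST", url, forged) and "x-role" not in verify("POST", url, forged)
    assert not verify_ok("PUT", url, signed)  # changing a covered component breaks the MAC
    return trusted
```

Calling ``demo()`` returns the four covered components and nothing else; an application built this way literally cannot read an uncovered header out of the verification result, which is the property the admonition asks for. The ``created`` age check is the piece the README example does not show: without it a captured request with a valid signature can be replayed for as long as the key lives.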
* `Project home page (GitHub) <https://github.com/pyauth/http-message-signatures>`_
* `Documentation <https://FIXME>`_
* `Package distribution (PyPI) <https://pypi.python.org/pypi/http-message-signatures>`_
* `Change log <https://github.com/pyauth/http-message-signatures/blob/master/Changes.rst>`_
* `IETF HTTP Message Signatures standard tracker <https://datatracker.ietf.org/doc/rfc9421/>`_
* `OWASP Top Ten <https://owasp.org/www-project-top-ten/>`_

Bugs
----
Please report bugs, issues, feature requests, etc. on `GitHub <https://github.com/pyauth/http-message-signatures/issues>`_.
License
-------
Licensed under the terms of the `Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_.