Implementation of the server side of the IETF draft "Signing HTTP Messages"

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for michalc from gravatar.com michalc

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: Michal Charemza

Requires: Python >=3.6.3

Classifiers

Project description

http-signature-server CircleCI Test Coverage

HTTP server agnostic Python implementation of the server side of the IETF draft "Signing HTTP Messages", with no dependencies other than the Python standard library, although cryptography would typically be used in client code to verify signatures using a public key.

Usage

from http_signature_server import verify

def lookup_verifier(key_id):
    # If the key_id is found, return a callable that takes the signature and
    # data to verify, returning True only if the signature verifies the data
    # If the key_id isn't known, return None

error, (key_id, verified_headers) = verify_headers(lookup_verifier, max_skew, method, path, headers)

What's implemented

A deliberate subset of the signature algorithm is implemented/enforced:

  • the (request-target) pseudo-header is required and verified;
  • the created parameter is required, and the corresponding (created) pseudo-header must be signed;
  • the headers parameter is required;
  • the expires parameter, if sent, must not correspond to a signed (expires) pseudo-header;
  • the algorithm parameter is ignored if sent.

There are a few places where the implementation is technically, and deliberately, non-conforming.

  • The (created) pseudo-header: if this is in the future from the server's point of view, even 1 second, according to the spec verification should fail. Instead, there is a configurable maximum time skew that applies to the future as well as the past.

  • The expires parameter: if this is sent and in the past from the server's point of view, according to the spec verification should fail.

  • The algorithm parameter: if it's sent but does not match what the server expects, according to the spec verification should fail.

It is assumed that the (created) and (request-target) pseudo-headers were prepended to the list of real HTTP headers before canonicalisation at the client. This fact only makes a difference in the edge case of real HTTP headers called (created) or (request-target).

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for michalc from gravatar.com michalc

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: Michal Charemza

Requires: Python >=3.6.3

Classifiers

Release history Release notifications | RSS feed

0.0.12

0.0.11

0.0.10

0.0.9

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

This version

0.0.2

0.0.1

0.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

http-signature-server-0.0.2.tar.gz (3.3 kB view hashes)

Uploaded Source

Built Distribution

http_signature_server-0.0.2-py3-none-any.whl (4.5 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page