Implementation of the server side of the IETF draft "Signing HTTP Messages"
Project description
http-signature-server 
HTTP server agnostic Python implementation of the server side of the IETF draft "Signing HTTP Messages", with no dependencies other than the Python standard library, although cryptography would typically be used in client code to verify signatures using a public key.
Usage
from http_signature_server import verify
def lookup_verifier(key_id):
# If the key_id is found, return a callable that takes the signature and
# data to verify, returning True only if the signature verifies the data
# If the key_id isn't found, return None
error, (key_id, verified_headers) = verify_headers(lookup_verifier, max_skew, method, path, headers)
if error is not None:
# Return error or raise exception as needed
What's implemented
A deliberate subset of the signature algorithm is implemented/enforced:
- the
(request-target)pseudo-header is required and verified; - the
createdparameter is required, and the corresponding(created)pseudo-header must be signed; - the
headersparameter is required; - the
expiresparameter, if sent, must not correspond to a signed(expires)pseudo-header; - the
algorithmparameter is ignored if sent.
There are a few places where the implementation is technically, and deliberately, non-conforming.
-
The
(created)pseudo-header: if this is in the future from the server's point of view, even 1 second, according to the spec verification should fail. Instead, there is a configurable maximum time skew that applies to the future as well as the past. -
The
expiresparameter: if this is sent and in the past from the server's point of view, according to the spec verification should fail. -
The
algorithmparameter: if it's sent but does not match what the server expects, according to the spec verification should fail.
It is assumed that the (created) and (request-target) pseudo-headers were prepended to the list of real HTTP headers before canonicalisation at the client. This fact only makes a difference in the edge case of real HTTP headers called (created) or (request-target).
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file http-signature-server-0.0.4.tar.gz.
File metadata
- Download URL: http-signature-server-0.0.4.tar.gz
- Upload date:
- Size: 3.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.23.0 setuptools/40.7.1 requests-toolbelt/0.8.0 tqdm/4.31.1 CPython/3.6.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7fa0638d3af6573008ce88841c3e7cc0e3c0d34bde83c997ca71ac73166d585a
|
|
| MD5 |
3d58252912bb9d36f4ad90713ca83398
|
|
| BLAKE2b-256 |
1538637153f1493c74131a2ce9a5b327fe4afaa0590a37ed9f6552735aef9c55
|
File details
Details for the file http_signature_server-0.0.4-py3-none-any.whl.
File metadata
- Download URL: http_signature_server-0.0.4-py3-none-any.whl
- Upload date:
- Size: 4.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.23.0 setuptools/40.7.1 requests-toolbelt/0.8.0 tqdm/4.31.1 CPython/3.6.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d463e2e8da327e566285e07970a35d5f3d752e290782d846df603715684411b1
|
|
| MD5 |
dfcf3bb2b6b21a784730b1c31357fc8f
|
|
| BLAKE2b-256 |
2ce19520282a4aeddc78f5f1c59efb732254eef6fb0c68a59bcc49a1820833a2
|
