Secure HTTP request signing using the HTTP Signature draft specification
Project description
Sign HTTP requests with secure signatures. See the original project, original Python module, original spec, and IETF draft for details.
Requirements
Optional:
Usage
For simple raw signing:
    import httpsig
    secret = open('rsa_private.pem', 'r').read()
    sig_maker = httpsig.Signer(secret=secret, algorithm='rsa-sha256')
    sig_maker.sign('hello world!')
For use with requests:
    import json
    import requests
    from httpsig.requests_auth import HTTPSignatureAuth
    secret = open('rsa_private.pem', 'r').read()
    auth = HTTPSignatureAuth(key_id='Test', secret=secret)
    z = requests.get('https://api.example.com/path/to/endpoint', auth=auth, headers={'X-Api-Version': '~6.5'})
Class initialization parameters
httpsig.Signer(secret, algorithm='rsa-sha256')
secret, in the case of an RSA signature, is a string containing the PEM-encoded RSA private key. In the case of HMAC, it is a secret password.
algorithm is one of the six allowed signature algorithms: rsa-sha1, rsa-sha256, rsa-sha512, hmac-sha1, hmac-sha256, hmac-sha512.
httpsig.requests_auth.HTTPSignatureAuth(key_id, secret, algorithm='rsa-sha256', headers=None)
key_id is the label by which the server system knows your RSA key or password.
headers is the list of HTTP headers whose values are concatenated to form the message that is signed. By default it is the specification’s minimum, the Date HTTP header, so no other header is covered by the signature unless it is listed here.
secret and algorithm are as above.
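As an added example (not httpsig's own code), the following standard-library HMAC-SHA256 code builds the signing string from the listed headers as described above and shows that a header left out of the list can change without invalidating the signature. The function names, the secret and the header values are constructed for illustration.

```python
import base64
import hashlib
import hmac


def signing_string(header_names, headers):
    """Build 'name: value' lines (lower-cased names) joined by newlines."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return "\n".join(f"{n.lower()}: {lookup[n.lower()]}" for n in header_names)


def sign(secret, header_names, headers):
    """Return the base64 HMAC-SHA256 of the signing string."""
    msg = signing_string(header_names, headers).encode("ascii")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(secret, header_names, headers, signature):
    """Recompute the signature; a missing listed header is a failure."""
    try:
        expected = sign(secret, header_names, headers)
    except KeyError:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, signature)


# Constructed sample data (not real credentials or traffic).
SECRET = b"constructed-demo-secret"
SENT = {"Date": "Tue, 01 Jul 2014 12:00:00 GMT", "X-Api-Version": "~6.5"}
ALTERED = dict(SENT, **{"X-Api-Version": "~1.0"})


def demo():
    """Map each header list to (intact request verifies, altered request verifies)."""
    results = {}
    for label, names in (("date_only", ["date"]),
                         ("date_and_version", ["date", "x-api-version"])):
        sig = sign(SECRET, names, SENT)
        results[label] = (verify(SECRET, names, SENT, sig),
                          verify(SECRET, names, ALTERED, sig))
    return results


if __name__ == "__main__":
    for label, (intact, altered) in demo().items():
        print(label, "intact verifies:", intact, "| altered verifies:", altered)
```

With only Date signed, the altered X-Api-Version still verifies; adding the header to the list makes the verifier reject it.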
Tests
To run tests:
python setup.py test
License
MIT
httpsig Changes
1.0b2 (2014-Jul-01)
Written against http://tools.ietf.org/html/draft-cavage-http-signatures-02
Added “setup.py test” and tox support.
Added sign/verify unit tests for all currently-supported algorithms.
HeaderSigner and HeaderVerifier now share the same message-building logic.
The HTTP method in the message is now properly lower-case.
Resolved unit test failures.
Updated Verifier and HeaderVerifier to handle verifying both RSA and HMAC sigs.
Updated versioneer.
Updated contact/author info.
Removed stray keypair in test dir.
Removed SSH agent support.
Removed support for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.
1.0b1 (2014-Jun-23)
Removed HTTP version from request-line, per spec (breaks backwards compatibility).
Removed auto-generation of missing Date header (ensures client compatibility).
http-signature (previous)
0.2.0 (unreleased)
Update to newer spec (incompatible with prior version).
Handle request-line meta-header.
Allow secret to be a PEM encoded string.
Add test cases from spec.
0.1.4 (2012-10-03)
Account for ssh now being re-merged into paramiko: either package is acceptable (but paramiko should ideally be >= 1.8.0)
0.1.3 (2012-10-02)
Stop enabling allow_agent by default
Stop requiring ssh package by default – it is imported only when allow_agent=True
Changed logic around ssh-agent: if one key is available, don’t bother with any other authentication method
Changed logic around key file usage: if decryption fails, prompt for password
Bug fix: ssh-agent resulted in a nonsensical error if it found no correct keys (thanks, petervolpe)
Introduce versioneer.py
Hashes for httpsig-1.0.0-py2.py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 5a0510222ea13ac46f4d622344d386c9025e346c3bb990749e9dc6aab0ec55b1
MD5 | d533f276af5c9a5fbd049e75a296823e
BLAKE2b-256 | 0ea331efeaeeb2a35119f5e4644e408abe7410bbf6506fe5d7f289a1c82a486f