Skip to main content

Secure HTTP request signing using the HTTP Signature draft specification

Project description

https://travis-ci.org/ahknight/httpsig.svg?branch=master https://travis-ci.org/ahknight/httpsig.svg?branch=develop

Sign HTTP requests with secure signatures according to the current IETF HTTP Signatures draft specification. This is a fork of the original module to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work. It’s being used in production and is actively-developed.

See the original project, original Python module, original spec, and current IETF draft for more details on the signing scheme.

Requirements

Optional:

Usage

Real documentation is forthcoming, but for now this should get you started.

For simple raw signing:

import httpsig

secret = open('rsa_private.pem', 'rb').read()

sig_maker = httpsig.Signer(secret=secret, algorithm='rsa-sha256')
sig_maker.sign('hello world!')

For general use with web frameworks:

import httpsig

key_id = "Some Key ID"
secret = b'some big secret'

hs = httpsig.HeaderSigner(key_id, secret, algorithm="hmac-sha256", headers=['(request-line)', 'host', 'date'])
signed_headers_dict = hs.sign({"Date": "Tue, 01 Jan 2014 01:01:01 GMT", "Host": "example.com"}, method="GET", path="/api/1/object/1")

For use with requests:

import json
import requests
from httpsig.requests_auth import HTTPSignatureAuth

secret = open('rsa_private.pem', 'rb').read()

auth = HTTPSignatureAuth(key_id='Test', secret=secret)
z = requests.get('https://api.example.com/path/to/endpoint',
                         auth=auth, headers={'X-Api-Version': '~6.5'})

Class initialization parameters

Note that keys and secrets should be bytes objects. At attempt will be made to convert them, but if that fails then exceptions will be thrown.

httpsig.Signer(secret, algorithm='rsa-sha256')

secret, in the case of an RSA signature, is a string containing private RSA pem. In the case of HMAC, it is a secret password. algorithm is one of the six allowed signatures: rsa-sha1, rsa-sha256, rsa-sha512, hmac-sha1, hmac-sha256, hmac-sha512.

httpsig.requests_auth.HTTPSignatureAuth(key_id, secret, algorithm='rsa-sha256', headers=None)

key_id is the label by which the server system knows your RSA signature or password. headers is the list of HTTP headers that are concatenated and used as signing objects. By default it is the specification’s minimum, the Date HTTP header. secret and algorithm are as above.

Tests

To run tests:

python setup.py test

or:

tox

License

Both this module and the original module are licensed under the MIT license.

httpsig Changes

1.0.1 (2014-Jul-02)

  • Python 3 support (2.7 + 3.2-3.4)

  • Updated tox and Travis CI configs to test the supported Python versions.

  • Updated README.

1.0.0 (2014-Jul-01)

  • Written against http://tools.ietf.org/html/draft-cavage-http-signatures-02

  • Added “setup.py test” and tox support.

  • Added sign/verify unit tests for all currently-supported algorithms.

  • HeaderSigner and HeaderVerifier now share the same message-building logic.

  • The HTTP method in the message is now properly lower-case.

  • Resolved unit test failures.

  • Updated Verifier and HeaderVerifier to handle verifying both RSA and HMAC sigs.

  • Updated versioneer.

  • Updated contact/author info.

  • Removed stray keypair in test dir.

  • Removed SSH agent support.

  • Removed suport for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.

1.0b1 (2014-Jun-23)

  • Removed HTTP version from request-line, per spec (breaks backwards compatability).

  • Removed auto-generation of missing Date header (ensures client compatability).

http-signature (previous)

0.2.0 (unreleased)

  • Update to newer spec (incompatible with prior version).

  • Handle request-line meta-header.

  • Allow secret to be a PEM encoded string.

  • Add test cases from spec.

0.1.4 (2012-10-03)

  • Account for ssh now being re-merged into paramiko: either package is acceptable (but paramiko should ideally be >= 1.8.0)

0.1.3 (2012-10-02)

  • Stop enabling allow_agent by default

  • Stop requiring ssh package by default – it is imported only when allow_agent=True

  • Changed logic around ssh-agent: if one key is available, don’t bother with any other authentication method

  • Changed logic around key file usage: if decryption fails, prompt for password

  • Bug fix: ssh-agent resulted in a nonsensical error if it found no correct keys (thanks, petervolpe)

  • Introduce versioneer.py

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

httpsig-1.0.2-py2.py3-none-any.whl (69.3 kB view details)

Uploaded Python 2Python 3

File details

Details for the file httpsig-1.0.2-py2.py3-none-any.whl.

File metadata

File hashes

Hashes for httpsig-1.0.2-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 e0ccbe3ec47df6f3a60af1fa448a613174e357358b5ebbd9f96d6151642276af
MD5 cfde3203d01670f1e55da75f208151e6
BLAKE2b-256 9c08d5fc0d9ab32f807c5a212a62ea03903a85504d1c81ebdd05f51a4cb4ba11

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page