Verification library for RFC Hardware-Attestation and Hardware-Trust-Proof email headers

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for AuraFriday from gravatar.com AuraFriday

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Christopher Drake
  • Requires: Python >=3.9
  • Provides-Extra: dns
Classifiers
Report project as malware

Project description

hw-attest-verify

Verification library for RFC Hardware-Attestation and Hardware-Trust-Proof email headers.

Receiving mail servers use this library to verify that an email was sent from hardware-attested identity, as defined in draft-drake-email-hardware-attestation-00.

Installation

pip install hw-attest-verify

# With DNS key discovery support (recommended):
pip install hw-attest-verify[dns]

Usage

Mode 1: Hardware-Attestation (Direct Hardware Attestation)

from hw_attest_verify import verify_hardware_attestation

result = verify_hardware_attestation(
    header_value=msg["Hardware-Attestation"],
    email_headers={
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message-id": msg["Message-ID"],
    },
    body=msg.get_payload(decode=True),
    allow_self_signed=True,  # or provide trusted_root_certificates
)

if result.is_valid:
    print(f"Verified: trust_tier={result.trust_tier}, alg={result.alg}")
    print(f"Certificate: {result.leaf_certificate_subject}")
else:
    print(f"Verification failed: {result.failure_reason}")

Mode 2: Hardware-Trust-Proof (SD-JWT Trust Proof)

from hw_attest_verify import verify_hardware_trust_proof

result = verify_hardware_trust_proof(
    header_value=msg["Hardware-Trust-Proof"],
    email_headers={
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message-id": msg["Message-ID"],
    },
    body=msg.get_payload(decode=True),
)

if result.is_valid:
    print(f"Verified: trust_tier={result.trust_tier}")
    print(f"Issuer: {result.issuer}")
    print(f"Disclosed claims: {result.disclosed_claims}")
else:
    print(f"Verification failed: {result.failure_reason}")

Parsing without verification

from hw_attest_verify import parse_hardware_attestation_header

parsed = parse_hardware_attestation_header(header_value)
print(f"typ={parsed.typ}, alg={parsed.alg}, trust_tier={parsed.trust_tier}")
print(f"Signed headers: {parsed.signed_header_names}")
print(f"Timestamp: {parsed.ts}")

CLI: Verify a raw email

# From stdin
python -m hw_attest_verify < email.eml

# From file
hw-attest-verify email.eml

Output is JSON with is_valid, trust_tier, failure_reasons, etc.

Issuer Key Discovery (Mode 2)

The library discovers the issuer's public key using two mechanisms:

  1. DNS TXT record (preferred): _hwattest.{domain} with format v=hwattest1; alg=ES256; p=<base64 SPKI DER>
  2. HTTPS JWKS fallback: https://{issuer}/.well-known/jwks.json

Install dnspython for DNS discovery: pip install hw-attest-verify[dns]

Trust Tiers

typ Trust Tier Hardware
TPM sovereign Discrete TPM 2.0 (Windows, Linux)
PIV portable YubiKey / PIV smartcard
ENC enclave Apple Secure Enclave
VRT virtual Firmware TPM (fTPM)
SFT declared Software key (fallback)

RFC Reference

draft-drake-email-hardware-attestation-00 -- Hardware Attestation for Email Sender Verification

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for AuraFriday from gravatar.com AuraFriday

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Christopher Drake
  • Requires: Python >=3.9
  • Provides-Extra: dns
Classifiers

Release history Release notifications | RSS feed

0.2.2

0.2.1

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hw_attest_verify-0.1.0.tar.gz (18.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

hw_attest_verify-0.1.0-py3-none-any.whl (17.6 kB view details)

Uploaded Python 3

File details

Details for the file hw_attest_verify-0.1.0.tar.gz.

File metadata

  • Download URL: hw_attest_verify-0.1.0.tar.gz
  • Upload date:
  • Size: 18.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for hw_attest_verify-0.1.0.tar.gz
Algorithm Hash digest
SHA256 67b9680f77ad82ecd563119451221cbd40a8e6cab4454bb379b5c9fa9483728f
MD5 1265e85f8494c90168c0bdedc9652ef9
BLAKE2b-256 9541e7ce0ab6a98ecf38ed4d3d6f9ec3f6d0d302357521d3594d8660d10b80c0

See more details on using hashes here.

File details

Details for the file hw_attest_verify-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for hw_attest_verify-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 70d9a6d00bf7e34eb69b5ccc291c90d3808a233c20ec77173145707da95ae9c6
MD5 8c4d5a31e986df2801a210f6b21625b1
BLAKE2b-256 a6e3a84b969352816b84fc44d668be05c0193900717917d2c236dfa56d793083

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page