Verification library for RFC Hardware-Attestation and Hardware-Trust-Proof email headers

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for AuraFriday from gravatar.com AuraFriday

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Christopher Drake
  • Requires: Python >=3.9
  • Provides-Extra: dns
Classifiers
Report project as malware

Project description

hw-attest-verify

Verification library for RFC Hardware-Attestation and Hardware-Trust-Proof email headers.

Receiving mail servers use this library to verify that an email was sent from hardware-attested identity, as defined in draft-drake-email-hardware-attestation-00.

Installation

pip install hw-attest-verify

# With DNS key discovery support (recommended):
pip install hw-attest-verify[dns]

Usage

Mode 1: Hardware-Attestation (Direct Hardware Attestation)

from hw_attest_verify import verify_hardware_attestation

result = verify_hardware_attestation(
    header_value=msg["Hardware-Attestation"],
    email_headers={
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message-id": msg["Message-ID"],
    },
    body=msg.get_payload(decode=True),
    allow_self_signed=True,  # or provide trusted_root_certificates
)

if result.is_valid:
    print(f"Verified: trust_tier={result.trust_tier}, alg={result.alg}")
    print(f"Certificate: {result.leaf_certificate_subject}")
else:
    print(f"Verification failed: {result.failure_reason}")

Mode 2: Hardware-Trust-Proof (SD-JWT Trust Proof)

from hw_attest_verify import verify_hardware_trust_proof

result = verify_hardware_trust_proof(
    header_value=msg["Hardware-Trust-Proof"],
    email_headers={
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message-id": msg["Message-ID"],
    },
    body=msg.get_payload(decode=True),
)

if result.is_valid:
    print(f"Verified: trust_tier={result.trust_tier}")
    print(f"Issuer: {result.issuer}")
    print(f"Disclosed claims: {result.disclosed_claims}")
else:
    print(f"Verification failed: {result.failure_reason}")

Parsing without verification

from hw_attest_verify import parse_hardware_attestation_header

parsed = parse_hardware_attestation_header(header_value)
print(f"typ={parsed.typ}, alg={parsed.alg}, trust_tier={parsed.trust_tier}")
print(f"Signed headers: {parsed.signed_header_names}")
print(f"Timestamp: {parsed.ts}")

CLI: Verify a raw email

# From stdin
python -m hw_attest_verify < email.eml

# From file
hw-attest-verify email.eml

Output is JSON with is_valid, trust_tier, failure_reasons, etc.

Issuer Key Discovery (Mode 2)

The library discovers the issuer's public key using two mechanisms:

  1. DNS TXT record (preferred): _hwattest.{domain} with format v=hwattest1; alg=ES256; p=<base64 SPKI DER>
  2. HTTPS JWKS fallback: https://{issuer}/.well-known/jwks.json

Install dnspython for DNS discovery: pip install hw-attest-verify[dns]

Trust Tiers

typ Trust Tier Hardware
TPM sovereign Discrete TPM 2.0 (Windows, Linux)
PIV portable YubiKey / PIV smartcard
ENC enclave Apple Secure Enclave
VRT virtual Firmware TPM (fTPM)
SFT declared Software key (fallback)

RFC Reference

draft-drake-email-hardware-attestation-00 -- Hardware Attestation for Email Sender Verification

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for AuraFriday from gravatar.com AuraFriday

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Christopher Drake
  • Requires: Python >=3.9
  • Provides-Extra: dns
Classifiers

Release history Release notifications | RSS feed

0.2.2

This version

0.2.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hw_attest_verify-0.2.1.tar.gz (20.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

hw_attest_verify-0.2.1-py3-none-any.whl (20.6 kB view details)

Uploaded Python 3

File details

Details for the file hw_attest_verify-0.2.1.tar.gz.

File metadata

  • Download URL: hw_attest_verify-0.2.1.tar.gz
  • Upload date:
  • Size: 20.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.8.10

File hashes

Hashes for hw_attest_verify-0.2.1.tar.gz
Algorithm Hash digest
SHA256 54dea7089da28c796e554b36b20469e18e109d060ff33170a6d77918077f2f64
MD5 1a97b138de377e0698c0a0f5037d103e
BLAKE2b-256 987a0ffa9619f410c3ba77a865806646ac166832ca0507023e06b965d7dfbd09

See more details on using hashes here.

File details

Details for the file hw_attest_verify-0.2.1-py3-none-any.whl.

File metadata

File hashes

Hashes for hw_attest_verify-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 71abe90fbb53157927d081bf65ef40f9381868e3c8c08568930bfed08598b8d7
MD5 6a252548c367cff3aa2d4181d14cfcd5
BLAKE2b-256 5f29a60b9e7c7116fc2f487a4c2cc693086f0a238f0037cc97f8bae21ed2d9fa

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page