Verification library for RFC Hardware-Attestation and Hardware-Trust-Proof email headers

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for AuraFriday from gravatar.com AuraFriday

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Christopher Drake
  • Requires: Python >=3.9
  • Provides-Extra: dns
Classifiers
Report project as malware

Project description

hw-attest-verify

Verification library for RFC Hardware-Attestation and Hardware-Trust-Proof email headers.

Receiving mail servers use this library to verify that an email was sent from hardware-attested identity, as defined in draft-drake-email-hardware-attestation-00.

Installation

pip install hw-attest-verify

# With DNS key discovery support (recommended):
pip install hw-attest-verify[dns]

Usage

Mode 1: Hardware-Attestation (Direct Hardware Attestation)

from hw_attest_verify import verify_hardware_attestation

result = verify_hardware_attestation(
    header_value=msg["Hardware-Attestation"],
    email_headers={
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message-id": msg["Message-ID"],
    },
    body=msg.get_payload(decode=True),
    allow_self_signed=True,  # or provide trusted_root_certificates
)

if result.is_valid:
    print(f"Verified: trust_tier={result.trust_tier}, alg={result.alg}")
    print(f"Certificate: {result.leaf_certificate_subject}")
else:
    print(f"Verification failed: {result.failure_reason}")

Mode 2: Hardware-Trust-Proof (SD-JWT Trust Proof)

from hw_attest_verify import verify_hardware_trust_proof

result = verify_hardware_trust_proof(
    header_value=msg["Hardware-Trust-Proof"],
    email_headers={
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message-id": msg["Message-ID"],
    },
    body=msg.get_payload(decode=True),
)

if result.is_valid:
    print(f"Verified: trust_tier={result.trust_tier}")
    print(f"Issuer: {result.issuer}")
    print(f"Disclosed claims: {result.disclosed_claims}")
else:
    print(f"Verification failed: {result.failure_reason}")

Parsing without verification

from hw_attest_verify import parse_hardware_attestation_header

parsed = parse_hardware_attestation_header(header_value)
print(f"typ={parsed.typ}, alg={parsed.alg}, trust_tier={parsed.trust_tier}")
print(f"Signed headers: {parsed.signed_header_names}")
print(f"Timestamp: {parsed.ts}")

CLI: Verify a raw email

# From stdin
python -m hw_attest_verify < email.eml

# From file
hw-attest-verify email.eml

Output is JSON with is_valid, trust_tier, failure_reasons, etc.

Issuer Key Discovery (Mode 2)

The library discovers the issuer's public key using two mechanisms:

  1. DNS TXT record (preferred): _hwattest.{domain} with format v=hwattest1; alg=ES256; p=<base64 SPKI DER>
  2. HTTPS JWKS fallback: https://{issuer}/.well-known/jwks.json

Install dnspython for DNS discovery: pip install hw-attest-verify[dns]

Trust Tiers

typ Trust Tier Hardware
TPM sovereign Discrete TPM 2.0 (Windows, Linux)
PIV portable YubiKey / PIV smartcard
ENC enclave Apple Secure Enclave
VRT virtual Firmware TPM (fTPM)
SFT declared Software key (fallback)

RFC Reference

draft-drake-email-hardware-attestation-00 -- Hardware Attestation for Email Sender Verification

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for AuraFriday from gravatar.com AuraFriday

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Christopher Drake
  • Requires: Python >=3.9
  • Provides-Extra: dns
Classifiers

Release history Release notifications | RSS feed

This version

0.2.2

0.2.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hw_attest_verify-0.2.2.tar.gz (20.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

hw_attest_verify-0.2.2-py3-none-any.whl (20.9 kB view details)

Uploaded Python 3

File details

Details for the file hw_attest_verify-0.2.2.tar.gz.

File metadata

  • Download URL: hw_attest_verify-0.2.2.tar.gz
  • Upload date:
  • Size: 20.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for hw_attest_verify-0.2.2.tar.gz
Algorithm Hash digest
SHA256 d8306412bef9d19cd17b9c5ce39e0a40ae78a5fcca41b6c0814d524cc7262bba
MD5 3c4f67a2e9be80a0fdc6b9f8f44c1d30
BLAKE2b-256 d32ff7be966e0ec66d1904d0d072fd9b640afedc80c365983850652a820274e7

See more details on using hashes here.

File details

Details for the file hw_attest_verify-0.2.2-py3-none-any.whl.

File metadata

File hashes

Hashes for hw_attest_verify-0.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 ffcdd664cf323e6cec90c2e4ef852a69df4d495774381308fdf7ddd7e5ef3248
MD5 ad1e10cf2729561f4c142e931692b2f8
BLAKE2b-256 1e5df3e2fc2cd000061974db52f4ec99e05669cb1719a10219f0a127180db5cb

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page