Skip to main content

Secure HTTP request signing using the HTTP Signature draft specification

Project description

https://travis-ci.org/ahknight/httpsig.svg?branch=master https://travis-ci.org/ahknight/httpsig.svg?branch=develop

Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (Draft 15). This is a fork of module to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work. It was updated from draft 12 to 15 for the sole purpose of being used with the federation project in supporting http signatures used by most Activitypub platforms. Note that the implementation may not be fully compliant with Draft 15.

See the original project, original Python module, original spec, and current IETF draft for more details on the signing scheme.

Requirements

Optional:

For testing:

  • tox

  • pyenv (optional, handy way to access multiple versions)

    $ for VERS in 2.7.15 3.4.9 3.5.6 3.6.7 3.7.1; do pyenv install -s $VERS; done

Usage

Real documentation is forthcoming, but for now this should get you started.

For simple raw signing:

import httpsig

secret = open('rsa_private.pem', 'rb').read()

sig_maker = httpsig.Signer(secret=secret, algorithm='hs2019', sign_algorithm=httpsig.PSS())
sig_maker.sign('hello world!')

For general use with web frameworks:

import httpsig

key_id = "Some Key ID"
secret = open('rsa_private.pem', 'rb').read()

hs = httpsig.HeaderSigner(key_id, secret, algorithm="hs2019", sign_algorithm=httpsig.PSS(), headers=['(request-target)', 'host', 'date'])
signed_headers_dict = hs.sign({"Date": "Tue, 01 Jan 2014 01:01:01 GMT", "Host": "example.com"}, method="GET", path="/api/1/object/1")

For use with requests:

import json
import requests
from httpsig.requests_auth import HTTPSignatureAuth

secret = open('rsa_private.pem', 'rb').read()

auth = HTTPSignatureAuth(key_id='Test', secret=secret, sign_algorithm=httpsig.PSS())
z = requests.get('https://api.example.com/path/to/endpoint',
                         auth=auth, headers={'X-Api-Version': '~6.5', 'Date': 'Tue, 01 Jan 2014 01:01:01 GMT')

Class initialization parameters

Note that keys and secrets should be bytes objects. At attempt will be made to convert them, but if that fails then exceptions will be thrown.

httpsig.Signer(secret, algorithm='hs2019', sign_algorithm=httpsig.PSS())

secret, in the case of an RSA signature, is a string containing private RSA pem. In the case of HMAC, it is a secret password. algorithm should be set to ‘hs2019’ the other six signatures are now deprecated: rsa-sha1, rsa-sha256, rsa-sha512, hmac-sha1, hmac-sha256, hmac-sha512. sign_algorithm The digital signature algorithm derived from keyId. Currently supported algorithms: httpsig.PSS

httpsig.requests_auth.HTTPSignatureAuth(key_id, secret, algorithm='hs2019', sign_algorithm=httpsig.PSS(), headers=None)

key_id is the label by which the server system knows your secret. headers is the list of HTTP headers that are concatenated and used as signing objects. By default it is the specification’s minimum, the Date HTTP header. secret and algorithm are as above. sign_algorithm The digital signature algorithm derived from keyId. Currently supported algorithms: httpsig.PSS

Tests

To run tests:

python setup.py test

or:

tox

Known Limitations

  1. Multiple values for the same header are not supported. New headers with the same name will overwrite the previous header. It might be possible to replace the CaseInsensitiveDict with the collection that the email package uses for headers to overcome this limitation.

  2. Keyfiles with passwords are not supported. There has been zero vocal demand for this so if you would like it, a PR would be a good way to get it in.

  3. Draft 2 added support for ecdsa-sha256. This is available in PyCryptodome but has not been added to httpsig. PRs welcome.

License

Both this module and the original module are licensed under the MIT license.

httpsig Changes

1.6.0 (2023-Feb-8)

  • Added support for the created and expires headers

1.3.0 (2019-Nov-28)

  • Relax pycryptodome requirements (PR#14 by cveilleux)

  • Ability to supply another signature header like Signature (PR#15 by rbignon)

  • Fixed #2; made Signer.sign() public

  • Dropped Python 3.3, added Python 3.7.

1.2.0 (2018-Mar-28)

  • Switched to pycryptodome instead of PyCrypto (PR#11 by iandouglas)

  • Updated tests with the test data from Draft 8 and verified it still passes.

  • Dropped official Python 3.2 support (pip dropped it so it can’t be properly tested)

  • Cleaned up the code to be more PEP8-like.

1.1.2 (2015-Feb-11)

  • HMAC verification is now constant-time.

1.1.1 (2015-Feb-11)

  • (pulled)

1.1.0 (2014-Jul-24)

  • Changed “(request-line)” to “(request-target)” to comply with Draft 3.

1.0.3 (2014-Jul-09)

  • Unified the default signing algo under one setting. Setting httpsig.sign.DEFAULT_SIGN_ALGORITHM changes it for all future instances.

  • Handle invalid params a little better.

1.0.2 (2014-Jul-02)

  • Ensure we treat headers as ASCII strings.

  • Handle a case in the authorization header where there’s garbage (non-keypairs) after the method name.

1.0.1 (2014-Jul-02)

  • Python 3 support (2.7 + 3.2-3.4)

  • Updated tox and Travis CI configs to test the supported Python versions.

  • Updated README.

1.0.0 (2014-Jul-01)

  • Written against http://tools.ietf.org/html/draft-cavage-http-signatures-02

  • Added “setup.py test” and tox support.

  • Added sign/verify unit tests for all currently-supported algorithms.

  • HeaderSigner and HeaderVerifier now share the same message-building logic.

  • The HTTP method in the message is now properly lower-case.

  • Resolved unit test failures.

  • Updated Verifier and HeaderVerifier to handle verifying both RSA and HMAC sigs.

  • Updated versioneer.

  • Updated contact/author info.

  • Removed stray keypair in test dir.

  • Removed SSH agent support.

  • Removed suport for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.

1.0b1 (2014-Jun-23)

  • Removed HTTP version from request-line, per spec (breaks backwards compatability).

  • Removed auto-generation of missing Date header (ensures client compatability).

http-signature (previous)

0.2.0 (unreleased)

  • Update to newer spec (incompatible with prior version).

  • Handle request-line meta-header.

  • Allow secret to be a PEM encoded string.

  • Add test cases from spec.

0.1.4 (2012-10-03)

  • Account for ssh now being re-merged into paramiko: either package is acceptable (but paramiko should ideally be >= 1.8.0)

0.1.3 (2012-10-02)

  • Stop enabling allow_agent by default

  • Stop requiring ssh package by default – it is imported only when allow_agent=True

  • Changed logic around ssh-agent: if one key is available, don’t bother with any other authentication method

  • Changed logic around key file usage: if decryption fails, prompt for password

  • Bug fix: ssh-agent resulted in a nonsensical error if it found no correct keys (thanks, petervolpe)

  • Introduce versioneer.py

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

python-httpsig-socialhome-1.6.0.tar.gz (23.5 kB view details)

Uploaded Source

Built Distribution

python_httpsig_socialhome-1.6.0-py2.py3-none-any.whl (23.5 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file python-httpsig-socialhome-1.6.0.tar.gz.

File metadata

File hashes

Hashes for python-httpsig-socialhome-1.6.0.tar.gz
Algorithm Hash digest
SHA256 3e1db35a061627d45c47dae80e8378bd98fb105b16dcc129e423ee0d35601903
MD5 0922a2f5e5dafcc53ce9c3b251f83e7b
BLAKE2b-256 f04635a96cb4a6aa314720bb289b8a7c24662ed35870ca309b6d39006318d676

See more details on using hashes here.

File details

Details for the file python_httpsig_socialhome-1.6.0-py2.py3-none-any.whl.

File metadata

File hashes

Hashes for python_httpsig_socialhome-1.6.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 7bc7c6a352373e39ef62f9d258e42e69a52aad9e3fe2cfd8d9424eacad64a467
MD5 fe5c7d3823cb93756aa36b37a7e3c618
BLAKE2b-256 5a2279a69f49acc565c2a84e3af052540e16fd0e1bb75364105a45b0473d871a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page