Skip to main content

DPoP signer/verifier for Swarmauri

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_signing_dpop Discord

Swarmauri Signing DPoP

DPoP proof signer/verifier implementing RFC 9449 for proof-of-possession over HTTP requests.

Features:

  • Creates and validates dpop+jwt proofs with embedded public JWK thumbprints.
  • Supports ES256, RS256, and EdDSA algorithms through the SigningBase interface.
  • Optional access-token hash binding (ath), nonce enforcement, and replay-protection hooks.

Installation

The package is published on PyPI together with the dependencies required to sign and verify DPoP proofs.

pip

pip install swarmauri_signing_dpop

uv

uv add swarmauri_signing_dpop

Poetry

poetry add swarmauri_signing_dpop

Usage

DpopSigner implements the asynchronous SigningBase / ISigning interface. Signing requires the HTTP method and URL (opts['htm'] and opts['htu']), and verification requires the same data passed via require.

Signing and verifying a request

import asyncio

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

from swarmauri_signing_dpop import DpopSigner


async def main() -> None:
    signer = DpopSigner()

    private_key = ed25519.Ed25519PrivateKey.generate()
    priv_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )
    key = {"kind": "pem", "priv": priv_pem, "alg": "EdDSA"}

    signatures = await signer.sign_bytes(
        key,
        b"",
        opts={"htm": "GET", "htu": "https://api.example/x"},
    )

    is_valid = await signer.verify_bytes(
        b"",
        signatures,
        require={"htm": "GET", "htu": "https://api.example/x"},
    )
    assert is_valid
    print("DPoP proof valid:", is_valid)


asyncio.run(main())

Signature format

sign_bytes and sign_envelope return a sequence with a single detached signature entry:

{
    "alg": "EdDSA",            # JWS algorithm used
    "format": "dpop+jwt",      # proof media type
    "sig": "<compact JWT>",    # DPoP proof token containing the claims
    "jkt": "<thumbprint>",     # SHA-256 JWK thumbprint for cnf.jkt binding
}

Use the jkt helper when comparing against cnf.jkt values embedded in access tokens.

Key references

Keys are provided using the KeyRef mapping expected by other Swarmauri signing packages:

  • { "kind": "pem", "priv": <PEM bytes|str> } ? RSA/EC keys and Ed25519 PKCS8 PEM.
  • { "kind": "jwk", "priv": <private JWK dict> } ? accepts EC, RSA, or OKP keys with private fields.

For Ed25519 material, both formats are supported; the signer derives and embeds the public JWK automatically.

Options reference

  • opts['htm'] / opts['htu']: HTTP method and URL that will be bound in the proof (required for signing).
  • opts['nonce']: Optional server-issued DPoP-Nonce to include in the proof.
  • opts['access_token']: Optional access token to derive the ath confirmation hash.
  • require['htm'] / require['htu']: Expected method and URL (required for verification).
  • require['max_skew_s']: IAT skew tolerance (defaults to 300 seconds).
  • require['algs']: Allowed signing algorithms. Defaults to all supported values.
  • require['nonce']: Expected nonce when enforcing a server challenge.
  • require['access_token']: Expected bearer token when validating ath.
  • require['replay']: Mapping with seen(jti) -> bool and mark(jti, ttl_s) callables for replay prevention.

sign_envelope and verify_envelope reuse the same logic after canonicalizing the envelope to bytes (raw or json). Payload bytes are otherwise unused because the DPoP proof binds request metadata instead of message content.

Entry Point

The signer registers under the swarmauri.signings entry point as DpopSigner.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_signing_dpop-0.11.0.dev1.tar.gz (11.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

swarmauri_signing_dpop-0.11.0.dev1-py3-none-any.whl (13.5 kB view details)

Uploaded Python 3

File details

Details for the file swarmauri_signing_dpop-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_signing_dpop-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 11.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_signing_dpop-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 3af51cf1bd34adbaaa596016f6cb727774e076f063e5e61633e0f4da8b883740
MD5 9da75b3deeb718aa474dcc12bcd9970e
BLAKE2b-256 516b28cae9c2c4445adf9d3b545578dd4f976a751dc354670300f5dc9d121613

See more details on using hashes here.

File details

Details for the file swarmauri_signing_dpop-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_signing_dpop-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 13.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_signing_dpop-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 5e0c798a1d61401ca0e2cc7771fdfe02b8e1c6d1795b055b53c3675ee5e97aa6
MD5 0e4f57e60ec0abb72747d0a3174920a6
BLAKE2b-256 28e861dd5028df6bad353d9391765e42302c12493e70c1c7e7dcfaf5a645d639

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page