httpsig_cffi

Secure HTTP request signing using the HTTP Signature draft specification


Keywords
http, authorization, api, web
License
MIT
Install
pip install httpsig_cffi==15.0.0

Documentation

httpsig_cffi

https://travis-ci.org/hawkowl/httpsig_cffi.svg?branch=master

Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (Draft 3). This is a fork of the fork of the original module that was made to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work. This particular fork moves from PyCrypto to Cryptography, which provides PyPy support.

See the original project, original Python module, original spec, and current IETF draft for more details on the signing scheme.

Requirements

Optional:

Usage

Real documentation is forthcoming, but for now this should get you started.

For simple raw signing:

import httpsig_cffi as httpsig

secret = open('rsa_private.pem', 'rb').read()

sig_maker = httpsig.Signer(secret=secret, algorithm='rsa-sha256')
sig_maker.sign('hello world!')

For general use with web frameworks:

import httpsig_cffi as httpsig

key_id = "Some Key ID"
secret = b'some big secret'

hs = httpsig.HeaderSigner(key_id, secret, algorithm="hmac-sha256", headers=['(request-target)', 'host', 'date'])
signed_headers_dict = hs.sign({"Date": "Tue, 01 Jan 2014 01:01:01 GMT", "Host": "example.com"}, method="GET", path="/api/1/object/1")

For use with requests:

import json
import requests
from httpsig_cffi.requests_auth import HTTPSignatureAuth

secret = open('rsa_private.pem', 'rb').read()

auth = HTTPSignatureAuth(key_id='Test', secret=secret)
z = requests.get('https://api.example.com/path/to/endpoint',
                         auth=auth, headers={'X-Api-Version': '~6.5'})

Class initialization parameters

Note that keys and secrets should be bytes objects. At attempt will be made to convert them, but if that fails then exceptions will be thrown.

httpsig_cffi.Signer(secret, algorithm='rsa-sha256')

secret, in the case of an RSA signature, is a string containing private RSA pem. In the case of HMAC, it is a secret password. algorithm is one of the six allowed signatures: rsa-sha1, rsa-sha256, rsa-sha512, hmac-sha1, hmac-sha256, hmac-sha512.

httpsig_cffi.requests_auth.HTTPSignatureAuth(key_id, secret, algorithm='rsa-sha256', headers=None)

key_id is the label by which the server system knows your RSA signature or password. headers is the list of HTTP headers that are concatenated and used as signing objects. By default it is the specification's minimum, the Date HTTP header. secret and algorithm are as above.

Tests

To run tests:

tox

License

Both this module and the original module are licensed under the MIT license.