httpsig
=======
.. image:: https://travis-ci.org/ahknight/httpsig.svg?branch=master
:target: https://travis-ci.org/ahknight/httpsig
.. image:: https://travis-ci.org/ahknight/httpsig.svg?branch=develop
:target: https://travis-ci.org/ahknight/httpsig
Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (`Draft 8`_). This is a fork of the original module_ to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work. It's being used in production and is actively-developed.
See the original project_, original Python module_, original spec_, and `current IETF draft`_ for more details on the signing scheme.
.. _project: https://github.com/joyent/node-http-signature
.. _module: https://github.com/zzsnzmn/py-http-signature
.. _spec: https://github.com/joyent/node-http-signature/blob/master/http_signing.md
.. _`current IETF draft`: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
.. _`Draft 8`: http://tools.ietf.org/html/draft-cavage-http-signatures-08
Requirements
------------
* Python 2.7, 3.4-3.7
* PyCryptodome_
Optional:
* requests_
.. _PyCryptodome: https://pypi.python.org/pypi/pycryptodome
.. _requests: https://pypi.python.org/pypi/requests
For testing:
* tox
* pyenv (optional, handy way to access multiple versions)
$ for VERS in 2.7.15 3.4.9 3.5.6 3.6.7 3.7.1; do pyenv install -s $VERS; done
Usage
-----
Real documentation is forthcoming, but for now this should get you started.
For simple raw signing:
.. code:: python
import httpsig
secret = open('rsa_private.pem', 'rb').read()
sig_maker = httpsig.Signer(secret=secret, algorithm='rsa-sha256')
sig_maker.sign('hello world!')
For general use with web frameworks:
.. code:: python
import httpsig
key_id = "Some Key ID"
secret = b'some big secret'
hs = httpsig.HeaderSigner(key_id, secret, algorithm="hmac-sha256", headers=['(request-target)', 'host', 'date'])
signed_headers_dict = hs.sign({"Date": "Tue, 01 Jan 2014 01:01:01 GMT", "Host": "example.com"}, method="GET", path="/api/1/object/1")
For use with requests:
.. code:: python
import json
import requests
from httpsig.requests_auth import HTTPSignatureAuth
secret = open('rsa_private.pem', 'rb').read()
auth = HTTPSignatureAuth(key_id='Test', secret=secret)
z = requests.get('https://api.example.com/path/to/endpoint',
auth=auth, headers={'X-Api-Version': '~6.5'})
Class initialization parameters
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note that keys and secrets should be bytes objects. At attempt will be made to convert them, but if that fails then exceptions will be thrown.
.. code:: python
httpsig.Signer(secret, algorithm='rsa-sha256')
``secret``, in the case of an RSA signature, is a string containing private RSA pem. In the case of HMAC, it is a secret password.
``algorithm`` is one of the six allowed signatures: ``rsa-sha1``, ``rsa-sha256``, ``rsa-sha512``, ``hmac-sha1``, ``hmac-sha256``,
``hmac-sha512``.
.. code:: python
httpsig.requests_auth.HTTPSignatureAuth(key_id, secret, algorithm='rsa-sha256', headers=None)
``key_id`` is the label by which the server system knows your RSA signature or password.
``headers`` is the list of HTTP headers that are concatenated and used as signing objects. By default it is the specification's minimum, the ``Date`` HTTP header.
``secret`` and ``algorithm`` are as above.
Tests
-----
To run tests::
python setup.py test
or::
tox
Known Limitations
-----------------
1. Multiple values for the same header are not supported. New headers with the same name will overwrite the previous header. It might be possible to replace the CaseInsensitiveDict with the collection that the email package uses for headers to overcome this limitation.
2. Keyfiles with passwords are not supported. There has been zero vocal demand for this so if you would like it, a PR would be a good way to get it in.
3. Draft 2 added support for ecdsa-sha256. This is available in PyCryptodome but has not been added to httpsig. PRs welcome.
License
-------
Both this module and the original module_ are licensed under the MIT license.
httpsig Changes
---------------
1.3.0 (2019-Nov-28)
-------------------
* Relax pycryptodome requirements (PR#14 by cveilleux)
* Ability to supply another signature header like Signature (PR#15 by rbignon)
* Fixed #2; made Signer.sign() public
* Dropped Python 3.3, added Python 3.7.
1.2.0 (2018-Mar-28)
-------------------
* Switched to pycryptodome instead of PyCrypto (PR#11 by iandouglas)
* Updated tests with the test data from Draft 8 and verified it still passes.
* Dropped official Python 3.2 support (pip dropped it so it can't be properly tested)
* Cleaned up the code to be more PEP8-like.
1.1.2 (2015-Feb-11)
-------------------
* HMAC verification is now constant-time.
1.1.1 (2015-Feb-11)
-------------------
* (pulled)
1.1.0 (2014-Jul-24)
-------------------
* Changed "(request-line)" to "(request-target)" to comply with Draft 3.
1.0.3 (2014-Jul-09)
-------------------
* Unified the default signing algo under one setting. Setting httpsig.sign.DEFAULT_SIGN_ALGORITHM changes it for all future instances.
* Handle invalid params a little better.
1.0.2 (2014-Jul-02)
-------------------
* Ensure we treat headers as ASCII strings.
* Handle a case in the authorization header where there's garbage (non-keypairs) after the method name.
1.0.1 (2014-Jul-02)
~~~~~~~~~~~~~~~~~~~
* Python 3 support (2.7 + 3.2-3.4)
* Updated tox and Travis CI configs to test the supported Python versions.
* Updated README.
1.0.0 (2014-Jul-01)
~~~~~~~~~~~~~~~~~~~
* Written against http://tools.ietf.org/html/draft-cavage-http-signatures-02
* Added "setup.py test" and tox support.
* Added sign/verify unit tests for all currently-supported algorithms.
* HeaderSigner and HeaderVerifier now share the same message-building logic.
* The HTTP method in the message is now properly lower-case.
* Resolved unit test failures.
* Updated Verifier and HeaderVerifier to handle verifying both RSA and HMAC sigs.
* Updated versioneer.
* Updated contact/author info.
* Removed stray keypair in test dir.
* Removed SSH agent support.
* Removed suport for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.
1.0b1 (2014-Jun-23)
~~~~~~~~~~~~~~~~~~~~~~
* Removed HTTP version from request-line, per spec (breaks backwards compatability).
* Removed auto-generation of missing Date header (ensures client compatability).
http-signature (previous)
-------------------------
0.2.0 (unreleased)
~~~~~~~~~~~~~~~~~~
* Update to newer spec (incompatible with prior version).
* Handle `request-line` meta-header.
* Allow secret to be a PEM encoded string.
* Add test cases from spec.
0.1.4 (2012-10-03)
~~~~~~~~~~~~~~~~~~
* Account for ssh now being re-merged into paramiko: either package is acceptable (but paramiko should ideally be >= 1.8.0)
0.1.3 (2012-10-02)
~~~~~~~~~~~~~~~~~~
* Stop enabling `allow_agent` by default
* Stop requiring `ssh` package by default -- it is imported only when `allow_agent=True`
* Changed logic around ssh-agent: if one key is available, don't bother with any other authentication method
* Changed logic around key file usage: if decryption fails, prompt for password
* Bug fix: ssh-agent resulted in a nonsensical error if it found no correct keys (thanks, petervolpe)
* Introduce versioneer.py
Raw data
{
"_id": null,
"home_page": "https://github.com/ahknight/httpsig",
"name": "httpsig",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "http,authorization,api,web",
"author": "Adam Knight",
"author_email": "adam@movq.us",
"download_url": "https://files.pythonhosted.org/packages/b8/e4/78a5e0c8f2a47efb7083f393655730031e711051119ccb6501396a9d50b5/httpsig-1.3.0.tar.gz",
"platform": "",
"description": "httpsig\n=======\n\n.. image:: https://travis-ci.org/ahknight/httpsig.svg?branch=master\n :target: https://travis-ci.org/ahknight/httpsig\n\n.. image:: https://travis-ci.org/ahknight/httpsig.svg?branch=develop\n :target: https://travis-ci.org/ahknight/httpsig\n\nSign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (`Draft 8`_). This is a fork of the original module_ to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work. It's being used in production and is actively-developed.\n\nSee the original project_, original Python module_, original spec_, and `current IETF draft`_ for more details on the signing scheme.\n\n.. _project: https://github.com/joyent/node-http-signature\n.. _module: https://github.com/zzsnzmn/py-http-signature\n.. _spec: https://github.com/joyent/node-http-signature/blob/master/http_signing.md\n.. _`current IETF draft`: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/\n.. _`Draft 8`: http://tools.ietf.org/html/draft-cavage-http-signatures-08\n\nRequirements\n------------\n\n* Python 2.7, 3.4-3.7\n* PyCryptodome_\n\nOptional:\n\n* requests_\n\n.. _PyCryptodome: https://pypi.python.org/pypi/pycryptodome\n.. _requests: https://pypi.python.org/pypi/requests\n\nFor testing:\n\n* tox\n* pyenv (optional, handy way to access multiple versions)\n $ for VERS in 2.7.15 3.4.9 3.5.6 3.6.7 3.7.1; do pyenv install -s $VERS; done\n\nUsage\n-----\n\nReal documentation is forthcoming, but for now this should get you started.\n\nFor simple raw signing:\n\n.. code:: python\n\n import httpsig\n\n secret = open('rsa_private.pem', 'rb').read()\n\n sig_maker = httpsig.Signer(secret=secret, algorithm='rsa-sha256')\n sig_maker.sign('hello world!')\n\nFor general use with web frameworks:\n\n.. code:: python\n\n import httpsig\n\n key_id = \"Some Key ID\"\n secret = b'some big secret'\n\n hs = httpsig.HeaderSigner(key_id, secret, algorithm=\"hmac-sha256\", headers=['(request-target)', 'host', 'date'])\n signed_headers_dict = hs.sign({\"Date\": \"Tue, 01 Jan 2014 01:01:01 GMT\", \"Host\": \"example.com\"}, method=\"GET\", path=\"/api/1/object/1\")\n\nFor use with requests:\n\n.. code:: python\n\n import json\n import requests\n from httpsig.requests_auth import HTTPSignatureAuth\n\n secret = open('rsa_private.pem', 'rb').read()\n\n auth = HTTPSignatureAuth(key_id='Test', secret=secret)\n z = requests.get('https://api.example.com/path/to/endpoint', \n auth=auth, headers={'X-Api-Version': '~6.5'})\n\nClass initialization parameters\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nNote that keys and secrets should be bytes objects. At attempt will be made to convert them, but if that fails then exceptions will be thrown.\n\n.. code:: python\n\n httpsig.Signer(secret, algorithm='rsa-sha256')\n\n``secret``, in the case of an RSA signature, is a string containing private RSA pem. In the case of HMAC, it is a secret password. \n``algorithm`` is one of the six allowed signatures: ``rsa-sha1``, ``rsa-sha256``, ``rsa-sha512``, ``hmac-sha1``, ``hmac-sha256``, \n``hmac-sha512``.\n\n\n.. code:: python\n\n httpsig.requests_auth.HTTPSignatureAuth(key_id, secret, algorithm='rsa-sha256', headers=None)\n\n``key_id`` is the label by which the server system knows your RSA signature or password. \n``headers`` is the list of HTTP headers that are concatenated and used as signing objects. By default it is the specification's minimum, the ``Date`` HTTP header. \n``secret`` and ``algorithm`` are as above.\n\nTests\n-----\n\nTo run tests::\n\n python setup.py test\n\nor::\n\n tox\n\nKnown Limitations\n-----------------\n\n1. Multiple values for the same header are not supported. New headers with the same name will overwrite the previous header. It might be possible to replace the CaseInsensitiveDict with the collection that the email package uses for headers to overcome this limitation.\n2. Keyfiles with passwords are not supported. There has been zero vocal demand for this so if you would like it, a PR would be a good way to get it in.\n3. Draft 2 added support for ecdsa-sha256. This is available in PyCryptodome but has not been added to httpsig. PRs welcome.\n\n\nLicense\n-------\n\nBoth this module and the original module_ are licensed under the MIT license.\n\n\nhttpsig Changes\n---------------\n\n1.3.0 (2019-Nov-28)\n-------------------\n\n* Relax pycryptodome requirements (PR#14 by cveilleux)\n* Ability to supply another signature header like Signature (PR#15 by rbignon)\n* Fixed #2; made Signer.sign() public\n* Dropped Python 3.3, added Python 3.7.\n\n1.2.0 (2018-Mar-28)\n-------------------\n\n* Switched to pycryptodome instead of PyCrypto (PR#11 by iandouglas)\n* Updated tests with the test data from Draft 8 and verified it still passes.\n* Dropped official Python 3.2 support (pip dropped it so it can't be properly tested)\n* Cleaned up the code to be more PEP8-like.\n\n1.1.2 (2015-Feb-11)\n-------------------\n\n* HMAC verification is now constant-time.\n\n1.1.1 (2015-Feb-11)\n-------------------\n\n* (pulled)\n\n1.1.0 (2014-Jul-24)\n-------------------\n\n* Changed \"(request-line)\" to \"(request-target)\" to comply with Draft 3.\n\n1.0.3 (2014-Jul-09)\n-------------------\n\n* Unified the default signing algo under one setting. Setting httpsig.sign.DEFAULT_SIGN_ALGORITHM changes it for all future instances.\n* Handle invalid params a little better.\n\n1.0.2 (2014-Jul-02)\n-------------------\n\n* Ensure we treat headers as ASCII strings.\n* Handle a case in the authorization header where there's garbage (non-keypairs) after the method name.\n\n1.0.1 (2014-Jul-02)\n~~~~~~~~~~~~~~~~~~~\n\n* Python 3 support (2.7 + 3.2-3.4)\n* Updated tox and Travis CI configs to test the supported Python versions.\n* Updated README.\n\n1.0.0 (2014-Jul-01)\n~~~~~~~~~~~~~~~~~~~\n* Written against http://tools.ietf.org/html/draft-cavage-http-signatures-02\n* Added \"setup.py test\" and tox support.\n* Added sign/verify unit tests for all currently-supported algorithms.\n* HeaderSigner and HeaderVerifier now share the same message-building logic.\n* The HTTP method in the message is now properly lower-case.\n* Resolved unit test failures.\n* Updated Verifier and HeaderVerifier to handle verifying both RSA and HMAC sigs.\n* Updated versioneer.\n* Updated contact/author info.\n* Removed stray keypair in test dir.\n* Removed SSH agent support.\n* Removed suport for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.\n\n1.0b1 (2014-Jun-23)\n~~~~~~~~~~~~~~~~~~~~~~\n* Removed HTTP version from request-line, per spec (breaks backwards compatability).\n* Removed auto-generation of missing Date header (ensures client compatability).\n\n\nhttp-signature (previous)\n-------------------------\n\n0.2.0 (unreleased)\n~~~~~~~~~~~~~~~~~~\n\n* Update to newer spec (incompatible with prior version).\n* Handle `request-line` meta-header.\n* Allow secret to be a PEM encoded string.\n* Add test cases from spec.\n\n0.1.4 (2012-10-03)\n~~~~~~~~~~~~~~~~~~\n\n* Account for ssh now being re-merged into paramiko: either package is acceptable (but paramiko should ideally be >= 1.8.0)\n\n0.1.3 (2012-10-02)\n~~~~~~~~~~~~~~~~~~\n\n* Stop enabling `allow_agent` by default\n* Stop requiring `ssh` package by default -- it is imported only when `allow_agent=True`\n* Changed logic around ssh-agent: if one key is available, don't bother with any other authentication method\n* Changed logic around key file usage: if decryption fails, prompt for password\n* Bug fix: ssh-agent resulted in a nonsensical error if it found no correct keys (thanks, petervolpe)\n* Introduce versioneer.py\n\n\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Secure HTTP request signing using the HTTP Signature draft specification",
"version": "1.3.0",
"split_keywords": [
"http",
"authorization",
"api",
"web"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "16934ac4548fccfc3d530ac9dcd2c5cfec087b41004a16b85c33e670b786a565",
"md5": "6943ea244d63ae2acad3f62ac326f492",
"sha256": "ce3ebd489a9b3325810adf0f4992718a3c931d026fe04cafc1177c24be1ec4d3"
},
"downloads": -1,
"filename": "httpsig-1.3.0-py2.py3-none-any.whl",
"has_sig": false,
"md5_digest": "6943ea244d63ae2acad3f62ac326f492",
"packagetype": "bdist_wheel",
"python_version": "py2.py3",
"requires_python": null,
"size": 17363,
"upload_time": "2018-11-28T21:17:14",
"upload_time_iso_8601": "2018-11-28T21:17:14.342956Z",
"url": "https://files.pythonhosted.org/packages/16/93/4ac4548fccfc3d530ac9dcd2c5cfec087b41004a16b85c33e670b786a565/httpsig-1.3.0-py2.py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "b8e478a5e0c8f2a47efb7083f393655730031e711051119ccb6501396a9d50b5",
"md5": "eb5ec4c73fd84ae0a1374034d51d3256",
"sha256": "71d6d50246129c4f7cfec20f5e57e351d2b8492d631cc2aa967914acf91f6ce6"
},
"downloads": -1,
"filename": "httpsig-1.3.0.tar.gz",
"has_sig": false,
"md5_digest": "eb5ec4c73fd84ae0a1374034d51d3256",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 17856,
"upload_time": "2018-11-28T21:17:17",
"upload_time_iso_8601": "2018-11-28T21:17:17.836264Z",
"url": "https://files.pythonhosted.org/packages/b8/e4/78a5e0c8f2a47efb7083f393655730031e711051119ccb6501396a9d50b5/httpsig-1.3.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2018-11-28 21:17:17",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "ahknight",
"github_project": "httpsig",
"travis_ci": true,
"coveralls": false,
"github_actions": false,
"requirements": [
{
"name": "pycryptodome",
"specs": [
[
"==",
"3.6.1"
]
]
},
{
"name": "six",
"specs": []
}
],
"tox": true,
"lcname": "httpsig"
}