A Requests auth module for HTTP Message Signatures
Project description
requests-http-signature is a Requests authentication plugin (requests.auth.AuthBase subclass) implementing the IETF HTTP Message Signatures draft standard.
Installation
$ pip install requests-http-signature
Usage
import requests
from requests_http_signature import HTTPSignatureAuth, algorithms
preshared_key_id = 'squirrel'
preshared_secret = b'monorail_cat'
url = 'https://example.com/'
auth = HTTPSignatureAuth(key=preshared_secret,
key_id=preshared_key_id,
signature_algorithm=algorithms.HMAC_SHA256)
requests.get(url, auth=auth)By default, only the Date header and the @method, @authority, and @target-uri derived component identifiers are signed for body-less requests such as GET. The Date header is set if it is absent. In addition, the Authorization header is signed if it is present, and for requests with bodies (such as POST), the Content-Digest header is set to the SHA256 of the request body using the format described in the IETF Digest Fields draft and signed. To add other headers to the signature, pass an array of header names in the covered_component_ids keyword argument. See the API documentation for the full list of options and details.
Verifying responses
The class method HTTPSignatureAuth.verify() can be used to verify responses received back from the server:
class MyKeyResolver:
def resolve_public_key(self, key_id):
assert key_id == 'squirrel'
return 'monorail_cat'
response = requests.get(url, auth=auth)
verify_result = HTTPSignatureAuth.verify(response,
signature_algorithm=algorithms.HMAC_SHA256,
key_resolver=MyKeyResolver())More generally, you can reconstruct an arbitrary request using the Requests API and pass it to verify():
request = requests.Request(...) # Reconstruct the incoming request using the Requests API
prepared_request = request.prepare() # Generate a PreparedRequest
HTTPSignatureAuth.verify(prepared_request, ...)To verify incoming requests and sign responses in the context of an HTTP server, see the flask-http-signature and http-message-signatures packages.
See the API documentation for full details.
Asymmetric key algorithms
To sign or verify messages with an asymmetric key algorithm, set the signature_algorithm keyword argument to algorithms.ED25519, algorithms.ECDSA_P256_SHA256, algorithms.RSA_V1_5_SHA256, or algorithms.RSA_PSS_SHA512. Note that signing with rsa-pss-sha512 is not currently supported due to a limitation of the cryptography library.
For asymmetric key algorithms, you can supply the private key as the key parameter to the HTTPSignatureAuth() constructor as bytes in the PEM format, or configure the key resolver as follows:
with open('key.pem', 'rb') as fh:
auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256,
key=fh.read(),
key_id=preshared_key_id)
requests.get(url, auth=auth)
class MyKeyResolver:
def resolve_public_key(self, key_id: str):
return public_key_pem_bytes[key_id]
def resolve_private_key(self, key_id: str):
return private_key_pem_bytes[key_id]
auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256,
key=fh.read(),
key_resolver=MyKeyResolver())
requests.get(url, auth=auth)Digest algorithms
To generate a Content-Digest header using SHA-512 instead of the default SHA-256, subclass HTTPSignatureAuth as follows:
class MySigner(HTTPSignatureAuth):
signing_content_digest_algorithm = "sha-512"
Links
http-message-signatures - a dependency of this library that handles much of the implementation
Bugs
Please report bugs, issues, feature requests, etc. on GitHub.
License
Licensed under the terms of the Apache License, Version 2.0.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for requests-http-signature-0.7.1.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ebc5b2fbb95d4519385afd385b31a34e9bdff20fd0b3f36e8ce42945b8340997 |
|
| MD5 | 9b26352f545f64ad146877b68e81bda9 |
|
| BLAKE2b-256 | d1313e2a9e47c81636a9206e7de02b5f65c46cc9297dd4d1d02b87727ff3d232 |
Hashes for requests_http_signature-0.7.1-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 5770fa5c6cd9dd700bc2aa92d3d1dd8e26b9a7c083585d2db0c8bf9ec482c906 |
|
| MD5 | 11a385a9de30febba52e6d4a1b15d487 |
|
| BLAKE2b-256 | bb82b12255a9e7af3aa9ca387ea74c4069074b1470592d90359ed88f635be804 |
