GitHub - GeekMap/httpsig at dev

httpsig


Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification, drafts 00 to 07. This is a fork of the original module that fully supports both the RSA and HMAC schemes and unit tests both schemes to prove they work. It's being used in production and is actively developed.

See the original project, original Python module, original spec, and current IETF draft for more details on the signing scheme.

Requirements

  • Python 2.7, 3.3, 3.4, 3.5, 3.6
  • PyCrypto

Optional:

Usage

Real documentation is forthcoming, but for now this should get you started.

For simple raw signing:

import httpsig

secret = open('rsa_private.pem', 'rb').read()

sig_maker = httpsig.Signer(secret=secret, algorithm='rsa-sha256')
sig_maker.sign('hello world!')

For general use with web frameworks:

import httpsig

key_id = 'some key ID'
secret = 'some big secret'

hs = httpsig.HeaderSigner(key_id, secret, algorithm='hmac-sha256', headers=['(request-target)', 'host', 'date'])
signed_headers_dict = hs.sign({'Date': 'Tue, 01 Jan 2014 01:01:01 GMT', 'Host': 'example.com'}, method='GET', path='/api/1/object/1')

For use with requests:

import json
import requests
from httpsig.requests_auth import HTTPSignatureAuth

secret = open('rsa_private.pem', 'rb').read()

auth = HTTPSignatureAuth(key_id='Test', secret=secret)
z = requests.get('https://api.example.com/path/to/endpoint',
                 auth=auth, headers={'X-Api-Version': '~6.5'})

Class initialization parameters

Note that keys and secrets should be bytes objects. An attempt will be made to convert them, but if that fails, exceptions will be thrown.

httpsig.Signer(secret, algorithm='rsa-sha256')

  • secret: in the case of an RSA signature, a string containing the private RSA key in PEM format. In the case of HMAC, a secret password.
  • algorithm: one of the six allowed hash-sign algorithm combinations: rsa-sha1, rsa-sha256, rsa-sha512, hmac-sha1, hmac-sha256, hmac-sha512.

httpsig.requests_auth.HTTPSignatureAuth(key_id, secret, algorithm='rsa-sha256', headers=None, httpsig_version=None)

  • key_id: the label by which the server system knows your RSA signature or password.
  • headers: the list of HTTP headers that are concatenated and used as signing objects. By default it is the specification's minimum, the Date HTTP header.
  • httpsig_version: the IETF draft version. By default it is draft-07; allowed values are draft-00 to draft-07.
  • secret: as above.
  • algorithm: as above.

Tests

To run tests:

python setup.py test

or:

tox

License

Both this module and the original module are licensed under the MIT license.
