Updated for Draft 3.

Author: ahknight

CHANGELOG.rst

@@ -1,6 +1,23 @@
 httpsig Changes
 ---------------
 
+1.1.0 (2014-Jul-24)
+-------------------
+
+* Changed "(request-line)" to "(request-target)" to comply with Draft 3.
+
+1.0.3 (2014-Jul-09)
+-------------------
+
+* Unified the default signing algo under one setting. Setting httpsig.sign.DEFAULT_SIGN_ALGORITHM changes it for all future instances.
+* Handle invalid params a little better.
+
+1.0.2 (2014-Jul-02)
+-------------------
+
+* Ensure we treat headers as ASCII strings.
+* Handle a case in the authorization header where there's garbage (non-keypairs) after the method name.
+
 1.0.1 (2014-Jul-02)
 ~~~~~~~~~~~~~~~~~~~
 

README.rst

@@ -7,14 +7,15 @@ httpsig
 .. image:: https://travis-ci.org/ahknight/httpsig.svg?branch=develop
     :target: https://travis-ci.org/ahknight/httpsig
 
-Sign HTTP requests with secure signatures according to the current IETF HTTP Signatures draft_ specification.  This is a fork of the original module_ to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work.  It's being used in production and is actively-developed.
+Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (`Draft 3`_).  This is a fork of the original module_ to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work.  It's being used in production and is actively-developed.
 
-See the original project_, original Python module_, original spec_, and current IETF draft_ for more details on the signing scheme.
+See the original project_, original Python module_, original spec_, and `current IETF draft`_ for more details on the signing scheme.
 
 .. _project: https://github.com/joyent/node-http-signature
 .. _module: https://github.com/zzsnzmn/py-http-signature
 .. _spec: https://github.com/joyent/node-http-signature/blob/master/http_signing.md
-.. _draft: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
+.. _`current IETF draft`: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
+.. _`Draft 3`: http://tools.ietf.org/html/draft-cavage-http-signatures-03
 
 Requirements
 ------------
@@ -54,7 +55,7 @@ For general use with web frameworks:
     key_id = "Some Key ID"
     secret = b'some big secret'
     
-    hs = httpsig.HeaderSigner(key_id, secret, algorithm="hmac-sha256", headers=['(request-line)', 'host', 'date'])
+    hs = httpsig.HeaderSigner(key_id, secret, algorithm="hmac-sha256", headers=['(request-target)', 'host', 'date'])
     signed_headers_dict = hs.sign({"Date": "Tue, 01 Jan 2014 01:01:01 GMT", "Host": "example.com"}, method="GET", path="/api/1/object/1")
 
 For use with requests:

httpsig/sign.py

@@ -92,8 +92,8 @@ def sign(self, headers, host=None, method=None, path=None):
 
         headers is a case-insensitive dict of mutable headers.
         host is a override for the 'host' header (defaults to value in headers).
-        method is the HTTP method (required when using '(request-line)').
-        path is the HTTP path (required when using '(request-line)').
+        method is the HTTP method (required when using '(request-target)').
+        path is the HTTP path (required when using '(request-target)').
         """
         headers = CaseInsensitiveDict(headers)
         required_headers = self.headers or ['date']

httpsig/tests/test_signature.py

@@ -39,7 +39,7 @@ def test_default(self):
 
     def test_all(self):
         hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
-            '(request-line)',
+            '(request-target)',
             'host',
             'date',
             'content-type',
@@ -65,5 +65,5 @@ def test_all(self):
         self.assertIn('signature', params)
         self.assertEqual(params['keyId'], 'Test')
         self.assertEqual(params['algorithm'], 'rsa-sha256')
-        self.assertEqual(params['headers'], '(request-line) host date content-type content-md5 content-length')
-        self.assertEqual(params['signature'], 'vYJio4AxbN38TKdzE1Qk/3qXhzTaBS7zUIPCqV+NsjLSf8ZK/19L9ErTz8FYBAW8Gko2dEaU70McrIO33k0PUlPsWvbGn/IhnU14rvSPF/F+AnFVFeA9ivvvyVZQYYYp17fnNfiCzHrvUn+VnqMhRKA15Nr8KKwt9Eqi36wQ8Vg=')
+        self.assertEqual(params['headers'], '(request-target) host date content-type content-md5 content-length')
+        self.assertEqual(params['signature'], 'G8/Uh6BBDaqldRi3VfFfklHSFoq8CMt5NUZiepq0q66e+fS3Up3BmXn0NbUnr3L1WgAAZGplifRAJqp2LgeZ5gXNk6UX9zV3hw5BERLWscWXlwX/dvHQES27lGRCvyFv3djHP6Plfd5mhPWRkmjnvqeOOSS0lZJYFYHJz994s6w=')

httpsig/tests/test_verify.py

@@ -60,7 +60,7 @@ def test_signed_headers(self):
         METHOD = "POST"
         PATH = '/foo?param=value&pet=dog'
         hs = HeaderSigner(key_id="Test", secret=self.sign_secret, algorithm=self.algorithm, headers=[
-            '(request-line)',
+            '(request-target)',
             'host',
             'date',
             'content-type',
@@ -87,7 +87,7 @@ def test_incorrect_headers(self):
                           key_id="Test",
                           algorithm=self.algorithm,
                           headers=[
-                            '(request-line)',
+                            '(request-target)',
                             'host',
                             'date',
                             'content-type',
@@ -111,7 +111,7 @@ def test_extra_auth_headers(self):
         METHOD = "POST"
         PATH = '/foo?param=value&pet=dog'
         hs = HeaderSigner(key_id="Test", secret=self.sign_secret, algorithm=self.algorithm, headers=[
-            '(request-line)',
+            '(request-target)',
             'host',
             'date',
             'content-type',
@@ -126,7 +126,7 @@ def test_extra_auth_headers(self):
             'Content-Length': '18',
         }
         signed = hs.sign(unsigned, method=METHOD, path=PATH)
-        hv = HeaderVerifier(headers=signed, secret=self.verify_secret, method=METHOD, path=PATH, required_headers=['date', '(request-line)'])
+        hv = HeaderVerifier(headers=signed, secret=self.verify_secret, method=METHOD, path=PATH, required_headers=['date', '(request-target)'])
         self.assertTrue(hv.verify())
 
 

httpsig/utils.py

@@ -32,9 +32,9 @@ def generate_message(required_headers, headers, host=None, method=None, path=Non
     signable_list = []
     for h in required_headers:
         h = h.lower()
-        if h == '(request-line)':
+        if h == '(request-target)':
             if not method or not path:
-                raise Exception('method and path arguments required when using "(request-line)"')
+                raise Exception('method and path arguments required when using "(request-target)"')
             signable_list.append('%s: %s %s' % (h, method.lower(), path))
 
         elif h == 'host':

httpsig/verify.py

@@ -53,8 +53,8 @@ def __init__(self, headers, secret, required_headers=None, method=None, path=Non
         :param headers:             A dictionary of headers from the HTTP request.
         :param secret:              The HMAC secret or RSA *public* key.
         :param required_headers:    Optional. A list of headers required to be present to validate, even if the signature is otherwise valid.  Defaults to ['date'].
-        :param method:              Optional. The HTTP method used in the request (eg. "GET"). Required for the '(request-line)' header.
-        :param path:                Optional. The HTTP path requested, exactly as sent (including query arguments and fragments). Required for the '(request-line)' header.
+        :param method:              Optional. The HTTP method used in the request (eg. "GET"). Required for the '(request-target)' header.
+        :param path:                Optional. The HTTP path requested, exactly as sent (including query arguments and fragments). Required for the '(request-target)' header.
         :param host:                Optional. The value to use for the Host header, if not supplied in :param:headers.
         """
         required_headers = required_headers or ['date']