http-message-signatures 0.4.4__tar.gz → 0.6.1__tar.gz

http_message_signatures-0.6.1/.github/workflows/ci.yml

@@ -0,0 +1,38 @@
+name: Test
+
+on: [push, pull_request]
+
+jobs:
+  CI:
+    name: Python ${{ matrix.python-version }}
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      max-parallel: 8
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install build dependencies
+        run: pip install build wheel
+      - name: Install package
+        run: pip install .[tests]
+      - name: Test
+        run: make test
+  isort:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: isort/isort-action@v1.1.0
+  ruff:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/ruff-action@v3
+      - uses: astral-sh/ruff-action@v3
+        with:
+          args: "format --check"

http_message_signatures-0.6.1/.github/workflows/release.yml

@@ -0,0 +1,21 @@
+name: Publish release to PyPI
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  pypi-publish:
+    name: Build and upload release to PyPI
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+      - run: pip install build
+      - run: python -m build
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/.gitignore

@@ -10,7 +10,7 @@ __pycache__/
 /build/
 /dist/
 /.eggs/
-/yq/version.py
+/*/version.py
 
 # IDE project files
 /.pydevproject

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/Changes.rst

@@ -1,3 +1,21 @@
+Changes for v0.6.1 (2025-05-29)
+===============================
+
+- Switch to trusted publishing
+
+Changes for v0.6.0 (2025-05-29)
+===============================
+
+- [http-message-signatures-add] Add support for ‘tag’ signature
+  parameter (#17)
+
+Changes for v0.5.0 (2024-02-21)
+===============================
+
+-  Add max_clock_skew to HTTPMessageVerifier (#11)
+
+-  Documentation and test infrastructure improvements
+
 Changes for v0.4.4 (2022-08-31)
 ===============================
 

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/LICENSE

@@ -165,27 +165,3 @@ incurred by, or claims asserted against, such Contributor by reason of your
 accepting any such warranty or additional liability.
 
 END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work
-
-To apply the Apache License to your work, attach the following boilerplate
-notice, with the fields enclosed by brackets "[]" replaced with your own
-identifying information. (Don't include the brackets!) The text should be
-enclosed in the appropriate comment syntax for the file format. We also
-recommend that a file or class name and description of purpose be included on
-the same "printed page" as the copyright notice for easier identification within
-third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/Makefile

@@ -1,7 +1,7 @@
 SHELL=/bin/bash
 
 lint:
-	flake8
+	ruff check http_message_signatures
 	mypy --check-untyped-defs http_message_signatures
 
 test: lint

http_message_signatures-0.6.1/NOTICE

@@ -0,0 +1,10 @@
+http-message-signatures is a free open source implementation of the
+IETF HTTP Message Signatures standard, RFC 9421.  This project is
+staffed by volunteers. If you are using http-message-signatures in a
+for-profit project, please contribute to its development and
+maintenance using the "Sponsor" button on the GitHub project page,
+https://github.com/pyauth/http-message-signatures. If you are looking
+for support with commercial applications based on
+http-message-signatures, please donate and contact its developers
+using the issue tracker on the http-message-signatures project page or
+the contact information listed in README.rst.

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/PKG-INFO

@@ -1,31 +1,45 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: http-message-signatures
-Version: 0.4.4
+Version: 0.6.1
 Summary: An implementation of the IETF HTTP Message Signatures draft standard
-Home-page: https://github.com/pyauth/http-message-signatures
+Project-URL: Homepage, https://github.com/pyauth/http-message-signatures
 Author: Andrey Kislyuk
 Author-email: kislyuk@gmail.com
+Maintainer: Andrey Kislyuk
+Maintainer-email: kislyuk@gmail.com
 License: Apache Software License
-Platform: MacOS X
-Platform: Posix
+License-File: LICENSE
+License-File: NOTICE
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: Apache Software License
 Classifier: Operating System :: MacOS :: MacOS X
 Classifier: Operating System :: POSIX
 Classifier: Programming Language :: Python
-Classifier: Programming Language :: Python :: 3.7
 Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.8
+Requires-Dist: cryptography>=36.0.2
+Requires-Dist: http-sfv>=0.9.3
 Provides-Extra: tests
-License-File: LICENSE
-
-http-message-signatures: An implementation of the IETF HTTP Message Signatures draft standard
-=============================================================================================
+Requires-Dist: build; extra == 'tests'
+Requires-Dist: coverage; extra == 'tests'
+Requires-Dist: flake8; extra == 'tests'
+Requires-Dist: mypy; extra == 'tests'
+Requires-Dist: requests; extra == 'tests'
+Requires-Dist: ruff; extra == 'tests'
+Requires-Dist: wheel; extra == 'tests'
+Description-Content-Type: text/x-rst
+
+http-message-signatures: An implementation of RFC 9421, the IETF HTTP Message Signatures standard
+=================================================================================================
 
 *http-message-signatures* is an implementation of the IETF
-`HTTP Message Signatures <https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures>`_ draft standard in
+`RFC 9421 HTTP Message Signatures <https://datatracker.ietf.org/doc/rfc9421/>`_ standard in
 Python.
 
 Installation
@@ -76,9 +90,9 @@ builds upon this package to provide integrated signing and validation of the req
  In http-message-signatures, you can ensure that the information signed is what you expect to be signed by only trusting the
  data returned by the ``verify()`` method::
 
-   verify_result = verifier.verify(request)
+   verify_results = verifier.verify(request)
 
- This returns VerifyResult, a namedtuple with the following attributes:
+ This returns a list of ``VerifyResult`` s, which are ``namedtuple`` s with the following attributes:
 
  * label (str): The label for the signature
  * algorithm: (same as signature_algorithm above)
@@ -87,9 +101,17 @@ builds upon this package to provide integrated signing and validation of the req
  * body: Always ``None`` (the `requests-http-signature <https://github.com/pyauth/requests-http-signature>`_ package
    implements returning the body upon successful digest validation).
 
+Given an HTTP request can potentially have multiple signatures the ``verify()`` method returns a list of ``VerifyResult`` s.
+However, the implementation currently supports just one signature, so the returned list currently contains just one element.
+If more signatures are found in the request then ``InvalidSignature`` is raised.
+
+Additionally, the ``verify()`` method raises ``HTTPMessageSignaturesException`` or an exception derived from this class in
+case an error occurs (unable to load PEM key, unsupported algorithm specified in signature input, signature doesn't match
+digest etc.)
+
 Authors
 -------
-* Andrey Kislyuk
+* `Andrey Kislyuk <https://kislyuk.com>`
 
 Links
 -----
@@ -97,7 +119,7 @@ Links
 * `Documentation <https://FIXME>`_
 * `Package distribution (PyPI) <https://pypi.python.org/pypi/http-message-signatures>`_
 * `Change log <https://github.com/pyauth/http-message-signatures/blob/master/Changes.rst>`_
-* `IETF HTTP Message Signatures standard tracker <https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/>`_
+* `IETF HTTP Message Signatures standard tracker <https://datatracker.ietf.org/doc/rfc9421/>`_
 * `OWASP Top Ten <https://owasp.org/www-project-top-ten/>`_
 
 Bugs
@@ -106,4 +128,7 @@ Please report bugs, issues, feature requests, etc. on `GitHub <https://github.co
 
 License
 -------
-Licensed under the terms of the `Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_.
+Copyright 2017-2024, Andrey Kislyuk and http-message-signatures contributors. Licensed under the terms of the
+`Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_. Distribution of attribution information,
+LICENSE and NOTICE files with source copies of this package and derivative works is **REQUIRED** as specified by the
+Apache License.

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/README.rst

@@ -1,8 +1,8 @@
-http-message-signatures: An implementation of the IETF HTTP Message Signatures draft standard
-=============================================================================================
+http-message-signatures: An implementation of RFC 9421, the IETF HTTP Message Signatures standard
+=================================================================================================
 
 *http-message-signatures* is an implementation of the IETF
-`HTTP Message Signatures <https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures>`_ draft standard in
+`RFC 9421 HTTP Message Signatures <https://datatracker.ietf.org/doc/rfc9421/>`_ standard in
 Python.
 
 Installation
@@ -53,9 +53,9 @@ builds upon this package to provide integrated signing and validation of the req
  In http-message-signatures, you can ensure that the information signed is what you expect to be signed by only trusting the
  data returned by the ``verify()`` method::
 
-   verify_result = verifier.verify(request)
+   verify_results = verifier.verify(request)
 
- This returns VerifyResult, a namedtuple with the following attributes:
+ This returns a list of ``VerifyResult`` s, which are ``namedtuple`` s with the following attributes:
 
  * label (str): The label for the signature
  * algorithm: (same as signature_algorithm above)
@@ -64,9 +64,17 @@ builds upon this package to provide integrated signing and validation of the req
  * body: Always ``None`` (the `requests-http-signature <https://github.com/pyauth/requests-http-signature>`_ package
    implements returning the body upon successful digest validation).
 
+Given an HTTP request can potentially have multiple signatures the ``verify()`` method returns a list of ``VerifyResult`` s.
+However, the implementation currently supports just one signature, so the returned list currently contains just one element.
+If more signatures are found in the request then ``InvalidSignature`` is raised.
+
+Additionally, the ``verify()`` method raises ``HTTPMessageSignaturesException`` or an exception derived from this class in
+case an error occurs (unable to load PEM key, unsupported algorithm specified in signature input, signature doesn't match
+digest etc.)
+
 Authors
 -------
-* Andrey Kislyuk
+* `Andrey Kislyuk <https://kislyuk.com>`
 
 Links
 -----
@@ -74,7 +82,7 @@ Links
 * `Documentation <https://FIXME>`_
 * `Package distribution (PyPI) <https://pypi.python.org/pypi/http-message-signatures>`_
 * `Change log <https://github.com/pyauth/http-message-signatures/blob/master/Changes.rst>`_
-* `IETF HTTP Message Signatures standard tracker <https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/>`_
+* `IETF HTTP Message Signatures standard tracker <https://datatracker.ietf.org/doc/rfc9421/>`_
 * `OWASP Top Ten <https://owasp.org/www-project-top-ten/>`_
 
 Bugs
@@ -83,4 +91,7 @@ Please report bugs, issues, feature requests, etc. on `GitHub <https://github.co
 
 License
 -------
-Licensed under the terms of the `Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_.
+Copyright 2017-2024, Andrey Kislyuk and http-message-signatures contributors. Licensed under the terms of the
+`Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_. Distribution of attribution information,
+LICENSE and NOTICE files with source copies of this package and derivative works is **REQUIRED** as specified by the
+Apache License.

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/common.mk

@@ -17,15 +17,9 @@ release:
 	@if [[ -z $$TAG ]]; then echo "Use release-{major,minor,patch}"; exit 1; fi
 	@if ! type -P pandoc; then echo "Please install pandoc"; exit 1; fi
 	@if ! type -P sponge; then echo "Please install moreutils"; exit 1; fi
-	@if ! type -P http; then echo "Please install httpie"; exit 1; fi
-	@if ! type -P twine; then echo "Please install twine"; exit 1; fi
-	$(eval REMOTE=$(shell git remote get-url origin | perl -ne '/([^\/\:]+\/[^\/\:]+?)(\.git)?$$/; print $$1'))
-	$(eval GIT_USER=$(shell git config --get user.email))
-	$(eval GH_AUTH=$(shell if grep -q '@github.com' ~/.git-credentials; then echo $$(grep '@github.com' ~/.git-credentials | python3 -c 'import sys, urllib.parse as p; print(p.urlparse(sys.stdin.read()).netloc.split("@")[0])'); else echo $(GIT_USER); fi))
-	$(eval RELEASES_API=https://api.github.com/repos/${REMOTE}/releases)
-	$(eval UPLOADS_API=https://uploads.github.com/repos/${REMOTE}/releases)
+	@if ! type -P gh; then echo "Please install gh"; exit 1; fi
 	git pull
-	git clean -x --force $$(python setup.py --name)
+	git clean -x --force $$(ls */__init__.py | xargs dirname)
 	TAG_MSG=$$(mktemp); \
 	    echo "# Changes for ${TAG} ($$(date +%Y-%m-%d))" > $$TAG_MSG; \
 	    git log --pretty=format:%s $$(git describe --abbrev=0)..HEAD >> $$TAG_MSG; \
@@ -33,17 +27,9 @@ release:
 	    if [[ -f Changes.md ]]; then cat $$TAG_MSG <(echo) Changes.md | sponge Changes.md; git add Changes.md; fi; \
 	    if [[ -f Changes.rst ]]; then cat <(pandoc --from markdown --to rst $$TAG_MSG) <(echo) Changes.rst | sponge Changes.rst; git add Changes.rst; fi; \
 	    git commit -m ${TAG}; \
-	    git tag --sign --annotate --file $$TAG_MSG ${TAG}
+	    git tag --annotate --file $$TAG_MSG ${TAG}
 	git push --follow-tags
-	http --check-status --auth ${GH_AUTH} ${RELEASES_API} tag_name=${TAG} name=${TAG} \
-	    body="$$(git tag --list ${TAG} -n99 | perl -pe 's/^\S+\s*// if $$. == 1' | sed 's/^\s\s\s\s//')"
 	$(MAKE) install
-	http --check-status --auth ${GH_AUTH} POST ${UPLOADS_API}/$$(http --auth ${GH_AUTH} ${RELEASES_API}/latest | jq .id)/assets \
-	    name==$$(basename dist/*.whl) label=="Python Wheel" < dist/*.whl
-	$(MAKE) release-pypi
-
-release-pypi:
-	python -m build
-	twine upload dist/*.tar.gz dist/*.whl --sign --verbose
+	gh release create ${TAG} dist/*.whl --notes="$$(git tag --list ${TAG} -n99 | perl -pe 's/^\S+\s*// if $$. == 1' | sed 's/^\s\s\s\s//')"
 
 .PHONY: release

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/docs/conf.py

@@ -24,6 +24,6 @@ html_sidebars = {
         "logo-text.html",
         # "globaltoc.html",
         "localtoc.html",
-        "searchbox.html"
+        "searchbox.html",
     ]
 }

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/http_message_signatures/__init__.py

@@ -1,6 +1,7 @@
 from . import algorithms  # noqa:F401
 from .algorithms import HTTPSignatureAlgorithm  # noqa:F401
 from .exceptions import HTTPMessageSignaturesException, InvalidSignature  # noqa:F401
-from .resolvers import HTTPSignatureComponentResolver, HTTPSignatureKeyResolver  # noqa:F401
+from .resolvers import HTTPSignatureComponentResolver  # noqa:F401
+from .resolvers import HTTPSignatureKeyResolver  # noqa: F401
 from .signatures import HTTPMessageSigner, HTTPMessageVerifier  # noqa:F401
 from .structures import VerifyResult  # noqa:F401

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/http_message_signatures/_algorithms.py

@@ -1,7 +1,13 @@
 from cryptography.hazmat.primitives import hashes, hmac
 from cryptography.hazmat.primitives.asymmetric import ec, ed25519, padding, rsa
-from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature
-from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
+from cryptography.hazmat.primitives.asymmetric.utils import (
+    decode_dss_signature,
+    encode_dss_signature,
+)
+from cryptography.hazmat.primitives.serialization import (
+    load_pem_private_key,
+    load_pem_public_key,
+)
 
 from .exceptions import HTTPMessageSignaturesException
 
@@ -41,15 +47,10 @@ class RSA_PSS_SHA512(HTTPSignatureAlgorithm, PEMKeyLoader):
         self.hash_algorithm: hashes.HashAlgorithm = hashes.SHA512()
 
     def sign(self, message: bytes):
-        return self.private_key.sign(data=message,
-                                     padding=self.padding,
-                                     algorithm=self.hash_algorithm)
+        return self.private_key.sign(data=message, padding=self.padding, algorithm=self.hash_algorithm)
 
     def verify(self, signature: bytes, message: bytes):
-        self.public_key.verify(signature=signature,
-                               data=message,
-                               padding=self.padding,
-                               algorithm=self.hash_algorithm)
+        self.public_key.verify(signature=signature, data=message, padding=self.padding, algorithm=self.hash_algorithm)
 
 
 class RSA_V1_5_SHA256(RSA_PSS_SHA512):
@@ -90,27 +91,24 @@ class ECDSA_P256_SHA256(HTTPSignatureAlgorithm, PEMKeyLoader):
             raise HTTPMessageSignaturesException("Unexpected public key type")
         if self.private_key and not isinstance(self.private_key, ec.EllipticCurvePrivateKey):
             raise HTTPMessageSignaturesException("Unexpected private key type")
-        if self.public_key and type(self.public_key.curve) != ec.SECP256R1:
+        if self.public_key and not isinstance(self.public_key.curve, ec.SECP256R1):
             raise HTTPMessageSignaturesException("Unexpected elliptic curve type in public key")
-        if self.private_key and type(self.private_key.curve) != ec.SECP256R1:
+        if self.private_key and not isinstance(self.private_key.curve, ec.SECP256R1):
             raise HTTPMessageSignaturesException("Unexpected elliptic curve type in private key")
         self.signature_algorithm = ec.ECDSA(hashes.SHA256())
 
     def sign(self, message: bytes):
-        der_sig = self.private_key.sign(message,
-                                        signature_algorithm=self.signature_algorithm)
+        der_sig = self.private_key.sign(message, signature_algorithm=self.signature_algorithm)
         r, s = decode_dss_signature(der_sig)
-        return r.to_bytes(32, byteorder='big') + s.to_bytes(32, byteorder='big')
+        return r.to_bytes(32, byteorder="big") + s.to_bytes(32, byteorder="big")
 
     def verify(self, signature: bytes, message: bytes):
         if len(signature) != 64:
             raise HTTPMessageSignaturesException("Unexpected signature length")
-        r = int.from_bytes(signature[:32], byteorder='big')
-        s = int.from_bytes(signature[32:], byteorder='big')
+        r = int.from_bytes(signature[:32], byteorder="big")
+        s = int.from_bytes(signature[32:], byteorder="big")
         der_sig = encode_dss_signature(r, s)
-        self.public_key.verify(signature=der_sig,
-                               data=message,
-                               signature_algorithm=self.signature_algorithm)
+        self.public_key.verify(signature=der_sig, data=message, signature_algorithm=self.signature_algorithm)
 
 
 class ED25519(HTTPSignatureAlgorithm, PEMKeyLoader):

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/http_message_signatures/exceptions.py

@@ -2,5 +2,5 @@ class HTTPMessageSignaturesException(Exception):
     "Base class for exceptions raised by http_message_signatures"
 
 
-class InvalidSignature(Exception):
+class InvalidSignature(HTTPMessageSignaturesException):
     "Class for exceptions raised in the course of verifying an HTTP message signature"

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/http_message_signatures/resolvers.py

@@ -17,7 +17,7 @@ class HTTPSignatureComponentResolver:
         "@query",
         "@query-params",
         "@status",
-        "@request-response"
+        "@request-response",
     }
 
     # TODO: describe interface
@@ -33,7 +33,7 @@ class HTTPSignatureComponentResolver:
         component_id = str(component_node.value)
         if component_id.startswith("@"):  # derived component
             if component_id not in self.derived_component_names:
-                raise HTTPMessageSignaturesException(f'Unknown covered derived component name {component_id}')
+                raise HTTPMessageSignaturesException(f"Unknown covered derived component name {component_id}")
             resolver = getattr(self, "get_" + component_id[1:].replace("-", "_"))
             return resolver(**component_node.params)
         if component_id not in self.headers:
@@ -68,7 +68,7 @@ class HTTPSignatureComponentResolver:
         if name not in query:
             raise HTTPMessageSignaturesException(f'Query parameter "{name}" not found in the message URL')
         if len(query[name]) != 1:
-            raise HTTPMessageSignaturesException('Query parameters with multiple values are not supported.')
+            raise HTTPMessageSignaturesException("Query parameters with multiple values are not supported.")
         return query[name][0]
 
     def get_status(self):

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/http_message_signatures/signatures.py

@@ -1,7 +1,7 @@
 import collections
 import datetime
 import logging
-from typing import Any, Dict, List, Sequence, Tuple, Type
+from typing import Any, Dict, List, Optional, Sequence, Tuple, Type
 
 import http_sfv
 
@@ -14,27 +14,24 @@ logger = logging.getLogger(__name__)
 
 
 class HTTPSignatureHandler:
-    signature_metadata_parameters = {
-        "alg",
-        "created",
-        "expires",
-        "keyid",
-        "nonce"
-    }
-
-    def __init__(self, *,
-                 signature_algorithm: Type[HTTPSignatureAlgorithm],
-                 key_resolver: HTTPSignatureKeyResolver,
-                 component_resolver_class: type = HTTPSignatureComponentResolver):
+    signature_metadata_parameters = {"alg", "created", "expires", "keyid", "nonce", "tag"}
+
+    def __init__(
+        self,
+        *,
+        signature_algorithm: Type[HTTPSignatureAlgorithm],
+        key_resolver: HTTPSignatureKeyResolver,
+        component_resolver_class: type = HTTPSignatureComponentResolver,
+    ):
         if signature_algorithm not in signature_algorithms.values():
             raise HTTPMessageSignaturesException(f"Unknown signature algorithm {signature_algorithm}")
         self.signature_algorithm = signature_algorithm
         self.key_resolver = key_resolver
         self.component_resolver_class = component_resolver_class
 
-    def _build_signature_base(self, message, *,
-                              covered_component_ids: List[Any],
-                              signature_params: Dict[str, str]) -> Tuple:
+    def _build_signature_base(
+        self, message, *, covered_component_ids: List[Any], signature_params: Dict[str, str]
+    ) -> Tuple:
         assert "@signature-params" not in covered_component_ids
         sig_elements = collections.OrderedDict()
         component_resolver = self.component_resolver_class(message)
@@ -48,8 +45,9 @@ class HTTPSignatureHandler:
             if "\n" in component_key:
                 raise HTTPMessageSignaturesException(f'Component ID "{component_key}" contains newline character')
             if component_key in sig_elements:
-                raise HTTPMessageSignaturesException(f'Component ID "{component_key}" appeared multiple times in '
-                                                     'signature input')
+                raise HTTPMessageSignaturesException(
+                    f'Component ID "{component_key}" appeared multiple times in signature input'
+                )
             sig_elements[component_key] = component_value
         sig_params_node = http_sfv.InnerList(covered_component_ids)
         sig_params_node.params.update(signature_params)
@@ -72,14 +70,19 @@ class HTTPMessageSigner(HTTPSignatureHandler):
             covered_component_nodes.append(component_name_node)
         return covered_component_nodes
 
-    def sign(self, message, *,
-             key_id: str,
-             created: datetime.datetime = None,
-             expires: datetime.datetime = None,
-             nonce: str = None,
-             label: str = None,
-             include_alg: bool = True,
-             covered_component_ids: Sequence[str] = ("@method", "@authority", "@target-uri")):
+    def sign(
+        self,
+        message,
+        *,
+        key_id: str,
+        created: Optional[datetime.datetime] = None,
+        expires: Optional[datetime.datetime] = None,
+        nonce: Optional[str] = None,
+        label: Optional[str] = None,
+        tag: Optional[str] = None,
+        include_alg: bool = True,
+        covered_component_ids: Sequence[str] = ("@method", "@authority", "@target-uri"),
+    ):
         # TODO: Accept-Signature autonegotiation
         key = self.key_resolver.resolve_private_key(key_id)
         if created is None:
@@ -91,13 +94,13 @@ class HTTPMessageSigner(HTTPSignatureHandler):
             signature_params["expires"] = int(expires.timestamp())
         if nonce:
             signature_params["nonce"] = nonce
+        if tag:
+            signature_params["tag"] = tag
         if include_alg:
             signature_params["alg"] = self.signature_algorithm.algorithm_id
         covered_component_nodes = self._parse_covered_component_ids(covered_component_ids)
         sig_base, sig_params_node, _ = self._build_signature_base(
-            message,
-            covered_component_ids=covered_component_nodes,
-            signature_params=signature_params
+            message, covered_component_ids=covered_component_nodes, signature_params=signature_params
         )
         signer = self.signature_algorithm(private_key=key)
         signature = signer.sign(sig_base.encode())
@@ -111,6 +114,7 @@ class HTTPMessageSigner(HTTPSignatureHandler):
 
 
 class HTTPMessageVerifier(HTTPSignatureHandler):
+    max_clock_skew: datetime.timedelta = datetime.timedelta(seconds=5)
     require_created: bool = True
 
     def _parse_dict_header(self, header_name, headers):
@@ -133,17 +137,19 @@ class HTTPMessageVerifier(HTTPSignatureHandler):
 
     def validate_created_and_expires(self, sig_input, max_age=None):
         now = datetime.datetime.now()
+        min_time = now - self.max_clock_skew
+        max_time = now + self.max_clock_skew
         if "created" in sig_input.params:
-            if self._parse_integer_timestamp(sig_input.params["created"], field_name="created") > now:
+            if self._parse_integer_timestamp(sig_input.params["created"], field_name="created") > max_time:
                 raise InvalidSignature('Signature "created" parameter is set to a time in the future')
         elif self.require_created:
             raise InvalidSignature('Signature is missing a required "created" parameter')
         if "expires" in sig_input.params:
-            if self._parse_integer_timestamp(sig_input.params["expires"], field_name="expires") < now:
+            if self._parse_integer_timestamp(sig_input.params["expires"], field_name="expires") < min_time:
                 raise InvalidSignature('Signature "expires" parameter is set to a time in the past')
         if max_age is not None:
-            if self._parse_integer_timestamp(sig_input.params["created"], field_name="created") + max_age < now:
-                raise InvalidSignature(f'Signature age exceeds maximum allowable age {max_age}')
+            if self._parse_integer_timestamp(sig_input.params["created"], field_name="created") + max_age < min_time:
+                raise InvalidSignature(f"Signature age exceeds maximum allowable age {max_age}")
 
     def verify(self, message, *, max_age: datetime.timedelta = datetime.timedelta(days=1)) -> List[VerifyResult]:
         sig_inputs = self._parse_dict_header("Signature-Input", message.headers)
@@ -165,9 +171,7 @@ class HTTPMessageVerifier(HTTPSignatureHandler):
                     raise InvalidSignature(f'Unexpected signature metadata parameter "{param}"')
             try:
                 sig_base, sig_params_node, sig_elements = self._build_signature_base(
-                    message,
-                    covered_component_ids=list(sig_input),
-                    signature_params=sig_input.params
+                    message, covered_component_ids=list(sig_input), signature_params=sig_input.params
                 )
             except Exception as e:
                 raise InvalidSignature(e) from e
@@ -177,10 +181,12 @@ class HTTPMessageVerifier(HTTPSignatureHandler):
                 verifier.verify(signature=raw_signature, message=sig_base.encode())
             except Exception as e:
                 raise InvalidSignature(e) from e
-            verify_result = VerifyResult(label=label,
-                                         algorithm=self.signature_algorithm,
-                                         covered_components=sig_elements,
-                                         parameters=dict(sig_params_node.params),
-                                         body=None)
+            verify_result = VerifyResult(
+                label=label,
+                algorithm=self.signature_algorithm,
+                covered_components=sig_elements,
+                parameters=dict(sig_params_node.params),
+                body=None,
+            )
             verify_results.append(verify_result)
         return verify_results

{http-message-signatures-0.4.4 → http_message_signatures-0.6.1}/http_message_signatures/structures.py

@@ -34,11 +34,7 @@ class CaseInsensitiveDict(MutableMapping):
 
     def lower_items(self):
         """Like iteritems(), but with all lowercase keys."""
-        return (
-            (lowerkey, keyval[1])
-            for (lowerkey, keyval)
-            in self._store.items()
-        )
+        return ((lowerkey, keyval[1]) for (lowerkey, keyval) in self._store.items())
 
     def __eq__(self, other):
         if isinstance(other, Mapping):