HTTP Signatures

Ruby implementation of the HTTP Signatures draft specification: cryptographically sign and verify HTTP requests and responses.

Usage

Add http_signatures to your Gemfile.

Configure a context with your algorithm, your keys, and the headers to sign. In Rails, this is best placed in an initializer.

require "http_signatures"

$context = HttpSignatures::Context.new(
  keys: {"examplekey" => "secret-key-here"},
  algorithm: "hmac-sha256",
  headers: ["(request-target)", "Date", "Content-Length"],
)

If there's only one key in the keys hash, it will be used for signing. Otherwise, specify one via signing_key_id: "examplekey".

Messages

A message is an HTTP request or response. A subset of the interface of Ruby's Net::HTTPRequest and Net::HTTPResponse is expected: the ability to set and read headers via message["name"], and, for requests, the presence of message#method and message#path so that (request-target) can be built.

require "net/http"
require "time"

message = Net::HTTP::Get.new(
  "/path?query=123",
  "Date" => Time.now.rfc822,
  "Content-Length" => "0",
)

Signing a message

$context.signer.sign(message)

Now message contains the signature headers:

message["Signature"]
# keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

message["Authorization"]
# Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

Verifying a signed message

$context.verifier.valid?(message)  # => true or false
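To make concrete what the signer and verifier above do, here is an added stand-alone example (not the gem's own code) that builds the draft's signing string from the listed headers, computes the hmac-sha256 signature, writes the Signature header in the shape shown above, and verifies it again with a constant-time comparison. The function names (sign_message, verify_message, sample_request) and the fixed Date value are assumptions for this example only.

```ruby
require "net/http"
require "openssl"
require "base64"

# Build the signing string from the draft: one "name: value" line per listed
# header, in order; "(request-target)" expands to "<method> <path>" lowercased.
def signing_string(message, header_names)
  header_names.map do |name|
    value = name == "(request-target)" ? "#{message.method.downcase} #{message.path}" : message[name]
    "#{name.downcase}: #{value}"
  end.join("\n")
end

def hmac_sha256_b64(secret, message, header_names)
  Base64.strict_encode64(OpenSSL::HMAC.digest("SHA256", secret, signing_string(message, header_names)))
end

# Sign in place, producing the same Signature header shape the gem emits.
def sign_message(message, key_id, secret, header_names)
  sig = hmac_sha256_b64(secret, message, header_names)
  message["Signature"] =
    "keyId=\"#{key_id}\",algorithm=\"hmac-sha256\"," \
    "headers=\"#{header_names.map(&:downcase).join(" ")}\",signature=\"#{sig}\""
  message
end

# Parse the comma-separated key="value" parameters of a Signature header.
def parse_signature_params(header)
  header&.scan(/(\w+)="([^"]*)"/)&.to_h
end

# Compare without early exit so the mismatch position does not leak via timing.
def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Verify against a keyId => secret map, recomputing over the header list the
# signature names (the draft's default is "date" when none is given). A header
# that is named but missing yields "name: " and so fails verification.
def verify_message(message, keys)
  params = parse_signature_params(message["Signature"])
  return false unless params && params["algorithm"] == "hmac-sha256" && params["signature"]
  return false unless (secret = keys[params["keyId"]])
  constant_time_equal?(hmac_sha256_b64(secret, message, params.fetch("headers", "date").split(" ")), params["signature"])
end

# Constructed sample request with a fixed Date so the signature is reproducible.
def sample_request
  Net::HTTP::Get.new("/path?query=123", "Date" => "Tue, 07 Jun 2014 20:51:35 GMT", "Content-Length" => "0")
end
```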

Contributing

Pull Requests are welcome.