Crate http_signatures [] [src]

HTTP Signatures, an implementation of the http signatures specification

The base crate provides types for creating and verifying signatures, and the features use_hyper, use_reqwest, and use_rocket provide implementations of required traits for easily using HTTP Signatures with web applications.

Creating an HTTP Signature

To get a string that would be the contents of an HTTP Request's Authorization header, a few steps must be taken. The method, path, and query must be known, furthermore, there must be at least one item in the headers hashmap, if there is not, the HTTP Signature creation will fail.

use http_signatures::{HttpSignature, SignatureAlgorithm, ShaSize};
use http_signatures::REQUEST_TARGET;

let method = "GET";
let path = "/test";
let query = "key=value";

let mut headers: HashMap<String, Vec<String>> = HashMap::new();
headers.insert("Accept".into(), vec!["application/json".into()]);
    vec![format!("{} {}?{}", method.to_lowercase(), path, query)],

let algorithm = SignatureAlgorithm::RSA(ShaSize::FiveTwelve);
let key_id = "1".into();

let auth_header = HttpSignature::new(key_id, priv_key, algorithm, headers)?

println!("Authorization: {}", auth_header);

Verifying an HTTP Signature

To verify a header, one must implement a type called GetKey. This type is imporant because it contains the information required to convert a key id, represented as &str, into a Key. This can be done by accessing some external state, or by storing the required state in the struct that implements GetKey.

use http_signatures::{GetKey, AuthorizationHeader};

struct MyKeyGetter;

impl GetKey for MyKeyGetter {
    type Key = File;
    type Error = Error;

    fn get_key(self, _key_id: &str) -> Result<Self::Key, Self::Error> {

let mut headers = Vec::new();
headers.push(("Accept".into(), "application/json".into()));

let method = "GET";
let path = "/test";
let query = "key=value";

let key_getter = MyKeyGetter;

let auth_header = AuthorizationHeader::new(&auth_header)?;
    .verify(&headers, method, path, Some(query), key_getter)?;



The AuthorizationHeader struct is the direct reasult of reading in the Authorization header from a given request.


The HttpSignature struct, this is the entry point for creating an Authorization header. It contains all the values required for generation.



The root Error


Variations of the Sha hashing function.


Which algorithm should be used to create an HTTP header.





AsHttpSignature defines a trait for getting an Authorization Header string from any type that implements it. It provides two methods: as_http_signature, which implementors must define, and authorization_header, which uses as_http_signature to create the header string.


The GetKey trait is used during HTTP Signature verification to access the required decryption key based on a given key_id.


The VerifyAuthorizationHeader trait is meant to be implemented for the request types from http libraries (such as Hyper and Rocket). This trait makes verifying requests much easier, since the verify_authorization_header() method can be called directly on a Request type.


WithHttpSignature defines a trait for adding an Authorization header to another library's request or response object.