§HeroLib HTTP Signatures
RFC 9421 compliant HTTP Message Signatures with Ed25519 cryptography.
This module provides secure, standards-compliant HTTP request authentication by signing message components (method, path, headers, body) with Ed25519 keys.
§Features
- RFC 9421 Compliance: HTTP Message Signatures standard
- RFC 9530 Compliance: Content-Digest for body integrity
- Ed25519 Signatures: Via integrated keys module
- Replay Protection: Timestamp-based with configurable tolerance
- Universal Integration: Works with any HTTP library using the `http` crate
- Rhai Scripting: Optional scripting support
§Security Policy
This module enforces strict security policies:
- Always signs: @method, @path, @authority, content-digest
- Mandatory digest: Even for bodyless requests (GET, DELETE)
- Timestamp protection: Configurable replay window (default: 300s)
- Canonical authority: Normalized host:port to prevent proxy attacks
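The four policy rules above, as an added Python walk-through that is not HeroLib's code: it computes the RFC 9530 Content-Digest (also for an empty body), canonicalises @authority, builds the RFC 9421 signature base over the four mandatory components on the signer side, and on the verifier side re-parses Signature-Input, checks coverage, digest and the replay window before handing the bytes to an Ed25519 verify call. The Ed25519 sign/verify primitive itself is left to the caller. All function names, the sample URL, body, key ID and timestamps are assumptions made for the illustration.

```python
"""Constructed walk-through (not HeroLib's code) of the wire-format pieces the
httpsig module produces and checks: RFC 9530 Content-Digest, the RFC 9421
signature base over the mandatory components, canonical @authority and the
replay window.  The Ed25519 sign/verify call itself is left to the caller."""
import base64, hashlib, re
from urllib.parse import urlsplit

MANDATORY = ("@method", "@path", "@authority", "content-digest")
DEFAULT_PORT = {"https": "443", "http": "80"}

def compute_content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest; computed even for an empty body (GET, DELETE)."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def normalize_authority(host_header: str, scheme: str) -> str:
    """Lower-case the host and drop the scheme's default port, so that
    'API.Service.com:443' and 'api.service.com' give the same @authority."""
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and not host.startswith("[") and port == DEFAULT_PORT[scheme]:
        return name
    return host

def component_values(method, url, host_header, body):
    """Values of the four mandatory components for one request."""
    u = urlsplit(url)
    return {"@method": method.upper(), "@path": u.path or "/",
            "@authority": normalize_authority(host_header, u.scheme),
            "content-digest": compute_content_digest(body)}

def signature_base(values, components, params):
    """RFC 9421 signature base: one '"name": value' line per covered component,
    in Signature-Input order, then the '@signature-params' line."""
    lines = [f'"{c}": {values[c]}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

def prepare_signing(method, url, host_header, body, keyid, created):
    """Signer side: headers to add plus the bytes to hand to Ed25519 sign();
    the signature then goes into 'Signature: sig1=:<base64>:'."""
    values = component_values(method, url, host_header, body)
    covered = " ".join(f'"{c}"' for c in MANDATORY)
    params = f'({covered});created={created};keyid="{keyid}";alg="ed25519"'
    headers = {"content-digest": values["content-digest"],
               "signature-input": "sig1=" + params}
    return headers, signature_base(values, MANDATORY, params)

_SIG_INPUT = re.compile(r'^([A-Za-z0-9_-]+)=(\(([^)]*)\)(.*))$')

def parse_signature_input(value):
    """Returns (label, covered components, raw params string, params dict)."""
    m = _SIG_INPUT.match(value.strip())
    if not m:
        raise ValueError("malformed Signature-Input")
    label, raw, inner, tail = m.groups()
    components = tuple(c.strip('"') for c in inner.split())
    pairs = (item.partition("=") for item in filter(None, tail.split(";")))
    return label, components, raw, {k: v.strip('"') for k, _, v in pairs}

def check_request(method, url, host_header, headers, body, now, tolerance=300):
    """Verifier side: enforce the policy, then return (bytes to verify, keyid)
    for Ed25519 verify() with the public key registered under keyid."""
    _, components, raw, params = parse_signature_input(headers["signature-input"])
    missing = [c for c in MANDATORY if c not in components]
    if missing:
        raise ValueError(f"mandatory components not covered: {missing}")
    values = component_values(method, url, host_header, body)
    if headers.get("content-digest") != values["content-digest"]:
        raise ValueError("content-digest mismatch")
    if abs(now - int(params.get("created", 0))) > tolerance:
        raise ValueError("outside replay window")
    return signature_base(values, components, raw), params.get("keyid")

def rejection_reason(*args, **kwargs):
    """Policy error message, or None if the request passes every check."""
    try:
        check_request(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)

URL = "https://api.service.com/api/v1/payments"   # sample request (constructed)
BODY = b'{"amount": 100}'

def demo():
    """Sign with a mixed-case Host carrying an explicit :443, verify 100 s later
    against the canonical host, then show a stale timestamp and a tampered body."""
    t0 = 1_700_000_000
    headers, to_sign = prepare_signing("post", URL, "API.Service.com:443", BODY, "user-123", t0)
    base, keyid = check_request("POST", URL, "api.service.com", headers, BODY, now=t0 + 100)
    return {"signature_input": headers["signature-input"],
            "base_matches": base == to_sign, "keyid": keyid,
            "stale": rejection_reason("POST", URL, "api.service.com", headers, BODY, now=t0 + 400),
            "tampered": rejection_reason("POST", URL, "api.service.com", headers,
                                         b'{"amount": 1000}', now=t0 + 100)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The verifier rebuilds the signature base from the components and parameter string it actually received, so any change to method, path, host, body or timestamp after signing yields different bytes and the Ed25519 check fails; the explicit checks before that step only give the operator a precise rejection reason (uncovered component, digest mismatch, stale timestamp) for logging.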
§Example: Signing a Request

```rust
use herolib_crypt::httpsig::{HttpSigner, HttpSigError};
use herolib_crypt::keys::Ed25519Keypair;
use http::Request;

// Enclosing function so that `?` can be used in the example
fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create a signer with your keypair
    let keypair = Ed25519Keypair::generate()?;
    let signer = HttpSigner::new(keypair, "user-123");

    // Build your HTTP request
    let body = b"{\"amount\": 100}";
    let mut request = Request::post("https://api.service.com/api/v1/payments")
        .header("content-type", "application/json")
        .body(body.to_vec())?;

    // Sign the request (adds signature headers automatically)
    signer.sign_request(&mut request, body)?;

    // Request now has Signature-Input, Signature, and Content-Digest headers
    Ok(())
}
```

§Example: Verifying a Request

```rust
use herolib_crypt::httpsig::{HttpVerifier, HttpSigError};
use herolib_crypt::keys::Ed25519PublicKey;
use http::Request;

// Enclosing function so that `?` can be used in the example;
// `public_key` is the client's `Ed25519PublicKey`, assumed to be in scope
// (how it is distributed to the server is outside this example)
fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create a verifier with a public key and a 60-second replay window
    // (the default is 300s)
    let verifier = HttpVerifier::new()
        .with_key(public_key)
        .with_tolerance(60);

    // Build the request to verify (with signature headers from client;
    // the "..." values stand for the real header contents)
    let body = b"{\"amount\": 100}";
    let request = Request::post("https://api.service.com/api/v1/payments")
        .header("content-type", "application/json")
        .header("signature-input", "sig1=(...)")
        .header("signature", "sig1=:...:")
        .header("content-digest", "sha-256=:...:")
        .body(body.to_vec())?;

    // Verify the request
    let result = verifier.verify_request(&request, body)?;
    println!("Verified! Key ID: {}", result.key_id);
    Ok(())
}
```

§Structs
- HttpSigner - HTTP request signer using Ed25519 signatures.
- HttpVerifier - HTTP request signature verifier.
- SignatureOutput - Output from signing an HTTP request.
- VerificationResult - Result of successful signature verification.
§Enums
- HttpSigError - Errors that can occur during HTTP signature operations.
§Functions
- compute_content_digest - Compute the RFC 9530 Content-Digest for a message body.
- extract_authority - Extract and normalize the @authority component from a Host header.
- extract_key_id - Extract the key ID from a Signature-Input header value.
- parse_signature_input - Parse a Signature-Input header value.
- verify_content_digest - Verify that a Content-Digest header matches the computed digest of a body.