Elixir library for manipulating and validating HTTP signatures, supporting both draft-cavage and RFC 9421 formats.
draft-cavage is the original HTTP Signatures draft, used by most ActivityPub implementations. It uses a single Signature header with keyId, algorithm, headers, and signature fields.
RFC 9421 is the standardized HTTP Message Signatures format, used by newer implementations such as Fedify and Mitra 4.4+. It uses two headers:
- Signature-Input: describes what was signed (covered components and parameters), encoded as RFC 8941 Structured Fields
- Signature: the actual signature bytes, also as an RFC 8941 Structured Field
Format detection is automatic: when both Signature-Input and Signature headers are present, the library uses RFC 9421 verification. When only Signature is present, it uses draft-cavage.
Note: Only incoming signature verification is currently implemented for RFC 9421. Outgoing signing still uses draft-cavage. RFC 9421 signing support is planned for future work.
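
The detection rule and the RFC 9421 signature base described above, as an added stand-alone example using only Erlang's :crypto (it is not the library's own code, and SigBaseExample and the shape of the `request` map are assumptions). The parser handles only plain component names without parameters and reuses the raw inner list from Signature-Input instead of re-serializing it; the key, request and key id are constructed sample data.

```elixir
defmodule SigBaseExample do
  # Hypothetical helper, not part of http_signatures. `request` maps each
  # component name ("@method", "date", ...) to its value (an assumption).

  # The detection rule above: both headers present selects RFC 9421.
  def detect(%{"signature-input" => _, "signature" => _}), do: :rfc9421
  def detect(%{"signature" => _}), do: :draft_cavage
  def detect(_), do: :unsigned

  # Split `label=("a" "b");params` into the label, the covered component
  # names, and the raw inner list echoed on the @signature-params line.
  def parse_input(signature_input) do
    [label, raw] = String.split(signature_input, "=", parts: 2)
    [_, inner] = Regex.run(~r/^\(([^)]*)\)/, raw)
    names = for [_, name] <- Regex.scan(~r/"([^"]+)"/, inner), do: name
    {label, names, raw}
  end

  # RFC 9421 signature base: one `"name": value` line per covered component,
  # then @signature-params, joined by "\n" with no trailing newline.
  # Map.fetch!/2 raises if a covered component is missing from the request.
  def signature_base(request, names, raw) do
    lines = for name <- names, do: ~s|"#{name}": #{Map.fetch!(request, name)}|
    Enum.join(lines ++ [~s|"@signature-params": #{raw}|], "\n")
  end

  # Fails closed: a label mismatch or malformed header raises MatchError.
  def verify(request, headers, public_key) do
    {label, names, raw} = parse_input(headers["signature-input"])
    [^label, ":" <> rest] = String.split(headers["signature"], "=", parts: 2)
    signature = rest |> String.trim_trailing(":") |> Base.decode64!()
    base = signature_base(request, names, raw)
    :crypto.verify(:eddsa, :none, base, signature, [public_key, :ed25519])
  end
end

# Constructed sample data: throwaway Ed25519 key, made-up request and key id.
{pub, priv} = :crypto.generate_key(:eddsa, :ed25519)
request = %{"@method" => "POST", "@authority" => "example.com", "date" => "Tue, 20 Apr 2021 02:07:55 GMT"}
input = ~s|sig1=("@method" "@authority" "date");created=1618884473;keyid="https://example.com/actor#main-key"|
{_, names, raw} = SigBaseExample.parse_input(input)
base = SigBaseExample.signature_base(request, names, raw)
sig = :crypto.sign(:eddsa, :none, base, [priv, :ed25519])
headers = %{"signature-input" => input, "signature" => "sig1=:" <> Base.encode64(sig) <> ":"}

:rfc9421 = SigBaseExample.detect(headers)
true = SigBaseExample.verify(request, headers, pub)
# Changing a covered component changes the signature base, so verification fails.
false = SigBaseExample.verify(%{request | "@method" => "GET"}, headers, pub)
```

Only components listed in Signature-Input are protected, so a verifier should also check that the covered set includes everything it relies on.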
The package can be installed by adding http_signatures to your list
of dependencies in mix.exs:

    def deps do
      [
        {:http_signatures, "~> 0.1.0"}
      ]
    end

You will need to write an adapter module that implements the
HTTPSignatures.Adapter behaviour. This is used to fetch public
keys when verifying signatures. The adapter is configured like so:

    config :http_signatures, adapter: YourAdapter

    # Automatic format detection and validation (draft-cavage or RFC 9421)
    HTTPSignatures.validate(conn)
    # Or with pre-extracted headers and key
    HTTPSignatures.validate(headers, signature_map, public_key)

    # Sign outgoing request headers (draft-cavage)
    HTTPSignatures.sign(private_key, key_id, headers)

The HTTPSignatures.RFC9421 module can also be used directly:

    # Parse RFC 9421 headers into a signature map
    signature_map = HTTPSignatures.RFC9421.parse(signature_input_header, signature_header)
    # Build the signature base string for verification
    sigstring = HTTPSignatures.RFC9421.build_signature_base(headers, components, raw_params)
    # Verify a parsed RFC 9421 signature
    HTTPSignatures.RFC9421.verify(headers, signature_map, public_key)

- rsa-v1_5-sha256: RSA PKCS#1 v1.5 with SHA-256 (default, most common in ActivityPub)
- ed25519: Ed25519 (EdDSA)

Documentation is published at https://hexdocs.pm/http_signatures.