develop herolib httpsig #32

Closed

sameh-farouk wants to merge 30 commits from develop-herolib-httpsig into develop

pull from: develop-herolib-httpsig

merge into: geomind_research:develop

geomind_research:develop

geomind_research:develop-crypto-consolidation

geomind_research:main-work

geomind_research:develop_podman

geomind_research:kristof

geomind_research:main

geomind_research:rpc_opapi

geomind_research:main-integration

Conversation 0 Commits 30 Files changed 87 +5368 -1

sameh-farouk commented 2025-12-31 15:59:57 +00:00

Member

Copy link

PR Description: Add herolib-httpsig Module

Summary

Implements RFC 9421 (HTTP Message Signatures) and RFC 9530 (Content-Digest) with Ed25519 cryptography for secure HTTP request/response authentication.

Features

• ✅ RFC Compliant: Full RFC 9421 & RFC 9530 implementation
• ✅ Universal HTTP Support: Works with any library using http crate (reqwest, hyper, axum, etc.)
• ✅ Ed25519 Signatures: Fast, secure cryptography via herolib-keys
• ✅ Replay Protection: Configurable timestamp tolerance (default: 60s)
• ✅ Mandatory Security: Always signs @method, @path, @authority, content-digest
• ✅ Rhai Integration: Optional scripting support with 7 tests + 2 examples

API

// Sign requests
let signer = HttpSigner::new(keypair, "key-id");
signer.sign_request(&mut request, body)?;

// Verify requests
let verifier = HttpVerifier::new().with_key(public_key);
verifier.verify_request(&request, body)?;

Testing

• 31 unit tests + 11 doc tests (Rust)
• 7 integration tests + 2 examples (Rhai)
• Zero warnings, no unsafe code

Security

• Tight 60s default tolerance (balances security & clock skew)
• Mandatory body digest (prevents tampering)
• Canonical component normalization (prevents manipulation)
• Comprehensive input validation

# PR Description: Add `herolib-httpsig` Module ## Summary Implements RFC 9421 (HTTP Message Signatures) and RFC 9530 (Content-Digest) with Ed25519 cryptography for secure HTTP request/response authentication. ## Features - ✅ **RFC Compliant**: Full RFC 9421 & RFC 9530 implementation - ✅ **Universal HTTP Support**: Works with any library using `http` crate (reqwest, hyper, axum, etc.) - ✅ **Ed25519 Signatures**: Fast, secure cryptography via `herolib-keys` - ✅ **Replay Protection**: Configurable timestamp tolerance (default: 60s) - ✅ **Mandatory Security**: Always signs `@method`, `@path`, `@authority`, `content-digest` - ✅ **Rhai Integration**: Optional scripting support with 7 tests + 2 examples ## API ```rust // Sign requests let signer = HttpSigner::new(keypair, "key-id"); signer.sign_request(&mut request, body)?; // Verify requests let verifier = HttpVerifier::new().with_key(public_key); verifier.verify_request(&request, body)?; ``` ## Testing - 31 unit tests + 11 doc tests (Rust) - 7 integration tests + 2 examples (Rhai) - Zero warnings, no unsafe code ## Security - Tight 60s default tolerance (balances security & clock skew) - Mandatory body digest (prevents tampering) - Canonical component normalization (prevents manipulation) - Comprehensive input validation

sameh-farouk added 14 commits 2025-12-31 15:59:57 +00:00

add herolib-keys package with Ed25519 cryptographic primitives 206d00784a

integrate herolib-keys module into herodo with Ed25519 cryptographic functionality and comprehensive test suite 5e46648808

Merge branch 'develop' into develop-herolib-keys 1e8c13136c

add string-based sign/verify functions for Rhai with backward-compatible byte array variants 6a36e18ff1

add herolib-httpsig package implementing RFC 9421 HTTP Message Signatures with Ed25519 support e0c2638f03

integrate herolib-httpsig into rhai module and fix test iteration compatibility 04ec2ed194

fix derive Clone attribute placement in HttpVerifier struct e2befdec0f

add herolib-httpsig dependency and register httpsig module in herodo engine 7791a7923c

update httpsig verification to return result map with verified field instead of throwing errors 96049af4c8

make Clone derive conditional on rhai feature for HttpVerifier struct b0f3324481

remove unused Ed25519Keypair import from httpsig rhai module tests 4543593ec0

fix timestamp reference in advanced_workflow.rhai example to use verify_result instead of verification 69724e8c10

remove reqwest dependency and switch to universal http crate for broader HTTP library compatibility dc10bb647f

update default timestamp tolerance from 300s to 60s across documentation and code for tighter replay protection 8753ab7264

sameh-farouk added 2 commits 2025-12-31 17:20:40 +00:00

Merge branch 'develop' into develop-herolib-keys ... 66838b9340

# Conflicts:
#	packages/herodo/src/main.rs

Merge branch 'develop-herolib-keys' into develop-herolib-httpsig 78379e9009

sameh-farouk closed this pull request 2025-12-31 17:21:21 +00:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

geomind_research/herolib_rust!32

No description provided.