A C# implementation of the "Authorization" scheme of the IETF Internet-Draft Signing HTTP Messages.
It contains:
- HTTP request signing services.
- HTTP request signature verification services.
- Authentication middleware for ASP.NET Core applications.
- Authentication middleware for OWIN applications.
- Extensions for storing known clients in memory.
- Extensions for storing known clients in MongoDB.
See wiki for further details.
When communicating over the Internet using the HTTP protocol, it can be desirable for a server or client to authenticate the sender of a particular message. It can also be desirable to ensure that the message was not tampered with during transit. The Signing HTTP Messages Internet-Draft describes a way for servers and clients to simultaneously add authentication and message integrity to HTTP messages by using a digital signature.
This repository is a C# implementation of that specification.
- This package contains the shared components for the signing and verification packages. It serves as a base package only.
- This package contains the client-side services to enable signing HTTP messages. In most cases, this is the only package that client applications will reference.
- This package contains the server-side services to enable verifying HTTP message signatures. It also contains the default in-memory client and nonce stores.
- This package contains the ASP.NET Core authentication scheme to verify signatures on signed HTTP messages.
- This package contains the OWIN authentication middleware to verify signatures on signed HTTP messages.
- For persisted clients and nonces, you can use these alternative MongoDB-backed client and nonce store implementations.
- For persisted clients and nonces, you can use these alternative SQL Server-backed client and nonce store implementations.
- For persisted clients and nonces, you can use these alternative filesystem-backed client and nonce store implementations.
See wiki for further details.
When a request message is signed, an Authorization header is set on the HTTP request. Using this header, the server can verify that the request was sent by a known client, and that the content has not been tampered with.
Signing results in a request header that looks like:
Authorization: Signature keyId="e0e8dcd638334c409e1b88daf821d135",algorithm="hs2019",created=1584806516,expires=1584806576,headers="(request-target) dalion-app-id date digest",nonce="38brRy8BLUajMbUqWumXPg",signature="DUKQVjiirGMMaMOy9qIwKMro46R3BlLsvUQkw1/8sKQ="
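What a verifier has to check for such a header, as an added example: this is not code from this repository and it does not use its API. It assumes .NET 6 or later, an HMAC-SHA256 shared key behind `hs2019`, a header list that covers `(created)` and `(expires)`, and a nonce bound as a trailing line of the signing string; the key, client id, path and header values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Constructed sample data: key, client id, path and header values are made up.
var key = Encoding.UTF8.GetBytes("constructed-demo-secret");
var seen = new HashSet<string>();   // stands in for a nonce store
var req = new Dictionary<string, string> { ["(request-target)"] = "post /api/orders",
    ["date"] = "Sat, 21 Mar 2020 16:01:56 GMT", ["digest"] = "SHA-256=constructed-value" };
var unsigned = "Signature keyId=\"demo-client\",algorithm=\"hs2019\",created=1584806516," +
    "expires=1584806576,headers=\"(request-target) (created) (expires) date digest\",nonce=\"n-1\"";
var auth = unsigned + ",signature=\"" + Convert.ToBase64String(Mac(SigningString(Parse(unsigned), req))) + "\"";

Console.WriteLine("intact, in window: " + Verify(auth, req, 1584806520));
Console.WriteLine("same nonce again:  " + Verify(auth, req, 1584806521));
req["digest"] = "SHA-256=tampered";
Console.WriteLine("digest changed:    " + Verify(auth, req, 1584806522));

// Split `Signature keyId="..",created=123,..` into its parameters.
Dictionary<string, string> Parse(string a) =>
    Regex.Matches(a, "(\\w+)=(?:\"([^\"]*)\"|(\\d+))").Cast<Match>()
         .ToDictionary(m => m.Groups[1].Value, m => m.Groups[2].Value + m.Groups[3].Value);

// One "name: value" line per listed header; the trailing nonce line is this example's assumption.
string SigningString(Dictionary<string, string> p, Dictionary<string, string> h) =>
    string.Join("\n", p["headers"].Split(' ').Select(n => n + ": " +
        (n == "(created)" ? p["created"] : n == "(expires)" ? p["expires"] : h[n])))
    + "\nnonce: " + p["nonce"];
byte[] Mac(string s) => HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(s));

bool Verify(string a, Dictionary<string, string> h, long now)
{
    try
    {
        var p = Parse(a);
        var covered = p["headers"].Split(' ');
        // created/expires are only trustworthy when the signature covers them.
        if (!covered.Contains("(created)") || !covered.Contains("(expires)")) return false;
        if (now < long.Parse(p["created"]) || now > long.Parse(p["expires"])) return false;
        if (!CryptographicOperations.FixedTimeEquals(Mac(SigningString(p, h)),   // constant time
                Convert.FromBase64String(p["signature"]))) return false;
        return seen.Add(p["keyId"] + ":" + p["nonce"]);   // stored only after the MAC checks out
    }
    catch (Exception e) when (e is KeyNotFoundException or FormatException
                                  or ArgumentException or OverflowException) { return false; }
}
```

Run as a console program, only the first call is accepted; the replayed request and the request with the changed digest are rejected.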
See the Super Duper Happy Paths for basic usage.
OWIN and ASP.NET Core middleware are available too, for easy integration. By default, verification settings are stored in-memory. There are also extension packages to store data in SQL Server, MongoDB, ... instead.
See Wiki.
If you've got value from any of the content which I have created, but pull requests are not your thing, then I would also very much appreciate your support by buying me a coffee.
"Anybody can make something that works. Software craftsmanship is the ability to keep it understandable, maintainable and extensible."