npm.io
0.3.1 • Published yesterday

@algovoi/rfc9421-verifier

Licence
Apache-2.0
Version
0.3.1
Deps
1
Size
62 kB
Vulns
0
Weekly
0

AlgoVoi is available for acquisitiondocs.algovoi.co.uk/acquisition


algovoi-rfc9421-verifier

PyPI npm Apache 2.0 IETF I-D

AlgoVoi-authored reference verifier for RFC 9421 (HTTP Message Signatures) plus RFC 9530 (Digest Fields for HTTP). Python and TypeScript, byte-for-byte parity, Apache 2.0.

Use cases:

  • Verify an incoming RFC 9421-signed HTTP request against a known public key.
  • Re-validate a captured request after it traverses a TLS-re-terminating proxy chain (the property pinned in the rfc9421_proxy_chain_v0 conformance fixture).
  • Build conformance test harnesses anchored to the RFC 8032 Section 7.1 deterministic Ed25519 reference keypair.

Packages

Language Package Install
Python algovoi-rfc9421-verifier pip install algovoi-rfc9421-verifier
TypeScript @algovoi/rfc9421-verifier npm install @algovoi/rfc9421-verifier

Both packages are byte-deterministic on identical inputs and tested against the same RFC 8032 Section 7.1 Test 1 reference fixture.

Hosted verification endpoint

AlgoVoi runs a public hosted instance of this verifier at verify.algovoi.co.uk/rfc9421. No installation required — POST a captured request and get back a full VerifyResult including the reconstructed signing base:

curl -X POST https://verify.algovoi.co.uk/rfc9421 \
  -H "Content-Type: application/json" \
  -d '{
    "method": "POST",
    "authority": "api.algovoi.co.uk",
    "path": "/checkout",
    "headers": {
      "signature-input": "sig=(\"@method\" \"@authority\" \"@path\" \"content-digest\" \"created\");created=1748534400;keyid=\"test\";alg=\"ed25519\"",
      "signature": "sig=:<base64-signature>:",
      "content-digest": "sha-256=:<base64-sha256>:"
    },
    "body_b64": "<base64-body>",
    "public_key_hex": "<64-char hex>",
    "require_content_digest": true
  }'

Rate limit: 60 req/min per IP. No authentication required.

Quick start

Python
from algovoi_rfc9421_verifier import verify_request

result = verify_request(
    method="GET",
    authority="api.algovoi.co.uk",
    path="/compliance/attestation",
    headers={
        "content-digest": "sha-256=:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=:",
        "signature-input": (
            'sig=("@method" "@authority" "@path" "content-digest" "created");'
            'created=1778955520;keyid="did:web:api.algovoi.co.uk";alg="ed25519"'
        ),
        "signature": (
            "sig=:Xj1peMjEYi75R/QQFYpU9q/gHwQKYwgt1etjAX1qc0zugTMJoJ86Uhy/jTZ175b3"
            "zFhp0j8cLjmDJvGmySDBAQ==:"
        ),
    },
    body=b"",
    public_key="d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
)
assert result.valid
TypeScript
import { verifyRequest } from "@algovoi/rfc9421-verifier";

const result = await verifyRequest({
  method: "GET",
  authority: "api.algovoi.co.uk",
  path: "/compliance/attestation",
  headers: {
    "content-digest": "sha-256=:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=:",
    "signature-input":
      'sig=("@method" "@authority" "@path" "content-digest" "created");created=1778955520;keyid="did:web:api.algovoi.co.uk";alg="ed25519"',
    signature:
      "sig=:Xj1peMjEYi75R/QQFYpU9q/gHwQKYwgt1etjAX1qc0zugTMJoJ86Uhy/jTZ175b3zFhp0j8cLjmDJvGmySDBAQ==:",
  },
  body: new Uint8Array(),
  publicKey:
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
});
if (result.valid) console.log("verified");

API surface (v0.1.0)

Function Purpose
verify_request / verifyRequest High-level: parse all headers, build signing base, verify Content-Digest, verify Ed25519 signature, return a VerifyResult with per-step success flags.
verify_signature / verifySignature Lower-level: caller supplies the signing base; library verifies Ed25519 only.
verify_content_digest / verifyContentDigest Validate RFC 9530 Content-Digest header against a body. SHA-256 and SHA-512 supported.
build_signing_base / buildSigningBase Construct the RFC 9421 §2.5 signing base from covered components + values.
parse_signature_input / parseSignatureInput Parse a Signature-Input header. Accepts the strict labelled form and the unlabelled real-world form.
parse_signature_value / parseSignatureValue Parse a Signature header.
compute_content_digest / computeContentDigest Compute a Content-Digest header value for a body.

Scope (v0.1.0)

  • Algorithms: Ed25519 only. ECDSA-P256 and RSA-PSS are roadmap.
  • Derived components: @method, @authority, @path, @target-uri, @scheme, @status, plus created and expires parameters. @request-target, @query, @query-param are roadmap.
  • Header forms: strict labelled <label>=(...) and unlabelled (...);created=... real-world forms both accepted.
  • Content-Digest: SHA-256 (mandatory per RFC 9530) and SHA-512. Other algorithms in the IANA registry are roadmap.

The v0.1.0 surface is sufficient to verify any AlgoVoi production compliance receipt and the rfc9421_proxy_chain_v0 conformance fixture. Multi-algorithm + multi-label support arrives in v0.2.0.

Conformance fixture

The reference fixture for the verifier is at chopmob-cloud/algovoi-jcs-conformance-vectors/vectors/rfc9421_proxy_chain_v0/. It uses the RFC 8032 Section 7.1 Test 1 deterministic Ed25519 keypair and includes a tcpdump wire-capture record (E2E_PROOF.md) demonstrating that the RFC 9421 headers survive a 3-hop TLS-re-terminating proxy chain (Cloudflare edge → nginx → FastAPI) byte-identical.

Companion IETF Internet-Draft

This library is part of the AlgoVoi substrate that anchors draft-hopley-x402-compliance-receipt-00 (Independent Submission, Informational; posted 2026-05-23). The receipt-format audit-chain property in the I-D assumes signed receipts can be transported and re-verified independently of the originating gateway — exactly the property this verifier checks.

Package Purpose
algovoi-substrate / @algovoi/substrate JCS RFC 8785 canonicalisation, action_ref, transactional lifecycle, compliance receipt builder
algovoi-audit-verifier / @algovoi/audit-verifier Selective-disclosure audit bundle verifier; consumes substrate output
algovoi-rfc9421-verifier / @algovoi/rfc9421-verifier This package. RFC 9421/9530 HTTP signature verifier

Relationship to the canonicalisation discipline

This package verifies HTTP message signatures per RFC 9421 + RFC 9530 -- a different canonicalisation surface from the AlgoVoi JCS RFC 8785 receipt-body discipline at docs.algovoi.co.uk/canonicalisation-substrate. HTTP signature verification (this package) and receipt-content verification (algovoi-audit-verifier + the receipt-format packages) are complementary surfaces: this verifier confirms wire-level message integrity; the AlgoVoi JCS substrate confirms receipt-body canonical integrity. Both are AlgoVoi-authored under sole authorship.

Parties anchoring to the AlgoVoi canonicalisation discipline are recorded in the Substrate Adopters Registry; the registry's canon_version pin criterion applies to receipt-body artefacts, not to HTTP signatures as such.

Tests

# Python (23 tests)
pip install -e python/[dev]
python -m pytest python/tests/ -v

# TypeScript (18 tests)
cd typescript && npm install && npm test

Both suites cover:

  • Signature-Input / Signature header parsing
  • build_signing_base for both algovoi-v0 and rfc9421 modes
  • Content-Digest (RFC 9530) computation and verification
  • verify_signature (Ed25519 / PyNaCl + @noble/ed25519)
  • verify_request end-to-end against the rfc9421_proxy_chain_v0 corpus fixture
  • Tamper-detection (wrong path, wrong key, bad body)

Licence

Apache 2.0. See LICENSE.

Author

AlgoVoi (Christopher Hopley, GitHub chopmob-cloud).

Attribution

This package is Apache-2.0. Use it freely and build whatever you are building on top of it. The only ask is the one the licence already makes: keep the NOTICE, and name who authored the substrate. To attribute it in your own product, add this to your NOTICE file:

This product includes the AlgoVoi substrate,
authored by Christopher Hopley / AlgoVoi (chopmob-cloud), Apache-2.0.
https://docs.algovoi.co.uk/canonicalisation-substrate

The full invitation is at https://docs.algovoi.co.uk/canonicalisation-substrate#adopt-the-substrate

Keywords