
Support for HTTP Signatures #8

jricher opened this issue May 10, 2022 · 0 comments
jricher commented May 10, 2022

Support for the HTTP Message Signatures draft specification would require the specification of the algorithms, key types, and required covered content for a signature. The following examples show what a possible syntax could look like for the new OAS security model proposed in OAI/OpenAPI-Specification#2582.

This example shows how it could be defined for an example API requiring signed requests with an RSA PSS signature and the caller's key identifier and a set of required components on the request including the method, url, and several headers.

```yaml
components:
  securitySchemes:
    photoApi:
      type: httpsig
      credentials:
      # the two headers that carry the signature metadata and the signature bytes
      - in: header
        name: signature-input
      - in: header
        name: signature
      config:
      - alg: rsa-pss-sha512
        keyid: <your key id here>
        coveredComponents:
        # "@" is a reserved YAML indicator, so derived components must be quoted
        - "@method"
        - content-digest
        - content-type
        - target-uri
        requiredParameters:
        - nonce
        - created
```

As I'm not sure how to show placeholder values, I'm using things like <your key id> here.

As a corollary, it would be useful to specify the algorithm and use of digest headers like Content-Digest, which protects the body, and Client-Cert, which contains the TLS client certificate.

This proposed syntax is just one possible idea, and I'm looking for feedback on how this could be made to fit the OAS model better.

Addresses #6
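As an added example that is not part of this issue or of the project's code, the following Python shows what the scheme sketched above turns into on the wire and what a verifier driven by that scheme would have to check: a Content-Digest computed over the body, the Signature-Input and Signature header pair, the signature base defined by the HTTP Message Signatures draft (now RFC 9421), and the policy checks that every configured covered component and every required parameter is actually present before the signature is recomputed. It uses hmac-sha256 with a constructed shared key instead of the issue's rsa-pss-sha512 so that it runs on the standard library alone; the signature base and the policy checks are the same for either algorithm, only the signing primitive differs. POLICY, SHARED_KEY, KEY_ID, the sample request, the nonce and the created timestamp are all constructed for the example. The derived URI component is spelled `@target-uri` in the draft, and the example uses that spelling.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Constructed policy mirroring the securityScheme sketched in the issue (not project code).
# hmac-sha256 stands in for the issue's rsa-pss-sha512 so the example needs no extra library.
POLICY = {
    "alg": "hmac-sha256",
    "coveredComponents": ["@method", "content-digest", "content-type", "@target-uri"],
    "requiredParameters": ["nonce", "created"],
}
SHARED_KEY = b"constructed-demo-key"   # stands in for the caller's key material (constructed)
KEY_ID = "test-shared-secret"          # stands in for <your key id here> (constructed)


def content_digest(body: bytes) -> str:
    """Content-Digest value (sha-256 over the body), in RFC 9530 byte-sequence syntax."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def format_sig_params(components, params):
    """Serialise @signature-params: ("@method" ...);created=1;keyid="k";alg="...";nonce="...".

    Integers are bare, strings are quoted, exactly as RFC 9421 structured fields require."""
    ids = " ".join(f'"{c}"' for c in components)
    tail = "".join(f";{k}={v}" if isinstance(v, int) else f';{k}="{v}"' for k, v in params)
    return f"({ids}){tail}"


def signature_base(method, target_uri, headers, components, sig_params):
    """Build the signature base: one line per covered component, then @signature-params."""
    lines = []
    for c in components:
        if c == "@method":
            value = method
        elif c == "@target-uri":
            value = target_uri
        elif c.startswith("@"):
            raise ValueError(f"unsupported derived component {c}")
        else:
            value = headers[c]      # KeyError: a covered header is absent, so reject
        lines.append(f'"{c}": {value}')
    lines.append(f'"@signature-params": {sig_params}')
    return "\n".join(lines)       # no trailing newline after the last line


def sign_request(method, target_uri, headers, body, nonce, created, label="sig1"):
    """Return the headers plus Content-Digest, Signature-Input and Signature."""
    headers = dict(headers, **{"content-digest": content_digest(body)})
    params = [("created", created), ("keyid", KEY_ID), ("alg", POLICY["alg"]), ("nonce", nonce)]
    sig_params = format_sig_params(POLICY["coveredComponents"], params)
    base = signature_base(method, target_uri, headers, POLICY["coveredComponents"], sig_params)
    mac = hmac.new(SHARED_KEY, base.encode(), hashlib.sha256).digest()
    headers["signature-input"] = f"{label}={sig_params}"
    headers["signature"] = f"{label}=:{base64.b64encode(mac).decode()}:"
    return headers


def verify_request(method, target_uri, headers, body, label="sig1"):
    """Apply POLICY to Signature-Input, then recompute and compare the signature."""
    m = re.fullmatch(r'(\w+)=(\(([^)]*)\)((?:;[a-z]+=(?:"[^"]*"|\d+))*))',
                     headers.get("signature-input", ""))
    if not m or m.group(1) != label:
        return False, "malformed Signature-Input"
    sig_params, components = m.group(2), re.findall(r'"([^"]+)"', m.group(3))
    params = {k: s or n for k, s, n in re.findall(r';([a-z]+)=(?:"([^"]*)"|(\d+))', m.group(4))}
    missing = [c for c in POLICY["coveredComponents"] if c not in components]
    if missing:
        return False, f"covered components missing: {missing}"
    missing = [p for p in POLICY["requiredParameters"] if p not in params]
    if missing:
        return False, f"required parameters missing: {missing}"
    if params.get("alg") != POLICY["alg"]:
        return False, "alg not permitted by policy"
    # Content-Digest only protects the body if it is covered AND recomputed here.
    if headers.get("content-digest") != content_digest(body):
        return False, "Content-Digest does not match body"
    sm = re.fullmatch(r'(\w+)=:([A-Za-z0-9+/=]+):', headers.get("signature", ""))
    if not sm or sm.group(1) != label:
        return False, "malformed Signature"
    try:
        # Rebuild from the verbatim Signature-Input so the bytes match what the caller signed.
        base = signature_base(method, target_uri, headers, components, sig_params)
        received = base64.b64decode(sm.group(2), validate=True)
    except (KeyError, ValueError, binascii.Error) as e:
        return False, f"cannot rebuild signature base: {e}"
    expected = hmac.new(SHARED_KEY, base.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, received):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"title": "sunset"}'   # constructed request body
    req = sign_request("POST", "https://api.example.com/photos",
                       {"content-type": "application/json"}, body, "b3k2pp5k7z", 1652140800)
    print(req["signature-input"])
    print(verify_request("POST", "https://api.example.com/photos", req, body))
    print(verify_request("POST", "https://api.example.com/photos", req, b'{"title": "x"}'))
```

The verifier deliberately checks the scheme's policy before touching the signature: a request whose Signature-Input omits `content-digest` or `nonce` is rejected for that reason, not with an opaque "signature mismatch", which is what makes the coveredComponents and requiredParameters lists in the scheme enforceable rather than advisory. Rebuilding the base from the verbatim Signature-Input value (rather than re-serialising the parsed parameters) is what keeps the signed bytes identical on both sides when parameter order or formatting varies.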
