linzer 0.7.2 → 0.7.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 760341bd66c313c36150f7cb31d741c84252ffe726ecd5bc838928b5f656832f
-  data.tar.gz: 6df1c1af21e5fbadc3eb242dc84973251ddc8dd6849606a2bd213ea57ffd9d89
+  metadata.gz: 7ca1f4d456be7ceedda5bbe7cfd205e696689da336408324c6ec06ed10440d07
+  data.tar.gz: 1db3b82c5644c65b6037cb844bea963aa803dd4bf74c93673aac8473dc647d38
 SHA512:
-  metadata.gz: 899a41a945b59b368110befe463d300445d605483ef64020e1e35c12e71e0945f3b6aeb1774155cbc4919246f88fc0b77175fe16d2f4270e4bc57f861983f145
-  data.tar.gz: 8af02940869d0e451a8c45738f943cb32bdc515347d325121cafbb9c49e6e1e601d897749e2a5f9453f7c1f6a98acff59e778a5489ed70a60476f0086ab4bace
+  metadata.gz: ce767d2e1c8df88b72321e8fbb513a9dadadb6436a4cefe6caa1a873f82cd4332b4f676ca0f355170156175077af2f675dabb22fbcb16ec7984950ca826a307c
+  data.tar.gz: affedd0f107f8ae2e9073ceb007896e5de9b45d2b50086bec7ff9dc6e771d208cffa7edb1e12ff414771a13eecc2597f2559b0d9c68a1a2ddb1010732afa2663

data/CHANGELOG.md

@@ -1,5 +1,29 @@
 ## [Unreleased]
 
+## [0.7.4] - 2025-06-30
+
+- Add validation routines on key instances before performing
+  signing and verifying operations. This will catch obvious errors
+  like trying to sign a request with a public key.
+
+- Fix bug with incorrect signature generation and verification on
+  messages with HTTP field identifiers including parameters. Those
+  fields were not serialized correctly and messages were being signed
+  with incorrect signature base.
+
+## [0.7.3] - 2025-06-01
+
+- Fix broken retrieval of header names from Rack responses.
+  Previously, this caused signatures attached to Rack response instances
+  to use incorrect header names, making them unverifiable.
+
+- Add Linzer.signature_base method.
+
+- Add initial support for JWS algorithms. See Linzer::JWS module for more details.
+  In this initial preview, only EdDSA algorithm (Ed25519) is supported).
+
+- Add a simple integration test to verify signatures on HTTP responses.
+
 ## [0.7.2] - 2025-05-21
 
 - Add a few integration tests against CloudFlare test server.

data/README.md

@@ -356,6 +356,10 @@ in subsequent releases.
 
 linzer is built in [Continuous Integration](https://github.com/nomadium/linzer/actions/workflows/main.yml) on Ruby 3.0+.
 
+## Security
+
+This gem is provided “as is” without any warranties. It has not been audited for security vulnerabilities. Users are advised to review the code and assess its suitability for their use case, particularly in production environments.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/examples/sinatra/Gemfile

@@ -6,4 +6,4 @@ gem "sinatra",      "~> 4.0"
 gem "rackup",       "~> 2.1"
 gem "webrick",      "~> 1.9"
 gem "rack-contrib", "~> 2.4"
-gem "linzer",       "~> 0.7.0.beta2"
+gem "linzer",       "~> 0.7.2"

data/lib/linzer/common.rb

@@ -2,20 +2,39 @@
 
 module Linzer
   module Common
-    def signature_base(message, components, parameters)
-      signature_base = components.each_with_object(+"") do |component, base|
-        base << "\"#{component}\": #{message[component]}\n"
-      end
+    def signature_base(message, serialized_components, parameters)
+      signature_base =
+        serialized_components.each_with_object(+"") do |component, base|
+          base << "%s\n" % signature_base_line(component, message)
+        end
 
-      signature_params =
-        Starry.serialize([Starry::InnerList.new(components, parameters)])
+      signature_base << signature_params_line(serialized_components, parameters)
 
-      signature_base << "\"@signature-params\": #{signature_params}"
       signature_base
     end
+    module_function :signature_base
+
+    def signature_base_line(component, message)
+      field_id = FieldId.new(field_name: component)
+      "%s: %s" % [field_id.serialize, message[field_id]]
+    end
+    module_function :signature_base_line
+
+    def signature_params_line(serialized_components, parameters)
+      identifiers = serialized_components.map { |c| Starry.parse_item(c) }
+
+      signature_params =
+        Starry.serialize([Starry::InnerList.new(identifiers, parameters)])
+
+      "%s: %s" % [Starry.serialize("@signature-params"), signature_params]
+    end
+    module_function :signature_params_line
+
+    private
 
     def validate_components(message, components)
-      if components.include?("@signature-params")
+      if components.include?('"@signature-params"') ||
+          components.any? { |c| c.start_with?('"@signature-params"') }
         raise Error.new "Invalid component in signature input"
       end
 

data/lib/linzer/ecdsa.rb

@@ -9,10 +9,12 @@ module Linzer
       end
 
       def sign(data)
+        validate_signing_key
         decode_der_signature(material.sign(@params[:digest], data))
       end
 
       def verify(signature, data)
+        validate_verify_key
         material.verify(@params[:digest], der_signature(signature), data)
       end
 

data/lib/linzer/ed25519.rb

@@ -4,12 +4,22 @@ module Linzer
   module Ed25519
     class Key < Linzer::Key
       def sign(data)
+        validate_signing_key
         material.sign(nil, data)
       end
 
       def verify(signature, data)
+        validate_verify_key
         material.verify(nil, signature, data)
       end
+
+      def public?
+        has_pem_public?
+      end
+
+      def private?
+        has_pem_private?
+      end
     end
   end
 end

data/lib/linzer/helper.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Linzer
+  module Helper
+    def sign!(request_or_response, **args)
+      message = Message.new(request_or_response)
+      options = {}
+
+      label = args[:label]
+      options[:label] = label if label
+      options.merge!(args.fetch(:params, {}))
+
+      key = args.fetch(:key)
+      signature = Linzer::Signer.sign(key, message, args.fetch(:components), options)
+      message.attach!(signature)
+    end
+
+    def verify!(request_or_response, key: nil, no_older_than: 900)
+      message = Message.new(request_or_response)
+      signature_headers = {}
+      %w[signature-input signature].each do |name|
+        value = message.header(name)
+        signature_headers[name] = value if value
+      end
+      signature = Signature.build(signature_headers)
+      keyid = signature.parameters["keyid"]
+      raise Linzer::Error, "key not found" if !key && !keyid
+      verify_key = block_given? ? (yield keyid) : key
+      Linzer.verify(verify_key, message, signature, no_older_than: no_older_than)
+    end
+  end
+end

data/lib/linzer/hmac.rb

@@ -18,6 +18,14 @@ module Linzer
         signature == sign(data)
       end
 
+      def private?
+        !material.nil?
+      end
+
+      def public?
+        false
+      end
+
       def inspect
         vars =
           instance_variables

data/lib/linzer/jws.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "jwt"
+require "jwt/eddsa"
+require "ed25519"
+
+module Linzer
+  module JWS
+    def jwk_import(key, params = {})
+      material = JWT::JWK.import(key)
+      Linzer::JWS::Key.new(material, params)
+    end
+    module_function :jwk_import
+
+    def generate_key(algorithm:)
+      case String(algorithm)
+      when "EdDSA"
+        ed25519_keypair = ::Ed25519::SigningKey.generate
+        material = JWT::JWK.new(ed25519_keypair)
+        Linzer::JWS::Key.new(material)
+      else
+        err_msg = "Algorithm '#{algorithm}' is unsupported or not implemented yet."
+        raise Linzer::Error, err_msg
+      end
+    end
+    module_function :generate_key
+
+    class Key < Linzer::Key
+      def sign(data)
+        validate_signing_key
+        algo = resolve_algorithm
+        algo.sign(data: data, signing_key: signing_key)
+      end
+
+      def verify(signature, data)
+        validate_verify_key
+        algo = resolve_algorithm
+        algo.verify(data: data, signature: signature, verification_key: verify_key)
+      end
+
+      def public?
+        !!verify_key
+      end
+
+      private
+
+      def resolve_algorithm
+        case
+        when material.verify_key.is_a?(::Ed25519::VerifyKey)
+          JWT::JWA.resolve("EdDSA")
+        else
+          raise Linzer::Error, "Unknown/unsupported algorithm"
+        end
+      end
+
+      def verify_key
+        material.verify_key
+      end
+
+      def signing_key
+        material.signing_key
+      end
+    end
+  end
+end

data/lib/linzer/key/helper.rb

@@ -85,6 +85,14 @@ module Linzer
         key = OpenSSL::PKey::EC.new(material)
         Linzer::ECDSA::Key.new(key, id: key_id, digest: "SHA384")
       end
+
+      def generate_jws_key(algorithm:)
+        Linzer::JWS.generate_key(algorithm: algorithm)
+      end
+
+      def jwk_import(key, params = {})
+        Linzer::JWS.jwk_import(key, params)
+      end
     end
   end
 end

data/lib/linzer/key.rb

@@ -17,12 +17,20 @@ module Linzer
 
     def sign(*args)
       abstract_error = "Cannot sign data, \"#{self.class}\" is an abstract class."
-      raise Error.new abstract_error
+      raise Error, abstract_error
     end
 
     def verify(*args)
       abstract_error = "Cannot verify signature, \"#{self.class}\" is an abstract class."
-      raise Error.new abstract_error
+      raise Error, abstract_error
+    end
+
+    def public?
+      material.public?
+    end
+
+    def private?
+      material.private?
     end
 
     private
@@ -34,7 +42,25 @@ module Linzer
     def validate_digest
       no_digest = !@params.key?(:digest) || @params[:digest].nil? || String(@params[:digest]).empty?
       no_digest_error = "Invalid key definition, no digest algorithm was selected."
-      raise Linzer::Error.new no_digest_error if no_digest
+      raise Error, no_digest_error if no_digest
+    end
+
+    def validate_signing_key
+      raise SigningError, "Private key is needed!" unless private?
+    end
+
+    def validate_verify_key
+      raise VerifyError, "Public key is needed!" unless public?
+    end
+
+    def has_pem_public?
+      material.public_to_pem.match?(/^-----BEGIN PUBLIC KEY-----/)
+    end
+
+    def has_pem_private?
+      material.private_to_pem.match?(/^-----BEGIN PRIVATE KEY-----/)
+    rescue
+      false
     end
   end
 end

data/lib/linzer/message/adapter/abstract.rb

@@ -26,15 +26,10 @@ module Linzer
           !!self[f]
         end
 
-        def [](field_name)
-          name = parse_field_name(field_name)
-          return nil if name.nil?
-
-          if field_name.start_with?("@")
-            retrieve(name, :derived)
-          else
-            retrieve(name, :field)
-          end
+        def [](field)
+          field_id = field.is_a?(FieldId) ? field : parse_field_name(field)
+          return nil if field_id.nil? || field_id.item.nil?
+          retrieve(field_id.item, field_id.derived? ? :derived : :field)
         end
 
         def header(name)
@@ -48,13 +43,16 @@ module Linzer
         private
 
         def parse_field_name(field_name)
-          if field_name&.start_with?("@")
-            Starry.parse_item(field_name[1..])
-          else
-            Starry.parse_item(field_name)
-          end
-        rescue => _
-          nil
+          field_id  = FieldId.new(field_name: field_name)
+          component = field_id.item
+
+          return nil if component.nil?
+
+          # 2.2.9
+          invalid = "@status component identifier is invalid in a request message"
+          raise Error, invalid if request? && component.value == "@status"
+
+          field_id
         end
 
         def validate_attached_request(message)
@@ -73,7 +71,7 @@ module Linzer
           value    = name.value
 
           # Section 2.2.8 of RFC 9421
-          return nil if has_name && value != :"query-param"
+          return nil if has_name && value != "@query-param"
 
           # No derived values come from trailers section
           return nil if method == :derived && name.parameters["tr"]
@@ -141,10 +139,7 @@ module Linzer
         end
 
         def req(field, method)
-          case method
-          when :derived then @attached_request["@#{field}"]
-          when :field   then @attached_request[field.to_s]
-          end
+          attached_request? ? @attached_request[String(field)] : nil
         end
       end
     end

data/lib/linzer/message/adapter/http_gem/request.rb

@@ -12,7 +12,7 @@ module Linzer
           private
 
           def derived(name)
-            return @operation.verb.to_s.upcase if name.value == :method
+            return @operation.verb.to_s.upcase if name.value == "@method"
             super
           end
         end

data/lib/linzer/message/adapter/net_http/request.rb

@@ -25,14 +25,14 @@ module Linzer
 
           def derived(name)
             case name.value
-            when :method           then @operation.method
-            when :"target-uri"     then @operation.uri.to_s
-            when :authority        then @operation.uri.authority.downcase
-            when :scheme           then @operation.uri.scheme.downcase
-            when :"request-target" then @operation.uri.request_uri
-            when :path             then @operation.uri.path
-            when :query            then "?%s" % String(@operation.uri.query)
-            when :"query-param"    then query_param(name)
+            when "@method"         then @operation.method
+            when "@target-uri"     then @operation.uri.to_s
+            when "@authority"      then @operation.uri.authority.downcase
+            when "@scheme"         then @operation.uri.scheme.downcase
+            when "@request-target" then @operation.uri.request_uri
+            when "@path"           then @operation.uri.path
+            when "@query"          then "?%s" % String(@operation.uri.query)
+            when "@query-param"    then query_param(name)
             end
           end
 

data/lib/linzer/message/adapter/net_http/response.rb

@@ -17,16 +17,26 @@ module Linzer
             @operation[name]
           end
 
-          # XXX: this implementation is incomplete, e.g.: ;tr parameter is not supported yet
-          def [](field_name)
-            return @operation.code.to_i if field_name == "@status"
-            @operation[field_name]
-          end
-
           def attach!(signature)
             signature.to_h.each { |h, v| @operation[h] = v }
             @operation
           end
+
+          private
+
+          def derived(name)
+            case name.value
+            when "@status" then @operation.code.to_i
+            end
+          end
+
+          # XXX: this implementation is incomplete, e.g.: ;bs parameter is not supported yet
+          def field(name)
+            has_tr = name.parameters["tr"]
+            return nil if has_tr # Net::HTTP doesn't support trailers
+            value = @operation[name.value.to_s]
+            value.dup&.strip
+          end
         end
       end
     end

data/lib/linzer/message/adapter/rack/common.rb

@@ -6,14 +6,14 @@ module Linzer
       module Rack
         module Common
           DERIVED_COMPONENT = {
-            method:           :request_method,
-            authority:        :authority,
-            path:             :path_info,
-            status:           :status,
-            "target-uri":     :url,
-            scheme:           :scheme,
-            "request-target": :fullpath,
-            query:            :query_string
+            "@method"         => :request_method,
+            "@authority"      => :authority,
+            "@path"           => :path_info,
+            "@status"         => :status,
+            "@target-uri"     => :url,
+            "@scheme"         => :scheme,
+            "@request-target" => :fullpath,
+            "@query"          => :query_string
           }.freeze
           private_constant :DERIVED_COMPONENT
 
@@ -28,8 +28,11 @@ module Linzer
             raise ArgumentError.new, "Blank header name." if name.empty?
             name.to_str
           rescue => ex
+            # :nocov:
+            # XXX: this block of code seems to be unreachable
             err_msg = "Invalid header name: '#{name}'"
-            raise Linzer::Error.new, err_msg, cause: ex
+            raise Linzer::Error, err_msg, cause: ex
+            # :nocov:
           end
 
           def rack_header_name(field_name)
@@ -44,25 +47,12 @@ module Linzer
             end
           end
 
-          def rack_request_headers(rack_request)
-            rack_request
-              .each_header
-              .to_h
-              .select do |k, _|
-                k.start_with?("HTTP_") || %w[CONTENT_TYPE CONTENT_LENGTH].include?(k)
-              end
-              .transform_keys { |k| k.downcase.tr("_", "-") }
-              .transform_keys do |k|
-                %w[content-type content-length].include?(k) ? k : k.gsub(/^http-/, "")
-              end
-          end
-
           def derived(name)
             method = DERIVED_COMPONENT[name.value]
 
             value = case name.value
-            when :query         then derive(@operation, method)
-            when :"query-param" then query_param(name)
+            when "@query"       then derive(@operation, method)
+            when "@query-param" then query_param(name)
             end
 
             return nil if !method && !value
@@ -76,7 +66,7 @@ module Linzer
             else
               rack_header_name = rack_header_name(name.value.to_s)
               value = @operation.env[rack_header_name] if request?
-              value = @operation.get_header(rack_header_name) if response?
+              value = @operation.get_header(name.value.to_s) if response?
             end
             value.dup&.strip
           end

data/lib/linzer/message/adapter/rack/response.rb

@@ -17,12 +17,12 @@ module Linzer
           end
 
           def header(name)
-            @operation.get_header(rack_header_name(name))
+            @operation.get_header(name)
           end
 
           def attach!(signature)
             signature.to_h.each do |h, v|
-              @operation.set_header(rack_header_name(h), v)
+              @operation.set_header(h, v)
             end
             @operation
           end

data/lib/linzer/message/field/parser.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Linzer
+  class Message
+    class Field
+      class Identifier
+        module Parser
+          extend self
+
+          def parse(field_name)
+            case
+            when field_name.match?(/";/), field_name.start_with?('"')
+              Starry.parse_item(field_name)
+            when field_name.match?(/;/)
+              parse_unserialized_input(field_name)
+            when field_name.start_with?("@"), field_name.match?(/^[a-z]/)
+              Starry.parse_item(Starry.serialize(field_name))
+            else
+              raise Error, "Invalid component identifier: '#{field_name}'!"
+            end
+          rescue Starry::ParseError => ex
+            parse_error = "Failed to parse component identifier: '#{field_name}'!"
+            raise Error, parse_error, cause: ex
+          end
+
+          private
+
+          def parse_unserialized_input(field_name)
+            field, *raw_params = field_name.split(";")
+            item               = Starry.parse_item(Starry.serialize(field))
+            item.parameters    = collect_parameters(raw_params)
+            item
+          end
+
+          def collect_parameters(str)
+            params = str.map do |param|
+              if (tokens = param.split("=")) == [param] # e.g.: ";bs"
+                {param => true}
+              else
+                Hash[*tokens.first(2)]                  # e.g.: ";key=\"foo\""
+                  .transform_values! { |v| Starry.parse_item(v).value }
+              end
+            end
+            params.reduce({}, :merge)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/linzer/message/field.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Linzer
+  class Message
+    class Field
+      module IdentifierMethods
+        def initialize(field_name:)
+          @item = Identifier::Parser.parse(field_name) rescue nil
+          super
+        end
+
+        attr_reader :item
+
+        def derived?
+          item&.value&.start_with?("@")
+        end
+
+        def serialize
+          raise Error, "Invalid component identifier: '#{field_name}'!" unless item
+          Starry.serialize(@item)
+        end
+      end
+
+      # Excluded from coverage as obviously both branches cannot be covered
+      # on a single test run.
+      # :nocov:
+      if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.2.0")
+        class Identifier < Struct.new(:field_name, keyword_init: true); end
+      else
+        class Identifier < Data.define(:field_name); end
+      end
+      # :nocov:
+
+      Identifier.include Message::Field::IdentifierMethods
+
+      class Identifier
+        class << self
+          def serialize(component)
+            new(field_name: component).serialize
+          end
+
+          def serialize_components(components)
+            components.map(&method(:serialize))
+          end
+
+          def deserialize_components(components)
+            components.map do |c|
+              item = Starry.parse_item(c)
+              item.parameters.empty? ? item.value : Starry.serialize(item)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/linzer/rsa.rb

@@ -9,14 +9,13 @@ module Linzer
       end
 
       def sign(data)
-        # XXX: should check if the key is usable for signing
-        @material.sign(@params[:digest], data)
+        validate_signing_key
+        material.sign(@params[:digest], data)
       end
 
       def verify(signature, data)
-        # XXX: should check if the key is usable for verifying
-        return true if @material.verify(@params[:digest], signature, data)
-        false
+        validate_verify_key
+        material.verify(@params[:digest], signature, data)
       end
     end
   end

data/lib/linzer/rsa_pss.rb

@@ -11,19 +11,26 @@ module Linzer
       end
 
       def sign(data)
-        # XXX: should check if the key is usable for signing
-        @material.sign(@params[:digest], data, signature_options)
+        validate_signing_key
+        material.sign(@params[:digest], data, signature_options)
       end
 
       def verify(signature, data)
-        # XXX: should check if the key is usable for verifying
-        return true if @material.verify(
+        validate_verify_key
+        material.verify(
           @params[:digest],
           signature,
           data,
           signature_options
         )
-        false
+      end
+
+      def public?
+        has_pem_public?
+      end
+
+      def private?
+        has_pem_private?
       end
 
       private

data/lib/linzer/signature.rb

@@ -11,9 +11,13 @@ module Linzer
     end
 
     attr_reader  :metadata, :value, :parameters, :label
-    alias_method :components, :metadata
+    alias_method :serialized_components, :metadata
     alias_method :bytes, :value
 
+    def components
+      FieldId.deserialize_components(serialized_components)
+    end
+
     def created
       Integer(parameters["created"])
     rescue
@@ -28,10 +32,13 @@ module Linzer
 
     def to_h
       {
-        "signature" => Starry.serialize({label => value}),
-        "signature-input" =>
-          Starry.serialize({label =>
-            Starry::InnerList.new(components, parameters)})
+        "signature"       => Starry.serialize({label => value}),
+        "signature-input" => Starry.serialize({
+          label => Starry::InnerList.new(
+            serialized_components.map { |c| Starry.parse_item(c) },
+            parameters
+          )
+        })
       }
     end
 
@@ -56,7 +63,7 @@ module Linzer
 
         fail_due_invalid_components unless input[label].value.respond_to?(:each)
 
-        components = input[label].value.map(&:value)
+        components = input[label].value.map { |c| Starry.serialize_item(c) }
         parameters = input[label].parameters
 
         new(components, raw_signature, label, parameters)

data/lib/linzer/signer.rb

@@ -8,15 +8,16 @@ module Linzer
       include Common
 
       def sign(key, message, components, options = {})
-        validate key, message, components
+        serialized_components = FieldId.serialize_components(Array(components))
+        validate key, message, serialized_components
 
         parameters = populate_parameters(key, options)
-        signature_base = signature_base(message, components, parameters)
+        signature_base = signature_base(message, serialized_components, parameters)
 
         signature = key.sign(signature_base)
         label = options[:label] || DEFAULT_LABEL
 
-        Linzer::Signature.build(serialize(signature, components, parameters, label))
+        Linzer::Signature.build(serialize(signature, serialized_components, parameters, label))
       end
 
       def default_label
@@ -55,8 +56,11 @@ module Linzer
         {
           "signature" => Starry.serialize({label => signature}),
           "signature-input" =>
-            Starry.serialize({label =>
-              Starry::InnerList.new(components, parameters)})
+            Starry.serialize(label =>
+              Starry::InnerList.new(
+                components.map { |c| Starry.parse_item(c) },
+                parameters
+              ))
         }
       end
     end

data/lib/linzer/verifier.rb

@@ -9,9 +9,9 @@ module Linzer
         validate message, key, signature, no_older_than: no_older_than
 
         parameters = signature.parameters
-        components = signature.components
+        serialized_components = signature.serialized_components
 
-        signature_base = signature_base(message, components, parameters)
+        signature_base = signature_base(message, serialized_components, parameters)
 
         verify_or_fail key, signature.value, signature_base
       end
@@ -31,7 +31,7 @@ module Linzer
         raise VerifyError, "Components cannot be null"             if signature.components.nil?
 
         begin
-          validate_components message, signature.components
+          validate_components message, signature.serialized_components
         rescue Error => ex
           raise VerifyError, ex.message, cause: ex
         end

data/lib/linzer/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Linzer
-  VERSION = "0.7.2"
+  VERSION = "0.7.4"
 end

data/lib/linzer.rb

@@ -9,10 +9,13 @@ require "net/http"
 
 require_relative "linzer/version"
 require_relative "linzer/common"
+require_relative "linzer/helper"
 require_relative "linzer/options"
 require_relative "linzer/message"
 require_relative "linzer/message/adapter"
 require_relative "linzer/message/wrapper"
+require_relative "linzer/message/field"
+require_relative "linzer/message/field/parser"
 require_relative "linzer/signature"
 require_relative "linzer/key"
 require_relative "linzer/rsa"
@@ -24,7 +27,6 @@ require_relative "linzer/key/helper"
 require_relative "linzer/signer"
 require_relative "linzer/verifier"
 require_relative "linzer/http"
-require_relative "rack/auth/signature"
 
 module Linzer
   class Error < StandardError; end
@@ -35,6 +37,7 @@ module Linzer
 
   class << self
     include Key::Helper
+    include Helper
 
     def verify(pubkey, message, signature, no_older_than: nil)
       Linzer::Verifier.verify(pubkey, message, signature, no_older_than: no_older_than)
@@ -44,31 +47,12 @@ module Linzer
       Linzer::Signer.sign(key, message, components, options)
     end
 
-    def sign!(request_or_response, **args)
-      message = Message.new(request_or_response)
-      options = {}
-
-      label = args[:label]
-      options[:label] = label if label
-      options.merge!(args.fetch(:params, {}))
-
-      key = args.fetch(:key)
-      signature = Linzer::Signer.sign(key, message, args.fetch(:components), options)
-      message.attach!(signature)
-    end
-
-    def verify!(request_or_response, key: nil, no_older_than: 900)
-      message = Message.new(request_or_response)
-      signature_headers = {}
-      %w[signature-input signature].each do |name|
-        value = message.header(name)
-        signature_headers[name] = value if value
-      end
-      signature = Signature.build(signature_headers)
-      keyid = signature.parameters["keyid"]
-      raise Linzer::Error, "key not found" if !key && !keyid
-      verify_key = block_given? ? (yield keyid) : key
-      Linzer.verify(verify_key, message, signature, no_older_than: no_older_than)
+    def signature_base(message, components, parameters)
+      Linzer::Common.signature_base(message, components, parameters)
     end
   end
+
+  FieldId = Message::Field::Identifier
 end
+
+require_relative "rack/auth/signature"

data/lib/rack/auth/signature/helpers.rb

@@ -36,6 +36,11 @@ module Rack
         end
 
         module Configuration
+          def default_covered_components
+            Linzer::Options::DEFAULT[:covered_components]
+          end
+          module_function :default_covered_components
+
           DEFAULT_OPTIONS = {
             signatures: {
               reject_older_than:  900,
@@ -45,7 +50,9 @@ module Rack
               tag_required:       false,
               expires_required:   false,
               keyid_required:     false,
-              covered_components: %w[@method @request-target @authority date],
+              covered_components:
+                Linzer::FieldId
+                  .serialize_components(default_covered_components),
               error_response:     {body: [], status: 401, headers: {}}
             },
             keys: {}

data/lib/rack/auth/signature.rb

@@ -85,7 +85,7 @@ module Rack
       end
 
       def has_required_components?
-        components         = @signature.components || []
+        components         = @signature.serialized_components || []
         covered_components = options[:signatures][:covered_components]
         warning = "Insufficient coverage by signature. Consult S 7.2.1. in RFC"
         logger.warn warning if covered_components.empty?

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.7.4
 platform: ruby
 authors:
 - Miguel Landaeta
@@ -192,10 +192,12 @@ files:
 - lib/linzer/common.rb
 - lib/linzer/ecdsa.rb
 - lib/linzer/ed25519.rb
+- lib/linzer/helper.rb
 - lib/linzer/hmac.rb
 - lib/linzer/http.rb
 - lib/linzer/http/bootstrap.rb
 - lib/linzer/http/signature_feature.rb
+- lib/linzer/jws.rb
 - lib/linzer/key.rb
 - lib/linzer/key/helper.rb
 - lib/linzer/message.rb
@@ -208,6 +210,8 @@ files:
 - lib/linzer/message/adapter/rack/common.rb
 - lib/linzer/message/adapter/rack/request.rb
 - lib/linzer/message/adapter/rack/response.rb
+- lib/linzer/message/field.rb
+- lib/linzer/message/field/parser.rb
 - lib/linzer/message/wrapper.rb
 - lib/linzer/options.rb
 - lib/linzer/rsa.rb
@@ -239,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.8
 specification_version: 4
 summary: An implementation of HTTP Messages Signatures (RFC9421)
 test_files: []