linzer 0.7.9.beta3 → 0.8.0.beta1

data/lib/linzer/key.rb

@@ -38,6 +38,8 @@ module Linzer
       @material = material
       @params   = Hash(params).clone.freeze
       validate
+      @is_private = compute_private?
+      @is_public  = compute_public?
       freeze
     end
 
@@ -84,14 +86,14 @@ module Linzer
     #
     # @return [Boolean] true if the key contains public key material
     def public?
-      material.public?
+      @is_public
     end
 
     # Checks if this key can be used for signing.
     #
     # @return [Boolean] true if the key contains private key material
     def private?
-      material.private?
+      @is_private
     end
 
     private
@@ -102,6 +104,22 @@ module Linzer
       !material.nil? or raise Error.new "Invalid key. No key material provided."
     end
 
+    # Computes whether the key contains private key material.
+    # Override in subclasses where the OpenSSL key object does not
+    # respond to +private?+ (e.g. Ed25519, RSA-PSS).
+    # @return [Boolean]
+    def compute_private?
+      material.respond_to?(:private?) ? material.private? : false
+    end
+
+    # Computes whether the key contains public key material.
+    # Override in subclasses where the OpenSSL key object does not
+    # respond to +public?+ (e.g. Ed25519, RSA-PSS).
+    # @return [Boolean]
+    def compute_public?
+      material.respond_to?(:public?) ? material.public? : false
+    end
+
     # Validates that a digest algorithm is configured.
     # @raise [Error] If no digest algorithm is set
     def validate_digest

data/lib/linzer/message/adapter/abstract.rb

@@ -10,8 +10,8 @@ module Linzer
       # implements field retrieval, header access, and signature attachment
       # for a specific HTTP message type.
       #
-      # @abstract Subclass and implement {#header}, {#attach!}, {#derived},
-      #   and {#field} to create a new adapter.
+      # @abstract Subclass and implement {#header}, {#derived}, and {#field}
+      #   to create a new adapter.
       #
       # @see Rack::Request Rack request adapter
       # @see Rack::Response Rack response adapter
@@ -70,7 +70,7 @@ module Linzer
         # @example With structured field parameter
         #   adapter['"example-dict";key="a"']  # => "1"
         def [](field)
-          field_id = field.is_a?(FieldId) ? field : parse_field_name(field)
+          field_id = (field.is_a?(FieldId) || field.is_a?(Field::FastIdentifier)) ? field : parse_field_name(field)
           return nil if field_id.nil? || field_id.item.nil?
           retrieve(field_id.item, field_id.derived? ? :derived : :field)
         end
@@ -84,13 +84,39 @@ module Linzer
           raise Linzer::Error, "Sub-classes are required to implement this method!"
         end
 
+        # Checks whether the request contains HTTP Message Signature headers.
+        #
+        # Returns true if either the "signature-input" or "signature" header
+        # is present.
+        #
+        # @return [Boolean] true if the request includes HTTP Message Signature headers
+        def has_signature?
+          !!header("signature-input") || !!header("signature")
+        end
+
         # Attaches a signature to the underlying HTTP message.
         #
-        # @abstract Subclasses must implement this method.
         # @param signature [Signature] The signature to attach
         # @return [Object] The underlying HTTP message
         def attach!(signature)
-          raise Linzer::Error, "Sub-classes are required to implement this method!"
+          signature_headers = signature.to_h
+
+          unless has_signature?
+            signature_headers.each { |h, v| set_header!(h, v) }
+            return @operation
+          end
+
+          signature_headers.each do |hdr, value|
+            merged = Starry.parse_dictionary(String(header(hdr)))
+            merged.merge!(Starry.parse_dictionary(value))
+            set_header!(hdr, Starry.serialize_dictionary(merged))
+          end
+
+          @operation
+        rescue Starry::ParseError => e
+          raise Error,
+                "Cannot attach signature, invalid signature header(s)!",
+                cause: e
         end
 
         private
@@ -164,10 +190,11 @@ module Linzer
         # @param method [Symbol] +:derived+ or +:field+
         # @return [String, Integer, nil] the component value
         def retrieve(name, method)
-          if !name.parameters.empty?
-            valid_params = validate_parameters(name, method)
-            return nil if !valid_params
-          end
+          # Fast path: no parameters means no special handling needed
+          return send(method, name) if name.parameters.empty?
+
+          valid_params = validate_parameters(name, method)
+          return nil if !valid_params
 
           has_req = name.parameters["req"]
           has_sf  = name.parameters["sf"] || name.parameters.key?("key")

data/lib/linzer/message/adapter/faraday/response.rb

@@ -16,15 +16,6 @@ module Linzer
         # @see Generic::Response
         # @see https://github.com/lostisland/faraday faraday gem
         class Response < Generic::Response
-          # Attaches a signature to the underlying response headers.
-          #
-          # @param signature [Linzer::Signature] the signature to attach
-          # @return [::Faraday::Response] the underlying response object
-          def attach!(signature)
-            signature.to_h.each { |h, v| @operation.headers[h] = v }
-            @operation
-          end
-
           private
 
           # Resolves a derived component value from the response.
@@ -37,6 +28,17 @@ module Linzer
             when "@status" then @operation.status.to_i
             end
           end
+
+          # Sets a header on the underlying HTTP message.
+          #
+          # If a header with the given name already exists, its value is overwritten.
+          #
+          # @param header [String] the header name
+          # @param value [String] the header value
+          # @return [String] the value assigned to the header
+          def set_header!(header, value)
+            @operation.headers[header] = value
+          end
         end
       end
     end

data/lib/linzer/message/adapter/generic/request.rb

@@ -40,14 +40,6 @@ module Linzer
             @operation[name]
           end
 
-          # Attaches a signature to the request.
-          # @param signature [Signature] The signature to attach
-          # @return [Object] The underlying request object
-          def attach!(signature)
-            signature.to_h.each { |h, v| @operation[h] = v }
-            @operation
-          end
-
           private
 
           def derived(name)
@@ -68,6 +60,17 @@ module Linzer
             end
           end
 
+          # Sets a header on the underlying HTTP message.
+          #
+          # If a header with the given name already exists, its value is overwritten.
+          #
+          # @param header [String] the header name
+          # @param value [String] the header value
+          # @return [String] the value assigned to the header
+          def set_header!(header, value)
+            @operation[header] = value
+          end
+
           def query_param(uri_query, name)
             param_name = name.parameters["name"]
             return nil if !param_name

data/lib/linzer/message/adapter/generic/response.rb

@@ -31,16 +31,19 @@ module Linzer
             @operation[name]
           end
 
-          # Attaches a signature to the response.
-          # @param signature [Signature] The signature to attach
-          # @return [Object] The underlying response object
-          def attach!(signature)
-            signature.to_h.each { |h, v| @operation[h] = v }
-            @operation
-          end
-
           private
 
+          # Sets a header on the underlying HTTP message.
+          #
+          # If a header with the given name already exists, its value is overwritten.
+          #
+          # @param header [String] the header name
+          # @param value [String] the header value
+          # @return [String] the value assigned to the header
+          def set_header!(header, value)
+            @operation[header] = value
+          end
+
           def derived(name)
             raise Linzer::Error, "Sub-classes are required to implement this method!"
           end

data/lib/linzer/message/adapter/http_gem/common.rb

@@ -20,14 +20,6 @@ module Linzer
             @operation.headers[name]
           end
 
-          # Attaches a signature to the response.
-          # @param signature [Signature] The signature to attach
-          # @return [Object] The underlying response object
-          def attach!(signature)
-            signature.to_h.each { |h, v| @operation.headers[h] = v }
-            @operation
-          end
-
           private
 
           # Retrieves an HTTP field value from the request or response headers.
@@ -41,6 +33,17 @@ module Linzer
             value = @operation.headers[name.value.to_s]
             value.dup&.strip
           end
+
+          # Sets a header on the underlying HTTP message.
+          #
+          # If a header with the given name already exists, its value is overwritten.
+          #
+          # @param header [String] the header name
+          # @param value [String] the header value
+          # @return [String] the value assigned to the header
+          def set_header!(header, value)
+            @operation.headers[header] = value
+          end
         end
       end
     end

data/lib/linzer/message/adapter/rack/request.rb

@@ -27,14 +27,17 @@ module Linzer
             @operation.get_header(rack_header_name(name))
           end
 
-          # Attaches a signature to the request.
-          # @param signature [Signature] The signature to attach
-          # @return [::Rack::Request] The request with signature headers
-          def attach!(signature)
-            signature.to_h.each do |h, v|
-              @operation.set_header(rack_header_name(h), v)
-            end
-            @operation
+          private
+
+          # Sets a header on the underlying HTTP message.
+          #
+          # If a header with the given name already exists, its value is overwritten.
+          #
+          # @param header [String] the header name
+          # @param value [String] the header value
+          # @return [String] the value assigned to the header
+          def set_header!(header, value)
+            @operation.set_header(rack_header_name(header), value)
           end
         end
       end

data/lib/linzer/message/adapter/rack/response.rb

@@ -28,14 +28,17 @@ module Linzer
             @operation.get_header(name)
           end
 
-          # Attaches a signature to the response.
-          # @param signature [Signature] The signature to attach
-          # @return [::Rack::Response] The response with signature headers
-          def attach!(signature)
-            signature.to_h.each do |h, v|
-              @operation.set_header(h, v)
-            end
-            @operation
+          private
+
+          # Sets a header on the underlying HTTP message.
+          #
+          # If a header with the given name already exists, its value is overwritten.
+          #
+          # @param header [String] the header name
+          # @param value [String] the header value
+          # @return [String] the value assigned to the header
+          def set_header!(header, value)
+            @operation.set_header(header, value)
           end
         end
       end

data/lib/linzer/message/adapter.rb

@@ -3,9 +3,6 @@
 require_relative "adapter/abstract"
 require_relative "adapter/generic/request"
 require_relative "adapter/generic/response"
-require_relative "adapter/rack/common"
-require_relative "adapter/rack/request"
-require_relative "adapter/rack/response"
 require_relative "adapter/net_http/request"
 require_relative "adapter/net_http/response"
 

data/lib/linzer/message/field.rb

@@ -34,7 +34,7 @@ module Linzer
         # @raise [Error] If the component identifier is invalid
         def serialize
           raise Error, "Invalid component identifier: '#{field_name}'!" unless item
-          Starry.serialize(@item)
+          @serialized || Starry.serialize(@item)
         end
       end
 
@@ -54,6 +54,29 @@ module Linzer
 
       Identifier.include Message::Field::IdentifierMethods
 
+      # Lightweight FieldId for simple components (no parameters).
+      # Bypasses Starry parsing entirely. Duck-types with Identifier
+      # for use in the adapter's [] method.
+      # @api private
+      class FastIdentifier
+        def initialize(serialized, item)
+          @field_name = serialized
+          @item       = item
+          @serialized = serialized
+          freeze
+        end
+
+        attr_reader :field_name, :item
+
+        def derived?
+          @item.value.start_with?("@")
+        end
+
+        def serialize
+          @serialized
+        end
+      end
+
       class Identifier
         class << self
           # Serializes a single component identifier.
@@ -70,6 +93,35 @@ module Linzer
             components.map(&method(:serialize))
           end
 
+          # Serializes an array of component identifiers, returning both
+          # the serialized strings and the FieldId objects for reuse.
+          # @param components [Array<String>] Component names
+          # @return [Array(Array<String>, Array<Identifier>)] Serialized strings and FieldId objects
+          def serialize_components_with_field_ids(components)
+            serialized = Array.new(components.size)
+            field_ids  = Array.new(components.size)
+
+            components.each_with_index do |c, i|
+              if c.include?(";") || c.include?('"')
+                # Complex component with parameters or already serialized:
+                # fall back to full Starry parsing
+                fid = new(field_name: c)
+                field_ids[i]  = fid
+                serialized[i] = fid.serialize
+              else
+                # Simple component (e.g. "@method", "content-type"):
+                # build the Item and serialized string directly,
+                # bypassing Starry.parse_item + Starry.serialize
+                quoted = "\"#{c}\""
+                item   = Starry::Item.new(c, {})
+                field_ids[i]  = FastIdentifier.new(quoted, item)
+                serialized[i] = quoted
+              end
+            end
+
+            [serialized, field_ids]
+          end
+
           # Deserializes component identifiers back to names.
           # @param components [Array<String>] Serialized identifiers
           # @return [Array<String>] Component names

data/lib/linzer/message/wrapper.rb

@@ -12,8 +12,6 @@ module Linzer
     module Wrapper
       # Default adapter mappings for built-in HTTP library support.
       @adapters = {
-        Rack::Request     => Linzer::Message::Adapter::Rack::Request,
-        Rack::Response    => Linzer::Message::Adapter::Rack::Response,
         Net::HTTPRequest  => Linzer::Message::Adapter::NetHTTP::Request,
         Net::HTTPResponse => Linzer::Message::Adapter::NetHTTP::Response
       }

data/lib/linzer/rack.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# Rack integration for Linzer.
+#
+# Require this file to enable Rack support. It loads the Rack adapter
+# classes and registers them so that {Rack::Request} and {Rack::Response}
+# objects can be used directly with the Linzer signing and verification API.
+#
+# @example
+#   require "linzer/rack"
+#
+#   use Rack::Auth::Signature,
+#     except: "/login",
+#     default: :my_key
+
+require "rack"
+require "linzer"
+require "rack/auth/signature"
+require "linzer/message/adapter/rack/common"
+require "linzer/message/adapter/rack/request"
+require "linzer/message/adapter/rack/response"
+
+Linzer::Message.register_adapter(Rack::Request,  Linzer::Message::Adapter::Rack::Request)
+Linzer::Message.register_adapter(Rack::Response, Linzer::Message::Adapter::Rack::Response)

data/lib/linzer/rsa_pss.rb

@@ -65,18 +65,18 @@ module Linzer
         )
       end
 
+      private
+
       # @return [Boolean] true if this key contains public key material
-      def public?
+      def compute_public?
         has_pem_public?
       end
 
       # @return [Boolean] true if this key contains private key material
-      def private?
+      def compute_private?
         has_pem_private?
       end
 
-      private
-
       # Returns OpenSSL options for PSS signature operations.
       # @return [Hash] OpenSSL signature options
       def signature_options

data/lib/linzer/signature.rb

@@ -26,12 +26,14 @@ module Linzer
   # @see https://www.rfc-editor.org/rfc/rfc9421.html#section-4 RFC 9421 Section 4
   class Signature
     # @api private
-    # Use {.build} to create Signature instances.
-    def initialize(metadata, value, label, parameters = {})
-      @metadata   = metadata.clone.freeze
-      @value      = value.clone.freeze
-      @parameters = parameters.clone.freeze
-      @label      = label.clone.freeze
+    # Use {.build} or {.from_components} to create Signature instances.
+    def initialize(metadata, value, label, parameters = {}, parsed_items: nil, headers: nil)
+      @metadata     = metadata.clone.freeze
+      @value        = value.clone.freeze
+      @parameters   = parameters.clone.freeze
+      @label        = label.clone.freeze
+      @parsed_items = parsed_items&.freeze
+      @headers      = headers&.freeze
       freeze
     end
 
@@ -74,6 +76,20 @@ module Linzer
       FieldId.deserialize_components(serialized_components)
     end
 
+    # Builds FieldId objects for each covered component.
+    #
+    # Uses {parsed_items} when available to create {FastIdentifier} objects
+    # that bypass Starry re-parsing. Falls back to constructing full
+    # {FieldId} objects from the serialized strings.
+    #
+    # Returns a fresh array each time because some adapter methods may
+    # mutate item parameters during field lookup (e.g., deleting "req").
+    #
+    # @return [Array<FastIdentifier, FieldId>] FieldId objects for each component
+    def field_ids
+      build_field_ids
+    end
+
     # Returns the signature creation timestamp.
     #
     # @return [Integer, nil] Unix timestamp when the signature was created,
@@ -132,20 +148,60 @@ module Linzer
     # @example Attaching to a Net::HTTP request
     #   signature.to_h.each { |name, value| request[name] = value }
     def to_h
+      return @headers if @headers
+
+      items = @parsed_items || serialized_components.map { |c| Starry.parse_item(c) }
       {
         "signature"       => Starry.serialize({label => value}),
         "signature-input" => Starry.serialize({
-          label => Starry::InnerList.new(
-            serialized_components.map { |c| Starry.parse_item(c) },
-            parameters
-          )
+          label => Starry::InnerList.new(items, parameters)
         })
       }
     end
 
+    private
+
+    def build_field_ids
+      if @parsed_items && @parsed_items.size == @metadata.size
+        @metadata.each_with_index.map do |serialized, i|
+          item = @parsed_items[i]
+          # Clone items that have parameters since the adapter's retrieve
+          # method may mutate parameters (e.g., deleting "req").
+          unless item.parameters.empty?
+            item = Starry::Item.new(item.value, item.parameters.dup)
+          end
+          Message::Field::FastIdentifier.new(serialized, item)
+        end
+      else
+        @metadata.map { |c| FieldId.new(field_name: c) }
+      end
+    end
+
     class << self
       private :new
 
+      # Creates a Signature directly from its constituent parts.
+      #
+      # This avoids the serialize-then-parse round-trip when the caller
+      # (e.g. {Signer.sign}) already has all the data.
+      #
+      # @api private
+      # @param components [Array<String>] Serialized component identifiers
+      # @param raw_signature [String] The raw signature bytes
+      # @param label [String] The signature label
+      # @param parameters [Hash] Signature parameters (symbol keys)
+      # @param parsed_items [Array<Starry::Item>] Pre-parsed component items
+      # @param headers [Hash] Pre-serialized header strings
+      # @return [Signature] The constructed signature
+      def from_components(components:, raw_signature:, label:, parameters:, parsed_items:, headers:)
+        # Signature stores parameters with string keys (as produced by Starry
+        # parsing). Convert symbol keys from Signer to match.
+        string_params = {}
+        parameters.each { |k, v| string_params[k.to_s] = v }
+        new(components, raw_signature, label, string_params,
+            parsed_items: parsed_items, headers: headers)
+      end
+
       # Builds a Signature from HTTP headers.
       #
       # Parses the `signature` and `signature-input` headers according to
@@ -184,19 +240,15 @@ module Linzer
         reject_multiple_signatures if input.size > 1 && options[:label].nil?
         label = options[:label] || input.keys.first
 
-        signature = parse_structured_field(headers, "signature")
-        fail_with_signature_not_found label unless signature.key?(label)
-
-        raw_signature =
-          signature[label].value
-            .force_encoding(Encoding::ASCII_8BIT)
+        raw_signature = extract_raw_signature(headers["signature"], label)
 
         fail_due_invalid_components unless input[label].value.respond_to?(:each)
 
-        components = input[label].value.map { |c| Starry.serialize_item(c) }
+        parsed_items = input[label].value
+        components = serialize_parsed_items(parsed_items)
         parameters = input[label].parameters
 
-        new(components, raw_signature, label, parameters)
+        new(components, raw_signature, label, parameters, parsed_items: parsed_items)
       end
 
       private
@@ -223,6 +275,79 @@ module Linzer
         raise Error.new "Unexpected value for covered components."
       end
 
+      # Extracts the raw signature bytes for a given label from the
+      # signature header without a full Starry dictionary parse.
+      #
+      # The signature header format is: label=:base64data:
+      # For multiple signatures: label1=:b64:, label2=:b64:
+      #
+      # Falls back to full Starry parsing for non-trivial cases.
+      #
+      # @param header_value [String] the raw signature header
+      # @param label [String] the signature label to extract
+      # @return [String] the decoded signature bytes (ASCII-8BIT)
+      # @raise [Error] if the label is not found or decoding fails
+      def extract_raw_signature(header_value, label)
+        value = header_value.is_a?(String) ? header_value : header_value.to_s
+        prefix = "#{label}=:"
+
+        # Fast path: single signature (most common case)
+        if value.start_with?(prefix)
+          end_idx = value.index(":", prefix.length)
+          if end_idx
+            encoded = value[prefix.length...end_idx]
+            return Base64.strict_decode64(encoded)
+                .force_encoding(Encoding::ASCII_8BIT)
+          end
+        end
+
+        # Multi-signature or unusual format: find the right entry
+        # Split on comma-separated dictionary members
+        value.split(",").each do |entry|
+          entry = entry.strip
+          if entry.start_with?(prefix)
+            end_idx = entry.index(":", prefix.length)
+            if end_idx
+              encoded = entry[prefix.length...end_idx]
+              return Base64.strict_decode64(encoded)
+                  .force_encoding(Encoding::ASCII_8BIT)
+            end
+          end
+        end
+
+        # Label not found via fast path — fall back to Starry
+        signature = parse_structured_dictionary(
+          value.encode(Encoding::US_ASCII), "signature"
+        )
+        fail_with_signature_not_found label unless signature.key?(label)
+        signature[label].value.force_encoding(Encoding::ASCII_8BIT)
+      rescue ArgumentError
+        # Base64 decode failed — fall back to Starry
+        signature = parse_structured_dictionary(
+          value.encode(Encoding::US_ASCII), "signature"
+        )
+        fail_with_signature_not_found label unless signature.key?(label)
+        signature[label].value.force_encoding(Encoding::ASCII_8BIT)
+      end
+
+      # Serializes parsed Starry items to their string representations
+      # without going through the generic Starry.serialize_item path.
+      #
+      # For simple items (no parameters): builds '"value"' directly.
+      # For items with parameters: falls back to Starry.serialize_item.
+      #
+      # @param items [Array<Starry::Item>] parsed items from signature-input
+      # @return [Array<String>] serialized component identifiers
+      def serialize_parsed_items(items)
+        items.map do |item|
+          if item.parameters.empty?
+            "\"#{item.value}\""
+          else
+            Starry.serialize_item(item)
+          end
+        end
+      end
+
       def parse_structured_dictionary(str, field_name = nil)
         Starry.parse_dictionary(str)
       rescue Starry::ParseError => _