linzer 0.7.9 → 0.8.0.beta1

data/lib/linzer/key.rb

@@ -38,6 +38,8 @@ module Linzer
       @material = material
       @params   = Hash(params).clone.freeze
       validate
+      @is_private = compute_private?
+      @is_public  = compute_public?
       freeze
     end
 
@@ -84,14 +86,14 @@ module Linzer
     #
     # @return [Boolean] true if the key contains public key material
     def public?
-      material.public?
+      @is_public
     end
 
     # Checks if this key can be used for signing.
     #
     # @return [Boolean] true if the key contains private key material
     def private?
-      material.private?
+      @is_private
     end
 
     private
@@ -102,6 +104,22 @@ module Linzer
       !material.nil? or raise Error.new "Invalid key. No key material provided."
     end
 
+    # Computes whether the key contains private key material.
+    # Override in subclasses where the OpenSSL key object does not
+    # respond to +private?+ (e.g. Ed25519, RSA-PSS).
+    # @return [Boolean]
+    def compute_private?
+      material.respond_to?(:private?) ? material.private? : false
+    end
+
+    # Computes whether the key contains public key material.
+    # Override in subclasses where the OpenSSL key object does not
+    # respond to +public?+ (e.g. Ed25519, RSA-PSS).
+    # @return [Boolean]
+    def compute_public?
+      material.respond_to?(:public?) ? material.public? : false
+    end
+
     # Validates that a digest algorithm is configured.
     # @raise [Error] If no digest algorithm is set
     def validate_digest

data/lib/linzer/message/adapter/abstract.rb

@@ -70,7 +70,7 @@ module Linzer
         # @example With structured field parameter
         #   adapter['"example-dict";key="a"']  # => "1"
         def [](field)
-          field_id = field.is_a?(FieldId) ? field : parse_field_name(field)
+          field_id = (field.is_a?(FieldId) || field.is_a?(Field::FastIdentifier)) ? field : parse_field_name(field)
           return nil if field_id.nil? || field_id.item.nil?
           retrieve(field_id.item, field_id.derived? ? :derived : :field)
         end
@@ -190,10 +190,11 @@ module Linzer
         # @param method [Symbol] +:derived+ or +:field+
         # @return [String, Integer, nil] the component value
         def retrieve(name, method)
-          if !name.parameters.empty?
-            valid_params = validate_parameters(name, method)
-            return nil if !valid_params
-          end
+          # Fast path: no parameters means no special handling needed
+          return send(method, name) if name.parameters.empty?
+
+          valid_params = validate_parameters(name, method)
+          return nil if !valid_params
 
           has_req = name.parameters["req"]
           has_sf  = name.parameters["sf"] || name.parameters.key?("key")

data/lib/linzer/message/adapter.rb

@@ -3,9 +3,6 @@
 require_relative "adapter/abstract"
 require_relative "adapter/generic/request"
 require_relative "adapter/generic/response"
-require_relative "adapter/rack/common"
-require_relative "adapter/rack/request"
-require_relative "adapter/rack/response"
 require_relative "adapter/net_http/request"
 require_relative "adapter/net_http/response"
 

data/lib/linzer/message/field.rb

@@ -34,7 +34,7 @@ module Linzer
         # @raise [Error] If the component identifier is invalid
         def serialize
           raise Error, "Invalid component identifier: '#{field_name}'!" unless item
-          Starry.serialize(@item)
+          @serialized || Starry.serialize(@item)
         end
       end
 
@@ -54,6 +54,29 @@ module Linzer
 
       Identifier.include Message::Field::IdentifierMethods
 
+      # Lightweight FieldId for simple components (no parameters).
+      # Bypasses Starry parsing entirely. Duck-types with Identifier
+      # for use in the adapter's [] method.
+      # @api private
+      class FastIdentifier
+        def initialize(serialized, item)
+          @field_name = serialized
+          @item       = item
+          @serialized = serialized
+          freeze
+        end
+
+        attr_reader :field_name, :item
+
+        def derived?
+          @item.value.start_with?("@")
+        end
+
+        def serialize
+          @serialized
+        end
+      end
+
       class Identifier
         class << self
           # Serializes a single component identifier.
@@ -70,6 +93,35 @@ module Linzer
             components.map(&method(:serialize))
           end
 
+          # Serializes an array of component identifiers, returning both
+          # the serialized strings and the FieldId objects for reuse.
+          # @param components [Array<String>] Component names
+          # @return [Array(Array<String>, Array<Identifier>)] Serialized strings and FieldId objects
+          def serialize_components_with_field_ids(components)
+            serialized = Array.new(components.size)
+            field_ids  = Array.new(components.size)
+
+            components.each_with_index do |c, i|
+              if c.include?(";") || c.include?('"')
+                # Complex component with parameters or already serialized:
+                # fall back to full Starry parsing
+                fid = new(field_name: c)
+                field_ids[i]  = fid
+                serialized[i] = fid.serialize
+              else
+                # Simple component (e.g. "@method", "content-type"):
+                # build the Item and serialized string directly,
+                # bypassing Starry.parse_item + Starry.serialize
+                quoted = "\"#{c}\""
+                item   = Starry::Item.new(c, {})
+                field_ids[i]  = FastIdentifier.new(quoted, item)
+                serialized[i] = quoted
+              end
+            end
+
+            [serialized, field_ids]
+          end
+
           # Deserializes component identifiers back to names.
           # @param components [Array<String>] Serialized identifiers
           # @return [Array<String>] Component names

data/lib/linzer/message/wrapper.rb

@@ -12,8 +12,6 @@ module Linzer
     module Wrapper
       # Default adapter mappings for built-in HTTP library support.
       @adapters = {
-        Rack::Request     => Linzer::Message::Adapter::Rack::Request,
-        Rack::Response    => Linzer::Message::Adapter::Rack::Response,
         Net::HTTPRequest  => Linzer::Message::Adapter::NetHTTP::Request,
         Net::HTTPResponse => Linzer::Message::Adapter::NetHTTP::Response
       }

data/lib/linzer/rack.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# Rack integration for Linzer.
+#
+# Require this file to enable Rack support. It loads the Rack adapter
+# classes and registers them so that {Rack::Request} and {Rack::Response}
+# objects can be used directly with the Linzer signing and verification API.
+#
+# @example
+#   require "linzer/rack"
+#
+#   use Rack::Auth::Signature,
+#     except: "/login",
+#     default: :my_key
+
+require "rack"
+require "linzer"
+require "rack/auth/signature"
+require "linzer/message/adapter/rack/common"
+require "linzer/message/adapter/rack/request"
+require "linzer/message/adapter/rack/response"
+
+Linzer::Message.register_adapter(Rack::Request,  Linzer::Message::Adapter::Rack::Request)
+Linzer::Message.register_adapter(Rack::Response, Linzer::Message::Adapter::Rack::Response)

data/lib/linzer/rsa_pss.rb

@@ -65,18 +65,18 @@ module Linzer
         )
       end
 
+      private
+
       # @return [Boolean] true if this key contains public key material
-      def public?
+      def compute_public?
         has_pem_public?
       end
 
       # @return [Boolean] true if this key contains private key material
-      def private?
+      def compute_private?
         has_pem_private?
       end
 
-      private
-
       # Returns OpenSSL options for PSS signature operations.
       # @return [Hash] OpenSSL signature options
       def signature_options

data/lib/linzer/signature.rb

@@ -26,12 +26,14 @@ module Linzer
   # @see https://www.rfc-editor.org/rfc/rfc9421.html#section-4 RFC 9421 Section 4
   class Signature
     # @api private
-    # Use {.build} to create Signature instances.
-    def initialize(metadata, value, label, parameters = {})
-      @metadata   = metadata.clone.freeze
-      @value      = value.clone.freeze
-      @parameters = parameters.clone.freeze
-      @label      = label.clone.freeze
+    # Use {.build} or {.from_components} to create Signature instances.
+    def initialize(metadata, value, label, parameters = {}, parsed_items: nil, headers: nil)
+      @metadata     = metadata.clone.freeze
+      @value        = value.clone.freeze
+      @parameters   = parameters.clone.freeze
+      @label        = label.clone.freeze
+      @parsed_items = parsed_items&.freeze
+      @headers      = headers&.freeze
       freeze
     end
 
@@ -74,6 +76,20 @@ module Linzer
       FieldId.deserialize_components(serialized_components)
     end
 
+    # Builds FieldId objects for each covered component.
+    #
+    # Uses {parsed_items} when available to create {FastIdentifier} objects
+    # that bypass Starry re-parsing. Falls back to constructing full
+    # {FieldId} objects from the serialized strings.
+    #
+    # Returns a fresh array each time because some adapter methods may
+    # mutate item parameters during field lookup (e.g., deleting "req").
+    #
+    # @return [Array<FastIdentifier, FieldId>] FieldId objects for each component
+    def field_ids
+      build_field_ids
+    end
+
     # Returns the signature creation timestamp.
     #
     # @return [Integer, nil] Unix timestamp when the signature was created,
@@ -132,20 +148,60 @@ module Linzer
     # @example Attaching to a Net::HTTP request
     #   signature.to_h.each { |name, value| request[name] = value }
     def to_h
+      return @headers if @headers
+
+      items = @parsed_items || serialized_components.map { |c| Starry.parse_item(c) }
       {
         "signature"       => Starry.serialize({label => value}),
         "signature-input" => Starry.serialize({
-          label => Starry::InnerList.new(
-            serialized_components.map { |c| Starry.parse_item(c) },
-            parameters
-          )
+          label => Starry::InnerList.new(items, parameters)
         })
       }
     end
 
+    private
+
+    def build_field_ids
+      if @parsed_items && @parsed_items.size == @metadata.size
+        @metadata.each_with_index.map do |serialized, i|
+          item = @parsed_items[i]
+          # Clone items that have parameters since the adapter's retrieve
+          # method may mutate parameters (e.g., deleting "req").
+          unless item.parameters.empty?
+            item = Starry::Item.new(item.value, item.parameters.dup)
+          end
+          Message::Field::FastIdentifier.new(serialized, item)
+        end
+      else
+        @metadata.map { |c| FieldId.new(field_name: c) }
+      end
+    end
+
     class << self
       private :new
 
+      # Creates a Signature directly from its constituent parts.
+      #
+      # This avoids the serialize-then-parse round-trip when the caller
+      # (e.g. {Signer.sign}) already has all the data.
+      #
+      # @api private
+      # @param components [Array<String>] Serialized component identifiers
+      # @param raw_signature [String] The raw signature bytes
+      # @param label [String] The signature label
+      # @param parameters [Hash] Signature parameters (symbol keys)
+      # @param parsed_items [Array<Starry::Item>] Pre-parsed component items
+      # @param headers [Hash] Pre-serialized header strings
+      # @return [Signature] The constructed signature
+      def from_components(components:, raw_signature:, label:, parameters:, parsed_items:, headers:)
+        # Signature stores parameters with string keys (as produced by Starry
+        # parsing). Convert symbol keys from Signer to match.
+        string_params = {}
+        parameters.each { |k, v| string_params[k.to_s] = v }
+        new(components, raw_signature, label, string_params,
+            parsed_items: parsed_items, headers: headers)
+      end
+
       # Builds a Signature from HTTP headers.
       #
       # Parses the `signature` and `signature-input` headers according to
@@ -184,19 +240,15 @@ module Linzer
         reject_multiple_signatures if input.size > 1 && options[:label].nil?
         label = options[:label] || input.keys.first
 
-        signature = parse_structured_field(headers, "signature")
-        fail_with_signature_not_found label unless signature.key?(label)
-
-        raw_signature =
-          signature[label].value
-            .force_encoding(Encoding::ASCII_8BIT)
+        raw_signature = extract_raw_signature(headers["signature"], label)
 
         fail_due_invalid_components unless input[label].value.respond_to?(:each)
 
-        components = input[label].value.map { |c| Starry.serialize_item(c) }
+        parsed_items = input[label].value
+        components = serialize_parsed_items(parsed_items)
         parameters = input[label].parameters
 
-        new(components, raw_signature, label, parameters)
+        new(components, raw_signature, label, parameters, parsed_items: parsed_items)
       end
 
       private
@@ -223,6 +275,79 @@ module Linzer
         raise Error.new "Unexpected value for covered components."
       end
 
+      # Extracts the raw signature bytes for a given label from the
+      # signature header without a full Starry dictionary parse.
+      #
+      # The signature header format is: label=:base64data:
+      # For multiple signatures: label1=:b64:, label2=:b64:
+      #
+      # Falls back to full Starry parsing for non-trivial cases.
+      #
+      # @param header_value [String] the raw signature header
+      # @param label [String] the signature label to extract
+      # @return [String] the decoded signature bytes (ASCII-8BIT)
+      # @raise [Error] if the label is not found or decoding fails
+      def extract_raw_signature(header_value, label)
+        value = header_value.is_a?(String) ? header_value : header_value.to_s
+        prefix = "#{label}=:"
+
+        # Fast path: single signature (most common case)
+        if value.start_with?(prefix)
+          end_idx = value.index(":", prefix.length)
+          if end_idx
+            encoded = value[prefix.length...end_idx]
+            return Base64.strict_decode64(encoded)
+                .force_encoding(Encoding::ASCII_8BIT)
+          end
+        end
+
+        # Multi-signature or unusual format: find the right entry
+        # Split on comma-separated dictionary members
+        value.split(",").each do |entry|
+          entry = entry.strip
+          if entry.start_with?(prefix)
+            end_idx = entry.index(":", prefix.length)
+            if end_idx
+              encoded = entry[prefix.length...end_idx]
+              return Base64.strict_decode64(encoded)
+                  .force_encoding(Encoding::ASCII_8BIT)
+            end
+          end
+        end
+
+        # Label not found via fast path — fall back to Starry
+        signature = parse_structured_dictionary(
+          value.encode(Encoding::US_ASCII), "signature"
+        )
+        fail_with_signature_not_found label unless signature.key?(label)
+        signature[label].value.force_encoding(Encoding::ASCII_8BIT)
+      rescue ArgumentError
+        # Base64 decode failed — fall back to Starry
+        signature = parse_structured_dictionary(
+          value.encode(Encoding::US_ASCII), "signature"
+        )
+        fail_with_signature_not_found label unless signature.key?(label)
+        signature[label].value.force_encoding(Encoding::ASCII_8BIT)
+      end
+
+      # Serializes parsed Starry items to their string representations
+      # without going through the generic Starry.serialize_item path.
+      #
+      # For simple items (no parameters): builds '"value"' directly.
+      # For items with parameters: falls back to Starry.serialize_item.
+      #
+      # @param items [Array<Starry::Item>] parsed items from signature-input
+      # @return [Array<String>] serialized component identifiers
+      def serialize_parsed_items(items)
+        items.map do |item|
+          if item.parameters.empty?
+            "\"#{item.value}\""
+          else
+            Starry.serialize_item(item)
+          end
+        end
+      end
+
       def parse_structured_dictionary(str, field_name = nil)
         Starry.parse_dictionary(str)
       rescue Starry::ParseError => _

data/lib/linzer/signer.rb

@@ -68,16 +68,31 @@ module Linzer
       #     tag: "my-app"
       #   )
       def sign(key, message, components, options = {})
-        serialized_components = FieldId.serialize_components(Array(components))
-        validate key, message, serialized_components
+        serialized_components, field_ids =
+          FieldId.serialize_components_with_field_ids(Array(components))
+        validate key, message, serialized_components, field_ids: field_ids
+
+        # Reuse the already-parsed items from field_ids
+        parsed_items = field_ids.map(&:item)
 
         parameters = populate_parameters(key, options)
-        signature_base = signature_base(message, serialized_components, parameters)
+        signature_base = signature_base(message, serialized_components, parameters,
+                                        field_ids: field_ids)
 
-        signature = key.sign(signature_base)
+        raw_signature = key.sign(signature_base)
         label = options[:label] || DEFAULT_LABEL
 
-        Linzer::Signature.build(serialize(signature, serialized_components, parameters, label))
+        # Build the signature directly, bypassing the serialize -> parse round-trip
+        headers = serialize(raw_signature, serialized_components, parameters, label)
+
+        Linzer::Signature.from_components(
+          components:    serialized_components,
+          raw_signature: raw_signature,
+          label:         label,
+          parameters:    parameters,
+          parsed_items:  parsed_items,
+          headers:       headers
+        )
       end
 
       # Returns the default signature label.
@@ -91,19 +106,22 @@ module Linzer
 
       # Validates signing inputs.
       # @raise [SigningError] If any input is invalid
-      def validate(key, message, components)
+      def validate(key, message, components, field_ids: nil)
         msg = "Message cannot be signed with null %s"
         raise SigningError, msg % "value"     if message.nil?
         raise SigningError, msg % "key"       if key.nil?
         raise SigningError, msg % "component" if components.nil?
 
         begin
-          validate_components message, components
+          validate_components message, components, field_ids: field_ids
         rescue Error => ex
           raise SigningError, ex.message, cause: ex
         end
       end
 
+      RESERVED_OPTIONS = %i[created keyid label].freeze
+      private_constant :RESERVED_OPTIONS
+
       # Builds the signature parameters hash from options and key.
       # @return [Hash] The populated parameters
       def populate_parameters(key, options)
@@ -114,22 +132,25 @@ module Linzer
         key_id = options[:keyid] || (key.key_id if key.respond_to?(:key_id))
         parameters[:keyid] = key_id             unless key_id.nil?
 
-        (options.keys - %i[created keyid label]).each { |k| parameters[k] = options[k] }
+        options.each { |k, v| parameters[k] = v unless RESERVED_OPTIONS.include?(k) }
 
         parameters
       end
 
       # Serializes the signature into HTTP header format.
+      #
+      # Uses direct string building instead of Starry.serialize to avoid
+      # the overhead of generic structured field serialization.
+      #
       # @return [Hash] Hash with "signature" and "signature-input" keys
       def serialize(signature, components, parameters, label)
+        sig_b64 = Base64.strict_encode64(signature)
+        input_params = HTTP::StructuredField.serialize_parameters(parameters)
+        components_str = components.join(" ")
+
         {
-          "signature" => Starry.serialize({label => signature}),
-          "signature-input" =>
-            Starry.serialize(label =>
-              Starry::InnerList.new(
-                components.map { |c| Starry.parse_item(c) },
-                parameters
-              ))
+          "signature"       => "#{label}=:#{sig_b64}:",
+          "signature-input" => "#{label}=(#{components_str})#{input_params}"
         }
       end
     end

data/lib/linzer/verifier.rb

@@ -59,7 +59,12 @@ module Linzer
         parameters = signature.parameters
         serialized_components = signature.serialized_components
 
-        signature_base = signature_base(message, serialized_components, parameters)
+        # Build fresh field_ids for signature_base (validate already
+        # consumed its own set, which may have been mutated by adapters).
+        field_ids = signature.field_ids
+
+        signature_base = signature_base(message, serialized_components, parameters,
+                                        field_ids: field_ids)
 
         verify_or_fail key, signature.value, signature_base
       end
@@ -78,10 +83,11 @@ module Linzer
         end
 
         raise VerifyError, "Signature raw value to cannot be null" if signature.value.nil?
-        raise VerifyError, "Components cannot be null"             if signature.components.nil?
+        raise VerifyError, "Components cannot be null"             if signature.serialized_components.nil?
 
         begin
-          validate_components message, signature.serialized_components
+          validate_components message, signature.serialized_components,
+                             field_ids: signature.field_ids
         rescue Error => ex
           raise VerifyError, ex.message, cause: ex
         end

data/lib/linzer/version.rb

@@ -3,5 +3,5 @@
 module Linzer
   # Current version of the Linzer gem.
   # @return [String]
-  VERSION = "0.7.9"
+  VERSION = "0.8.0.beta1"
 end

data/lib/linzer.rb

@@ -2,7 +2,6 @@
 
 require "starry"
 require "openssl"
-require "rack"
 require "uri"
 require "net/http"
 
@@ -26,6 +25,7 @@ require_relative "linzer/key/helper"
 require_relative "linzer/signer"
 require_relative "linzer/verifier"
 require_relative "linzer/http"
+require_relative "linzer/http/structured_field"
 
 # Linzer is a Ruby library for HTTP Message Signatures as defined in RFC 9421.
 #
@@ -157,5 +157,3 @@ module Linzer
   # Used for serializing and deserializing component identifiers.
   FieldId = Message::Field::Identifier
 end
-
-require_relative "rack/auth/signature"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.7.9
+  version: 0.8.0.beta1
 platform: ruby
 authors:
 - Miguel Landaeta
@@ -23,26 +23,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
-- !ruby/object:Gem::Dependency
-  name: rack
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: uri
   requirement: !ruby/object:Gem::Requirement
@@ -63,26 +43,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.2
-- !ruby/object:Gem::Dependency
-  name: logger
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.7'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.7.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.7'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.7.0
 - !ruby/object:Gem::Dependency
   name: forwardable
   requirement: !ruby/object:Gem::Requirement
@@ -156,6 +116,10 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- benchmarks/profile_sign_ed25519.rb
+- benchmarks/profile_verify_ed25519.rb
+- benchmarks/sign.rb
+- benchmarks/verify.rb
 - examples/sinatra/Gemfile
 - examples/sinatra/config.ru
 - examples/sinatra/http-signatures.yml
@@ -175,6 +139,7 @@ files:
 - lib/linzer/http.rb
 - lib/linzer/http/bootstrap.rb
 - lib/linzer/http/signature_feature.rb
+- lib/linzer/http/structured_field.rb
 - lib/linzer/jws.rb
 - lib/linzer/key.rb
 - lib/linzer/key/helper.rb
@@ -197,6 +162,7 @@ files:
 - lib/linzer/message/field/parser.rb
 - lib/linzer/message/wrapper.rb
 - lib/linzer/options.rb
+- lib/linzer/rack.rb
 - lib/linzer/rsa.rb
 - lib/linzer/rsa_pss.rb
 - lib/linzer/signature.rb