linzer 0.7.9 → 0.8.0.beta2

data/lib/linzer/signature.rb

@@ -26,12 +26,14 @@ module Linzer
   # @see https://www.rfc-editor.org/rfc/rfc9421.html#section-4 RFC 9421 Section 4
   class Signature
     # @api private
-    # Use {.build} to create Signature instances.
-    def initialize(metadata, value, label, parameters = {})
-      @metadata   = metadata.clone.freeze
-      @value      = value.clone.freeze
-      @parameters = parameters.clone.freeze
-      @label      = label.clone.freeze
+    # Use {.build} or {.from_components} to create Signature instances.
+    def initialize(metadata, value, label, parameters = {}, parsed_items: nil, headers: nil)
+      @metadata     = metadata.clone.freeze
+      @value        = value.clone.freeze
+      @parameters   = parameters.clone.freeze
+      @label        = label.clone.freeze
+      @parsed_items = parsed_items&.freeze
+      @headers      = headers&.freeze
       freeze
     end
 
@@ -74,6 +76,20 @@ module Linzer
       FieldId.deserialize_components(serialized_components)
     end
 
+    # Builds FieldId objects for each covered component.
+    #
+    # Uses {parsed_items} when available to create {FastIdentifier} objects
+    # that bypass Starry re-parsing. Falls back to constructing full
+    # {FieldId} objects from the serialized strings.
+    #
+    # Returns a fresh array each time because some adapter methods may
+    # mutate item parameters during field lookup (e.g., deleting "req").
+    #
+    # @return [Array<FastIdentifier, FieldId>] FieldId objects for each component
+    def field_ids
+      build_field_ids
+    end
+
     # Returns the signature creation timestamp.
     #
     # @return [Integer, nil] Unix timestamp when the signature was created,
@@ -132,20 +148,60 @@ module Linzer
     # @example Attaching to a Net::HTTP request
     #   signature.to_h.each { |name, value| request[name] = value }
     def to_h
+      return @headers if @headers
+
+      items = @parsed_items || serialized_components.map { |c| HTTP::StructuredField.parse_item(c) }
       {
-        "signature"       => Starry.serialize({label => value}),
-        "signature-input" => Starry.serialize({
-          label => Starry::InnerList.new(
-            serialized_components.map { |c| Starry.parse_item(c) },
-            parameters
-          )
+        "signature"       => HTTP::StructuredField.serialize({label => value}),
+        "signature-input" => HTTP::StructuredField.serialize({
+          label => HTTP::StructuredField::InnerList.new(items, parameters)
         })
       }
     end
 
+    private
+
+    def build_field_ids
+      if @parsed_items && @parsed_items.size == @metadata.size
+        @metadata.each_with_index.map do |serialized, i|
+          item = @parsed_items[i]
+          # Clone items that have parameters since the adapter's retrieve
+          # method may mutate parameters (e.g., deleting "req").
+          unless item.parameters.empty?
+            item = HTTP::StructuredField::Item.new(item.value, item.parameters.dup)
+          end
+          Message::Field::FastIdentifier.new(serialized, item)
+        end
+      else
+        @metadata.map { |c| FieldId.new(field_name: c) }
+      end
+    end
+
     class << self
       private :new
 
+      # Creates a Signature directly from its constituent parts.
+      #
+      # This avoids the serialize-then-parse round-trip when the caller
+      # (e.g. {Signer.sign}) already has all the data.
+      #
+      # @api private
+      # @param components [Array<String>] Serialized component identifiers
+      # @param raw_signature [String] The raw signature bytes
+      # @param label [String] The signature label
+      # @param parameters [Hash] Signature parameters (symbol keys)
+      # @param parsed_items [Array<Starry::Item>] Pre-parsed component items
+      # @param headers [Hash] Pre-serialized header strings
+      # @return [Signature] The constructed signature
+      def from_components(components:, raw_signature:, label:, parameters:, parsed_items:, headers:)
+        # Signature stores parameters with string keys (as produced by Starry
+        # parsing). Convert symbol keys from Signer to match.
+        string_params = {}
+        parameters.each { |k, v| string_params[k.to_s] = v }
+        new(components, raw_signature, label, string_params,
+            parsed_items: parsed_items, headers: headers)
+      end
+
       # Builds a Signature from HTTP headers.
       #
       # Parses the `signature` and `signature-input` headers according to
@@ -178,25 +234,26 @@ module Linzer
       def build(headers, options = {})
         basic_validate headers
         headers.transform_keys!(&:downcase)
+        headers.transform_values! { |v| v.encode(Encoding::ASCII) }
         validate headers
 
-        input = parse_structured_field(headers, "signature-input")
+        input = HTTP::StructuredField.parse_dictionary(
+          headers["signature-input"],
+          field_name: "signature-input"
+        )
+
         reject_multiple_signatures if input.size > 1 && options[:label].nil?
         label = options[:label] || input.keys.first
 
-        signature = parse_structured_field(headers, "signature")
-        fail_with_signature_not_found label unless signature.key?(label)
-
-        raw_signature =
-          signature[label].value
-            .force_encoding(Encoding::ASCII_8BIT)
+        raw_signature = extract_raw_signature(headers["signature"], label)
 
         fail_due_invalid_components unless input[label].value.respond_to?(:each)
 
-        components = input[label].value.map { |c| Starry.serialize_item(c) }
+        parsed_items = input[label].value
+        components = serialize_parsed_items(parsed_items)
         parameters = input[label].parameters
 
-        new(components, raw_signature, label, parameters)
+        new(components, raw_signature, label, parameters, parsed_items: parsed_items)
       end
 
       private
@@ -223,19 +280,77 @@ module Linzer
         raise Error.new "Unexpected value for covered components."
       end
 
-      def parse_structured_dictionary(str, field_name = nil)
-        Starry.parse_dictionary(str)
-      rescue Starry::ParseError => _
-        raise Error.new "Cannot parse \"#{field_name}\" field. Bailing out!"
+      # Extracts the raw signature bytes for a given label from the
+      # signature header without a full Starry dictionary parse.
+      #
+      # The signature header format is: label=:base64data:
+      # For multiple signatures: label1=:b64:, label2=:b64:
+      #
+      # Falls back to full Starry parsing for non-trivial cases.
+      #
+      # @param header_value [String] the raw signature header
+      # @param label [String] the signature label to extract
+      # @return [String] the decoded signature bytes (ASCII-8BIT)
+      # @raise [Error] if the label is not found or decoding fails
+      def extract_raw_signature(header_value, label)
+        value = header_value.is_a?(String) ? header_value : header_value.to_s
+        prefix = "#{label}=:"
+
+        # Fast path: single signature (most common case)
+        if value.start_with?(prefix)
+          end_idx = value.index(":", prefix.length)
+          if end_idx
+            encoded = value[prefix.length...end_idx]
+            return Base64.strict_decode64(encoded)
+                .force_encoding(Encoding::ASCII_8BIT)
+          end
+        end
+
+        # Multi-signature or unusual format: find the right entry
+        # Split on comma-separated dictionary members
+        value.split(",").each do |entry|
+          entry = entry.strip
+          if entry.start_with?(prefix)
+            end_idx = entry.index(":", prefix.length)
+            if end_idx
+              encoded = entry[prefix.length...end_idx]
+              return Base64.strict_decode64(encoded)
+                  .force_encoding(Encoding::ASCII_8BIT)
+            end
+          end
+        end
+
+        # Label not found via fast path — fall back to Starry
+        signature = HTTP::StructuredField.parse_dictionary(
+          value.encode(Encoding::US_ASCII),
+          field_name: "signature"
+        )
+        fail_with_signature_not_found label unless signature.key?(label)
+        signature[label].value.force_encoding(Encoding::ASCII_8BIT)
+      rescue ArgumentError
+        # Base64 decode failed — fall back to Starry
+        signature = HTTP::StructuredField.parse_dictionary(
+          value.encode(Encoding::US_ASCII),
+          field_name: "signature")
+        fail_with_signature_not_found label unless signature.key?(label)
+        signature[label].value.force_encoding(Encoding::ASCII_8BIT)
       end
 
-      # Parses a structured field value as a dictionary.
-      # @see https://datatracker.ietf.org/doc/html/rfc8941 RFC 8941
-      def parse_structured_field(hsh, field_name)
-        # Serialized Structured Field values for HTTP are ASCII strings.
-        # See: RFC 8941 (https://datatracker.ietf.org/doc/html/rfc8941)
-        value = hsh[field_name].encode(Encoding::US_ASCII)
-        parse_structured_dictionary(value, field_name)
+      # Serializes parsed structured field items to their RFC 8941
+      # string representations.
+      #
+      # Serialization is delegated to `Starry.serialize_item` to ensure
+      # consistent RFC-compliant formatting of structured field items and
+      # parameters.
+      #
+      # @param items [Array<Starry::Item>]
+      #   Parsed structured field items.
+      #
+      # @return [Array<String>]
+      #   The serialized structured field item representations.
+      #
+      def serialize_parsed_items(items)
+        items.map { |item| HTTP::StructuredField.serialize_item(item) }
       end
     end
   end

data/lib/linzer/signer.rb

@@ -68,16 +68,31 @@ module Linzer
       #     tag: "my-app"
       #   )
       def sign(key, message, components, options = {})
-        serialized_components = FieldId.serialize_components(Array(components))
-        validate key, message, serialized_components
+        serialized_components, field_ids =
+          FieldId.serialize_components_with_field_ids(Array(components))
+        validate key, message, serialized_components, field_ids: field_ids
+
+        # Reuse the already-parsed items from field_ids
+        parsed_items = field_ids.map(&:item)
 
         parameters = populate_parameters(key, options)
-        signature_base = signature_base(message, serialized_components, parameters)
+        signature_base = signature_base(message, serialized_components, parameters,
+                                        field_ids: field_ids)
 
-        signature = key.sign(signature_base)
+        raw_signature = key.sign(signature_base)
         label = options[:label] || DEFAULT_LABEL
 
-        Linzer::Signature.build(serialize(signature, serialized_components, parameters, label))
+        # Build the signature directly, bypassing the serialize -> parse round-trip
+        headers = serialize(raw_signature, serialized_components, parameters, label)
+
+        Linzer::Signature.from_components(
+          components:    serialized_components,
+          raw_signature: raw_signature,
+          label:         label,
+          parameters:    parameters,
+          parsed_items:  parsed_items,
+          headers:       headers
+        )
       end
 
       # Returns the default signature label.
@@ -91,19 +106,22 @@ module Linzer
 
       # Validates signing inputs.
       # @raise [SigningError] If any input is invalid
-      def validate(key, message, components)
+      def validate(key, message, components, field_ids: nil)
         msg = "Message cannot be signed with null %s"
         raise SigningError, msg % "value"     if message.nil?
         raise SigningError, msg % "key"       if key.nil?
         raise SigningError, msg % "component" if components.nil?
 
         begin
-          validate_components message, components
+          validate_components message, components, field_ids: field_ids
         rescue Error => ex
           raise SigningError, ex.message, cause: ex
         end
       end
 
+      RESERVED_OPTIONS = %i[created keyid label].freeze
+      private_constant :RESERVED_OPTIONS
+
       # Builds the signature parameters hash from options and key.
       # @return [Hash] The populated parameters
       def populate_parameters(key, options)
@@ -114,22 +132,25 @@ module Linzer
         key_id = options[:keyid] || (key.key_id if key.respond_to?(:key_id))
         parameters[:keyid] = key_id             unless key_id.nil?
 
-        (options.keys - %i[created keyid label]).each { |k| parameters[k] = options[k] }
+        options.each { |k, v| parameters[k] = v unless RESERVED_OPTIONS.include?(k) }
 
         parameters
       end
 
       # Serializes the signature into HTTP header format.
+      #
+      # Uses direct string building instead of Starry.serialize to avoid
+      # the overhead of generic structured field serialization.
+      #
       # @return [Hash] Hash with "signature" and "signature-input" keys
       def serialize(signature, components, parameters, label)
+        sig_b64 = Base64.strict_encode64(signature)
+        input_params = HTTP::StructuredField.serialize_parameters(parameters)
+        components_str = components.join(" ")
+
         {
-          "signature" => Starry.serialize({label => signature}),
-          "signature-input" =>
-            Starry.serialize(label =>
-              Starry::InnerList.new(
-                components.map { |c| Starry.parse_item(c) },
-                parameters
-              ))
+          "signature"       => "#{label}=:#{sig_b64}:",
+          "signature-input" => "#{label}=(#{components_str})#{input_params}"
         }
       end
     end

data/lib/linzer/verifier.rb

@@ -59,7 +59,12 @@ module Linzer
         parameters = signature.parameters
         serialized_components = signature.serialized_components
 
-        signature_base = signature_base(message, serialized_components, parameters)
+        # Build fresh field_ids for signature_base (validate already
+        # consumed its own set, which may have been mutated by adapters).
+        field_ids = signature.field_ids
+
+        signature_base = signature_base(message, serialized_components, parameters,
+                                        field_ids: field_ids)
 
         verify_or_fail key, signature.value, signature_base
       end
@@ -78,10 +83,11 @@ module Linzer
         end
 
         raise VerifyError, "Signature raw value to cannot be null" if signature.value.nil?
-        raise VerifyError, "Components cannot be null"             if signature.components.nil?
+        raise VerifyError, "Components cannot be null"             if signature.serialized_components.nil?
 
         begin
-          validate_components message, signature.serialized_components
+          validate_components message, signature.serialized_components,
+                             field_ids: signature.field_ids
         rescue Error => ex
           raise VerifyError, ex.message, cause: ex
         end

data/lib/linzer/version.rb

@@ -3,5 +3,5 @@
 module Linzer
   # Current version of the Linzer gem.
   # @return [String]
-  VERSION = "0.7.9"
+  VERSION = "0.8.0.beta2"
 end

data/lib/linzer.rb

@@ -2,17 +2,21 @@
 
 require "starry"
 require "openssl"
-require "rack"
 require "uri"
 require "net/http"
 
 require_relative "linzer/version"
+require_relative "linzer/http"
+require_relative "linzer/http/structured_field"
 require_relative "linzer/common"
+require_relative "linzer/signature/context"
+require_relative "linzer/signature/profile"
 require_relative "linzer/helper"
 require_relative "linzer/options"
 require_relative "linzer/message"
 require_relative "linzer/message/adapter"
 require_relative "linzer/message/wrapper"
+require_relative "linzer/message/overlay"
 require_relative "linzer/message/field"
 require_relative "linzer/message/field/parser"
 require_relative "linzer/signature"
@@ -25,7 +29,6 @@ require_relative "linzer/ecdsa"
 require_relative "linzer/key/helper"
 require_relative "linzer/signer"
 require_relative "linzer/verifier"
-require_relative "linzer/http"
 
 # Linzer is a Ruby library for HTTP Message Signatures as defined in RFC 9421.
 #
@@ -157,5 +160,3 @@ module Linzer
   # Used for serializing and deserializing component identifiers.
   FieldId = Message::Field::Identifier
 end
-
-require_relative "rack/auth/signature"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.7.9
+  version: 0.8.0.beta2
 platform: ruby
 authors:
 - Miguel Landaeta
@@ -23,26 +23,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
-- !ruby/object:Gem::Dependency
-  name: rack
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: uri
   requirement: !ruby/object:Gem::Requirement
@@ -63,26 +43,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.2
-- !ruby/object:Gem::Dependency
-  name: logger
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.7'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.7.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.7'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.7.0
 - !ruby/object:Gem::Dependency
   name: forwardable
   requirement: !ruby/object:Gem::Requirement
@@ -156,6 +116,10 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- benchmarks/profile_sign_ed25519.rb
+- benchmarks/profile_verify_ed25519.rb
+- benchmarks/sign.rb
+- benchmarks/verify.rb
 - examples/sinatra/Gemfile
 - examples/sinatra/config.ru
 - examples/sinatra/http-signatures.yml
@@ -175,6 +139,7 @@ files:
 - lib/linzer/http.rb
 - lib/linzer/http/bootstrap.rb
 - lib/linzer/http/signature_feature.rb
+- lib/linzer/http/structured_field.rb
 - lib/linzer/jws.rb
 - lib/linzer/key.rb
 - lib/linzer/key/helper.rb
@@ -195,11 +160,18 @@ files:
 - lib/linzer/message/adapter/rack/response.rb
 - lib/linzer/message/field.rb
 - lib/linzer/message/field/parser.rb
+- lib/linzer/message/overlay.rb
 - lib/linzer/message/wrapper.rb
 - lib/linzer/options.rb
+- lib/linzer/rack.rb
 - lib/linzer/rsa.rb
 - lib/linzer/rsa_pss.rb
 - lib/linzer/signature.rb
+- lib/linzer/signature/context.rb
+- lib/linzer/signature/profile.rb
+- lib/linzer/signature/profile/base.rb
+- lib/linzer/signature/profile/example.rb
+- lib/linzer/signature/profile/web_bot_auth.rb
 - lib/linzer/signer.rb
 - lib/linzer/verifier.rb
 - lib/linzer/version.rb