@dwk/http-signatures 0.1.0-beta.0

package/dist/sf.d.ts

@@ -0,0 +1,49 @@
+/**
+ * A focused RFC 8941 structured-fields parser, scoped to the two fields HTTP
+ * Message Signatures use: `Signature-Input` (a Dictionary of Inner Lists with
+ * parameters) and `Signature` (a Dictionary of Byte Sequences).
+ *
+ * It is intentionally not a general structured-fields implementation. Parsing
+ * is strict — anything malformed throws {@link SfParseError}, which the callers
+ * turn into a verification failure rather than guessing at the sender's intent.
+ */
+/** A structured-fields bare item value, as the native JS shape we use it as. */
+export type SfBareItem = string | number | boolean | Uint8Array;
+/** One member of an `Signature-Input` inner list (a covered-component id). */
+export interface SfInnerItem {
+    /** Exact source text of the item (bare item plus its parameters). */
+    raw: string;
+    /** The bare item, a string for every component identifier we accept. */
+    value: SfBareItem;
+    /** Item parameters, in source order. */
+    params: Array<[string, SfBareItem]>;
+}
+/** A parsed `Signature-Input` dictionary member. */
+export interface SfSignatureInput {
+    /** Exact source text of the member value (inner list plus its parameters). */
+    raw: string;
+    items: SfInnerItem[];
+    params: Array<[string, SfBareItem]>;
+}
+/** Thrown on any malformed structured-field input. */
+export declare class SfParseError extends Error {
+}
+/**
+ * Parse a `Signature-Input` header into its labelled inner lists, preserving
+ * for each member the exact source text of its value (the `@signature-params`
+ * value the base must reproduce byte-for-byte).
+ */
+export declare function parseSignatureInput(input: string): Map<string, SfSignatureInput>;
+/**
+ * Parse an RFC 8941 Dictionary whose member values are Byte Sequences — the
+ * shape shared by the `Signature` header and the RFC 9530 `Content-Digest` /
+ * `Want-Content-Digest` fields. Member parameters are accepted and discarded.
+ * Keys follow sf-key rules (lowercase only), so an uppercase key is a parse
+ * error rather than something silently lowercased.
+ */
+export declare function parseByteSequenceDictionary(input: string): Map<string, Uint8Array>;
+/** Parse a `Signature` header into its labelled byte sequences. */
+export declare function parseSignatureHeader(input: string): Map<string, Uint8Array>;
+/** Serialize an sf-string: double-quoted with `"` and `\` escaped. */
+export declare function serializeString(value: string): string;
+//# sourceMappingURL=sf.d.ts.map

package/dist/sf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sf.d.ts","sourceRoot":"","sources":["../src/sf.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,gFAAgF;AAChF,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;AAEhE,8EAA8E;AAC9E,MAAM,WAAW,WAAW;IAC1B,qEAAqE;IACrE,GAAG,EAAE,MAAM,CAAC;IACZ,wEAAwE;IACxE,KAAK,EAAE,UAAU,CAAC;IAClB,wCAAwC;IACxC,MAAM,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;CACrC;AAED,oDAAoD;AACpD,MAAM,WAAW,gBAAgB;IAC/B,8EAA8E;IAC9E,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,MAAM,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;CACrC;AAED,sDAAsD;AACtD,qBAAa,YAAa,SAAQ,KAAK;CAAG;AAiJ1C;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,GACZ,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAqB/B;AAED;;;;;;GAMG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,MAAM,GACZ,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAmBzB;AAED,mEAAmE;AACnE,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAE3E;AAED,sEAAsE;AACtE,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAErD"}

package/dist/sf.js

@@ -0,0 +1,234 @@
+/**
+ * A focused RFC 8941 structured-fields parser, scoped to the two fields HTTP
+ * Message Signatures use: `Signature-Input` (a Dictionary of Inner Lists with
+ * parameters) and `Signature` (a Dictionary of Byte Sequences).
+ *
+ * It is intentionally not a general structured-fields implementation. Parsing
+ * is strict — anything malformed throws {@link SfParseError}, which the callers
+ * turn into a verification failure rather than guessing at the sender's intent.
+ */
+/** Thrown on any malformed structured-field input. */
+export class SfParseError extends Error {
+}
+const KEY_START = /[a-z*]/;
+const KEY_CHAR = /[a-z0-9_*.-]/;
+const TOKEN_START = /[a-zA-Z*]/;
+const TOKEN_CHAR = /[a-zA-Z0-9:/!#$%&'*+\-.^_`|~]/;
+class Reader {
+    input;
+    pos = 0;
+    constructor(input) {
+        this.input = input;
+    }
+    get done() {
+        return this.pos >= this.input.length;
+    }
+    peek() {
+        return this.input[this.pos] ?? "";
+    }
+    next() {
+        const c = this.input[this.pos] ?? "";
+        this.pos++;
+        return c;
+    }
+    expect(c) {
+        if (this.next() !== c)
+            throw new SfParseError(`expected ${c}`);
+    }
+    skipSP() {
+        while (this.peek() === " ")
+            this.pos++;
+    }
+    skipOWS() {
+        while (this.peek() === " " || this.peek() === "\t")
+            this.pos++;
+    }
+}
+function parseKey(r) {
+    if (!KEY_START.test(r.peek()))
+        throw new SfParseError("invalid key");
+    let key = r.next();
+    while (!r.done && KEY_CHAR.test(r.peek()))
+        key += r.next();
+    return key;
+}
+function parseString(r) {
+    r.expect('"');
+    let out = "";
+    for (;;) {
+        if (r.done)
+            throw new SfParseError("unterminated string");
+        const c = r.next();
+        if (c === "\\") {
+            const esc = r.next();
+            if (esc !== '"' && esc !== "\\")
+                throw new SfParseError("bad escape");
+            out += esc;
+        }
+        else if (c === '"') {
+            return out;
+        }
+        else {
+            const code = c.charCodeAt(0);
+            if (code < 0x20 || code >= 0x7f)
+                throw new SfParseError("bad string char");
+            out += c;
+        }
+    }
+}
+function parseToken(r) {
+    let tok = r.next();
+    while (!r.done && TOKEN_CHAR.test(r.peek()))
+        tok += r.next();
+    return tok;
+}
+function parseNumber(r) {
+    let s = "";
+    if (r.peek() === "-")
+        s += r.next();
+    while (!r.done && /[0-9.]/.test(r.peek()))
+        s += r.next();
+    const n = Number(s);
+    if (!Number.isFinite(n))
+        throw new SfParseError("invalid number");
+    return n;
+}
+function parseByteSequence(r) {
+    r.expect(":");
+    let b64 = "";
+    while (!r.done && r.peek() !== ":")
+        b64 += r.next();
+    r.expect(":");
+    try {
+        const binary = atob(b64);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i++)
+            bytes[i] = binary.charCodeAt(i);
+        return bytes;
+    }
+    catch {
+        throw new SfParseError("invalid byte sequence");
+    }
+}
+function parseBareItem(r) {
+    const c = r.peek();
+    if (c === '"')
+        return parseString(r);
+    if (c === ":")
+        return parseByteSequence(r);
+    if (c === "?") {
+        r.next();
+        const b = r.next();
+        if (b === "0")
+            return false;
+        if (b === "1")
+            return true;
+        throw new SfParseError("invalid boolean");
+    }
+    if (c === "-" || /[0-9]/.test(c))
+        return parseNumber(r);
+    if (TOKEN_START.test(c))
+        return parseToken(r);
+    throw new SfParseError("invalid bare item");
+}
+function parseParameters(r) {
+    const params = [];
+    while (r.peek() === ";") {
+        r.next();
+        r.skipSP();
+        const key = parseKey(r);
+        let value = true;
+        if (r.peek() === "=") {
+            r.next();
+            value = parseBareItem(r);
+        }
+        params.push([key, value]);
+    }
+    return params;
+}
+function parseInnerList(r) {
+    r.expect("(");
+    const items = [];
+    for (;;) {
+        r.skipSP();
+        if (r.peek() === ")") {
+            r.next();
+            break;
+        }
+        if (r.done)
+            throw new SfParseError("unterminated inner list");
+        const start = r.pos;
+        const value = parseBareItem(r);
+        const params = parseParameters(r);
+        items.push({ raw: r.input.slice(start, r.pos), value, params });
+    }
+    const params = parseParameters(r);
+    return { items, params };
+}
+/**
+ * Parse a `Signature-Input` header into its labelled inner lists, preserving
+ * for each member the exact source text of its value (the `@signature-params`
+ * value the base must reproduce byte-for-byte).
+ */
+export function parseSignatureInput(input) {
+    const r = new Reader(input);
+    const out = new Map();
+    r.skipOWS();
+    if (r.done)
+        throw new SfParseError("empty dictionary");
+    for (;;) {
+        const key = parseKey(r);
+        if (r.peek() !== "=")
+            throw new SfParseError("dictionary member needs a value");
+        r.next();
+        if (r.peek() !== "(")
+            throw new SfParseError("signature-input value must be an inner list");
+        const start = r.pos;
+        const { items, params } = parseInnerList(r);
+        out.set(key, { raw: r.input.slice(start, r.pos), items, params });
+        r.skipOWS();
+        if (r.done)
+            break;
+        r.expect(",");
+        r.skipOWS();
+    }
+    return out;
+}
+/**
+ * Parse an RFC 8941 Dictionary whose member values are Byte Sequences — the
+ * shape shared by the `Signature` header and the RFC 9530 `Content-Digest` /
+ * `Want-Content-Digest` fields. Member parameters are accepted and discarded.
+ * Keys follow sf-key rules (lowercase only), so an uppercase key is a parse
+ * error rather than something silently lowercased.
+ */
+export function parseByteSequenceDictionary(input) {
+    const r = new Reader(input);
+    const out = new Map();
+    r.skipOWS();
+    if (r.done)
+        throw new SfParseError("empty dictionary");
+    for (;;) {
+        const key = parseKey(r);
+        if (r.peek() !== "=")
+            throw new SfParseError("dictionary member needs a value");
+        r.next();
+        const bytes = parseByteSequence(r);
+        parseParameters(r);
+        out.set(key, bytes);
+        r.skipOWS();
+        if (r.done)
+            break;
+        r.expect(",");
+        r.skipOWS();
+    }
+    return out;
+}
+/** Parse a `Signature` header into its labelled byte sequences. */
+export function parseSignatureHeader(input) {
+    return parseByteSequenceDictionary(input);
+}
+/** Serialize an sf-string: double-quoted with `"` and `\` escaped. */
+export function serializeString(value) {
+    return `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+//# sourceMappingURL=sf.js.map

package/dist/sf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sf.js","sourceRoot":"","sources":["../src/sf.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAuBH,sDAAsD;AACtD,MAAM,OAAO,YAAa,SAAQ,KAAK;CAAG;AAE1C,MAAM,SAAS,GAAG,QAAQ,CAAC;AAC3B,MAAM,QAAQ,GAAG,cAAc,CAAC;AAChC,MAAM,WAAW,GAAG,WAAW,CAAC;AAChC,MAAM,UAAU,GAAG,+BAA+B,CAAC;AAEnD,MAAM,MAAM;IAEW;IADrB,GAAG,GAAG,CAAC,CAAC;IACR,YAAqB,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAEtC,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;IACvC,CAAC;IACD,IAAI;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC;IACD,IAAI;QACF,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACrC,IAAI,CAAC,GAAG,EAAE,CAAC;QACX,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,CAAC,CAAS;QACd,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;YAAE,MAAM,IAAI,YAAY,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IACD,MAAM;QACJ,OAAO,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG;YAAE,IAAI,CAAC,GAAG,EAAE,CAAC;IACzC,CAAC;IACD,OAAO;QACL,OAAO,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI;YAAE,IAAI,CAAC,GAAG,EAAE,CAAC;IACjE,CAAC;CACF;AAED,SAAS,QAAQ,CAAC,CAAS;IACzB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAAE,MAAM,IAAI,YAAY,CAAC,aAAa,CAAC,CAAC;IACrE,IAAI,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACnB,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAAE,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,SAAS,CAAC;QACR,IAAI,CAAC,CAAC,IAAI;YAAE,MAAM,IAAI,YAAY,CAAC,qBAAqB,CAAC,CAAC;QAC1D,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACnB,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACrB,IAAI,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,IAAI;gBAAE,MAAM,IAAI,YAAY,CAAC,YAAY,CAAC,CAAC;YACtE,GAAG,IAAI,GAAG,CAAC;QACb,CAAC;aAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,GAAG,CAAC;QACb,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,IAAI,GAAG,IAAI,IAAI,IAAI,IAAI,IAAI;gBAC7B,MAAM,IAAI,YAAY,CAAC,iBAAiB,CAAC,CAAC;YAC5C,GAAG,IAAI,CAAC,CAAC;QACX,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,IAAI,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACnB,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAAE,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG;QAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IACpC,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IACzD,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACpB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QAAE,MAAM,IAAI,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAClE,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAS;IAClC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG;QAAE,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IACpD,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;YAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACxE,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,YAAY,CAAC,uBAAuB,CAAC,CAAC;IAClD,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACnB,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,iBAAiB,CAAC,CAAC,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QACd,CAAC,CAAC,IAAI,EAAE,CAAC;QACT,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACnB,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,KAAK,CAAC;QAC5B,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAC3B,MAAM,IAAI,YAAY,CAAC,iBAAiB,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC;IACxD,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9C,MAAM,IAAI,YAAY,CAAC,mBAAmB,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,MAAM,GAAgC,EAAE,CAAC;IAC/C,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;QACxB,CAAC,CAAC,IAAI,EAAE,CAAC;QACT,CAAC,CAAC,MAAM,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACxB,IAAI,KAAK,GAAe,IAAI,CAAC;QAC7B,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACrB,CAAC,CAAC,IAAI,EAAE,CAAC;YACT,KAAK,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAI/B,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,SAAS,CAAC;QACR,CAAC,CAAC,MAAM,EAAE,CAAC;QACX,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACrB,CAAC,CAAC,IAAI,EAAE,CAAC;YACT,MAAM;QACR,CAAC;QACD,IAAI,CAAC,CAAC,IAAI;YAAE,MAAM,IAAI,YAAY,CAAC,yBAAyB,CAAC,CAAC;QAC9D,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC;QACpB,MAAM,KAAK,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;QAClC,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;IAClC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AAC3B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAa;IAEb,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,GAAG,EAA4B,CAAC;IAChD,CAAC,CAAC,OAAO,EAAE,CAAC;IACZ,IAAI,CAAC,CAAC,IAAI;QAAE,MAAM,IAAI,YAAY,CAAC,kBAAkB,CAAC,CAAC;IACvD,SAAS,CAAC;QACR,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACxB,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG;YAClB,MAAM,IAAI,YAAY,CAAC,iCAAiC,CAAC,CAAC;QAC5D,CAAC,CAAC,IAAI,EAAE,CAAC;QACT,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG;YAClB,MAAM,IAAI,YAAY,CAAC,6CAA6C,CAAC,CAAC;QACxE,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC;QACpB,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;QAC5C,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAClE,CAAC,CAAC,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,CAAC,IAAI;YAAE,MAAM;QAClB,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,OAAO,EAAE,CAAC;IACd,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,2BAA2B,CACzC,KAAa;IAEb,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC1C,CAAC,CAAC,OAAO,EAAE,CAAC;IACZ,IAAI,CAAC,CAAC,IAAI;QAAE,MAAM,IAAI,YAAY,CAAC,kBAAkB,CAAC,CAAC;IACvD,SAAS,CAAC;QACR,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACxB,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG;YAClB,MAAM,IAAI,YAAY,CAAC,iCAAiC,CAAC,CAAC;QAC5D,CAAC,CAAC,IAAI,EAAE,CAAC;QACT,MAAM,KAAK,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;QACnC,eAAe,CAAC,CAAC,CAAC,CAAC;QACnB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACpB,CAAC,CAAC,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,CAAC,IAAI;YAAE,MAAM;QAClB,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,OAAO,EAAE,CAAC;IACd,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,OAAO,2BAA2B,CAAC,KAAK,CAAC,CAAC;AAC5C,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC;AAClE,CAAC"}

package/dist/sign.d.ts

@@ -0,0 +1,46 @@
+/**
+ * The unified signing entry point. Dispatches on the wire profile and returns
+ * the header(s) to merge into the outbound request.
+ */
+import type { HttpMessage, SignatureAlgorithm, SignatureProfile } from "./types";
+/** Inputs for {@link signMessage}. */
+export interface SignParams {
+    /** Wire profile. Defaults to `"rfc9421"`. */
+    profile?: SignatureProfile;
+    /** The private {@link CryptoKey}, imported by the caller for `alg`. */
+    key: CryptoKey;
+    /** The `keyid` advertised so the verifier can resolve the public half. */
+    keyId: string;
+    /** Signature algorithm; must be in the allow-list. */
+    alg: SignatureAlgorithm;
+    /**
+     * Covered components, in signing order. For `"rfc9421"`: derived names like
+     * `@method`, `@target-uri`, `@authority`, plus lowercase header names. For
+     * `"cavage"`: `(request-target)`, `(created)`, `(expires)`, and lowercase
+     * header names.
+     */
+    components: string[];
+    /** Signature creation time, epoch seconds. Defaults to now. */
+    created?: number;
+    /** Signature expiry, epoch seconds. Omitted when absent. */
+    expires?: number;
+    /** Anti-replay nonce (RFC 9421 only). */
+    nonce?: string;
+    /** Application tag (RFC 9421 only). */
+    tag?: string;
+    /** Signature label (RFC 9421 only). Defaults to `"sig1"`. */
+    label?: string;
+    /** Override "now" for the `created` default, epoch seconds (deterministic tests). */
+    now?: number;
+}
+/**
+ * Sign `message`, returning the headers to add to the request. The caller is
+ * responsible for having already set (and listed among `components`) any
+ * `content-digest` / `digest` header it wants covered — see
+ * {@link createContentDigest} / {@link createDigest}.
+ *
+ * @returns A map of header name → value (RFC 9421: `Signature-Input` and
+ *   `Signature`; cavage: a single `Signature`).
+ */
+export declare function signMessage(message: HttpMessage, params: SignParams): Promise<Record<string, string>>;
+//# sourceMappingURL=sign.d.ts.map

package/dist/sign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EACV,WAAW,EACX,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,SAAS,CAAC;AAEjB,sCAAsC;AACtC,MAAM,WAAW,UAAU;IACzB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,gBAAgB,CAAC;IAC3B,uEAAuE;IACvE,GAAG,EAAE,SAAS,CAAC;IACf,0EAA0E;IAC1E,KAAK,EAAE,MAAM,CAAC;IACd,sDAAsD;IACtD,GAAG,EAAE,kBAAkB,CAAC;IACxB;;;;;OAKG;IACH,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,+DAA+D;IAC/D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,qFAAqF;IACrF,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAsBjC"}

package/dist/sign.js

@@ -0,0 +1,39 @@
+/**
+ * The unified signing entry point. Dispatches on the wire profile and returns
+ * the header(s) to merge into the outbound request.
+ */
+import { signCavage } from "./cavage";
+import { signRfc9421 } from "./rfc9421";
+/**
+ * Sign `message`, returning the headers to add to the request. The caller is
+ * responsible for having already set (and listed among `components`) any
+ * `content-digest` / `digest` header it wants covered — see
+ * {@link createContentDigest} / {@link createDigest}.
+ *
+ * @returns A map of header name → value (RFC 9421: `Signature-Input` and
+ *   `Signature`; cavage: a single `Signature`).
+ */
+export function signMessage(message, params) {
+    if (params.profile === "cavage") {
+        return signCavage(message, {
+            key: params.key,
+            keyId: params.keyId,
+            alg: params.alg,
+            components: params.components,
+            created: params.created,
+            expires: params.expires,
+        });
+    }
+    return signRfc9421(message, {
+        key: params.key,
+        keyId: params.keyId,
+        alg: params.alg,
+        components: params.components,
+        created: params.created ?? params.now ?? Math.floor(Date.now() / 1000),
+        expires: params.expires,
+        nonce: params.nonce,
+        tag: params.tag,
+        label: params.label ?? "sig1",
+    });
+}
+//# sourceMappingURL=sign.js.map

package/dist/sign.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAsCxC;;;;;;;;GAQG;AACH,MAAM,UAAU,WAAW,CACzB,OAAoB,EACpB,MAAkB;IAElB,IAAI,MAAM,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,UAAU,CAAC,OAAO,EAAE;YACzB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,WAAW,CAAC,OAAO,EAAE;QAC1B,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QACtE,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM;KAC9B,CAAC,CAAC;AACL,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Shared plain-data types for {@link signMessage} and {@link verifyMessage}.
+ *
+ * The library never touches a live HTTP object: a request (or response) is
+ * described by its method, URL, and header values, so it unit-tests under Node
+ * with no Workers runtime.
+ */
+/**
+ * Asymmetric signature algorithms this library accepts, named by their RFC 9421
+ * §3.3 registry identifiers.
+ *
+ * Symmetric (`hmac-sha256`) and unsigned (`none`) algorithms are deliberately
+ * excluded: an HTTP message signature must be made by the sender's private key
+ * whose public half the verifier resolves out of band.
+ */
+export type SignatureAlgorithm = "rsa-pss-sha512" | "rsa-v1_5-sha256" | "ecdsa-p256-sha256" | "ecdsa-p384-sha384" | "ed25519";
+/**
+ * Wire profile.
+ *
+ * - `"rfc9421"` — the modern `Signature-Input` / `Signature` structured-field
+ *   pair (RFC 9421).
+ * - `"cavage"` — the legacy single `Signature` header from
+ *   `draft-cavage-http-signatures`, still emitted across the fediverse.
+ */
+export type SignatureProfile = "rfc9421" | "cavage";
+/**
+ * A request (or response) reduced to the facts a signature is computed over.
+ *
+ * `headers` keys are matched case-insensitively; a value array models a field
+ * that appears multiple times (its values are joined with `", "` per RFC 9421
+ * §2.1).
+ */
+export interface HttpMessage {
+    /** HTTP method, e.g. `"POST"`. */
+    method: string;
+    /** Absolute request URI, e.g. `"https://example.com/inbox"`. */
+    url: string;
+    /** Header field values, keyed by (case-insensitive) field name. */
+    headers: Record<string, string | string[]>;
+}
+/** Stable, locale-independent failure codes returned in {@link VerifyResult.reason}. */
+export type SignatureFailureReason = "signature_missing" | "signature_input_malformed" | "signature_malformed" | "label_ambiguous" | "label_missing" | "components_malformed" | "alg_unsupported" | "keyid_missing" | "key_unresolved" | "key_alg_mismatch" | "key_too_small" | "key_invalid" | "covered_component_missing" | "required_component_missing" | "created_invalid" | "created_required" | "signature_expired" | "signature_future" | "expires_invalid" | "signature_invalid" | "digest_missing" | "digest_unsupported" | "digest_mismatch";
+/** Result of verifying an HTTP message signature. */
+export interface VerifyResult {
+    /** Whether the signature is valid. */
+    valid: boolean;
+    /** The profile the signature was read under, when one could be identified. */
+    profile?: SignatureProfile;
+    /** The signature label that was verified (RFC 9421 only). */
+    label?: string;
+    /** The `keyid` the signature claimed (so the caller can audit the principal). */
+    keyId?: string;
+    /** The covered-component identifiers, in signing order. */
+    coveredComponents?: string[];
+    /** The signature's `created` time (epoch seconds), if present. */
+    created?: number;
+    /** The signature's `expires` time (epoch seconds), if present. */
+    expires?: number;
+    /** Stable failure code (see {@link SignatureFailureReason}) when `valid` is false. */
+    reason?: SignatureFailureReason;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;GAOG;AACH,MAAM,MAAM,kBAAkB,GAC1B,gBAAgB,GAChB,iBAAiB,GACjB,mBAAmB,GACnB,mBAAmB,GACnB,SAAS,CAAC;AAEd;;;;;;;GAOG;AACH,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,QAAQ,CAAC;AAEpD;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,gEAAgE;IAChE,GAAG,EAAE,MAAM,CAAC;IACZ,mEAAmE;IACnE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;CAC5C;AAED,wFAAwF;AACxF,MAAM,MAAM,sBAAsB,GAC9B,mBAAmB,GACnB,2BAA2B,GAC3B,qBAAqB,GACrB,iBAAiB,GACjB,eAAe,GACf,sBAAsB,GACtB,iBAAiB,GACjB,eAAe,GACf,gBAAgB,GAChB,kBAAkB,GAClB,eAAe,GACf,aAAa,GACb,2BAA2B,GAC3B,4BAA4B,GAC5B,iBAAiB,GACjB,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,GACjB,mBAAmB,GACnB,gBAAgB,GAChB,oBAAoB,GACpB,iBAAiB,CAAC;AAEtB,qDAAqD;AACrD,MAAM,WAAW,YAAY;IAC3B,sCAAsC;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,8EAA8E;IAC9E,OAAO,CAAC,EAAE,gBAAgB,CAAC;IAC3B,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,sFAAsF;IACtF,MAAM,CAAC,EAAE,sBAAsB,CAAC;CACjC"}

package/dist/types.js

@@ -0,0 +1,9 @@
+/**
+ * Shared plain-data types for {@link signMessage} and {@link verifyMessage}.
+ *
+ * The library never touches a live HTTP object: a request (or response) is
+ * described by its method, URL, and header values, so it unit-tests under Node
+ * with no Workers runtime.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/verify.d.ts

@@ -0,0 +1,37 @@
+/**
+ * The unified verification entry point. Auto-detects the wire profile (unless
+ * one is forced), verifies the signature, and — when a body is supplied —
+ * checks any covered `content-digest` / `digest` against it so body tampering
+ * is caught alongside header tampering.
+ */
+import { type KeyResolver } from "./rfc9421";
+import type { HttpMessage, SignatureProfile, VerifyResult } from "./types";
+/** Inputs for {@link verifyMessage}. */
+export interface VerifyParams {
+    /** Resolves the public {@link CryptoKey} for a `keyid` (and, when known, `alg`). */
+    resolveKey: KeyResolver;
+    /** Force a profile. When omitted, it is detected from the present headers. */
+    profile?: SignatureProfile;
+    /** Which labelled signature to verify (RFC 9421); required if more than one. */
+    label?: string;
+    /** Component identifiers that MUST be covered (e.g. `@method`, `date`, `content-digest`). */
+    requiredComponents?: string[];
+    /** Require a `created` parameter (RFC 9421). */
+    requireCreated?: boolean;
+    /** Current time, epoch seconds. Defaults to `Date.now()`. */
+    now?: number;
+    /** Allowed clock skew, in seconds, for `created`/`expires`. Defaults to 300. */
+    toleranceSeconds?: number;
+    /**
+     * The received body. When provided and a digest component is covered, the
+     * corresponding `content-digest` / `digest` header is recomputed over it; a
+     * mismatch fails verification with a `digest_*` reason.
+     */
+    body?: Uint8Array | string;
+}
+/**
+ * Verify the HTTP message signature on `message`. Never throws — every failure
+ * is `{ valid: false, reason }` with a stable {@link SignatureFailureReason}.
+ */
+export declare function verifyMessage(message: HttpMessage, params: VerifyParams): Promise<VerifyResult>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAiB,KAAK,WAAW,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE3E,wCAAwC;AACxC,MAAM,WAAW,YAAY;IAC3B,oFAAoF;IACpF,UAAU,EAAE,WAAW,CAAC;IACxB,8EAA8E;IAC9E,OAAO,CAAC,EAAE,gBAAgB,CAAC;IAC3B,gFAAgF;IAChF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6FAA6F;IAC7F,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,gDAAgD;IAChD,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,6DAA6D;IAC7D,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,gFAAgF;IAChF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;OAIG;IACH,IAAI,CAAC,EAAE,UAAU,GAAG,MAAM,CAAC;CAC5B;AAeD;;;GAGG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,YAAY,GACnB,OAAO,CAAC,YAAY,CAAC,CA6CvB"}

package/dist/verify.js

@@ -0,0 +1,60 @@
+/**
+ * The unified verification entry point. Auto-detects the wire profile (unless
+ * one is forced), verifies the signature, and — when a body is supplied —
+ * checks any covered `content-digest` / `digest` against it so body tampering
+ * is caught alongside header tampering.
+ */
+import { verifyCavage } from "./cavage";
+import { verifyContentDigest, verifyDigest } from "./digest";
+import { verifyRfc9421 } from "./rfc9421";
+function hasHeader(message, name) {
+    const lower = name.toLowerCase();
+    return Object.keys(message.headers).some((k) => k.toLowerCase() === lower);
+}
+function getHeader(message, name) {
+    const lower = name.toLowerCase();
+    for (const [k, v] of Object.entries(message.headers)) {
+        if (k.toLowerCase() === lower)
+            return Array.isArray(v) ? v.join(", ") : v;
+    }
+    return null;
+}
+/**
+ * Verify the HTTP message signature on `message`. Never throws — every failure
+ * is `{ valid: false, reason }` with a stable {@link SignatureFailureReason}.
+ */
+export async function verifyMessage(message, params) {
+    const profile = params.profile ??
+        (hasHeader(message, "signature-input") ? "rfc9421" : "cavage");
+    const result = profile === "rfc9421"
+        ? await verifyRfc9421(message, {
+            resolveKey: params.resolveKey,
+            label: params.label,
+            requiredComponents: params.requiredComponents,
+            requireCreated: params.requireCreated,
+            now: params.now,
+            toleranceSeconds: params.toleranceSeconds,
+        })
+        : await verifyCavage(message, {
+            resolveKey: params.resolveKey,
+            requiredComponents: params.requiredComponents,
+            now: params.now,
+            toleranceSeconds: params.toleranceSeconds,
+        });
+    if (!result.valid || params.body === undefined)
+        return result;
+    // Body integrity: only when a digest component was actually covered.
+    const covered = new Set((result.coveredComponents ?? []).map((c) => c.toLowerCase()));
+    if (covered.has("content-digest")) {
+        const rejection = await verifyContentDigest(getHeader(message, "content-digest"), params.body);
+        if (rejection !== null)
+            return { ...result, valid: false, reason: rejection };
+    }
+    else if (covered.has("digest")) {
+        const rejection = await verifyDigest(getHeader(message, "digest"), params.body);
+        if (rejection !== null)
+            return { ...result, valid: false, reason: rejection };
+    }
+    return result;
+}
+//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAoB,MAAM,WAAW,CAAC;AA2B5D,SAAS,SAAS,CAAC,OAAoB,EAAE,IAAY;IACnD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,SAAS,CAAC,OAAoB,EAAE,IAAY;IACnD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACrD,IAAI,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAoB,EACpB,MAAoB;IAEpB,MAAM,OAAO,GACX,MAAM,CAAC,OAAO;QACd,CAAC,SAAS,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEjE,MAAM,MAAM,GACV,OAAO,KAAK,SAAS;QACnB,CAAC,CAAC,MAAM,aAAa,CAAC,OAAO,EAAE;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;YAC7C,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;SAC1C,CAAC;QACJ,CAAC,CAAC,MAAM,YAAY,CAAC,OAAO,EAAE;YAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;YAC7C,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;SAC1C,CAAC,CAAC;IAET,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IAE9D,qEAAqE;IACrE,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,CAAC,MAAM,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC7D,CAAC;IACF,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,MAAM,mBAAmB,CACzC,SAAS,CAAC,OAAO,EAAE,gBAAgB,CAAC,EACpC,MAAM,CAAC,IAAI,CACZ,CAAC;QACF,IAAI,SAAS,KAAK,IAAI;YACpB,OAAO,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1D,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,MAAM,YAAY,CAClC,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,EAC5B,MAAM,CAAC,IAAI,CACZ,CAAC;QACF,IAAI,SAAS,KAAK,IAAI;YACpB,OAAO,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@dwk/http-signatures",
+  "version": "0.1.0-beta.0",
+  "description": "HTTP Message Signatures (RFC 9421) and legacy draft-cavage sign/verify. Cross-standard reusable; no Workers runtime dependency.",
+  "keywords": [
+    "http-signatures",
+    "rfc9421",
+    "cavage",
+    "message-signatures",
+    "activitypub",
+    "cloudflare-workers"
+  ],
+  "type": "module",
+  "license": "ISC",
+  "author": "David W. Keith <me@dwk.io>",
+  "homepage": "https://github.com/davidwkeith/workers/tree/main/packages/http-signatures#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/davidwkeith/workers.git",
+    "directory": "packages/http-signatures"
+  },
+  "sideEffects": false,
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "src",
+    "!src/**/*.test.ts"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "typecheck": "tsc -p tsconfig.json",
+    "clean": "rm -rf dist"
+  }
+}