@fedify/fedify 0.9.0-dev.179 → 0.9.0-dev.181

package/CHANGES.md

@@ -47,11 +47,22 @@ To be released.
      -  The signature of the `verify()` function is revamped; it now optionally
         takes a `VerifyOptions` object as the second parameter.
 
+ -  Renamed the `@fedify/fedify/httpsig` module to `@fedify/fedify/sig`, and
+    also:
+
+     -  Deprecated `sign()` function.  Use `signRequest()` instead.
+     -  Deprecated `verify()` function.  Use `verifyRequest()` instead.
+     -  Deprecated `VerifyOptions` interface.  Use `VerifyRequestOptions`
+        instead.
+
  -  Added more log messages using the [LogTape] library.  Currently the below
     logger categories are used:
 
      -  `["fedify", "federation", "actor"]`
      -  `["fedify", "federation", "http"]`
+     -  `["fedify", "sig", "http"]`
+     -  `["fedify", "sig", "key"]`
+     -  `["fedify", "sig", "owner"]`
 
 [#48]: https://github.com/dahlia/fedify/issues/48
 [#52]: https://github.com/dahlia/fedify/issues/52

package/esm/federation/middleware.js

@@ -1,7 +1,8 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { exportJwk, importJwk, validateCryptoKey } from "../httpsig/key.js";
-import { getKeyOwner, verify } from "../httpsig/mod.js";
+import { verifyRequest } from "../sig/http.js";
+import { exportJwk, importJwk, validateCryptoKey } from "../sig/key.js";
+import { getKeyOwner } from "../sig/owner.js";
 import { handleNodeInfo, handleNodeInfoJrd } from "../nodeinfo/handler.js";
 import { fetchDocumentLoader, getAuthenticatedDocumentLoader, kvCache, } from "../runtime/docloader.js";
 import { Activity, CryptographicKey } from "../vocab/mod.js";
@@ -381,7 +382,10 @@ export class Federation {
             async getSignedKey() {
                 if (signedKey !== undefined)
                     return signedKey;
-                return signedKey = await verify(request, { ...context, timeWindow });
+                return signedKey = await verifyRequest(request, {
+                    ...context,
+                    timeWindow,
+                });
             },
             async getSignedKeyOwner() {
                 if (signedKeyOwner !== undefined)

package/esm/httpsig/mod.js

@@ -1,18 +1,7 @@
-/**
- * The implementation of the [HTTP
- * Signatures](https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12).
- *
- * @module
- */
-import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { equals } from "../deps/jsr.io/@std/bytes/0.224.0/mod.js";
-import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/0.224.3/base64.js";
-import { fetchDocumentLoader, } from "../runtime/docloader.js";
-import { isActor } from "../vocab/actor.js";
-import { CryptographicKey, Object as ASObject, } from "../vocab/vocab.js";
-import { validateCryptoKey } from "./key.js";
-export { exportJwk, generateCryptoKeyPair, importJwk } from "./key.js";
+import { signRequest, verifyRequest, } from "../sig/http.js";
+import { exportJwk as newExportJwk, generateCryptoKeyPair as newGenerateCryptoKeyPair, importJwk as newImportJwk, } from "../sig/key.js";
+import { doesActorOwnKey as newDoesActorOwnKey, getKeyOwner as newGetKeyOwner, } from "../sig/owner.js";
 /**
  * Signs a request using the given private key.
  * @param request The request to sign.
@@ -21,45 +10,12 @@ export { exportJwk, generateCryptoKeyPair, importJwk } from "./key.js";
  *              verifier.
  * @returns The signed request.
  * @throws {TypeError} If the private key is invalid or unsupported.
+ * @deprecated
  */
-export async function sign(request, privateKey, keyId) {
-    validateCryptoKey(privateKey, "private");
-    const url = new URL(request.url);
-    const body = request.method !== "GET" && request.method !== "HEAD"
-        ? await request.arrayBuffer()
-        : null;
-    const headers = new Headers(request.headers);
-    if (!headers.has("Host")) {
-        headers.set("Host", url.host);
-    }
-    if (!headers.has("Digest") && body != null) {
-        const digest = await dntShim.crypto.subtle.digest("SHA-256", body);
-        headers.set("Digest", `sha-256=${encodeBase64(digest)}`);
-    }
-    if (!headers.has("Date")) {
-        headers.set("Date", new Date().toUTCString());
-    }
-    const serialized = [
-        ["(request-target)", `${request.method.toLowerCase()} ${url.pathname}`],
-        ...headers,
-    ];
-    const headerNames = serialized.map(([name]) => name);
-    const message = serialized
-        .map(([name, value]) => `${name}: ${value.trim()}`).join("\n");
-    // TODO: support other than RSASSA-PKCS1-v1_5:
-    const signature = await dntShim.crypto.subtle.sign("RSASSA-PKCS1-v1_5", privateKey, new TextEncoder().encode(message));
-    const sigHeader = `keyId="${keyId.href}",headers="${headerNames.join(" ")}",signature="${encodeBase64(signature)}"`;
-    headers.set("Signature", sigHeader);
-    return new Request(request, {
-        headers,
-        body,
-    });
+export function sign(request, privateKey, keyId) {
+    getLogger(["fedify", "httpsig", "sign"]).warn("The sign() function is deprecated.  Use signRequest() instead.");
+    return signRequest(request, privateKey, keyId);
 }
-const supportedHashAlgorithms = {
-    "sha": "SHA-1",
-    "sha-256": "SHA-256",
-    "sha-512": "SHA-512",
-};
 /**
  * Verifies the signature of a request.
  *
@@ -72,167 +28,11 @@ const supportedHashAlgorithms = {
  * @param options Options for verifying the request.
  * @returns The public key of the verified signature, or `null` if the signature
  *          could not be verified.
+ * @deprecated
  */
-export async function verify(request, { documentLoader, contextLoader, timeWindow, currentTime } = {}) {
-    const logger = getLogger(["fedify", "httpsig", "verify"]);
-    request = request.clone();
-    const dateHeader = request.headers.get("Date");
-    if (dateHeader == null) {
-        logger.debug("Failed to verify; no Date header found.", { headers: Object.fromEntries(request.headers.entries()) });
-        return null;
-    }
-    const sigHeader = request.headers.get("Signature");
-    if (sigHeader == null) {
-        logger.debug("Failed to verify; no Signature header found.", { headers: Object.fromEntries(request.headers.entries()) });
-        return null;
-    }
-    const digestHeader = request.headers.get("Digest");
-    if (request.method !== "GET" && request.method !== "HEAD" &&
-        digestHeader == null) {
-        logger.debug("Failed to verify; no Digest header found.", { headers: Object.fromEntries(request.headers.entries()) });
-        return null;
-    }
-    let body = null;
-    if (digestHeader != null) {
-        body = await request.arrayBuffer();
-        const digests = digestHeader.split(",").map((pair) => pair.includes("=") ? pair.split("=", 2) : [pair, ""]);
-        let matched = false;
-        for (let [algo, digestBase64] of digests) {
-            algo = algo.trim().toLowerCase();
-            if (!(algo in supportedHashAlgorithms))
-                continue;
-            const digest = decodeBase64(digestBase64);
-            const expectedDigest = await dntShim.crypto.subtle.digest(supportedHashAlgorithms[algo], body);
-            if (!equals(digest, new Uint8Array(expectedDigest))) {
-                logger.debug("Failed to verify; digest mismatch ({algorithm}): " +
-                    "{digest} != {expectedDigest}.", {
-                    algorithm: algo,
-                    digest: digestBase64,
-                    expectedDigest: encodeBase64(expectedDigest),
-                });
-                return null;
-            }
-            matched = true;
-        }
-        if (!matched) {
-            logger.debug("Failed to verify; no supported digest algorithm found.  " +
-                "Supported: {supportedAlgorithms}; found: {algorithms}.", {
-                supportedAlgorithms: Object.keys(supportedHashAlgorithms),
-                algorithms: digests.map(([algo]) => algo),
-            });
-            return null;
-        }
-    }
-    const date = dntShim.Temporal.Instant.from(new Date(dateHeader).toISOString());
-    const now = currentTime ?? dntShim.Temporal.Now.instant();
-    const tw = timeWindow ?? { minutes: 1 };
-    if (dntShim.Temporal.Instant.compare(date, now.add(tw)) > 0) {
-        logger.debug("Failed to verify; Date is too far in the future.", { date: date.toString(), now: now.toString() });
-        return null;
-    }
-    else if (dntShim.Temporal.Instant.compare(date, now.subtract(tw)) < 0) {
-        logger.debug("Failed to verify; Date is too far in the past.", { date: date.toString(), now: now.toString() });
-        return null;
-    }
-    const sigValues = Object.fromEntries(sigHeader.split(",").map((pair) => pair.match(/^\s*([A-Za-z]+)="([^"]*)"\s*$/)).filter((m) => m != null).map((m) => m.slice(1, 3)));
-    if (!("keyId" in sigValues)) {
-        logger.debug("Failed to verify; no keyId field found in the Signature header.", { signature: sigHeader });
-        return null;
-    }
-    else if (!("headers" in sigValues)) {
-        logger.debug("Failed to verify; no headers field found in the Signature header.", { signature: sigHeader });
-        return null;
-    }
-    else if (!("signature" in sigValues)) {
-        logger.debug("Failed to verify; no signature field found in the Signature header.", { signature: sigHeader });
-        return null;
-    }
-    const { keyId, headers, signature } = sigValues;
-    logger.debug("Fetching key {keyId} to verify signature...", { keyId });
-    let document;
-    try {
-        const remoteDocument = await (documentLoader ?? fetchDocumentLoader)(keyId);
-        document = remoteDocument.document;
-    }
-    catch (_) {
-        logger.debug("Failed to fetch key {keyId}.", { keyId });
-        return null;
-    }
-    let object;
-    try {
-        object = await ASObject.fromJsonLd(document, {
-            documentLoader,
-            contextLoader,
-        });
-    }
-    catch (e) {
-        if (!(e instanceof TypeError))
-            throw e;
-        try {
-            object = await CryptographicKey.fromJsonLd(document, {
-                documentLoader,
-                contextLoader,
-            });
-        }
-        catch (e) {
-            if (e instanceof TypeError) {
-                logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
-                return null;
-            }
-            throw e;
-        }
-    }
-    let key = null;
-    if (object instanceof CryptographicKey)
-        key = object;
-    else if (isActor(object)) {
-        for await (const k of object.getPublicKeys({ documentLoader, contextLoader })) {
-            if (k.id?.href === keyId) {
-                key = k;
-                break;
-            }
-        }
-        if (key == null) {
-            logger.debug("Failed to verify; object {keyId} returned an {actorType}, " +
-                "but has no key matching {keyId}.", { keyId, actorType: object.constructor.name });
-            return null;
-        }
-    }
-    else {
-        logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
-        return null;
-    }
-    if (key.publicKey == null) {
-        logger.debug("Failed to verify; key {keyId} has no publicKeyPem field.", { keyId });
-        return null;
-    }
-    const headerNames = headers.split(/\s+/g);
-    if (!headerNames.includes("(request-target)") || !headerNames.includes("date")) {
-        logger.debug("Failed to verify; required headers missing in the Signature header: " +
-            "{headers}.", { headers });
-        return null;
-    }
-    if (body != null && !headerNames.includes("digest")) {
-        logger.debug("Failed to verify; required headers missing in the Signature header: " +
-            "{headers}.", { headers });
-        return null;
-    }
-    const message = headerNames.map((name) => `${name}: ` +
-        (name == "(request-target)"
-            ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}`
-            : name == "host"
-                ? request.headers.get("host") ?? new URL(request.url).host
-                : request.headers.get(name))).join("\n");
-    const sig = decodeBase64(signature);
-    // TODO: support other than RSASSA-PKCS1-v1_5:
-    const verified = await dntShim.crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message));
-    if (!verified) {
-        logger.debug("Failed to verify; signature {signature} is invalid.  " +
-            "Check if the key is correct or if the signed message is correct.  " +
-            "The message to sign is:\n{message}", { signature, message });
-        return null;
-    }
-    return key;
+export function verify(request, options = {}) {
+    getLogger(["fedify", "httpsig", "verify"]).warn("The verify() function is deprecated.  Use verifyRequest() instead.");
+    return verifyRequest(request, options);
 }
 /**
  * Checks if the actor of the given activity owns the specified key.
@@ -240,19 +40,12 @@ export async function verify(request, { documentLoader, contextLoader, timeWindo
  * @param key The public key to check.
  * @param options Options for checking the key ownership.
  * @returns Whether the actor is the owner of the key.
+ * @deprecated
  */
-export async function doesActorOwnKey(activity, key, options) {
-    if (key.ownerId != null) {
-        return key.ownerId.href === activity.actorId?.href;
-    }
-    const actor = await activity.getActor(options);
-    if (actor == null || !isActor(actor))
-        return false;
-    for (const publicKeyId of actor.publicKeyIds) {
-        if (key.id != null && publicKeyId.href === key.id.href)
-            return true;
-    }
-    return false;
+export function doesActorOwnKey(activity, key, options) {
+    getLogger(["fedify", "httpsig"]).warn("The doesActorOwnKey() function from @fedify/fedify/httpsig is deprecated.  " +
+        "Use doesActorOwnKey() from @fedify/fedify/sig instead.");
+    return newDoesActorOwnKey(activity, key, options);
 }
 /**
  * Gets the actor that owns the specified key.  Returns `null` if the key has no
@@ -263,65 +56,49 @@ export async function doesActorOwnKey(activity, key, options) {
  * @returns The actor that owns the key, or `null` if the key has no known
  *          owner.
  * @since 0.7.0
+ * @deprecated
+ */
+export function getKeyOwner(keyId, options) {
+    getLogger(["fedify", "httpsig"]).warn("The getKeyOwner() function from @fedify/fedify/httpsig is deprecated.  " +
+        "Use getKeyOwner() from @fedify/fedify/sig instead.");
+    return newGetKeyOwner(keyId, options);
+}
+/**
+ * Generates a key pair which is appropriate for Fedify.
+ * @returns The generated key pair.
+ * @since 0.3.0
+ * @deprecated
+ */
+export function generateCryptoKeyPair() {
+    getLogger(["fedify", "httpsig", "key"]).warn("The generateCryptoKeyPair() from @fedify/fedify/httpsig is deprecated.  " +
+        "Please use generateKeyPair() from @fedify/fedify/sig instead.");
+    return newGenerateCryptoKeyPair();
+}
+/**
+ * Exports a key in JWK format.
+ * @param key The key to export.  Either public or private key.
+ * @returns The exported key in JWK format.  The key is suitable for
+ *          serialization and storage.
+ * @throws {TypeError} If the key is invalid or unsupported.
+ * @since 0.3.0
+ * @deprecated
+ */
+export function exportJwk(key) {
+    getLogger(["fedify", "httpsig", "key"]).warn("The exportJwk() function from @fedify/fedify/httpsig is deprecated.  " +
+        "Please use exportJwk() from @fedify/fedify/sig instead.");
+    return newExportJwk(key);
+}
+/**
+ * Imports a key from JWK format.
+ * @param jwk The key in JWK format.
+ * @param type Which type of key to import, either `"public"`" or `"private"`".
+ * @returns The imported key.
+ * @throws {TypeError} If the key is invalid or unsupported.
+ * @since 0.3.0
+ * @deprecated
  */
-export async function getKeyOwner(keyId, options) {
-    const documentLoader = options.documentLoader ?? fetchDocumentLoader;
-    const contextLoader = options.contextLoader ?? fetchDocumentLoader;
-    let object;
-    if (keyId instanceof CryptographicKey) {
-        object = keyId;
-        if (object.id == null)
-            return null;
-        keyId = object.id;
-    }
-    else {
-        let keyDoc;
-        try {
-            const { document } = await documentLoader(keyId.href);
-            keyDoc = document;
-        }
-        catch (_) {
-            return null;
-        }
-        try {
-            object = await ASObject.fromJsonLd(keyDoc, {
-                documentLoader,
-                contextLoader,
-            });
-        }
-        catch (e) {
-            if (!(e instanceof TypeError))
-                throw e;
-            try {
-                object = await CryptographicKey.fromJsonLd(keyDoc, {
-                    documentLoader,
-                    contextLoader,
-                });
-            }
-            catch (e) {
-                if (e instanceof TypeError)
-                    return null;
-                throw e;
-            }
-        }
-    }
-    let owner = null;
-    if (object instanceof CryptographicKey) {
-        if (object.ownerId == null)
-            return null;
-        owner = await object.getOwner({ documentLoader, contextLoader });
-    }
-    else if (isActor(object)) {
-        owner = object;
-    }
-    else {
-        return null;
-    }
-    if (owner == null)
-        return null;
-    for (const kid of owner.publicKeyIds) {
-        if (kid.href === keyId.href)
-            return owner;
-    }
-    return null;
+export function importJwk(jwk, type) {
+    getLogger(["fedify", "httpsig", "key"]).warn("The importJwk() function from @fedify/fedify/httpsig is deprecated.  " +
+        "Please use importJwk() from @fedify/fedify/sig instead.");
+    return newImportJwk(jwk, type);
 }

package/esm/runtime/docloader.js

@@ -1,7 +1,7 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
-import { validateCryptoKey } from "../httpsig/key.js";
-import { sign } from "../httpsig/mod.js";
+import { signRequest } from "../sig/http.js";
+import { validateCryptoKey } from "../sig/key.js";
 const logger = getLogger(["fedify", "runtime", "docloader"]);
 /**
  * Error thrown when fetching a JSON-LD document failed.
@@ -94,7 +94,7 @@ export function getAuthenticatedDocumentLoader(identity) {
     validateCryptoKey(identity.privateKey);
     async function load(url) {
         let request = createRequest(url);
-        request = await sign(request, identity.privateKey, identity.keyId);
+        request = await signRequest(request, identity.privateKey, identity.keyId);
         logRequest(request);
         const response = await fetch(request, {
             // Since Bun has a bug that ignores the `Request.redirect` option,

package/esm/sig/http.js

@@ -0,0 +1,229 @@
+import * as dntShim from "../_dnt.shims.js";
+import { getLogger } from "@logtape/logtape";
+import { equals } from "../deps/jsr.io/@std/bytes/0.224.0/mod.js";
+import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/0.224.3/base64.js";
+import { fetchDocumentLoader, } from "../runtime/docloader.js";
+import { isActor } from "../vocab/actor.js";
+import { CryptographicKey, Object as ASObject } from "../vocab/vocab.js";
+import { validateCryptoKey } from "./key.js";
+/**
+ * Signs a request using the given private key.
+ * @param request The request to sign.
+ * @param privateKey The private key to use for signing.
+ * @param keyId The key ID to use for the signature.  It will be used by the
+ *              verifier.
+ * @returns The signed request.
+ * @throws {TypeError} If the private key is invalid or unsupported.
+ */
+export async function signRequest(request, privateKey, keyId) {
+    validateCryptoKey(privateKey, "private");
+    const url = new URL(request.url);
+    const body = request.method !== "GET" && request.method !== "HEAD"
+        ? await request.arrayBuffer()
+        : null;
+    const headers = new Headers(request.headers);
+    if (!headers.has("Host")) {
+        headers.set("Host", url.host);
+    }
+    if (!headers.has("Digest") && body != null) {
+        const digest = await dntShim.crypto.subtle.digest("SHA-256", body);
+        headers.set("Digest", `sha-256=${encodeBase64(digest)}`);
+    }
+    if (!headers.has("Date")) {
+        headers.set("Date", new Date().toUTCString());
+    }
+    const serialized = [
+        ["(request-target)", `${request.method.toLowerCase()} ${url.pathname}`],
+        ...headers,
+    ];
+    const headerNames = serialized.map(([name]) => name);
+    const message = serialized
+        .map(([name, value]) => `${name}: ${value.trim()}`).join("\n");
+    // TODO: support other than RSASSA-PKCS1-v1_5:
+    const signature = await dntShim.crypto.subtle.sign("RSASSA-PKCS1-v1_5", privateKey, new TextEncoder().encode(message));
+    const sigHeader = `keyId="${keyId.href}",headers="${headerNames.join(" ")}",signature="${encodeBase64(signature)}"`;
+    headers.set("Signature", sigHeader);
+    return new Request(request, {
+        headers,
+        body,
+    });
+}
+const supportedHashAlgorithms = {
+    "sha": "SHA-1",
+    "sha-256": "SHA-256",
+    "sha-512": "SHA-512",
+};
+/**
+ * Verifies the signature of a request.
+ *
+ * Note that this function consumes the request body, so it should not be used
+ * if the request body is already consumed.  Consuming the request body after
+ * calling this function is okay, since this function clones the request
+ * under the hood.
+ *
+ * @param request The request to verify.
+ * @param options Options for verifying the request.
+ * @returns The public key of the verified signature, or `null` if the signature
+ *          could not be verified.
+ */
+export async function verifyRequest(request, { documentLoader, contextLoader, timeWindow, currentTime } = {}) {
+    const logger = getLogger(["fedify", "sig", "http"]);
+    request = request.clone();
+    const dateHeader = request.headers.get("Date");
+    if (dateHeader == null) {
+        logger.debug("Failed to verify; no Date header found.", { headers: Object.fromEntries(request.headers.entries()) });
+        return null;
+    }
+    const sigHeader = request.headers.get("Signature");
+    if (sigHeader == null) {
+        logger.debug("Failed to verify; no Signature header found.", { headers: Object.fromEntries(request.headers.entries()) });
+        return null;
+    }
+    const digestHeader = request.headers.get("Digest");
+    if (request.method !== "GET" && request.method !== "HEAD" &&
+        digestHeader == null) {
+        logger.debug("Failed to verify; no Digest header found.", { headers: Object.fromEntries(request.headers.entries()) });
+        return null;
+    }
+    let body = null;
+    if (digestHeader != null) {
+        body = await request.arrayBuffer();
+        const digests = digestHeader.split(",").map((pair) => pair.includes("=") ? pair.split("=", 2) : [pair, ""]);
+        let matched = false;
+        for (let [algo, digestBase64] of digests) {
+            algo = algo.trim().toLowerCase();
+            if (!(algo in supportedHashAlgorithms))
+                continue;
+            const digest = decodeBase64(digestBase64);
+            const expectedDigest = await dntShim.crypto.subtle.digest(supportedHashAlgorithms[algo], body);
+            if (!equals(digest, new Uint8Array(expectedDigest))) {
+                logger.debug("Failed to verify; digest mismatch ({algorithm}): " +
+                    "{digest} != {expectedDigest}.", {
+                    algorithm: algo,
+                    digest: digestBase64,
+                    expectedDigest: encodeBase64(expectedDigest),
+                });
+                return null;
+            }
+            matched = true;
+        }
+        if (!matched) {
+            logger.debug("Failed to verify; no supported digest algorithm found.  " +
+                "Supported: {supportedAlgorithms}; found: {algorithms}.", {
+                supportedAlgorithms: Object.keys(supportedHashAlgorithms),
+                algorithms: digests.map(([algo]) => algo),
+            });
+            return null;
+        }
+    }
+    const date = dntShim.Temporal.Instant.from(new Date(dateHeader).toISOString());
+    const now = currentTime ?? dntShim.Temporal.Now.instant();
+    const tw = timeWindow ?? { minutes: 1 };
+    if (dntShim.Temporal.Instant.compare(date, now.add(tw)) > 0) {
+        logger.debug("Failed to verify; Date is too far in the future.", { date: date.toString(), now: now.toString() });
+        return null;
+    }
+    else if (dntShim.Temporal.Instant.compare(date, now.subtract(tw)) < 0) {
+        logger.debug("Failed to verify; Date is too far in the past.", { date: date.toString(), now: now.toString() });
+        return null;
+    }
+    const sigValues = Object.fromEntries(sigHeader.split(",").map((pair) => pair.match(/^\s*([A-Za-z]+)="([^"]*)"\s*$/)).filter((m) => m != null).map((m) => m.slice(1, 3)));
+    if (!("keyId" in sigValues)) {
+        logger.debug("Failed to verify; no keyId field found in the Signature header.", { signature: sigHeader });
+        return null;
+    }
+    else if (!("headers" in sigValues)) {
+        logger.debug("Failed to verify; no headers field found in the Signature header.", { signature: sigHeader });
+        return null;
+    }
+    else if (!("signature" in sigValues)) {
+        logger.debug("Failed to verify; no signature field found in the Signature header.", { signature: sigHeader });
+        return null;
+    }
+    const { keyId, headers, signature } = sigValues;
+    logger.debug("Fetching key {keyId} to verify signature...", { keyId });
+    let document;
+    try {
+        const remoteDocument = await (documentLoader ?? fetchDocumentLoader)(keyId);
+        document = remoteDocument.document;
+    }
+    catch (_) {
+        logger.debug("Failed to fetch key {keyId}.", { keyId });
+        return null;
+    }
+    let object;
+    try {
+        object = await ASObject.fromJsonLd(document, {
+            documentLoader,
+            contextLoader,
+        });
+    }
+    catch (e) {
+        if (!(e instanceof TypeError))
+            throw e;
+        try {
+            object = await CryptographicKey.fromJsonLd(document, {
+                documentLoader,
+                contextLoader,
+            });
+        }
+        catch (e) {
+            if (e instanceof TypeError) {
+                logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
+                return null;
+            }
+            throw e;
+        }
+    }
+    let key = null;
+    if (object instanceof CryptographicKey)
+        key = object;
+    else if (isActor(object)) {
+        for await (const k of object.getPublicKeys({ documentLoader, contextLoader })) {
+            if (k.id?.href === keyId) {
+                key = k;
+                break;
+            }
+        }
+        if (key == null) {
+            logger.debug("Failed to verify; object {keyId} returned an {actorType}, " +
+                "but has no key matching {keyId}.", { keyId, actorType: object.constructor.name });
+            return null;
+        }
+    }
+    else {
+        logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
+        return null;
+    }
+    if (key.publicKey == null) {
+        logger.debug("Failed to verify; key {keyId} has no publicKeyPem field.", { keyId });
+        return null;
+    }
+    const headerNames = headers.split(/\s+/g);
+    if (!headerNames.includes("(request-target)") || !headerNames.includes("date")) {
+        logger.debug("Failed to verify; required headers missing in the Signature header: " +
+            "{headers}.", { headers });
+        return null;
+    }
+    if (body != null && !headerNames.includes("digest")) {
+        logger.debug("Failed to verify; required headers missing in the Signature header: " +
+            "{headers}.", { headers });
+        return null;
+    }
+    const message = headerNames.map((name) => `${name}: ` +
+        (name == "(request-target)"
+            ? `${request.method.toLowerCase()} ${new URL(request.url).pathname}`
+            : name == "host"
+                ? request.headers.get("host") ?? new URL(request.url).host
+                : request.headers.get(name))).join("\n");
+    const sig = decodeBase64(signature);
+    // TODO: support other than RSASSA-PKCS1-v1_5:
+    const verified = await dntShim.crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, sig, new TextEncoder().encode(message));
+    if (!verified) {
+        logger.debug("Failed to verify; signature {signature} is invalid.  " +
+            "Check if the key is correct or if the signed message is correct.  " +
+            "The message to sign is:\n{message}", { signature, message });
+        return null;
+    }
+    return key;
+}

package/esm/{httpsig → sig}/key.js

@@ -28,7 +28,6 @@ export function validateCryptoKey(key, type) {
 /**
  * Generates a key pair which is appropriate for Fedify.
  * @returns The generated key pair.
- * @since 0.3.0
  */
 export function generateCryptoKeyPair() {
     return dntShim.crypto.subtle.generateKey({
@@ -44,7 +43,6 @@ export function generateCryptoKeyPair() {
  * @returns The exported key in JWK format.  The key is suitable for
  *          serialization and storage.
  * @throws {TypeError} If the key is invalid or unsupported.
- * @since 0.3.0
  */
 export async function exportJwk(key) {
     validateCryptoKey(key);
@@ -56,7 +54,6 @@ export async function exportJwk(key) {
  * @param type Which type of key to import, either `"public"`" or `"private"`".
  * @returns The imported key.
  * @throws {TypeError} If the key is invalid or unsupported.
- * @since 0.3.0
  */
 export async function importJwk(jwk, type) {
     const key = await dntShim.crypto.subtle.importKey("jwk", jwk, { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }, true, type === "public" ? ["verify"] : ["sign"]);

package/esm/sig/mod.js

@@ -0,0 +1,8 @@
+/**
+ * HTTP Signatures implementation.
+ *
+ * @module
+ */
+export { signRequest, verifyRequest, } from "./http.js";
+export { exportJwk, generateCryptoKeyPair, importJwk } from "./key.js";
+export { doesActorOwnKey, getKeyOwner, } from "./owner.js";

package/esm/sig/owner.js

@@ -0,0 +1,94 @@
+import { fetchDocumentLoader, } from "../runtime/docloader.js";
+import { isActor } from "../vocab/actor.js";
+import { CryptographicKey, Object as ASObject, } from "../vocab/vocab.js";
+export { exportJwk, generateCryptoKeyPair, importJwk } from "./key.js";
+/**
+ * Checks if the actor of the given activity owns the specified key.
+ * @param activity The activity to check.
+ * @param key The public key to check.
+ * @param options Options for checking the key ownership.
+ * @returns Whether the actor is the owner of the key.
+ */
+export async function doesActorOwnKey(activity, key, options) {
+    if (key.ownerId != null) {
+        return key.ownerId.href === activity.actorId?.href;
+    }
+    const actor = await activity.getActor(options);
+    if (actor == null || !isActor(actor))
+        return false;
+    for (const publicKeyId of actor.publicKeyIds) {
+        if (key.id != null && publicKeyId.href === key.id.href)
+            return true;
+    }
+    return false;
+}
+/**
+ * Gets the actor that owns the specified key.  Returns `null` if the key has no
+ * known owner.
+ *
+ * @param keyId The ID of the key to check, or the key itself.
+ * @param options Options for getting the key owner.
+ * @returns The actor that owns the key, or `null` if the key has no known
+ *          owner.
+ */
+export async function getKeyOwner(keyId, options) {
+    const documentLoader = options.documentLoader ?? fetchDocumentLoader;
+    const contextLoader = options.contextLoader ?? fetchDocumentLoader;
+    let object;
+    if (keyId instanceof CryptographicKey) {
+        object = keyId;
+        if (object.id == null)
+            return null;
+        keyId = object.id;
+    }
+    else {
+        let keyDoc;
+        try {
+            const { document } = await documentLoader(keyId.href);
+            keyDoc = document;
+        }
+        catch (_) {
+            return null;
+        }
+        try {
+            object = await ASObject.fromJsonLd(keyDoc, {
+                documentLoader,
+                contextLoader,
+            });
+        }
+        catch (e) {
+            if (!(e instanceof TypeError))
+                throw e;
+            try {
+                object = await CryptographicKey.fromJsonLd(keyDoc, {
+                    documentLoader,
+                    contextLoader,
+                });
+            }
+            catch (e) {
+                if (e instanceof TypeError)
+                    return null;
+                throw e;
+            }
+        }
+    }
+    let owner = null;
+    if (object instanceof CryptographicKey) {
+        if (object.ownerId == null)
+            return null;
+        owner = await object.getOwner({ documentLoader, contextLoader });
+    }
+    else if (isActor(object)) {
+        owner = object;
+    }
+    else {
+        return null;
+    }
+    if (owner == null)
+        return null;
+    for (const kid of owner.publicKeyIds) {
+        if (kid.href === keyId.href)
+            return owner;
+    }
+    return null;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "0.9.0-dev.179+b03181c1",
+  "version": "0.9.0-dev.181+d5e0642c",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",
@@ -53,6 +53,12 @@
         "default": "./esm/runtime/mod.js"
       }
     },
+    "./sig": {
+      "import": {
+        "types": "./types/sig/mod.d.ts",
+        "default": "./esm/sig/mod.js"
+      }
+    },
     "./vocab": {
       "import": {
         "types": "./types/vocab/mod.d.ts",

package/types/federation/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/federation/middleware.ts"],"names":[],"mappings":";;AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAK5C,OAAO,EACL,KAAK,kCAAkC,EACvC,KAAK,cAAc,EAIpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAoB,KAAK,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAE1E,OAAO,KAAK,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,wBAAwB,EACxB,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,eAAe,CAAC;AAEvB,OAAO,KAAK,EACV,OAAO,EAEP,cAAc,EACd,mBAAmB,EACpB,MAAM,cAAc,CAAC;AAQtB,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAK5C;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAE3C;;;;OAIG;IACH,KAAK,CAAC,EAAE,YAAY,CAAC;IAErB;;;OAGG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;;;OAIG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;IAE/B;;;;;;OAMG;IACH,kCAAkC,CAAC,EAAE,kCAAkC,CAAC;IAExE;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;;;;;;;OASG;IACH,aAAa,CAAC,EAAE,kBAAkB,CAAC;IAEnC;;;;;;OAMG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;IAIpD,eAAe,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;CAC/C;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,mBAAmB,EAAE,KAAK,CAAC;IAE3B;;;OAGG;IACH,cAAc,EAAE,KAAK,CAAC;CACvB;AAED;;;;;;GAMG;AACH,qBAAa,UAAU,CAAC,YAAY;;IA8BlC;;;OAGG;gBAED,EACE,EAAE,EACF,UAAU,EACV,KAAK,EACL,cAAc,EACd,aAAa,EACb,kCAAkC,EAClC,UAAU,EACV,aAAa,EACb,mBAAmB,EACnB,eAAe,GAChB,EAAE,oBAAoB;IA8GzB;;;;;;OAMG;IACH,aAAa,CAAC,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;IAE7E;;;;;OAKG;IACH,aAAa,CACX,OAAO,EAAE,OAAO,EAChB,WAAW,EAAE,YAAY,GACxB,cAAc,CAAC,YAAY,CAAC;IAuS/B;;;;;;;;;OASG;IACH,qBAAqB,CACnB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,kBAAkB,CAAC,YAAY,CAAC;IAc9C;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACH,kBAAkB,CAChB,IAAI,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EAClC,UAAU,EAAE,eAAe,CAAC,YAAY,CAAC,GACxC,oBAAoB,CAAC,YAAY,CAAC;IA0HrC;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EACF,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACrI,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EACF,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACjH,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EACF,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EAC7F,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EACF,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACzE,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EAAE,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACzD,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EAAE,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACrC,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAiCvD;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,mBAAmB,CACjB,IAAI,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EAClC,UAAU,EAAE,oBAAoB,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,CAAC,GAC7D,yBAAyB,CAAC,YAAY,EAAE,IAAI,CAAC;IAmChD;;;;;;;;;;OAUG;IACH,sBAAsB,CACpB,IAAI,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EAClC,UAAU,EAAE,oBAAoB,CAAC,KAAK,GAAG,GAAG,EAAE,YAAY,EAAE,IAAI,CAAC,GAChE,yBAAyB,CAAC,YAAY,EAAE,IAAI,CAAC;IAmChD;;;;;;;;;;OAUG;IACH,sBAAsB,CACpB,IAAI,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EAClC,UAAU,EAAE,oBAAoB,CAC9B,SAAS,EACT,YAAY,EACZ,GAAG,CACJ,GACA,yBAAyB,CAAC,YAAY,EAAE,GAAG,CAAC;IAyE/C;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,iBAAiB,CACf,SAAS,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EACvC,eAAe,CAAC,EAAE,MAAM,GACvB,mBAAmB,CAAC,YAAY,CAAC;IAyCpC;;;;;;;;;OASG;IACG,YAAY,CAChB,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;KAAE,EACpE,UAAU,EAAE,SAAS,GAAG,SAAS,EAAE,EACnC,QAAQ,EAAE,QAAQ,EAClB,EAAE,iBAAiB,EAAE,SAAS,EAAE,eAAe,EAAE,cAAc,EAAE,GAC/D,2BAAgC,GACjC,OAAO,CAAC,IAAI,CAAC;IA2FhB;;;;;;;;;;;OAWG;IACH,MAAM,CACJ,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,sBAAsB,CAAC,YAAY,CAAC,GAC5C,OAAO,CAAC,QAAQ,CAAC;IAOpB;;;;;;;;;;;OAWG;IACG,KAAK,CACT,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,sBAAsB,CAAC,YAAY,CAAC,GAC5C,OAAO,CAAC,QAAQ,CAAC;CA8IrB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB,CAAC,YAAY;IAClD;;OAEG;IACH,WAAW,EAAE,YAAY,CAAC;IAE1B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAErE;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACrE;AAQD;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,oBAAoB,CAAC,YAAY;IAChD;;;;OAIG;IACH,oBAAoB,CAClB,UAAU,EAAE,sBAAsB,CAAC,YAAY,CAAC,GAC/C,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAEtC;;;;;OAKG;IACH,SAAS,CACP,SAAS,EAAE,kBAAkB,CAAC,YAAY,CAAC,GAC1C,oBAAoB,CAAC,YAAY,CAAC,CAAC;CACvC;AAQD;;GAEG;AACH,MAAM,WAAW,qBAAqB,CACpC,YAAY,EACZ,OAAO,SAAS,MAAM,EACtB,MAAM,SAAS,MAAM;IAErB;;;;;OAKG;IACH,SAAS,CACP,SAAS,EAAE,wBAAwB,CAAC,YAAY,EAAE,MAAM,CAAC,GACxD,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;CACzD;AAED;;;;;GAKG;AACH,MAAM,WAAW,yBAAyB,CAAC,YAAY,EAAE,OAAO;IAC9D;;;;OAIG;IACH,UAAU,CACR,OAAO,EAAE,iBAAiB,CAAC,YAAY,EAAE,OAAO,CAAC,GAChD,yBAAyB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAEpD;;;;OAIG;IACH,cAAc,CACZ,MAAM,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,CAAC,GAC9C,yBAAyB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAEpD;;;;OAIG;IACH,aAAa,CACX,MAAM,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,CAAC,GAC9C,yBAAyB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAEpD;;;;;OAKG;IACH,SAAS,CACP,SAAS,EAAE,kBAAkB,CAAC,YAAY,CAAC,GAC1C,yBAAyB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;CACrD;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB,CAAC,YAAY;IAC/C;;;;;;OAMG;IACH,EAAE,CAAC,SAAS,SAAS,QAAQ,EAE3B,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,SAAS,EACvC,QAAQ,EAAE,aAAa,CAAC,YAAY,EAAE,SAAS,CAAC,GAC/C,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAErC;;;;;;OAMG;IACH,OAAO,CACL,OAAO,EAAE,iBAAiB,CAAC,YAAY,CAAC,GACvC,mBAAmB,CAAC,YAAY,CAAC,CAAC;CACtC;AAED,UAAU,2BAA4B,SAAQ,mBAAmB;IAC/D,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/federation/middleware.ts"],"names":[],"mappings":";;AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAM5C,OAAO,EACL,KAAK,kCAAkC,EACvC,KAAK,cAAc,EAIpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAoB,KAAK,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAE1E,OAAO,KAAK,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,aAAa,EACb,kBAAkB,EAClB,wBAAwB,EACxB,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,eAAe,CAAC;AAEvB,OAAO,KAAK,EACV,OAAO,EAEP,cAAc,EACd,mBAAmB,EACpB,MAAM,cAAc,CAAC;AAQtB,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAK5C;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,EAAE,EAAE,OAAO,CAAC;IAEZ;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAE3C;;;;OAIG;IACH,KAAK,CAAC,EAAE,YAAY,CAAC;IAErB;;;OAGG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;;;OAIG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;IAE/B;;;;;;OAMG;IACH,kCAAkC,CAAC,EAAE,kCAAkC,CAAC;IAExE;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;;;;;;;OASG;IACH,aAAa,CAAC,EAAE,kBAAkB,CAAC;IAEnC;;;;;;OAMG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;IAIpD,eAAe,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;CAC/C;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,mBAAmB,EAAE,KAAK,CAAC;IAE3B;;;OAGG;IACH,cAAc,EAAE,KAAK,CAAC;CACvB;AAED;;;;;;GAMG;AACH,qBAAa,UAAU,CAAC,YAAY;;IA8BlC;;;OAGG;gBAED,EACE,EAAE,EACF,UAAU,EACV,KAAK,EACL,cAAc,EACd,aAAa,EACb,kCAAkC,EAClC,UAAU,EACV,aAAa,EACb,mBAAmB,EACnB,eAAe,GAChB,EAAE,oBAAoB;IA8GzB;;;;;;OAMG;IACH,aAAa,CAAC,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;IAE7E;;;;;OAKG;IACH,aAAa,CACX,OAAO,EAAE,OAAO,EAChB,WAAW,EAAE,YAAY,GACxB,cAAc,CAAC,YAAY,CAAC;IA0S/B;;;;;;;;;OASG;IACH,qBAAqB,CACnB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,kBAAkB,CAAC,YAAY,CAAC;IAc9C;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACH,kBAAkB,CAChB,IAAI,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EAClC,UAAU,EAAE,eAAe,CAAC,YAAY,CAAC,GACxC,oBAAoB,CAAC,YAAY,CAAC;IA0HrC;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EACF,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACrI,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EACF,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACjH,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EACF,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EAC7F,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EACF,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACzE,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EAAE,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACzD,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAEvD;;;;;;;;;;;;;OAaG;IACH,mBAAmB,CAAC,OAAO,SAAS,MAAM,EAAE,MAAM,SAAS,MAAM,EAE/D,GAAG,EAAE,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,GAAG;QAAE,MAAM,EAAE,GAAG,CAAA;KAAE,EACxD,IAAI,EAAE,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,EAAE,EACrC,UAAU,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,GAC1D,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC;IAiCvD;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,mBAAmB,CACjB,IAAI,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EAClC,UAAU,EAAE,oBAAoB,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,CAAC,GAC7D,yBAAyB,CAAC,YAAY,EAAE,IAAI,CAAC;IAmChD;;;;;;;;;;OAUG;IACH,sBAAsB,CACpB,IAAI,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EAClC,UAAU,EAAE,oBAAoB,CAAC,KAAK,GAAG,GAAG,EAAE,YAAY,EAAE,IAAI,CAAC,GAChE,yBAAyB,CAAC,YAAY,EAAE,IAAI,CAAC;IAmChD;;;;;;;;;;OAUG;IACH,sBAAsB,CACpB,IAAI,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EAClC,UAAU,EAAE,oBAAoB,CAC9B,SAAS,EACT,YAAY,EACZ,GAAG,CACJ,GACA,yBAAyB,CAAC,YAAY,EAAE,GAAG,CAAC;IAyE/C;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,iBAAiB,CACf,SAAS,EAAE,GAAG,MAAM,WAAW,MAAM,EAAE,EACvC,eAAe,CAAC,EAAE,MAAM,GACvB,mBAAmB,CAAC,YAAY,CAAC;IAyCpC;;;;;;;;;OASG;IACG,YAAY,CAChB,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,UAAU,EAAE,OAAO,CAAC,SAAS,CAAA;KAAE,EACpE,UAAU,EAAE,SAAS,GAAG,SAAS,EAAE,EACnC,QAAQ,EAAE,QAAQ,EAClB,EAAE,iBAAiB,EAAE,SAAS,EAAE,eAAe,EAAE,cAAc,EAAE,GAC/D,2BAAgC,GACjC,OAAO,CAAC,IAAI,CAAC;IA2FhB;;;;;;;;;;;OAWG;IACH,MAAM,CACJ,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,sBAAsB,CAAC,YAAY,CAAC,GAC5C,OAAO,CAAC,QAAQ,CAAC;IAOpB;;;;;;;;;;;OAWG;IACG,KAAK,CACT,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,sBAAsB,CAAC,YAAY,CAAC,GAC5C,OAAO,CAAC,QAAQ,CAAC;CA8IrB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB,CAAC,YAAY;IAClD;;OAEG;IACH,WAAW,EAAE,YAAY,CAAC;IAE1B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAErE;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACrE;AAQD;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,oBAAoB,CAAC,YAAY;IAChD;;;;OAIG;IACH,oBAAoB,CAClB,UAAU,EAAE,sBAAsB,CAAC,YAAY,CAAC,GAC/C,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAEtC;;;;;OAKG;IACH,SAAS,CACP,SAAS,EAAE,kBAAkB,CAAC,YAAY,CAAC,GAC1C,oBAAoB,CAAC,YAAY,CAAC,CAAC;CACvC;AAQD;;GAEG;AACH,MAAM,WAAW,qBAAqB,CACpC,YAAY,EACZ,OAAO,SAAS,MAAM,EACtB,MAAM,SAAS,MAAM;IAErB;;;;;OAKG;IACH,SAAS,CACP,SAAS,EAAE,wBAAwB,CAAC,YAAY,EAAE,MAAM,CAAC,GACxD,qBAAqB,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;CACzD;AAED;;;;;GAKG;AACH,MAAM,WAAW,yBAAyB,CAAC,YAAY,EAAE,OAAO;IAC9D;;;;OAIG;IACH,UAAU,CACR,OAAO,EAAE,iBAAiB,CAAC,YAAY,EAAE,OAAO,CAAC,GAChD,yBAAyB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAEpD;;;;OAIG;IACH,cAAc,CACZ,MAAM,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,CAAC,GAC9C,yBAAyB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAEpD;;;;OAIG;IACH,aAAa,CACX,MAAM,EAAE,gBAAgB,CAAC,YAAY,EAAE,OAAO,CAAC,GAC9C,yBAAyB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAEpD;;;;;OAKG;IACH,SAAS,CACP,SAAS,EAAE,kBAAkB,CAAC,YAAY,CAAC,GAC1C,yBAAyB,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;CACrD;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB,CAAC,YAAY;IAC/C;;;;;;OAMG;IACH,EAAE,CAAC,SAAS,SAAS,QAAQ,EAE3B,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,SAAS,EACvC,QAAQ,EAAE,aAAa,CAAC,YAAY,EAAE,SAAS,CAAC,GAC/C,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAErC;;;;;;OAMG;IACH,OAAO,CACL,OAAO,EAAE,iBAAiB,CAAC,YAAY,CAAC,GACvC,mBAAmB,CAAC,YAAY,CAAC,CAAC;CACtC;AAED,UAAU,2BAA4B,SAAQ,mBAAmB;IAC/D,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB"}

package/types/httpsig/mod.d.ts

@@ -5,12 +5,13 @@
  * Signatures](https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12).
  *
  * @module
+ * @deprecated
  */
 import * as dntShim from "../_dnt.shims.js";
-import { type DocumentLoader } from "../runtime/docloader.js";
-import { type Actor } from "../vocab/actor.js";
-import { type Activity, CryptographicKey } from "../vocab/vocab.js";
-export { exportJwk, generateCryptoKeyPair, importJwk } from "./key.js";
+import { type VerifyRequestOptions } from "../sig/http.js";
+import { type DoesActorOwnKeyOptions as NewDoesActorOwnKeyOptions, type GetKeyOwnerOptions as NewGetKeyOwnerOptions } from "../sig/owner.js";
+import type { Actor } from "../vocab/actor.js";
+import type { Activity, CryptographicKey } from "../vocab/vocab.js";
 /**
  * Signs a request using the given private key.
  * @param request The request to sign.
@@ -19,34 +20,16 @@ export { exportJwk, generateCryptoKeyPair, importJwk } from "./key.js";
  *              verifier.
  * @returns The signed request.
  * @throws {TypeError} If the private key is invalid or unsupported.
+ * @deprecated
  */
 export declare function sign(request: Request, privateKey: dntShim.CryptoKey, keyId: URL): Promise<Request>;
 /**
  * Options for {@link verify}.
  *
  * @since 0.9.0
+ * @deprecated
  */
-export interface VerifyOptions {
-    /**
-     * The document loader to use for fetching the public key.
-     */
-    documentLoader?: DocumentLoader;
-    /**
-     * The context loader to use for JSON-LD context retrieval.
-     */
-    contextLoader?: DocumentLoader;
-    /**
-     * The time window to allow for the request date.  The actual time window is
-     * twice the value of this option, with the current time as the center.
-     * A minute by default.
-     */
-    timeWindow?: dntShim.Temporal.DurationLike;
-    /**
-     * The current time.  If not specified, the current time is used.  This is
-     * useful for testing.
-     */
-    currentTime?: dntShim.Temporal.Instant;
-}
+export type VerifyOptions = VerifyRequestOptions;
 /**
  * Verifies the signature of a request.
  *
@@ -59,44 +42,30 @@ export interface VerifyOptions {
  * @param options Options for verifying the request.
  * @returns The public key of the verified signature, or `null` if the signature
  *          could not be verified.
+ * @deprecated
  */
-export declare function verify(request: Request, { documentLoader, contextLoader, timeWindow, currentTime }?: VerifyOptions): Promise<CryptographicKey | null>;
+export declare function verify(request: Request, options?: VerifyRequestOptions): Promise<CryptographicKey | null>;
 /**
  * Options for {@link doesActorOwnKey}.
  * @since 0.8.0
+ * @deprecated
  */
-export interface DoesActorOwnKeyOptions {
-    /**
-     * The document loader to use for fetching the actor.
-     */
-    documentLoader?: DocumentLoader;
-    /**
-     * The context loader to use for JSON-LD context retrieval.
-     */
-    contextLoader?: DocumentLoader;
-}
+export type DoesActorOwnKeyOptions = NewDoesActorOwnKeyOptions;
 /**
  * Checks if the actor of the given activity owns the specified key.
  * @param activity The activity to check.
  * @param key The public key to check.
  * @param options Options for checking the key ownership.
  * @returns Whether the actor is the owner of the key.
+ * @deprecated
  */
-export declare function doesActorOwnKey(activity: Activity, key: CryptographicKey, options: DoesActorOwnKeyOptions): Promise<boolean>;
+export declare function doesActorOwnKey(activity: Activity, key: CryptographicKey, options: NewDoesActorOwnKeyOptions): Promise<boolean>;
 /**
  * Options for {@link getKeyOwner}.
  * @since 0.8.0
+ * @deprecated
  */
-export interface GetKeyOwnerOptions {
-    /**
-     * The document loader to use for fetching the key and its owner.
-     */
-    documentLoader?: DocumentLoader;
-    /**
-     * The context loader to use for JSON-LD context retrieval.
-     */
-    contextLoader?: DocumentLoader;
-}
+export type GetKeyOwnerOptions = NewGetKeyOwnerOptions;
 /**
  * Gets the actor that owns the specified key.  Returns `null` if the key has no
  * known owner.
@@ -106,6 +75,34 @@ export interface GetKeyOwnerOptions {
  * @returns The actor that owns the key, or `null` if the key has no known
  *          owner.
  * @since 0.7.0
+ * @deprecated
  */
-export declare function getKeyOwner(keyId: URL | CryptographicKey, options: GetKeyOwnerOptions): Promise<Actor | null>;
+export declare function getKeyOwner(keyId: URL | CryptographicKey, options: NewGetKeyOwnerOptions): Promise<Actor | null>;
+/**
+ * Generates a key pair which is appropriate for Fedify.
+ * @returns The generated key pair.
+ * @since 0.3.0
+ * @deprecated
+ */
+export declare function generateCryptoKeyPair(): Promise<dntShim.CryptoKeyPair>;
+/**
+ * Exports a key in JWK format.
+ * @param key The key to export.  Either public or private key.
+ * @returns The exported key in JWK format.  The key is suitable for
+ *          serialization and storage.
+ * @throws {TypeError} If the key is invalid or unsupported.
+ * @since 0.3.0
+ * @deprecated
+ */
+export declare function exportJwk(key: dntShim.CryptoKey): Promise<dntShim.JsonWebKey>;
+/**
+ * Imports a key from JWK format.
+ * @param jwk The key in JWK format.
+ * @param type Which type of key to import, either `"public"`" or `"private"`".
+ * @returns The imported key.
+ * @throws {TypeError} If the key is invalid or unsupported.
+ * @since 0.3.0
+ * @deprecated
+ */
+export declare function importJwk(jwk: dntShim.JsonWebKey, type: "public" | "private"): Promise<dntShim.CryptoKey>;
 //# sourceMappingURL=mod.d.ts.map

package/types/httpsig/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/httpsig/mod.ts"],"names":[],"mappings":";;AAAA;;;;;GAKG;AACH,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAK5C,OAAO,EACL,KAAK,cAAc,EAEpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,KAAK,KAAK,EAAW,MAAM,mBAAmB,CAAC;AACxD,OAAO,EACL,KAAK,QAAQ,EACb,gBAAgB,EAEjB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAEvE;;;;;;;;GAQG;AACH,wBAAsB,IAAI,CACxB,OAAO,EAAE,OAAO,EAChB,UAAU,EAAE,OAAO,CAAC,SAAS,EAC7B,KAAK,EAAE,GAAG,GACT,OAAO,CAAC,OAAO,CAAC,CAuClB;AAQD;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;IAE/B;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;IAE3C;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;CACxC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,MAAM,CAC1B,OAAO,EAAE,OAAO,EAChB,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,GAAE,aACxD,GACH,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA+NlC;AAED;;;GAGG;AACH,MAAM,WAAW,sBAAsB;IACrC;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;CAChC;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,gBAAgB,EACrB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,OAAO,CAAC,CAUlB;AAED;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;CAChC;AAED;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,GAAG,GAAG,gBAAgB,EAC7B,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAgDvB"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/httpsig/mod.ts"],"names":[],"mappings":";;AAAA;;;;;;GAMG;AACH,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAG5C,OAAO,EAGL,KAAK,oBAAoB,EAC1B,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EAEL,KAAK,sBAAsB,IAAI,yBAAyB,EAExD,KAAK,kBAAkB,IAAI,qBAAqB,EACjD,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAEpE;;;;;;;;;GASG;AACH,wBAAgB,IAAI,CAClB,OAAO,EAAE,OAAO,EAChB,UAAU,EAAE,OAAO,CAAC,SAAS,EAC7B,KAAK,EAAE,GAAG,GACT,OAAO,CAAC,OAAO,CAAC,CAKlB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,GAAG,oBAAoB,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,MAAM,CACpB,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAKlC;AAED;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,GAAG,yBAAyB,CAAC;AAE/D;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,gBAAgB,EACrB,OAAO,EAAE,yBAAyB,GACjC,OAAO,CAAC,OAAO,CAAC,CAMlB;AAED;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AAEvD;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,GAAG,GAAG,gBAAgB,EAC7B,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAMvB;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAMtE;AAED;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAM7E;AAED;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CACvB,GAAG,EAAE,OAAO,CAAC,UAAU,EACvB,IAAI,EAAE,QAAQ,GAAG,SAAS,GACzB,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAM5B"}

package/types/sig/http.d.ts

@@ -0,0 +1,54 @@
+/// <reference types="node" />
+/// <reference types="node" />
+import * as dntShim from "../_dnt.shims.js";
+import { type DocumentLoader } from "../runtime/docloader.js";
+import { CryptographicKey } from "../vocab/vocab.js";
+/**
+ * Signs a request using the given private key.
+ * @param request The request to sign.
+ * @param privateKey The private key to use for signing.
+ * @param keyId The key ID to use for the signature.  It will be used by the
+ *              verifier.
+ * @returns The signed request.
+ * @throws {TypeError} If the private key is invalid or unsupported.
+ */
+export declare function signRequest(request: Request, privateKey: dntShim.CryptoKey, keyId: URL): Promise<Request>;
+/**
+ * Options for {@link verify}.
+ */
+export interface VerifyRequestOptions {
+    /**
+     * The document loader to use for fetching the public key.
+     */
+    documentLoader?: DocumentLoader;
+    /**
+     * The context loader to use for JSON-LD context retrieval.
+     */
+    contextLoader?: DocumentLoader;
+    /**
+     * The time window to allow for the request date.  The actual time window is
+     * twice the value of this option, with the current time as the center.
+     * A minute by default.
+     */
+    timeWindow?: dntShim.Temporal.DurationLike;
+    /**
+     * The current time.  If not specified, the current time is used.  This is
+     * useful for testing.
+     */
+    currentTime?: dntShim.Temporal.Instant;
+}
+/**
+ * Verifies the signature of a request.
+ *
+ * Note that this function consumes the request body, so it should not be used
+ * if the request body is already consumed.  Consuming the request body after
+ * calling this function is okay, since this function clones the request
+ * under the hood.
+ *
+ * @param request The request to verify.
+ * @param options Options for verifying the request.
+ * @returns The public key of the verified signature, or `null` if the signature
+ *          could not be verified.
+ */
+export declare function verifyRequest(request: Request, { documentLoader, contextLoader, timeWindow, currentTime }?: VerifyRequestOptions): Promise<CryptographicKey | null>;
+//# sourceMappingURL=http.d.ts.map

package/types/sig/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/sig/http.ts"],"names":[],"mappings":";;AAAA,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAI5C,OAAO,EACL,KAAK,cAAc,EAEpB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,gBAAgB,EAAsB,MAAM,mBAAmB,CAAC;AAGzE;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,OAAO,EAChB,UAAU,EAAE,OAAO,CAAC,SAAS,EAC7B,KAAK,EAAE,GAAG,GACT,OAAO,CAAC,OAAO,CAAC,CAuClB;AAQD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;IAE/B;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;IAE3C;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;CACxC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,OAAO,EAChB,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,GACxD,oBAAyB,GAC1B,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA+NlC"}

package/types/sig/http.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.test.d.ts","sourceRoot":"","sources":["../../src/sig/http.test.ts"],"names":[],"mappings":"AAAA,OAAO,2BAA2B,CAAC"}

package/types/{httpsig → sig}/key.d.ts

@@ -11,7 +11,6 @@ export declare function validateCryptoKey(key: dntShim.CryptoKey, type?: "public
 /**
  * Generates a key pair which is appropriate for Fedify.
  * @returns The generated key pair.
- * @since 0.3.0
  */
 export declare function generateCryptoKeyPair(): Promise<dntShim.CryptoKeyPair>;
 /**
@@ -20,7 +19,6 @@ export declare function generateCryptoKeyPair(): Promise<dntShim.CryptoKeyPair>;
  * @returns The exported key in JWK format.  The key is suitable for
  *          serialization and storage.
  * @throws {TypeError} If the key is invalid or unsupported.
- * @since 0.3.0
  */
 export declare function exportJwk(key: dntShim.CryptoKey): Promise<dntShim.JsonWebKey>;
 /**
@@ -29,7 +27,6 @@ export declare function exportJwk(key: dntShim.CryptoKey): Promise<dntShim.JsonW
  * @param type Which type of key to import, either `"public"`" or `"private"`".
  * @returns The imported key.
  * @throws {TypeError} If the key is invalid or unsupported.
- * @since 0.3.0
  */
 export declare function importJwk(jwk: dntShim.JsonWebKey, type: "public" | "private"): Promise<dntShim.CryptoKey>;
 //# sourceMappingURL=key.d.ts.map

package/types/sig/key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key.d.ts","sourceRoot":"","sources":["../../src/sig/key.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAE5C,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,OAAO,CAAC,SAAS,EACtB,IAAI,CAAC,EAAE,QAAQ,GAAG,SAAS,GAC1B,IAAI,CAqBN;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAWtE;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAGnF;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,OAAO,CAAC,UAAU,EACvB,IAAI,EAAE,QAAQ,GAAG,SAAS,GACzB,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAU5B"}

package/types/sig/key.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key.test.d.ts","sourceRoot":"","sources":["../../src/sig/key.test.ts"],"names":[],"mappings":"AAAA,OAAO,2BAA2B,CAAC"}

package/types/sig/mod.d.ts

@@ -0,0 +1,9 @@
+/**
+ * HTTP Signatures implementation.
+ *
+ * @module
+ */
+export { signRequest, verifyRequest, type VerifyRequestOptions, } from "./http.js";
+export { exportJwk, generateCryptoKeyPair, importJwk } from "./key.js";
+export { doesActorOwnKey, type DoesActorOwnKeyOptions, getKeyOwner, type GetKeyOwnerOptions, } from "./owner.js";
+//# sourceMappingURL=mod.d.ts.map

package/types/sig/mod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/sig/mod.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,WAAW,EACX,aAAa,EACb,KAAK,oBAAoB,GAC1B,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACvE,OAAO,EACL,eAAe,EACf,KAAK,sBAAsB,EAC3B,WAAW,EACX,KAAK,kBAAkB,GACxB,MAAM,YAAY,CAAC"}

package/types/sig/owner.d.ts

@@ -0,0 +1,50 @@
+/// <reference types="node" />
+import { type DocumentLoader } from "../runtime/docloader.js";
+import { type Actor } from "../vocab/actor.js";
+import { type Activity, CryptographicKey } from "../vocab/vocab.js";
+export { exportJwk, generateCryptoKeyPair, importJwk } from "./key.js";
+/**
+ * Options for {@link doesActorOwnKey}.
+ */
+export interface DoesActorOwnKeyOptions {
+    /**
+     * The document loader to use for fetching the actor.
+     */
+    documentLoader?: DocumentLoader;
+    /**
+     * The context loader to use for JSON-LD context retrieval.
+     */
+    contextLoader?: DocumentLoader;
+}
+/**
+ * Checks if the actor of the given activity owns the specified key.
+ * @param activity The activity to check.
+ * @param key The public key to check.
+ * @param options Options for checking the key ownership.
+ * @returns Whether the actor is the owner of the key.
+ */
+export declare function doesActorOwnKey(activity: Activity, key: CryptographicKey, options: DoesActorOwnKeyOptions): Promise<boolean>;
+/**
+ * Options for {@link getKeyOwner}.
+ */
+export interface GetKeyOwnerOptions {
+    /**
+     * The document loader to use for fetching the key and its owner.
+     */
+    documentLoader?: DocumentLoader;
+    /**
+     * The context loader to use for JSON-LD context retrieval.
+     */
+    contextLoader?: DocumentLoader;
+}
+/**
+ * Gets the actor that owns the specified key.  Returns `null` if the key has no
+ * known owner.
+ *
+ * @param keyId The ID of the key to check, or the key itself.
+ * @param options Options for getting the key owner.
+ * @returns The actor that owns the key, or `null` if the key has no known
+ *          owner.
+ */
+export declare function getKeyOwner(keyId: URL | CryptographicKey, options: GetKeyOwnerOptions): Promise<Actor | null>;
+//# sourceMappingURL=owner.d.ts.map

package/types/sig/owner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"owner.d.ts","sourceRoot":"","sources":["../../src/sig/owner.ts"],"names":[],"mappings":";AAAA,OAAO,EACL,KAAK,cAAc,EAEpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,KAAK,KAAK,EAAW,MAAM,mBAAmB,CAAC;AACxD,OAAO,EACL,KAAK,QAAQ,EACb,gBAAgB,EAEjB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;CAChC;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,gBAAgB,EACrB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,OAAO,CAAC,CAUlB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC;CAChC;AAED;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,GAAG,GAAG,gBAAgB,EAC7B,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAgDvB"}

package/types/sig/owner.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"owner.test.d.ts","sourceRoot":"","sources":["../../src/sig/owner.test.ts"],"names":[],"mappings":"AAAA,OAAO,2BAA2B,CAAC"}

package/types/httpsig/key.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"key.d.ts","sourceRoot":"","sources":["../../src/httpsig/key.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,OAAO,MAAM,kBAAkB,CAAC;AAE5C,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,OAAO,CAAC,SAAS,EACtB,IAAI,CAAC,EAAE,QAAQ,GAAG,SAAS,GAC1B,IAAI,CAqBN;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAWtE;AAED;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAGnF;AAED;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,OAAO,CAAC,UAAU,EACvB,IAAI,EAAE,QAAQ,GAAG,SAAS,GACzB,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAU5B"}

package/types/httpsig/key.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"key.test.d.ts","sourceRoot":"","sources":["../../src/httpsig/key.test.ts"],"names":[],"mappings":"AAAA,OAAO,2BAA2B,CAAC"}