@fedify/fedify 2.0.0-pr.412.1559 → 2.0.0-pr.412.1794

package/dist/federation/negotiation.test.js

@@ -0,0 +1,26 @@
+
+      import { Temporal } from "@js-temporal/polyfill";
+      import { URLPattern } from "urlpattern-polyfill";
+      globalThis.addEventListener = () => {};
+    
+import "../lookup-DQRtjvb1.js";
+import "../assert_equals-DSbWqCm3.js";
+import { assert } from "../assert-MZs1qjMx.js";
+import "../assert_instance_of-DHz7EHNU.js";
+import { acceptsJsonLd } from "../negotiation-C4nFufNk.js";
+import { test } from "../testing-g4UC4liW.js";
+import "../std__assert-DWivtrGR.js";
+import { assertFalse } from "../assert_rejects-Ce45JcFg.js";
+import "../assert_throws-BNXdRGWP.js";
+import "../assert_not_equals-C80BG-_5.js";
+
+//#region src/federation/negotiation.test.ts
+test("acceptsJsonLd()", () => {
+	assert(acceptsJsonLd(new Request("https://example.com/", { headers: { Accept: "application/activity+json" } })));
+	assert(acceptsJsonLd(new Request("https://example.com/", { headers: { Accept: "application/ld+json" } })));
+	assert(acceptsJsonLd(new Request("https://example.com/", { headers: { Accept: "application/json" } })));
+	assertFalse(acceptsJsonLd(new Request("https://example.com/", { headers: { Accept: "application/ld+json; q=0.5, text/html; q=0.8" } })));
+	assertFalse(acceptsJsonLd(new Request("https://example.com/", { headers: { Accept: "application/ld+json; q=0.4, application/xhtml+xml; q=0.9" } })));
+});
+
+//#endregion

package/dist/federation/retry.test.js

@@ -3,12 +3,11 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import "../type-SK-d7Tbw.js";
+import "../lookup-DQRtjvb1.js";
 import { AssertionError, assertEquals } from "../assert_equals-DSbWqCm3.js";
-import "../lookup-Bn_HEC_d.js";
-import { createExponentialBackoffPolicy } from "../retry-D4GJ670a.js";
-import { test } from "../testing-Z2omCvKy.js";
-import { assertNotEquals } from "../assert_not_equals-f3m3epl3.js";
+import { createExponentialBackoffPolicy } from "../retry-CfF8Gn4d.js";
+import { test } from "../testing-g4UC4liW.js";
+import { assertNotEquals } from "../assert_not_equals-C80BG-_5.js";
 
 //#region src/federation/retry.test.ts
 test("createExponentialBackoffPolicy()", () => {

package/dist/federation/router.test.js

@@ -3,17 +3,15 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import "../type-SK-d7Tbw.js";
+import { Router, RouterError } from "../lookup-DQRtjvb1.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import { assert } from "../assert-MZs1qjMx.js";
 import "../assert_instance_of-DHz7EHNU.js";
-import { Router, RouterError } from "../lookup-Bn_HEC_d.js";
-import { test } from "../testing-Z2omCvKy.js";
-import "../std__assert-X-_kMxKM.js";
-import { assertFalse } from "../assert_rejects-DiIiJbZn.js";
-import "../assert_is_error-BPGph1Jx.js";
-import "../assert_not_equals-f3m3epl3.js";
-import { assertThrows } from "../assert_throws-BOO88avQ.js";
+import { test } from "../testing-g4UC4liW.js";
+import "../std__assert-DWivtrGR.js";
+import { assertFalse } from "../assert_rejects-Ce45JcFg.js";
+import { assertThrows } from "../assert_throws-BNXdRGWP.js";
+import "../assert_not_equals-C80BG-_5.js";
 
 //#region src/federation/router.test.ts
 function setUp(options = {}) {

package/dist/federation/send.test.js

@@ -3,24 +3,22 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { Activity, Application, Endpoints, Group, Person, Service } from "../type-SK-d7Tbw.js";
+import { Activity, Application, Endpoints, Group, Person, Service } from "../lookup-DQRtjvb1.js";
 import { assertEquals } from "../assert_equals-DSbWqCm3.js";
 import { assert } from "../assert-MZs1qjMx.js";
 import "../assert_instance_of-DHz7EHNU.js";
-import "../lookup-Bn_HEC_d.js";
-import "../actor-Cc6B76eG.js";
-import "../key-CzLv1phF.js";
-import { verifyRequest } from "../http-CcdM1brU.js";
-import { doesActorOwnKey } from "../owner-VEIjmR8r.js";
-import { extractInboxes, sendActivity } from "../send-BzS7w-QF.js";
-import { mockDocumentLoader, test } from "../testing-Z2omCvKy.js";
-import "../std__assert-X-_kMxKM.js";
-import { assertFalse, assertRejects } from "../assert_rejects-DiIiJbZn.js";
-import "../assert_is_error-BPGph1Jx.js";
-import { assertNotEquals } from "../assert_not_equals-f3m3epl3.js";
-import "../assert_throws-BOO88avQ.js";
-import { ed25519Multikey, ed25519PrivateKey, rsaPrivateKey2, rsaPublicKey2 } from "../keys-zZwiKkfx.js";
-import { esm_default } from "../esm-CHdxdkuH.js";
+import "../actor-BXHc5r-q.js";
+import "../key-CxdLUFS6.js";
+import { verifyRequest } from "../http-D2kIm9la.js";
+import { doesActorOwnKey } from "../owner-Dvh7mBvr.js";
+import { extractInboxes, sendActivity } from "../send-Drp20VO9.js";
+import { mockDocumentLoader, test } from "../testing-g4UC4liW.js";
+import "../std__assert-DWivtrGR.js";
+import { assertFalse, assertRejects } from "../assert_rejects-Ce45JcFg.js";
+import "../assert_throws-BNXdRGWP.js";
+import { assertNotEquals } from "../assert_not_equals-C80BG-_5.js";
+import { ed25519Multikey, ed25519PrivateKey, rsaPrivateKey2, rsaPublicKey2 } from "../keys-DMHs8XNn.js";
+import { esm_default } from "../esm-C-Qa1zEM.js";
 
 //#region src/federation/send.test.ts
 test("extractInboxes()", () => {

package/dist/federation-CRpdnOMS.cjs

@@ -0,0 +1,244 @@
+
+          const { Temporal } = require("@js-temporal/polyfill");
+          const { URLPattern } = require("urlpattern-polyfill");
+        
+const require_chunk = require('./chunk-DqRYRqnO.cjs');
+const es_toolkit = require_chunk.__toESM(require("es-toolkit"));
+
+//#region src/federation/kv.ts
+/**
+* A key–value store that stores values in memory.
+* Do not use this in production as it does not persist values.
+*
+* @since 0.5.0
+*/
+var MemoryKvStore = class {
+	#values = {};
+	#encodeKey(key) {
+		return JSON.stringify(key);
+	}
+	/**
+	* {@inheritDoc KvStore.get}
+	*/
+	get(key) {
+		const encodedKey = this.#encodeKey(key);
+		const entry = this.#values[encodedKey];
+		if (entry == null) return Promise.resolve(void 0);
+		const [value, expiration] = entry;
+		if (expiration != null && Temporal.Now.instant().until(expiration).sign < 0) {
+			delete this.#values[encodedKey];
+			return Promise.resolve(void 0);
+		}
+		return Promise.resolve(value);
+	}
+	/**
+	* {@inheritDoc KvStore.set}
+	*/
+	set(key, value, options) {
+		const encodedKey = this.#encodeKey(key);
+		const expiration = options?.ttl == null ? null : Temporal.Now.instant().add(options.ttl.round({ largestUnit: "hour" }));
+		this.#values[encodedKey] = [value, expiration];
+		return Promise.resolve();
+	}
+	/**
+	* {@inheritDoc KvStore.delete}
+	*/
+	delete(key) {
+		const encodedKey = this.#encodeKey(key);
+		delete this.#values[encodedKey];
+		return Promise.resolve();
+	}
+	/**
+	* {@inheritDoc KvStore.cas}
+	*/
+	cas(key, expectedValue, newValue, options) {
+		const encodedKey = this.#encodeKey(key);
+		const entry = this.#values[encodedKey];
+		let currentValue;
+		if (entry == null) currentValue = void 0;
+		else {
+			const [value, expiration$1] = entry;
+			if (expiration$1 != null && Temporal.Now.instant().until(expiration$1).sign < 0) {
+				delete this.#values[encodedKey];
+				currentValue = void 0;
+			} else currentValue = value;
+		}
+		if (!(0, es_toolkit.isEqual)(currentValue, expectedValue)) return Promise.resolve(false);
+		const expiration = options?.ttl == null ? null : Temporal.Now.instant().add(options.ttl.round({ largestUnit: "hour" }));
+		this.#values[encodedKey] = [newValue, expiration];
+		return Promise.resolve(true);
+	}
+};
+
+//#endregion
+//#region src/federation/mq.ts
+/**
+* A message queue that processes messages in the same process.
+* Do not use this in production as it does neither persist messages nor
+* distribute them across multiple processes.
+*
+* @since 0.5.0
+*/
+var InProcessMessageQueue = class {
+	#messages;
+	#monitors;
+	#pollIntervalMs;
+	/**
+	* In-process message queue does not provide native retry mechanisms.
+	* @since 1.7.0
+	*/
+	nativeRetrial = false;
+	/**
+	* Constructs a new {@link InProcessMessageQueue} with the given options.
+	* @param options Additional options for the in-process message queue.
+	*/
+	constructor(options = {}) {
+		this.#messages = [];
+		this.#monitors = {};
+		this.#pollIntervalMs = Temporal.Duration.from(options.pollInterval ?? { seconds: 5 }).total("millisecond");
+	}
+	enqueue(message, options) {
+		const delay = options?.delay == null ? 0 : Math.max(options.delay.total("millisecond"), 0);
+		if (delay > 0) {
+			setTimeout(() => this.enqueue(message, {
+				...options,
+				delay: void 0
+			}), delay);
+			return Promise.resolve();
+		}
+		this.#messages.push(message);
+		for (const monitorId in this.#monitors) this.#monitors[monitorId]();
+		return Promise.resolve();
+	}
+	enqueueMany(messages, options) {
+		if (messages.length === 0) return Promise.resolve();
+		const delay = options?.delay == null ? 0 : Math.max(options.delay.total("millisecond"), 0);
+		if (delay > 0) {
+			setTimeout(() => this.enqueueMany(messages, {
+				...options,
+				delay: void 0
+			}), delay);
+			return Promise.resolve();
+		}
+		this.#messages.push(...messages);
+		for (const monitorId in this.#monitors) this.#monitors[monitorId]();
+		return Promise.resolve();
+	}
+	async listen(handler, options = {}) {
+		const signal = options.signal;
+		while (signal == null || !signal.aborted) {
+			while (this.#messages.length > 0) {
+				const message = this.#messages.shift();
+				await handler(message);
+			}
+			await this.#wait(this.#pollIntervalMs, signal);
+		}
+	}
+	#wait(ms, signal) {
+		let timer = null;
+		return Promise.any([new Promise((resolve) => {
+			signal?.addEventListener("abort", () => {
+				if (timer != null) clearTimeout(timer);
+				resolve();
+			}, { once: true });
+			const monitorId = crypto.randomUUID();
+			this.#monitors[monitorId] = () => {
+				delete this.#monitors[monitorId];
+				if (timer != null) clearTimeout(timer);
+				resolve();
+			};
+		}), new Promise((resolve) => timer = setTimeout(resolve, ms))]);
+	}
+};
+/**
+* A message queue that processes messages in parallel.  It takes another
+* {@link MessageQueue}, and processes messages in parallel up to a certain
+* number of workers.
+*
+* Actually, it's rather a decorator than a queue itself.
+*
+* Note that the workers do not run in truly parallel, in the sense that they
+* are not running in separate threads or processes.  They are running in the
+* same process, but are scheduled to run in parallel.  Hence, this is useful
+* for I/O-bound tasks, but not for CPU-bound tasks, which is okay for Fedify's
+* workloads.
+*
+* @since 1.0.0
+*/
+var ParallelMessageQueue = class ParallelMessageQueue {
+	queue;
+	workers;
+	/**
+	* Inherits the native retry capability from the wrapped queue.
+	* @since 1.7.0
+	*/
+	nativeRetrial;
+	/**
+	* Constructs a new {@link ParallelMessageQueue} with the given queue and
+	* number of workers.
+	* @param queue The message queue to use under the hood.  Note that
+	*              {@link ParallelMessageQueue} cannot be nested.
+	* @param workers The number of workers to process messages in parallel.
+	* @throws {TypeError} If the given queue is an instance of
+	*                     {@link ParallelMessageQueue}.
+	*/
+	constructor(queue, workers) {
+		if (queue instanceof ParallelMessageQueue) throw new TypeError("Cannot nest ParallelMessageQueue.");
+		this.queue = queue;
+		this.workers = workers;
+		this.nativeRetrial = queue.nativeRetrial;
+	}
+	enqueue(message, options) {
+		return this.queue.enqueue(message, options);
+	}
+	async enqueueMany(messages, options) {
+		if (this.queue.enqueueMany == null) {
+			const results = await Promise.allSettled(messages.map((message) => this.queue.enqueue(message, options)));
+			const errors = results.filter((r) => r.status === "rejected").map((r) => r.reason);
+			if (errors.length > 1) throw new AggregateError(errors, "Failed to enqueue messages.");
+			else if (errors.length === 1) throw errors[0];
+			return;
+		}
+		await this.queue.enqueueMany(messages, options);
+	}
+	listen(handler, options = {}) {
+		const workers = /* @__PURE__ */ new Map();
+		return this.queue.listen(async (message) => {
+			while (workers.size >= this.workers) {
+				const consumedId = await Promise.any(workers.values());
+				workers.delete(consumedId);
+			}
+			const workerId = crypto.randomUUID();
+			const promise = this.#work(workerId, handler, message);
+			workers.set(workerId, promise);
+		}, options);
+	}
+	async #work(workerId, handler, message) {
+		await this.#sleep(0);
+		await handler(message);
+		return workerId;
+	}
+	#sleep(ms) {
+		return new Promise((resolve) => setTimeout(resolve, ms));
+	}
+};
+
+//#endregion
+Object.defineProperty(exports, 'InProcessMessageQueue', {
+  enumerable: true,
+  get: function () {
+    return InProcessMessageQueue;
+  }
+});
+Object.defineProperty(exports, 'MemoryKvStore', {
+  enumerable: true,
+  get: function () {
+    return MemoryKvStore;
+  }
+});
+Object.defineProperty(exports, 'ParallelMessageQueue', {
+  enumerable: true,
+  get: function () {
+    return ParallelMessageQueue;
+  }
+});

package/dist/{federation-CMX7WzeL.js → federation-jcR8-ZxP.js}

@@ -1,7 +1,7 @@
 
-      import { Temporal } from "@js-temporal/polyfill";
-      import { URLPattern } from "urlpattern-polyfill";
-    
+          import { Temporal } from "@js-temporal/polyfill";
+          import { URLPattern } from "urlpattern-polyfill";
+        
 import { isEqual } from "es-toolkit";
 
 //#region src/federation/kv.ts

package/dist/fixtures/media.example.com/avatars/test-avatar.jpg.json

@@ -0,0 +1,6 @@
+{
+  "@context": "https://www.w3.org/ns/activitystreams",
+  "id": "https://media.example.com/avatars/test-avatar.jpg",
+  "type": "Image",
+  "url": "/avatars/test-avatar.jpg"
+}

package/dist/{http-DqSNLFNY.d.ts → http-BbO0ejuk.d.ts}

@@ -1,8 +1,8 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { DocumentLoader } from "./docloader-CxWcuWqQ.js";
-import { CryptographicKey, Multikey } from "./vocab-SOE1ifCr.js";
+import { CryptographicKey, Multikey } from "./vocab-BCWe1Ih5.js";
 import { TracerProvider } from "@opentelemetry/api";
+import { DocumentLoader } from "@fedify/vocab-runtime";
 
 //#region src/sig/key.d.ts
 

package/dist/{http-l0TEupZK.js → http-CUVx-vzb.js}

@@ -1,17 +1,267 @@
 
-      import { Temporal } from "@js-temporal/polyfill";
-      import { URLPattern } from "urlpattern-polyfill";
-    
-import { deno_default } from "./docloader-DEhniCVa.js";
-import { CryptographicKey } from "./actor-CTAuCsWy.js";
-import { fetchKey, validateCryptoKey } from "./key-DxA6xRtZ.js";
+          import { Temporal } from "@js-temporal/polyfill";
+          import { URLPattern } from "urlpattern-polyfill";
+        
+import { deno_default } from "./lookup-CHkCVZTU.js";
+import { CryptographicKey, Object as Object$1, isActor } from "./actor-DzhunPC_.js";
 import { getLogger } from "@logtape/logtape";
-import { SpanStatusCode, trace } from "@opentelemetry/api";
-import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
+import { getDocumentLoader } from "@fedify/vocab-runtime";
 import { encodeHex } from "byte-encodings/hex";
 import { ATTR_HTTP_REQUEST_HEADER, ATTR_HTTP_REQUEST_METHOD, ATTR_URL_FULL } from "@opentelemetry/semantic-conventions";
+import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
 import { Item, decodeDict, encodeItem } from "structured-field-values";
 
+//#region src/sig/key.ts
+/**
+* Checks if the given key is valid and supported.  No-op if the key is valid,
+* otherwise throws an error.
+* @param key The key to check.
+* @param type Which type of key to check.  If not specified, the key can be
+*             either public or private.
+* @throws {TypeError} If the key is invalid or unsupported.
+*/
+function validateCryptoKey(key, type) {
+	if (type != null && key.type !== type) throw new TypeError(`The key is not a ${type} key.`);
+	if (!key.extractable) throw new TypeError("The key is not extractable.");
+	if (key.algorithm.name !== "RSASSA-PKCS1-v1_5" && key.algorithm.name !== "Ed25519") throw new TypeError("Currently only RSASSA-PKCS1-v1_5 and Ed25519 keys are supported.  More algorithms will be added in the future!");
+	if (key.algorithm.name === "RSASSA-PKCS1-v1_5") {
+		const algorithm = key.algorithm;
+		if (algorithm.hash.name !== "SHA-256") throw new TypeError("For compatibility with the existing Fediverse software (e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys must be SHA-256.");
+	}
+}
+/**
+* Generates a key pair which is appropriate for Fedify.
+* @param algorithm The algorithm to use.  Currently only RSASSA-PKCS1-v1_5 and
+*                  Ed25519 are supported.
+* @returns The generated key pair.
+* @throws {TypeError} If the algorithm is unsupported.
+*/
+function generateCryptoKeyPair(algorithm) {
+	if (algorithm == null) getLogger([
+		"fedify",
+		"sig",
+		"key"
+	]).warn("No algorithm specified.  Using RSASSA-PKCS1-v1_5 by default, but it is recommended to specify the algorithm explicitly as the parameter will be required in the future.");
+	if (algorithm == null || algorithm === "RSASSA-PKCS1-v1_5") return crypto.subtle.generateKey({
+		name: "RSASSA-PKCS1-v1_5",
+		modulusLength: 4096,
+		publicExponent: new Uint8Array([
+			1,
+			0,
+			1
+		]),
+		hash: "SHA-256"
+	}, true, ["sign", "verify"]);
+	else if (algorithm === "Ed25519") return crypto.subtle.generateKey("Ed25519", true, ["sign", "verify"]);
+	throw new TypeError("Unsupported algorithm: " + algorithm);
+}
+/**
+* Exports a key in JWK format.
+* @param key The key to export.  Either public or private key.
+* @returns The exported key in JWK format.  The key is suitable for
+*          serialization and storage.
+* @throws {TypeError} If the key is invalid or unsupported.
+*/
+async function exportJwk(key) {
+	validateCryptoKey(key);
+	const jwk = await crypto.subtle.exportKey("jwk", key);
+	if (jwk.crv === "Ed25519") jwk.alg = "Ed25519";
+	return jwk;
+}
+/**
+* Imports a key from JWK format.
+* @param jwk The key in JWK format.
+* @param type Which type of key to import, either `"public"` or `"private"`.
+* @returns The imported key.
+* @throws {TypeError} If the key is invalid or unsupported.
+*/
+async function importJwk(jwk, type) {
+	let key;
+	if (jwk.kty === "RSA" && jwk.alg === "RS256") key = await crypto.subtle.importKey("jwk", jwk, {
+		name: "RSASSA-PKCS1-v1_5",
+		hash: "SHA-256"
+	}, true, type === "public" ? ["verify"] : ["sign"]);
+	else if (jwk.kty === "OKP" && jwk.crv === "Ed25519") {
+		if (navigator?.userAgent === "Cloudflare-Workers") {
+			jwk = { ...jwk };
+			delete jwk.alg;
+		}
+		key = await crypto.subtle.importKey("jwk", jwk, "Ed25519", true, type === "public" ? ["verify"] : ["sign"]);
+	} else throw new TypeError("Unsupported JWK format.");
+	validateCryptoKey(key, type);
+	return key;
+}
+/**
+* Fetches a {@link CryptographicKey} or {@link Multikey} from the given URL.
+* If the given URL contains an {@link Actor} object, it tries to find
+* the corresponding key in the `publicKey` or `assertionMethod` property.
+* @template T The type of the key to fetch.  Either {@link CryptographicKey}
+*              or {@link Multikey}.
+* @param keyId The URL of the key.
+* @param cls The class of the key to fetch.  Either {@link CryptographicKey}
+*            or {@link Multikey}.
+* @param options Options for fetching the key.  See {@link FetchKeyOptions}.
+* @returns The fetched key or `null` if the key is not found.
+* @since 1.3.0
+*/
+function fetchKey(keyId, cls, options = {}) {
+	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
+	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
+	keyId = typeof keyId === "string" ? new URL(keyId) : keyId;
+	return tracer.startActiveSpan("activitypub.fetch_key", {
+		kind: SpanKind.CLIENT,
+		attributes: {
+			"http.method": "GET",
+			"url.full": keyId.href,
+			"url.scheme": keyId.protocol.replace(/:$/, ""),
+			"url.domain": keyId.hostname,
+			"url.path": keyId.pathname,
+			"url.query": keyId.search.replace(/^\?/, ""),
+			"url.fragment": keyId.hash.replace(/^#/, "")
+		}
+	}, async (span) => {
+		try {
+			const result = await fetchKeyInternal(keyId, cls, options);
+			span.setAttribute("activitypub.actor.key.cached", result.cached);
+			return result;
+		} catch (e) {
+			span.setStatus({
+				code: SpanStatusCode.ERROR,
+				message: String(e)
+			});
+			throw e;
+		} finally {
+			span.end();
+		}
+	});
+}
+async function fetchKeyInternal(keyId, cls, { documentLoader, contextLoader, keyCache, tracerProvider } = {}) {
+	const logger = getLogger([
+		"fedify",
+		"sig",
+		"key"
+	]);
+	const cacheKey = typeof keyId === "string" ? new URL(keyId) : keyId;
+	keyId = typeof keyId === "string" ? keyId : keyId.href;
+	if (keyCache != null) {
+		const cachedKey = await keyCache.get(cacheKey);
+		if (cachedKey instanceof cls && cachedKey.publicKey != null) {
+			logger.debug("Key {keyId} found in cache.", { keyId });
+			return {
+				key: cachedKey,
+				cached: true
+			};
+		} else if (cachedKey === null) {
+			logger.debug("Entry {keyId} found in cache, but it is unavailable.", { keyId });
+			return {
+				key: null,
+				cached: true
+			};
+		}
+	}
+	logger.debug("Fetching key {keyId} to verify signature...", { keyId });
+	let document;
+	try {
+		const remoteDocument = await (documentLoader ?? getDocumentLoader())(keyId);
+		document = remoteDocument.document;
+	} catch (_) {
+		logger.debug("Failed to fetch key {keyId}.", { keyId });
+		await keyCache?.set(cacheKey, null);
+		return {
+			key: null,
+			cached: false
+		};
+	}
+	let object;
+	try {
+		object = await Object$1.fromJsonLd(document, {
+			documentLoader,
+			contextLoader,
+			tracerProvider
+		});
+	} catch (e) {
+		if (!(e instanceof TypeError)) throw e;
+		try {
+			object = await cls.fromJsonLd(document, {
+				documentLoader,
+				contextLoader,
+				tracerProvider
+			});
+		} catch (e$1) {
+			if (e$1 instanceof TypeError) {
+				logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
+				await keyCache?.set(cacheKey, null);
+				return {
+					key: null,
+					cached: false
+				};
+			}
+			throw e$1;
+		}
+	}
+	let key = null;
+	if (object instanceof cls) key = object;
+	else if (isActor(object)) {
+		const keys = cls === CryptographicKey ? object.getPublicKeys({
+			documentLoader,
+			contextLoader,
+			tracerProvider
+		}) : object.getAssertionMethods({
+			documentLoader,
+			contextLoader,
+			tracerProvider
+		});
+		let length = 0;
+		let lastKey = null;
+		for await (const k of keys) {
+			length++;
+			lastKey = k;
+			if (k.id?.href === keyId) {
+				key = k;
+				break;
+			}
+		}
+		const keyIdUrl = new URL(keyId);
+		if (key == null && keyIdUrl.hash === "" && length === 1) key = lastKey;
+		if (key == null) {
+			logger.debug("Failed to verify; object {keyId} returned an {actorType}, but has no key matching {keyId}.", {
+				keyId,
+				actorType: object.constructor.name
+			});
+			await keyCache?.set(cacheKey, null);
+			return {
+				key: null,
+				cached: false
+			};
+		}
+	} else {
+		logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
+		await keyCache?.set(cacheKey, null);
+		return {
+			key: null,
+			cached: false
+		};
+	}
+	if (key.publicKey == null) {
+		logger.debug("Failed to verify; key {keyId} has no publicKeyPem field.", { keyId });
+		await keyCache?.set(cacheKey, null);
+		return {
+			key: null,
+			cached: false
+		};
+	}
+	if (keyCache != null) {
+		await keyCache.set(cacheKey, key);
+		logger.debug("Key {keyId} cached.", { keyId });
+	}
+	return {
+		key,
+		cached: false
+	};
+}
+
+//#endregion
 //#region src/sig/http.ts
 /**
 * Signs a request using the given private key.
@@ -658,7 +908,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		const signatureBaseBytes = new TextEncoder().encode(signatureBase);
 		span?.setAttribute("http_signatures.signature", encodeHex(sigBytes));
 		try {
-			const verified = await crypto.subtle.verify(algorithm, key.publicKey, sigBytes, signatureBaseBytes);
+			const verified = await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes);
 			if (verified) {
 				validKey = key;
 				break;
@@ -805,4 +1055,4 @@ function timingSafeEqual(a, b) {
 }
 
 //#endregion
-export { doubleKnock, signRequest, verifyRequest };
+export { doubleKnock, exportJwk, fetchKey, generateCryptoKeyPair, importJwk, signRequest, validateCryptoKey, verifyRequest };