cloudflare
diff --git a/‎Cargo.lock‎
Lines changed: 3 additions & 3 deletions b/‎Cargo.lock‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 2 additions & 2 deletions b/‎Cargo.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎crates/http-signature-directory/src/main.rs‎
Lines changed: 1 addition & 9 deletions b/‎crates/http-signature-directory/src/main.rs‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎crates/web-bot-auth/src/keyring.rs‎
Lines changed: 72 additions & 16 deletions b/‎crates/web-bot-auth/src/keyring.rs‎
Lines changed: 72 additions & 16 deletions
diff --git a/‎crates/web-bot-auth/src/lib.rs‎
Lines changed: 15 additions & 17 deletions b/‎crates/web-bot-auth/src/lib.rs‎
Lines changed: 15 additions & 17 deletions
@@ -6,7 +6,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.2.1"
+version = "0.3.0"
 authors = [
     "Akshat Mahajan <akshat@cloudflare.com>",
     "Gauri Baraskar <gbaraskar@cloudflare.com>",
@@ -32,4 +32,4 @@ serde_json = "1.0.140"
 data-url = "0.3.1"
 
 # workspace dependencies
-web-bot-auth = { version = "0.2.1", path = "./crates/web-bot-auth" }
+web-bot-auth = { version = "0.3.0", path = "./crates/web-bot-auth" }
@@ -12,7 +12,7 @@ use reqwest::{
 use web_bot_auth::{
     components::{CoveredComponent, DerivedComponent},
     keyring::{JSONWebKeySet, KeyRing, Thumbprintable},
-    message_signatures::{Algorithm, MessageVerifier, SignedMessage},
+    message_signatures::{MessageVerifier, SignedMessage},
 };
 
 const MIME_TYPE: &str = "application/http-message-signatures-directory+json";
@@ -148,7 +148,6 @@ fn main() -> Result<(), String> {
 
                 let verifier = MessageVerifier::parse(
                     &directory,
-                    Some(Algorithm::Ed25519),
                     |(_, innerlist)| {
                         innerlist.params.contains_key("expires")
                             && innerlist.params.contains_key("created")
@@ -159,13 +158,6 @@ fn main() -> Result<(), String> {
                                 .is_some_and(|tag| {
                                     tag.as_str() == "http-message-signatures-directory"
                                 })
-                            && innerlist
-                                .params
-                                .get("alg")
-                                .and_then(|tag| tag.as_string())
-                                .is_some_and(|tag| {
-                                    tag.as_str() == "ed25519"
-                                })
                             && innerlist
                                 .params
                                 .get("keyid")
 
@@ -7,7 +7,7 @@ use std::collections::HashMap;
 /// Errors that may be thrown by this module
 /// when importing a JWK key.
 #[derive(Debug)]
-pub enum ImportError {
+pub enum KeyringError {
     /// JWK key specified an unsupported algorithm
     UnsupportedAlgorithm,
     /// The contained parameters could not be
@@ -23,6 +23,37 @@ pub enum ImportError {
 /// Represents a public key to be consumed during the verification.
 pub type PublicKey = Vec<u8>;
 
+/// Subset of [HTTP signature algorithm](https://www.iana.org/assignments/http-message-signature/http-message-signature.xhtml)
+/// implemented in this module. In the future, we may support more.
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub enum Algorithm {
+    /// [The `ed25519` algorithm](https://www.rfc-editor.org/rfc/rfc9421#name-eddsa-using-curve-edwards25)
+    Ed25519,
+    /// [The `rsa-pss-sha512` algorithm](https://www.rfc-editor.org/rfc/rfc9421.html#name-rsassa-pss-using-sha-512)
+    RsaPssSha512,
+    /// [The `rsa-v1_5-sha256` algorithm](https://www.rfc-editor.org/rfc/rfc9421.html#name-rsassa-pkcs1-v1_5-using-sha)
+    RsaV1_5Sha256,
+    /// [The `hmac-sha256` algorithm](https://www.rfc-editor.org/rfc/rfc9421.html#name-hmac-using-sha-256)
+    HmacSha256,
+    /// [The `ecdsa-p256-sha256` algorithm](https://www.rfc-editor.org/rfc/rfc9421.html#name-ecdsa-using-curve-p-256-dss)
+    EcdsaP256Sha256,
+    /// [The `ecdsa-p384-sha384` algorithm](https://www.rfc-editor.org/rfc/rfc9421.html#name-ecdsa-using-curve-p-384-dss)
+    EcdsaP384Sha384,
+}
+
+impl std::fmt::Display for Algorithm {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        match self {
+            Algorithm::Ed25519 => write!(f, "ed25519"),
+            Algorithm::RsaPssSha512 => write!(f, "rsa-pss-sha512"),
+            Algorithm::RsaV1_5Sha256 => write!(f, "rsa-pss-sha512"),
+            Algorithm::HmacSha256 => write!(f, "hmac-sha256"),
+            Algorithm::EcdsaP256Sha256 => write!(f, "ecdsa-p256-sha256"),
+            Algorithm::EcdsaP384Sha384 => write!(f, "ecdsa-p384-sha384"),
+        }
+    }
+}
+
 /// Represents a JSON Web Key containing the bare minimum that
 /// can be thumbprinted per [RFC 7638](https://www.rfc-editor.org/rfc/rfc7638.html)
 #[derive(Eq, PartialEq, Debug, Clone, Serialize, Deserialize)]
@@ -90,20 +121,35 @@ impl Thumbprintable {
     /// Today we only support importing ed25519 keys. Errors may
     /// be thrown when decoding or converting the JSON web key
     /// into an ed25519 public key.
-    pub fn public_key(&self) -> Result<Vec<u8>, ImportError> {
+    pub fn public_key(&self) -> Result<Vec<u8>, KeyringError> {
         match self {
             Thumbprintable::OKP { crv, x } => match crv.as_str() {
                 "Ed25519" => {
                     let decoded = general_purpose::URL_SAFE_NO_PAD
                         .decode(x)
-                        .map_err(ImportError::ParsingError)?;
+                        .map_err(KeyringError::ParsingError)?;
                     VerifyingKey::try_from(decoded.as_slice())
                         .map(|key| key.to_bytes().to_vec())
-                        .map_err(ImportError::ConversionError)
+                        .map_err(KeyringError::ConversionError)
                 }
-                _ => Err(ImportError::UnsupportedAlgorithm),
+                _ => Err(KeyringError::UnsupportedAlgorithm),
+            },
+            _ => Err(KeyringError::UnsupportedAlgorithm),
+        }
+    }
+
+    /// Attempt to extract algorithm.
+    ///
+    /// # Errors
+    ///
+    /// Today we only support extracting the algorithm of an ed25519 key.
+    pub fn algorithm(&self) -> Result<Algorithm, KeyringError> {
+        match self {
+            Thumbprintable::OKP { crv, .. } => match crv.as_str() {
+                "Ed25519" => Ok(Algorithm::Ed25519),
+                _ => Err(KeyringError::UnsupportedAlgorithm),
             },
-            _ => Err(ImportError::UnsupportedAlgorithm),
+            _ => Err(KeyringError::UnsupportedAlgorithm),
         }
     }
 }
@@ -112,11 +158,11 @@ impl Thumbprintable {
 /// verifying keys for verificiation.
 #[derive(Default, Debug, Clone)]
 pub struct KeyRing {
-    ring: HashMap<String, PublicKey>,
+    ring: HashMap<String, (Algorithm, PublicKey)>,
 }
 
-impl FromIterator<(String, PublicKey)> for KeyRing {
-    fn from_iter<T: IntoIterator<Item = (String, PublicKey)>>(iter: T) -> KeyRing {
+impl FromIterator<(String, (Algorithm, PublicKey))> for KeyRing {
+    fn from_iter<T: IntoIterator<Item = (String, (Algorithm, PublicKey))>>(iter: T) -> KeyRing {
         KeyRing {
             ring: HashMap::from_iter(iter),
         }
@@ -126,8 +172,17 @@ impl FromIterator<(String, PublicKey)> for KeyRing {
 impl KeyRing {
     /// Insert a raw public key under a known identifier. If an identifier is already
     /// known, it will *not* be updated and this method will return false.
-    pub fn import_raw(&mut self, identifier: String, public_key: Vec<u8>) -> bool {
-        !self.ring.contains_key(&identifier) && self.ring.insert(identifier, public_key).is_none()
+    pub fn import_raw(
+        &mut self,
+        identifier: String,
+        algorithm: Algorithm,
+        public_key: Vec<u8>,
+    ) -> bool {
+        !self.ring.contains_key(&identifier)
+            && self
+                .ring
+                .insert(identifier, (algorithm, public_key))
+                .is_none()
     }
 
     /// Rename a public key from `old_identifier` to `new_identifier`. Returns `false` if the old
@@ -140,7 +195,7 @@ impl KeyRing {
     }
 
     /// Retrieve a key. Semantics are identical to `HashMap::get`.
-    pub fn get(&self, identifier: &String) -> Option<&Vec<u8>> {
+    pub fn get(&self, identifier: &String) -> Option<&(Algorithm, Vec<u8>)> {
         self.ring.get(identifier)
     }
 
@@ -150,18 +205,19 @@ impl KeyRing {
     ///
     /// Unsupported keys will not be imported, as will keys that failed to
     /// be inserted
-    pub fn try_import_jwk(&mut self, jwk: &Thumbprintable) -> Result<(), ImportError> {
+    pub fn try_import_jwk(&mut self, jwk: &Thumbprintable) -> Result<(), KeyringError> {
         let thumbprint = jwk.b64_thumbprint();
         let public_key = jwk.public_key()?;
-        if !self.import_raw(thumbprint, public_key) {
-            return Err(ImportError::KeyAlreadyExists);
+        let algorithm = jwk.algorithm()?;
+        if !self.import_raw(thumbprint, algorithm, public_key) {
+            return Err(KeyringError::KeyAlreadyExists);
         }
         Ok(())
     }
 
     /// Import a JSON Web Key Set on a best-effort basis. This method returns a vector indicating
     /// whether or not the corresponding key in the key set could be imported.
-    pub fn import_jwks(&mut self, jwks: JSONWebKeySet) -> Vec<Option<ImportError>> {
+    pub fn import_jwks(&mut self, jwks: JSONWebKeySet) -> Vec<Option<KeyringError>> {
         jwks.keys
             .iter()
             .map(|jwk| self.try_import_jwk(jwk).err())
 
@@ -26,12 +26,10 @@ pub mod keyring;
 pub mod message_signatures;
 
 use components::CoveredComponent;
-use message_signatures::{
-    Algorithm, MessageVerifier, ParameterDetails, SignatureTiming, SignedMessage,
-};
+use message_signatures::{MessageVerifier, ParameterDetails, SignatureTiming, SignedMessage};
 
 use data_url::DataUrl;
-use keyring::{JSONWebKeySet, KeyRing};
+use keyring::{Algorithm, JSONWebKeySet, KeyRing};
 use std::time::SystemTimeError;
 
 /// Errors that may be thrown by this module.
@@ -54,7 +52,7 @@ pub enum ImplementationError {
     /// that isn't currently supported by this implementation. The subset
     /// of [registered IANA signature algorithms](https://www.iana.org/assignments/http-message-signature/http-message-signature.xhtml)
     /// implemented here is provided by `Algorithms` struct.
-    UnsupportedAlgorithm,
+    UnsupportedAlgorithm(Algorithm),
     /// An attempt to resolve key identifier to a valid public key failed.
     /// This prevents message verification.
     NoSuchKey,
@@ -129,13 +127,10 @@ impl WebBotAuthVerifier {
     /// # Errors
     ///
     /// Returns `ImplementationErrors` relevant to verifying and parsing.
-    pub fn parse(
-        message: &impl WebBotAuthSignedMessage,
-        algorithm: Option<Algorithm>,
-    ) -> Result<Self, ImplementationError> {
+    pub fn parse(message: &impl WebBotAuthSignedMessage) -> Result<Self, ImplementationError> {
         let signature_agents = message.fetch_all_signature_agents();
         let web_bot_auth_verifier = Self {
-            message_verifier: MessageVerifier::parse(message, algorithm, |(_, innerlist)| {
+            message_verifier: MessageVerifier::parse(message, |(_, innerlist)| {
                 innerlist.params.contains_key("keyid")
                     && innerlist.params.contains_key("tag")
                     && innerlist.params.contains_key("expires")
@@ -219,7 +214,7 @@ impl WebBotAuthVerifier {
 
     /// Retrieve the parsed `ParameterDetails` from the message. Useful for logging
     /// information about the message.
-    pub fn get_details(&self) -> ParameterDetails {
+    pub fn get_details(&self) -> &ParameterDetails {
         self.message_verifier.get_details()
     }
 }
@@ -268,9 +263,10 @@ mod tests {
         let mut keyring = KeyRing::default();
         keyring.import_raw(
             "poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U".to_string(),
+            Algorithm::Ed25519,
             public_key.to_vec(),
         );
-        let verifier = WebBotAuthVerifier::parse(&test, None).unwrap();
+        let verifier = WebBotAuthVerifier::parse(&test).unwrap();
         let advisory = verifier.get_details().possibly_insecure(|_| false);
         // Since the expiry date is in the past.
         assert!(advisory.is_expired.unwrap_or(true));
@@ -343,11 +339,11 @@ mod tests {
         let mut keyring = KeyRing::default();
         keyring.import_raw(
             "poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U".to_string(),
+            Algorithm::Ed25519,
             public_key.to_vec(),
         );
 
         let signer = message_signatures::MessageSigner {
-            algorithm: Algorithm::Ed25519,
             keyid: "poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U".into(),
             nonce: "end-to-end-test".into(),
             tag: "web-bot-auth".into(),
@@ -362,11 +358,12 @@ mod tests {
             .generate_signature_headers_content(
                 &mut mytest,
                 std::time::Duration::from_secs(10),
+                Algorithm::Ed25519,
                 &private_key.to_vec(),
             )
             .unwrap();
 
-        let verifier = WebBotAuthVerifier::parse(&mytest, None).unwrap();
+        let verifier = WebBotAuthVerifier::parse(&mytest).unwrap();
         let advisory = verifier.get_details().possibly_insecure(|_| false);
         assert!(!advisory.is_expired.unwrap_or(true));
         assert!(!advisory.nonce_is_invalid.unwrap_or(true));
@@ -406,7 +403,7 @@ mod tests {
         }
 
         let test = MissingParametersTestVector {};
-        WebBotAuthVerifier::parse(&test, None).expect_err("This should not have parsed");
+        WebBotAuthVerifier::parse(&test).expect_err("This should not have parsed");
     }
 
     #[test]
@@ -437,7 +434,7 @@ mod tests {
         }
 
         let test = MissingParametersTestVector {};
-        WebBotAuthVerifier::parse(&test, None).expect_err("This should not have parsed");
+        WebBotAuthVerifier::parse(&test).expect_err("This should not have parsed");
     }
 
     #[test]
@@ -481,11 +478,12 @@ mod tests {
         let mut keyring = KeyRing::default();
         keyring.import_raw(
             "poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U".to_string(),
+            Algorithm::Ed25519,
             public_key.to_vec(),
         );
 
         let test = StandardTestVector {};
-        let verifier = WebBotAuthVerifier::parse(&test, None).unwrap();
+        let verifier = WebBotAuthVerifier::parse(&test).unwrap();
         let timing = verifier.verify(&keyring, None).unwrap();
         assert!(timing.generation.as_nanos() > 0);
         assert!(timing.verification.as_nanos() > 0);