Support draft-directory-04 with sf-dictionary signature-agent

packages/http-message-sig/src/build.ts

@@ -1,4 +1,27 @@
-import { Component, Parameters, RequestLike, ResponseLike } from "./types";
+import {
+  Component,
+  Parameters,
+  RequestLike,
+  ResponseLike,
+  StructuredFieldComponent,
+} from "./types";
+
+export function extractStructuredFieldDictionaryHeader(
+  r: RequestLike | ResponseLike,
+  component: StructuredFieldComponent
+): string {
+  const headerValue = extractHeader(r, component.header);
+  if (!headerValue) return headerValue;
+
+  const items = headerValue.split(",").map((item) => item.trim());
+  for (const item of items) {
+    const [key, ...rest] = item.split("=");
+    if (key === component.key) {
+      return rest.join("=").replace(/^"|"$/g, "");
+    }
+  }
+  return "";
+}
 
 export function extractHeader(
   { headers }: RequestLike | ResponseLike,
@@ -74,13 +97,18 @@ export function extractComponent(
   }
 }
 
+const componentToString = (component: Component): string => {
+  if (typeof component === "string") {
+    return `"${component}"`.toLowerCase();
+  }
+  return `"${component.header}";key="${component.key}"`.toLocaleLowerCase();
+};
+
 export function buildSignatureInputString(
   componentNames: Component[],
   parameters: Parameters
 ): string {
-  const components = componentNames
-    .map((name) => `"${name.toLowerCase()}"`)
-    .join(" ");
+  const components = componentNames.map(componentToString).join(" ");
   const values = Object.entries(parameters)
     .map(([parameter, value]) => {
       if (typeof value === "number") return `;${parameter}=${value}`;
@@ -99,10 +127,15 @@ export function buildSignedData(
   signatureInputString: string
 ): string {
   const parts = components.map((component) => {
-    const value = component.startsWith("@")
-      ? extractComponent(request, component)
-      : extractHeader(request, component);
-    return `"${component.toLowerCase()}": ${value}`;
+    let value: string;
+    if (typeof component !== "string") {
+      value = extractStructuredFieldDictionaryHeader(request, component);
+    } else if (component.startsWith("@")) {
+      value = extractComponent(request, component);
+    } else {
+      value = extractHeader(request, component);
+    }
+    return `${componentToString(component)}: ${value}`;
   });
   parts.push(`"@signature-params": ${signatureInputString}`);
   return parts.join("\n");

packages/http-message-sig/src/directory.ts

@@ -20,7 +20,7 @@ export async function directoryResponseHeaders<T1 extends RequestLike>(
 
   // TODO: consider validating the directory structure, and confirm we have one signer per key
 
-  const components: string[] = RESPONSE_COMPONENTS;
+  const components = RESPONSE_COMPONENTS;
 
   const headers = new Map<string, SignatureHeaders>();
 

packages/http-message-sig/src/parse.ts

@@ -1,10 +1,19 @@
-import { Component, HeaderValue, Parameter, Parameters } from "./types";
+import {
+  Component,
+  HeaderValue,
+  Parameter,
+  Parameters,
+  StructuredFieldComponent,
+} from "./types";
 import { decode as base64Decode } from "./base64";
 
 function parseEntry(
   headerName: string,
   entry: string
-): [string, string | number | true | (string | number)[]] {
+): [
+  string,
+  string | number | true | (string | number | StructuredFieldComponent)[],
+] {
   // this is wrong. it should only split the first `=`
   const equalsIndex = entry.indexOf("=");
   if (equalsIndex === -1) {
@@ -19,19 +28,34 @@ function parseEntry(
   if (value.match(/^".*"$/)) return [key.trim(), value.slice(1, -1)];
   if (value.match(/^\d+$/)) return [key.trim(), parseInt(value)];
 
+  // TODO: this is restricted to components array. Per RFC9421, there could be more
   if (value.match(/^\(.*\)$/)) {
-    const arr = value
-      .slice(1, -1)
-      .split(/\s+/)
-      .map((entry) => entry.match(/^"(.*)"$/)?.[1] ?? parseInt(entry));
+    const arr = value.slice(1, -1).split(/\s+/);
+
+    const res = [];
+    for (const item of arr) {
+      const match = item.match(/^"(.*)"$/);
+      let toPush;
+      if (!match) {
+        toPush = parseInt(item);
+      } else if (match[1].includes('";key="')) {
+        toPush = {
+          key: match[1].split('";key="')[1],
+          header: match[1].split('";key="')[0],
+        };
+      } else {
+        toPush = match[1];
+      }
+      res.push(toPush);
+    }
 
-    if (arr.some((value) => typeof value === "number" && isNaN(value))) {
+    if (res.some((value) => typeof value === "number" && isNaN(value))) {
       throw new Error(
         `Invalid ${headerName} header. Invalid value ${key}=${value}`
       );
     }
 
-    return [key.trim(), arr];
+    return [key.trim(), res];
   }
 
   throw new Error(
@@ -43,27 +67,20 @@ function parseParametersHeader(
   name: string,
   header: HeaderValue
 ): { key: string; components: Component[]; parameters: Parameters } {
-  const entries = header
-    .toString()
+  const rawHeader = header.toString();
+  const [rawComponents, rawParameters] = rawHeader.split(/(?<=\))/, 2);
+  const [key, components] = parseEntry(name, rawComponents.trim()) as [
+    string,
+    Component[],
+  ];
+
+  const entries = rawParameters
     // eslint-disable-next-line security/detect-unsafe-regex
     .match(/(?:[^;"]+|"[^"]+")+/g)
     ?.map((entry) => parseEntry(name, entry.trim()));
 
   if (!entries) throw new Error(`Invalid ${name} header. Invalid value`);
 
-  const componentsIndex = entries.findIndex(([, value]) =>
-    Array.isArray(value)
-  );
-  if (componentsIndex === -1)
-    throw new Error(`Invalid ${name} header. Missing components`);
-  const [[key, components]] = entries.splice(componentsIndex, 1) as [
-    [string, Component[]],
-  ];
-
-  if (entries.some(([, value]) => Array.isArray(value))) {
-    throw new Error(`Multiple signatures is not supported`);
-  }
-
   const parameters = Object.fromEntries(entries) as Record<
     Parameter,
     string | number | Date

packages/http-message-sig/src/types.ts

@@ -56,6 +56,11 @@ export type Parameter =
   | "keyid"
   | string;
 
+export interface StructuredFieldComponent {
+  header: string;
+  key: string;
+}
+
 export type Component =
   | "@method"
   | "@target-uri"
@@ -67,7 +72,8 @@ export type Component =
   | "@query-param"
   | "@status"
   | "@request-response"
-  | string;
+  | string
+  | StructuredFieldComponent;
 
 interface StandardParameters {
   expires?: Date;

packages/http-message-sig/test/build.spec.ts

@@ -209,6 +209,8 @@ describe("build", () => {
         "Content-Type": "application/json",
         Digest: "SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=",
         "Content-Length": "18",
+        "Test-Structured-Field":
+          'one-key="random", test-key="test-value", another-key=42',
       },
     };
 
@@ -238,6 +240,21 @@ describe("build", () => {
       );
     });
 
+    it("constructs structured-field dictionary example", () => {
+      const components: Component[] = [
+        { header: "Test-Structured-Field", key: "test-key" },
+      ];
+      const data = buildSignedData(
+        testRequest,
+        components,
+        '("test-structured-field";key="test-key");created=1618884475;keyid="test-key-rsa-pss"'
+      );
+      expect(data).to.equal(
+        '"test-structured-field";key="test-key": test-value\n' +
+          '"@signature-params": ("test-structured-field";key="test-key");created=1618884475;keyid="test-key-rsa-pss"'
+      );
+    });
+
     it("constructs full example", () => {
       const components: Component[] = [
         "Date",

packages/web-bot-auth/package.json

@@ -23,7 +23,7 @@
   },
   "scripts": {
     "build": "tsup src/index.ts src/crypto.ts --format cjs,esm --dts --clean",
-    "generate-test-vectors": "node --experimental-transform-types scripts/test-vectors.ts test/test_data/web_bot_auth_architecture_v1.json",
+    "generate-test-vectors": "npm run build && node --experimental-transform-types scripts/test-vectors.ts test/test_data/web_bot_auth_architecture_v2.json",
     "prepublishOnly": "npm run build",
     "test": "vitest",
     "watch": "npm run build -- --watch src"

packages/web-bot-auth/scripts/test-vectors.ts

@@ -3,9 +3,11 @@
 ///
 /// It takes one positional argument: [path] which is where the vectors should be written in JSON
 
-const { generateNonce, signatureHeaders } = await import("../src/index.ts");
+const { generateNonce, recommendedComponents, signatureHeaders } = await import(
+  "../dist/index.mjs"
+);
 
-const { signerFromJWK } = await import("../src/crypto.ts");
+const { signerFromJWK } = await import("../dist/crypto.mjs");
 
 const fs = await import("fs");
 
@@ -22,18 +24,20 @@ interface TestVector {
   signature: string;
   signature_input: string;
   signature_agent?: string;
+  signature_agent_key?: string;
 }
 
 async function generateTestVectors(jwk: JsonWebKey): Promise<TestVector[]> {
   const now = new Date("2025-01-01T00:00:00Z");
   const created = now;
-  const expires = new Date(now.getTime() + 3_600_000);
+  const expires = new Date(now.getTime() + 3_153_600_000_000);
   const signer = await signerFromJWK(jwk);
 
   const nonce = generateNonce();
   const label = "sig1";
   let request = new Request(ORIGIN_URL);
   const signedHeaders = await signatureHeaders(request, signer, {
+    components: recommendedComponents(),
     created,
     expires,
     nonce,
@@ -42,10 +46,14 @@ async function generateTestVectors(jwk: JsonWebKey): Promise<TestVector[]> {
 
   const nonceWithAgent = generateNonce();
   const labelWithAgent = "sig2";
+  const signatureAgentKey = "agent2";
   request = new Request(ORIGIN_URL, {
-    headers: { "Signature-Agent": JSON.stringify(SIGNATURE_AGENT_HEADER) },
+    headers: {
+      "Signature-Agent": `${signatureAgentKey}="${SIGNATURE_AGENT_HEADER}"`,
+    },
   });
   const signedHeadersWithAgent = await signatureHeaders(request, signer, {
+    components: recommendedComponents(signatureAgentKey),
     created,
     expires,
     nonce: nonceWithAgent,
@@ -73,6 +81,7 @@ async function generateTestVectors(jwk: JsonWebKey): Promise<TestVector[]> {
       signature: signedHeadersWithAgent["Signature"],
       signature_input: signedHeadersWithAgent["Signature-Input"],
       signature_agent: request.headers.get("Signature-Agent"),
+      signature_agent_key: signatureAgentKey,
     },
   ];
 }
@@ -110,10 +119,11 @@ NOTE: '\\' line wrapping per RFC 8792
 `);
   console.log(`"@authority": ${new URL(vector.target_url).host}`);
   if (vector.signature_agent) {
-    console.log(`"signature-agent": ${vector.signature_agent}`);
+    const split = vector.signature_agent.split("=");
+    console.log(`"signature-agent";key="${split[0]}": ${split[1]}`);
   }
   console.log(
-    `"@signature-params": ${vector.signature_input.slice(`${vector.label}=`.length).replaceAll(";", "\\\n ;")}`
+    `"@signature-params": ${vector.signature_input.slice(`${vector.label}=`.length).replaceAll(";", "\\\n ;").replaceAll("\\\n ;key=", ";key=")}`
   );
   console.log("");
 
@@ -125,7 +135,7 @@ NOTE: '\\' line wrapping per RFC 8792
     console.log(`Signature-Agent: ${vector.signature_agent}`);
   }
   console.log(
-    `Signature-Input: ${vector.signature_input.replaceAll(";", "\\\n ;")}`
+    `Signature-Input: ${vector.signature_input.replaceAll(";", "\\\n ;").replaceAll("\\\n ;key=", ";key=")}`
   );
   console.log(`Signature: ${vector.signature}`);
   console.log("");