cloudflare
diff --git a/‎Cargo.lock‎
Lines changed: 5 additions & 4 deletions b/‎Cargo.lock‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/http-signature-directory/src/main.rs‎
Lines changed: 14 additions & 11 deletions b/‎crates/http-signature-directory/src/main.rs‎
Lines changed: 14 additions & 11 deletions
diff --git a/‎crates/web-bot-auth/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎crates/web-bot-auth/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/web-bot-auth/src/lib.rs‎
Lines changed: 97 additions & 105 deletions b/‎crates/web-bot-auth/src/lib.rs‎
Lines changed: 97 additions & 105 deletions
@@ -30,6 +30,7 @@ sha2 = "0.10.9"
 base64 = "0.22.1"
 serde_json = "1.0.140"
 data-url = "0.3.1"
+regex = "1.12.2"
 
 # workspace dependencies
 web-bot-auth = { version = "0.5.1", path = "./crates/web-bot-auth" }
@@ -11,7 +11,7 @@ use reqwest::{
 };
 use serde::{Deserialize, Serialize};
 use web_bot_auth::{
-    components::{CoveredComponent, DerivedComponent},
+    components::{CoveredComponent, DerivedComponent, HTTPField},
     keyring::{JSONWebKeySet, KeyRing, Thumbprintable},
     message_signatures::{MessageVerifier, SignedMessage},
 };
@@ -68,18 +68,21 @@ struct SignedDirectory {
 }
 
 impl SignedMessage for SignedDirectory {
-    fn fetch_all_signature_headers(&self) -> Vec<String> {
-        self.signature.clone()
-    }
-    fn fetch_all_signature_inputs(&self) -> Vec<String> {
-        self.input.clone()
-    }
-    fn lookup_component(&self, name: &CoveredComponent) -> Option<String> {
-        match *name {
+    fn lookup_component(&self, name: &CoveredComponent) -> Vec<String> {
+        match name {
             CoveredComponent::Derived(DerivedComponent::Authority { .. }) => {
-                Some(self.authority.clone())
+                vec![self.authority.clone()]
+            }
+            CoveredComponent::HTTP(HTTPField { name, .. }) => {
+                if name == "signature" {
+                    return self.signature.clone();
+                }
+                if name == "signature-input" {
+                    return self.input.clone();
+                }
+                vec![]
             }
-            _ => None,
+            _ => vec![],
         }
     }
 }
 
@@ -15,6 +15,7 @@ categories.workspace = true
 [dependencies]
 ed25519-dalek = { workspace = true }
 indexmap = { workspace = true }
+regex = { workspace = true }
 sfv = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 
@@ -32,6 +32,8 @@ use data_url::DataUrl;
 use keyring::{Algorithm, JSONWebKeySet, KeyRing};
 use std::time::SystemTimeError;
 
+use crate::components::HTTPField;
+
 /// Errors that may be thrown by this module.
 #[derive(Debug)]
 pub enum ImplementationError {
@@ -91,16 +93,6 @@ pub enum WebBotAuthError {
     /// and `creates` method.
     SignatureIsExpired,
 }
-/// A trait that messages wishing to be verified as a `web-bot-auth` method specifically
-/// must implement.
-pub trait WebBotAuthSignedMessage: SignedMessage {
-    /// Obtain every `Signature-Agent` header in the message. Despite the name, you can omit
-    /// `Signature-Agents` that are known to be invalid ahead of time. However, each `Signature-Agent`
-    /// header must be unparsed and a be a valid sfv::Item::String value (meaning it should be encased
-    /// in double quotes). You should separately implement looking this up in `SignedMessage::lookup_component`
-    /// as an HTTP header with multiple values.
-    fn fetch_all_signature_agents(&self) -> Vec<String>;
-}
 
 /// A verifier for Web Bot Auth messages specifically.
 #[derive(Clone, Debug)]
@@ -127,10 +119,14 @@ impl WebBotAuthVerifier {
     /// # Errors
     ///
     /// Returns `ImplementationErrors` relevant to verifying and parsing.
-    pub fn parse(message: &impl WebBotAuthSignedMessage) -> Result<Self, ImplementationError> {
-        let signature_agents = message.fetch_all_signature_agents();
-        let web_bot_auth_verifier = Self {
-            message_verifier: MessageVerifier::parse(message, |(_, innerlist)| {
+    pub fn parse(message: &impl SignedMessage) -> Result<Self, ImplementationError> {
+        let signature_agents = message.lookup_component(&CoveredComponent::HTTP(HTTPField {
+            name: "signature-agent".to_string(),
+            parameters: components::HTTPFieldParametersSet(vec![]),
+        }));
+
+        let message_verifier =
+            MessageVerifier::parse(message, |(_, innerlist)| {
                 innerlist.params.contains_key("keyid")
                     && innerlist.params.contains_key("tag")
                     && innerlist.params.contains_key("expires")
@@ -140,18 +136,22 @@ impl WebBotAuthVerifier {
                         .get("tag")
                         .and_then(|tag| tag.as_string())
                         .is_some_and(|tag| tag.as_str() == "web-bot-auth")
-                    && innerlist
-                        .items
-                        .iter()
-                        .any(|item| *item == sfv::Item::new(sfv::StringRef::constant("@authority")))
+                    && (innerlist.items.iter().any(|item| {
+                        *item == sfv::Item::new(sfv::StringRef::constant("@authority"))
+                    }) || innerlist.items.iter().any(|item| {
+                        *item == sfv::Item::new(sfv::StringRef::constant("@target-uri"))
+                    }))
                     && (if !signature_agents.is_empty() {
                         innerlist.items.iter().any(|item| {
                             *item == sfv::Item::new(sfv::StringRef::constant("signature-agent"))
                         })
                     } else {
                         true
                     })
-            })?,
+            })?;
+
+        let web_bot_auth_verifier = Self {
+            message_verifier,
             parsed_directories: signature_agents
                 .iter()
                 .map(|header| {
@@ -230,28 +230,26 @@ mod tests {
     struct StandardTestVector {}
 
     impl SignedMessage for StandardTestVector {
-        fn fetch_all_signature_headers(&self) -> Vec<String> {
-            vec!["sig1=:uz2SAv+VIemw+Oo890bhYh6Xf5qZdLUgv6/PbiQfCFXcX/vt1A8Pf7OcgL2yUDUYXFtffNpkEr5W6dldqFrkDg==:".to_owned()]
-        }
-        fn fetch_all_signature_inputs(&self) -> Vec<String> {
-            vec![r#"sig1=("@authority");created=1735689600;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";alg="ed25519";expires=1735693200;nonce="gubxywVx7hzbYKatLgzuKDllDAIXAkz41PydU7aOY7vT+Mb3GJNxW0qD4zJ+IOQ1NVtg+BNbTCRUMt1Ojr5BgA==";tag="web-bot-auth""#.to_owned()]
-        }
-        fn lookup_component(&self, name: &CoveredComponent) -> Option<String> {
-            match *name {
+        fn lookup_component(&self, name: &CoveredComponent) -> Vec<String> {
+            match name {
+                CoveredComponent::HTTP(HTTPField { name, .. }) => {
+                    if name == "signature" {
+                        return vec!["sig1=:uz2SAv+VIemw+Oo890bhYh6Xf5qZdLUgv6/PbiQfCFXcX/vt1A8Pf7OcgL2yUDUYXFtffNpkEr5W6dldqFrkDg==:".to_owned()];
+                    }
+
+                    if name == "signature-input" {
+                        return vec![r#"sig1=("@authority");created=1735689600;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";alg="ed25519";expires=1735693200;nonce="gubxywVx7hzbYKatLgzuKDllDAIXAkz41PydU7aOY7vT+Mb3GJNxW0qD4zJ+IOQ1NVtg+BNbTCRUMt1Ojr5BgA==";tag="web-bot-auth""#.to_owned()];
+                    }
+                    vec![]
+                }
                 CoveredComponent::Derived(DerivedComponent::Authority { .. }) => {
-                    Some("example.com".to_string())
+                    vec!["example.com".to_string()]
                 }
-                _ => None,
+                _ => vec![],
             }
         }
     }
 
-    impl WebBotAuthSignedMessage for StandardTestVector {
-        fn fetch_all_signature_agents(&self) -> Vec<String> {
-            vec![]
-        }
-    }
-
     #[test]
     fn test_verifying_as_web_bot_auth() {
         let test = StandardTestVector {};
@@ -307,28 +305,26 @@ mod tests {
         }
 
         impl SignedMessage for MyTest {
-            fn fetch_all_signature_headers(&self) -> Vec<String> {
-                vec![self.signature_header.clone()]
-            }
-            fn fetch_all_signature_inputs(&self) -> Vec<String> {
-                vec![self.signature_input.clone()]
-            }
-            fn lookup_component(&self, name: &CoveredComponent) -> Option<String> {
-                match *name {
+            fn lookup_component(&self, name: &CoveredComponent) -> Vec<String> {
+                match name {
+                    CoveredComponent::HTTP(HTTPField { name, .. }) => {
+                        if name == "signature" {
+                            return vec![self.signature_header.clone()];
+                        }
+
+                        if name == "signature-input" {
+                            return vec![self.signature_input.clone()];
+                        }
+                        vec![]
+                    }
                     CoveredComponent::Derived(DerivedComponent::Authority { .. }) => {
-                        Some("example.com".to_string())
+                        vec!["example.com".to_string()]
                     }
-                    _ => None,
+                    _ => vec![],
                 }
             }
         }
 
-        impl WebBotAuthSignedMessage for MyTest {
-            fn fetch_all_signature_agents(&self) -> Vec<String> {
-                vec![]
-            }
-        }
-
         let public_key: [u8; ed25519_dalek::PUBLIC_KEY_LENGTH] = [
             0x26, 0xb4, 0x0b, 0x8f, 0x93, 0xff, 0xf3, 0xd8, 0x97, 0x11, 0x2f, 0x7e, 0xbc, 0x58,
             0x2b, 0x23, 0x2d, 0xbd, 0x72, 0x51, 0x7d, 0x08, 0x2f, 0xe8, 0x3c, 0xfb, 0x30, 0xdd,
@@ -388,30 +384,28 @@ mod tests {
         struct MissingParametersTestVector {}
 
         impl SignedMessage for MissingParametersTestVector {
-            fn fetch_all_signature_headers(&self) -> Vec<String> {
-                vec![
-                    "sig1=:uz2SAv+VIemw+Oo890bhYh6Xf5qZdLUgv6/PbiQfCFXcX/vt1A8Pf7OcgL2yUDUYXFtffNpkEr5W6dldqFrkDg==:".to_owned()
-                ]
-            }
-            fn fetch_all_signature_inputs(&self) -> Vec<String> {
-                vec![r#"sig1=("@authority");created=1735689600;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";alg="ed25519";expires=1735693200;nonce="gubxywVx7hzbYKatLgzuKDllDAIXAkz41PydU7aOY7vT+Mb3GJNxW0qD4zJ+IOQ1NVtg+BNbTCRUMt1Ojr5BgA==";tag="not-web-bot-auth""#.to_owned()]
-            }
-            fn lookup_component(&self, name: &CoveredComponent) -> Option<String> {
-                match *name {
+            fn lookup_component(&self, name: &CoveredComponent) -> Vec<String> {
+                match name {
+                    CoveredComponent::HTTP(HTTPField { name, .. }) => {
+                        if name == "signature" {
+                            return vec![
+                                "sig1=:uz2SAv+VIemw+Oo890bhYh6Xf5qZdLUgv6/PbiQfCFXcX/vt1A8Pf7OcgL2yUDUYXFtffNpkEr5W6dldqFrkDg==:".to_owned()
+                            ];
+                        }
+
+                        if name == "signature-input" {
+                            return vec![r#"sig1=("@authority");created=1735689600;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";alg="ed25519";expires=1735693200;nonce="gubxywVx7hzbYKatLgzuKDllDAIXAkz41PydU7aOY7vT+Mb3GJNxW0qD4zJ+IOQ1NVtg+BNbTCRUMt1Ojr5BgA==";tag="not-web-bot-auth""#.to_owned()];
+                        }
+                        vec![]
+                    }
                     CoveredComponent::Derived(DerivedComponent::Authority { .. }) => {
-                        Some("example.com".to_string())
+                        vec!["example.com".to_string()]
                     }
-                    _ => None,
+                    _ => vec![],
                 }
             }
         }
 
-        impl WebBotAuthSignedMessage for MissingParametersTestVector {
-            fn fetch_all_signature_agents(&self) -> Vec<String> {
-                vec![]
-            }
-        }
-
         let test = MissingParametersTestVector {};
         WebBotAuthVerifier::parse(&test).expect_err("This should not have parsed");
     }
@@ -421,28 +415,30 @@ mod tests {
         struct MissingParametersTestVector {}
 
         impl SignedMessage for MissingParametersTestVector {
-            fn fetch_all_signature_headers(&self) -> Vec<String> {
-                vec!["sig1=:uz2SAv+VIemw+Oo890bhYh6Xf5qZdLUgv6/PbiQfCFXcX/vt1A8Pf7OcgL2yUDUYXFtffNpkEr5W6dldqFrkDg==:".to_owned()]
-            }
-            fn fetch_all_signature_inputs(&self) -> Vec<String> {
-                vec![r#"sig1=("@authority");created=1735689600;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";alg="ed25519";expires=1735693200;nonce="gubxywVx7hzbYKatLgzuKDllDAIXAkz41PydU7aOY7vT+Mb3GJNxW0qD4zJ+IOQ1NVtg+BNbTCRUMt1Ojr5BgA==";tag="web-bot-auth""#.to_owned()]
-            }
-            fn lookup_component(&self, name: &CoveredComponent) -> Option<String> {
-                match *name {
+            fn lookup_component(&self, name: &CoveredComponent) -> Vec<String> {
+                match name {
+                    CoveredComponent::HTTP(HTTPField { name, .. }) => {
+                        if name == "signature" {
+                            return vec!["sig1=:uz2SAv+VIemw+Oo890bhYh6Xf5qZdLUgv6/PbiQfCFXcX/vt1A8Pf7OcgL2yUDUYXFtffNpkEr5W6dldqFrkDg==:".to_owned()];
+                        }
+
+                        if name == "signature-input" {
+                            return vec![r#"sig1=("@authority");created=1735689600;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";alg="ed25519";expires=1735693200;nonce="gubxywVx7hzbYKatLgzuKDllDAIXAkz41PydU7aOY7vT+Mb3GJNxW0qD4zJ+IOQ1NVtg+BNbTCRUMt1Ojr5BgA==";tag="web-bot-auth""#.to_owned()];
+                        }
+
+                        if name == "signature-agent" {
+                            return vec![String::from("\"https://myexample.com\"")];
+                        }
+                        vec![]
+                    }
                     CoveredComponent::Derived(DerivedComponent::Authority { .. }) => {
-                        Some("example.com".to_string())
+                        vec!["example.com".to_string()]
                     }
-                    _ => None,
+                    _ => vec![],
                 }
             }
         }
 
-        impl WebBotAuthSignedMessage for MissingParametersTestVector {
-            fn fetch_all_signature_agents(&self) -> Vec<String> {
-                vec![String::from("\"https://myexample.com\"")]
-            }
-        }
-
         let test = MissingParametersTestVector {};
         WebBotAuthVerifier::parse(&test).expect_err("This should not have parsed");
     }
@@ -452,34 +448,30 @@ mod tests {
         struct StandardTestVector {}
 
         impl SignedMessage for StandardTestVector {
-            fn fetch_all_signature_headers(&self) -> Vec<String> {
-                vec!["sig1=:3q7S1TtbrFhQhpcZ1gZwHPCFHTvdKXNY1xngkp6lyaqqqv3QZupwpu/wQG5a7qybnrj2vZYMeVKuWepm+rNkDw==:".to_owned()]
-            }
-            fn fetch_all_signature_inputs(&self) -> Vec<String> {
-                vec![r#"sig1=("@authority" "signature-agent");alg="ed25519";keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";nonce="ZO3/XMEZjrvSnLtAP9M7jK0WGQf3J+pbmQRUpKDhF9/jsNCWqUh2sq+TH4WTX3/GpNoSZUa8eNWMKqxWp2/c2g==";tag="web-bot-auth";created=1749331474;expires=1749331484"#.to_owned()]
-            }
-            fn lookup_component(&self, name: &CoveredComponent) -> Option<String> {
+            fn lookup_component(&self, name: &CoveredComponent) -> Vec<String> {
                 match name {
-                    CoveredComponent::Derived(DerivedComponent::Authority { .. }) => {
-                        Some("example.com".to_string())
-                    }
-                    CoveredComponent::HTTP(components::HTTPField { name, .. }) => {
+                    CoveredComponent::HTTP(HTTPField { name, .. }) => {
+                        if name == "signature" {
+                            return vec!["sig1=:3q7S1TtbrFhQhpcZ1gZwHPCFHTvdKXNY1xngkp6lyaqqqv3QZupwpu/wQG5a7qybnrj2vZYMeVKuWepm+rNkDw==:".to_owned()];
+                        }
+
+                        if name == "signature-input" {
+                            return vec![r#"sig1=("@authority" "signature-agent");alg="ed25519";keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U";nonce="ZO3/XMEZjrvSnLtAP9M7jK0WGQf3J+pbmQRUpKDhF9/jsNCWqUh2sq+TH4WTX3/GpNoSZUa8eNWMKqxWp2/c2g==";tag="web-bot-auth";created=1749331474;expires=1749331484"#.to_owned()];
+                        }
+
                         if name == "signature-agent" {
-                            return Some(String::from("\"https://myexample.com\""));
+                            return vec![String::from("\"https://myexample.com\"")];
                         }
-                        None
+                        vec![]
+                    }
+                    CoveredComponent::Derived(DerivedComponent::Authority { .. }) => {
+                        vec!["example.com".to_string()]
                     }
-                    _ => None,
+                    _ => vec![],
                 }
             }
         }
 
-        impl WebBotAuthSignedMessage for StandardTestVector {
-            fn fetch_all_signature_agents(&self) -> Vec<String> {
-                vec![String::from("\"https://myexample.com\"")]
-            }
-        }
-
         let public_key: [u8; ed25519_dalek::PUBLIC_KEY_LENGTH] = [
             0x26, 0xb4, 0x0b, 0x8f, 0x93, 0xff, 0xf3, 0xd8, 0x97, 0x11, 0x2f, 0x7e, 0xbc, 0x58,
             0x2b, 0x23, 0x2d, 0xbd, 0x72, 0x51, 0x7d, 0x08, 0x2f, 0xe8, 0x3c, 0xfb, 0x30, 0xdd,