Skip to main content

VerifyPolicy

actpub_httpsig

Struct VerifyPolicy 

Source 
#[non_exhaustive]
pub struct VerifyPolicy {
    pub max_age: Option<Duration>,
    pub max_clock_skew_future: Option<Duration>,
    pub require_timestamp: bool,
    pub cavage_required_headers: &'static [&'static str],
    pub allow_multiple_signatures: bool,
}
Expand description

Tunables governing which signed requests are accepted at verification time.

A max_age of None disables the past-side check and a max_clock_skew_future of None disables the future-side check; both default to Some(...) in the presets. cavage_required_headers defaults to CAVAGE_REQUIRED_HEADERS, and allow_multiple_signatures defaults to false — callers that need the historical permissive behaviour can flip either knob.

Fields (Non-exhaustive)§

This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
§max_age: Option<Duration>

Maximum permissible age of a signature. A created (or Date) timestamp older than now - max_age is rejected. None disables the past-side check.

§max_clock_skew_future: Option<Duration>

Maximum permissible future skew. A timestamp claimed to be more than max_clock_skew_future ahead of the verifier’s clock is rejected, to catch badly-set signer clocks and straight-out forgeries. None disables the future-side check.

§require_timestamp: bool

If true, a request carrying neither a created parameter nor a Date header is rejected. Defaults to false to stay compatible with servers that only emit one of the two.

§cavage_required_headers: &'static [&'static str]

Cavage-specific: the list of header names whose presence in the headers= parameter is mandatory. A signature whose coverage does not include every name listed here is rejected with Error::RequiredHeaderAbsent. The names are compared case-insensitively.

§allow_multiple_signatures: bool

If false (the default), a Signature-Input: header containing more than one label is rejected outright. Mastodon and the RFC 9421 interop profile both expect exactly one signature per request; permitting additional labels opens a fallback channel an attacker can use to bypass policy by attaching a second signature of their own.

Implementations§

Source§

impl VerifyPolicy

Source

pub const fn mastodon() -> Self

Returns the policy Mastodon applies to inbound federated requests: 12 hours past, 5 minutes future, timestamps optional, and the Cavage minimum header set enforced.

See https://docs.joinmastodon.org/spec/security/.

Source

pub const fn strict() -> Self

Returns a tight policy appropriate for internal services where every hop has NTP-synchronised clocks: 5 minutes past, 1 minute future, timestamps mandatory, Cavage minimum header set enforced, and multi-signature requests rejected.

Source

pub const fn no_freshness_check() -> Self

Returns a policy that disables freshness checking entirely.

Only intended for byte-level conformance tests against static RFC 9421 / Cavage fixtures that bake fixed timestamps into their inputs. Do not use in production.

Source

pub fn check( &self, created_unix: Option<i64>, expires_unix: Option<i64>, date_header: Option<&str>, now: DateTime<Utc>, ) -> Result<(), Error>

Evaluates the policy against a signature whose created parameter is created_unix (seconds since epoch), expires parameter is expires_unix, and whose companion Date header (if any) contained date_header. Returns Ok when the signature is fresh, or a specific error otherwise.

§Errors

Returns Error::TimestampMissing when require_timestamp is on and no source is available, Error::TimestampTooOld when now - source > max_age, Error::TimestampInFuture when the source is too far ahead of now, and Error::TimestampExpired when expires is already in the past.

Trait Implementations§

Source§

impl Clone for VerifyPolicy

Source§

fn clone(&self) -> VerifyPolicy

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for VerifyPolicy

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for VerifyPolicy

Source§

fn default() -> Self

Returns Self::mastodon — the Fediverse-compatible default.

Source§

impl PartialEq for VerifyPolicy

Source§

fn eq(&self, other: &VerifyPolicy) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Copy for VerifyPolicy

Source§

impl Eq for VerifyPolicy

Source§

impl StructuralPartialEq for VerifyPolicy

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more