#[non_exhaustive]
pub struct VerifyPolicy {
    pub max_age: Option<Duration>,
    pub max_clock_skew_future: Option<Duration>,
    pub require_timestamp: bool,
    pub cavage_required_headers: &'static [&'static str],
    pub rfc9421_required_components: &'static [&'static str],
    pub allow_multiple_signatures: bool,
}
Tunables governing which signed requests are accepted at verification time.
A max_age of None disables the past-side check and a
max_clock_skew_future of None disables the future-side check;
both default to Some(...) in the presets. cavage_required_headers
defaults to CAVAGE_REQUIRED_HEADERS, rfc9421_required_components
defaults to RFC9421_REQUIRED_COMPONENTS, and
allow_multiple_signatures defaults to false — callers that need
the historical permissive behaviour can flip any of these knobs.
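Fields (Non-exhaustive)
This struct is marked as non-exhaustive. Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
max_age: Option<Duration>
Maximum permissible age of a signature. A created (or Date)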
timestamp older than now - max_age is rejected. None
disables the past-side check.
max_clock_skew_future: Option<Duration>
Maximum permissible future skew. A timestamp claimed to be more
than max_clock_skew_future ahead of the verifier’s clock is
rejected, to catch badly-set signer clocks and straight-out
forgeries. None disables the future-side check.
require_timestamp: bool
If true, a request carrying neither a created parameter nor
a Date header is rejected. Defaults to false to stay
compatible with servers that only emit one of the two.
cavage_required_headers: &'static [&'static str]
Cavage-specific: the list of header names whose presence in the
headers= parameter is mandatory. A signature whose coverage
does not include every name listed here is rejected with
Error::RequiredHeaderAbsent. The names are compared
case-insensitively.
rfc9421_required_components: &'static [&'static str]
RFC 9421-specific: the list of component identifiers whose
presence in the Signature-Input: inner list is mandatory.
Matches the spelling returned by
Component::identifier —
derived components are written with a leading @
(e.g. "@method", "@target-uri"), header components
appear lower-cased (e.g. "content-digest"). Names are
compared case-insensitively.
allow_multiple_signatures: bool
If false (the default), a Signature-Input: header containing
more than one label is rejected outright. Mastodon and the RFC
9421 interop profile both expect exactly one signature per
request; permitting additional labels opens a fallback channel
an attacker can use to bypass policy by attaching a second
signature of their own.
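The required-component and single-label checks described in the fields above, modelled in std-only Rust as an added example; it is not the crate's own code, and Reject, split_unquoted, covered and check_signature_input are hypothetical names. It assumes that an item carrying parameters does not satisfy a bare required name and that, when several labels are allowed, each one must meet the requirement; the header and required list in main are constructed.

```rust
// Added example, not the crate's code; all names here are hypothetical.
#[derive(Debug, PartialEq)]
enum Reject { Malformed, MultipleSignatures(usize), RequiredComponentAbsent(&'static str) }

/// Split `s` on `sep`, ignoring separators inside double-quoted strings.
fn split_unquoted(s: &str, sep: char) -> Vec<&str> {
    let (mut parts, mut start, mut quoted, mut escaped) = (Vec::new(), 0, false, false);
    for (i, c) in s.char_indices() {
        if escaped { escaped = false; continue; }
        match c {
            '\\' if quoted => escaped = true,
            '"' => quoted = !quoted,
            _ if c == sep && !quoted => { parts.push(&s[start..i]); start = i + c.len_utf8(); }
            _ => {}
        }
    }
    parts.push(&s[start..]);
    parts
}

/// Component identifiers covered by one `label=(...);params` dictionary member.
fn covered(member: &str) -> Result<Vec<String>, Reject> {
    let (_label, rest) = member.trim().split_once('=').ok_or(Reject::Malformed)?;
    let body = rest.strip_prefix('(').ok_or(Reject::Malformed)?;
    let inner = split_unquoted(body, ')');
    if inner.len() < 2 { return Err(Reject::Malformed); } // inner list never closed
    split_unquoted(inner[0], ' ').into_iter().filter(|item| !item.is_empty())
        // `"@method"` becomes `@method`; an item with parameters keeps them in its
        // identifier, so it cannot stand in for a bare required name (assumption).
        .map(|item| item.strip_prefix('"').map(|n| n.replacen('"', "", 1)).ok_or(Reject::Malformed))
        .collect()
}

fn check_signature_input(value: &str, required: &[&'static str], allow_multiple: bool) -> Result<(), Reject> {
    let members = split_unquoted(value, ',');
    if members.len() > 1 && !allow_multiple { return Err(Reject::MultipleSignatures(members.len())); }
    for member in members {
        let names = covered(member)?; // assumption: every label must meet the policy
        if let Some(req) = required.iter().copied().find(|r| !names.iter().any(|n| n.eq_ignore_ascii_case(*r))) {
            return Err(Reject::RequiredComponentAbsent(req));
        }
    }
    Ok(())
}

fn main() {
    let required = ["@method", "@target-uri"]; // constructed policy list
    let header = r#"sig1=("@method" "@target-uri");created=1, sig2=("@method")"#; // constructed
    println!("{:?}", check_signature_input(header, &required, false));
}
```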
Implementations
impl VerifyPolicy
pub const fn mastodon() -> Self
Returns the policy Mastodon applies to inbound federated requests: 12 hours past, 5 minutes future, timestamps optional, and the Cavage / RFC 9421 minimum component sets enforced.
pub const fn strict() -> Self
Returns a tight policy appropriate for internal services where every hop has NTP-synchronised clocks: 5 minutes past, 1 minute future, timestamps mandatory, Cavage / RFC 9421 minimum component sets enforced, and multi-signature requests rejected.
pub const fn no_freshness_check() -> Self
Returns a policy that disables freshness and required-component checking entirely.
Only intended for byte-level conformance tests against static RFC 9421 / Cavage fixtures that bake fixed timestamps and minimal component lists into their inputs. Do not use in production.
pub fn check(
    &self,
    created_unix: Option<i64>,
    expires_unix: Option<i64>,
    date_header: Option<&str>,
    now: DateTime<Utc>,
) -> Result<(), Error>
Evaluates the policy against a signature whose created
parameter is created_unix (seconds since epoch), expires
parameter is expires_unix, and whose companion Date header
(if any) contained date_header. Returns Ok when the
signature is fresh, or a specific error otherwise.
Errors
Returns Error::TimestampMissing when require_timestamp
is on and no source is available, Error::TimestampTooOld
when now - source > max_age, Error::TimestampInFuture
when the source is too far ahead of now, and
Error::TimestampExpired when expires is already in the
past.
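The freshness window that check enforces, modelled in std-only Rust as an added example; it is not the crate's own code, and Window, Stale, MASTODON and STRICT are hypothetical names whose numbers come from the preset descriptions above. It assumes the Date header is already parsed to Unix seconds, that created takes precedence over Date, and that expiry is tested first; saturating arithmetic keeps an attacker-chosen extreme timestamp from overflowing the comparison.

```rust
// Added example, not the crate's code; all names here are hypothetical.
#[derive(Debug, PartialEq)]
enum Stale { TimestampMissing, TimestampTooOld, TimestampInFuture, TimestampExpired }

#[derive(Clone, Copy)]
struct Window { max_age: Option<i64>, max_future: Option<i64>, require_timestamp: bool }

// Seconds, taken from the preset descriptions on this page.
const MASTODON: Window = Window { max_age: Some(12 * 3600), max_future: Some(5 * 60), require_timestamp: false };
const STRICT: Window = Window { max_age: Some(5 * 60), max_future: Some(60), require_timestamp: true };

impl Window {
    /// `date` is the Date header already parsed to Unix seconds (assumption).
    fn check(&self, created: Option<i64>, expires: Option<i64>, date: Option<i64>, now: i64) -> Result<(), Stale> {
        // Assumption: expiry is evaluated before the age window.
        if matches!(expires, Some(e) if e < now) { return Err(Stale::TimestampExpired); }
        // Assumption: `created` wins over Date when both are present.
        let Some(ts) = created.or(date) else {
            return if self.require_timestamp { Err(Stale::TimestampMissing) } else { Ok(()) };
        };
        // Saturating subtraction: `ts` is attacker-supplied and may be i64::MIN or i64::MAX.
        if matches!(self.max_age, Some(a) if now.saturating_sub(ts) > a) { return Err(Stale::TimestampTooOld); }
        if matches!(self.max_future, Some(f) if ts.saturating_sub(now) > f) { return Err(Stale::TimestampInFuture); }
        Ok(())
    }
}

fn main() {
    let now = 1_700_000_000; // constructed clock value
    let created = Some(now - 11 * 3600); // constructed: signed eleven hours ago
    println!("mastodon: {:?}", MASTODON.check(created, None, None, now));
    println!("strict:   {:?}", STRICT.check(created, None, None, now));
}
```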
Trait Implementations
impl Clone for VerifyPolicy
fn clone(&self) -> VerifyPolicy
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.
impl Copy for VerifyPolicy
impl Debug for VerifyPolicy
impl Default for VerifyPolicy
fn default() -> Self
Returns Self::mastodon — the Fediverse-compatible default.
impl Eq for VerifyPolicy
impl PartialEq for VerifyPolicy
fn eq(&self, other: &VerifyPolicy) -> bool
Tests for self and other values to be equal, and is used by ==.
impl StructuralPartialEq for VerifyPolicy
Auto Trait Implementations
impl Freeze for VerifyPolicy
impl RefUnwindSafe for VerifyPolicy
impl Send for VerifyPolicy
impl Sync for VerifyPolicy
impl Unpin for VerifyPolicy
impl UnsafeUnpin for VerifyPolicy
impl UnwindSafe for VerifyPolicy