pub struct MultiKeyVerifier { /* private fields */ }Expand description
A JwsVerifier that holds multiple keys and applies RFC 7517 key selection semantics.
Key selection follows KeyMatchStrength priority:
- A
ByKeyIdmatch (algorithm + kid) is definitive — that key is used exclusively. - Multiple
ByAlgorithmmatches are ambiguous; returnsAmbiguousKeyMatchunlesstry_all_on_ambiguous_matchis set, in which case each candidate is tried in order. - A single
ByAlgorithmmatch is used directly.
For a JWKS-backed verifier with automatic refresh and retry wrapped around
this type, use JwksSource; construct
MultiKeyVerifier directly only for a custom stack.
Implementations§
Source§impl MultiKeyVerifier
impl MultiKeyVerifier
Sourcepub fn new(verifiers: Vec<Arc<dyn JwsVerifier>>) -> Self
pub fn new(verifiers: Vec<Arc<dyn JwsVerifier>>) -> Self
Creates a MultiKeyVerifier from an explicit list of verifiers.
Sourcepub async fn from_jwks(
jwks: &PublicJwks,
platform: &dyn JwsVerifierPlatform,
) -> Result<Self, Error>
pub async fn from_jwks( jwks: &PublicJwks, platform: &dyn JwsVerifierPlatform, ) -> Result<Self, Error>
Builds a MultiKeyVerifier from a JWKS document.
Keys with unsupported algorithms are silently skipped.
This is a general-purpose constructor with no key-count limit: it may be
fed from a trusted source (a KMS, an enclave, a local file) as well as a
remote JWKS. Bounding the key count of an untrusted, remotely-fetched
document is the fetcher’s job — see JwksSource.
§Errors
Returns ErrorKind::Crypto if a supported key fails to construct a
verifier.
Sourcepub fn try_all_on_ambiguous_match(self, value: bool) -> Self
pub fn try_all_on_ambiguous_match(self, value: bool) -> Self
Configures whether to try all matching keys when no kid is present and multiple
keys match by algorithm.
When false (the default), multiple algorithm matches without a kid return
AmbiguousKeyMatch. When true, each candidate
is tried in order and the first success is accepted.