junkurihara · junkurihara · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026
diff --git a/Cargo.toml b/Cargo.toml
@@ -4,7 +4,7 @@ resolver = "2"
 
 [workspace.package]
 edition = "2021"
-version = "0.0.21"
+version = "0.0.22"
 authors = ["Jun Kurihara"]
 homepage = "https://github.com/junkurihara/httpsig-rs"
 repository = "https://github.com/junkurihara/httpsig-rs"

diff --git a/README.md b/README.md
@@ -16,13 +16,11 @@ This crates provides a basic library [httpsig](./httpsig) and [its extension](./
 - [x] HMAC using SHA-256
 - [x] Ed25519
 - [x] ECDSA-P256 using SHA-256
-- [ ] ECDSA-P384 using SHA-384
+- [x] ECDSA-P384 using SHA-384
+- [x] RSASSA-PSS using SHA-512
+- [x] RSASSA-PKCS1-v1_5 using SHA-256
 
-~~- [ ] RSASSA-PSS using SHA-512~~
-
-~~- [ ] RSASSA-PKCS1-v1_5 using SHA-256~~
-
-At this point, we have no plan to support RSA signature due to [the problem related to the non-constant time operation](https://github.com/RustCrypto/RSA/issues/19), i.e., [Mervin Attack](https://people.redhat.com/~hkario/marvin/).
+At this point, **RSA signature is non-default** due to [the problem related to the non-constant time operation](https://github.com/RustCrypto/RSA/issues/19), i.e., [Marvin Attack](https://people.redhat.com/~hkario/marvin/). If you want to use RSA signature, please enable the `rsa-signature` feature flag in your `Cargo.toml`.
 
 ## Usage of Extension for `hyper` (`httpsig-hyper`)
 
@@ -48,8 +46,11 @@ async fn signer<B>(&mut req: Request<B>) -> HttpSigResult<()> {
     .unwrap();
   let mut signature_params = HttpSignatureParams::try_new(&covered_components).unwrap();
 
+  // specify algorithm name since we cannot always infer it from key info
+  let alg = AlgorithmName::Ed25519;
+
   // set signing/verifying key information, alg and keyid
-  let secret_key = SecretKey::from_pem(SECRET_KEY_STRING).unwrap();
+  let secret_key = SecretKey::from_pem(&alg, SECRET_KEY_STRING).unwrap();
   signature_params.set_key_info(&secret_key);
 
   req
@@ -59,7 +60,11 @@ async fn signer<B>(&mut req: Request<B>) -> HttpSigResult<()> {
 
 /// Validation function that verifies a request with a signature
 async fn verifier<B>(req: &Request<B>) -> HttpSigResult<SignatureName> {
-  let public_key = PublicKey::from_pem(PUBLIC_KEY_STRING).unwrap();
+  // specify algorithm name since we cannot always infer it from key info
+  let alg = AlgorithmName::Ed25519; // directly use Ed25519 algorithm
+  // or else infer it from the request. Find your public key from IndexMap with alg and key_id pairs
+  // let alg_key_id_map = req.get_alg_key_ids().unwrap();
+  let public_key = PublicKey::from_pem(&alg, PUBLIC_KEY_STRING).unwrap();
   let key_id = public_key.key_id();
 
   // verify signature with checking key_id
@@ -105,8 +110,11 @@ async fn signer<B>(&mut res: Response<B>, corresponding_req: &Request<B>) -> Htt
     .unwrap();
   let mut signature_params = HttpSignatureParams::try_new(&covered_components).unwrap();
 
+  // specify algorithm name since we cannot always infer it from key info
+  let alg = AlgorithmName::Ed25519;
+
   // set signing/verifying key information, alg and keyid
-  let secret_key = SecretKey::from_pem(SECRET_KEY_STRING).unwrap();
+  let secret_key = SecretKey::from_pem(&alg, SECRET_KEY_STRING).unwrap();
   signature_params.set_key_info(&secret_key);
 
   req
@@ -116,7 +124,11 @@ async fn signer<B>(&mut res: Response<B>, corresponding_req: &Request<B>) -> Htt
 
 /// Validation function that verifies a response with a signature from response itself and sent request
 async fn verifier<B>(res: &Response<B>, sent_req: &Request<B>) -> HttpSigResult<SignatureName> {
-  let public_key = PublicKey::from_pem(PUBLIC_KEY_STRING).unwrap();
+  // specify algorithm name since we cannot always infer it from key info
+  let alg = AlgorithmName::Ed25519; // directly use Ed25519 algorithm
+  // or else infer it from the response. Find your public key from IndexMap with alg and key_id pairs
+  // let alg_key_id_map = res.get_alg_key_ids().unwrap();
+  let public_key = PublicKey::from_pem(&alg, PUBLIC_KEY_STRING).unwrap();
   let key_id = public_key.key_id();
 
   // verify signature with checking key_id

diff --git a/httpsig-hyper/Cargo.toml b/httpsig-hyper/Cargo.toml
@@ -15,10 +15,11 @@ rust-version.workspace = true
 [features]
 default = ["blocking"]
 blocking = ["futures/executor"]
+rsa-signature = ["httpsig/rsa-signature"]
 
 
 [dependencies]
-httpsig = { path = "../httpsig", version = "0.0.21" }
+httpsig = { path = "../httpsig", version = "0.0.22" }
 
 thiserror = { version = "2.0.18" }
 tracing = { version = "0.1.44" }

diff --git a/httpsig-hyper/README.md b/httpsig-hyper/README.md
@@ -27,7 +27,8 @@ If you need to verify the body of a given message when `content-digest` is cover
 
 ```rust
 // first verifies the signature according to `signature-input` header
-let public_key = PublicKey::from_pem(EDDSA_PUBLIC_KEY).unwrap();
+let alg = AlgorithmName::Ed25519;
+let public_key = PublicKey::from_pem(&alg, EDDSA_PUBLIC_KEY).unwrap();
 let signature_verification = req.verify_message_signature(&public_key, None).await;
 assert!(verification_res.is_ok());
 

diff --git a/httpsig-hyper/examples/hyper-request.rs b/httpsig-hyper/examples/hyper-request.rs
@@ -43,7 +43,7 @@ async fn sender_ed25519(req: &mut Request<BoxBody>) {
   let mut signature_params = HttpSignatureParams::try_new(&covered_components).unwrap();
 
   // set signing/verifying key information, alg and keyid with ed25519
-  let secret_key = SecretKey::from_pem(EDDSA_SECRET_KEY).unwrap();
+  let secret_key = SecretKey::from_pem(&AlgorithmName::Ed25519, EDDSA_SECRET_KEY).unwrap();
   signature_params.set_key_info(&secret_key);
 
   // set signature with custom signature name
@@ -65,7 +65,7 @@ async fn sender_hs256(req: &mut Request<BoxBody>) {
   let mut signature_params = HttpSignatureParams::try_new(&covered_components).unwrap();
 
   // set signing/verifying key information, alg and keyid and random noce with hmac-sha256
-  let shared_key = SharedKey::from_base64(HMACSHA256_SECRET_KEY).unwrap();
+  let shared_key = SharedKey::from_base64(&AlgorithmName::HmacSha256, HMACSHA256_SECRET_KEY).unwrap();
   signature_params.set_key_info(&shared_key);
   signature_params.set_random_nonce();
 
@@ -81,7 +81,7 @@ where
   B: http_body::Body + Send + Sync,
 {
   println!("Verifying ED25519 signature");
-  let public_key = PublicKey::from_pem(EDDSA_PUBLIC_KEY).unwrap();
+  let public_key = PublicKey::from_pem(&AlgorithmName::Ed25519, EDDSA_PUBLIC_KEY).unwrap();
   let key_id = public_key.key_id();
 
   // verify signature with checking key_id
@@ -94,7 +94,7 @@ where
   B: http_body::Body + Send + Sync,
 {
   println!("Verifying HMAC-SHA256 signature");
-  let shared_key = SharedKey::from_base64(HMACSHA256_SECRET_KEY).unwrap();
+  let shared_key = SharedKey::from_base64(&AlgorithmName::HmacSha256, HMACSHA256_SECRET_KEY).unwrap();
   let key_id = VerifyingKey::key_id(&shared_key);
 
   // verify signature with checking key_id

diff --git a/httpsig-hyper/examples/hyper-response.rs b/httpsig-hyper/examples/hyper-response.rs
@@ -55,7 +55,7 @@ async fn sender_ed25519(res: &mut Response<BoxBody>, received_req: &Request<BoxB
   let mut signature_params = HttpSignatureParams::try_new(&covered_components).unwrap();
 
   // set signing/verifying key information, alg and keyid with ed25519
-  let secret_key = SecretKey::from_pem(EDDSA_SECRET_KEY).unwrap();
+  let secret_key = SecretKey::from_pem(&AlgorithmName::Ed25519, EDDSA_SECRET_KEY).unwrap();
   signature_params.set_key_info(&secret_key);
 
   // set signature with custom signature name
@@ -77,7 +77,7 @@ async fn sender_hs256(res: &mut Response<BoxBody>, received_req: &Request<BoxBod
   let mut signature_params = HttpSignatureParams::try_new(&covered_components).unwrap();
 
   // set signing/verifying key information, alg and keyid and random noce with hmac-sha256
-  let shared_key = SharedKey::from_base64(HMACSHA256_SECRET_KEY).unwrap();
+  let shared_key = SharedKey::from_base64(&AlgorithmName::HmacSha256, HMACSHA256_SECRET_KEY).unwrap();
   signature_params.set_key_info(&shared_key);
   signature_params.set_random_nonce();
 
@@ -93,7 +93,7 @@ where
   B: http_body::Body + Send + Sync,
 {
   println!("Verifying ED25519 signature");
-  let public_key = PublicKey::from_pem(EDDSA_PUBLIC_KEY).unwrap();
+  let public_key = PublicKey::from_pem(&AlgorithmName::Ed25519, EDDSA_PUBLIC_KEY).unwrap();
   let key_id = public_key.key_id();
 
   // verify signature with checking key_id
@@ -106,7 +106,7 @@ where
   B: http_body::Body + Send + Sync,
 {
   println!("Verifying HMAC-SHA256 signature");
-  let shared_key = SharedKey::from_base64(HMACSHA256_SECRET_KEY).unwrap();
+  let shared_key = SharedKey::from_base64(&AlgorithmName::HmacSha256, HMACSHA256_SECRET_KEY).unwrap();
   let key_id = VerifyingKey::key_id(&shared_key);
 
   // verify signature with checking key_id