TrueLayer · tl-Roberto-Mancinelli · Nov 23, 2025 · Nov 23, 2025 · Nov 23, 2025 · Nov 23, 2025
@@ -17,10 +17,6 @@
         case "verifier":
             BenchmarkRunner.Run<VerifierBenchmarks>(config);
             break;
-        case "jws":
-        case "jws-verify":
-            BenchmarkRunner.Run<JwsVerificationBenchmarks>(config);
-            break;
         case "all":
         default:
             BenchmarkSwitcher.FromAssembly(typeof(Program).Assembly).Run(args, config);

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net9.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <Nullable>enable</Nullable>
     <AssemblyName>TrueLayer.Signing.Benchmarks</AssemblyName>
     <RootNamespace>TrueLayer.Signing.Benchmarks</RootNamespace>

@@ -0,0 +1,23 @@
+using System;
+
+namespace TrueLayer.Signing
+{
+    /// <summary>Internal Base64Url encoding/decoding for AOT compatibility.</summary>
+    internal static class Base64Url
+    {
+        /// <summary>Encode bytes to base64url string.</summary>
+        public static string Encode(byte[] input) => Convert.ToBase64String(input).TrimEnd('=').Replace('+', '-').Replace('/', '_');
+
+        /// <summary>Decode base64url string to bytes.</summary>
+        public static byte[] Decode(string input)
+        {
+            var base64 = input.Replace('-', '+').Replace('_', '/');
+            switch (input.Length % 4)
+            {
+                case 2: base64 += "=="; break;
+                case 3: base64 += "="; break;
+            }
+            return Convert.FromBase64String(base64);
+        }
+    }
+}
@@ -5,7 +5,6 @@
 using System.Text;
 using System.Text.Json;
 using System.Threading.Tasks;
-using Jose;
 
 namespace TrueLayer.Signing
 {
@@ -39,10 +38,13 @@ public static Signer SignWithPem(string kid, ReadOnlySpan<byte> privateKeyPem)
 
         /// <summary>
         /// Start building a request Tl-Signature header value using the key ID of the signing key (kid)
-        /// and a function that accepts the payload to sign and returns the signature in IEEE P1363 format. 
+        /// and a function that accepts the payload to sign and returns the signature in IEEE P1363 format.
         /// </summary>
         public static AsyncSigner SignWithFunction(string kid, Func<string, Task<string>> signAsync) => new FunctionSigner(kid, signAsync);
-
+
+        /// <summary>
+        /// Initializes a new instance of the Signer class with the specified key ID.
+        /// </summary>
         protected internal Signer(string kid) : base(kid)
         {
         }
@@ -51,16 +53,27 @@ protected internal Signer(string kid) : base(kid)
         public abstract string Sign();
     }
 
+    /// <summary>
+    /// Base class for signature builders with fluent API support.
+    /// </summary>
     public abstract class Signer<TSigner> where TSigner : Signer<TSigner>
     {
         private readonly string _kid;
         private readonly TSigner _this;
+        /// <summary>HTTP method for the request.</summary>
         protected internal string _method = "POST";
+        /// <summary>Request path.</summary>
         protected internal string _path = "";
+        /// <summary>Request headers to include in the signature.</summary>
         protected internal readonly Dictionary<string, byte[]> _headers = new(StringComparer.OrdinalIgnoreCase);
+        /// <summary>Request body.</summary>
         protected internal byte[] _body = Array.Empty<byte>();
+        /// <summary>JSON Web Key Set URL.</summary>
         protected internal string? _jku;
 
+        /// <summary>
+        /// Initializes a new instance of the Signer class with the specified key ID.
+        /// </summary>
         protected internal Signer(string kid)
         {
             _kid = kid;
@@ -157,14 +170,17 @@ public TSigner Body(byte[] body)
         public TSigner Body(string body) => Body(body.ToUtf8());
 
         /// <summary>
-        /// Sets the jku (JSON Web Key Set URL) in the JWS headers of the signature. 
+        /// Sets the jku (JSON Web Key Set URL) in the JWS headers of the signature.
         /// </summary>
         public TSigner Jku(string jku)
         {
             _jku = jku;
             return _this;
         }
 
+        /// <summary>
+        /// Creates the JWS headers for the signature.
+        /// </summary>
         protected internal Dictionary<string, object> CreateJwsHeaders()
         {
             var jwsHeaders = new Dictionary<string, object>
@@ -189,6 +205,9 @@ protected internal Dictionary<string, object> CreateJwsHeaders()
     /// </summary>
     public abstract class AsyncSigner : Signer<AsyncSigner>
     {
+        /// <summary>
+        /// Initializes a new instance of the AsyncSigner class with the specified key ID.
+        /// </summary>
         protected internal AsyncSigner(string kid) : base(kid)
         {
         }
@@ -209,15 +228,47 @@ internal PrivateKeySigner(string kid, ECDsa privateKey) : base(kid)
         public override string Sign()
         {
             var jwsHeaders = CreateJwsHeaders();
+#if NET5_0_OR_GREATER
+            var serializedJwsHeaders = JsonSerializer.SerializeToUtf8Bytes(jwsHeaders, SigningJsonContext.Default.DictionaryStringObject);
+#else
+            var serializedJwsHeaders = JsonSerializer.SerializeToUtf8Bytes(jwsHeaders);
+#endif
+            var serializedJwsHeadersB64 = Base64Url.Encode(serializedJwsHeaders);
+
             var headerList = _headers.Select(e => (e.Key, e.Value));
             var signingPayload = Util.BuildV2SigningPayload(_method, _path, headerList, _body);
+            var signingPayloadB64 = Base64Url.Encode(signingPayload);
+
+            // Efficiently build the signing message bytes without intermediate string allocation
+            var signingMessageBytes = new byte[serializedJwsHeadersB64.Length + 1 + signingPayloadB64.Length];
+#if NET5_0_OR_GREATER
+            // Use Span-based API for better performance on modern .NET
+            Encoding.ASCII.GetBytes(serializedJwsHeadersB64, signingMessageBytes.AsSpan(0, serializedJwsHeadersB64.Length));
+            signingMessageBytes[serializedJwsHeadersB64.Length] = (byte)'.';
+            Encoding.ASCII.GetBytes(signingPayloadB64, signingMessageBytes.AsSpan(serializedJwsHeadersB64.Length + 1));
+#else
+            Encoding.UTF8.GetBytes(serializedJwsHeadersB64, 0, serializedJwsHeadersB64.Length, signingMessageBytes, 0);
+            signingMessageBytes[serializedJwsHeadersB64.Length] = (byte)'.';
+            Encoding.UTF8.GetBytes(signingPayloadB64, 0, signingPayloadB64.Length, signingMessageBytes, serializedJwsHeadersB64.Length + 1);
+#endif
+
+            // Compute SHA-512 hash (ES512 uses SHA-512)
+#if NET5_0_OR_GREATER
+            var hash = SHA512.HashData(signingMessageBytes);
+#else
+            byte[] hash;
+            using (var sha512 = SHA512.Create())
+            {
+                hash = sha512.ComputeHash(signingMessageBytes);
+            }
+#endif
 
-            return JWT.EncodeBytes(
-                signingPayload,
-                _key,
-                JwsAlgorithm.ES512,
-                jwsHeaders,
-                options: new JwtOptions {DetachPayload = true});
+            // Sign the hash using ECDSA - signature will be in IEEE P1363 format (r||s)
+            var signature = _key.SignHash(hash);
+            var signatureB64 = Base64Url.Encode(signature);
+
+            // Return detached JWS format: header..signature (empty payload)
+            return $"{serializedJwsHeadersB64}..{signatureB64}";
         }
     }
 
@@ -233,7 +284,11 @@ internal FunctionSigner(string kid, Func<string, Task<string>> signAsync) : base
         public override async Task<string> SignAsync()
         {
             var jwsHeaders = CreateJwsHeaders();
+#if NET5_0_OR_GREATER
+            var serializedJwsHeaders = JsonSerializer.SerializeToUtf8Bytes(jwsHeaders, SigningJsonContext.Default.DictionaryStringObject);
+#else
             var serializedJwsHeaders = JsonSerializer.SerializeToUtf8Bytes(jwsHeaders);
+#endif
             var serializedJwsHeadersB64 = Base64Url.Encode(serializedJwsHeaders);
 
             var headerList = _headers.Select(e => (e.Key, e.Value));

@@ -3,6 +3,8 @@
 using System.IO;
 using System.Security.Cryptography;
 using System.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
 
 namespace TrueLayer.Signing
 {
@@ -140,10 +142,19 @@ private static void PreNet5ImportPem(this ECDsa key, ReadOnlySpan<char> pem)
         }
 
         /// <summary>Gets a value from the map as a string or null.</summary>
-        public static string? GetString(this IDictionary<string, object> dict, string key)
+        public static string? GetString(this Dictionary<string, JsonElement> dict, string key)
         {
-            dict.TryGetValue(key, out var value);
-            return value as string;
+            if (!dict.TryGetValue(key, out var element))
+            {
+                return null;
+            }
+
+            if (element.ValueKind == JsonValueKind.String)
+            {
+                return element.GetString();
+            }
+
+            return null;
         }
 
         /// <summary>
@@ -178,4 +189,18 @@ internal class Jwk
         public string X { get; set; } = "";
         public string Y { get; set; } = "";
     }
+
+#if NET5_0_OR_GREATER
+    /// <summary>AOT-compatible JSON serialization context for JWKS.</summary>
+    [JsonSourceGenerationOptions(
+        PropertyNamingPolicy = JsonKnownNamingPolicy.CamelCase,
+        DefaultIgnoreCondition = JsonIgnoreCondition.Never)]
+    [JsonSerializable(typeof(Jwks))]
+    [JsonSerializable(typeof(Jwk))]
+    [JsonSerializable(typeof(Dictionary<string, object>))]
+    [JsonSerializable(typeof(Dictionary<string, JsonElement>))]
+    internal partial class SigningJsonContext : JsonSerializerContext
+    {
+    }
+#endif
 }