aws_lc_rs/signature.rs
1// Copyright 2015-2017 Brian Smith.
2// SPDX-License-Identifier: ISC
3// Modifications copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
4// SPDX-License-Identifier: Apache-2.0 OR ISC
5
6//! Public key signatures: signing and verification.
7//!
8//! Use the `verify` function to verify signatures, passing a reference to the
9//! algorithm that identifies the algorithm. See the documentation for `verify`
10//! for examples.
11//!
12//! For signature verification, this API treats each combination of parameters
13//! as a separate algorithm. For example, instead of having a single "RSA"
14//! algorithm with a verification function that takes a bunch of parameters,
15//! there are `RSA_PKCS1_2048_8192_SHA256`, `RSA_PKCS1_2048_8192_SHA384`, etc.,
16//! which encode sets of parameter choices into objects. This is designed to
17//! reduce the risks of algorithm agility and to provide consistency with ECDSA
18//! and `EdDSA`.
19//!
20//! Currently this module does not support digesting the message to be signed
21//! separately from the public key operation, as it is currently being
22//! optimized for Ed25519 and for the implementation of protocols that do not
23//! requiring signing large messages. An interface for efficiently supporting
24//! larger messages may be added later.
25//!
26//!
27//! # Algorithm Details
28//!
29//! ## `ECDSA_*_ASN1` Details: ASN.1-encoded ECDSA Signatures
30//!
31//! The signature is a ASN.1 DER-encoded `Ecdsa-Sig-Value` as described in
32//! [RFC 3279 Section 2.2.3]. This is the form of ECDSA signature used in
33//! X.509-related structures and in TLS's `ServerKeyExchange` messages.
34//!
35//! The public key is encoding in uncompressed form using the
36//! Octet-String-to-Elliptic-Curve-Point algorithm in
37//! [SEC 1: Elliptic Curve Cryptography, Version 2.0].
38//!
39//! During verification, the public key is validated using the ECC Partial
40//! Public-Key Validation Routine from Section 5.6.2.3.3 of
41//! [NIST Special Publication 800-56A, revision 2] and Appendix A.3 of the
42//! NSA's [Suite B implementer's guide to FIPS 186-3]. Note that, as explained
43//! in the NSA guide, ECC Partial Public-Key Validation is equivalent to ECC
44//! Full Public-Key Validation for prime-order curves like this one.
45//!
46//! ## `ECDSA_*_FIXED` Details: Fixed-length (PKCS#11-style) ECDSA Signatures
47//!
48//! The signature is *r*||*s*, where || denotes concatenation, and where both
49//! *r* and *s* are both big-endian-encoded values that are left-padded to the
50//! maximum length. A P-256 signature will be 64 bytes long (two 32-byte
51//! components) and a P-384 signature will be 96 bytes long (two 48-byte
52//! components). This is the form of ECDSA signature used PKCS#11 and DNSSEC.
53//!
54//! The public key is encoding in uncompressed form using the
55//! Octet-String-to-Elliptic-Curve-Point algorithm in
56//! [SEC 1: Elliptic Curve Cryptography, Version 2.0].
57//!
58//! During verification, the public key is validated using the ECC Partial
59//! Public-Key Validation Routine from Section 5.6.2.3.3 of
60//! [NIST Special Publication 800-56A, revision 2] and Appendix A.3 of the
61//! NSA's [Suite B implementer's guide to FIPS 186-3]. Note that, as explained
62//! in the NSA guide, ECC Partial Public-Key Validation is equivalent to ECC
63//! Full Public-Key Validation for prime-order curves like this one.
64//!
65//! ## `RSA_PKCS1_*` Details: RSA PKCS#1 1.5 Signatures
66//!
67//! The signature is an RSASSA-PKCS1-v1_5 signature as described in
68//! [RFC 3447 Section 8.2].
69//!
70//! The public key is encoded as an ASN.1 `RSAPublicKey` as described in
71//! [RFC 3447 Appendix-A.1.1]. The public key modulus length, rounded *up* to
72//! the nearest (larger) multiple of 8 bits, must be in the range given in the
73//! name of the algorithm. The public exponent must be an odd integer of 2-33
74//! bits, inclusive.
75//!
76//!
77//! ## `RSA_PSS_*` Details: RSA PSS Signatures
78//!
79//! The signature is an RSASSA-PSS signature as described in
80//! [RFC 3447 Section 8.1].
81//!
82//! The public key is encoded as an ASN.1 `RSAPublicKey` as described in
83//! [RFC 3447 Appendix-A.1.1]. The public key modulus length, rounded *up* to
84//! the nearest (larger) multiple of 8 bits, must be in the range given in the
85//! name of the algorithm. The public exponent must be an odd integer of 2-33
86//! bits, inclusive.
87//!
88//! During verification, signatures will only be accepted if the MGF1 digest
89//! algorithm is the same as the message digest algorithm and if the salt
90//! length is the same length as the message digest. This matches the
91//! requirements in TLS 1.3 and other recent specifications.
92//!
93//! During signing, the message digest algorithm will be used as the MGF1
94//! digest algorithm. The salt will be the same length as the message digest.
95//! This matches the requirements in TLS 1.3 and other recent specifications.
96//! Additionally, the entire salt is randomly generated separately for each
97//! signature using the secure random number generator passed to `sign()`.
98//!
99//!
100//! [SEC 1: Elliptic Curve Cryptography, Version 2.0]:
101//! http://www.secg.org/sec1-v2.pdf
102//! [NIST Special Publication 800-56A, revision 2]:
103//! http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
104//! [Suite B implementer's guide to FIPS 186-3]:
105//! https://github.com/briansmith/ring/blob/main/doc/ecdsa.pdf
106//! [RFC 3279 Section 2.2.3]:
107//! https://tools.ietf.org/html/rfc3279#section-2.2.3
108//! [RFC 3447 Section 8.2]:
109//! https://tools.ietf.org/html/rfc3447#section-7.2
110//! [RFC 3447 Section 8.1]:
111//! https://tools.ietf.org/html/rfc3447#section-8.1
112//! [RFC 3447 Appendix-A.1.1]:
113//! https://tools.ietf.org/html/rfc3447#appendix-A.1.1
114//!
115//!
116//! # Examples
117//!
118//! ## Signing and verifying with Ed25519
119//!
120//! ```
121//! use aws_lc_rs::{
122//! rand,
123//! signature::{self, KeyPair},
124//! };
125//!
126//! fn main() -> Result<(), aws_lc_rs::error::Unspecified> {
127//! // Generate a new key pair for Ed25519.
128//! let key_pair = signature::Ed25519KeyPair::generate()?;
129//!
130//! // Sign the message "hello, world".
131//! const MESSAGE: &[u8] = b"hello, world";
132//! let sig = key_pair.sign(MESSAGE);
133//!
134//! // Normally an application would extract the bytes of the signature and
135//! // send them in a protocol message to the peer(s). Here we just get the
136//! // public key key directly from the key pair.
137//! let peer_public_key_bytes = key_pair.public_key().as_ref();
138//!
139//! // Verify the signature of the message using the public key. Normally the
140//! // verifier of the message would parse the inputs to this code out of the
141//! // protocol message(s) sent by the signer.
142//! let peer_public_key =
143//! signature::UnparsedPublicKey::new(&signature::ED25519, peer_public_key_bytes);
144//! peer_public_key.verify(MESSAGE, sig.as_ref())?;
145//!
146//! Ok(())
147//! }
148//! ```
149//!
150//! ## Signing and verifying with RSA (PKCS#1 1.5 padding)
151//!
152//! By default OpenSSL writes RSA public keys in `SubjectPublicKeyInfo` format,
153//! not `RSAPublicKey` format, and Base64-encodes them (“PEM” format).
154//!
155//! To convert the PEM `SubjectPublicKeyInfo` format (“BEGIN PUBLIC KEY”) to the
156//! binary `RSAPublicKey` format needed by `verify()`, use:
157//!
158//! ```sh
159//! openssl rsa -pubin \
160//! -in public_key.pem \
161//! -inform PEM \
162//! -RSAPublicKey_out \
163//! -outform DER \
164//! -out public_key.der
165//! ```
166//!
167//! To extract the RSAPublicKey-formatted public key from an ASN.1 (binary)
168//! DER-encoded `RSAPrivateKey` format private key file, use:
169//!
170//! ```sh
171//! openssl rsa -in private_key.der \
172//! -inform DER \
173//! -RSAPublicKey_out \
174//! -outform DER \
175//! -out public_key.der
176//! ```
177//!
178//! ```
179//! use aws_lc_rs::{rand, signature};
180//!
181//! fn sign_and_verify_rsa(
182//! private_key_path: &std::path::Path,
183//! public_key_path: &std::path::Path,
184//! ) -> Result<(), MyError> {
185//! // Create an `RsaKeyPair` from the DER-encoded bytes. This example uses
186//! // a 2048-bit key, but larger keys are also supported.
187//! let private_key_der = read_file(private_key_path)?;
188//! let key_pair = signature::RsaKeyPair::from_der(&private_key_der)
189//! .map_err(|_| MyError::BadPrivateKey)?;
190//!
191//! // Sign the message "hello, world", using PKCS#1 v1.5 padding and the
192//! // SHA256 digest algorithm.
193//! const MESSAGE: &'static [u8] = b"hello, world";
194//! let rng = rand::SystemRandom::new();
195//! let mut signature = vec![0; key_pair.public_modulus_len()];
196//! key_pair
197//! .sign(&signature::RSA_PKCS1_SHA256, &rng, MESSAGE, &mut signature)
198//! .map_err(|_| MyError::OOM)?;
199//!
200//! // Verify the signature.
201//! let public_key = signature::UnparsedPublicKey::new(
202//! &signature::RSA_PKCS1_2048_8192_SHA256,
203//! read_file(public_key_path)?,
204//! );
205//! public_key
206//! .verify(MESSAGE, &signature)
207//! .map_err(|_| MyError::BadSignature)
208//! }
209//!
210//! #[derive(Debug)]
211//! enum MyError {
212//! IO(std::io::Error),
213//! BadPrivateKey,
214//! OOM,
215//! BadSignature,
216//! }
217//!
218//! fn read_file(path: &std::path::Path) -> Result<Vec<u8>, MyError> {
219//! use std::io::Read;
220//!
221//! let mut file = std::fs::File::open(path).map_err(|e| MyError::IO(e))?;
222//! let mut contents: Vec<u8> = Vec::new();
223//! file.read_to_end(&mut contents)
224//! .map_err(|e| MyError::IO(e))?;
225//! Ok(contents)
226//! }
227//!
228//! fn main() {
229//! let private_key_path =
230//! std::path::Path::new("tests/data/signature_rsa_example_private_key.der");
231//! let public_key_path =
232//! std::path::Path::new("tests/data/signature_rsa_example_public_key.der");
233//! sign_and_verify_rsa(&private_key_path, &public_key_path).unwrap()
234//! }
235//! ```
236use crate::aws_lc::EVP_PKEY;
237pub use crate::rsa::signature::{RsaEncoding, RsaSignatureEncoding};
238pub use crate::rsa::{
239 KeyPair as RsaKeyPair, PublicKey as RsaSubjectPublicKey,
240 PublicKeyComponents as RsaPublicKeyComponents, RsaParameters,
241};
242use core::fmt::{Debug, Formatter};
243use std::any::{Any, TypeId};
244#[cfg(feature = "ring-sig-verify")]
245use untrusted::Input;
246
247use crate::rsa::signature::RsaSigningAlgorithmId;
248use crate::rsa::RsaVerificationAlgorithmId;
249
250pub use crate::ec::key_pair::{EcdsaKeyPair, PrivateKey as EcdsaPrivateKey};
251use crate::ec::signature::EcdsaSignatureFormat;
252pub use crate::ec::signature::{
253 EcdsaSigningAlgorithm, EcdsaVerificationAlgorithm, PublicKey as EcdsaPublicKey,
254};
255pub use crate::ed25519::{
256 Ed25519KeyPair, EdDSAParameters, PublicKey as Ed25519PublicKey, Seed as Ed25519Seed,
257 ED25519_PUBLIC_KEY_LEN,
258};
259
260use crate::digest::Digest;
261use crate::ec::encoding::parse_ec_public_key;
262use crate::ed25519::parse_ed25519_public_key;
263use crate::encoding::{AsDer, PublicKeyX509Der};
264use crate::error::{KeyRejected, Unspecified};
265#[cfg(all(feature = "unstable", not(feature = "fips")))]
266use crate::pqdsa::{parse_pqdsa_public_key, signature::PqdsaVerificationAlgorithm};
267use crate::ptr::LcPtr;
268use crate::rsa::key::parse_rsa_public_key;
269use crate::{digest, ec, error, hex, rsa, sealed};
270
271/// The longest signature is for ML-DSA-87
272pub(crate) const MAX_LEN: usize = 4627;
273
274/// A public key signature returned from a signing operation.
275#[derive(Clone, Copy)]
276pub struct Signature {
277 value: [u8; MAX_LEN],
278 len: usize,
279}
280
281impl Signature {
282 // Panics if `value` is too long.
283 pub(crate) fn new<F>(fill: F) -> Self
284 where
285 F: FnOnce(&mut [u8; MAX_LEN]) -> usize,
286 {
287 let mut r = Self {
288 value: [0; MAX_LEN],
289 len: 0,
290 };
291 r.len = fill(&mut r.value);
292 r
293 }
294}
295
296impl AsRef<[u8]> for Signature {
297 #[inline]
298 fn as_ref(&self) -> &[u8] {
299 &self.value[..self.len]
300 }
301}
302
303/// Key pairs for signing messages (private key and public key).
304pub trait KeyPair: Debug + Send + Sized + Sync {
305 /// The type of the public key.
306 type PublicKey: AsRef<[u8]> + Debug + Clone + Send + Sized + Sync;
307
308 /// The public key for the key pair.
309 fn public_key(&self) -> &Self::PublicKey;
310}
311
312// Private trait
313pub(crate) trait ParsedVerificationAlgorithm: Debug + Sync {
314 fn parsed_verify_sig(
315 &self,
316 public_key: &ParsedPublicKey,
317 msg: &[u8],
318 signature: &[u8],
319 ) -> Result<(), error::Unspecified>;
320
321 fn parsed_verify_digest_sig(
322 &self,
323 public_key: &ParsedPublicKey,
324 digest: &Digest,
325 signature: &[u8],
326 ) -> Result<(), error::Unspecified>;
327}
328
329/// A signature verification algorithm.
330pub trait VerificationAlgorithm: Debug + Sync + Any + sealed::Sealed {
331 /// Verify the signature `signature` of message `msg` with the public key
332 /// `public_key`.
333 ///
334 // # FIPS
335 // The following conditions must be met:
336 // * RSA Key Sizes: 1024, 2048, 3072, 4096
337 // * NIST Elliptic Curves: P256, P384, P521
338 // * Digest Algorithms: SHA1, SHA256, SHA384, SHA512
339 //
340 /// # Errors
341 /// `error::Unspecified` if inputs not verified.
342 #[cfg(feature = "ring-sig-verify")]
343 #[deprecated(note = "please use `VerificationAlgorithm::verify_sig` instead")]
344 fn verify(
345 &self,
346 public_key: Input<'_>,
347 msg: Input<'_>,
348 signature: Input<'_>,
349 ) -> Result<(), error::Unspecified>;
350
351 /// Verify the signature `signature` of message `msg` with the public key
352 /// `public_key`.
353 ///
354 // # FIPS
355 // The following conditions must be met:
356 // * RSA Key Sizes: 1024, 2048, 3072, 4096
357 // * NIST Elliptic Curves: P256, P384, P521
358 // * Digest Algorithms: SHA1, SHA256, SHA384, SHA512
359 //
360 /// # Errors
361 /// `error::Unspecified` if inputs not verified.
362 fn verify_sig(
363 &self,
364 public_key: &[u8],
365 msg: &[u8],
366 signature: &[u8],
367 ) -> Result<(), error::Unspecified>;
368
369 /// Verify the signature `signature` of `digest` with the `public_key`.
370 ///
371 // # FIPS
372 // Not approved.
373 //
374 /// # Errors
375 /// `error::Unspecified` if inputs not verified.
376 fn verify_digest_sig(
377 &self,
378 public_key: &[u8],
379 digest: &Digest,
380 signature: &[u8],
381 ) -> Result<(), error::Unspecified>;
382}
383
384/// An unparsed, possibly malformed, public key for signature verification.
385#[derive(Clone)]
386pub struct UnparsedPublicKey<B: AsRef<[u8]>> {
387 algorithm: &'static dyn VerificationAlgorithm,
388 bytes: B,
389}
390/// A parsed public key for signature verification.
391///
392/// A `ParsedPublicKey` can be created in two ways:
393/// - Directly from public key bytes using [`ParsedPublicKey::new`]
394/// - By parsing an `UnparsedPublicKey` using [`UnparsedPublicKey::parse`]
395///
396/// This pre-validates the public key format and stores the parsed key material,
397/// allowing for more efficient signature verification operations compared to
398/// parsing the key on each verification.
399///
400/// See the [`crate::signature`] module-level documentation for examples.
401#[derive(Clone)]
402pub struct ParsedPublicKey {
403 algorithm: &'static dyn VerificationAlgorithm,
404 parsed_algorithm: &'static dyn ParsedVerificationAlgorithm,
405 key: LcPtr<EVP_PKEY>,
406 bytes: Box<[u8]>,
407}
408
409// See EVP_PKEY documentation here:
410// https://github.com/aws/aws-lc/blob/125af14c57451565b875fbf1282a38a6ecf83782/include/openssl/evp.h#L83-L89
411// An |EVP_PKEY| object represents a public or private key. A given object may
412// be used concurrently on multiple threads by non-mutating functions, provided
413// no other thread is concurrently calling a mutating function. Unless otherwise
414// documented, functions which take a |const| pointer are non-mutating and
415// functions which take a non-|const| pointer are mutating.
416unsafe impl Send for ParsedPublicKey {}
417unsafe impl Sync for ParsedPublicKey {}
418
419impl ParsedPublicKey {
420 /// Creates a new `ParsedPublicKey` directly from public key bytes.
421 ///
422 /// This method validates the public key format and creates a `ParsedPublicKey`
423 /// that can be used for efficient signature verification operations.
424 ///
425 /// # Errors
426 /// `KeyRejected` if the public key bytes are malformed or incompatible
427 /// with the specified algorithm.
428 ///
429 /// # Examples
430 ///
431 /// ```
432 /// use aws_lc_rs::signature::{self, ParsedPublicKey};
433 ///
434 /// # fn main() -> Result<(), Box<dyn std::error::Error>> {
435 /// let parsed_key = ParsedPublicKey::new(&signature::ED25519, include_bytes!("../tests/data/ed25519_test_public_key.bin"))?;
436 /// let signature = [
437 /// 0xED, 0xDB, 0x67, 0xE9, 0xF7, 0x8C, 0x9A, 0x0, 0xFD, 0xEE, 0x2D, 0x22, 0x21, 0xA3, 0x9A,
438 /// 0x8A, 0x79, 0xF2, 0x53, 0x88, 0x78, 0xF0, 0xA0, 0x1, 0x80, 0xA, 0x49, 0xA4, 0x17, 0x88,
439 /// 0xAB, 0x44, 0x4B, 0xD2, 0x58, 0xB0, 0x3B, 0x51, 0x8A, 0x1B, 0x61, 0x24, 0x52, 0x78, 0x48,
440 /// 0x58, 0x40, 0x5, 0xB5, 0x45, 0x22, 0xB6, 0x40, 0xBD, 0x14, 0x47, 0xB1, 0xF0, 0xDC, 0x13,
441 /// 0xB3, 0xE9, 0xD0, 0x6,
442 /// ];
443 /// assert!(parsed_key.verify_sig(b"hello world!", &signature).is_ok());
444 /// assert!(parsed_key.verify_sig(b"hello world.", &signature).is_err());
445 /// # Ok(())
446 /// # }
447 /// ```
448 pub fn new<B: AsRef<[u8]>>(
449 algorithm: &'static dyn VerificationAlgorithm,
450 bytes: B,
451 ) -> Result<Self, KeyRejected> {
452 parse_public_key(bytes.as_ref(), algorithm)
453 }
454
455 /// Returns the algorithm used by this public key.
456 #[must_use]
457 pub fn algorithm(&self) -> &'static dyn VerificationAlgorithm {
458 self.algorithm
459 }
460
461 pub(crate) fn key(&self) -> &LcPtr<EVP_PKEY> {
462 &self.key
463 }
464
465 /// Uses the public key to verify that `signature` is a valid signature of
466 /// `message`.
467 ///
468 /// This method is more efficient than [`UnparsedPublicKey::verify`] when
469 /// performing multiple signature verifications with the same public key,
470 /// as the key parsing overhead is avoided.
471 ///
472 /// See the [`crate::signature`] module-level documentation for examples.
473 ///
474 // # FIPS
475 // The following conditions must be met:
476 // * RSA Key Sizes: 1024, 2048, 3072, 4096
477 // * NIST Elliptic Curves: P256, P384, P521
478 // * Digest Algorithms: SHA1, SHA256, SHA384, SHA512
479 //
480 /// # Errors
481 /// `error::Unspecified` if the signature is invalid or verification fails.
482 #[inline]
483 pub fn verify_sig(&self, message: &[u8], signature: &[u8]) -> Result<(), error::Unspecified> {
484 self.parsed_algorithm
485 .parsed_verify_sig(self, message, signature)
486 }
487
488 /// Uses the public key to verify that `signature` is a valid signature of
489 /// `digest`.
490 ///
491 /// This method is more efficient than [`UnparsedPublicKey::verify_digest`] when
492 /// performing multiple signature verifications with the same public key,
493 /// as the key parsing overhead is avoided.
494 ///
495 /// See the [`crate::signature`] module-level documentation for examples.
496 ///
497 // # FIPS
498 // Not allowed
499 //
500 /// # Errors
501 /// `error::Unspecified` if the signature is invalid or verification fails.
502 #[inline]
503 pub fn verify_digest_sig(
504 &self,
505 digest: &Digest,
506 signature: &[u8],
507 ) -> Result<(), error::Unspecified> {
508 self.parsed_algorithm
509 .parsed_verify_digest_sig(self, digest, signature)
510 }
511}
512
513impl AsDer<PublicKeyX509Der<'static>> for ParsedPublicKey {
514 fn as_der(&self) -> Result<PublicKeyX509Der<'static>, Unspecified> {
515 Ok(PublicKeyX509Der::new(
516 self.key.as_const().marshal_rfc5280_public_key()?,
517 ))
518 }
519}
520
521/// Provides the original bytes from which this key was parsed
522impl AsRef<[u8]> for ParsedPublicKey {
523 fn as_ref(&self) -> &[u8] {
524 &self.bytes
525 }
526}
527
528impl Debug for ParsedPublicKey {
529 fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result {
530 f.write_str(&format!(
531 "ParsedPublicKey {{ algorithm: {:?}, bytes: \"{}\" }}",
532 self.algorithm,
533 hex::encode(self.bytes.as_ref())
534 ))
535 }
536}
537
538impl<B: AsRef<[u8]>> AsRef<[u8]> for UnparsedPublicKey<B> {
539 #[inline]
540 fn as_ref(&self) -> &[u8] {
541 self.bytes.as_ref()
542 }
543}
544
545impl<B: Copy + AsRef<[u8]>> Copy for UnparsedPublicKey<B> {}
546
547impl<B: AsRef<[u8]>> Debug for UnparsedPublicKey<B> {
548 fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result {
549 f.write_str(&format!(
550 "UnparsedPublicKey {{ algorithm: {:?}, bytes: \"{}\" }}",
551 self.algorithm,
552 hex::encode(self.bytes.as_ref())
553 ))
554 }
555}
556
557impl<B: AsRef<[u8]>> UnparsedPublicKey<B> {
558 /// Construct a new `UnparsedPublicKey`.
559 ///
560 /// No validation of `bytes` is done until `verify()` is called.
561 #[inline]
562 pub fn new(algorithm: &'static dyn VerificationAlgorithm, bytes: B) -> Self {
563 Self { algorithm, bytes }
564 }
565
566 /// Parses the public key and verifies `signature` is a valid signature of
567 /// `message` using it.
568 ///
569 /// See the [`crate::signature`] module-level documentation for examples.
570 ///
571 // # FIPS
572 // The following conditions must be met:
573 // * RSA Key Sizes: 1024, 2048, 3072, 4096
574 // * NIST Elliptic Curves: P256, P384, P521
575 // * Digest Algorithms: SHA1, SHA256, SHA384, SHA512
576 //
577 /// # Errors
578 /// `error::Unspecified` if inputs not verified.
579 #[inline]
580 pub fn verify(&self, message: &[u8], signature: &[u8]) -> Result<(), error::Unspecified> {
581 self.algorithm
582 .verify_sig(self.bytes.as_ref(), message, signature)
583 }
584
585 /// Parses the public key and verifies `signature` is a valid signature of
586 /// `digest` using it.
587 ///
588 /// See the [`crate::signature`] module-level documentation for examples.
589 ///
590 // # FIPS
591 // Not allowed
592 //
593 /// # Errors
594 /// `error::Unspecified` if inputs not verified.
595 #[inline]
596 pub fn verify_digest(
597 &self,
598 digest: &Digest,
599 signature: &[u8],
600 ) -> Result<(), error::Unspecified> {
601 self.algorithm
602 .verify_digest_sig(self.bytes.as_ref(), digest, signature)
603 }
604
605 /// Parses the public key bytes and returns a `ParsedPublicKey`.
606 ///
607 /// This method validates the public key format and creates a `ParsedPublicKey`
608 /// that can be used for more efficient signature verification operations.
609 /// The parsing overhead is incurred once, making subsequent verifications
610 /// faster compared to using `UnparsedPublicKey::verify` directly.
611 ///
612 /// This is equivalent to calling [`ParsedPublicKey::new`] with the same
613 /// algorithm and bytes.
614 ///
615 /// # Errors
616 /// `KeyRejected` if the public key bytes are malformed or incompatible
617 /// with the specified algorithm.
618 pub fn parse(&self) -> Result<ParsedPublicKey, KeyRejected> {
619 parse_public_key(self.bytes.as_ref(), self.algorithm)
620 }
621}
622
623pub(crate) fn parse_public_key(
624 bytes: &[u8],
625 algorithm: &'static dyn VerificationAlgorithm,
626) -> Result<ParsedPublicKey, KeyRejected> {
627 let parsed_algorithm: &'static dyn ParsedVerificationAlgorithm;
628
629 let key = if algorithm.type_id() == TypeId::of::<EcdsaVerificationAlgorithm>() {
630 #[allow(clippy::cast_ptr_alignment)]
631 let ec_alg = unsafe {
632 &*(algorithm as *const dyn VerificationAlgorithm).cast::<EcdsaVerificationAlgorithm>()
633 };
634 parsed_algorithm = ec_alg;
635 parse_ec_public_key(bytes, ec_alg.id.nid())?
636 } else if algorithm.type_id() == TypeId::of::<EdDSAParameters>() {
637 #[allow(clippy::cast_ptr_alignment)]
638 let ed_alg =
639 unsafe { &*(algorithm as *const dyn VerificationAlgorithm).cast::<EdDSAParameters>() };
640 parsed_algorithm = ed_alg;
641 parse_ed25519_public_key(bytes)?
642 } else if algorithm.type_id() == TypeId::of::<RsaParameters>() {
643 #[allow(clippy::cast_ptr_alignment)]
644 let rsa_alg =
645 unsafe { &*(algorithm as *const dyn VerificationAlgorithm).cast::<RsaParameters>() };
646 parsed_algorithm = rsa_alg;
647 parse_rsa_public_key(bytes)?
648 } else {
649 #[cfg(all(feature = "unstable", not(feature = "fips")))]
650 if algorithm.type_id() == TypeId::of::<PqdsaVerificationAlgorithm>() {
651 #[allow(clippy::cast_ptr_alignment)]
652 let pqdsa_alg = unsafe {
653 &*(algorithm as *const dyn VerificationAlgorithm)
654 .cast::<PqdsaVerificationAlgorithm>()
655 };
656 parsed_algorithm = pqdsa_alg;
657 parse_pqdsa_public_key(bytes, pqdsa_alg.id)?
658 } else {
659 unreachable!()
660 }
661 #[cfg(any(not(feature = "unstable"), feature = "fips"))]
662 unreachable!()
663 };
664
665 let bytes = bytes.to_vec().into_boxed_slice();
666 Ok(ParsedPublicKey {
667 algorithm,
668 parsed_algorithm,
669 key,
670 bytes,
671 })
672}
673
674/// Verification of signatures using RSA keys of 1024-8192 bits, PKCS#1.5 padding, and SHA-1.
675pub static RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY: RsaParameters = RsaParameters::new(
676 &digest::SHA1_FOR_LEGACY_USE_ONLY,
677 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
678 1024..=8192,
679 &RsaVerificationAlgorithmId::RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY,
680);
681
682/// Verification of signatures using RSA keys of 1024-8192 bits, PKCS#1.5 padding, and SHA-256.
683pub static RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY: RsaParameters = RsaParameters::new(
684 &digest::SHA256,
685 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
686 1024..=8192,
687 &RsaVerificationAlgorithmId::RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY,
688);
689
690/// Verification of signatures using RSA keys of 1024-8192 bits, PKCS#1.5 padding, and SHA-512.
691pub static RSA_PKCS1_1024_8192_SHA512_FOR_LEGACY_USE_ONLY: RsaParameters = RsaParameters::new(
692 &digest::SHA512,
693 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
694 1024..=8192,
695 &RsaVerificationAlgorithmId::RSA_PKCS1_1024_8192_SHA512_FOR_LEGACY_USE_ONLY,
696);
697
698/// Verification of signatures using RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-1.
699pub static RSA_PKCS1_2048_8192_SHA1_FOR_LEGACY_USE_ONLY: RsaParameters = RsaParameters::new(
700 &digest::SHA1_FOR_LEGACY_USE_ONLY,
701 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
702 2048..=8192,
703 &RsaVerificationAlgorithmId::RSA_PKCS1_2048_8192_SHA1_FOR_LEGACY_USE_ONLY,
704);
705
706/// Verification of signatures using RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-256.
707pub static RSA_PKCS1_2048_8192_SHA256: RsaParameters = RsaParameters::new(
708 &digest::SHA256,
709 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
710 2048..=8192,
711 &RsaVerificationAlgorithmId::RSA_PKCS1_2048_8192_SHA256,
712);
713
714/// Verification of signatures using RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-384.
715pub static RSA_PKCS1_2048_8192_SHA384: RsaParameters = RsaParameters::new(
716 &digest::SHA384,
717 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
718 2048..=8192,
719 &RsaVerificationAlgorithmId::RSA_PKCS1_2048_8192_SHA384,
720);
721
722/// Verification of signatures using RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-512.
723pub static RSA_PKCS1_2048_8192_SHA512: RsaParameters = RsaParameters::new(
724 &digest::SHA512,
725 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
726 2048..=8192,
727 &RsaVerificationAlgorithmId::RSA_PKCS1_2048_8192_SHA512,
728);
729
730/// Verification of signatures using RSA keys of 3072-8192 bits, PKCS#1.5 padding, and SHA-384.
731pub static RSA_PKCS1_3072_8192_SHA384: RsaParameters = RsaParameters::new(
732 &digest::SHA384,
733 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
734 3072..=8192,
735 &RsaVerificationAlgorithmId::RSA_PKCS1_3072_8192_SHA384,
736);
737
738/// Verification of signatures using RSA keys of 2048-8192 bits, PSS padding, and SHA-256.
739pub static RSA_PSS_2048_8192_SHA256: RsaParameters = RsaParameters::new(
740 &digest::SHA256,
741 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
742 2048..=8192,
743 &RsaVerificationAlgorithmId::RSA_PSS_2048_8192_SHA256,
744);
745
746/// Verification of signatures using RSA keys of 2048-8192 bits, PSS padding, and SHA-384.
747pub static RSA_PSS_2048_8192_SHA384: RsaParameters = RsaParameters::new(
748 &digest::SHA384,
749 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
750 2048..=8192,
751 &RsaVerificationAlgorithmId::RSA_PSS_2048_8192_SHA384,
752);
753
754/// Verification of signatures using RSA keys of 2048-8192 bits, PSS padding, and SHA-512.
755pub static RSA_PSS_2048_8192_SHA512: RsaParameters = RsaParameters::new(
756 &digest::SHA512,
757 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
758 2048..=8192,
759 &RsaVerificationAlgorithmId::RSA_PSS_2048_8192_SHA512,
760);
761
762/// RSA PSS padding using SHA-256 for RSA signatures.
763pub static RSA_PSS_SHA256: RsaSignatureEncoding = RsaSignatureEncoding::new(
764 &digest::SHA256,
765 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
766 &RsaSigningAlgorithmId::RSA_PSS_SHA256,
767);
768
769/// RSA PSS padding using SHA-384 for RSA signatures.
770pub static RSA_PSS_SHA384: RsaSignatureEncoding = RsaSignatureEncoding::new(
771 &digest::SHA384,
772 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
773 &RsaSigningAlgorithmId::RSA_PSS_SHA384,
774);
775
776/// RSA PSS padding using SHA-512 for RSA signatures.
777pub static RSA_PSS_SHA512: RsaSignatureEncoding = RsaSignatureEncoding::new(
778 &digest::SHA512,
779 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
780 &RsaSigningAlgorithmId::RSA_PSS_SHA512,
781);
782
783/// PKCS#1 1.5 padding using SHA-256 for RSA signatures.
784pub static RSA_PKCS1_SHA256: RsaSignatureEncoding = RsaSignatureEncoding::new(
785 &digest::SHA256,
786 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
787 &RsaSigningAlgorithmId::RSA_PKCS1_SHA256,
788);
789
790/// PKCS#1 1.5 padding using SHA-384 for RSA signatures.
791pub static RSA_PKCS1_SHA384: RsaSignatureEncoding = RsaSignatureEncoding::new(
792 &digest::SHA384,
793 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
794 &RsaSigningAlgorithmId::RSA_PKCS1_SHA384,
795);
796
797/// PKCS#1 1.5 padding using SHA-512 for RSA signatures.
798pub static RSA_PKCS1_SHA512: RsaSignatureEncoding = RsaSignatureEncoding::new(
799 &digest::SHA512,
800 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
801 &RsaSigningAlgorithmId::RSA_PKCS1_SHA512,
802);
803
804/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-256 curve and SHA-256.
805pub static ECDSA_P256_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
806 id: &ec::signature::AlgorithmID::ECDSA_P256,
807 digest: &digest::SHA256,
808 sig_format: EcdsaSignatureFormat::Fixed,
809};
810
811/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA-384.
812pub static ECDSA_P384_SHA384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
813 id: &ec::signature::AlgorithmID::ECDSA_P384,
814 digest: &digest::SHA384,
815 sig_format: EcdsaSignatureFormat::Fixed,
816};
817
818/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA3-384.
819pub static ECDSA_P384_SHA3_384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
820 id: &ec::signature::AlgorithmID::ECDSA_P384,
821 digest: &digest::SHA3_384,
822 sig_format: EcdsaSignatureFormat::Fixed,
823};
824
825/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-1.
826pub static ECDSA_P521_SHA1_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
827 id: &ec::signature::AlgorithmID::ECDSA_P521,
828 digest: &digest::SHA1_FOR_LEGACY_USE_ONLY,
829 sig_format: EcdsaSignatureFormat::Fixed,
830};
831
832/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-224.
833pub static ECDSA_P521_SHA224_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
834 id: &ec::signature::AlgorithmID::ECDSA_P521,
835 digest: &digest::SHA224,
836 sig_format: EcdsaSignatureFormat::Fixed,
837};
838
839/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-256.
840pub static ECDSA_P521_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
841 id: &ec::signature::AlgorithmID::ECDSA_P521,
842 digest: &digest::SHA256,
843 sig_format: EcdsaSignatureFormat::Fixed,
844};
845
846/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-384.
847pub static ECDSA_P521_SHA384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
848 id: &ec::signature::AlgorithmID::ECDSA_P521,
849 digest: &digest::SHA384,
850 sig_format: EcdsaSignatureFormat::Fixed,
851};
852
853/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-512.
854pub static ECDSA_P521_SHA512_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
855 id: &ec::signature::AlgorithmID::ECDSA_P521,
856 digest: &digest::SHA512,
857 sig_format: EcdsaSignatureFormat::Fixed,
858};
859
860/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA3-512.
861pub static ECDSA_P521_SHA3_512_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
862 id: &ec::signature::AlgorithmID::ECDSA_P521,
863 digest: &digest::SHA3_512,
864 sig_format: EcdsaSignatureFormat::Fixed,
865};
866
867/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA-256.
868pub static ECDSA_P256K1_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
869 id: &ec::signature::AlgorithmID::ECDSA_P256K1,
870 digest: &digest::SHA256,
871 sig_format: EcdsaSignatureFormat::Fixed,
872};
873
874/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA3-256.
875pub static ECDSA_P256K1_SHA3_256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
876 id: &ec::signature::AlgorithmID::ECDSA_P256K1,
877 digest: &digest::SHA3_256,
878 sig_format: EcdsaSignatureFormat::Fixed,
879};
880
881/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-256.
882pub static ECDSA_P256_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
883 id: &ec::signature::AlgorithmID::ECDSA_P256,
884 digest: &digest::SHA256,
885 sig_format: EcdsaSignatureFormat::ASN1,
886};
887
888/// *Not recommended.* Verification of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-384.
889pub static ECDSA_P256_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
890 id: &ec::signature::AlgorithmID::ECDSA_P256,
891 digest: &digest::SHA384,
892 sig_format: EcdsaSignatureFormat::ASN1,
893};
894
895/// *Not recommended.* Verification of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-512.
896pub static ECDSA_P256_SHA512_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
897 id: &ec::signature::AlgorithmID::ECDSA_P256,
898 digest: &digest::SHA512,
899 sig_format: EcdsaSignatureFormat::ASN1,
900};
901
902/// *Not recommended.* Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-256.
903pub static ECDSA_P384_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
904 id: &ec::signature::AlgorithmID::ECDSA_P384,
905 digest: &digest::SHA256,
906 sig_format: EcdsaSignatureFormat::ASN1,
907};
908
909/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-384.
910pub static ECDSA_P384_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
911 id: &ec::signature::AlgorithmID::ECDSA_P384,
912 digest: &digest::SHA384,
913 sig_format: EcdsaSignatureFormat::ASN1,
914};
915
916/// *Not recommended.* Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-512.
917pub static ECDSA_P384_SHA512_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
918 id: &ec::signature::AlgorithmID::ECDSA_P384,
919 digest: &digest::SHA512,
920 sig_format: EcdsaSignatureFormat::ASN1,
921};
922
923/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA3-384.
924pub static ECDSA_P384_SHA3_384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
925 id: &ec::signature::AlgorithmID::ECDSA_P384,
926 digest: &digest::SHA3_384,
927 sig_format: EcdsaSignatureFormat::ASN1,
928};
929
930/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-1.
931pub static ECDSA_P521_SHA1_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
932 id: &ec::signature::AlgorithmID::ECDSA_P521,
933 digest: &digest::SHA1_FOR_LEGACY_USE_ONLY,
934 sig_format: EcdsaSignatureFormat::ASN1,
935};
936
937/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-224.
938pub static ECDSA_P521_SHA224_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
939 id: &ec::signature::AlgorithmID::ECDSA_P521,
940 digest: &digest::SHA224,
941 sig_format: EcdsaSignatureFormat::ASN1,
942};
943
944/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-256.
945pub static ECDSA_P521_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
946 id: &ec::signature::AlgorithmID::ECDSA_P521,
947 digest: &digest::SHA256,
948 sig_format: EcdsaSignatureFormat::ASN1,
949};
950
951/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-384.
952pub static ECDSA_P521_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
953 id: &ec::signature::AlgorithmID::ECDSA_P521,
954 digest: &digest::SHA384,
955 sig_format: EcdsaSignatureFormat::ASN1,
956};
957
958/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-512.
959pub static ECDSA_P521_SHA512_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
960 id: &ec::signature::AlgorithmID::ECDSA_P521,
961 digest: &digest::SHA512,
962 sig_format: EcdsaSignatureFormat::ASN1,
963};
964
965/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA3-512.
966pub static ECDSA_P521_SHA3_512_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
967 id: &ec::signature::AlgorithmID::ECDSA_P521,
968 digest: &digest::SHA3_512,
969 sig_format: EcdsaSignatureFormat::ASN1,
970};
971
972/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA-256.
973pub static ECDSA_P256K1_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
974 id: &ec::signature::AlgorithmID::ECDSA_P256K1,
975 digest: &digest::SHA256,
976 sig_format: EcdsaSignatureFormat::ASN1,
977};
978
979/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA3-256.
980pub static ECDSA_P256K1_SHA3_256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
981 id: &ec::signature::AlgorithmID::ECDSA_P256K1,
982 digest: &digest::SHA3_256,
983 sig_format: EcdsaSignatureFormat::ASN1,
984};
985
986/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-256 curve and SHA-256.
987pub static ECDSA_P256_SHA256_FIXED_SIGNING: EcdsaSigningAlgorithm =
988 EcdsaSigningAlgorithm(&ECDSA_P256_SHA256_FIXED);
989
990/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA-384.
991pub static ECDSA_P384_SHA384_FIXED_SIGNING: EcdsaSigningAlgorithm =
992 EcdsaSigningAlgorithm(&ECDSA_P384_SHA384_FIXED);
993
994/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA3-384.
995pub static ECDSA_P384_SHA3_384_FIXED_SIGNING: EcdsaSigningAlgorithm =
996 EcdsaSigningAlgorithm(&ECDSA_P384_SHA3_384_FIXED);
997
998/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-224.
999/// # ⚠️ Warning
1000/// The security design strength of SHA-224 digests is less then security strength of P-521.
1001/// This scheme should only be used for backwards compatibility purposes.
1002pub static ECDSA_P521_SHA224_FIXED_SIGNING: EcdsaSigningAlgorithm =
1003 EcdsaSigningAlgorithm(&ECDSA_P521_SHA224_FIXED);
1004
1005/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-256.
1006/// # ⚠️ Warning
1007/// The security design strength of SHA-256 digests is less then security strength of P-521.
1008/// This scheme should only be used for backwards compatibility purposes.
1009pub static ECDSA_P521_SHA256_FIXED_SIGNING: EcdsaSigningAlgorithm =
1010 EcdsaSigningAlgorithm(&ECDSA_P521_SHA256_FIXED);
1011
1012/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-384.
1013/// # ⚠️ Warning
1014/// The security design strength of SHA-384 digests is less then security strength of P-521.
1015/// This scheme should only be used for backwards compatibility purposes.
1016pub static ECDSA_P521_SHA384_FIXED_SIGNING: EcdsaSigningAlgorithm =
1017 EcdsaSigningAlgorithm(&ECDSA_P521_SHA384_FIXED);
1018
1019/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-512.
1020pub static ECDSA_P521_SHA512_FIXED_SIGNING: EcdsaSigningAlgorithm =
1021 EcdsaSigningAlgorithm(&ECDSA_P521_SHA512_FIXED);
1022
1023/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA3-512.
1024pub static ECDSA_P521_SHA3_512_FIXED_SIGNING: EcdsaSigningAlgorithm =
1025 EcdsaSigningAlgorithm(&ECDSA_P521_SHA3_512_FIXED);
1026
1027/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA-256.
1028pub static ECDSA_P256K1_SHA256_FIXED_SIGNING: EcdsaSigningAlgorithm =
1029 EcdsaSigningAlgorithm(&ECDSA_P256K1_SHA256_FIXED);
1030
1031/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA3-256.
1032pub static ECDSA_P256K1_SHA3_256_FIXED_SIGNING: EcdsaSigningAlgorithm =
1033 EcdsaSigningAlgorithm(&ECDSA_P256K1_SHA3_256_FIXED);
1034
1035/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-256.
1036pub static ECDSA_P256_SHA256_ASN1_SIGNING: EcdsaSigningAlgorithm =
1037 EcdsaSigningAlgorithm(&ECDSA_P256_SHA256_ASN1);
1038
1039/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-384.
1040pub static ECDSA_P384_SHA384_ASN1_SIGNING: EcdsaSigningAlgorithm =
1041 EcdsaSigningAlgorithm(&ECDSA_P384_SHA384_ASN1);
1042
1043/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA3-384.
1044pub static ECDSA_P384_SHA3_384_ASN1_SIGNING: EcdsaSigningAlgorithm =
1045 EcdsaSigningAlgorithm(&ECDSA_P384_SHA3_384_ASN1);
1046
1047/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-224.
1048/// # ⚠️ Warning
1049/// The security design strength of SHA-224 digests is less then security strength of P-521.
1050/// This scheme should only be used for backwards compatibility purposes.
1051pub static ECDSA_P521_SHA224_ASN1_SIGNING: EcdsaSigningAlgorithm =
1052 EcdsaSigningAlgorithm(&ECDSA_P521_SHA224_ASN1);
1053
1054/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-256.
1055/// # ⚠️ Warning
1056/// The security design strength of SHA-256 digests is less then security strength of P-521.
1057/// This scheme should only be used for backwards compatibility purposes.
1058pub static ECDSA_P521_SHA256_ASN1_SIGNING: EcdsaSigningAlgorithm =
1059 EcdsaSigningAlgorithm(&ECDSA_P521_SHA256_ASN1);
1060
1061/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-384.
1062/// # ⚠️ Warning
1063/// The security design strength of SHA-384 digests is less then security strength of P-521.
1064/// This scheme should only be used for backwards compatibility purposes.
1065pub static ECDSA_P521_SHA384_ASN1_SIGNING: EcdsaSigningAlgorithm =
1066 EcdsaSigningAlgorithm(&ECDSA_P521_SHA384_ASN1);
1067
1068/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-512.
1069pub static ECDSA_P521_SHA512_ASN1_SIGNING: EcdsaSigningAlgorithm =
1070 EcdsaSigningAlgorithm(&ECDSA_P521_SHA512_ASN1);
1071
1072/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA3-512.
1073pub static ECDSA_P521_SHA3_512_ASN1_SIGNING: EcdsaSigningAlgorithm =
1074 EcdsaSigningAlgorithm(&ECDSA_P521_SHA3_512_ASN1);
1075
1076/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA-256.
1077pub static ECDSA_P256K1_SHA256_ASN1_SIGNING: EcdsaSigningAlgorithm =
1078 EcdsaSigningAlgorithm(&ECDSA_P256K1_SHA256_ASN1);
1079
1080/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA3-256.
1081pub static ECDSA_P256K1_SHA3_256_ASN1_SIGNING: EcdsaSigningAlgorithm =
1082 EcdsaSigningAlgorithm(&ECDSA_P256K1_SHA3_256_ASN1);
1083
1084/// Verification of Ed25519 signatures.
1085pub static ED25519: EdDSAParameters = EdDSAParameters {};
1086
1087#[cfg(test)]
1088mod tests {
1089 use crate::rand::{generate, SystemRandom};
1090 use crate::signature::{ParsedPublicKey, UnparsedPublicKey, ED25519};
1091 use crate::test;
1092 use regex::Regex;
1093
1094 #[cfg(feature = "fips")]
1095 mod fips;
1096
1097 #[test]
1098 fn test_unparsed_public_key() {
1099 let random_pubkey: [u8; 32] = generate(&SystemRandom::new()).unwrap().expose();
1100 let unparsed_pubkey = UnparsedPublicKey::new(&ED25519, random_pubkey);
1101 let unparsed_pubkey_debug = format!("{:?}", &unparsed_pubkey);
1102
1103 #[allow(clippy::clone_on_copy)]
1104 let unparsed_pubkey_clone = unparsed_pubkey.clone();
1105 assert_eq!(unparsed_pubkey_debug, format!("{unparsed_pubkey_clone:?}"));
1106 let pubkey_re = Regex::new(
1107 "UnparsedPublicKey \\{ algorithm: EdDSAParameters, bytes: \"[0-9a-f]{64}\" \\}",
1108 )
1109 .unwrap();
1110
1111 assert!(pubkey_re.is_match(&unparsed_pubkey_debug));
1112 }
1113 #[test]
1114 fn test_types() {
1115 test::compile_time_assert_send::<UnparsedPublicKey<&[u8]>>();
1116 test::compile_time_assert_sync::<UnparsedPublicKey<&[u8]>>();
1117 test::compile_time_assert_send::<UnparsedPublicKey<Vec<u8>>>();
1118 test::compile_time_assert_sync::<UnparsedPublicKey<Vec<u8>>>();
1119 test::compile_time_assert_clone::<UnparsedPublicKey<&[u8]>>();
1120 test::compile_time_assert_clone::<UnparsedPublicKey<Vec<u8>>>();
1121 test::compile_time_assert_send::<ParsedPublicKey>();
1122 test::compile_time_assert_sync::<ParsedPublicKey>();
1123 test::compile_time_assert_clone::<ParsedPublicKey>();
1124 }
1125}