cms: add callbacks to the SignerInfo builder

baloo · baloo · commit 3382819c4639 · 2025-08-08T05:33:33.000Z
This is used to add countersignatures/timestamps to a SignerInfo.

Countersignatures are attached as unsigned attributes after the signature is emitted (input to the countersignature is the signature itself).
diff --git a/cms/src/builder.rs b/cms/src/builder.rs
@@ -25,6 +25,7 @@ use cipher::{
 use const_oid::ObjectIdentifier;
 use core::cmp::Ordering;
 use core::fmt;
+use core::future::ready;
 use core::marker::PhantomData;
 use der::asn1::{BitString, Null, OctetString, OctetStringRef, SetOfVec};
 use der::oid::db::DB;
@@ -410,9 +411,30 @@ impl<'s> SignedDataBuilder<'s> {
         S::VerifyingKey: EncodePublicKey,
         Signature: SignatureBitStringEncoding,
     {
-        let signer_info = signer_info_builder
+        self.add_signer_info_cb::<S, Signature, _>(signer_info_builder, signer, |_| Ok(()))
+    }
+
+    /// Add a signer info. The signature will be calculated. Note that the encapsulated content
+    /// must not be changed after the first signer info was added.
+    pub fn add_signer_info_cb<S, Signature, CB>(
+        &mut self,
+        signer_info_builder: SignerInfoBuilder<'_>,
+        signer: &S,
+        callback: CB,
+    ) -> Result<&mut Self>
+    where
+        S: Keypair + DynSignatureAlgorithmIdentifier,
+        S: Signer<Signature>,
+        S::VerifyingKey: EncodePublicKey,
+        Signature: SignatureBitStringEncoding,
+        CB: FnOnce(&mut SignerInfo) -> Result<()>,
+    {
+        let mut signer_info = signer_info_builder
             .build::<S, Signature>(signer)
             .map_err(|_| der::Error::from(ErrorKind::Failed))?;
+
+        callback(&mut signer_info)?;
+
         self.signer_infos.push(signer_info);
 
         Ok(self)
@@ -433,9 +455,37 @@ impl<'s> SignedDataBuilder<'s> {
         Signature: SignatureBitStringEncoding,
         R: CryptoRng + ?Sized,
     {
-        let signer_info = signer_info_builder
+        self.add_signer_info_with_rng_cb::<S, Signature, _, R>(
+            signer_info_builder,
+            signer,
+            |_| Ok(()),
+            rng,
+        )
+    }
+
+    /// Add a signer info. The signature will be calculated. Note that the encapsulated content
+    /// must not be changed after the first signer info was added.
+    pub fn add_signer_info_with_rng_cb<S, Signature, CB, R>(
+        &mut self,
+        signer_info_builder: SignerInfoBuilder<'_>,
+        signer: &S,
+        callback: CB,
+        rng: &mut R,
+    ) -> Result<&mut Self>
+    where
+        S: Keypair + DynSignatureAlgorithmIdentifier,
+        S: RandomizedSigner<Signature>,
+        S::VerifyingKey: EncodePublicKey,
+        Signature: SignatureBitStringEncoding,
+        CB: FnOnce(&mut SignerInfo) -> Result<()>,
+        R: CryptoRng + ?Sized,
+    {
+        let mut signer_info = signer_info_builder
             .build_with_rng::<S, Signature, R>(signer, rng)
             .map_err(|_| der::Error::from(ErrorKind::Failed))?;
+
+        callback(&mut signer_info)?;
+
         self.signer_infos.push(signer_info);
 
         Ok(self)
@@ -454,10 +504,33 @@ impl<'s> SignedDataBuilder<'s> {
         S::VerifyingKey: EncodePublicKey,
         Signature: SignatureBitStringEncoding,
     {
-        let signer_info = signer_info_builder
+        self.add_signer_info_cb_async(signer_info_builder, signer, |_| ready(Ok(())))
+            .await
+    }
+
+    /// Add a signer info. The signature will be calculated. Note that the encapsulated content
+    /// must not be changed after the first signer info was added.
+    pub async fn add_signer_info_cb_async<S, Signature, F, CB>(
+        &mut self,
+        signer_info_builder: SignerInfoBuilder<'_>,
+        signer: &S,
+        callback: CB,
+    ) -> Result<&mut Self>
+    where
+        S: Keypair + DynSignatureAlgorithmIdentifier,
+        S: AsyncSigner<Signature>,
+        S::VerifyingKey: EncodePublicKey,
+        Signature: SignatureBitStringEncoding,
+        F: Future<Output = Result<()>>,
+        CB: FnOnce(&mut SignerInfo) -> F,
+    {
+        let mut signer_info = signer_info_builder
             .build_async::<S, Signature>(signer)
             .await
             .map_err(|_| der::Error::from(ErrorKind::Failed))?;
+
+        callback(&mut signer_info).await?;
+
         self.signer_infos.push(signer_info);
 
         Ok(self)
@@ -478,10 +551,35 @@ impl<'s> SignedDataBuilder<'s> {
         Signature: SignatureBitStringEncoding,
         R: CryptoRng + ?Sized,
     {
-        let signer_info = signer_info_builder
+        self.add_signer_info_with_rng_cb_async(signer_info_builder, signer, rng, |_| ready(Ok(())))
+            .await
+    }
+
+    /// Add a signer info. The signature will be calculated. Note that the encapsulated content
+    /// must not be changed after the first signer info was added.
+    pub async fn add_signer_info_with_rng_cb_async<S, Signature, R, F, CB>(
+        &mut self,
+        signer_info_builder: SignerInfoBuilder<'_>,
+        signer: &S,
+        rng: &mut R,
+        callback: CB,
+    ) -> Result<&mut Self>
+    where
+        S: Keypair + DynSignatureAlgorithmIdentifier,
+        S: AsyncRandomizedSigner<Signature>,
+        S::VerifyingKey: EncodePublicKey,
+        Signature: SignatureBitStringEncoding,
+        R: CryptoRng + ?Sized,
+        F: Future<Output = Result<()>>,
+        CB: FnOnce(&mut SignerInfo) -> F,
+    {
+        let mut signer_info = signer_info_builder
             .build_with_rng_async::<S, Signature, R>(signer, rng)
             .await
             .map_err(|_| der::Error::from(ErrorKind::Failed))?;
+
+        callback(&mut signer_info).await?;
+
         self.signer_infos.push(signer_info);
 
         Ok(self)
