Add signature::ParsedPublicKey

Author: justsmth

aws-lc-rs/src/ec/signature.rs

@@ -6,6 +6,7 @@ use crate::aws_lc::{
     NID_secp384r1, NID_secp521r1, BIGNUM, ECDSA_SIG, EVP_PKEY,
 };
 
+use crate::digest::Digest;
 use crate::ec::compressed_public_key_size_bytes;
 use crate::ec::encoding::parse_ec_public_key;
 use crate::ec::encoding::sec1::marshal_sec1_public_point;
@@ -15,7 +16,7 @@ use crate::encoding::{
 use crate::error::Unspecified;
 use crate::evp_pkey::No_EVP_PKEY_CTX_consumer;
 use crate::ptr::{DetachableLcPtr, LcPtr};
-use crate::signature::VerificationAlgorithm;
+use crate::signature::{ParsedPublicKey, ParsedVerificationAlgorithm, VerificationAlgorithm};
 use crate::{digest, sealed};
 use core::fmt;
 use core::fmt::{Debug, Formatter};
@@ -192,43 +193,86 @@ impl VerificationAlgorithm for EcdsaVerificationAlgorithm {
         public_key: &[u8],
         msg: &[u8],
         signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        let public_key = parse_ec_public_key(public_key, self.id.nid())?;
+        self.verify_ecdsa(msg, signature, &public_key)
+    }
+
+    fn verify_digest_sig(
+        &self,
+        public_key: &[u8],
+        digest: &digest::Digest,
+        signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        let public_key = parse_ec_public_key(public_key, self.id.nid())?;
+
+        self.verify_digest_ecdsa(digest, signature, &public_key)
+    }
+}
+
+impl EcdsaVerificationAlgorithm {
+    fn verify_ecdsa(
+        &self,
+        msg: &[u8],
+        signature: &[u8],
+        public_key: &LcPtr<EVP_PKEY>,
     ) -> Result<(), Unspecified> {
         match self.sig_format {
             EcdsaSignatureFormat::ASN1 => {
-                verify_asn1_signature(self.id, self.digest, public_key, msg, signature)
+                verify_asn1_signature(self.digest, public_key, msg, signature)
             }
             EcdsaSignatureFormat::Fixed => {
                 let (out_bytes, out_bytes_len) = convert_fixed_signature(self.id, signature)?;
-                verify_asn1_signature(self.id, self.digest, public_key, msg, unsafe {
+                verify_asn1_signature(self.digest, public_key, msg, unsafe {
                     out_bytes.as_slice(out_bytes_len)
                 })
             }
         }
     }
 
-    fn verify_digest_sig(
+    fn verify_digest_ecdsa(
         &self,
-        public_key: &[u8],
-        digest: &digest::Digest,
+        digest: &Digest,
         signature: &[u8],
+        public_key: &LcPtr<EVP_PKEY>,
     ) -> Result<(), Unspecified> {
         if self.digest != digest.algorithm() {
             return Err(Unspecified);
         }
         match self.sig_format {
             EcdsaSignatureFormat::ASN1 => {
-                verify_asn1_digest_signature(self.id, digest, public_key, signature)
+                verify_asn1_digest_signature(digest, public_key, signature)
             }
             EcdsaSignatureFormat::Fixed => {
                 let (out_bytes, out_bytes_len) = convert_fixed_signature(self.id, signature)?;
-                verify_asn1_digest_signature(self.id, digest, public_key, unsafe {
+                verify_asn1_digest_signature(digest, public_key, unsafe {
                     out_bytes.as_slice(out_bytes_len)
                 })
             }
         }
     }
 }
 
+impl ParsedVerificationAlgorithm for EcdsaVerificationAlgorithm {
+    fn parsed_verify_sig(
+        &self,
+        public_key: &ParsedPublicKey,
+        msg: &[u8],
+        signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        self.verify_ecdsa(msg, signature, public_key.key())
+    }
+
+    fn parsed_verify_digest_sig(
+        &self,
+        public_key: &ParsedPublicKey,
+        digest: &Digest,
+        signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        self.verify_digest_ecdsa(digest, signature, public_key.key())
+    }
+}
+
 fn convert_fixed_signature(
     alg: &'static AlgorithmID,
     signature: &[u8],
@@ -247,24 +291,20 @@ fn convert_fixed_signature(
 }
 
 fn verify_asn1_signature(
-    alg: &'static AlgorithmID,
     digest_alg: &'static digest::Algorithm,
-    public_key: &[u8],
+    public_key: &LcPtr<EVP_PKEY>,
     msg: &[u8],
     signature: &[u8],
 ) -> Result<(), Unspecified> {
-    let evp_pkey = parse_ec_public_key(public_key, alg.nid())?;
-    evp_pkey.verify(msg, Some(digest_alg), No_EVP_PKEY_CTX_consumer, signature)
+    public_key.verify(msg, Some(digest_alg), No_EVP_PKEY_CTX_consumer, signature)
 }
 
 fn verify_asn1_digest_signature(
-    alg: &'static AlgorithmID,
-    digest: &digest::Digest,
-    public_key: &[u8],
+    digest: &Digest,
+    public_key: &LcPtr<EVP_PKEY>,
     signature: &[u8],
 ) -> Result<(), Unspecified> {
-    let evp_pkey = parse_ec_public_key(public_key, alg.nid())?;
-    evp_pkey.verify_digest_sig(digest, No_EVP_PKEY_CTX_consumer, signature)
+    public_key.verify_digest_sig(digest, No_EVP_PKEY_CTX_consumer, signature)
 }
 
 #[inline]

aws-lc-rs/src/ed25519.rs

@@ -13,6 +13,7 @@ use untrusted::Input;
 use crate::aws_lc::{EVP_PKEY, EVP_PKEY_ED25519};
 
 use crate::buffer::Buffer;
+use crate::digest::Digest;
 use crate::encoding::{
     AsBigEndian, AsDer, Curve25519SeedBin, Pkcs8V1Der, Pkcs8V2Der, PublicKeyX509Der,
 };
@@ -21,7 +22,9 @@ use crate::evp_pkey::No_EVP_PKEY_CTX_consumer;
 use crate::pkcs8::{Document, Version};
 use crate::ptr::LcPtr;
 use crate::rand::SecureRandom;
-use crate::signature::{KeyPair, Signature, VerificationAlgorithm};
+use crate::signature::{
+    KeyPair, ParsedPublicKey, ParsedVerificationAlgorithm, Signature, VerificationAlgorithm,
+};
 use crate::{constant_time, digest, hex, sealed};
 
 /// The length of an Ed25519 public key.
@@ -35,6 +38,28 @@ pub struct EdDSAParameters;
 
 impl sealed::Sealed for EdDSAParameters {}
 
+impl ParsedVerificationAlgorithm for EdDSAParameters {
+    fn parsed_verify_sig(
+        &self,
+        public_key: &ParsedPublicKey,
+        msg: &[u8],
+        signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        public_key
+            .key()
+            .verify(msg, None, No_EVP_PKEY_CTX_consumer, signature)
+    }
+
+    fn parsed_verify_digest_sig(
+        &self,
+        _public_key: &ParsedPublicKey,
+        _digest: &Digest,
+        _signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        Err(Unspecified)
+    }
+}
+
 impl VerificationAlgorithm for EdDSAParameters {
     #[inline]
     #[cfg(feature = "ring-sig-verify")]
@@ -44,11 +69,9 @@ impl VerificationAlgorithm for EdDSAParameters {
         msg: Input<'_>,
         signature: Input<'_>,
     ) -> Result<(), Unspecified> {
-        let evp_pkey = try_ed25519_public_key_from_bytes(public_key.as_slice_less_safe())?;
-        evp_pkey.verify(
+        self.verify_sig(
+            public_key.as_slice_less_safe(),
             msg.as_slice_less_safe(),
-            None,
-            No_EVP_PKEY_CTX_consumer,
             signature.as_slice_less_safe(),
         )
     }
@@ -63,7 +86,7 @@ impl VerificationAlgorithm for EdDSAParameters {
         msg: &[u8],
         signature: &[u8],
     ) -> Result<(), Unspecified> {
-        let evp_pkey = try_ed25519_public_key_from_bytes(public_key)?;
+        let evp_pkey = parse_ed25519_public_key(public_key)?;
         evp_pkey.verify(msg, None, No_EVP_PKEY_CTX_consumer, signature)
     }
 
@@ -81,13 +104,14 @@ impl VerificationAlgorithm for EdDSAParameters {
     }
 }
 
-fn try_ed25519_public_key_from_bytes(key_bytes: &[u8]) -> Result<LcPtr<EVP_PKEY>, KeyRejected> {
+pub(crate) fn parse_ed25519_public_key(key_bytes: &[u8]) -> Result<LcPtr<EVP_PKEY>, KeyRejected> {
     // If the length of key bytes matches the raw public key size then it has to be that
     if key_bytes.len() == ED25519_PUBLIC_KEY_LEN {
-        return LcPtr::<EVP_PKEY>::parse_raw_public_key(key_bytes, EVP_PKEY_ED25519);
+        LcPtr::<EVP_PKEY>::parse_raw_public_key(key_bytes, EVP_PKEY_ED25519)
+    } else {
+        // Otherwise we support X.509 SubjectPublicKeyInfo formatted keys which are inherently larger
+        LcPtr::<EVP_PKEY>::parse_rfc5280_public_key(key_bytes, EVP_PKEY_ED25519)
     }
-    // Otherwise we support X.509 SubjectPublicKeyInfo formatted keys which are inherently larger
-    LcPtr::<EVP_PKEY>::parse_rfc5280_public_key(key_bytes, EVP_PKEY_ED25519)
 }
 
 /// An Ed25519 key pair, for signing.

aws-lc-rs/src/pqdsa/signature.rs

@@ -3,12 +3,13 @@
 
 use crate::aws_lc::EVP_PKEY;
 use crate::buffer::Buffer;
+use crate::digest::Digest;
 use crate::encoding::{AsDer, PublicKeyX509Der};
 use crate::error::Unspecified;
 use crate::evp_pkey::No_EVP_PKEY_CTX_consumer;
 use crate::pqdsa::{parse_pqdsa_public_key, AlgorithmID};
 use crate::ptr::LcPtr;
-use crate::signature::VerificationAlgorithm;
+use crate::signature::{ParsedPublicKey, ParsedVerificationAlgorithm, VerificationAlgorithm};
 use crate::{digest, sealed};
 use core::fmt;
 use core::fmt::{Debug, Formatter};
@@ -55,6 +56,28 @@ impl PublicKey {
     }
 }
 
+impl ParsedVerificationAlgorithm for PqdsaVerificationAlgorithm {
+    fn parsed_verify_sig(
+        &self,
+        public_key: &ParsedPublicKey,
+        msg: &[u8],
+        signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        let evp_pkey = public_key.key();
+        evp_pkey.verify(msg, None, No_EVP_PKEY_CTX_consumer, signature)
+    }
+
+    fn parsed_verify_digest_sig(
+        &self,
+        public_key: &ParsedPublicKey,
+        digest: &Digest,
+        signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        let evp_pkey = public_key.key();
+        evp_pkey.verify_digest_sig(digest, No_EVP_PKEY_CTX_consumer, signature)
+    }
+}
+
 impl VerificationAlgorithm for PqdsaVerificationAlgorithm {
     /// Verifies the the signature of `msg` using the public key `public_key`.
     ///

aws-lc-rs/src/rsa/key.rs

@@ -367,6 +367,10 @@ impl PublicKey {
     }
 }
 
+pub(crate) fn parse_rsa_public_key(input: &[u8]) -> Result<LcPtr<EVP_PKEY>, KeyRejected> {
+    rfc8017::decode_public_key_der(input).or(rfc5280::decode_public_key_der(input))
+}
+
 impl Debug for PublicKey {
     fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), fmt::Error> {
         f.write_str(&format!(

aws-lc-rs/src/rsa/signature.rs

@@ -13,7 +13,7 @@ use crate::digest::{self, match_digest_type, Digest};
 use crate::error::Unspecified;
 use crate::ptr::LcPtr;
 use crate::sealed::Sealed;
-use crate::signature::VerificationAlgorithm;
+use crate::signature::{ParsedPublicKey, ParsedVerificationAlgorithm, VerificationAlgorithm};
 
 use super::encoding;
 #[cfg(feature = "ring-sig-verify")]
@@ -52,6 +52,41 @@ impl RsaParameters {
     }
 }
 
+impl ParsedVerificationAlgorithm for RsaParameters {
+    fn parsed_verify_sig(
+        &self,
+        public_key: &ParsedPublicKey,
+        msg: &[u8],
+        signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        let evp_pkey = public_key.key();
+        verify_rsa_signature(
+            self.digest_algorithm(),
+            self.padding(),
+            evp_pkey,
+            msg,
+            signature,
+            self.bit_size_range(),
+        )
+    }
+
+    fn parsed_verify_digest_sig(
+        &self,
+        public_key: &ParsedPublicKey,
+        digest: &Digest,
+        signature: &[u8],
+    ) -> Result<(), Unspecified> {
+        let evp_pkey = public_key.key();
+        verify_rsa_digest_signature(
+            self.padding(),
+            evp_pkey,
+            digest,
+            signature,
+            self.bit_size_range(),
+        )
+    }
+}
+
 impl VerificationAlgorithm for RsaParameters {
     #[cfg(feature = "ring-sig-verify")]
     fn verify(