feat: Make AsyncRawSignatureValidator available on all platforms (#800)

scouten-adobe · web-flow · commit 1ca698d3a4c2 · 2024-12-24T14:52:01.000-08:00
(When OpenSSL is used, it's just a wrapper around the synchronous code path.)
diff --git a/internal/crypto/src/raw_signature/mod.rs b/internal/crypto/src/raw_signature/mod.rs
@@ -23,6 +23,6 @@ pub(crate) mod oids;
 
 mod validator;
 pub use validator::{
-    validator_for_sig_and_hash_algs, validator_for_signing_alg, RawSignatureValidationError,
-    RawSignatureValidator,
+    async_validator_for_signing_alg, validator_for_sig_and_hash_algs, validator_for_signing_alg,
+    AsyncRawSignatureValidator, RawSignatureValidationError, RawSignatureValidator,
 };
diff --git a/internal/crypto/src/raw_signature/validator.rs b/internal/crypto/src/raw_signature/validator.rs
@@ -11,6 +11,7 @@
 // specific language governing permissions and limitations under
 // each license.
 
+use async_trait::async_trait;
 use bcder::Oid;
 use thiserror::Error;
 
@@ -34,6 +35,31 @@ pub trait RawSignatureValidator {
     ) -> Result<(), RawSignatureValidationError>;
 }
 
+/// An `AsyncRawSignatureValidator` implementation checks a signature encoded
+/// using a specific signature algorithm and a private/public key pair.
+///
+/// IMPORTANT: This signature is typically embedded in a wrapper provided by
+/// another signature mechanism. In the C2PA ecosystem, this wrapper is
+/// typically COSE, but `AsyncRawSignatureValidator` does not implement COSE.
+///
+/// The WASM implementation of `c2pa-crypto` also implements
+/// [`RawSignatureValidator`] (the synchronous version), but some encryption
+/// algorithms are not fully supported. When possible, it's preferable to use
+/// this implementation.
+///
+/// [`RawSignatureValidator`]: crate::raw_signature::RawSignatureValidator
+#[async_trait(?Send)]
+pub trait AsyncRawSignatureValidator {
+    /// Return `true` if the signature `sig` is valid for the raw content `data`
+    /// and the public key `public_key`.
+    async fn validate_async(
+        &self,
+        sig: &[u8],
+        data: &[u8],
+        public_key: &[u8],
+    ) -> Result<(), RawSignatureValidationError>;
+}
+
 /// Return a built-in signature validator for the requested signature
 /// algorithm.
 ///
@@ -54,6 +80,24 @@ pub fn validator_for_signing_alg(alg: SigningAlg) -> Option<Box<dyn RawSignature
     None
 }
 
+/// Return a built-in signature validator for the requested signature
+/// algorithm.
+///
+/// Which validators are available may vary depending on the platform and
+/// which crate features were enabled.
+pub fn async_validator_for_signing_alg(
+    alg: SigningAlg,
+) -> Option<Box<dyn AsyncRawSignatureValidator>> {
+    #[cfg(target_arch = "wasm32")]
+    if let Some(validator) = crate::webcrypto::async_validator_for_signing_alg(alg) {
+        return Some(validator);
+    }
+
+    Some(Box::new(AsyncValidatorAdapter(validator_for_signing_alg(
+        alg,
+    )?)))
+}
+
 /// Return a built-in signature validator for the requested signature
 /// algorithm as identified by OID.
 ///
@@ -165,3 +209,17 @@ impl From<crate::webcrypto::WasmCryptoError> for RawSignatureValidationError {
         }
     }
 }
+
+struct AsyncValidatorAdapter(Box<dyn RawSignatureValidator>);
+
+#[async_trait(?Send)]
+impl AsyncRawSignatureValidator for AsyncValidatorAdapter {
+    async fn validate_async(
+        &self,
+        sig: &[u8],
+        data: &[u8],
+        public_key: &[u8],
+    ) -> Result<(), RawSignatureValidationError> {
+        self.0.validate(sig, data, public_key)
+    }
+}
diff --git a/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs b/internal/crypto/src/webcrypto/async_validators/ecdsa_validator.rs
@@ -18,8 +18,8 @@ use wasm_bindgen_futures::JsFuture;
 use web_sys::CryptoKey;
 
 use crate::{
-    raw_signature::RawSignatureValidationError,
-    webcrypto::{AsyncRawSignatureValidator, WindowOrWorker},
+    raw_signature::{AsyncRawSignatureValidator, RawSignatureValidationError},
+    webcrypto::WindowOrWorker,
 };
 
 /// An `EcdsaValidator` can validate raw signatures with one of the ECDSA
diff --git a/internal/crypto/src/webcrypto/async_validators/ed25519_validator.rs b/internal/crypto/src/webcrypto/async_validators/ed25519_validator.rs
@@ -13,9 +13,8 @@
 
 use async_trait::async_trait;
 
-use crate::{
-    raw_signature::{RawSignatureValidationError, RawSignatureValidator},
-    webcrypto::AsyncRawSignatureValidator,
+use crate::raw_signature::{
+    AsyncRawSignatureValidator, RawSignatureValidationError, RawSignatureValidator,
 };
 
 /// An `Ed25519Validator` can validate raw signatures with the Ed25519 signature
diff --git a/internal/crypto/src/webcrypto/async_validators/mod.rs b/internal/crypto/src/webcrypto/async_validators/mod.rs
@@ -11,39 +11,13 @@
 // specific language governing permissions and limitations under
 // each license.
 
-use async_trait::async_trait;
 use bcder::Oid;
 
 use crate::{
-    raw_signature::{oids::*, RawSignatureValidationError},
+    raw_signature::{oids::*, AsyncRawSignatureValidator},
     SigningAlg,
 };
 
-/// An `AsyncRawSignatureValidator` implementation checks a signature encoded
-/// using a specific signature algorithm and a private/public key pair.
-///
-/// IMPORTANT: This signature is typically embedded in a wrapper provided by
-/// another signature mechanism. In the C2PA ecosystem, this wrapper is
-/// typically COSE, but `AsyncRawSignatureValidator` does not implement COSE.
-///
-/// The WASM implementation of `c2pa-crypto` also implements
-/// [`RawSignatureValidator`] (the synchronous version), but some encryption
-/// algorithms are not fully supported. When possible, it's preferable to use
-/// this implementation.
-///
-/// [`RawSignatureValidator`]: crate::raw_signature::RawSignatureValidator
-#[async_trait(?Send)]
-pub trait AsyncRawSignatureValidator {
-    /// Return `true` if the signature `sig` is valid for the raw content `data`
-    /// and the public key `public_key`.
-    async fn validate_async(
-        &self,
-        sig: &[u8],
-        data: &[u8],
-        public_key: &[u8],
-    ) -> Result<(), RawSignatureValidationError>;
-}
-
 /// Return an async validator for the given signing algorithm.
 pub fn async_validator_for_signing_alg(
     alg: SigningAlg,
diff --git a/internal/crypto/src/webcrypto/async_validators/rsa_legacy_validator.rs b/internal/crypto/src/webcrypto/async_validators/rsa_legacy_validator.rs
@@ -13,9 +13,8 @@
 
 use async_trait::async_trait;
 
-use crate::{
-    raw_signature::{RawSignatureValidationError, RawSignatureValidator},
-    webcrypto::AsyncRawSignatureValidator,
+use crate::raw_signature::{
+    AsyncRawSignatureValidator, RawSignatureValidationError, RawSignatureValidator,
 };
 
 /// An `RsaLegacyValidator` can validate raw signatures with an RSA signature
diff --git a/internal/crypto/src/webcrypto/async_validators/rsa_validator.rs b/internal/crypto/src/webcrypto/async_validators/rsa_validator.rs
@@ -13,9 +13,8 @@
 
 use async_trait::async_trait;
 
-use crate::{
-    raw_signature::{RawSignatureValidationError, RawSignatureValidator},
-    webcrypto::AsyncRawSignatureValidator,
+use crate::raw_signature::{
+    AsyncRawSignatureValidator, RawSignatureValidationError, RawSignatureValidator,
 };
 
 /// An `RsaValidator` can validate raw signatures with one of the RSA-PSS
diff --git a/internal/crypto/src/webcrypto/mod.rs b/internal/crypto/src/webcrypto/mod.rs
@@ -22,7 +22,6 @@
 pub(crate) mod async_validators;
 pub use async_validators::{
     async_validator_for_sig_and_hash_algs, async_validator_for_signing_alg,
-    AsyncRawSignatureValidator,
 };
 
 pub(crate) mod check_certificate_trust;
