feat: initial

apskhem · apskhem · commit 85a96a3e5cb9 · 2025-08-29T18:02:42.000+07:00
diff --git a/rust/signed_doc/src/validator/mod.rs b/rust/signed_doc/src/validator/mod.rs
@@ -8,8 +8,7 @@ use std::{
     sync::{Arc, LazyLock},
 };
 
-use anyhow::Context;
-use catalyst_types::{catalyst_id::role_index::RoleId, problem_report::ProblemReport};
+use catalyst_types::catalyst_id::role_index::RoleId;
 use rules::{
     ContentEncodingRule, ContentRule, ContentSchema, ContentTypeRule, IdRule, ParametersRule,
     RefRule, ReplyRule, Rules, SectionRule, SignatureKidRule, VerRule,
@@ -22,7 +21,7 @@ use crate::{
     },
     metadata::DocType,
     providers::{CatalystSignedDocumentProvider, VerifyingKeyProvider},
-    signature::{tbs_data, Signature},
+    validator::rules::SignatureRule,
     CatalystSignedDocument, ContentEncoding, ContentType,
 };
 
@@ -62,6 +61,7 @@ fn proposal_rule() -> Rules {
         kid: SignatureKidRule {
             exp: &[RoleId::Proposer],
         },
+        signature: SignatureRule { mutlisig: true },
     }
 }
 
@@ -104,6 +104,7 @@ fn proposal_comment_rule() -> Rules {
         kid: SignatureKidRule {
             exp: &[RoleId::Role0],
         },
+        signature: SignatureRule { mutlisig: true },
     }
 }
 
@@ -152,6 +153,7 @@ fn proposal_submission_action_rule() -> Rules {
         kid: SignatureKidRule {
             exp: &[RoleId::Proposer],
         },
+        signature: SignatureRule { mutlisig: true },
     }
 }
 
@@ -185,7 +187,7 @@ pub async fn validate<Provider>(
     provider: &Provider,
 ) -> anyhow::Result<bool>
 where
-    Provider: CatalystSignedDocumentProvider,
+    Provider: CatalystSignedDocumentProvider + VerifyingKeyProvider,
 {
     let Ok(doc_type) = doc.doc_type() else {
         doc.report().missing_field(
@@ -207,82 +209,6 @@ where
     rules.check(doc, provider).await
 }
 
-/// Verify document signatures.
-/// Return true if all signatures are valid, otherwise return false.
-///
-/// # Errors
-/// If `provider` returns error, fails fast throwing that error.
-pub async fn validate_signatures(
-    doc: &CatalystSignedDocument,
-    provider: &impl VerifyingKeyProvider,
-) -> anyhow::Result<bool> {
-    if doc.signatures().is_empty() {
-        doc.report().other(
-            "Catalyst Signed Document is unsigned",
-            "During Catalyst Signed Document signature validation",
-        );
-        return Ok(false);
-    }
-
-    let sign_rules = doc
-        .signatures()
-        .iter()
-        .map(|sign| validate_signature(doc, sign, provider, doc.report()));
-
-    let res = futures::future::join_all(sign_rules)
-        .await
-        .into_iter()
-        .collect::<anyhow::Result<Vec<_>>>()?
-        .iter()
-        .all(|res| *res);
-
-    Ok(res)
-}
-
-/// A single signature validation function
-async fn validate_signature<Provider>(
-    doc: &CatalystSignedDocument,
-    sign: &Signature,
-    provider: &Provider,
-    report: &ProblemReport,
-) -> anyhow::Result<bool>
-where
-    Provider: VerifyingKeyProvider,
-{
-    let kid = sign.kid();
-
-    let Some(pk) = provider.try_get_key(kid).await? else {
-        report.other(
-            &format!("Missing public key for {kid}."),
-            "During public key extraction",
-        );
-        return Ok(false);
-    };
-
-    let tbs_data = tbs_data(kid, doc.doc_meta(), doc.content()).context("Probably a bug, cannot build CBOR COSE bytes for signature verification from the structurally valid COSE object.")?;
-
-    let Ok(signature_bytes) = sign.signature().try_into() else {
-        report.invalid_value(
-            "cose signature",
-            &format!("{}", sign.signature().len()),
-            &format!("must be {}", ed25519_dalek::Signature::BYTE_SIZE),
-            "During encoding cose signature to bytes",
-        );
-        return Ok(false);
-    };
-
-    let signature = ed25519_dalek::Signature::from_bytes(signature_bytes);
-    if pk.verify_strict(&tbs_data, &signature).is_err() {
-        report.functional_validation(
-            &format!("Verification failed for signature with Key ID {kid}"),
-            "During signature validation with verifying key",
-        );
-        return Ok(false);
-    }
-
-    Ok(true)
-}
-
 #[cfg(test)]
 mod tests {
     use crate::validator::document_rules_init;
diff --git a/rust/signed_doc/src/validator/rules/mod.rs b/rust/signed_doc/src/validator/rules/mod.rs
@@ -3,7 +3,10 @@
 
 use futures::FutureExt;
 
-use crate::{providers::CatalystSignedDocumentProvider, CatalystSignedDocument};
+use crate::{
+    providers::{CatalystSignedDocumentProvider, VerifyingKeyProvider},
+    CatalystSignedDocument,
+};
 
 mod content_encoding;
 mod content_type;
@@ -12,6 +15,7 @@ mod id;
 mod parameters;
 mod reply;
 mod section;
+mod signature;
 mod signature_kid;
 mod template;
 mod ver;
@@ -23,6 +27,7 @@ pub(crate) use id::IdRule;
 pub(crate) use parameters::ParametersRule;
 pub(crate) use reply::ReplyRule;
 pub(crate) use section::SectionRule;
+pub(crate) use signature::SignatureRule;
 pub(crate) use signature_kid::SignatureKidRule;
 pub(crate) use template::{ContentRule, ContentSchema};
 pub(crate) use ver::VerRule;
@@ -49,6 +54,8 @@ pub(crate) struct Rules {
     pub(crate) parameters: ParametersRule,
     /// `kid` field validation rule
     pub(crate) kid: SignatureKidRule,
+    /// document's signatures validation rule
+    pub(crate) signature: SignatureRule,
 }
 
 impl Rules {
@@ -59,7 +66,7 @@ impl Rules {
         provider: &Provider,
     ) -> anyhow::Result<bool>
     where
-        Provider: CatalystSignedDocumentProvider,
+        Provider: CatalystSignedDocumentProvider + VerifyingKeyProvider,
     {
         let rules = [
             self.id.check(doc, provider).boxed(),
@@ -74,12 +81,15 @@ impl Rules {
             self.kid.check(doc).boxed(),
         ];
 
-        let res = futures::future::join_all(rules)
+        let rules_res = futures::future::join_all(rules)
             .await
             .into_iter()
             .collect::<anyhow::Result<Vec<_>>>()?
             .iter()
             .all(|res| *res);
-        Ok(res)
+
+        let sig_res = self.signature.check(doc, provider).await?;
+
+        Ok(rules_res && sig_res)
     }
 }
diff --git a/rust/signed_doc/src/validator/rules/signature.rs b/rust/signed_doc/src/validator/rules/signature.rs
@@ -0,0 +1,110 @@
+//! Validator for Signatures
+
+use anyhow::Context;
+use catalyst_types::problem_report::ProblemReport;
+
+use crate::{
+    providers::{CatalystSignedDocumentProvider, VerifyingKeyProvider},
+    signature::{tbs_data, Signature},
+    CatalystSignedDocument,
+};
+
+#[derive(Debug)]
+pub(crate) struct SignatureRule {
+    /// Allows multiple signatures.
+    pub(crate) mutlisig: bool,
+}
+
+impl SignatureRule {
+    /// Verify document signatures.
+    /// Return true if all signatures are valid, otherwise return false.
+    ///
+    /// # Errors
+    /// If `provider` returns error, fails fast throwing that error.
+    pub(crate) async fn check<Provider>(
+        &self,
+        doc: &CatalystSignedDocument,
+        provider: &Provider,
+    ) -> anyhow::Result<bool>
+    where
+        Provider: CatalystSignedDocumentProvider + VerifyingKeyProvider,
+    {
+        if doc.signatures().is_empty() {
+            doc.report().other(
+                "Catalyst Signed Document is unsigned",
+                "During Catalyst Signed Document signature validation",
+            );
+            return Ok(false);
+        }
+
+        if !self.mutlisig && doc.signatures().len() > 1 {
+            doc.report().other(
+                format!(
+                    "Multi-signature is not allowed, found {} signatures",
+                    doc.signatures().len()
+                )
+                .as_str(),
+                "During Catalyst Signed Document signature validation",
+            );
+            return Ok(false);
+        }
+
+        let sign_rules = doc
+            .signatures()
+            .iter()
+            .map(|sign| validate_signature(doc, sign, provider, doc.report()));
+
+        let res = futures::future::join_all(sign_rules)
+            .await
+            .into_iter()
+            .collect::<anyhow::Result<Vec<_>>>()?
+            .iter()
+            .all(|res| *res);
+
+        Ok(res)
+    }
+}
+
+/// A single signature validation function
+async fn validate_signature<Provider>(
+    doc: &CatalystSignedDocument,
+    sign: &Signature,
+    provider: &Provider,
+    report: &ProblemReport,
+) -> anyhow::Result<bool>
+where
+    Provider: VerifyingKeyProvider,
+{
+    let kid = sign.kid();
+
+    let Some(pk) = provider.try_get_key(kid).await? else {
+        report.other(
+            &format!("Missing public key for {kid}."),
+            "During public key extraction",
+        );
+        return Ok(false);
+    };
+
+    let tbs_data = tbs_data(kid, doc.doc_meta(), doc.content()).context("Probably a bug, cannot build CBOR COSE bytes for signature verification from the structurally valid COSE object.")?;
+
+    let Ok(signature_bytes) = sign.signature().try_into() else {
+        report.invalid_value(
+            "cose signature",
+            &format!("{}", sign.signature().len()),
+            &format!("must be {}", ed25519_dalek::Signature::BYTE_SIZE),
+            "During encoding cose signature to bytes",
+        );
+        return Ok(false);
+    };
+
+    let signature = ed25519_dalek::Signature::from_bytes(signature_bytes);
+    if pk.verify_strict(&tbs_data, &signature).is_err() {
+        report.functional_validation(
+            &format!("Verification failed for signature with Key ID {kid}"),
+            "During signature validation with verifying key",
+        );
+        return Ok(false);
+    }
+
+    Ok(true)
+}
