wip(rust/signed_doc): implement verification method

saibatizoku · saibatizoku · commit a612907f7def · 2025-01-27T18:26:35.000-06:00
* verify signatures with public (verification) key
* todo: verify UUIDs
diff --git a/rust/signed_doc/src/lib.rs b/rust/signed_doc/src/lib.rs
@@ -17,6 +17,7 @@ pub use builder::Builder;
 use catalyst_types::problem_report::ProblemReport;
 pub use content::Content;
 use coset::{CborSerializable, Header};
+use ed25519_dalek::VerifyingKey;
 use error::CatalystSignedDocError;
 pub use metadata::{DocumentRef, ExtraFields, Metadata, UuidV4, UuidV7};
 pub use minicbor::{decode, encode, Decode, Decoder, Encode};
@@ -105,6 +106,64 @@ impl CatalystSignedDocument {
     pub fn signatures(&self) -> &Signatures {
         &self.inner.signatures
     }
+
+    /// Verify document signatures and `UUID`s.
+    ///
+    /// # Errors
+    ///
+    /// Returns a report of verification failures and the source error.
+    #[allow(clippy::indexing_slicing)]
+    pub fn verify<P>(&self, pk_getter: P) -> Result<(), CatalystSignedDocError>
+    where P: Fn(&KidUri) -> VerifyingKey {
+        let error_report = ProblemReport::new("Catalyst Signed Document Verification");
+
+        match coset::CoseSign::try_from(self) {
+            Ok(cose_sign) => {
+                let signatures = self.signatures().cose_signatures();
+                for (idx, kid) in self.signatures().kids().iter().enumerate() {
+                    let pk = pk_getter(kid);
+                    let signature = &signatures[idx];
+                    let tbs_data = cose_sign.tbs_data(&[], signature);
+                    match signature.signature.as_slice().try_into() {
+                        Ok(signature_bytes) => {
+                            let signature = ed25519_dalek::Signature::from_bytes(signature_bytes);
+                            if let Err(e) = pk.verify_strict(&tbs_data, &signature) {
+                                error_report.functional_validation(
+                                    &format!(
+                                        "Verification failed for signature with Key ID {kid}: {e}"
+                                    ),
+                                    "During signature validation with verifying key",
+                                );
+                            }
+                        },
+                        Err(_) => {
+                            error_report.invalid_value(
+                                "cose signature",
+                                &format!("{}", signature.signature.len()),
+                                &format!("must be {}", ed25519_dalek::Signature::BYTE_SIZE),
+                                "During encoding cose signature to bytes",
+                            );
+                        },
+                    }
+                }
+            },
+            Err(e) => {
+                error_report.other(
+                    &format!("{e}"),
+                    "During encoding signed document as COSE SIGN",
+                );
+            },
+        }
+
+        if error_report.is_problematic() {
+            return Err(CatalystSignedDocError::new(
+                error_report,
+                anyhow::anyhow!("Verification failed for Catalyst Signed Document"),
+            ));
+        }
+
+        Ok(())
+    }
 }
 
 impl TryFrom<&[u8]> for CatalystSignedDocument {
@@ -242,6 +301,17 @@ impl Encode<()> for CatalystSignedDocument {
     }
 }
 
+impl TryFrom<&CatalystSignedDocument> for coset::CoseSign {
+    type Error = anyhow::Error;
+
+    fn try_from(signed_doc: &CatalystSignedDocument) -> Result<Self, Self::Error> {
+        let mut cose_bytes: Vec<u8> = Vec::new();
+        minicbor::encode(signed_doc, &mut cose_bytes)?;
+        coset::CoseSign::from_slice(&cose_bytes)
+            .map_err(|e| anyhow::anyhow!("encoding COSE SIGN failed: {e}"))
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use metadata::{ContentEncoding, ContentType};
