aws_lc_rs/signature.rs
1// Copyright 2015-2017 Brian Smith.
2// SPDX-License-Identifier: ISC
3// Modifications copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
4// SPDX-License-Identifier: Apache-2.0 OR ISC
5
6//! Public key signatures: signing and verification.
7//!
8//! Use the `verify` function to verify signatures, passing a reference to the
9//! algorithm that identifies the algorithm. See the documentation for `verify`
10//! for examples.
11//!
12//! For signature verification, this API treats each combination of parameters
13//! as a separate algorithm. For example, instead of having a single "RSA"
14//! algorithm with a verification function that takes a bunch of parameters,
15//! there are `RSA_PKCS1_2048_8192_SHA256`, `RSA_PKCS1_2048_8192_SHA384`, etc.,
16//! which encode sets of parameter choices into objects. This is designed to
17//! reduce the risks of algorithm agility and to provide consistency with ECDSA
18//! and `EdDSA`.
19//!
20//! Currently this module does not support digesting the message to be signed
21//! separately from the public key operation, as it is currently being
22//! optimized for Ed25519 and for the implementation of protocols that do not
23//! requiring signing large messages. An interface for efficiently supporting
24//! larger messages may be added later.
25//!
26//!
27//! # Algorithm Details
28//!
29//! ## `ECDSA_*_ASN1` Details: ASN.1-encoded ECDSA Signatures
30//!
31//! The signature is a ASN.1 DER-encoded `Ecdsa-Sig-Value` as described in
32//! [RFC 3279 Section 2.2.3]. This is the form of ECDSA signature used in
33//! X.509-related structures and in TLS's `ServerKeyExchange` messages.
34//!
35//! The public key is encoding in uncompressed form using the
36//! Octet-String-to-Elliptic-Curve-Point algorithm in
37//! [SEC 1: Elliptic Curve Cryptography, Version 2.0].
38//!
39//! During verification, the public key is validated using the ECC Partial
40//! Public-Key Validation Routine from Section 5.6.2.3.3 of
41//! [NIST Special Publication 800-56A, revision 2] and Appendix A.3 of the
42//! NSA's [Suite B implementer's guide to FIPS 186-3]. Note that, as explained
43//! in the NSA guide, ECC Partial Public-Key Validation is equivalent to ECC
44//! Full Public-Key Validation for prime-order curves like this one.
45//!
46//! ## `ECDSA_*_FIXED` Details: Fixed-length (PKCS#11-style) ECDSA Signatures
47//!
48//! The signature is *r*||*s*, where || denotes concatenation, and where both
49//! *r* and *s* are both big-endian-encoded values that are left-padded to the
50//! maximum length. A P-256 signature will be 64 bytes long (two 32-byte
51//! components) and a P-384 signature will be 96 bytes long (two 48-byte
52//! components). This is the form of ECDSA signature used PKCS#11 and DNSSEC.
53//!
54//! The public key is encoding in uncompressed form using the
55//! Octet-String-to-Elliptic-Curve-Point algorithm in
56//! [SEC 1: Elliptic Curve Cryptography, Version 2.0].
57//!
58//! During verification, the public key is validated using the ECC Partial
59//! Public-Key Validation Routine from Section 5.6.2.3.3 of
60//! [NIST Special Publication 800-56A, revision 2] and Appendix A.3 of the
61//! NSA's [Suite B implementer's guide to FIPS 186-3]. Note that, as explained
62//! in the NSA guide, ECC Partial Public-Key Validation is equivalent to ECC
63//! Full Public-Key Validation for prime-order curves like this one.
64//!
65//! ## `RSA_PKCS1_*` Details: RSA PKCS#1 1.5 Signatures
66//!
67//! The signature is an RSASSA-PKCS1-v1_5 signature as described in
68//! [RFC 3447 Section 8.2].
69//!
70//! The public key is encoded as an ASN.1 `RSAPublicKey` as described in
71//! [RFC 3447 Appendix-A.1.1]. The public key modulus length, rounded *up* to
72//! the nearest (larger) multiple of 8 bits, must be in the range given in the
73//! name of the algorithm. The public exponent must be an odd integer of 2-33
74//! bits, inclusive.
75//!
76//!
77//! ## `RSA_PSS_*` Details: RSA PSS Signatures
78//!
79//! The signature is an RSASSA-PSS signature as described in
80//! [RFC 3447 Section 8.1].
81//!
82//! The public key is encoded as an ASN.1 `RSAPublicKey` as described in
83//! [RFC 3447 Appendix-A.1.1]. The public key modulus length, rounded *up* to
84//! the nearest (larger) multiple of 8 bits, must be in the range given in the
85//! name of the algorithm. The public exponent must be an odd integer of 2-33
86//! bits, inclusive.
87//!
88//! During verification, signatures will only be accepted if the MGF1 digest
89//! algorithm is the same as the message digest algorithm and if the salt
90//! length is the same length as the message digest. This matches the
91//! requirements in TLS 1.3 and other recent specifications.
92//!
93//! During signing, the message digest algorithm will be used as the MGF1
94//! digest algorithm. The salt will be the same length as the message digest.
95//! This matches the requirements in TLS 1.3 and other recent specifications.
96//! Additionally, the entire salt is randomly generated separately for each
97//! signature using the secure random number generator passed to `sign()`.
98//!
99//!
100//! [SEC 1: Elliptic Curve Cryptography, Version 2.0]:
101//! http://www.secg.org/sec1-v2.pdf
102//! [NIST Special Publication 800-56A, revision 2]:
103//! http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
104//! [Suite B implementer's guide to FIPS 186-3]:
105//! https://github.com/briansmith/ring/blob/main/doc/ecdsa.pdf
106//! [RFC 3279 Section 2.2.3]:
107//! https://tools.ietf.org/html/rfc3279#section-2.2.3
108//! [RFC 3447 Section 8.2]:
109//! https://tools.ietf.org/html/rfc3447#section-7.2
110//! [RFC 3447 Section 8.1]:
111//! https://tools.ietf.org/html/rfc3447#section-8.1
112//! [RFC 3447 Appendix-A.1.1]:
113//! https://tools.ietf.org/html/rfc3447#appendix-A.1.1
114//!
115//!
116//! # Examples
117//!
118//! ## Signing and verifying with Ed25519
119//!
120//! ```
121//! use aws_lc_rs::{
122//! rand,
123//! signature::{self, KeyPair},
124//! };
125//!
126//! fn main() -> Result<(), aws_lc_rs::error::Unspecified> {
127//! // Generate a new key pair for Ed25519.
128//! let key_pair = signature::Ed25519KeyPair::generate()?;
129//!
130//! // Sign the message "hello, world".
131//! const MESSAGE: &[u8] = b"hello, world";
132//! let sig = key_pair.sign(MESSAGE);
133//!
134//! // Normally an application would extract the bytes of the signature and
135//! // send them in a protocol message to the peer(s). Here we just get the
136//! // public key key directly from the key pair.
137//! let peer_public_key_bytes = key_pair.public_key().as_ref();
138//!
139//! // Verify the signature of the message using the public key. Normally the
140//! // verifier of the message would parse the inputs to this code out of the
141//! // protocol message(s) sent by the signer.
142//! let peer_public_key =
143//! signature::UnparsedPublicKey::new(&signature::ED25519, peer_public_key_bytes);
144//! peer_public_key.verify(MESSAGE, sig.as_ref())?;
145//!
146//! Ok(())
147//! }
148//! ```
149//!
150//! ## Signing and verifying with RSA (PKCS#1 1.5 padding)
151//!
152//! By default OpenSSL writes RSA public keys in `SubjectPublicKeyInfo` format,
153//! not `RSAPublicKey` format, and Base64-encodes them (“PEM” format).
154//!
155//! To convert the PEM `SubjectPublicKeyInfo` format (“BEGIN PUBLIC KEY”) to the
156//! binary `RSAPublicKey` format needed by `verify()`, use:
157//!
158//! ```sh
159//! openssl rsa -pubin \
160//! -in public_key.pem \
161//! -inform PEM \
162//! -RSAPublicKey_out \
163//! -outform DER \
164//! -out public_key.der
165//! ```
166//!
167//! To extract the RSAPublicKey-formatted public key from an ASN.1 (binary)
168//! DER-encoded `RSAPrivateKey` format private key file, use:
169//!
170//! ```sh
171//! openssl rsa -in private_key.der \
172//! -inform DER \
173//! -RSAPublicKey_out \
174//! -outform DER \
175//! -out public_key.der
176//! ```
177//!
178//! ```
179//! use aws_lc_rs::{rand, signature};
180//!
181//! fn sign_and_verify_rsa(
182//! private_key_path: &std::path::Path,
183//! public_key_path: &std::path::Path,
184//! ) -> Result<(), MyError> {
185//! // Create an `RsaKeyPair` from the DER-encoded bytes. This example uses
186//! // a 2048-bit key, but larger keys are also supported.
187//! let private_key_der = read_file(private_key_path)?;
188//! let key_pair = signature::RsaKeyPair::from_der(&private_key_der)
189//! .map_err(|_| MyError::BadPrivateKey)?;
190//!
191//! // Sign the message "hello, world", using PKCS#1 v1.5 padding and the
192//! // SHA256 digest algorithm.
193//! const MESSAGE: &'static [u8] = b"hello, world";
194//! let rng = rand::SystemRandom::new();
195//! let mut signature = vec![0; key_pair.public_modulus_len()];
196//! key_pair
197//! .sign(&signature::RSA_PKCS1_SHA256, &rng, MESSAGE, &mut signature)
198//! .map_err(|_| MyError::OOM)?;
199//!
200//! // Verify the signature.
201//! let public_key = signature::UnparsedPublicKey::new(
202//! &signature::RSA_PKCS1_2048_8192_SHA256,
203//! read_file(public_key_path)?,
204//! );
205//! public_key
206//! .verify(MESSAGE, &signature)
207//! .map_err(|_| MyError::BadSignature)
208//! }
209//!
210//! #[derive(Debug)]
211//! enum MyError {
212//! IO(std::io::Error),
213//! BadPrivateKey,
214//! OOM,
215//! BadSignature,
216//! }
217//!
218//! fn read_file(path: &std::path::Path) -> Result<Vec<u8>, MyError> {
219//! use std::io::Read;
220//!
221//! let mut file = std::fs::File::open(path).map_err(|e| MyError::IO(e))?;
222//! let mut contents: Vec<u8> = Vec::new();
223//! file.read_to_end(&mut contents)
224//! .map_err(|e| MyError::IO(e))?;
225//! Ok(contents)
226//! }
227//!
228//! fn main() {
229//! let private_key_path =
230//! std::path::Path::new("tests/data/signature_rsa_example_private_key.der");
231//! let public_key_path =
232//! std::path::Path::new("tests/data/signature_rsa_example_public_key.der");
233//! sign_and_verify_rsa(&private_key_path, &public_key_path).unwrap()
234//! }
235//! ```
236use core::fmt::{Debug, Formatter};
237
238#[cfg(feature = "ring-sig-verify")]
239use untrusted::Input;
240
241pub use crate::rsa::signature::RsaEncoding;
242pub use crate::rsa::{
243 KeyPair as RsaKeyPair, PublicKey as RsaSubjectPublicKey,
244 PublicKeyComponents as RsaPublicKeyComponents, RsaParameters,
245};
246
247use crate::rsa::signature::{RsaSignatureEncoding, RsaSigningAlgorithmId};
248use crate::rsa::RsaVerificationAlgorithmId;
249
250pub use crate::ec::key_pair::{EcdsaKeyPair, PrivateKey as EcdsaPrivateKey};
251use crate::ec::signature::EcdsaSignatureFormat;
252pub use crate::ec::signature::{
253 EcdsaSigningAlgorithm, EcdsaVerificationAlgorithm, PublicKey as EcdsaPublicKey,
254};
255pub use crate::ed25519::{
256 Ed25519KeyPair, EdDSAParameters, PublicKey as Ed25519PublicKey, Seed as Ed25519Seed,
257 ED25519_PUBLIC_KEY_LEN,
258};
259use crate::{digest, ec, error, hex, rsa, sealed};
260
261/// The longest signature is an ASN.1 P-384 signature where *r* and *s* are of
262/// maximum length with the leading high bit set on each. Then each component
263/// will have a tag, a one-byte length, and a one-byte “I'm not negative”
264/// prefix, and the outer sequence will have a two-byte length.
265pub(crate) const MAX_LEN: usize = 1/*tag:SEQUENCE*/ + 2/*len*/ +
266 (2 * (1/*tag:INTEGER*/ + 1/*len*/ + 1/*zero*/ + ec::SCALAR_MAX_BYTES));
267
268/// A public key signature returned from a signing operation.
269#[derive(Clone, Copy)]
270pub struct Signature {
271 value: [u8; MAX_LEN],
272 len: usize,
273}
274
275impl Signature {
276 // Panics if `value` is too long.
277 pub(crate) fn new<F>(fill: F) -> Self
278 where
279 F: FnOnce(&mut [u8; MAX_LEN]) -> usize,
280 {
281 let mut r = Self {
282 value: [0; MAX_LEN],
283 len: 0,
284 };
285 r.len = fill(&mut r.value);
286 r
287 }
288}
289
290impl AsRef<[u8]> for Signature {
291 #[inline]
292 fn as_ref(&self) -> &[u8] {
293 &self.value[..self.len]
294 }
295}
296
297/// Key pairs for signing messages (private key and public key).
298pub trait KeyPair: Debug + Send + Sized + Sync {
299 /// The type of the public key.
300 type PublicKey: AsRef<[u8]> + Debug + Clone + Send + Sized + Sync;
301
302 /// The public key for the key pair.
303 fn public_key(&self) -> &Self::PublicKey;
304}
305
306/// A signature verification algorithm.
307pub trait VerificationAlgorithm: Debug + Sync + sealed::Sealed {
308 /// Verify the signature `signature` of message `msg` with the public key
309 /// `public_key`.
310 ///
311 // # FIPS
312 // The following conditions must be met:
313 // * RSA Key Sizes: 1024, 2048, 3072, 4096
314 // * NIST Elliptic Curves: P256, P384, P521
315 // * Digest Algorithms: SHA1, SHA256, SHA384, SHA512
316 //
317 /// # Errors
318 /// `error::Unspecified` if inputs not verified.
319 #[cfg(feature = "ring-sig-verify")]
320 #[deprecated(note = "please use `VerificationAlgorithm::verify_sig` instead")]
321 fn verify(
322 &self,
323 public_key: Input<'_>,
324 msg: Input<'_>,
325 signature: Input<'_>,
326 ) -> Result<(), error::Unspecified>;
327
328 /// Verify the signature `signature` of message `msg` with the public key
329 /// `public_key`.
330 ///
331 // # FIPS
332 // The following conditions must be met:
333 // * RSA Key Sizes: 1024, 2048, 3072, 4096
334 // * NIST Elliptic Curves: P256, P384, P521
335 // * Digest Algorithms: SHA1, SHA256, SHA384, SHA512
336 //
337 /// # Errors
338 /// `error::Unspecified` if inputs not verified.
339 fn verify_sig(
340 &self,
341 public_key: &[u8],
342 msg: &[u8],
343 signature: &[u8],
344 ) -> Result<(), error::Unspecified>;
345}
346
347/// An unparsed, possibly malformed, public key for signature verification.
348#[derive(Clone)]
349pub struct UnparsedPublicKey<B: AsRef<[u8]>> {
350 algorithm: &'static dyn VerificationAlgorithm,
351 bytes: B,
352}
353
354impl<B: Copy + AsRef<[u8]>> Copy for UnparsedPublicKey<B> {}
355
356impl<B: AsRef<[u8]>> Debug for UnparsedPublicKey<B> {
357 fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result {
358 f.write_str(&format!(
359 "UnparsedPublicKey {{ algorithm: {:?}, bytes: \"{}\" }}",
360 self.algorithm,
361 hex::encode(self.bytes.as_ref())
362 ))
363 }
364}
365
366impl<B: AsRef<[u8]>> UnparsedPublicKey<B> {
367 /// Construct a new `UnparsedPublicKey`.
368 ///
369 /// No validation of `bytes` is done until `verify()` is called.
370 #[inline]
371 pub fn new(algorithm: &'static dyn VerificationAlgorithm, bytes: B) -> Self {
372 Self { algorithm, bytes }
373 }
374
375 /// Parses the public key and verifies `signature` is a valid signature of
376 /// `message` using it.
377 ///
378 /// See the [`crate::signature`] module-level documentation for examples.
379 ///
380 // # FIPS
381 // The following conditions must be met:
382 // * RSA Key Sizes: 1024, 2048, 3072, 4096
383 // * NIST Elliptic Curves: P256, P384, P521
384 // * Digest Algorithms: SHA1, SHA256, SHA384, SHA512
385 //
386 /// # Errors
387 /// `error::Unspecified` if inputs not verified.
388 #[inline]
389 pub fn verify(&self, message: &[u8], signature: &[u8]) -> Result<(), error::Unspecified> {
390 self.algorithm
391 .verify_sig(self.bytes.as_ref(), message, signature)
392 }
393}
394
395/// Verification of signatures using RSA keys of 1024-8192 bits, PKCS#1.5 padding, and SHA-1.
396pub static RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY: RsaParameters = RsaParameters::new(
397 &digest::SHA1_FOR_LEGACY_USE_ONLY,
398 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
399 1024..=8192,
400 &RsaVerificationAlgorithmId::RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY,
401);
402
403/// Verification of signatures using RSA keys of 1024-8192 bits, PKCS#1.5 padding, and SHA-256.
404pub static RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY: RsaParameters = RsaParameters::new(
405 &digest::SHA256,
406 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
407 1024..=8192,
408 &RsaVerificationAlgorithmId::RSA_PKCS1_1024_8192_SHA256_FOR_LEGACY_USE_ONLY,
409);
410
411/// Verification of signatures using RSA keys of 1024-8192 bits, PKCS#1.5 padding, and SHA-512.
412pub static RSA_PKCS1_1024_8192_SHA512_FOR_LEGACY_USE_ONLY: RsaParameters = RsaParameters::new(
413 &digest::SHA512,
414 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
415 1024..=8192,
416 &RsaVerificationAlgorithmId::RSA_PKCS1_1024_8192_SHA512_FOR_LEGACY_USE_ONLY,
417);
418
419/// Verification of signatures using RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-1.
420pub static RSA_PKCS1_2048_8192_SHA1_FOR_LEGACY_USE_ONLY: RsaParameters = RsaParameters::new(
421 &digest::SHA1_FOR_LEGACY_USE_ONLY,
422 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
423 2048..=8192,
424 &RsaVerificationAlgorithmId::RSA_PKCS1_2048_8192_SHA1_FOR_LEGACY_USE_ONLY,
425);
426
427/// Verification of signatures using RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-256.
428pub static RSA_PKCS1_2048_8192_SHA256: RsaParameters = RsaParameters::new(
429 &digest::SHA256,
430 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
431 2048..=8192,
432 &RsaVerificationAlgorithmId::RSA_PKCS1_2048_8192_SHA256,
433);
434
435/// Verification of signatures using RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-384.
436pub static RSA_PKCS1_2048_8192_SHA384: RsaParameters = RsaParameters::new(
437 &digest::SHA384,
438 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
439 2048..=8192,
440 &RsaVerificationAlgorithmId::RSA_PKCS1_2048_8192_SHA384,
441);
442
443/// Verification of signatures using RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-512.
444pub static RSA_PKCS1_2048_8192_SHA512: RsaParameters = RsaParameters::new(
445 &digest::SHA512,
446 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
447 2048..=8192,
448 &RsaVerificationAlgorithmId::RSA_PKCS1_2048_8192_SHA512,
449);
450
451/// Verification of signatures using RSA keys of 3072-8192 bits, PKCS#1.5 padding, and SHA-384.
452pub static RSA_PKCS1_3072_8192_SHA384: RsaParameters = RsaParameters::new(
453 &digest::SHA384,
454 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
455 3072..=8192,
456 &RsaVerificationAlgorithmId::RSA_PKCS1_3072_8192_SHA384,
457);
458
459/// Verification of signatures using RSA keys of 2048-8192 bits, PSS padding, and SHA-256.
460pub static RSA_PSS_2048_8192_SHA256: RsaParameters = RsaParameters::new(
461 &digest::SHA256,
462 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
463 2048..=8192,
464 &RsaVerificationAlgorithmId::RSA_PSS_2048_8192_SHA256,
465);
466
467/// Verification of signatures using RSA keys of 2048-8192 bits, PSS padding, and SHA-384.
468pub static RSA_PSS_2048_8192_SHA384: RsaParameters = RsaParameters::new(
469 &digest::SHA384,
470 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
471 2048..=8192,
472 &RsaVerificationAlgorithmId::RSA_PSS_2048_8192_SHA384,
473);
474
475/// Verification of signatures using RSA keys of 2048-8192 bits, PSS padding, and SHA-512.
476pub static RSA_PSS_2048_8192_SHA512: RsaParameters = RsaParameters::new(
477 &digest::SHA512,
478 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
479 2048..=8192,
480 &RsaVerificationAlgorithmId::RSA_PSS_2048_8192_SHA512,
481);
482
483/// RSA PSS padding using SHA-256 for RSA signatures.
484pub static RSA_PSS_SHA256: RsaSignatureEncoding = RsaSignatureEncoding::new(
485 &digest::SHA256,
486 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
487 &RsaSigningAlgorithmId::RSA_PSS_SHA256,
488);
489
490/// RSA PSS padding using SHA-384 for RSA signatures.
491pub static RSA_PSS_SHA384: RsaSignatureEncoding = RsaSignatureEncoding::new(
492 &digest::SHA384,
493 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
494 &RsaSigningAlgorithmId::RSA_PSS_SHA384,
495);
496
497/// RSA PSS padding using SHA-512 for RSA signatures.
498pub static RSA_PSS_SHA512: RsaSignatureEncoding = RsaSignatureEncoding::new(
499 &digest::SHA512,
500 &rsa::signature::RsaPadding::RSA_PKCS1_PSS_PADDING,
501 &RsaSigningAlgorithmId::RSA_PSS_SHA512,
502);
503
504/// PKCS#1 1.5 padding using SHA-256 for RSA signatures.
505pub static RSA_PKCS1_SHA256: RsaSignatureEncoding = RsaSignatureEncoding::new(
506 &digest::SHA256,
507 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
508 &RsaSigningAlgorithmId::RSA_PKCS1_SHA256,
509);
510
511/// PKCS#1 1.5 padding using SHA-384 for RSA signatures.
512pub static RSA_PKCS1_SHA384: RsaSignatureEncoding = RsaSignatureEncoding::new(
513 &digest::SHA384,
514 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
515 &RsaSigningAlgorithmId::RSA_PKCS1_SHA384,
516);
517
518/// PKCS#1 1.5 padding using SHA-512 for RSA signatures.
519pub static RSA_PKCS1_SHA512: RsaSignatureEncoding = RsaSignatureEncoding::new(
520 &digest::SHA512,
521 &rsa::signature::RsaPadding::RSA_PKCS1_PADDING,
522 &RsaSigningAlgorithmId::RSA_PKCS1_SHA512,
523);
524
525/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-256 curve and SHA-256.
526pub static ECDSA_P256_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
527 id: &ec::signature::AlgorithmID::ECDSA_P256,
528 digest: &digest::SHA256,
529 sig_format: EcdsaSignatureFormat::Fixed,
530};
531
532/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA-384.
533pub static ECDSA_P384_SHA384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
534 id: &ec::signature::AlgorithmID::ECDSA_P384,
535 digest: &digest::SHA384,
536 sig_format: EcdsaSignatureFormat::Fixed,
537};
538
539/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA3-384.
540pub static ECDSA_P384_SHA3_384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
541 id: &ec::signature::AlgorithmID::ECDSA_P384,
542 digest: &digest::SHA3_384,
543 sig_format: EcdsaSignatureFormat::Fixed,
544};
545
546/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-1.
547pub static ECDSA_P521_SHA1_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
548 id: &ec::signature::AlgorithmID::ECDSA_P521,
549 digest: &digest::SHA1_FOR_LEGACY_USE_ONLY,
550 sig_format: EcdsaSignatureFormat::Fixed,
551};
552
553/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-224.
554pub static ECDSA_P521_SHA224_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
555 id: &ec::signature::AlgorithmID::ECDSA_P521,
556 digest: &digest::SHA224,
557 sig_format: EcdsaSignatureFormat::Fixed,
558};
559
560/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-256.
561pub static ECDSA_P521_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
562 id: &ec::signature::AlgorithmID::ECDSA_P521,
563 digest: &digest::SHA256,
564 sig_format: EcdsaSignatureFormat::Fixed,
565};
566
567/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-384.
568pub static ECDSA_P521_SHA384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
569 id: &ec::signature::AlgorithmID::ECDSA_P521,
570 digest: &digest::SHA384,
571 sig_format: EcdsaSignatureFormat::Fixed,
572};
573
574/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-512.
575pub static ECDSA_P521_SHA512_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
576 id: &ec::signature::AlgorithmID::ECDSA_P521,
577 digest: &digest::SHA512,
578 sig_format: EcdsaSignatureFormat::Fixed,
579};
580
581/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA3-512.
582pub static ECDSA_P521_SHA3_512_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
583 id: &ec::signature::AlgorithmID::ECDSA_P521,
584 digest: &digest::SHA3_512,
585 sig_format: EcdsaSignatureFormat::Fixed,
586};
587
588/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA-256.
589pub static ECDSA_P256K1_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
590 id: &ec::signature::AlgorithmID::ECDSA_P256K1,
591 digest: &digest::SHA256,
592 sig_format: EcdsaSignatureFormat::Fixed,
593};
594
595/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA3-256.
596pub static ECDSA_P256K1_SHA3_256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
597 id: &ec::signature::AlgorithmID::ECDSA_P256K1,
598 digest: &digest::SHA3_256,
599 sig_format: EcdsaSignatureFormat::Fixed,
600};
601
602/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-256.
603pub static ECDSA_P256_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
604 id: &ec::signature::AlgorithmID::ECDSA_P256,
605 digest: &digest::SHA256,
606 sig_format: EcdsaSignatureFormat::ASN1,
607};
608
609/// *Not recommended.* Verification of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-384.
610pub static ECDSA_P256_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
611 id: &ec::signature::AlgorithmID::ECDSA_P256,
612 digest: &digest::SHA384,
613 sig_format: EcdsaSignatureFormat::ASN1,
614};
615
616/// *Not recommended.* Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-256.
617pub static ECDSA_P384_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
618 id: &ec::signature::AlgorithmID::ECDSA_P384,
619 digest: &digest::SHA256,
620 sig_format: EcdsaSignatureFormat::ASN1,
621};
622
623/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-384.
624pub static ECDSA_P384_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
625 id: &ec::signature::AlgorithmID::ECDSA_P384,
626 digest: &digest::SHA384,
627 sig_format: EcdsaSignatureFormat::ASN1,
628};
629
630/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA3-384.
631pub static ECDSA_P384_SHA3_384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
632 id: &ec::signature::AlgorithmID::ECDSA_P384,
633 digest: &digest::SHA3_384,
634 sig_format: EcdsaSignatureFormat::ASN1,
635};
636
637/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-1.
638pub static ECDSA_P521_SHA1_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
639 id: &ec::signature::AlgorithmID::ECDSA_P521,
640 digest: &digest::SHA1_FOR_LEGACY_USE_ONLY,
641 sig_format: EcdsaSignatureFormat::ASN1,
642};
643
644/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-224.
645pub static ECDSA_P521_SHA224_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
646 id: &ec::signature::AlgorithmID::ECDSA_P521,
647 digest: &digest::SHA224,
648 sig_format: EcdsaSignatureFormat::ASN1,
649};
650
651/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-256.
652pub static ECDSA_P521_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
653 id: &ec::signature::AlgorithmID::ECDSA_P521,
654 digest: &digest::SHA256,
655 sig_format: EcdsaSignatureFormat::ASN1,
656};
657
658/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-384.
659pub static ECDSA_P521_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
660 id: &ec::signature::AlgorithmID::ECDSA_P521,
661 digest: &digest::SHA384,
662 sig_format: EcdsaSignatureFormat::ASN1,
663};
664
665/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-512.
666pub static ECDSA_P521_SHA512_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
667 id: &ec::signature::AlgorithmID::ECDSA_P521,
668 digest: &digest::SHA512,
669 sig_format: EcdsaSignatureFormat::ASN1,
670};
671
672/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA3-512.
673pub static ECDSA_P521_SHA3_512_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
674 id: &ec::signature::AlgorithmID::ECDSA_P521,
675 digest: &digest::SHA3_512,
676 sig_format: EcdsaSignatureFormat::ASN1,
677};
678
679/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA-256.
680pub static ECDSA_P256K1_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
681 id: &ec::signature::AlgorithmID::ECDSA_P256K1,
682 digest: &digest::SHA256,
683 sig_format: EcdsaSignatureFormat::ASN1,
684};
685
686/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA3-256.
687pub static ECDSA_P256K1_SHA3_256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
688 id: &ec::signature::AlgorithmID::ECDSA_P256K1,
689 digest: &digest::SHA3_256,
690 sig_format: EcdsaSignatureFormat::ASN1,
691};
692
693/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-256 curve and SHA-256.
694pub static ECDSA_P256_SHA256_FIXED_SIGNING: EcdsaSigningAlgorithm =
695 EcdsaSigningAlgorithm(&ECDSA_P256_SHA256_FIXED);
696
697/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA-384.
698pub static ECDSA_P384_SHA384_FIXED_SIGNING: EcdsaSigningAlgorithm =
699 EcdsaSigningAlgorithm(&ECDSA_P384_SHA384_FIXED);
700
701/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA3-384.
702pub static ECDSA_P384_SHA3_384_FIXED_SIGNING: EcdsaSigningAlgorithm =
703 EcdsaSigningAlgorithm(&ECDSA_P384_SHA3_384_FIXED);
704
705/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-224.
706/// # ⚠️ Warning
707/// The security design strength of SHA-224 digests is less then security strength of P-521.
708/// This scheme should only be used for backwards compatibility purposes.
709pub static ECDSA_P521_SHA224_FIXED_SIGNING: EcdsaSigningAlgorithm =
710 EcdsaSigningAlgorithm(&ECDSA_P521_SHA224_FIXED);
711
712/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-256.
713/// # ⚠️ Warning
714/// The security design strength of SHA-256 digests is less then security strength of P-521.
715/// This scheme should only be used for backwards compatibility purposes.
716pub static ECDSA_P521_SHA256_FIXED_SIGNING: EcdsaSigningAlgorithm =
717 EcdsaSigningAlgorithm(&ECDSA_P521_SHA256_FIXED);
718
719/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-384.
720/// # ⚠️ Warning
721/// The security design strength of SHA-384 digests is less then security strength of P-521.
722/// This scheme should only be used for backwards compatibility purposes.
723pub static ECDSA_P521_SHA384_FIXED_SIGNING: EcdsaSigningAlgorithm =
724 EcdsaSigningAlgorithm(&ECDSA_P521_SHA384_FIXED);
725
726/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-512.
727pub static ECDSA_P521_SHA512_FIXED_SIGNING: EcdsaSigningAlgorithm =
728 EcdsaSigningAlgorithm(&ECDSA_P521_SHA512_FIXED);
729
730/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA3-512.
731pub static ECDSA_P521_SHA3_512_FIXED_SIGNING: EcdsaSigningAlgorithm =
732 EcdsaSigningAlgorithm(&ECDSA_P521_SHA3_512_FIXED);
733
734/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA-256.
735pub static ECDSA_P256K1_SHA256_FIXED_SIGNING: EcdsaSigningAlgorithm =
736 EcdsaSigningAlgorithm(&ECDSA_P256K1_SHA256_FIXED);
737
738/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA3-256.
739pub static ECDSA_P256K1_SHA3_256_FIXED_SIGNING: EcdsaSigningAlgorithm =
740 EcdsaSigningAlgorithm(&ECDSA_P256K1_SHA3_256_FIXED);
741
742/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-256.
743pub static ECDSA_P256_SHA256_ASN1_SIGNING: EcdsaSigningAlgorithm =
744 EcdsaSigningAlgorithm(&ECDSA_P256_SHA256_ASN1);
745
746/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-384.
747pub static ECDSA_P384_SHA384_ASN1_SIGNING: EcdsaSigningAlgorithm =
748 EcdsaSigningAlgorithm(&ECDSA_P384_SHA384_ASN1);
749
750/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA3-384.
751pub static ECDSA_P384_SHA3_384_ASN1_SIGNING: EcdsaSigningAlgorithm =
752 EcdsaSigningAlgorithm(&ECDSA_P384_SHA3_384_ASN1);
753
754/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-224.
755/// # ⚠️ Warning
756/// The security design strength of SHA-224 digests is less then security strength of P-521.
757/// This scheme should only be used for backwards compatibility purposes.
758pub static ECDSA_P521_SHA224_ASN1_SIGNING: EcdsaSigningAlgorithm =
759 EcdsaSigningAlgorithm(&ECDSA_P521_SHA224_ASN1);
760
761/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-256.
762/// # ⚠️ Warning
763/// The security design strength of SHA-256 digests is less then security strength of P-521.
764/// This scheme should only be used for backwards compatibility purposes.
765pub static ECDSA_P521_SHA256_ASN1_SIGNING: EcdsaSigningAlgorithm =
766 EcdsaSigningAlgorithm(&ECDSA_P521_SHA256_ASN1);
767
768/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-384.
769/// # ⚠️ Warning
770/// The security design strength of SHA-384 digests is less then security strength of P-521.
771/// This scheme should only be used for backwards compatibility purposes.
772pub static ECDSA_P521_SHA384_ASN1_SIGNING: EcdsaSigningAlgorithm =
773 EcdsaSigningAlgorithm(&ECDSA_P521_SHA384_ASN1);
774
775/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-512.
776pub static ECDSA_P521_SHA512_ASN1_SIGNING: EcdsaSigningAlgorithm =
777 EcdsaSigningAlgorithm(&ECDSA_P521_SHA512_ASN1);
778
779/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA3-512.
780pub static ECDSA_P521_SHA3_512_ASN1_SIGNING: EcdsaSigningAlgorithm =
781 EcdsaSigningAlgorithm(&ECDSA_P521_SHA3_512_ASN1);
782
783/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA-256.
784pub static ECDSA_P256K1_SHA256_ASN1_SIGNING: EcdsaSigningAlgorithm =
785 EcdsaSigningAlgorithm(&ECDSA_P256K1_SHA256_ASN1);
786
787/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA3-256.
788pub static ECDSA_P256K1_SHA3_256_ASN1_SIGNING: EcdsaSigningAlgorithm =
789 EcdsaSigningAlgorithm(&ECDSA_P256K1_SHA3_256_ASN1);
790
791/// Verification of Ed25519 signatures.
792pub static ED25519: EdDSAParameters = EdDSAParameters {};
793
794#[cfg(test)]
795mod tests {
796 use regex::Regex;
797
798 use crate::rand::{generate, SystemRandom};
799 use crate::signature::{UnparsedPublicKey, ED25519};
800
801 #[cfg(feature = "fips")]
802 mod fips;
803
804 #[test]
805 fn test_unparsed_public_key() {
806 let random_pubkey: [u8; 32] = generate(&SystemRandom::new()).unwrap().expose();
807 let unparsed_pubkey = UnparsedPublicKey::new(&ED25519, random_pubkey);
808 let unparsed_pubkey_debug = format!("{:?}", &unparsed_pubkey);
809
810 #[allow(clippy::clone_on_copy)]
811 let unparsed_pubkey_clone = unparsed_pubkey.clone();
812 assert_eq!(unparsed_pubkey_debug, format!("{unparsed_pubkey_clone:?}"));
813 let pubkey_re = Regex::new(
814 "UnparsedPublicKey \\{ algorithm: EdDSAParameters, bytes: \"[0-9a-f]{64}\" \\}",
815 )
816 .unwrap();
817
818 assert!(pubkey_re.is_match(&unparsed_pubkey_debug));
819 }
820}