bcx-crypto 0.3.0

Crypto-agile BCX envelope metadata and verifier traits.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315

use crate::VerificationError;
use bcx_core::Digest;
use bcx_wire::WireLimits;
use core::fmt;

/// Signature algorithms named by BCX metadata.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum SignatureAlgorithm {
    /// Ed25519 for compact classical signatures.
    Ed25519,
    /// ML-DSA-65 for post-quantum-ready deployments.
    MlDsa65,
    /// SLH-DSA-SHA2-128s for conservative stateless signatures.
    SlhDsaSha2_128s,
    /// Hybrid Ed25519 plus ML-DSA-65 signature envelope.
    ///
    /// Canonical layout is `[ed25519: 64 bytes][ml-dsa-65: 3293 bytes]`.
    /// Verifiers must verify both components before returning `Ok`.
    HybridEd25519MlDsa65,
}

impl SignatureAlgorithm {
    /// Ed25519 signature byte length.
    pub const ED25519_SIGNATURE_LEN: usize = 64;
    /// ML-DSA-65 signature byte length.
    pub const ML_DSA_65_SIGNATURE_LEN: usize = 3_293;
    /// SLH-DSA-SHA2-128s signature byte length.
    pub const SLH_DSA_SHA2_128S_SIGNATURE_LEN: usize = 7_856;
    /// Hybrid Ed25519 plus ML-DSA-65 signature byte length.
    pub const HYBRID_ED25519_ML_DSA_65_SIGNATURE_LEN: usize =
        Self::ED25519_SIGNATURE_LEN + Self::ML_DSA_65_SIGNATURE_LEN;

    /// Returns the exact signature length admitted for this algorithm.
    #[must_use]
    pub const fn expected_signature_len(self) -> usize {
        match self {
            Self::Ed25519 => Self::ED25519_SIGNATURE_LEN,
            Self::MlDsa65 => Self::ML_DSA_65_SIGNATURE_LEN,
            Self::SlhDsaSha2_128s => Self::SLH_DSA_SHA2_128S_SIGNATURE_LEN,
            Self::HybridEd25519MlDsa65 => Self::HYBRID_ED25519_ML_DSA_65_SIGNATURE_LEN,
        }
    }

    /// Splits a hybrid signature into Ed25519 and ML-DSA-65 components.
    ///
    /// Layout: `[ed25519: 64 bytes][ml-dsa-65: 3293 bytes]`. Verifiers for
    /// `HybridEd25519MlDsa65` must verify both returned components.
    #[must_use]
    pub fn split_hybrid(self, signature: &[u8]) -> Option<(&[u8], &[u8])> {
        match self {
            Self::HybridEd25519MlDsa65
                if signature.len() == Self::HYBRID_ED25519_ML_DSA_65_SIGNATURE_LEN =>
            {
                Some(signature.split_at(Self::ED25519_SIGNATURE_LEN))
            }
            Self::Ed25519 | Self::MlDsa65 | Self::SlhDsaSha2_128s | Self::HybridEd25519MlDsa65 => {
                None
            }
        }
    }
}

/// Closed algorithm admission policy for a verification context.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub struct AlgorithmPolicy<'a> {
    admitted: &'a [SignatureAlgorithm],
}

impl<'a> AlgorithmPolicy<'a> {
    /// Creates an algorithm admission policy from an explicit allow-list.
    ///
    /// Admitting several algorithms lets the sender choose any admitted
    /// algorithm, including the weakest one. High-assurance deployments should
    /// admit exactly one algorithm for an operation class unless downgrade
    /// behavior is explicitly part of the profile security contract.
    pub const fn new(admitted: &'a [SignatureAlgorithm]) -> Result<Self, VerificationError> {
        if admitted.is_empty() {
            Err(VerificationError::EmptyAlgorithmPolicy)
        } else {
            Ok(Self { admitted })
        }
    }

    /// Creates an explicit deny-all algorithm policy.
    #[must_use]
    pub const fn deny_all() -> Self {
        Self { admitted: &[] }
    }

    /// Returns true when the algorithm is admitted by this policy.
    #[must_use]
    pub const fn admits(&self, algorithm: SignatureAlgorithm) -> bool {
        let mut index = 0;
        while index < self.admitted.len() {
            if self.admitted[index].eq_const(algorithm) {
                return true;
            }
            index += 1;
        }
        false
    }
}

impl SignatureAlgorithm {
    const fn eq_const(self, other: Self) -> bool {
        match (self, other) {
            (Self::Ed25519, Self::Ed25519) => true,
            (Self::Ed25519, Self::MlDsa65) => false,
            (Self::Ed25519, Self::SlhDsaSha2_128s) => false,
            (Self::Ed25519, Self::HybridEd25519MlDsa65) => false,
            (Self::MlDsa65, Self::Ed25519) => false,
            (Self::MlDsa65, Self::MlDsa65) => true,
            (Self::MlDsa65, Self::SlhDsaSha2_128s) => false,
            (Self::MlDsa65, Self::HybridEd25519MlDsa65) => false,
            (Self::SlhDsaSha2_128s, Self::Ed25519) => false,
            (Self::SlhDsaSha2_128s, Self::MlDsa65) => false,
            (Self::SlhDsaSha2_128s, Self::SlhDsaSha2_128s) => true,
            (Self::SlhDsaSha2_128s, Self::HybridEd25519MlDsa65) => false,
            (Self::HybridEd25519MlDsa65, Self::Ed25519) => false,
            (Self::HybridEd25519MlDsa65, Self::MlDsa65) => false,
            (Self::HybridEd25519MlDsa65, Self::SlhDsaSha2_128s) => false,
            (Self::HybridEd25519MlDsa65, Self::HybridEd25519MlDsa65) => true,
        }
    }
}

/// Signature metadata over a canonical BCX payload.
#[derive(Clone, Copy, Eq, PartialEq)]
pub struct SignatureEnvelope<'a> {
    key_id: Digest,
    algorithm: SignatureAlgorithm,
    signature: &'a [u8],
}

impl<'a> SignatureEnvelope<'a> {
    /// Creates a validated signature envelope.
    pub fn new(
        key_id: Digest,
        algorithm: SignatureAlgorithm,
        signature: &'a [u8],
        limits: WireLimits,
    ) -> Result<Self, VerificationError> {
        let envelope = Self {
            key_id,
            algorithm,
            signature,
        };
        match envelope.validate(limits) {
            Ok(()) => Ok(envelope),
            Err(error) => Err(error),
        }
    }

    /// Validates envelope shape before algorithm dispatch.
    pub(crate) fn validate(&self, limits: WireLimits) -> Result<(), VerificationError> {
        if self.key_id.is_zero() {
            return Err(VerificationError::EmptyKeyId);
        }
        if self.signature.is_empty() {
            return Err(VerificationError::EmptySignature);
        }
        if self.signature.len() > limits.maximum_message_len() {
            return Err(VerificationError::SignatureTooLarge);
        }
        if self.signature.len() != self.algorithm.expected_signature_len() {
            return Err(VerificationError::InvalidSignature);
        }
        Ok(())
    }

    /// Returns the signing key or certificate-chain commitment.
    #[must_use]
    pub const fn key_id(&self) -> Digest {
        self.key_id
    }

    /// Returns the signature algorithm.
    #[must_use]
    pub const fn algorithm(&self) -> SignatureAlgorithm {
        self.algorithm
    }

    /// Returns raw signature bytes.
    #[must_use]
    pub const fn signature(&self) -> &'a [u8] {
        self.signature
    }
}

impl<'a> fmt::Debug for SignatureEnvelope<'a> {
    fn fmt(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
        formatter
            .debug_struct("SignatureEnvelope")
            .field("key_id", &self.key_id)
            .field("algorithm", &self.algorithm)
            .field(
                "signature",
                &format_args!("[{} bytes]", self.signature.len()),
            )
            .finish()
    }
}

/// Payload paired with a signature envelope.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub struct SignedEnvelope<'a, T> {
    payload: T,
    signature: SignatureEnvelope<'a>,
}

impl<'a, T> SignedEnvelope<'a, T> {
    /// Creates a signed envelope from a payload and validated signature metadata.
    #[must_use]
    pub const fn new(payload: T, signature: SignatureEnvelope<'a>) -> Self {
        Self { payload, signature }
    }

    /// Verifies a detached canonical byte representation of this envelope.
    ///
    /// The caller must ensure `canonical_payload` is the exact canonical
    /// encoding of `self.payload()`. BCX will replace this detached helper with
    /// typed canonical encoding once `bcx-codec` is introduced.
    pub fn verify_detached_bytes<V: Verifier>(
        &self,
        verifier: &V,
        algorithm_policy: &AlgorithmPolicy<'_>,
        canonical_payload: &[u8],
        limits: WireLimits,
    ) -> Result<(), VerificationError> {
        if !algorithm_policy.admits(self.signature.algorithm) {
            return Err(VerificationError::AlgorithmNotAdmitted);
        }
        self.signature.validate(limits)?;
        if canonical_payload.len() > limits.maximum_message_len() {
            return Err(VerificationError::PayloadTooLarge);
        }
        match self.signature.algorithm {
            SignatureAlgorithm::HybridEd25519MlDsa65 => verifier
                .verify_hybrid(&self.signature, canonical_payload)
                .map(|_| ()),
            SignatureAlgorithm::Ed25519
            | SignatureAlgorithm::MlDsa65
            | SignatureAlgorithm::SlhDsaSha2_128s => {
                verifier.verify(&self.signature, canonical_payload)
            }
        }
    }

    /// Returns the payload value.
    #[must_use]
    pub const fn payload(&self) -> &T {
        &self.payload
    }

    /// Returns the signature envelope.
    #[must_use]
    pub const fn signature(&self) -> SignatureEnvelope<'a> {
        self.signature
    }
}

/// Proof that both components of a hybrid signature verified.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub struct HybridVerified(());

/// Verification backend boundary for hybrid signature components.
pub trait HybridVerifier {
    /// Verifies the Ed25519 component of a hybrid signature.
    fn verify_ed25519(
        &self,
        ed25519_signature: &[u8],
        canonical_payload: &[u8],
    ) -> Result<(), VerificationError>;

    /// Verifies the ML-DSA-65 component of a hybrid signature.
    fn verify_ml_dsa_65(
        &self,
        ml_dsa_65_signature: &[u8],
        canonical_payload: &[u8],
    ) -> Result<(), VerificationError>;

    /// Verifies both components of a hybrid signature.
    ///
    /// Implementors must run component verification to completion and must not
    /// use intermediate component failures to skip later component work. The
    /// default implementation always invokes both component methods before
    /// combining their results.
    fn verify_hybrid(
        &self,
        envelope: &SignatureEnvelope<'_>,
        canonical_payload: &[u8],
    ) -> Result<HybridVerified, VerificationError> {
        let (ed25519, ml_dsa_65) = envelope
            .algorithm()
            .split_hybrid(envelope.signature())
            .ok_or(VerificationError::InvalidSignature)?;
        let ed25519_ok = self.verify_ed25519(ed25519, canonical_payload).is_ok();
        let ml_dsa_65_ok = self.verify_ml_dsa_65(ml_dsa_65, canonical_payload).is_ok();
        if ed25519_ok & ml_dsa_65_ok {
            Ok(HybridVerified(()))
        } else {
            Err(VerificationError::InvalidSignature)
        }
    }
}

/// Signature verification backend boundary.
pub trait Verifier: HybridVerifier {
    /// Verifies one signature envelope over canonical payload bytes.
    fn verify(
        &self,
        envelope: &SignatureEnvelope<'_>,
        canonical_payload: &[u8],
    ) -> Result<(), VerificationError>;
}