cdx-core 0.7.1

Core library for reading, writing, and validating Codex Document Format (.cdx) files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293

//! ML-DSA-65 post-quantum signature implementation (FIPS-204).
//!
//! ML-DSA (Module-Lattice Digital Signature Algorithm) is a post-quantum
//! cryptographic signature scheme standardized in FIPS-204. This module
//! implements the ML-DSA-65 parameter set, providing 128-bit post-quantum
//! security.
//!
//! # Warning
//!
//! Post-quantum cryptography is still maturing. While ML-DSA-65 is
//! standardized by NIST, implementations should be considered experimental.

use crate::error::signature_error;
use crate::{DocumentId, Result};

use super::signature::{Signature, SignatureAlgorithm, SignatureVerification, SignerInfo};
use super::signer::{Signer, Verifier};

/// ML-DSA-65 signer.
///
/// Uses the FIPS-204 ML-DSA-65 parameter set for post-quantum digital signatures.
///
/// # Key Format
///
/// Keys are represented as 32-byte seeds. A seed deterministically derives
/// both the signing and verifying keys via ML-DSA.KeyGen_internal (FIPS 204).
#[cfg(feature = "ml-dsa")]
pub struct MlDsaSigner {
    signing_key: ml_dsa::SigningKey<ml_dsa::MlDsa65>,
    seed: zeroize::Zeroizing<[u8; 32]>,
    signer_info: SignerInfo,
}

#[cfg(feature = "ml-dsa")]
impl MlDsaSigner {
    /// Create a signer from a 32-byte seed.
    ///
    /// The seed deterministically derives the full signing and verifying keys.
    ///
    /// # Arguments
    ///
    /// * `seed_bytes` - The 32-byte seed
    /// * `signer_info` - Information about the signer
    ///
    /// # Errors
    ///
    /// Returns an error if the seed is not exactly 32 bytes.
    pub fn from_bytes(seed_bytes: &[u8], signer_info: SignerInfo) -> Result<Self> {
        use ml_dsa::KeyGen;

        let seed: [u8; 32] = seed_bytes.try_into().map_err(|_| {
            signature_error(format!(
                "Invalid ML-DSA-65 seed length: expected 32, got {}",
                seed_bytes.len()
            ))
        })?;

        let kp = ml_dsa::MlDsa65::from_seed(&seed.into());

        Ok(Self {
            signing_key: kp.signing_key().clone(),
            seed: zeroize::Zeroizing::new(seed),
            signer_info,
        })
    }

    /// Generate a new random ML-DSA-65 key pair.
    ///
    /// Returns the signer and the encoded public (verifying) key bytes.
    ///
    /// # Errors
    ///
    /// Returns an error if key generation fails.
    #[allow(clippy::missing_panics_doc)] // getrandom::SysRng only fails on misconfigured systems
    pub fn generate(signer_info: SignerInfo) -> Result<(Self, Vec<u8>)> {
        use ml_dsa::KeyGen;

        let kp = ml_dsa::MlDsa65::key_gen(&mut rand_core::UnwrapErr(getrandom::SysRng));
        let seed: [u8; 32] = kp.to_seed().into();
        let public_key_bytes = kp.verifying_key().encode().to_vec();

        Ok((
            Self {
                signing_key: kp.signing_key().clone(),
                seed: zeroize::Zeroizing::new(seed),
                signer_info,
            },
            public_key_bytes,
        ))
    }

    /// Get the public (verifying) key bytes.
    #[must_use]
    pub fn public_key_bytes(&self) -> Vec<u8> {
        self.signing_key.verifying_key().encode().to_vec()
    }

    /// Get the secret key seed (32 bytes).
    ///
    /// # Security Warning
    ///
    /// Handle seed bytes with care. Do not log or expose them.
    #[must_use]
    pub fn secret_key_bytes(&self) -> Vec<u8> {
        self.seed.to_vec()
    }
}

#[cfg(feature = "ml-dsa")]
impl Signer for MlDsaSigner {
    fn algorithm(&self) -> SignatureAlgorithm {
        SignatureAlgorithm::MlDsa65
    }

    fn signer_info(&self) -> SignerInfo {
        self.signer_info.clone()
    }

    fn sign(&self, document_id: &DocumentId) -> Result<Signature> {
        use base64::Engine;
        use ml_dsa::signature::Signer as MlDsaSignerTrait;

        if document_id.is_pending() {
            return Err(crate::Error::InvalidManifest {
                reason: "Cannot sign a pending document ID".to_string(),
            });
        }

        // Sign the document ID bytes
        let signature = self.signing_key.sign(document_id.digest());

        // Encode as base64
        let value = base64::engine::general_purpose::STANDARD.encode(signature.encode());

        // Generate signature ID
        let sig_id = format!(
            "sig-{}",
            &crate::Hasher::hash(crate::HashAlgorithm::Sha256, value.as_bytes()).hex_digest()[..8]
        );

        Ok(Signature::new(
            sig_id,
            SignatureAlgorithm::MlDsa65,
            self.signer_info.clone(),
            value,
        ))
    }
}

/// ML-DSA-65 verifier.
#[cfg(feature = "ml-dsa")]
pub struct MlDsaVerifier {
    verifying_key: ml_dsa::VerifyingKey<ml_dsa::MlDsa65>,
}

#[cfg(feature = "ml-dsa")]
impl MlDsaVerifier {
    /// Create a verifier from encoded public key bytes.
    ///
    /// # Arguments
    ///
    /// * `public_key_bytes` - The encoded verifying key bytes
    ///
    /// # Errors
    ///
    /// Returns an error if the key bytes are invalid.
    pub fn from_bytes(public_key_bytes: &[u8]) -> Result<Self> {
        let verifying_key =
            ml_dsa::VerifyingKey::decode(public_key_bytes.try_into().map_err(|_| {
                signature_error(format!(
                    "Invalid ML-DSA-65 public key length: got {}",
                    public_key_bytes.len()
                ))
            })?);

        Ok(Self { verifying_key })
    }
}

#[cfg(feature = "ml-dsa")]
impl Verifier for MlDsaVerifier {
    fn verify(
        &self,
        document_id: &DocumentId,
        signature: &Signature,
    ) -> Result<SignatureVerification> {
        use base64::Engine;
        use ml_dsa::signature::Verifier as MlDsaVerifierTrait;

        if signature.algorithm != SignatureAlgorithm::MlDsa65 {
            return Ok(SignatureVerification::invalid(
                &signature.id,
                format!(
                    "Algorithm mismatch: expected ML-DSA-65, got {}",
                    signature.algorithm
                ),
            ));
        }

        // Decode signature from base64
        let sig_bytes = base64::engine::general_purpose::STANDARD
            .decode(&signature.value)
            .map_err(|e| signature_error(format!("Failed to decode signature: {e}")))?;

        // Parse ML-DSA signature
        let ml_sig =
            ml_dsa::Signature::<ml_dsa::MlDsa65>::try_from(sig_bytes.as_slice()).map_err(|_| {
                signature_error(format!(
                    "Invalid ML-DSA-65 signature length: got {}",
                    sig_bytes.len()
                ))
            })?;

        // Verify
        match self.verifying_key.verify(document_id.digest(), &ml_sig) {
            Ok(()) => Ok(SignatureVerification::valid(&signature.id)),
            Err(e) => Ok(SignatureVerification::invalid(
                &signature.id,
                format!("ML-DSA-65 signature verification failed: {e}"),
            )),
        }
    }
}

#[cfg(all(test, feature = "ml-dsa"))]
mod tests {
    use super::*;
    use crate::security::test_helpers;

    fn generate_keypair() -> (MlDsaSigner, MlDsaVerifier) {
        let signer_info = SignerInfo::new("Test ML-DSA Signer");
        let (signer, public_key_bytes) = MlDsaSigner::generate(signer_info).unwrap();
        let verifier = MlDsaVerifier::from_bytes(&public_key_bytes).unwrap();
        (signer, verifier)
    }

    #[test]
    fn test_generate_and_sign() {
        let signer_info = SignerInfo::new("Test ML-DSA Signer");
        let (signer, public_key_bytes) = MlDsaSigner::generate(signer_info).unwrap();

        assert!(!public_key_bytes.is_empty());

        test_helpers::assert_sign_produces_valid_signature(&signer, SignatureAlgorithm::MlDsa65);
    }

    #[test]
    fn test_sign_and_verify() {
        let (signer, verifier) = generate_keypair();
        test_helpers::assert_sign_verify_roundtrip(&signer, &verifier);
    }

    #[test]
    fn test_verify_wrong_document() {
        let (signer, verifier) = generate_keypair();
        test_helpers::assert_verify_wrong_document_fails(&signer, &verifier);
    }

    #[test]
    fn test_cannot_sign_pending_id() {
        let (signer, _) = generate_keypair();
        test_helpers::assert_cannot_sign_pending_id(&signer);
    }

    #[test]
    fn test_algorithm_mismatch() {
        let (signer, verifier) = generate_keypair();
        test_helpers::assert_algorithm_mismatch_rejected(
            &signer,
            &verifier,
            SignatureAlgorithm::ES256,
        );
    }

    #[test]
    fn test_key_round_trip() {
        let signer_info = SignerInfo::new("Test Signer");
        let (original_signer, _) = MlDsaSigner::generate(signer_info.clone()).unwrap();

        let secret_bytes = original_signer.secret_key_bytes();
        let public_bytes = original_signer.public_key_bytes();

        let restored_signer = MlDsaSigner::from_bytes(&secret_bytes, signer_info).unwrap();

        let doc_id = crate::Hasher::hash(crate::HashAlgorithm::Sha256, b"test document");
        let sig1 = original_signer.sign(&doc_id).unwrap();
        let sig2 = restored_signer.sign(&doc_id).unwrap();

        let verifier = MlDsaVerifier::from_bytes(&public_bytes).unwrap();
        assert!(verifier.verify(&doc_id, &sig1).unwrap().is_valid());
        assert!(verifier.verify(&doc_id, &sig2).unwrap().is_valid());
    }
}