tasign 0.2.0

//! PKIX signature verification: SM2 via `crate::crypto`, RSA/P-256 via embedded `pkix_path`.

use der::asn1::ObjectIdentifier;
use spki::{AlgorithmIdentifierRef, SubjectPublicKeyInfoRef};

use crate::crypto::cert_sm2::verify_cert_signature_sec1;
use super::pkix_path::{DefaultVerifier, SignatureVerifier};

/// sm2sign-with-sm3: 1.2.156.10197.1.501
pub const OID_SM2_SIGN_SM3: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.156.10197.1.501");

/// Verify X.509 certificate signatures using SM2 ZA||M semantics (`tasign::crypto`).
#[derive(Debug, Default, Clone, Copy)]
pub struct Sm2SignatureVerifier;

impl SignatureVerifier for Sm2SignatureVerifier {
    fn verify_signature(
        &self,
        algorithm: AlgorithmIdentifierRef<'_>,
        issuer_spki: SubjectPublicKeyInfoRef<'_>,
        message: &[u8],
        signature: &[u8],
    ) -> core::result::Result<(), signature::Error> {
        if algorithm.oid != OID_SM2_SIGN_SM3 {
            return Err(signature::Error::new());
        }
        let sec1 = issuer_spki.subject_public_key.raw_bytes();
        verify_cert_signature_sec1(sec1, message, signature)
            .map_err(|_| signature::Error::new())
    }
}

/// SM2 + RSA/ECDSA (RustCrypto backends wired in `pkix-path`).
#[derive(Debug, Default, Clone, Copy)]
pub struct TasignSignatureVerifier;

impl SignatureVerifier for TasignSignatureVerifier {
    fn verify_signature(
        &self,
        algorithm: AlgorithmIdentifierRef<'_>,
        issuer_spki: SubjectPublicKeyInfoRef<'_>,
        message: &[u8],
        signature: &[u8],
    ) -> core::result::Result<(), signature::Error> {
        if algorithm.oid == OID_SM2_SIGN_SM3 {
            Sm2SignatureVerifier.verify_signature(algorithm, issuer_spki, message, signature)
        } else {
            DefaultVerifier.verify_signature(algorithm, issuer_spki, message, signature)
        }
    }
}