Trait SignatureVerifier 

pub trait SignatureVerifier {
    // Required method
    fn verify_signature(
        &self,
        algorithm: AlgorithmIdentifierRef<'_>,
        issuer_spki: SubjectPublicKeyInfoRef<'_>,
        message: &[u8],
        signature: &[u8],
    ) -> Result<(), SignatureError>;
}

Pluggable signature verification backend.

Implement this trait to provide algorithm-specific signature verification. The trait is OID-dispatched: the algorithm argument carries the OID and any parameters from the certificate’s signatureAlgorithm field.

Implementing a custom backend

struct MyVerifier;

impl pkix_path::SignatureVerifier for MyVerifier {
    fn verify_signature(
        &self,
        algorithm: spki::AlgorithmIdentifierRef<'_>,
        issuer_spki: spki::SubjectPublicKeyInfoRef<'_>,
        message: &[u8],
        signature: &[u8],
    ) -> core::result::Result<(), signature::Error> {
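        // Dispatch on the OID from the certificate's signatureAlgorithm field.
        // MY_RSA_OID and MY_ECDSA_OID stand for the OIDs this backend supports.
        match algorithm.oid {
            MY_RSA_OID => { /* ... */ }
            MY_ECDSA_OID => { /* ... */ }
            // Unsupported algorithm: fail closed.
            _ => Err(signature::Error::new()),
        }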
    }
}

Required Methods

fn verify_signature(&self, algorithm: AlgorithmIdentifierRef<'_>, issuer_spki: SubjectPublicKeyInfoRef<'_>, message: &[u8], signature: &[u8]) -> Result<(), SignatureError>

Verify signature over message.

  • algorithm — from the subject cert’s signatureAlgorithm field
  • issuer_spki — SPKI extracted from the issuer or trust anchor cert
  • message — DER-encoded TBSCertificate (the bytes that were signed)
  • signature — raw signature bytes (BitString content, not the wrapper)

Returns Ok(()) on success or Err(signature::Error) on failure. The caller (validate_path) maps the error to Error::SignatureInvalid with the correct chain index — the verifier does not need to know it.
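
Because algorithm is taken from the certificate being checked, a backend can vet it before any cryptography runs. The block below is an added example, not code from pkix_path: a hypothetical StrictVerifier wrapper that allow-lists two OIDs, checks their parameters and the issuer key type, then delegates. AlgId, Spki, SigError and AcceptAll are stand-ins (assumptions) so the block compiles without the crate; they are not the crate's types.

```rust
// Stand-ins (assumptions) for the spki types in the trait signature, reduced to
// the fields read here: OIDs as dotted strings, parameters as raw DER bytes.
pub struct AlgId<'a> { pub oid: &'a str, pub parameters: Option<&'a [u8]> }
pub struct Spki<'a> { pub algorithm: AlgId<'a>, pub key: &'a [u8] }
#[derive(Debug, PartialEq)] pub struct SigError;
// Same shape as the trait on this page, over the stand-in types.
pub trait SignatureVerifier {
    fn verify_signature(&self, algorithm: &AlgId<'_>, issuer_spki: &Spki<'_>,
                        message: &[u8], signature: &[u8]) -> Result<(), SigError>;
}
pub const SHA256_WITH_RSA: &str = "1.2.840.113549.1.1.11";
pub const ECDSA_WITH_SHA256: &str = "1.2.840.10045.4.3.2";
pub const RSA_ENCRYPTION: &str = "1.2.840.113549.1.1.1";
pub const EC_PUBLIC_KEY: &str = "1.2.840.10045.2.1";
pub const DER_NULL: &[u8] = &[0x05, 0x00];
/// Hypothetical policy wrapper: vet the AlgorithmIdentifier, then delegate.
pub struct StrictVerifier<V>(pub V);
impl<V: SignatureVerifier> SignatureVerifier for StrictVerifier<V> {
    fn verify_signature(&self, algorithm: &AlgId<'_>, issuer_spki: &Spki<'_>,
                        message: &[u8], signature: &[u8]) -> Result<(), SigError> {
        let (key_oid, params_ok) = match algorithm.oid {
            // RFC 4055: parameters are NULL; absent must be accepted too.
            SHA256_WITH_RSA => (RSA_ENCRYPTION,
                algorithm.parameters.map_or(true, |p| p == DER_NULL)),
            // RFC 5758: parameters must be omitted.
            ECDSA_WITH_SHA256 => (EC_PUBLIC_KEY, algorithm.parameters.is_none()),
            // Anything else (for example SHA-1 based OIDs) fails closed.
            _ => return Err(SigError),
        };
        // Issuer key type must match the signature algorithm family.
        if !params_ok || issuer_spki.algorithm.oid != key_oid || signature.is_empty() {
            return Err(SigError);
        }
        self.0.verify_signature(algorithm, issuer_spki, message, signature)
    }
}

/// Constructed stub standing in for a real cryptographic backend.
pub struct AcceptAll;
impl SignatureVerifier for AcceptAll {
    fn verify_signature(&self, _: &AlgId<'_>, _: &Spki<'_>, _: &[u8], _: &[u8])
        -> Result<(), SigError> { Ok(()) }
}

fn main() {
    let key = Spki { algorithm: AlgId { oid: RSA_ENCRYPTION, parameters: Some(DER_NULL) }, key: &[] };
    let alg = AlgId { oid: ECDSA_WITH_SHA256, parameters: None }; // wrong family for an RSA key
    println!("{:?}", StrictVerifier(AcceptAll).verify_signature(&alg, &key, b"tbs", &[1]));
}
```

In a real backend the inner verifier would be one that performs the cryptographic check; the stub is there only to show which inputs never reach it.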

Implementors

impl SignatureVerifier for DefaultVerifier
Available on crate features p256 or rsa only.

impl SignatureVerifier for EcdsaP256Verifier
Available on crate feature p256 only.

impl SignatureVerifier for RsaPkcs1v15Sha256Verifier
Available on crate feature rsa only.