pub trait SignatureVerifier {
    // Required method
    fn verify_signature(
        &self,
        algorithm: AlgorithmIdentifierRef<'_>,
        issuer_spki: SubjectPublicKeyInfoRef<'_>,
        message: &[u8],
        signature: &[u8],
    ) -> Result<(), SignatureError>;
}
Pluggable signature verification backend.
Implement this trait to provide algorithm-specific signature verification.
The trait is OID-dispatched: the algorithm argument carries the OID and
any parameters from the certificate’s signatureAlgorithm field.
This trait is object-safe and can be used as dyn SignatureVerifier.
All method arguments are either &self or borrows, so no Sized bound
is implied.
§Implementing a custom backend
use der::asn1::ObjectIdentifier;

const MY_RSA_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11");
const MY_ECDSA_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.4.3.2");

struct MyVerifier;

impl pkix_path::SignatureVerifier for MyVerifier {
    fn verify_signature(
        &self,
        algorithm: spki::AlgorithmIdentifierRef<'_>,
        _issuer_spki: spki::SubjectPublicKeyInfoRef<'_>,
        _message: &[u8],
        _signature: &[u8],
    ) -> core::result::Result<(), signature::Error> {
        // Dispatch on the OID from the certificate's signatureAlgorithm field.
        match algorithm.oid {
            // Placeholder arms: a real backend performs the verification here
            // and returns Ok(()) only when the signature checks out.
            MY_RSA_OID => { Ok(()) /* RSA verification */ }
            MY_ECDSA_OID => { Ok(()) /* ECDSA verification */ }
            // Any other algorithm is rejected.
            _ => Err(signature::Error::new()),
        }
    }
}
Required Methods§
fn verify_signature(
    &self,
    algorithm: AlgorithmIdentifierRef<'_>,
    issuer_spki: SubjectPublicKeyInfoRef<'_>,
    message: &[u8],
    signature: &[u8],
) -> Result<(), SignatureError>
Verify signature over message.
- algorithm — from the subject cert’s signatureAlgorithm field
- issuer_spki — SPKI extracted from the issuer or trust anchor cert
- message — DER-encoded TBSCertificate (the bytes that were signed)
- signature — raw signature bytes (BitString content, not the wrapper)
Returns Ok(()) on success or Err(signature::Error) on failure.
The caller (validate_path) maps the error to Error::SignatureInvalid
with the correct chain index — the verifier does not need to know it.
§Errors
Returns Err(signature::Error) if the signature does not verify against the given public key and data.
Dyn Compatibility§
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".
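The OID dispatch and dyn SignatureVerifier use described above, as an added example that is not part of the crate's own documentation or code: a hypothetical AllowListVerifier wraps any backend and rejects algorithms outside an allow-list before the backend runs. The trait shape, SigError, CountingBackend and the string OIDs are simplified std-only stand-ins for the real pkix_path, spki and signature types.

```rust
use std::cell::Cell;

// Stand-ins (assumption): std-only mirror of the trait so the block compiles
// alone. The OID is a dotted string and the SPKI is raw bytes.
#[derive(Debug, PartialEq)]
pub struct SigError;
pub trait SignatureVerifier {
    fn verify_signature(&self, oid: &str, issuer_spki: &[u8], message: &[u8],
                        signature: &[u8]) -> Result<(), SigError>;
}

/// Hypothetical policy wrapper: only allow-listed OIDs reach the inner backend.
pub struct AllowListVerifier<'a> {
    pub allowed: &'a [&'a str],
    pub inner: &'a dyn SignatureVerifier,
}
impl<'a> SignatureVerifier for AllowListVerifier<'a> {
    fn verify_signature(&self, oid: &str, spki: &[u8], msg: &[u8],
                        sig: &[u8]) -> Result<(), SigError> {
        if !self.allowed.iter().any(|a| *a == oid) {
            return Err(SigError); // fail closed before the backend is called
        }
        self.inner.verify_signature(oid, spki, msg, sig)
    }
}

/// Constructed backend that accepts everything and counts calls, so only the
/// wrapper's decision is observed. It performs no cryptography.
pub struct CountingBackend { pub calls: Cell<usize> }
impl SignatureVerifier for CountingBackend {
    fn verify_signature(&self, _: &str, _: &[u8], _: &[u8], _: &[u8]) -> Result<(), SigError> {
        self.calls.set(self.calls.get() + 1);
        Ok(())
    }
}

pub const RSA_SHA256: &str = "1.2.840.113549.1.1.11"; // OID used on this page
pub const ECDSA_SHA256: &str = "1.2.840.10045.4.3.2"; // OID used on this page
pub const RSA_SHA1: &str = "1.2.840.113549.1.1.5"; // sha1WithRSAEncryption, not allow-listed

fn main() {
    let backend = CountingBackend { calls: Cell::new(0) };
    let policy = AllowListVerifier { allowed: &[RSA_SHA256, ECDSA_SHA256], inner: &backend };
    // Constructed inputs: the byte strings are placeholders, not real DER.
    println!("{:?}", policy.verify_signature(RSA_SHA1, b"spki", b"tbs", b"sig"));
    println!("backend calls: {}", backend.calls.get());
}
```

Because the wrapper itself implements the trait, it can be passed anywhere a dyn SignatureVerifier is accepted, and wrappers can be stacked.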
Implementors§
impl SignatureVerifier for DefaultVerifier
    p256 or p384 or rsa only.
impl SignatureVerifier for EcdsaP256Verifier
    p256 only.
impl SignatureVerifier for EcdsaP384Verifier
    p384 only.
impl SignatureVerifier for RsaPkcs1v15Sha256Verifier
    rsa only.
impl SignatureVerifier for RsaPkcs1v15Sha384Verifier
    rsa only.
impl SignatureVerifier for RsaPkcs1v15Sha512Verifier
    rsa only.