pub struct PublicKey { /* private fields */ }Expand description
Verification-side public key. Internally an enum over the supported
algorithm families. Construction goes through from_spki_der so the OIDs
in the SPKI header drive variant selection — there is no way to construct
a PublicKey whose algorithm tag disagrees with the underlying key
material.
Implementations§
Source§impl PublicKey
impl PublicKey
Sourcepub fn from_spki_der(spki: &[u8]) -> Result<Self, Error>
pub fn from_spki_der(spki: &[u8]) -> Result<Self, Error>
Decode a DER-encoded SubjectPublicKeyInfo and dispatch on the
algorithm OID. Unrecognized OIDs map to Error::X509Parse so callers
can treat the cert as untrusted rather than panic.
Sourcepub fn algorithm_family(&self) -> PublicKeyAlgorithm
pub fn algorithm_family(&self) -> PublicKeyAlgorithm
Algorithm family for this key, used by KeyPair::sign and the verifier
to enforce algorithm/key-family pairings.
Sourcepub fn verify_signature(
&self,
algorithm: SignatureAlgorithm,
signed_bytes: &[u8],
signature_bytes: &[u8],
) -> Result<(), Error>
pub fn verify_signature( &self, algorithm: SignatureAlgorithm, signed_bytes: &[u8], signature_bytes: &[u8], ) -> Result<(), Error>
Verify a signature against signed_bytes using this public key under
algorithm. Mismatched algorithm/key-family pairs return
Error::SignatureVerification { reason: "key/alg family mismatch" }
rather than attempting verification — this is the policy point for
rejecting RSA signatures presented with an EC key, etc.
For ECDSA, the signature is tried first as IEEE P1363 (raw r || s,
the XML-DSig encoding) and then as ASN.1 DER (the format some legacy
IdPs send). Most real-world SAML payloads use IEEE P1363.