Enum x509_certificate::algorithm::SignatureAlgorithm

source · 
pub enum SignatureAlgorithm {
    RsaSha1,
    RsaSha256,
    RsaSha384,
    RsaSha512,
    EcdsaSha256,
    EcdsaSha384,
    Ed25519,
}
Expand description

An algorithm used to digitally sign content.

Instances can be converted to/from Oid via From/Into.

Similarly, instances can be converted to/from an ASN.1 AlgorithmIdentifier.

It is also possible to obtain a signature::VerificationAlgorithm from an instance. This type can perform actual cryptographic verification that was signed with this algorithm.

Variants§

§

RsaSha1

SHA-1 with RSA encryption.

Corresponds to OID 1.2.840.113549.1.1.5.

§

RsaSha256

SHA-256 with RSA encryption.

Corresponds to OID 1.2.840.113549.1.1.11.

§

RsaSha384

SHA-384 with RSA encryption.

Corresponds to OID 1.2.840.113549.1.1.12.

§

RsaSha512

SHA-512 with RSA encryption.

Corresponds to OID 1.2.840.113549.1.1.13.

§

EcdsaSha256

ECDSA with SHA-256.

Corresponds to OID 1.2.840.10045.4.3.2.

§

EcdsaSha384

ECDSA with SHA-384.

Corresponds to OID 1.2.840.10045.4.3.3.

§

Ed25519

ED25519

Corresponds to OID 1.3.101.112.

Implementations§

Attempt to resolve an instance from an OID, known KeyAlgorithm, and optional DigestAlgorithm.

Signature algorithm OIDs in the wild are typically either:

a) an OID that denotes the key algorithm and corresponding digest format (what this enumeration represents) b) an OID that denotes just the key algorithm.

What this function does is attempt to construct an instance from any OID. If the OID defines a key + digest algorithm, we get a SignatureAlgorithm from that. If we get a key algorithm we combine with the provided DigestAlgorithm to resolve an appropriate SignatureAlgorithm.

Attempt to resolve the verification algorithm using info about the signing key algorithm.

Only specific combinations of methods are supported. e.g. you can only use RSA verification with RSA signing keys. Same for ECDSA and ED25519.

Examples found in repository?
src/signing.rs (line 282)
278
279
280
281
282
283
284
285

    pub fn verification_algorithm(
        &self,
    ) -> Result<&'static dyn ringsig::VerificationAlgorithm, Error> {
        Ok(self.signature_algorithm()?
            .resolve_verification_algorithm(self.key_algorithm().expect("key algorithm should be known for InMemorySigningKeyPair")).expect(
            "illegal combination of key algorithm in signature algorithm: this should not occur"
        ))
    }
More examples
Hide additional examples
src/certificate.rs (line 552)
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622

    pub fn verify_signed_data(
        &self,
        signed_data: impl AsRef<[u8]>,
        signature: impl AsRef<[u8]>,
    ) -> Result<(), Error> {
        let key_algorithm = KeyAlgorithm::try_from(self.key_algorithm_oid())?;
        let signature_algorithm = SignatureAlgorithm::try_from(self.signature_algorithm_oid())?;
        let verify_algorithm = signature_algorithm.resolve_verification_algorithm(key_algorithm)?;

        self.verify_signed_data_with_algorithm(signed_data, signature, verify_algorithm)
    }

    /// Verify a signature over signed data using an explicit verification algorithm.
    ///
    /// This is like [Self::verify_signed_data()] except the verification algorithm to use
    /// is passed in instead of derived from the default algorithm for the signing key's
    /// type.
    pub fn verify_signed_data_with_algorithm(
        &self,
        signed_data: impl AsRef<[u8]>,
        signature: impl AsRef<[u8]>,
        verify_algorithm: &'static dyn ringsig::VerificationAlgorithm,
    ) -> Result<(), Error> {
        let public_key = ringsig::UnparsedPublicKey::new(verify_algorithm, self.public_key_data());

        public_key
            .verify(signed_data.as_ref(), signature.as_ref())
            .map_err(|_| Error::CertificateSignatureVerificationFailed)
    }

    /// Verifies that this certificate was cryptographically signed using raw public key data from a signing key.
    ///
    /// This function does the low-level work of extracting the signature and
    /// verification details from the current certificate and figuring out
    /// the correct combination of cryptography settings to apply to perform
    /// signature verification.
    ///
    /// In many cases, an X.509 certificate is signed by another certificate. And
    /// since the public key is embedded in the X.509 certificate, it is easier
    /// to go through [Self::verify_signed_by_certificate] instead.
    pub fn verify_signed_by_public_key(
        &self,
        public_key_data: impl AsRef<[u8]>,
    ) -> Result<(), Error> {
        // Always verify against the original content, as the inner
        // certificate could be mutated via the mutable wrapper of this
        // type.
        let this_cert = match &self.original {
            OriginalData::Ber(data) => X509Certificate::from_ber(data),
            OriginalData::Der(data) => X509Certificate::from_der(data),
        }
        .expect("certificate re-parse should never fail");

        let signed_data = this_cert
            .0
            .tbs_certificate
            .raw_data
            .as_ref()
            .expect("original certificate data should have persisted as part of re-parse");
        let signature = this_cert.0.signature.octet_bytes();

        let key_algorithm = KeyAlgorithm::try_from(
            &this_cert
                .0
                .tbs_certificate
                .subject_public_key_info
                .algorithm,
        )?;
        let signature_algorithm = SignatureAlgorithm::try_from(&this_cert.0.signature_algorithm)?;

        let verify_algorithm = signature_algorithm.resolve_verification_algorithm(key_algorithm)?;

        let public_key = ringsig::UnparsedPublicKey::new(verify_algorithm, public_key_data);

        public_key
            .verify(signed_data, &signature)
            .map_err(|_| Error::CertificateSignatureVerificationFailed)
    }

Resolve the DigestAlgorithm for this signature algorithm.

Trait Implementations§

Returns a copy of the value. Read more
Performs copy-assignment from source. Read more
Formats the value using the given formatter. Read more
Formats the value using the given formatter. Read more
Converts to this type from the input type.
Converts to this type from the input type.
This method tests for self and other values to be equal, and is used by ==.
This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
The type returned in the event of a conversion error.
Performs the conversion.
The type returned in the event of a conversion error.
Performs the conversion.

Auto Trait Implementations§

Blanket Implementations§

Gets the TypeId of self. Read more
Immutably borrows from an owned value. Read more
Mutably borrows from an owned value. Read more

Returns the argument unchanged.

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

The resulting type after obtaining ownership.
Creates owned data from borrowed data, usually by cloning. Read more
Uses borrowed data to replace owned data, usually by cloning. Read more
Converts the given value to a String. Read more
The type returned in the event of a conversion error.
Performs the conversion.
The type returned in the event of a conversion error.
Performs the conversion.