-
Notifications
You must be signed in to change notification settings - Fork 170
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
signature: add
hazmat-preview
feature (#1099)
Adds a `hazmat` module gated under a newly added `hazmat-preview` feature which calls out the relevant functionality as subject to change with minor versions. It adds the following traits: - `PrehashSigner` - `PrehashVerifier` These APIs accept the digest to be signed/verified as a raw byte slice. This comes with potential misuses like failing to use a cryptographically secure hash function as the `prehash`, which could enable existential forgeries of signatures, hence gating it under a `hazmat-preview` feature and placing it in a `hazmat` module. Note that we previously explored APIs like this for `DigestSigner`. They were removed in RustCrypto/signatures#17 due to the afforementioned misuse potential. However, these APIs are occasionally needed for implementing protocols that use special rules for computing hashes (e.g. EIP-712 structured hashes), or for implementing things like network signing services which want to accept a prehash of a message to be signed rather than the full message (to cut down on network bandwidth). The traits accept a byte slice `prehash`, which permits multiple lengths and allows the implementation to decide which lengths are valid. This makes it possible for e.g. ECDSA implementations to automatically truncate message prehashes which are larger than the field size.
- Loading branch information
Showing
4 changed files
with
65 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
//! Hazardous Materials: low-level APIs which can be insecure if misused. | ||
//! | ||
//! The traits in this module are not generally recommended, and should only be | ||
//! used in special cases where they are specifically needed. | ||
//! | ||
//! Using them incorrectly can introduce security vulnerabilities. Please | ||
//! carefully read the documentation before attempting to use them. | ||
//! | ||
//! To use them, enable the `hazmat-preview` crate feature. Note that this | ||
//! feature is semi-unstable and not subject to regular 1.x SemVer guarantees. | ||
//! However, any breaking changes will be accompanied with a minor version bump. | ||
|
||
use crate::{Error, Signature}; | ||
|
||
/// Sign the provided message prehash, returning a digital signature. | ||
pub trait PrehashSigner<S: Signature> { | ||
/// Attempt to sign the given message digest, returning a digital signature | ||
/// on success, or an error if something went wrong. | ||
/// | ||
/// The `prehash` parameter should be the output of a secure cryptographic | ||
/// hash function. | ||
/// | ||
/// This API takes a `prehash` byte slice as there can potentially be many | ||
/// compatible lengths for the message digest for a given concrete signature | ||
/// algorithm. | ||
/// | ||
/// Allowed lengths are algorithm-dependent and up to a particular | ||
/// implementation to decide. | ||
fn try_sign_prehash(&self, prehash: &[u8]) -> Result<S, Error>; | ||
} | ||
|
||
/// Verify the provided message prehash using `Self` (e.g. a public key) | ||
pub trait PrehashVerifier<S: Signature> { | ||
/// Use `Self` to verify that the provided signature for a given message | ||
/// `prehash` is authentic. | ||
/// | ||
/// The `prehash` parameter should be the output of a secure cryptographic | ||
/// hash function. | ||
/// | ||
/// Returns `Error` if it is inauthentic or some other error occurred, or | ||
/// otherwise returns `Ok(())`. | ||
/// | ||
/// # ⚠️ Security Warning | ||
/// | ||
/// If `prehash` is something other than the output of a cryptographically | ||
/// secure hash function, an attacker can potentially forge signatures by | ||
/// solving a system of linear equations. | ||
fn verify_prehash(&self, prehash: &[u8], signature: &S) -> Result<(), Error>; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters