feat: put the signature cache behind a feature flag (enabled by default)

packages/ic-asset-certification/tests/large_assets.rs

@@ -26,7 +26,7 @@ fn should_certify_long_asset_chunkwise(
 ) {
     let current_time = get_current_timestamp();
     let canister_id = create_canister_id("rdmx6-jaaaa-aaaaa-aaadq-cai");
-    let req_url = format!("/{}", ASSET_ONE_NAME);
+    let req_url = format!("/{ASSET_ONE_NAME}");
 
     let mut asset_router = AssetRouter::default();
     let assets = [Asset::new(ASSET_ONE_NAME, asset_one_body)];
@@ -107,7 +107,7 @@ fn should_certify_long_asset_chunkwise(
     let chunk_two_req = HttpRequest::get(&req_url)
         .with_headers(vec![(
             "range".to_string(),
-            format!("bytes={}-", ASSET_CHUNK_SIZE),
+            format!("bytes={ASSET_CHUNK_SIZE}-"),
         )])
         .build();
     let chunk_two_res = asset_router

packages/ic-certificate-verification/Cargo.toml

@@ -22,13 +22,12 @@ homepage.workspace = true
 
 [dependencies]
 candid.workspace = true
-nom.workspace = true
 thiserror.workspace = true
 leb128.workspace = true
-cached.workspace = true
+cached = { workspace = true, optional = true }
 sha2.workspace = true
-lazy_static.workspace = true
-parking_lot.workspace = true
+lazy_static = { workspace = true, optional = true }
+parking_lot = { workspace = true, optional = true }
 
 ic-certification = { workspace = true }
 ic-cbor.workspace = true
@@ -41,3 +40,7 @@ rand.workspace = true
 rand_chacha.workspace = true
 
 ic-types.workspace = true
+
+[features]
+default = ["signature_cache"]
+signature_cache = ["dep:cached", "dep:lazy_static", "dep:parking_lot"]

packages/ic-certificate-verification/src/signature_verification/mod.rs

@@ -1,20 +1,23 @@
-use self::signature_cache::{SignatureCache, SignatureCacheEntry};
 use crate::CertificateVerificationError;
 use ic_verify_bls_signature::verify_bls_signature;
 
+#[cfg(feature = "signature_cache")]
 mod signature_cache;
 
-#[cfg(test)]
+#[cfg(all(test, feature = "signature_cache"))]
 mod reproducible_rng;
 
-#[cfg(test)]
+#[cfg(all(test, feature = "signature_cache"))]
 mod tests;
 
+#[cfg(feature = "signature_cache")]
 pub fn verify_signature(
     pk: &[u8],
     sig: &[u8],
     msg: &[u8],
 ) -> Result<(), CertificateVerificationError> {
+    use self::signature_cache::{SignatureCache, SignatureCacheEntry};
+
     let entry = SignatureCacheEntry::new(pk, sig, msg);
 
     if SignatureCache::global().contains(&entry) {
@@ -28,3 +31,13 @@ pub fn verify_signature(
     SignatureCache::global().insert(&entry);
     Ok(())
 }
+
+#[cfg(not(feature = "signature_cache"))]
+pub fn verify_signature(
+    pk: &[u8],
+    sig: &[u8],
+    msg: &[u8],
+) -> Result<(), CertificateVerificationError> {
+    verify_bls_signature(sig, msg, pk)
+        .map_err(|_| CertificateVerificationError::SignatureVerificationFailed)
+}

packages/ic-certificate-verification/src/signature_verification/tests.rs

@@ -2,6 +2,7 @@ use super::signature_cache::SignatureCacheEntry;
 use crate::signature_verification::{
     reproducible_rng::reproducible_rng,
     signature_cache::{SignatureCache, SignatureCacheStatistics},
+    verify_signature,
 };
 use rand::RngCore;
 
@@ -83,6 +84,21 @@ fn should_have_signature_cache_behave_like_a_lru_cache() {
     }
 }
 
+#[test]
+fn verify_signature_uses_cache_for_known_entries() {
+    // Pre-populate the global cache with inputs that are not valid BLS signatures.
+    // If the signature_cache feature gate is correctly applied, verify_signature
+    // returns Ok() on a cache hit without ever calling the BLS verifier.
+    // If the cfg gates are wrong and the uncached path is compiled instead,
+    // this test will fail with SignatureVerificationFailed.
+    let pk = [1u8; 96];
+    let sig = [2u8; 48];
+    let msg = [3u8; 32];
+
+    SignatureCache::global().insert(&SignatureCacheEntry::new(&pk, &sig, &msg));
+    assert!(verify_signature(&pk, &sig, &msg).is_ok());
+}
+
 #[test]
 fn should_have_signature_cache_update_lru_status_after_cache_hit() {
     let cache_size = 3;

packages/ic-response-verification-tests/src/rust-tests/src/main.rs

@@ -24,17 +24,14 @@ fn get_current_time() -> u128 {
 }
 
 fn read_file(file_path: &str) -> Result<Vec<u8>> {
-    let path = format!(
-        "packages/ic-response-verification-tests/src/frontend/{}",
-        file_path
-    );
+    let path = format!("packages/ic-response-verification-tests/src/frontend/{file_path}");
     match fs::read(path.clone()) {
         Ok(file) => {
-            println!("Read file: {}", path);
+            println!("Read file: {path}");
             Ok(file)
         }
         Err(e) => {
-            println!("Error reading file: {} from {}", e, path);
+            println!("Error reading file: {e} from {path}");
             Err(e.into())
         }
     }