Trait remote_settings_client::client::Verification

source · []
pub trait Verification: Send + Sync {
    fn verify_nist384p_chain(
        &self, 
        epoch_seconds: u64, 
        pem_bytes: &[u8], 
        root_hash: &str, 
        subject_cn: &str, 
        message: &[u8], 
        signature: &[u8]
    ) -> Result<(), SignatureError>;
    fn verify_sha256_hash(
        &self, 
        content: &[u8], 
        expected: &[u8]
    ) -> Result<(), SignatureError>;

    fn fetch_certificate_chain<'life0, 'life1, 'life2, 'async_trait>(
        &'life0 self, 
        requester: &'life1 (dyn Requester + 'static), 
        collection: &'life2 Collection
    ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, SignatureError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        'life2: 'async_trait,
        Self: 'async_trait,
    { ... }
    fn serialize_data(
        &self, 
        collection: &Collection
    ) -> Result<Vec<u8>, SignatureError> { ... }
    fn verify<'life0, 'life1, 'life2, 'life3, 'async_trait>(
        &'life0 self, 
        requester: &'life1 (dyn Requester + 'static), 
        collection: &'life2 Collection, 
        root_hash: &'life3 str
    ) -> Pin<Box<dyn Future<Output = Result<(), SignatureError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        'life2: 'async_trait,
        'life3: 'async_trait,
        Self: 'async_trait,
    { ... }
}
Expand description

A trait for signature verification of collection data.

You may want to use your own verification implementation (eg. using OpenSSL instead of ring or rc_crypto).

How can I implement Verification?


struct SignatureVerifier {}

impl Verification for SignatureVerifier {
    fn verify_nist384p_chain(
        &self,
        epoch_seconds: u64,
        pem_bytes: &[u8],
        root_hash:&str,
        subject_cn: &str,
        message: &[u8],
        signature: &[u8],
    ) -> Result<(), SignatureError> {
        todo!()
    }

    fn verify_sha256_hash(&self, content: &[u8], hash: &[u8]) -> Result<(), SignatureError> {
        todo!()
    }
}

let client = Client::builder()
   .collection_name("cid")
   .verifier(Box::new(SignatureVerifier {}))
   .build();

Required Methods

Verify chain of trust.

  1. Parse the PEM bytes as DER-encoded X.509 Certificate.
  2. Verify that root hash matches the SHA256 fingerprint of the root certificate (DER content)
  3. Verify that each certificate of the chain is currently valid (revocation support is optional)
  4. Verify that each child signature matches its parent’s public key for each pair in the chain
  5. Verify that the subject alternate name of the end-entity certificate matches the collection signer name.
  6. Use the chain’s end-entity (leaf) certificate to verify that the “signature” property matches the contents of the data.

Provided Methods

Verifies signature for a given Collection struct.

  1. Fetch and parse the chain of PEM-format certificates linked to in the “x5u” property.
  2. Serialize the collection data in canonical JSON format.
  3. Verify the certificates chain of trust using root_hash and signer name, and that the ECDSA P384 SHA384 signature matches the data.
Errors

If all the steps are performed without errors, but the specified collection data does not match its signature, then a SignatureError::MismatchError is returned.

If errors occur during certificate download, parsing, or data serialization, then the corresponding error is returned.

Trait Implementations

Formats the value using the given formatter. Read more

Implementors