reach_signatures/

lib.rs

// SPDX-FileCopyrightText: 2024-2025 eaon <eaon@posteo.net>
// SPDX-License-Identifier: EUPL-1.2

#![cfg_attr(docsrs, feature(doc_auto_cfg))]
#![allow(clippy::needless_doctest_main)]
#![doc = include_str!("../README.md")]
#![warn(missing_docs)]

use std::ops::Deref;

use ed25519_dalek::{Context, DigestSigner, DigestVerifier};
use fn_dsa_sign::SigningKey;
use fn_dsa_vrfy::VerifyingKey;
use rand_core::CryptoRngCore;
use sha3::digest::core_api::CoreWrapper;
use sha3::{Digest, Sha3_512, Sha3_512Core, digest::consts::U64};

use reach_aliases::*;

mod aliases;
pub use aliases::*;

/// Convert data structures to SHA3-512 digests.
///
/// This trait provides a standardized way to convert any data structure into
/// a cryptographic digest suitable for signing or verification operations.
pub trait Digestible {
    /// Return a vector of byte references that represent this data structure.
    ///
    /// The returned bytes will be hashed in order to create the digest.
    fn hashable_bytes(&self) -> Vec<Box<dyn AsRef<[u8]> + '_>>;

    /// Generate a SHA3-512 digest from the hashable bytes.
    fn digest(&self) -> CoreWrapper<Sha3_512Core> {
        let mut hasher = <Sha3_512 as Digest>::new();
        for bytes in self.hashable_bytes() {
            hasher.update(bytes.deref());
        }

        hasher
    }

    /// Generate a finalized SHA3-512 digest as a 64-byte array.
    fn finalized_digest(&self) -> [u8; 64] {
        self.digest().finalize().into()
    }
}

impl Digestible for &str {
    fn hashable_bytes(&self) -> Vec<Box<dyn AsRef<[u8]> + '_>> {
        vec![Box::new(self)]
    }
}

impl<T> Digestible for [T]
where
    T: Digestible,
{
    fn hashable_bytes(&self) -> Vec<Box<dyn AsRef<[u8]> + '_>> {
        self.iter().flat_map(Digestible::hashable_bytes).collect()
    }
}

/// Sign and convert to the respective signed variant.
///
/// This trait extends [`Digestible`] to provide signing functionality, allowing
/// a type to be converted into a signed version of itself.
pub trait Signable: Digestible {
    /// The type that results from signing this data structure.
    type SignedType: Signatures;

    /// Return the signing context for domain separation.
    ///
    /// Uses the type name of the signed type to ensure different data
    /// structures have different signing domains.
    fn context() -> &'static [u8] {
        std::any::type_name::<Self::SignedType>().as_bytes()
    }

    /// Combine this with signatures to create the signed variant.
    fn with_signature(
        self,
        ec_signature: Ed25519Signature,
        pq_signature: FnDsaSignature,
    ) -> Self::SignedType;
}

/// Signing key operations.
///
/// This trait provides access to both Ed25519 and FN-DSA signing keys and
/// implements a dual-signature scheme.
pub trait Sign {
    /// Access to the Ed25519 signing key.
    fn ec_signing_key(&self) -> &Ed25519Signing;
    /// Access to the FN-DSA signing key.
    fn pq_signing_key(&self) -> &FnDsaSigning;

    /// Create an Ed25519 signing context with domain separation.
    fn ec_signing_context<'a, 'b>(&'a self, context: &'b [u8]) -> Context<'a, 'b, Ed25519Signing> {
        self.ec_signing_key()
            .with_context(context)
            .expect("Failed to set Ed25519 signing context")
    }

    /// Sign a digest using Ed25519 with the given context.
    fn ec_sign_digest<D>(&self, context: &[u8], digest: D) -> Ed25519Signature
    where
        D: Digest<OutputSize = U64>,
    {
        self.ec_signing_context(context).sign_digest(digest)
    }

    /// Sign a digest using FN-DSA with the given context.
    fn pq_sign_digest(
        &self,
        context: &FnDsaDomainContext<'_>,
        digest: &[u8],
        csprng: &mut impl CryptoRngCore,
    ) -> FnDsaSignature {
        let mut pq_signing_key =
            FnDsaSigningDecoded::decode(self.pq_signing_key().inner.as_slice())
                .expect("Failed to decode FN-DSA Signing Key");
        let mut pq_signature = FN_DSA_SIGNATURE_EMPTY;

        pq_signing_key.sign(csprng, context, &FN_DSA_HASH_ID, digest, &mut pq_signature);

        pq_signature
    }

    /// Generate both Ed25519 and FN-DSA signatures for a digest.
    fn sign_digest<D>(
        &self,
        context: &[u8],
        digest: D,
        csprng: &mut impl CryptoRngCore,
    ) -> (Ed25519Signature, FnDsaSignature)
    where
        D: Digest<OutputSize = U64> + Clone,
    {
        let digest_bytes = digest.clone().finalize();
        let ec_signature = self.ec_sign_digest(context, digest);
        let pq_signature =
            self.pq_sign_digest(&FnDsaDomainContext { 0: context }, &digest_bytes, csprng);

        (ec_signature, pq_signature)
    }

    /// Sign a [`Signable`] data structure.
    ///
    /// This is the main signing interface that combines the source type with
    /// both Ed25519 and FN-DSA signatures.
    fn sign<S, V>(&self, signable: S, csprng: &mut impl CryptoRngCore) -> S::SignedType
    where
        S: Signable + Digestible,
        V: Verifies<S::SignedType> + Verifier,
        Self: VerifyingKeys<V>,
    {
        let (ec_signature, pq_signature) =
            self.sign_digest(S::context(), signable.digest(), csprng);

        signable.with_signature(ec_signature, pq_signature)
    }
}

/// Carries signatures.
pub trait Signatures {
    /// Access to the Ed25519 signature.
    fn ec_signature(&self) -> &Ed25519Signature;
    /// Access to the FN-DSA signature.
    fn pq_signature(&self) -> &FnDsaSignature;

    /// Type name string as bytes, used for domain separation.
    fn context() -> &'static [u8] {
        std::any::type_name::<Self>().as_bytes()
    }
}

/// Links signing keys to their corresponding verifying keys.
pub trait VerifyingKeys<V: Verifier> {}

/// Indicating which types can be verified by a given verifier.
pub trait Verifies<V> {}

/// Provides verifying keys for signature verification operations.
pub trait Verifier {
    /// Access to the Ed25519 verifying key.
    fn ec_verifying_key(&self) -> &Ed25519Verifying;
    /// Access to the FN-DSA verifying key.
    fn pq_verifying_key(&self) -> &FnDsaVerifying;
}

fn ec_verifying_context<'a, 'b, V>(
    verifier: &'a V,
    context: &'b [u8],
) -> Context<'a, 'b, Ed25519Verifying>
where
    V: Verifier + ?Sized,
{
    verifier
        .ec_verifying_key()
        .with_context(context)
        .expect("Failed to set Ed25519 verifying context")
}

fn ec_verify_digest<V, D>(
    verifier: &V,
    context: &[u8],
    digest: D,
    signature: &Ed25519Signature,
) -> bool
where
    V: Verifier + ?Sized,
    D: Digest<OutputSize = U64>,
{
    ec_verifying_context(verifier, context)
        .verify_digest(digest, signature)
        .is_ok()
}

fn pq_verify_digest<V>(
    verifier: &V,
    context: &FnDsaDomainContext<'_>,
    digest: &[u8],
    signature: &FnDsaSignature,
) -> bool
where
    V: Verifier + ?Sized,
{
    let pq_verifying_key = FnDsaVerifyingDecoded::decode(verifier.pq_verifying_key().as_ref())
        .expect("Decoding of FN-DSA Verifying Key failed");

    pq_verifying_key.verify(signature, context, &FN_DSA_HASH_ID, digest)
}

/// Verify both Ed25519 and FN-DSA signatures with a digest.
///
/// Both signatures need to be valid for the verification to succeed.
pub fn verify_digest<V, D>(
    verifier: &V,
    context: &[u8],
    digest: D,
    ec_signature: &Ed25519Signature,
    pq_signature: &FnDsaSignature,
) -> bool
where
    V: Verifier + ?Sized,
    D: Digest<OutputSize = U64> + Clone,
{
    let digest_bytes = digest.clone().finalize();
    ec_verify_digest(verifier, context, digest, ec_signature)
        && pq_verify_digest(
            verifier,
            &FnDsaDomainContext { 0: context },
            &digest_bytes,
            pq_signature,
        )
}

/// Verifiable if [`Digestible`] and carrying [`Signatures`].
pub trait Verifiable: Signatures + Digestible {
    /// Verify this signed data structure with a verifier.
    ///
    /// Both Ed25519 and FN-DSA signatures need to be valid for verification to
    /// succeed.
    fn verify<V>(&self, verifier: &V) -> bool
    where
        V: Verifier + Verifies<Self>,
        Self: Sized,
    {
        verify_digest(
            verifier,
            Self::context(),
            self.digest(),
            self.ec_signature(),
            self.pq_signature(),
        )
    }
}