authorJustus Winter <justus@sequoia-pgp.org>2024-03-24 14:19:06 +0100
committerJustus Winter <justus@sequoia-pgp.org>2024-03-24 14:21:03 +0100
commit5bb60918f51b6c50f39b102156cdf010da8eb5dc (patch)
tree1f47ac97fa0c9fbaf78b20d964c9e735f06f65e0
parent585e5675b9e97063058e5481b4682dbe520e2fca (diff)
openpgp: Add Signature::verify_signature.justus/faster-3rd-party-certifications
- Similar to Signature::verify, but doesn't constrain to document signatures. This allows for faster verification of third-party signatures on certs, taking advantage of the fact that we computed the digest during certificate canonicalization.
-rw-r--r--openpgp/NEWS3
-rw-r--r--openpgp/src/packet/signature.rs21
2 files changed, 24 insertions, 0 deletions
diff --git a/openpgp/NEWS b/openpgp/NEWS
index 3524af4b..7b0d62f9 100644
--- a/openpgp/NEWS
+++ b/openpgp/NEWS
@@ -3,6 +3,9 @@
#+TITLE: sequoia-openpgp NEWS – history of user-visible changes
#+STARTUP: content hidestars
+* Changes in 1.20.0
+** New functionality
+ - Signature::verify_signature
* Changes in 1.19.0
** Notable fixes
- Key4::import_secret_cv25519 will now clamp some bits of the given
diff --git a/openpgp/src/packet/signature.rs b/openpgp/src/packet/signature.rs
index ed0dfaec..ba1a01ed 100644
--- a/openpgp/src/packet/signature.rs
+++ b/openpgp/src/packet/signature.rs
@@ -2659,6 +2659,27 @@ impl crate::packet::Signature {
///
/// <a id="verification-functions"></a>
impl Signature {
+ /// Verifies the signature using `key`.
+ ///
+ /// Note: Due to limited context, this only verifies the
+ /// cryptographic signature, and checks that the key predates the
+ /// signature. Further constraints on the signature, like
+ /// signature type, creation and expiration time, or signature
+ /// revocations must be checked by the caller.
+ ///
+ /// Likewise, this function does not check whether `key` can make
+ /// valid signatures; it is up to the caller to make sure the key
+ /// is not revoked, not expired, has a valid self-signature, has a
+ /// subkey binding signature (if appropriate), has the signing
+ /// capability, etc.
+ pub fn verify_signature<P, R>(&mut self, key: &Key<P, R>) -> Result<()>
+ where P: key::KeyParts,
+ R: key::KeyRole,
+ {
+ self.verify_digest_internal(
+ key.parts_as_public().role_as_unspecified(), None)
+ }
+
/// Verifies the signature against `hash`.
///
/// The `hash` should only be computed over the payload, this
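Review bot: The doc comment on `verify_signature` never says which data the signature is verified over. The body passes `None` as the digest argument to `verify_digest_internal`, so the check presumably relies on a digest stored on the `Signature` beforehand (the commit message points to certificate canonicalization), but that helper is outside this hunk. A caller holding a signature obtained some other way cannot tell from the docs whether the call returns an error or what it would be checked against, which matters for a public verification API. Once confirmed against `verify_digest_internal`, I would add a paragraph such as `/// This checks the signature against the digest previously computed and stored in this signature (e.g. during certificate canonicalization); no data is hashed here.` and an `# Errors` section covering the case where no digest is available. The enclosing `impl Signature` block continues past the end of the hunk.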