From ba51f6ad16559e4448aea38c47444ab353833e46 Mon Sep 17 00:00:00 2001 From: Robin Lambertz Date: Mon, 11 May 2026 20:37:15 +0200 Subject: [PATCH] Implement PrehashSigner on yubikey::Signer. (#656) Co-authored-by: roblabla --- src/certificate.rs | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/src/certificate.rs b/src/certificate.rs index ad41689..132c474 100644 --- a/src/certificate.rs +++ b/src/certificate.rs @@ -309,6 +309,10 @@ pub mod yubikey_signer { /// Prepare buffer before submitting it for signature fn prepare(input: &[u8]) -> SigResult>; + + /// Prepare a prehashed message before submitting it for signature + fn prepare_prehash(hashed: &[u8]) -> SigResult>; + /// Read back the signature from the device fn read_signature(input: &[u8]) -> SigResult; } @@ -340,6 +344,10 @@ pub mod yubikey_signer { Ok(Sha256::digest(input).to_vec()) } + fn prepare_prehash(hashed: &[u8]) -> SigResult> { + Ok(hashed.to_vec()) + } + fn read_signature(input: &[u8]) -> SigResult { Self::Signature::from_bytes(input) } @@ -356,6 +364,10 @@ pub mod yubikey_signer { Ok(Sha384::digest(input).to_vec()) } + fn prepare_prehash(hashed: &[u8]) -> SigResult> { + Ok(hashed.to_vec()) + } + fn read_signature(input: &[u8]) -> SigResult { Self::Signature::from_bytes(input) } @@ -415,7 +427,10 @@ pub mod yubikey_signer { fn prepare(input: &[u8]) -> SigResult> { let hashed = Sha256::digest(input).to_vec(); + Self::prepare_prehash(&hashed) + } + fn prepare_prehash(hashed: &[u8]) -> SigResult> { OctetString::new(hashed) .map_err(|e| e.into()) .and_then(Self::emsa_pkcs1_1_5) @@ -515,4 +530,20 @@ pub mod yubikey_signer { Ok(out) } } + + impl signature::hazmat::PrehashSigner for Signer<'_, KT> { + fn sign_prehash(&self, hashed: &[u8]) -> SigResult { + let data = KT::prepare_prehash(hashed)?; + + let out = sign_data( + &mut self.yubikey.borrow_mut(), + &data, + KT::ALGORITHM, + self.key, + ) + .map_err(signature::Error::from_source)?; + let out = KT::read_signature(&out)?; + Ok(out) + } + } }