Add support for Ed25519 to CMS

Sources/X509/CertificatePrivateKey.swift

@@ -91,32 +91,23 @@ extension Certificate {
             bytes: Bytes,
             signatureAlgorithm: SignatureAlgorithm
         ) throws -> Signature {
-            try self.validateAlgorithmForKey(algorithm: signatureAlgorithm)
-
             switch self.backing {
             case .p256(let p256):
-                let digestAlgorithm = try AlgorithmIdentifier(digestAlgorithmFor: signatureAlgorithm)
-                return try p256.signature(for: bytes, digestAlgorithm: digestAlgorithm)
+                return try p256.signature(for: bytes, signatureAlgorithm: signatureAlgorithm)
             case .p384(let p384):
-                let digestAlgorithm = try AlgorithmIdentifier(digestAlgorithmFor: signatureAlgorithm)
-                return try p384.signature(for: bytes, digestAlgorithm: digestAlgorithm)
+                return try p384.signature(for: bytes, signatureAlgorithm: signatureAlgorithm)
             case .p521(let p521):
-                let digestAlgorithm = try AlgorithmIdentifier(digestAlgorithmFor: signatureAlgorithm)
-                return try p521.signature(for: bytes, digestAlgorithm: digestAlgorithm)
+                return try p521.signature(for: bytes, signatureAlgorithm: signatureAlgorithm)
             case .rsa(let rsa):
-                let digestAlgorithm = try AlgorithmIdentifier(digestAlgorithmFor: signatureAlgorithm)
-                let padding = try _RSA.Signing.Padding(forSignatureAlgorithm: signatureAlgorithm)
-                return try rsa.signature(for: bytes, digestAlgorithm: digestAlgorithm, padding: padding)
+                return try rsa.signature(for: bytes, signatureAlgorithm: signatureAlgorithm)
             #if canImport(Darwin)
             case .secureEnclaveP256(let secureEnclaveP256):
-                let digestAlgorithm = try AlgorithmIdentifier(digestAlgorithmFor: signatureAlgorithm)
-                return try secureEnclaveP256.signature(for: bytes, digestAlgorithm: digestAlgorithm)
+                return try secureEnclaveP256.signature(for: bytes, signatureAlgorithm: signatureAlgorithm)
             case .secKey(let secKeyWrapper):
-                let digestAlgorithm = try AlgorithmIdentifier(digestAlgorithmFor: signatureAlgorithm)
-                return try secKeyWrapper.signature(for: bytes, digestAlgorithm: digestAlgorithm)
+                return try secKeyWrapper.signature(for: bytes, signatureAlgorithm: signatureAlgorithm)
             #endif
             case .ed25519(let ed25519):
-                return try ed25519.signature(for: bytes)
+                return try ed25519.signature(for: bytes, signatureAlgorithm: signatureAlgorithm)
             }
         }
 
@@ -143,54 +134,6 @@ extension Certificate {
                 return PublicKey(ed25519.publicKey)
             }
         }
-
-        @inlinable
-        func validateAlgorithmForKey(algorithm: SignatureAlgorithm) throws {
-            switch self.backing {
-            case .p256, .p384, .p521:
-                if !algorithm.isECDSA {
-                    throw CertificateError.unsupportedSignatureAlgorithm(
-                        reason: "Cannot use \(algorithm) with ECDSA key \(self)"
-                    )
-                }
-            case .rsa:
-                if !algorithm.isRSA {
-                    throw CertificateError.unsupportedSignatureAlgorithm(
-                        reason: "Cannot use \(algorithm) with RSA key \(self)"
-                    )
-                }
-            #if canImport(Darwin)
-            case .secureEnclaveP256:
-                if !algorithm.isECDSA {
-                    throw CertificateError.unsupportedSignatureAlgorithm(
-                        reason: "Cannot use \(algorithm) with ECDSA key \(self)"
-                    )
-                }
-            case .secKey(let key):
-                switch key.type {
-                case .ECDSA:
-                    if !algorithm.isECDSA {
-                        throw CertificateError.unsupportedSignatureAlgorithm(
-                            reason: "Cannot use \(algorithm) with ECDSA key \(self)"
-                        )
-                    }
-                case .RSA:
-                    if !algorithm.isRSA {
-                        throw CertificateError.unsupportedSignatureAlgorithm(
-                            reason: "Cannot use \(algorithm) with RSA key \(self)"
-                        )
-                    }
-                }
-            #endif
-            case .ed25519:
-                if algorithm != .ed25519 {
-                    throw CertificateError.unsupportedSignatureAlgorithm(
-                        reason: "Cannot use \(algorithm) with Ed25519 key \(self)"
-                    )
-                }
-            }
-
-        }
     }
 }
 

Sources/X509/CertificatePublicKey.swift

@@ -137,32 +137,17 @@ extension Certificate.PublicKey {
         for bytes: Bytes,
         signatureAlgorithm: Certificate.SignatureAlgorithm
     ) -> Bool {
-        var digest: Digest?
-
-        if let digestAlgorithm = try? AlgorithmIdentifier(digestAlgorithmFor: signatureAlgorithm) {
-            digest = try? Digest.computeDigest(for: bytes, using: digestAlgorithm)
-        }
-
-        switch (self.backing, digest) {
-        case (.p256(let p256), .some(let digest)):
-            return p256.isValidSignature(signature, for: digest)
-        case (.p384(let p384), .some(let digest)):
-            return p384.isValidSignature(signature, for: digest)
-        case (.p521(let p521), .some(let digest)):
-            return p521.isValidSignature(signature, for: digest)
-        case (.rsa(let rsa), .some(let digest)):
-            // For now we don't support RSA PSS, as it's not deployed in the WebPKI.
-            // We could, if there are sufficient user needs.
-            do {
-                let padding = try _RSA.Signing.Padding(forSignatureAlgorithm: signatureAlgorithm)
-                return rsa.isValidSignature(signature, for: digest, padding: padding)
-            } catch {
-                return false
-            }
-        case (.ed25519(let ed25519), .none):
-            return ed25519.isValidSignature(signature, for: bytes)
-        default:
-            return false
+        switch self.backing {
+        case .p256(let p256):
+            return p256.isValidSignature(signature, for: bytes, signatureAlgorithm: signatureAlgorithm)
+        case .p384(let p384):
+            return p384.isValidSignature(signature, for: bytes, signatureAlgorithm: signatureAlgorithm)
+        case .p521(let p521):
+            return p521.isValidSignature(signature, for: bytes, signatureAlgorithm: signatureAlgorithm)
+        case .rsa(let rsa):
+            return rsa.isValidSignature(signature, for: bytes, signatureAlgorithm: signatureAlgorithm)
+        case .ed25519(let ed25519):
+            return ed25519.isValidSignature(signature, for: bytes, signatureAlgorithm: signatureAlgorithm)
         }
     }
 }
@@ -277,21 +262,6 @@ extension Certificate.PublicKey {
     }
 }
 
-extension _RSA.Signing.Padding {
-    @inlinable
-    init(forSignatureAlgorithm signatureAlgorithm: Certificate.SignatureAlgorithm) throws {
-        switch signatureAlgorithm {
-        case .sha1WithRSAEncryption, .sha256WithRSAEncryption, .sha384WithRSAEncryption, .sha512WithRSAEncryption:
-            self = .insecurePKCS1v1_5
-        default:
-            // Either this is RSA PSS, or we hit a bug. Either way, unsupported.
-            throw CertificateError.unsupportedSignatureAlgorithm(
-                reason: "Unable to determine RSA padding mode for \(signatureAlgorithm)"
-            )
-        }
-    }
-}
-
 extension P256.Signing.PublicKey {
     /// Create a P256 Public Key from a given ``Certificate/PublicKey-swift.struct``.
     ///