Files

addr2line

lazy.rslib.rs

adler

algo.rslib.rs

aho_corasick

packed

teddy

compile.rsmod.rsruntime.rs

api.rsmod.rspattern.rsrabinkarp.rsvector.rs

ahocorasick.rsautomaton.rsbuffer.rsbyte_frequencies.rsclasses.rsdfa.rserror.rslib.rsnfa.rsprefilter.rsstate_id.rs

ansi_term

ansi.rsdebug.rsdifference.rsdisplay.rslib.rsstyle.rswindows.rswrite.rs

arraydeque

maybe_uninit

maybe_uninit.rsmod.rs

array.rsbehavior.rserror.rslib.rsrange.rs

as_slice

lib.rs

atty

lib.rs

backtrace

backtrace

libunwind.rsmod.rs

symbolize

gimli

elf.rsmmap_unix.rsstash.rs

gimli.rsmod.rs

capture.rslib.rsprint.rstypes.rs

base64

read

decoder.rsmod.rs

write

encoder.rsmod.rs

chunked_encoder.rsdecode.rsdisplay.rsencode.rslib.rstables.rs

bincode_core

config

endian.rsint.rsinternal.rslimit.rsmod.rstrailing.rs

traits

core_read.rscore_write.rsmod.rs

buffer_writer.rsdeserialize.rslib.rsserialize.rssize_checker.rs

bitflags

lib.rs

byteorder

io.rslib.rs

bytes

buf

ext

chain.rslimit.rsmod.rsreader.rstake.rswriter.rs

buf_impl.rsbuf_mut.rsiter.rsmod.rsvec_deque.rs

fmt

debug.rshex.rsmod.rs

bytes.rsbytes_mut.rslib.rsloom.rs

capnp

private

arena.rscapability.rslayout.rsmask.rsmod.rsprimitive.rsunits.rszero.rs

any_pointer.rsany_pointer_list.rscapability.rscapability_list.rsconstant.rsdata.rsdata_list.rsenum_list.rsio.rslib.rslist_list.rsmessage.rsprimitive_list.rsraw.rsserialize.rsserialize_packed.rsstruct_list.rstext.rstext_list.rstraits.rs

capnp_futures

lib.rsread_stream.rsserialize.rswrite_queue.rs

capnp_rpc

attach.rsbroken.rslib.rslocal.rsqueued.rsrpc.rsrpc_capnp.rsrpc_twoparty_capnp.rssender_queue.rssplit.rstask_set.rstwoparty.rs

cfg_if

lib.rs

chrono

format

mod.rsparse.rsparsed.rsscan.rsstrftime.rs

naive

date.rsdatetime.rsinternals.rsisoweek.rstime.rs

offset

fixed.rslocal.rsmod.rsutc.rs

sys

unix.rs

date.rsdatetime.rsdiv.rslib.rsround.rssys.rs

clap

app

help.rsmeta.rsmod.rsparser.rssettings.rsusage.rsvalidator.rs

args

arg_builder

base.rsflag.rsmod.rsoption.rspositional.rsswitched.rsvalued.rs

any_arg.rsarg.rsarg_matcher.rsarg_matches.rsgroup.rsmacros.rsmatched_arg.rsmod.rssettings.rssubcommand.rs

completions

bash.rselvish.rsfish.rsmacros.rsmod.rspowershell.rsshell.rszsh.rs

errors.rsfmt.rslib.rsmacros.rsmap.rsosstringext.rsstrext.rssuggestions.rsusage_parser.rs

ctrlc

platform

unix

mod.rs

mod.rs

error.rslib.rssignal.rs

derivative

ast.rsattr.rsbound.rsclone.rscmp.rsdebug.rsdefault.rshash.rslib.rsmatcher.rspaths.rsutils.rs

dlib

lib.rs

downcast_rs

lib.rs

enumflags2

fallible.rsformatting.rslib.rs

enumflags2_derive

lib.rs

evdev_rs

device.rsenums.rslib.rslogging.rsmacros.rsuinput.rsutil.rs

evdev_sys

lib.rs

failure

backtrace

internal.rsmod.rs

error

error_impl.rsmod.rs

as_fail.rsbox_std.rscompat.rscontext.rserror_message.rslib.rsmacros.rsresult_ext.rssync_failure.rs

failure_derive

lib.rs

flexi_logger

writers

file_log_writer

builder.rsconfig.rsstate.rs

file_log_writer.rslog_writer.rs

code_examples.rsdeferred_now.rsflexi_error.rsflexi_logger.rsformats.rslib.rslog_specification.rslogger.rslogger_handle.rsparameters.rsprimary_writer.rswriters.rs

futures

lib.rs

futures_channel

mpsc

mod.rsqueue.rssink_impl.rs

lib.rslock.rsoneshot.rs

futures_core

task

__internal

atomic_waker.rsmod.rs

mod.rspoll.rs

future.rslib.rsstream.rs

futures_executor

enter.rslib.rslocal_pool.rs

futures_io

lib.rs

futures_macro

join.rslib.rsselect.rs

futures_sink

lib.rs

futures_task

arc_wake.rsfuture_obj.rslib.rsnoop_waker.rsspawn.rswaker.rswaker_ref.rs

futures_util

async_await

join_mod.rsmod.rspending.rspoll.rsrandom.rsselect_mod.rs

future

future

catch_unwind.rsflatten.rsfuse.rsmap.rsmod.rsremote_handle.rsshared.rs

try_future

into_future.rsmod.rstry_flatten.rstry_flatten_err.rs

abortable.rseither.rsjoin.rsjoin_all.rslazy.rsmaybe_done.rsmod.rsoption.rspending.rspoll_fn.rsready.rsselect.rsselect_all.rsselect_ok.rstry_join.rstry_join_all.rstry_maybe_done.rstry_select.rs

io

allow_std.rsbuf_reader.rsbuf_writer.rschain.rsclose.rscopy.rscopy_buf.rscursor.rsempty.rsfill_buf.rsflush.rsinto_sink.rslines.rsmod.rsread.rsread_exact.rsread_line.rsread_to_end.rsread_to_string.rsread_until.rsread_vectored.rsrepeat.rsseek.rssink.rssplit.rstake.rswindow.rswrite.rswrite_all.rswrite_vectored.rs

lock

bilock.rsmod.rsmutex.rs

sink

buffer.rsclose.rsdrain.rserr_into.rsfanout.rsfeed.rsflush.rsmap_err.rsmod.rssend.rssend_all.rsunfold.rswith.rswith_flat_map.rs

stream

futures_unordered

abort.rsiter.rsmod.rsready_to_run_queue.rstask.rs

stream

buffer_unordered.rsbuffered.rscatch_unwind.rschain.rschunks.rscollect.rsconcat.rscycle.rsenumerate.rsfilter.rsfilter_map.rsflatten.rsfold.rsfor_each.rsfor_each_concurrent.rsforward.rsfuse.rsinto_future.rsmap.rsmod.rsnext.rspeek.rsready_chunks.rsscan.rsselect_next_some.rsskip.rsskip_while.rssplit.rstake.rstake_until.rstake_while.rsthen.rsunzip.rszip.rs

try_stream

and_then.rsinto_async_read.rsinto_stream.rsmod.rsor_else.rstry_buffer_unordered.rstry_buffered.rstry_collect.rstry_concat.rstry_filter.rstry_filter_map.rstry_flatten.rstry_fold.rstry_for_each.rstry_for_each_concurrent.rstry_next.rstry_skip_while.rstry_take_while.rstry_unfold.rs

empty.rsfutures_ordered.rsiter.rsmod.rsonce.rspending.rspoll_fn.rsrepeat.rsrepeat_with.rsselect.rsselect_all.rsunfold.rs

task

mod.rsspawn.rs

fns.rslib.rsnever.rsunfold_state.rs

generic_array

arr.rsfunctional.rshex.rsimpls.rsiter.rslib.rssequence.rs

getrandom

error.rserror_impls.rslib.rslinux_android.rsuse_file.rsutil.rsutil_libc.rs

gimli

read

abbrev.rsaddr.rsaranges.rscfi.rsdwarf.rsendian_slice.rsline.rslists.rsloclists.rslookup.rsmod.rsop.rspubnames.rspubtypes.rsreader.rsrnglists.rsstr.rsunit.rsvalue.rs

arch.rscommon.rsconstants.rsendianity.rsleb128.rslib.rs

glob

lib.rs

hash32

fnv.rslib.rsmurmur3.rs

heapless

pool

cas.rsmod.rssingleton.rs

spsc

mod.rssplit.rs

binary_heap.rshistbuf.rsi.rsindexmap.rsindexset.rslib.rslinear_map.rsmpmc.rssealed.rsstring.rsvec.rs

hid_io_core

api

capnp.rsmod.rs

device

evdev

mod.rs

hidapi

mod.rs

mod.rs

module

displayserver

mod.rswayland.rsx11.rs

vhid

uhid

mod.rs

mod.rs

daemonnode.rsmod.rs

lib.rslogging.rsmailbox.rs

hid_io_protocol

commands

mod.rs

buffer.rslib.rs

hidapi

error.rsffi.rslib.rs

install_service

install_service.rs

lazy_static

inline_lazy.rslib.rs

libc

unix

linux_like

linux

gnu

b64

x86_64

align.rsmod.rsnot_x32.rs

mod.rs

align.rsmod.rs

align.rsmod.rs

mod.rs

align.rsmod.rs

fixed_width_ints.rslib.rsmacros.rs

libloading

os

unix

consts.rsmod.rs

mod.rs

changelog.rserror.rslib.rsutil.rs

libudev_sys

lib.rs

log

lib.rsmacros.rs

memchr

x86

avx.rsmod.rssse2.rs

fallback.rsiter.rslib.rsnaive.rs

memmap

lib.rsunix.rs

miniz_oxide

deflate

buffer.rscore.rsmod.rsstream.rs

inflate

core.rsmod.rsoutput_buffer.rsstream.rs

lib.rsshared.rs

mio

event

event.rsevents.rsmod.rssource.rs

net

tcp

listener.rsmod.rssocket.rsstream.rs

uds

datagram.rslistener.rsmod.rsstream.rs

mod.rsudp.rs

sys

unix

selector

epoll.rsmod.rs

uds

datagram.rslistener.rsmod.rssocketaddr.rsstream.rs

mod.rsnet.rspipe.rssourcefd.rstcp.rsudp.rswaker.rs

mod.rs

interest.rsio_source.rslib.rsmacros.rspoll.rstoken.rswaker.rs

nanoid

alphabet.rslib.rsrngs.rs

nix

net

if_.rsmod.rs

sys

ioctl

linux.rsmod.rs

ptrace

linux.rsmod.rs

socket

addr.rsmod.rssockopt.rs

aio.rsepoll.rseventfd.rsinotify.rsmemfd.rsmman.rsmod.rspersonality.rspthread.rsquota.rsreboot.rsselect.rssendfile.rssignal.rssignalfd.rsstat.rsstatfs.rsstatvfs.rssysinfo.rstermios.rstime.rstimerfd.rsuio.rsutsname.rswait.rs

dir.rsenv.rserrno.rsfcntl.rsfeatures.rsifaddrs.rskmod.rslib.rsmacros.rsmount.rsmqueue.rspoll.rspty.rssched.rstime.rsucontext.rsunistd.rs

num_cpus

lib.rslinux.rs

num_enum

lib.rs

num_enum_derive

lib.rs

num_integer

average.rslib.rsroots.rs

num_traits

ops

checked.rsinv.rsmod.rsmul_add.rsoverflowing.rssaturating.rswrapping.rs

bounds.rscast.rsfloat.rsidentities.rsint.rslib.rsmacros.rspow.rssign.rs

object

read

coff

comdat.rsfile.rsmod.rsrelocation.rssection.rssymbol.rs

elf

comdat.rscompression.rsdynamic.rsfile.rsmod.rsnote.rsrelocation.rssection.rssegment.rssymbol.rs

macho

fat.rsfile.rsload_command.rsmod.rsrelocation.rssection.rssegment.rssymbol.rs

pe

file.rsmod.rssection.rs

any.rsarchive.rsmod.rstraits.rsutil.rs

archive.rscommon.rself.rsendian.rslib.rsmacho.rspe.rspod.rs

once_cell

imp_std.rslib.rsrace.rs

open

lib.rs

pem

errors.rslib.rs

pin_project_lite

lib.rs

pin_utils

lib.rsprojection.rsstack_pin.rs

ppv_lite86

x86_64

mod.rssse2.rs

lib.rssoft.rstypes.rs

proc_macro2

detection.rsfallback.rslib.rsmarker.rsparse.rswrapper.rs

proc_macro_hack

error.rsiter.rslib.rsparse.rsquote.rs

proc_macro_nested

lib.rs

quote

ext.rsformat.rsident_fragment.rslib.rsruntime.rsspanned.rsto_tokens.rs

rand

distributions

weighted

alias_method.rsmod.rs

bernoulli.rsbinomial.rscauchy.rsdirichlet.rsexponential.rsfloat.rsgamma.rsinteger.rsmod.rsnormal.rsother.rspareto.rspoisson.rstriangular.rsuniform.rsunit_circle.rsunit_sphere.rsutils.rsweibull.rsziggurat_tables.rs

rngs

adapter

mod.rsread.rsreseeding.rs

entropy.rsmock.rsmod.rsstd.rsthread.rs

seq

index.rsmod.rs

lib.rsprelude.rs

rand_chacha

chacha.rsguts.rslib.rs

rand_core

block.rserror.rsimpls.rsle.rslib.rsos.rs

rcgen

lib.rs

regex

literal

imp.rsmod.rs

backtrack.rscompile.rsdfa.rserror.rsexec.rsexpand.rsfind_byte.rsfreqs.rsinput.rslib.rspikevm.rspool.rsprog.rsre_builder.rsre_bytes.rsre_set.rsre_trait.rsre_unicode.rssparse.rsutf8.rs

regex_syntax

ast

mod.rsparse.rsprint.rsvisitor.rs

hir

literal

mod.rs

interval.rsmod.rsprint.rstranslate.rsvisitor.rs

unicode_tables

age.rscase_folding_simple.rsgeneral_category.rsgrapheme_cluster_break.rsmod.rsperl_word.rsproperty_bool.rsproperty_names.rsproperty_values.rsscript.rsscript_extension.rssentence_break.rsword_break.rs

either.rserror.rslib.rsparser.rsunicode.rsutf8.rs

remove_dir_all

lib.rs

ring

aead

gcm

gcm_nohw.rs

aes.rsaes_gcm.rsblock.rschacha.rschacha20_poly1305.rschacha20_poly1305_openssh.rscounter.rsgcm.rsiv.rsnonce.rspoly1305.rsquic.rsshift.rs

arithmetic

bigint.rsconstant.rsmontgomery.rs

digest

sha1.rssha2.rs

ec

curve25519

ed25519

signing.rsverification.rs

ed25519.rsops.rsscalar.rsx25519.rs

suite_b

ecdsa

digest_scalar.rssigning.rsverification.rs

ops

elem.rsp256.rsp384.rs

curve.rsecdh.rsecdsa.rsops.rsprivate_key.rspublic_key.rs

curve25519.rskeys.rssuite_b.rs

io

der.rsder_writer.rspositive.rswriter.rs

rsa

padding.rssigning.rsverification.rs

aead.rsagreement.rsarithmetic.rsbits.rsbssl.rsc.rsconstant_time.rscpu.rsdebug.rsdigest.rsec.rsendian.rserror.rshkdf.rshmac.rsio.rslib.rslimb.rspbkdf2.rspkcs8.rspolyfill.rsrand.rsrsa.rssignature.rstest.rs

rustc_demangle

legacy.rslib.rsv0.rs

rustls

client

common.rshandy.rshs.rsmod.rstls12.rstls13.rs

manual

features.rshowto.rsimplvulns.rsmod.rstlsvulns.rs

msgs

alert.rsbase.rsccs.rscodec.rsdeframer.rsenums.rsfragmenter.rshandshake.rshsjoiner.rsmacros.rsmessage.rsmod.rspersist.rs

server

common.rshandy.rshs.rsmod.rstls12.rstls13.rs

anchors.rsbs_debug.rscheck.rscipher.rserror.rshash_hs.rskey.rskey_schedule.rskeylog.rslib.rspemfile.rsprf.rsrand.rsrecord_layer.rssession.rssign.rsstream.rssuites.rsticketer.rsvecbuf.rsverify.rsx509.rs

scoped_tls

lib.rs

sct

lib.rs

serde

de

ignored_any.rsimpls.rsmod.rsseed.rsutf8.rsvalue.rs

private

de.rsdoc.rsmod.rsser.rssize_hint.rs

ser

fmt.rsimpls.rsimpossible.rsmod.rs

integer128.rslib.rsmacros.rs

serde_derive

internals

ast.rsattr.rscase.rscheck.rsctxt.rsmod.rsreceiver.rsrespan.rssymbol.rs

bound.rsde.rsdummy.rsfragment.rslib.rspretend.rsser.rstry.rs

slab

lib.rs

smallvec

lib.rs

spin

lib.rsmutex.rsonce.rsrw_lock.rs

stable_deref_trait

lib.rs

strsim

lib.rs

syn

gen

clone.rsdebug.rseq.rsgen_helper.rshash.rsvisit.rs

attr.rsawait.rsbigint.rsbuffer.rscustom_keyword.rscustom_punctuation.rsdata.rsderive.rsdiscouraged.rserror.rsexport.rsexpr.rsext.rsfile.rsgenerics.rsgroup.rsident.rsitem.rslib.rslifetime.rslit.rslookahead.rsmac.rsmacros.rsop.rsparse.rsparse_macro_input.rsparse_quote.rspat.rspath.rsprint.rspunctuated.rsreserved.rssealed.rsspan.rsspanned.rsstmt.rsthread.rstoken.rstt.rsty.rsverbatim.rswhitespace.rs

synstructure

lib.rsmacros.rs

sys_info

lib.rs

tempfile

file

imp

mod.rsunix.rs

mod.rs

dir.rserror.rslib.rsspooled.rsutil.rs

textwrap

indentation.rslib.rssplitting.rs

thiserror

aserror.rsdisplay.rslib.rs

thiserror_impl

ast.rsattr.rsexpand.rsfmt.rslib.rsprop.rsvalid.rs

time

display.rsduration.rslib.rsparse.rssys.rs

tokio

future

block_on.rsmaybe_done.rsmod.rspoll_fn.rsready.rs

io

driver

interest.rsmod.rsready.rsregistration.rsscheduled_io.rs

async_buf_read.rsasync_fd.rsasync_read.rsasync_seek.rsasync_write.rsmod.rspoll_evented.rsread_buf.rs

loom

std

atomic_ptr.rsatomic_u16.rsatomic_u32.rsatomic_u64.rsatomic_u8.rsatomic_usize.rsmod.rsmutex.rsunsafe_cell.rs

mod.rs

macros

cfg.rsjoin.rsloom.rsmod.rspin.rsready.rsscoped_tls.rsselect.rssupport.rsthread_local.rstry_join.rs

net

tcp

listener.rsmod.rssocket.rssplit.rssplit_owned.rsstream.rs

udp

mod.rssocket.rs

unix

datagram

mod.rssocket.rs

listener.rsmod.rssocketaddr.rssplit.rssplit_owned.rsstream.rsucred.rs

addr.rslookup_host.rsmod.rs

park

either.rsmod.rsthread.rs

runtime

blocking

mod.rspool.rsschedule.rsshutdown.rstask.rs

task

core.rserror.rsharness.rsjoin.rsmod.rsraw.rsstack.rsstate.rswaker.rs

thread_pool

atomic_cell.rsidle.rsmod.rsworker.rs

basic_scheduler.rsbuilder.rscontext.rsdriver.rsenter.rshandle.rsmod.rspark.rsqueue.rsspawner.rs

stream

all.rsany.rschain.rscollect.rsempty.rsfilter.rsfilter_map.rsfold.rsfuse.rsiter.rsmap.rsmerge.rsmod.rsnext.rsonce.rspending.rsskip.rsskip_while.rsstream_map.rstake.rstake_while.rsthrottle.rstimeout.rstry_next.rs

sync

mpsc

block.rsbounded.rschan.rserror.rslist.rsmod.rsunbounded.rs

task

atomic_waker.rsmod.rs

barrier.rsbatch_semaphore.rsbroadcast.rsmod.rsmutex.rsnotify.rsoneshot.rsrwlock.rssemaphore.rswatch.rs

task

blocking.rslocal.rsmod.rsspawn.rstask_local.rsyield_now.rs

time

driver

wheel

level.rsmod.rs

entry.rshandle.rsmod.rssleep.rs

clock.rserror.rsinstant.rsinterval.rsmod.rstimeout.rs

util

bit.rslinked_list.rsmod.rsrand.rsslab.rstrace.rstry_lock.rswake.rs

blocking.rscoop.rslib.rsprelude.rs

tokio_macros

entry.rslib.rsselect.rs

tokio_rustls

common

handshake.rsmod.rs

client.rslib.rsserver.rs

tokio_util

sync

cancellation_token.rsintrusive_double_linked_list.rsmod.rs

cfg.rscompat.rseither.rslib.rsloom.rs

typenum

array.rsbit.rsint.rslib.rsmarker_traits.rsoperator_aliases.rsprivate.rstype_operators.rsuint.rs

udev

device.rsenumerator.rslib.rsmonitor.rsudev.rsutil.rs

uhid_virt

codec.rslib.rsuhid_device.rs

uhidrs_sys

lib.rs

unicode_width

lib.rstables.rs

unicode_xid

lib.rstables.rs

untrusted

untrusted.rs

vec_map

lib.rs

wayland_client

native_lib

display.rsevent_queue.rsmod.rsproxy.rs

display.rsevent_queue.rsglobals.rslib.rsproxy.rs

wayland_commons

debug.rsfilter.rslib.rsmap.rssocket.rsuser_data.rswire.rs

wayland_sys

client.rscommon.rslib.rsserver.rs

webpki

calendar.rscert.rsder.rserror.rsname.rssigned_data.rstime.rstrust_anchor_util.rsverify_cert.rswebpki.rs

which

checker.rserror.rsfinder.rslib.rs

x11

dpms.rsglx.rsinternal.rskeysym.rslib.rslink.rsxcursor.rsxf86vmode.rsxfixes.rsxft.rsxinerama.rsxinput.rsxinput2.rsxlib.rsxlib_xcb.rsxmd.rsxmu.rsxrandr.rsxrecord.rsxrender.rsxss.rsxt.rsxtest.rs

xcb

ffi

base.rsbig_requests.rsxc_misc.rsxkb.rsxproto.rs

base.rsbig_requests.rslib.rsxc_misc.rsxkb.rsxproto.rs

xkbcommon

xkb

x11

ffi.rsmod.rs

compose.rsffi.rskeysyms.rsmod.rs

lib.rs

yansi

color.rsdocify.rslib.rsmacros.rspaint.rsstyle.rswindows.rs

yasna

deserializer

mod.rs

models

der.rsmod.rsoid.rstime.rs

reader

error.rsmod.rs

serializer

mod.rs

tags

mod.rs

writer

mod.rs

lib.rs

zwp_virtual_keyboard

lib.rs

>

// Copyright 2015-2016 Brian Smith.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

//! ECDSA Signatures using the P-256 and P-384 curves.

use super::digest_scalar::digest_scalar;
use crate::{
    arithmetic::montgomery::*,
    digest,
    ec::suite_b::{ops::*, public_key::*, verify_jacobian_point_is_on_the_curve},
    error,
    io::der,
    limb, sealed, signature,
};

/// An ECDSA verification algorithm.
pub struct EcdsaVerificationAlgorithm {
    ops: &'static PublicScalarOps,
    digest_alg: &'static digest::Algorithm,
    split_rs:
        for<'a> fn(
            ops: &'static ScalarOps,
            input: &mut untrusted::Reader<'a>,
        )
            -> Result<(untrusted::Input<'a>, untrusted::Input<'a>), error::Unspecified>,
    id: AlgorithmID,
}

#[derive(Debug)]
enum AlgorithmID {
    ECDSA_P256_SHA256_ASN1,
    ECDSA_P256_SHA256_FIXED,
    ECDSA_P256_SHA384_ASN1,
    ECDSA_P384_SHA256_ASN1,
    ECDSA_P384_SHA384_ASN1,
    ECDSA_P384_SHA384_FIXED,
}

derive_debug_via_id!(EcdsaVerificationAlgorithm);

impl signature::VerificationAlgorithm for EcdsaVerificationAlgorithm {
    fn verify(
        &self,
        public_key: untrusted::Input,
        msg: untrusted::Input,
        signature: untrusted::Input,
    ) -> Result<(), error::Unspecified> {
        let e = {
            // NSA Guide Step 2: "Use the selected hash function to compute H =
            // Hash(M)."
            let h = digest::digest(self.digest_alg, msg.as_slice_less_safe());

            // NSA Guide Step 3: "Convert the bit string H to an integer e as
            // described in Appendix B.2."
            digest_scalar(self.ops.scalar_ops, h)
        };

        self.verify_digest(public_key, e, signature)
    }
}

impl EcdsaVerificationAlgorithm {
    /// This is intentionally not public.
    fn verify_digest(
        &self,
        public_key: untrusted::Input,
        e: Scalar,
        signature: untrusted::Input,
    ) -> Result<(), error::Unspecified> {
        // NSA Suite B Implementer's Guide to ECDSA Section 3.4.2.

        let public_key_ops = self.ops.public_key_ops;
        let scalar_ops = self.ops.scalar_ops;

        // NSA Guide Prerequisites:
        //
        //    Prior to accepting a verified digital signature as valid the
        //    verifier shall have:
        //
        //    1. assurance of the signatory’s claimed identity,
        //    2. an authentic copy of the domain parameters, (q, FR, a, b, SEED,
        //       G, n, h),
        //    3. assurance of the validity of the public key, and
        //    4. assurance that the claimed signatory actually possessed the
        //       private key that was used to generate the digital signature at
        //       the time that the signature was generated.
        //
        // Prerequisites #1 and #4 are outside the scope of what this function
        // can do. Prerequisite #2 is handled implicitly as the domain
        // parameters are hard-coded into the source. Prerequisite #3 is
        // handled by `parse_uncompressed_point`.
        let peer_pub_key = parse_uncompressed_point(public_key_ops, public_key)?;

        let (r, s) = signature.read_all(error::Unspecified, |input| {
            (self.split_rs)(scalar_ops, input)
        })?;

        // NSA Guide Step 1: "If r and s are not both integers in the interval
        // [1, n − 1], output INVALID."
        let r = scalar_parse_big_endian_variable(public_key_ops.common, limb::AllowZero::No, r)?;
        let s = scalar_parse_big_endian_variable(public_key_ops.common, limb::AllowZero::No, s)?;

        // NSA Guide Step 4: "Compute w = s**−1 mod n, using the routine in
        // Appendix B.1."
        let w = scalar_ops.scalar_inv_to_mont(&s);

        // NSA Guide Step 5: "Compute u1 = (e * w) mod n, and compute
        // u2 = (r * w) mod n."
        let u1 = scalar_ops.scalar_product(&e, &w);
        let u2 = scalar_ops.scalar_product(&r, &w);

        // NSA Guide Step 6: "Compute the elliptic curve point
        // R = (xR, yR) = u1*G + u2*Q, using EC scalar multiplication and EC
        // addition. If R is equal to the point at infinity, output INVALID."
        let product = twin_mul(self.ops.private_key_ops, &u1, &u2, &peer_pub_key);

        // Verify that the point we computed is on the curve; see
        // `verify_affine_point_is_on_the_curve_scaled` for details on why. It
        // would be more secure to do the check on the affine coordinates if we
        // were going to convert to affine form (again, see
        // `verify_affine_point_is_on_the_curve_scaled` for details on why).
        // But, we're going to avoid converting to affine for performance
        // reasons, so we do the verification using the Jacobian coordinates.
        let z2 = verify_jacobian_point_is_on_the_curve(public_key_ops.common, &product)?;

        // NSA Guide Step 7: "Compute v = xR mod n."
        // NSA Guide Step 8: "Compare v and r0. If v = r0, output VALID;
        // otherwise, output INVALID."
        //
        // Instead, we use Greg Maxwell's trick to avoid the inversion mod `q`
        // that would be necessary to compute the affine X coordinate.
        let x = public_key_ops.common.point_x(&product);
        fn sig_r_equals_x(
            ops: &PublicScalarOps,
            r: &Elem<Unencoded>,
            x: &Elem<R>,
            z2: &Elem<R>,
        ) -> bool {
            let cops = ops.public_key_ops.common;
            let r_jacobian = cops.elem_product(z2, r);
            let x = cops.elem_unencoded(x);
            ops.elem_equals(&r_jacobian, &x)
        }
        let r = self.ops.scalar_as_elem(&r);
        if sig_r_equals_x(self.ops, &r, &x, &z2) {
            return Ok(());
        }
        if self.ops.elem_less_than(&r, &self.ops.q_minus_n) {
            let r_plus_n = self.ops.elem_sum(&r, &public_key_ops.common.n);
            if sig_r_equals_x(self.ops, &r_plus_n, &x, &z2) {
                return Ok(());
            }
        }

        Err(error::Unspecified)
    }
}

impl sealed::Sealed for EcdsaVerificationAlgorithm {}

fn split_rs_fixed<'a>(
    ops: &'static ScalarOps,
    input: &mut untrusted::Reader<'a>,
) -> Result<(untrusted::Input<'a>, untrusted::Input<'a>), error::Unspecified> {
    let scalar_len = ops.scalar_bytes_len();
    let r = input.read_bytes(scalar_len)?;
    let s = input.read_bytes(scalar_len)?;
    Ok((r, s))
}

fn split_rs_asn1<'a>(
    _ops: &'static ScalarOps,
    input: &mut untrusted::Reader<'a>,
) -> Result<(untrusted::Input<'a>, untrusted::Input<'a>), error::Unspecified> {
    der::nested(input, der::Tag::Sequence, error::Unspecified, |input| {
        let r = der::positive_integer(input)?.big_endian_without_leading_zero_as_input();
        let s = der::positive_integer(input)?.big_endian_without_leading_zero_as_input();
        Ok((r, s))
    })
}

fn twin_mul(
    ops: &PrivateKeyOps,
    g_scalar: &Scalar,
    p_scalar: &Scalar,
    p_xy: &(Elem<R>, Elem<R>),
) -> Point {
    // XXX: Inefficient. TODO: implement interleaved wNAF multiplication.
    let scaled_g = ops.point_mul_base(g_scalar);
    let scaled_p = ops.point_mul(p_scalar, p_xy);
    ops.common.point_sum(&scaled_g, &scaled_p)
}

/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the
/// P-256 curve and SHA-256.
///
/// See "`ECDSA_*_FIXED` Details" in `ring::signature`'s module-level
/// documentation for more details.
pub static ECDSA_P256_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
    ops: &p256::PUBLIC_SCALAR_OPS,
    digest_alg: &digest::SHA256,
    split_rs: split_rs_fixed,
    id: AlgorithmID::ECDSA_P256_SHA256_FIXED,
};

/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the
/// P-384 curve and SHA-384.
///
/// See "`ECDSA_*_FIXED` Details" in `ring::signature`'s module-level
/// documentation for more details.
pub static ECDSA_P384_SHA384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
    ops: &p384::PUBLIC_SCALAR_OPS,
    digest_alg: &digest::SHA384,
    split_rs: split_rs_fixed,
    id: AlgorithmID::ECDSA_P384_SHA384_FIXED,
};

/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256 curve
/// and SHA-256.
///
/// See "`ECDSA_*_ASN1` Details" in `ring::signature`'s module-level
/// documentation for more details.
pub static ECDSA_P256_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
    ops: &p256::PUBLIC_SCALAR_OPS,
    digest_alg: &digest::SHA256,
    split_rs: split_rs_asn1,
    id: AlgorithmID::ECDSA_P256_SHA256_ASN1,
};

/// *Not recommended*. Verification of ASN.1 DER-encoded ECDSA signatures using
/// the P-256 curve and SHA-384.
///
/// In most situations, P-256 should be used only with SHA-256 and P-384
/// should be used only with SHA-384. However, in some cases, particularly TLS
/// on the web, it is necessary to support P-256 with SHA-384 for compatibility
/// with widely-deployed implementations that do not follow these guidelines.
///
/// See "`ECDSA_*_ASN1` Details" in `ring::signature`'s module-level
/// documentation for more details.
pub static ECDSA_P256_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
    ops: &p256::PUBLIC_SCALAR_OPS,
    digest_alg: &digest::SHA384,
    split_rs: split_rs_asn1,
    id: AlgorithmID::ECDSA_P256_SHA384_ASN1,
};

/// *Not recommended*. Verification of ASN.1 DER-encoded ECDSA signatures using
/// the P-384 curve and SHA-256.
///
/// In most situations, P-256 should be used only with SHA-256 and P-384
/// should be used only with SHA-384. However, in some cases, particularly TLS
/// on the web, it is necessary to support P-256 with SHA-384 for compatibility
/// with widely-deployed implementations that do not follow these guidelines.
///
/// See "`ECDSA_*_ASN1` Details" in `ring::signature`'s module-level
/// documentation for more details.
pub static ECDSA_P384_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
    ops: &p384::PUBLIC_SCALAR_OPS,
    digest_alg: &digest::SHA256,
    split_rs: split_rs_asn1,
    id: AlgorithmID::ECDSA_P384_SHA256_ASN1,
};

/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve
/// and SHA-384.
///
/// See "`ECDSA_*_ASN1` Details" in `ring::signature`'s module-level
/// documentation for more details.
pub static ECDSA_P384_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
    ops: &p384::PUBLIC_SCALAR_OPS,
    digest_alg: &digest::SHA384,
    split_rs: split_rs_asn1,
    id: AlgorithmID::ECDSA_P384_SHA384_ASN1,
};

#[cfg(test)]
mod tests {
    use super::*;
    use crate::test;
    use alloc::vec::Vec;

    #[test]
    fn test_digest_based_test_vectors() {
        test::run(
            test_file!("../../../../crypto/fipsmodule/ecdsa/ecdsa_verify_tests.txt"),
            |section, test_case| {
                assert_eq!(section, "");

                let curve_name = test_case.consume_string("Curve");

                let public_key = {
                    let mut public_key = Vec::new();
                    public_key.push(0x04);
                    public_key.extend(&test_case.consume_bytes("X"));
                    public_key.extend(&test_case.consume_bytes("Y"));
                    public_key
                };

                let digest = test_case.consume_bytes("Digest");

                let sig = {
                    let mut sig = Vec::new();
                    sig.extend(&test_case.consume_bytes("R"));
                    sig.extend(&test_case.consume_bytes("S"));
                    sig
                };

                let invalid = test_case.consume_optional_string("Invalid");

                let alg = match curve_name.as_str() {
                    "P-256" => &ECDSA_P256_SHA256_FIXED,
                    "P-384" => &ECDSA_P384_SHA384_FIXED,
                    _ => {
                        panic!("Unsupported curve: {}", curve_name);
                    }
                };

                let digest = super::super::digest_scalar::digest_bytes_scalar(
                    &alg.ops.scalar_ops,
                    &digest[..],
                );
                let actual_result = alg.verify_digest(
                    untrusted::Input::from(&public_key[..]),
                    digest,
                    untrusted::Input::from(&sig[..]),
                );
                assert_eq!(actual_result.is_ok(), invalid.is_none());

                Ok(())
            },
        );
    }
}