Fix streaming validation, FFI lifetime soundness, error code alignment, and doc accuracy #183
Closed
Copilot wants to merge 3 commits into users/jstatia/native_primitives from
…ing support

Rust crates (8):
- cbor_primitives: CBOR encoding/decoding traits
- cbor_primitives_everparse: EverParse backend + streaming CborStreamDecoder
- crypto_primitives: Crypto signer/verifier traits, JWK types
- cose_primitives: RFC 9052 COSE types, CoseData (Buffered/Streamed), LazyHeaderMap, ArcSlice/ArcStr zero-copy header values
- cose_sign1_primitives: COSE_Sign1 message, builder, sig_structure, streaming parse/sign/verify
- cose_sign1_crypto_openssl: OpenSSL EC/RSA/EdDSA/ML-DSA provider
- cose_sign1_primitives_ffi: C-ABI for Sign1 operations
- cose_sign1_crypto_openssl_ffi: C-ABI for crypto provider

Zero-copy architecture:
- CoseSign1Message owns single Arc<[u8]> backing buffer
- Protected headers, payload, signature are Range<usize> slices
- CoseHeaderValue::Bytes/Text use ArcSlice/ArcStr (share backing Arc)
- LazyHeaderMap defers parsing via OnceLock until first access
- Clone is O(1) for payload/signature (Arc pointer copy)

Streaming support:
- CborStreamDecoder: parse CBOR from Read+Seek streams
- CoseData::Streamed: headers buffered (~1KB), payload by offset
- parse_stream(): parse 10GB files with ~1.4KB memory
- sign_streaming(): 64KB peak for detached payloads
- verify_payload_streaming(): 64KB peak for ECDSA/RSA verification
- Ed25519/ML-DSA fall back to buffered (documented)

Single-pass sign+embed:
- Detached: 64KB chunk buffer, no payload retention
- Embedded: read into embed buffer, signer reads same buffer
- MemoryPayload uses Arc<[u8]> (open() is pointer copy, not clone)

C/C++ projections:
- cose.h/.hpp, sign1.h/.hpp, crypto/openssl.h/.hpp
- C/C++ API docs and architecture documentation

Documentation:
- native/rust/docs/memory-characteristics.md
- native/docs/ARCHITECTURE.md and getting started guides
- Per-crate READMEs

221 tests, 90%+ line coverage, zero clippy warnings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

af8eac5 to 54082a8
…, docs, CI workflow_dispatch

Co-authored-by: JeromySt <12549141+JeromySt@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/CoseSignTool/sessions/855b756d-2986-49b6-8843-1bf96ef5a6f5

Copilot (AI) changed the title from "[WIP] Native Layer 1: Zero-copy COSE primitives with streaming parse/sign/verify" to "Fix streaming validation, FFI lifetime soundness, error code alignment, and doc accuracy" on Mar 21, 2026

63ec316 to 4350e90
Member: Closing as duplicate. All fixes cherry-picked into PR #181: FFI lifetime soundness, overflow guard, error codes, doc corrections, cbindgen prefix.
PR review identified bugs in the streaming signing path, unsound FFI lifetime annotations, misaligned C/Rust error codes, and stale documentation across the Layer 1 primitives.
**Streaming payload validation** (`builder.rs`)
- `usize::try_from(payload_len)` overflow guard before `Vec::with_capacity` — a silent truncation on 32-bit platforms would over-allocate or panic
- `PayloadError::LengthMismatch` checks after streaming reads in both detached and embedded paths — a mismatch between the declared `size()` and bytes actually read would silently produce a signature over a truncated payload

**FFI lifetime soundness** (`ffi/src/types.rs`, `ffi/src/error.rs`)
- `*_handle_to_inner` functions returned `&'static Inner`, which is an unsound claim — changed to explicit `&'a` so the lifetime is tied to the input pointer and not accidentally extended past the handle's validity

**Error code fixes**
- `PayloadError(_)` was mapped to `FFI_ERR_PAYLOAD_MISSING` (-4), colliding with `PayloadMissing` — C callers had no way to distinguish "detached payload not provided" from "payload I/O / length error". Now maps to `FFI_ERR_INVALID_ARGUMENT` (-5)
- `sign1.h` error code values were completely out of sync with the Rust FFI exports (e.g., `INVALID_ARGUMENT` was -2 in C, -5 in Rust). Fixed to match the authoritative Rust values; added comment for the non-sequential `COSE_SIGN1_ERR_PANIC = -99`

**Config / packaging**
- `cbindgen.toml`: Removed `prefix = "cosesign1_"` — would double-prefix already-named exports like `cose_sign1_error_message` → `cosesign1_cose_sign1_error_message`
- `ffi/Cargo.toml`: Removed `rlib` from `crate-type` — FFI projection crates only need `staticlib` + `cdylib`; no workspace crate depends on this as a library

**Documentation**
- `sign1/README.md`: Rewrote — old version referenced wrong crate name (`cosesign1_primitives`), described a caller-supplied `CborProvider` model that no longer exists, and showed API signatures (`sign(&provider, ...)`) that don't compile
- `troubleshooting.md`: `LARGE_STREAM_THRESHOLD` → `LARGE_PAYLOAD_THRESHOLD` (actual constant name)
- `cose.h`: Removed ambiguous dual free-function reference; canonical free is `cose_string_free()`

**CI**
- `workflow_dispatch` support for all three jobs (`dotnet`, `native-rust`, `native-c-cpp`) — the prior change dropped it, causing manual CI runs to skip all jobs silently
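As an added illustration (not code from this PR or from the CoseSignTool crates), here is a streaming embedded-payload read that applies both checks the description names: the `usize::try_from` guard before `Vec::with_capacity`, and a `LengthMismatch` check after the read so a short stream cannot yield a signature over a truncated payload. `PayloadError`, `read_embedded_payload`, `CHUNK` and the `sink` callback are constructed names for this example, not the crate's API.

```rust
use std::io::Read;

/// 64 KiB chunk buffer, matching the streaming buffer size the PR describes.
const CHUNK: usize = 64 * 1024;

/// Payload errors for the streaming read (names constructed for this example).
#[derive(Debug, PartialEq)]
pub enum PayloadError {
    /// The declared length does not fit in `usize` on this platform.
    LengthOverflow(u64),
    /// The declared length and the bytes actually read differ.
    LengthMismatch { declared: u64, read: u64 },
    Io(String),
}

/// Streams a payload of `declared_len` bytes from `reader` into an embed buffer,
/// handing each chunk to `sink` (a stand-in for a streaming signer's update call).
pub fn read_embedded_payload<R: Read>(
    reader: R,
    declared_len: u64,
    mut sink: impl FnMut(&[u8]),
) -> Result<Vec<u8>, PayloadError> {
    // Guard the u64 -> usize conversion instead of `as usize`, which would
    // silently truncate on 32-bit targets and mis-size the buffer.
    let wanted = usize::try_from(declared_len)
        .map_err(|_| PayloadError::LengthOverflow(declared_len))?;
    // Pre-allocate, but never more than one chunk up front: the declared length
    // is caller-controlled and must not drive an unbounded allocation.
    let mut embed = Vec::with_capacity(wanted.min(CHUNK));
    let mut buf = vec![0u8; CHUNK];
    let mut limited = reader.take(declared_len); // never read past the declared size
    loop {
        let n = limited.read(&mut buf).map_err(|e| PayloadError::Io(e.to_string()))?;
        if n == 0 {
            break;
        }
        sink(&buf[..n]);
        embed.extend_from_slice(&buf[..n]);
    }
    // The post-read length check is what turns a short stream into an error
    // instead of a signature over a truncated payload.
    let read = embed.len() as u64;
    if read != declared_len {
        return Err(PayloadError::LengthMismatch { declared: declared_len, read });
    }
    Ok(embed)
}
```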