objc: Implement the signature primitive.

- Protocols for PublicKeySign and PublicKeyVerify - Factories for both primitives - Signature config and key templates - Unit tests PiperOrigin-RevId: 200255071 GitOrigin-RevId: fc16218762a4ea2b1b2c9c548ca3a35ab0d8efe6

objc: Implement the signature primitive.
- Protocols for PublicKeySign and PublicKeyVerify - Factories for both primitives - Signature config and key templates - Unit tests PiperOrigin-RevId: 200255071 GitOrigin-RevId: fc16218762a4ea2b1b2c9c548ca3a35ab0d8efe6
d3edaea4 · Haris Andrianakis · Tink Team · ced22c14 · d3edaea4 · d3edaea4
Commit d3edaea4 authored 6 years ago by Haris Andrianakis Committed by Tink Team 6 years ago
--- a/objc/BUILD.bazel
+++ b/objc/BUILD.bazel
@@ -29,7 +29,13 @@ PUBLIC_APIS = [
    "TINKMacConfig.h",
    "TINKMacFactory.h",
    "TINKMacKeyTemplate.h",
+    "TINKPublicKeySign.h",
+    "TINKPublicKeySignFactory.h",
+    "TINKPublicKeyVerify.h",
+    "TINKPublicKeyVerifyFactory.h",
    "TINKRegistryConfig.h",
+    "TINKSignatureConfig.h",
+    "TINKSignatureKeyTemplate.h",
    "TINKVersion.h",
 ]

@@ -56,7 +62,13 @@ PUBLIC_API_DEPS = [
    ":mac_config",
    ":mac_factory",
    ":mac_key_template",
+    ":public_key_sign",
+    ":public_key_sign_factory",
+    ":public_key_verify",
+    ":public_key_verify_factory",
    ":registry_config",
+    ":signature_config",
+    ":signature_key_template",
    ":version",
    "//objc/util:errors",
    "//objc/util:strings",
@@ -485,6 +497,106 @@ cc_library(
    ],
 )

+############################
+#       Signature          #
+############################
+
+objc_library(
+    name = "public_key_sign",
+    hdrs = [
+        "TINKPublicKeySign.h",
+    ],
+)
+
+objc_library(
+    name = "public_key_verify",
+    hdrs = [
+        "TINKPublicKeyVerify.h",
+    ],
+)
+
+objc_library(
+    name = "signature_config",
+    srcs = ["signature/TINKSignatureConfig.mm"],
+    hdrs = ["TINKSignatureConfig.h"],
+    deps = [
+        ":registry_config",
+        ":version",
+        "//cc/signature:signature_config",
+        "//cc/util:errors",
+        "//objc/util:errors",
+    ],
+)
+
+objc_library(
+    name = "signature_key_template",
+    srcs = ["signature/TINKSignatureKeyTemplate.mm"],
+    hdrs = ["TINKSignatureKeyTemplate.h"],
+    deps = [
+        ":key_template",
+        ":tink_cc_pb",
+        "//cc/signature:signature_key_templates",
+        "//cc/util:status",
+        "//objc/util:errors",
+    ],
+)
+
+objc_library(
+    name = "public_key_sign_internal",
+    srcs = ["signature/TINKPublicKeySignInternal.mm"],
+    hdrs = ["signature/TINKPublicKeySignInternal.h"],
+    deps = [
+        ":public_key_sign",
+        "//cc:public_key_sign",
+        "//objc/util:errors",
+        "//objc/util:strings",
+        "@com_google_absl//absl/strings",
+    ],
+)
+
+objc_library(
+    name = "public_key_verify_internal",
+    srcs = ["signature/TINKPublicKeyVerifyInternal.mm"],
+    hdrs = ["signature/TINKPublicKeyVerifyInternal.h"],
+    deps = [
+        ":public_key_verify",
+        "//cc:public_key_verify",
+        "//objc/util:errors",
+        "//objc/util:strings",
+        "@com_google_absl//absl/strings",
+    ],
+)
+
+objc_library(
+    name = "public_key_sign_factory",
+    srcs = ["signature/TINKPublicKeySignFactory.mm"],
+    hdrs = ["TINKPublicKeySignFactory.h"],
+    deps = [
+        ":keyset_handle",
+        ":public_key_sign",
+        ":public_key_sign_internal",
+        "//cc:keyset_handle",
+        "//cc/signature:public_key_sign_factory",
+        "//cc/util:status",
+        "//objc/util:errors",
+    ],
+)
+
+objc_library(
+    name = "public_key_verify_factory",
+    srcs = ["signature/TINKPublicKeyVerifyFactory.mm"],
+    hdrs = ["TINKPublicKeyVerifyFactory.h"],
+    deps = [
+        ":keyset_handle",
+        ":public_key_verify",
+        ":public_key_verify_internal",
+        "//cc:keyset_handle",
+        "//cc/signature:public_key_verify_factory",
+        "//cc/util:status",
+        "//objc/util:errors",
+    ],
+)
+
 ############################
 #         Tests            #
 ############################

--- a/objc/TINKAeadKeyTemplate.h
+++ b/objc/TINKAeadKeyTemplate.h
@@ -96,7 +96,6 @@ NS_ASSUME_NONNULL_BEGIN

 - (nullable instancetype)init
    __attribute__((unavailable("Use -initWithKeyTemplate:error: instead.")));
-;

 /**
 * Creates a TINKAeadKeyTemplate that can be used to generate aead keysets.

--- a/objc/TINKPublicKeySign.h
+++ b/objc/TINKPublicKeySign.h
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * Protocol for public key signing.
+ * Digital Signatures provide functionality of signing data and verification of the signatures.
+ * They are represented by a pair of primitives PublicKeySign for signing of data, and
+ * PublicKeyVerify for verification of signatures. Implementations of these interfaces are secure
+ * against adaptive chosen-message attacks. Signing data ensures the authenticity and the integrity
+ * of that data, but not its secrecy.
+ */
+@protocol TINKPublicKeySign <NSObject>
+
+/**
+ * Computes the signature for @c data.
+ *
+ * @param data  The data to compute the signature of.
+ * @param error non-nil in case of error.
+ * @return      The signature of data.
+ */
+- (nullable NSData *)signatureForData:(NSData *)data error:(NSError **)error;
+
+@end
+
+NS_ASSUME_NONNULL_END
--- a/objc/TINKPublicKeySignFactory.h
+++ b/objc/TINKPublicKeySignFactory.h
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+@class TINKKeysetHandle;
+@protocol TINKPublicKeySign;
+
+NS_ASSUME_NONNULL_BEGIN;
+
+/**
+ * TINKPublicKeySignFactory allows for obtaining a TINKPublicKeySign primitive from a
+ * TINKKeysetHandle.
+ *
+ * TINKPublicKeySignFactory gets primitives from the Registry, which can be initialized via
+ * convenience methods from the TINKSignatureConfig class. Here is an example how one can obtain and
+ * use a TINKPublicKeySign primitive:
+ *
+ * NSError *error = nil;
+ * TINKSignatureConfig *signatureConfig = [TINKSignatureConfig alloc]
+ *                                            initWithVersion:TINKVersion1_1_0
+ *                                                      error:&error];
+ * if (!signatureConfig || error) {
+ *   // handle error.
+ * }
+ *
+ * if (![TINKConfig registerConfig:signatureConfig error:&error]) {
+ *   // handle error.
+ * }
+ *
+ * TINKKeysetHandle keysetHandle = ...;
+ * id<TINKPublicKeySign> publicKeySign = [TINKPublicKeySignFactory
+ *                                            primitiveWithKeysetHandle:keysetHandle
+ *                                                                error:&error];
+ * if (!publicKeySign || error) {
+ *   // handle error.
+ * }
+ *
+ * NSData *data = ...;
+ * NSData *signature = [publicKeySign computeSignature:data error:&error];
+ */
+@interface TINKPublicKeySignFactory : NSObject
+/**
+ * Returns an object that conforms to the TINKPublicKeySign protocol. It uses key material from the
+ * keyset specified via @c keysetHandle.
+ */
+ (nullable id<TINKPublicKeySign>)primitiveWithKeysetHandle:(TINKKeysetHandle *)keysetHandle
+                                                      error:(NSError **)error;
+@end
+
+NS_ASSUME_NONNULL_END;
--- a/objc/TINKPublicKeyVerify.h
+++ b/objc/TINKPublicKeyVerify.h
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * Protocol for public key verifying.
+ * Digital Signatures provide functionality of signing data and verification of the signatures.
+ * They are represented by a pair of primitives PublicKeySign for signing of data, and
+ * PublicKeyVerify for verification of signatures. Implementations of these interfaces are secure
+ * against adaptive chosen-message attacks. Signing data ensures the authenticity and the integrity
+ * of that data, but not its secrecy.
+ */
+@protocol TINKPublicKeyVerify <NSObject>
+
+/**
+ * Verifies that @c signature is a digital signature for @c data.
+ *
+ * @param signature  The signature to be verified.
+ * @param data       The data for which to verify the signature.
+ * @param error      non-nil in case of error.
+ * @return           YES if the signature is valid, NO otherwise.
+ */
+- (BOOL)verifySignature:(NSData *)signature forData:(NSData *)data error:(NSError **)error;
+
+@end
+
+NS_ASSUME_NONNULL_END
--- a/objc/TINKPublicKeyVerifyFactory.h
+++ b/objc/TINKPublicKeyVerifyFactory.h
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+@class TINKKeysetHandle;
+@protocol TINKPublicKeyVerify;
+
+NS_ASSUME_NONNULL_BEGIN;
+
+/**
+ * TINKPublicKeyVerifyFactory allows for obtaining a TINKPublicKeyVerify primitive from a
+ * TINKKeysetHandle.
+ *
+ * TINKPublicKeyVerifyFactory gets primitives from the Registry, which can be initialized via
+ * convenience methods from the TINKSignatureConfig class. Here is an example how one can obtain and
+ * use a TINKPublicKeyVerify primitive:
+ *
+ * NSError *error = nil;
+ * TINKSignatureConfig *signatureConfig = [TINKSignatureConfig alloc]
+ *                                            initWithVersion:TINKVersion1_1_0
+ *                                                      error:&error];
+ * if (!signatureConfig || error) {
+ *   // handle error.
+ * }
+ *
+ * if (![TINKConfig registerConfig:signatureConfig error:&error]) {
+ *   // handle error.
+ * }
+ *
+ * TINKKeysetHandle keysetHandle = ...;
+ * id<TINKPublicKeyVerify> publicKeyVerify = [TINKPublicKeyVerifyFactory
+ *                                               primitiveWithKeysetHandle:keysetHandle
+ *                                                                   error:&error];
+ * if (!publicKeyVerify || error) {
+ *   // handle error.
+ * }
+ *
+ * NSData *data = ...;
+ * NSData *signature = ...;
+ * BOOL result = [publicKeyVerify verifySignature:signature forData:data error:&error];
+ * if (!result) {
+ *   // Signature was not correct.
+ *   // ...
+ * }
+ */
+@interface TINKPublicKeyVerifyFactory : NSObject
+/**
+ * Returns an object that conforms to the TINKPublicKeyVerify protocol. It uses key material from
+ * the keyset specified via @c keysetHandle.
+ */
+ (nullable id<TINKPublicKeyVerify>)primitiveWithKeysetHandle:(TINKKeysetHandle *)keysetHandle
+                                                        error:(NSError **)error;
+@end
+
+NS_ASSUME_NONNULL_END;
--- a/objc/TINKSignatureConfig.h
+++ b/objc/TINKSignatureConfig.h
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "objc/TINKRegistryConfig.h"
+#import "objc/TINKVersion.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * This class is used for registering with the Registry all instances of Signautre key types
+ * supported in a particular release of Tink.
+ *
+ * To register all Signature key types provided in Tink release 1.1.0 one can do:
+ *
+ * NSError *error = nil;
+ * TINKSignatureConfig *config = [TINKSignatureConfig alloc] initWithVersion:TINKVersion1_1_0
+ *                                                                     error:&error];
+ * if (!config || error) {
+ *   // handle error.
+ * }
+ *
+ * if (![TINKConfig registerConfig:config error:&error]) {
+ *   // handle error.
+ * }
+ *
+ * For more information on the creation and usage of TINKSignature instances see
+ * TINKPublicKeySignFactory and TINKPublicKeyVerifyFactory.
+ */
+@interface TINKSignatureConfig : TINKRegistryConfig
+
+/* Use initWithVersion:error: to get an instance of TINKSignatureConfig. */
+- (nullable instancetype)init NS_UNAVAILABLE;
+
+/* Returns config of Signature implementations supported in given @c version of Tink. */
+- (nullable instancetype)initWithVersion:(TINKVersion)version
+                                   error:(NSError **)error NS_DESIGNATED_INITIALIZER;
+
+@end
+
+NS_ASSUME_NONNULL_END
--- a/objc/TINKSignatureKeyTemplate.h
+++ b/objc/TINKSignatureKeyTemplate.h
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import <Foundation/Foundation.h>
+
+#import "objc/TINKKeyTemplate.h"
+
+typedef NS_ENUM(NSInteger, TINKSignatureKeyTemplates) {
+  /**
+   * EcdsaPrivateKey with the following parameters:
+   *   - EC curve: NIST P-256
+   *   - hash function: SHA256
+   *   - signature endocding: DER
+   *   - OutputPrefixType: TINK
+   */
+  TINKEcdsaP256 = 1,
+
+  /**
+   * EcdsaPrivateKey with the following parameters:
+   *   - EC curve: NIST P-384
+   *   - hash function: SHA512
+   *   - signature endocding: DER
+   *   - OutputPrefixType: TINK
+   */
+  TINKEcdsaP384 = 2,
+
+  /**
+   * EcdsaPrivateKey with the following parameters:
+   *   - EC curve: NIST P-521
+   *   - hash function: SHA512
+   *   - signature endocding: DER
+   *   - OutputPrefixType: TINK
+   */
+  TINKEcdsaP521 = 3,
+};
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * Pre-generated key templates for signature key types.
+ * One can use these templates to generate new TINKKeysetHandle object with fresh keys.
+ *
+ * Example:
+ *
+ * NSError *error = nil;
+ * TINKSignatureConfig *config = [[TINKSignatureConfig alloc] initWithVersion:TINKVersion1_1_0
+ *                                                                      error:&error];
+ * if (!config || error) {
+ *   // handle error.
+ * }
+ *
+ * if (![TINKConfig registerConfig:config error:&error]) {
+ *   // handle error.
+ * }
+ *
+ * TINKSignatureKeyTemplate *tpl = [TINSignatureKeyTemplate initWithKeyTemplate:TINKEcdsaP521
+ *                                                                        error:&error];
+ * if (!tpl || error) {
+ *   // handle error.
+ * }
+ *
+ * TINKKeysetHandle *handle = [[TINKKeysetHandle alloc] initWithKeyTemplate:tpl error:&error];
+ * if (!handle || error) {
+ *   // handle error.
+ * }
+ *
+ */
+@interface TINKSignatureKeyTemplate : TINKKeyTemplate
+
+- (nullable instancetype)init
+    __attribute__((unavailable("Use -initWithKeyTemplate:error: instead.")));
+
+/**
+ * Creates a TINKSignatureKeyTemplate that can be used to generate signature keysets.
+ *
+ * @param keyTemplate The signature key template to use.
+ * @param error       If non-nil it will be populated with a descriptive error when the operation
+ *                    fails.
+ * @return            A TINKSignatureKeyTemplate or nil in case of error.
+ */
+- (nullable instancetype)initWithKeyTemplate:(TINKSignatureKeyTemplates)keyTemplate
+                                       error:(NSError **)error NS_DESIGNATED_INITIALIZER;
+
+@end
+
+NS_ASSUME_NONNULL_END
--- a/objc/Tests/UnitTests/signature/TINKPublicKeySignFactory.mm
+++ b/objc/Tests/UnitTests/signature/TINKPublicKeySignFactory.mm
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKPublicKeySignFactory.h"
+
+#import <XCTest/XCTest.h>
+
+#import "objc/TINKKeysetHandle.h"
+#import "objc/TINKPublicKeySign.h"
+#import "objc/TINKPublicKeySignFactory.h"
+#import "objc/TINKSignatureConfig.h"
+#import "objc/core/TINKKeysetHandle_Internal.h"
+#import "objc/signature/TINKPublicKeySignInternal.h"
+#import "objc/util/TINKStrings.h"
+
+#include "tink/crypto_format.h"
+#include "tink/keyset_handle.h"
+#include "tink/signature/ecdsa_sign_key_manager.h"
+#include "tink/signature/signature_config.h"
+#include "tink/util/status.h"
+#include "tink/util/test_util.h"
+#include "proto/ecdsa.pb.h"
+#include "proto/tink.pb.h"
+
+using crypto::tink::EcdsaSignKeyManager;
+using crypto::tink::KeyFactory;
+using crypto::tink::TestUtil;
+using crypto::tink::test::AddRawKey;
+using crypto::tink::test::AddTinkKey;
+using google::crypto::tink::EcdsaPrivateKey;
+using google::crypto::tink::EllipticCurveType;
+using google::crypto::tink::HashType;
+using google::crypto::tink::KeyData;
+using google::crypto::tink::Keyset;
+using google::crypto::tink::KeyStatusType;
+
+static EcdsaPrivateKey GetNewEcdsaPrivateKey() {
+  return crypto::tink::test::GetEcdsaTestPrivateKey(EllipticCurveType::NIST_P256, HashType::SHA256);
+}
+
+@interface TINKPublicKeySignFactoryTest : XCTestCase
+@end
+
+@implementation TINKPublicKeySignFactoryTest
+
+- (void)testEmptyKeyset {
+  Keyset keyset;
+  TINKKeysetHandle *handle =
+      [[TINKKeysetHandle alloc] initWithCCKeysetHandle:TestUtil::GetKeysetHandle(keyset)];
+  XCTAssertNotNil(handle);
+
+  NSError *error = nil;
+  id<TINKPublicKeySign> publicKeySign =
+      [TINKPublicKeySignFactory primitiveWithKeysetHandle:handle error:&error];
+  XCTAssertNil(publicKeySign);
+  XCTAssertNotNil(error);
+  XCTAssertTrue(error.code == crypto::tink::util::error::INVALID_ARGUMENT);
+  XCTAssertTrue([error.localizedFailureReason containsString:@"at least one key"]);
+}
+
+- (void)testPrimitive {
+  // Prepare a Keyset.
+  Keyset keyset;
+  string key_type = "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
+
+  uint32_t key_id_1 = 1234543;
+  AddTinkKey(key_type, key_id_1, GetNewEcdsaPrivateKey(), KeyStatusType::ENABLED,
+             KeyData::ASYMMETRIC_PUBLIC, &keyset);
+
+  uint32_t key_id_2 = 726329;
+  AddTinkKey(key_type, key_id_2, GetNewEcdsaPrivateKey(), KeyStatusType::ENABLED,
+             KeyData::ASYMMETRIC_PUBLIC, &keyset);
+
+  uint32_t key_id_3 = 7213743;
+  AddTinkKey(key_type, key_id_3, GetNewEcdsaPrivateKey(), KeyStatusType::ENABLED,
+             KeyData::ASYMMETRIC_PUBLIC, &keyset);
+
+  keyset.set_primary_key_id(key_id_3);
+
+  NSError *error = nil;
+  TINKSignatureConfig *signatureConfig =
+      [[TINKSignatureConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+  XCTAssertNotNil(signatureConfig);
+  XCTAssertNil(error);
+
+  TINKKeysetHandle *handle =
+      [[TINKKeysetHandle alloc] initWithCCKeysetHandle:TestUtil::GetKeysetHandle(keyset)];
+  XCTAssertNotNil(handle);
+
+  id<TINKPublicKeySign> publicKeySign =
+      [TINKPublicKeySignFactory primitiveWithKeysetHandle:handle error:&error];
+  XCTAssertNotNil(publicKeySign);
+  XCTAssertNil(error);
+  TINKPublicKeySignInternal *publicKeySignInternal = (TINKPublicKeySignInternal *)publicKeySign;
+  XCTAssertTrue(publicKeySignInternal.ccPublicKeySign != NULL);
+
+  // Test the PublicKeySign primitive.
+  NSData *data = [@"some data to sign" dataUsingEncoding:NSUTF8StringEncoding];
+  NSData *signature = [publicKeySign signatureForData:data error:&error];
+  XCTAssertNil(error);
+  XCTAssertFalse([signature isEqualToData:data]);
+}
+
+@end
--- a/objc/Tests/UnitTests/signature/TINKPublicKeyVerifyFactory.mm
+++ b/objc/Tests/UnitTests/signature/TINKPublicKeyVerifyFactory.mm
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKPublicKeyVerifyFactory.h"
+
+#import <Foundation/Foundation.h>
+#import <XCTest/XCTest.h>
+
+#import "objc/TINKKeysetHandle.h"
+#import "objc/TINKPublicKeySign.h"
+#import "objc/TINKPublicKeySignFactory.h"
+#import "objc/TINKPublicKeyVerify.h"
+#import "objc/TINKPublicKeyVerifyFactory.h"
+#import "objc/TINKSignatureConfig.h"
+#import "objc/core/TINKKeysetHandle_Internal.h"
+#import "objc/signature/TINKPublicKeyVerifyInternal.h"
+#import "objc/util/TINKStrings.h"
+
+#include "tink/crypto_format.h"
+#include "tink/keyset_handle.h"
+#include "tink/signature/ecdsa_sign_key_manager.h"
+#include "tink/signature/signature_config.h"
+#include "tink/util/status.h"
+#include "tink/util/test_util.h"
+#include "proto/ecdsa.pb.h"
+#include "proto/tink.pb.h"
+
+using crypto::tink::EcdsaSignKeyManager;
+using crypto::tink::KeyFactory;
+using crypto::tink::TestUtil;
+using crypto::tink::test::AddRawKey;
+using crypto::tink::test::AddTinkKey;
+using google::crypto::tink::EcdsaPublicKey;
+using google::crypto::tink::EcdsaPrivateKey;
+using google::crypto::tink::EllipticCurveType;
+using google::crypto::tink::HashType;
+using google::crypto::tink::KeyData;
+using google::crypto::tink::Keyset;
+using google::crypto::tink::KeyStatusType;
+
+static EcdsaPrivateKey GetNewEcdsaPrivateKey() {
+  return crypto::tink::test::GetEcdsaTestPrivateKey(EllipticCurveType::NIST_P256, HashType::SHA256);
+}
+
+static EcdsaPublicKey GetEcdsaPublicKeyFromPrivate(EcdsaPrivateKey &privateKey) {
+  return privateKey.public_key();
+}
+
+@interface TINKPublicKeyVerifyFactoryTest : XCTestCase
+@end
+
+static Keyset privateKeyset;
+static Keyset publicKeyset;
+
+@implementation TINKPublicKeyVerifyFactoryTest
+
+ (void)setUp {
+  [super setUp];
+
+  EcdsaPrivateKey keys[3] = {GetNewEcdsaPrivateKey(), GetNewEcdsaPrivateKey(),
+                             GetNewEcdsaPrivateKey()};
+
+  // Prepare a private keyset.
+  string key_type = "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
+
+  uint32_t key_id_1 = 1234543;
+  AddTinkKey(key_type, key_id_1, keys[0], KeyStatusType::ENABLED, KeyData::ASYMMETRIC_PUBLIC,
+             &privateKeyset);
+
+  uint32_t key_id_2 = 726329;
+  AddTinkKey(key_type, key_id_2, keys[1], KeyStatusType::ENABLED, KeyData::ASYMMETRIC_PUBLIC,
+             &privateKeyset);
+
+  uint32_t key_id_3 = 7213743;
+  AddTinkKey(key_type, key_id_3, keys[2], KeyStatusType::ENABLED, KeyData::ASYMMETRIC_PUBLIC,
+             &privateKeyset);
+
+  privateKeyset.set_primary_key_id(key_id_3);
+
+  // Prepare the equivalent public keyset.
+  string public_key_type = "type.googleapis.com/google.crypto.tink.EcdsaPublicKey";
+
+  AddTinkKey(public_key_type, key_id_1, GetEcdsaPublicKeyFromPrivate(keys[0]),
+             KeyStatusType::ENABLED, KeyData::ASYMMETRIC_PUBLIC, &publicKeyset);
+
+  AddTinkKey(public_key_type, key_id_2, GetEcdsaPublicKeyFromPrivate(keys[1]),
+             KeyStatusType::ENABLED, KeyData::ASYMMETRIC_PUBLIC, &publicKeyset);
+
+  AddTinkKey(public_key_type, key_id_3, GetEcdsaPublicKeyFromPrivate(keys[2]),
+             KeyStatusType::ENABLED, KeyData::ASYMMETRIC_PUBLIC, &publicKeyset);
+
+  publicKeyset.set_primary_key_id(key_id_3);
+}
+
+- (void)testEmptyKeyset {
+  Keyset keyset;
+  TINKKeysetHandle *handle =
+      [[TINKKeysetHandle alloc] initWithCCKeysetHandle:TestUtil::GetKeysetHandle(keyset)];
+  XCTAssertNotNil(handle);
+
+  NSError *error = nil;
+  id<TINKPublicKeyVerify> publicKeyVerify =
+      [TINKPublicKeyVerifyFactory primitiveWithKeysetHandle:handle error:&error];
+  XCTAssertNil(publicKeyVerify);
+  XCTAssertNotNil(error);
+  XCTAssertTrue(error.code == crypto::tink::util::error::INVALID_ARGUMENT);
+  XCTAssertTrue([error.localizedFailureReason containsString:@"at least one key"]);
+}
+
+- (void)testPrimitive {
+  NSError *error = nil;
+  TINKSignatureConfig *signatureConfig =
+      [[TINKSignatureConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+  XCTAssertNotNil(signatureConfig);
+  XCTAssertNil(error);
+
+  TINKKeysetHandle *handlePrivate =
+      [[TINKKeysetHandle alloc] initWithCCKeysetHandle:TestUtil::GetKeysetHandle(privateKeyset)];
+  XCTAssertNotNil(handlePrivate);
+
+  TINKKeysetHandle *handlePublic =
+      [[TINKKeysetHandle alloc] initWithCCKeysetHandle:TestUtil::GetKeysetHandle(publicKeyset)];
+  XCTAssertNotNil(handlePublic);
+
+  id<TINKPublicKeySign> publicKeySign =
+      [TINKPublicKeySignFactory primitiveWithKeysetHandle:handlePrivate error:&error];
+  XCTAssertNotNil(publicKeySign);
+  XCTAssertNil(error);
+
+  // Sign something so we can test the verify primitive.
+  NSData *data = [@"some data to sign" dataUsingEncoding:NSUTF8StringEncoding];
+  NSData *signature = [publicKeySign signatureForData:data error:&error];
+  XCTAssertNil(error);
+  XCTAssertNotNil(signature);
+
+  id<TINKPublicKeyVerify> publicKeyVerify =
+      [TINKPublicKeyVerifyFactory primitiveWithKeysetHandle:handlePublic error:&error];
+  XCTAssertNotNil(publicKeyVerify);
+  XCTAssertNil(error);
+  TINKPublicKeyVerifyInternal *publicKeyVerifyInternal =
+      (TINKPublicKeyVerifyInternal *)publicKeyVerify;
+  XCTAssertTrue(publicKeyVerifyInternal.ccPublicKeyVerify != NULL);
+
+  // Test verification.
+  XCTAssertTrue([publicKeyVerify verifySignature:signature forData:data error:&error]);
+  XCTAssertNil(error);
+
+  // Flip every bit of the signature.
+  const char *signatureBytes = (const char *)signature.bytes;
+  for (NSUInteger byteIndex = 0; byteIndex < signature.length; byteIndex++) {
+    const char currentByte = signatureBytes[byteIndex];
+
+    for (NSUInteger bitIndex = 0; bitIndex < 8; bitIndex++) {
+      // Flip every bit on this byte.
+      char flippedByte = (currentByte ^ (1 << bitIndex));
+      XCTAssertTrue(flippedByte != currentByte);
+
+      // Replace the mutated byte in the original data.
+      NSMutableData *mutableSignature = signature.mutableCopy;
+      char *mutableBytes = (char *)mutableSignature.mutableBytes;
+      mutableBytes[byteIndex] = flippedByte;
+
+      error = nil;
+      XCTAssertFalse([mutableSignature isEqualToData:signature]);
+      XCTAssertFalse([publicKeyVerify verifySignature:mutableSignature forData:data error:&error]);
+      XCTAssertTrue(error.code == crypto::tink::util::error::INVALID_ARGUMENT);
+      XCTAssertTrue([error.localizedFailureReason containsString:@"Invalid signature."]);
+    }
+  }
+
+  // Flip every bit of the data.
+  const char *dataBytes = (const char *)data.bytes;
+  for (NSUInteger byteIndex = 0; byteIndex < data.length; byteIndex++) {
+    const char currentByte = dataBytes[byteIndex];
+
+    for (NSUInteger bitIndex = 0; bitIndex < 8; bitIndex++) {
+      // Flip every bit on this byte.
+      char flippedByte = (currentByte ^ (1 << bitIndex));
+      XCTAssertTrue(flippedByte != currentByte);
+
+      // Replace the mutated byte in the original data.
+      NSMutableData *mutableData = data.mutableCopy;
+      char *mutableBytes = (char *)mutableData.mutableBytes;
+      mutableBytes[byteIndex] = flippedByte;
+
+      error = nil;
+      XCTAssertFalse([mutableData isEqualToData:data]);
+      XCTAssertFalse([publicKeyVerify verifySignature:signature forData:mutableData error:&error]);
+      XCTAssertTrue(error.code == crypto::tink::util::error::INVALID_ARGUMENT);
+      XCTAssertTrue([error.localizedFailureReason containsString:@"Invalid signature."]);
+    }
+  }
+}
+
+@end
--- a/objc/Tests/UnitTests/signature/TINKSignatureConfigTest.mm
+++ b/objc/Tests/UnitTests/signature/TINKSignatureConfigTest.mm
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKSignatureConfig.h"
+
+#import <XCTest/XCTest.h>
+
+#import "objc/TINKConfig.h"
+#import "objc/TINKRegistryConfig.h"
+#import "objc/core/TINKRegistryConfig_Internal.h"
+
+#include "tink/signature/signature_config.h"
+#include "proto/config.pb.h"
+
+@interface TINKSignatureConfigTest : XCTestCase
+@end
+
+@implementation TINKSignatureConfigTest
+
+- (void)testConfigContents {
+  std::string sign_key_type = "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
+  std::string verify_key_type = "type.googleapis.com/google.crypto.tink.EcdsaPublicKey";
+
+  NSError *error = nil;
+  TINKSignatureConfig *signatureConfig =
+      [[TINKSignatureConfig alloc] initWithVersion:TINKVersion1_1_0 error:&error];
+  XCTAssertNotNil(signatureConfig);
+  XCTAssertNil(error);
+
+  google::crypto::tink::RegistryConfig config = signatureConfig.ccConfig;
+  XCTAssertEqual(config.entry_size(), 2);
+
+  XCTAssertTrue("TinkPublicKeySign" == config.entry(0).catalogue_name());
+  XCTAssertTrue("PublicKeySign" == config.entry(0).primitive_name());
+  XCTAssertTrue(sign_key_type == config.entry(0).type_url());
+  XCTAssertTrue(config.entry(0).new_key_allowed());
+  XCTAssertEqual(config.entry(0).key_manager_version(), 0);
+
+  XCTAssertTrue("TinkPublicKeyVerify" == config.entry(1).catalogue_name());
+  XCTAssertTrue("PublicKeyVerify" == config.entry(1).primitive_name());
+  XCTAssertTrue(verify_key_type == config.entry(1).type_url());
+  XCTAssertTrue(config.entry(1).new_key_allowed());
+  XCTAssertEqual(config.entry(1).key_manager_version(), 0);
+
+  // Registration of standard key types works.
+  error = nil;
+  XCTAssertTrue([TINKConfig registerConfig:signatureConfig error:&error]);
+  XCTAssertNil(error);
+}
+
+- (void)testConfigInvalidVersion {
+  NSError *error = nil;
+  TINKSignatureConfig *signatureConfig =
+      [[TINKSignatureConfig alloc] initWithVersion:(TINKVersion)-1 error:&error];
+  XCTAssertNil(signatureConfig);
+  XCTAssertNotNil(error);
+  XCTAssertTrue(error.code == crypto::tink::util::error::INVALID_ARGUMENT);
+  XCTAssertTrue([error.localizedFailureReason containsString:@"Unsupported Tink version."]);
+}
+
+@end
--- a/objc/Tests/UnitTests/signature/TINKSignatureKeyTemplateTest.mm
+++ b/objc/Tests/UnitTests/signature/TINKSignatureKeyTemplateTest.mm
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKSignatureKeyTemplate.h"
+
+#import <XCTest/XCTest.h>
+
+#import "objc/TINKKeyTemplate.h"
+#import "objc/core/TINKKeyTemplate_Internal.h"
+#import "objc/util/TINKProtoHelpers.h"
+#import "proto/Common.pbobjc.h"
+#import "proto/Ecdsa.pbobjc.h"
+#import "proto/Tink.pbobjc.h"
+
+#include "tink/util/status.h"
+
+@interface TINKSignatureKeyTemplatesTest : XCTestCase
+@end
+
+static NSString *const kTypeURL = @"type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
+
+@implementation TINKSignatureKeyTemplatesTest
+
+- (void)testEcdsaP256KeyTemplate {
+  NSError *error = nil;
+  TINKSignatureKeyTemplate *tpl =
+      [[TINKSignatureKeyTemplate alloc] initWithKeyTemplate:TINKEcdsaP256 error:&error];
+  XCTAssertNil(error);
+  XCTAssertNotNil(tpl);
+
+  error = nil;
+  TINKPBKeyTemplate *keyTemplate = TINKKeyTemplateToObjc(tpl.ccKeyTemplate, &error);
+  XCTAssertNil(error);
+  XCTAssertNotNil(keyTemplate);
+
+  XCTAssertTrue([kTypeURL isEqualToString:keyTemplate.typeURL]);
+  XCTAssertTrue(keyTemplate.outputPrefixType == TINKPBOutputPrefixType_Tink);
+
+  error = nil;
+  TINKPBEcdsaKeyFormat *keyFormat =
+      [TINKPBEcdsaKeyFormat parseFromData:keyTemplate.value error:&error];
+  XCTAssertNil(error);
+  XCTAssertNotNil(keyFormat);
+
+  XCTAssertEqual(keyFormat.params.hashType, TINKPBHashType_Sha256);
+  XCTAssertEqual(keyFormat.params.curve, TINKPBEllipticCurveType_NistP256);
+  XCTAssertEqual(keyFormat.params.encoding, TINKPBEcdsaSignatureEncoding_Der);
+}
+
+- (void)testEcdsaP384KeyTemplate {
+  NSError *error = nil;
+  TINKSignatureKeyTemplate *tpl =
+      [[TINKSignatureKeyTemplate alloc] initWithKeyTemplate:TINKEcdsaP384 error:&error];
+  XCTAssertNil(error);
+  XCTAssertNotNil(tpl);
+
+  error = nil;
+  TINKPBKeyTemplate *keyTemplate = TINKKeyTemplateToObjc(tpl.ccKeyTemplate, &error);
+  XCTAssertNil(error);
+  XCTAssertNotNil(keyTemplate);
+
+  XCTAssertTrue([kTypeURL isEqualToString:keyTemplate.typeURL]);
+  XCTAssertTrue(keyTemplate.outputPrefixType == TINKPBOutputPrefixType_Tink);
+
+  error = nil;
+  TINKPBEcdsaKeyFormat *keyFormat =
+      [TINKPBEcdsaKeyFormat parseFromData:keyTemplate.value error:&error];
+  XCTAssertNil(error);
+  XCTAssertNotNil(keyFormat);
+
+  XCTAssertEqual(keyFormat.params.hashType, TINKPBHashType_Sha512);
+  XCTAssertEqual(keyFormat.params.curve, TINKPBEllipticCurveType_NistP384);
+  XCTAssertEqual(keyFormat.params.encoding, TINKPBEcdsaSignatureEncoding_Der);
+}
+
+- (void)testEcdsaP521KeyTemplate {
+  NSError *error = nil;
+  TINKSignatureKeyTemplate *tpl =
+      [[TINKSignatureKeyTemplate alloc] initWithKeyTemplate:TINKEcdsaP521 error:&error];
+  XCTAssertNil(error);
+  XCTAssertNotNil(tpl);
+
+  error = nil;
+  TINKPBKeyTemplate *keyTemplate = TINKKeyTemplateToObjc(tpl.ccKeyTemplate, &error);
+  XCTAssertNil(error);
+  XCTAssertNotNil(keyTemplate);
+
+  XCTAssertTrue([kTypeURL isEqualToString:keyTemplate.typeURL]);
+  XCTAssertTrue(keyTemplate.outputPrefixType == TINKPBOutputPrefixType_Tink);
+
+  error = nil;
+  TINKPBEcdsaKeyFormat *keyFormat =
+      [TINKPBEcdsaKeyFormat parseFromData:keyTemplate.value error:&error];
+  XCTAssertNil(error);
+  XCTAssertNotNil(keyFormat);
+
+  XCTAssertEqual(keyFormat.params.hashType, TINKPBHashType_Sha512);
+  XCTAssertEqual(keyFormat.params.curve, TINKPBEllipticCurveType_NistP521);
+  XCTAssertEqual(keyFormat.params.encoding, TINKPBEcdsaSignatureEncoding_Der);
+}
+
+- (void)testInvalidKeyTemplate {
+  NSError *error = nil;
+  TINKSignatureKeyTemplate *tpl =
+      [[TINKSignatureKeyTemplate alloc] initWithKeyTemplate:(TINKSignatureKeyTemplates)-1
+                                                      error:&error];
+  XCTAssertNil(tpl);
+  XCTAssertNotNil(error);
+  XCTAssertTrue(error.code == crypto::tink::util::error::INVALID_ARGUMENT);
+  XCTAssertTrue([error.localizedFailureReason containsString:@"Invalid TINKSignatureKeyTemplate"]);
+}
+
+@end
--- a/objc/signature/TINKPublicKeySignFactory.mm
+++ b/objc/signature/TINKPublicKeySignFactory.mm
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKPublicKeySignFactory.h"
+
+#import <Foundation/Foundation.h>
+
+#import "objc/TINKKeysetHandle.h"
+#import "objc/TINKPublicKeySign.h"
+#import "objc/core/TINKKeysetHandle_Internal.h"
+#import "objc/signature/TINKPublicKeySignInternal.h"
+#import "objc/util/TINKErrors.h"
+
+#include "tink/keyset_handle.h"
+#include "tink/signature/public_key_sign_factory.h"
+#include "tink/util/status.h"
+
+@implementation TINKPublicKeySignFactory
+
+ (id<TINKPublicKeySign>)primitiveWithKeysetHandle:(TINKKeysetHandle *)keysetHandle
+                                             error:(NSError **)error {
+  crypto::tink::KeysetHandle *handle = [keysetHandle ccKeysetHandle];
+
+  auto st = crypto::tink::PublicKeySignFactory::GetPrimitive(*handle);
+  if (!st.ok()) {
+    if (error) {
+      *error = TINKStatusToError(st.status());
+    }
+    return nil;
+  }
+  id<TINKPublicKeySign> publicKeySign =
+      [[TINKPublicKeySignInternal alloc] initWithCCPublicKeySign:std::move(st.ValueOrDie())];
+  if (!publicKeySign) {
+    if (error) {
+      *error = TINKStatusToError(crypto::tink::util::Status(
+          crypto::tink::util::error::RESOURCE_EXHAUSTED, "Cannot initialize TINKPublicKeySign"));
+    }
+    return nil;
+  }
+
+  return publicKeySign;
+}
+
+@end
--- a/objc/signature/TINKPublicKeySignInternal.h
+++ b/objc/signature/TINKPublicKeySignInternal.h
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKPublicKeySign.h"
+
+#import <Foundation/Foundation.h>
+
+#include "tink/public_key_sign.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * This interface is internal-only. Use TINKPublicKeySignFactory to get an instance that conforms to
+ * TINKPublicKeySign.
+ */
+@interface TINKPublicKeySignInternal : NSObject <TINKPublicKeySign>
+
+- (nullable instancetype)init NS_UNAVAILABLE;
+
+- (nullable instancetype)initWithCCPublicKeySign:
+    (std::unique_ptr<crypto::tink::PublicKeySign>)ccPublicKeySign NS_DESIGNATED_INITIALIZER;
+
+- (nullable crypto::tink::PublicKeySign *)ccPublicKeySign;
+
+@end
+
+NS_ASSUME_NONNULL_END
--- a/objc/signature/TINKPublicKeySignInternal.mm
+++ b/objc/signature/TINKPublicKeySignInternal.mm
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/signature/TINKPublicKeySignInternal.h"
+
+#import "objc/TINKPublicKeySign.h"
+#import "objc/util/TINKErrors.h"
+#import "objc/util/TINKStrings.h"
+
+#include "absl/strings/string_view.h"
+#include "tink/public_key_sign.h"
+
+@implementation TINKPublicKeySignInternal {
+  std::unique_ptr<crypto::tink::PublicKeySign> _ccPublicKeySign;
+}
+
+- (instancetype)initWithCCPublicKeySign:
+    (std::unique_ptr<crypto::tink::PublicKeySign>)ccPublicKeySign {
+  if (self = [super init]) {
+    _ccPublicKeySign = std::move(ccPublicKeySign);
+  }
+  return self;
+}
+
+- (void)dealloc {
+  _ccPublicKeySign.reset();
+}
+
+- (NSData *)signatureForData:(NSData *)data error:(NSError **)error {
+  auto st =
+      _ccPublicKeySign->Sign(absl::string_view(static_cast<const char *>(data.bytes), data.length));
+  if (!st.ok()) {
+    if (error) {
+      *error = TINKStatusToError(st.status());
+    }
+    return nil;
+  }
+
+  return TINKStringToNSData(st.ValueOrDie());
+}
+
+- (crypto::tink::PublicKeySign *)ccPublicKeySign {
+  if (!_ccPublicKeySign) {
+    return nil;
+  }
+  return _ccPublicKeySign.get();
+}
+
+@end
--- a/objc/signature/TINKPublicKeyVerifyFactory.mm
+++ b/objc/signature/TINKPublicKeyVerifyFactory.mm
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKPublicKeyVerifyFactory.h"
+
+#import <Foundation/Foundation.h>
+
+#import "objc/TINKKeysetHandle.h"
+#import "objc/TINKPublicKeyVerify.h"
+#import "objc/core/TINKKeysetHandle_Internal.h"
+#import "objc/signature/TINKPublicKeyVerifyInternal.h"
+#import "objc/util/TINKErrors.h"
+
+#include "tink/keyset_handle.h"
+#include "tink/signature/public_key_verify_factory.h"
+#include "tink/util/status.h"
+
+@implementation TINKPublicKeyVerifyFactory
+
+ (id<TINKPublicKeyVerify>)primitiveWithKeysetHandle:(TINKKeysetHandle *)keysetHandle
+                                               error:(NSError **)error {
+  crypto::tink::KeysetHandle *handle = [keysetHandle ccKeysetHandle];
+
+  auto st = crypto::tink::PublicKeyVerifyFactory::GetPrimitive(*handle);
+  if (!st.ok()) {
+    if (error) {
+      *error = TINKStatusToError(st.status());
+    }
+    return nil;
+  }
+  id<TINKPublicKeyVerify> publicKeyVerify =
+      [[TINKPublicKeyVerifyInternal alloc] initWithCCPublicKeyVerify:std::move(st.ValueOrDie())];
+  if (!publicKeyVerify) {
+    if (error) {
+      *error = TINKStatusToError(crypto::tink::util::Status(
+          crypto::tink::util::error::RESOURCE_EXHAUSTED, "Cannot initialize TINKPublicKeyVerify"));
+    }
+    return nil;
+  }
+
+  return publicKeyVerify;
+}
+
+@end
--- a/objc/signature/TINKPublicKeyVerifyInternal.h
+++ b/objc/signature/TINKPublicKeyVerifyInternal.h
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKPublicKeyVerify.h"
+
+#import <Foundation/Foundation.h>
+
+#include "tink/public_key_verify.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * This interface is internal-only. Use TINKPublicKeyVerifyFactory to get an instance that conforms
+ * to TINKPublicKeyVerify.
+ */
+@interface TINKPublicKeyVerifyInternal : NSObject <TINKPublicKeyVerify>
+
+- (nullable instancetype)init NS_UNAVAILABLE;
+
+- (nullable instancetype)initWithCCPublicKeyVerify:
+    (std::unique_ptr<crypto::tink::PublicKeyVerify>)ccPublicKeyVerify NS_DESIGNATED_INITIALIZER;
+
+- (nullable crypto::tink::PublicKeyVerify *)ccPublicKeyVerify;
+
+@end
+
+NS_ASSUME_NONNULL_END
--- a/objc/signature/TINKPublicKeyVerifyInternal.mm
+++ b/objc/signature/TINKPublicKeyVerifyInternal.mm
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/signature/TINKPublicKeyVerifyInternal.h"
+
+#import "objc/TINKPublicKeyVerify.h"
+#import "objc/util/TINKErrors.h"
+#import "objc/util/TINKStrings.h"
+
+#include "absl/strings/string_view.h"
+#include "tink/public_key_verify.h"
+
+@implementation TINKPublicKeyVerifyInternal {
+  std::unique_ptr<crypto::tink::PublicKeyVerify> _ccPublicKeyVerify;
+}
+
+- (instancetype)initWithCCPublicKeyVerify:
+    (std::unique_ptr<crypto::tink::PublicKeyVerify>)ccPublicKeyVerify {
+  if (self = [super init]) {
+    _ccPublicKeyVerify = std::move(ccPublicKeyVerify);
+  }
+  return self;
+}
+
+- (void)dealloc {
+  _ccPublicKeyVerify.reset();
+}
+
+- (BOOL)verifySignature:(NSData *)signature forData:(NSData *)data error:(NSError **)error {
+  auto st = _ccPublicKeyVerify->Verify(
+      absl::string_view(static_cast<const char *>(signature.bytes), signature.length),
+      absl::string_view(static_cast<const char *>(data.bytes), data.length));
+  if (!st.ok()) {
+    if (error) {
+      *error = TINKStatusToError(st);
+    }
+  }
+  return st.ok();
+}
+
+- (crypto::tink::PublicKeyVerify *)ccPublicKeyVerify {
+  if (!_ccPublicKeyVerify) {
+    return nil;
+  }
+  return _ccPublicKeyVerify.get();
+}
+
+@end
--- a/objc/signature/TINKSignatureConfig.mm
+++ b/objc/signature/TINKSignatureConfig.mm
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKSignatureConfig.h"
+
+#import "objc/TINKRegistryConfig.h"
+#import "objc/TINKVersion.h"
+#import "objc/core/TINKRegistryConfig_Internal.h"
+#import "objc/util/TINKErrors.h"
+
+#include "tink/signature/signature_config.h"
+#include "tink/util/status.h"
+#include "proto/config.pb.h"
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-designated-initializers"
+@implementation TINKSignatureConfig
+
+- (instancetype)initWithVersion:(TINKVersion)version error:(NSError **)error {
+  auto st = crypto::tink::SignatureConfig::Init();
+  if (!st.ok()) {
+    if (error) {
+      *error = TINKStatusToError(st);
+    }
+    return nil;
+  }
+
+  google::crypto::tink::RegistryConfig ccConfig;
+  switch (version) {
+    case TINKVersion1_1_0:
+      ccConfig = crypto::tink::SignatureConfig::Tink_1_1_0();
+      break;
+    default:
+      if (error) {
+        *error = TINKStatusToError(crypto::tink::util::Status(
+            crypto::tink::util::error::INVALID_ARGUMENT, "Unsupported Tink version."));
+      }
+      return nil;
+  }
+
+  return (self = [super initWithCcConfig:ccConfig]);
+}
+
+@end
+#pragma clang diagnostic pop
--- a/objc/signature/TINKSignatureKeyTemplate.mm
+++ b/objc/signature/TINKSignatureKeyTemplate.mm
+/**
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ **************************************************************************
+ */
+
+#import "objc/TINKSignatureKeyTemplate.h"
+
+#import "objc/TINKKeyTemplate.h"
+#import "objc/core/TINKKeyTemplate_Internal.h"
+#import "objc/util/TINKErrors.h"
+
+#include "tink/signature/signature_key_templates.h"
+#include "tink/util/status.h"
+#include "proto/tink.pb.h"
+
+@implementation TINKSignatureKeyTemplate
+
+- (nullable instancetype)initWithKeyTemplate:(TINKSignatureKeyTemplates)keyTemplate
+                                       error:(NSError **)error {
+  google::crypto::tink::KeyTemplate *ccKeyTemplate = NULL;
+  switch (keyTemplate) {
+    case TINKEcdsaP256:
+      ccKeyTemplate = const_cast<google::crypto::tink::KeyTemplate *>(
+          &crypto::tink::SignatureKeyTemplates::EcdsaP256());
+      break;
+    case TINKEcdsaP384:
+      ccKeyTemplate = const_cast<google::crypto::tink::KeyTemplate *>(
+          &crypto::tink::SignatureKeyTemplates::EcdsaP384());
+      break;
+    case TINKEcdsaP521:
+      ccKeyTemplate = const_cast<google::crypto::tink::KeyTemplate *>(
+          &crypto::tink::SignatureKeyTemplates::EcdsaP521());
+      break;
+    default:
+      if (error) {
+        *error = TINKStatusToError(crypto::tink::util::Status(
+            crypto::tink::util::error::INVALID_ARGUMENT, "Invalid TINKSignatureKeyTemplate"));
+      }
+      return nil;
+  }
+  return (self = [super initWithCcKeyTemplate:ccKeyTemplate]);
+}
+
+@end