From 8d68bd174226685089410517d58f8c95c625d2f6 Mon Sep 17 00:00:00 2001
From: Hamish Peebles <hamishpeebles@gmail.com>
Date: Tue, 3 Mar 2026 09:41:42 +0000
Subject: [PATCH] Put the signature cache behind a feature flag (enabled by
 default)

---
 Cargo.lock                                         |  1 -
 packages/ic-certificate-verification/Cargo.toml    | 11 +++++++----
 .../src/signature_verification/mod.rs              | 14 +++++++++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 1b612c0e..1441ded2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1539,7 +1539,6 @@ dependencies = [
  "ic-verify-bls-signature",
  "lazy_static",
  "leb128",
- "nom",
  "parking_lot",
  "rand 0.8.5",
  "rand_chacha 0.3.1",
diff --git a/packages/ic-certificate-verification/Cargo.toml b/packages/ic-certificate-verification/Cargo.toml
index 180f36bc..0c26c115 100644
--- a/packages/ic-certificate-verification/Cargo.toml
+++ b/packages/ic-certificate-verification/Cargo.toml
@@ -22,13 +22,12 @@ homepage.workspace = true
 
 [dependencies]
 candid.workspace = true
-nom.workspace = true
 thiserror.workspace = true
 leb128.workspace = true
-cached.workspace = true
+cached = { workspace = true, optional = true }
 sha2.workspace = true
-lazy_static.workspace = true
-parking_lot.workspace = true
+lazy_static = { workspace = true, optional = true }
+parking_lot = { workspace = true, optional = true }
 
 ic-certification = { workspace = true }
 ic-cbor.workspace = true
@@ -41,3 +40,7 @@ rand.workspace = true
 rand_chacha.workspace = true
 
 ic-types.workspace = true
+
+[features]
+default = ["signature_cache"]
+signature_cache = ["cached", "lazy_static", "parking_lot"]
diff --git a/packages/ic-certificate-verification/src/signature_verification/mod.rs b/packages/ic-certificate-verification/src/signature_verification/mod.rs
index f0911e70..ce7950bf 100644
--- a/packages/ic-certificate-verification/src/signature_verification/mod.rs
+++ b/packages/ic-certificate-verification/src/signature_verification/mod.rs
@@ -1,7 +1,7 @@
-use self::signature_cache::{SignatureCache, SignatureCacheEntry};
 use crate::CertificateVerificationError;
 use ic_verify_bls_signature::verify_bls_signature;
 
+#[cfg(feature = "cached")]
 mod signature_cache;
 
 #[cfg(test)]
@@ -10,11 +10,14 @@ mod reproducible_rng;
 #[cfg(test)]
 mod tests;
 
+#[cfg(feature = "cached")]
 pub fn verify_signature(
     pk: &[u8],
     sig: &[u8],
     msg: &[u8],
 ) -> Result<(), CertificateVerificationError> {
+    use self::signature_cache::{SignatureCache, SignatureCacheEntry};
+
     let entry = SignatureCacheEntry::new(pk, sig, msg);
 
     if SignatureCache::global().contains(&entry) {
@@ -28,3 +31,12 @@ pub fn verify_signature(
     SignatureCache::global().insert(&entry);
     Ok(())
 }
+
+#[cfg(not(feature = "cached"))]
+pub fn verify_signature(
+    pk: &[u8],
+    sig: &[u8],
+    msg: &[u8],
+) -> Result<(), CertificateVerificationError> {
+    verify_bls_signature(sig, msg, pk).map_err(|_| CertificateVerificationError::SignatureVerificationFailed)
+}