crypto: support pre-hashed signing/verify

[MichaelMure]

Note

Medium Risk
Touches signature option parsing and hash selection, which can subtly affect signing/verification behavior across algorithms. RSA explicitly rejects PREHASHED, but other key types now exercise new code paths that must be validated for correctness and interoperability.

Overview
Introduces a new crypto.PREHASHED hash mode plus WithSigningPreHashed() to allow signing/verification when the caller provides an already-hashed digest (no additional hashing applied).

Updates the shared crypto test harness to run a prehashed sign/verify scenario and adds per-algorithm support flags (ECDSA curves and secp256k1 enabled; ed25519 and rsa disabled). RSA SignToASN1/VerifyASN1 now explicitly error/return false when PREHASHED is requested.

^{Reviewed by Cursor Bugbot for commit 1700a13. Bugbot is set up for automated code reviews on this repo. Configure here.}

[Copilot]

Pull request overview

This PR introduces a “pre-hashed” signing/verification mode to the crypto abstraction by adding a new crypto.PREHASHED hash value, a convenience signing option to select it, and expanding the shared testsuite to validate behavior across key types.

Changes:

• Add crypto.PREHASHED and wire it into crypto.Hash as an “identity” hash implementation.
• Add crypto.WithSigningPreHashed() and extend the testsuite/harness to run pre-hashed sign/verify cases.
• Explicitly reject PREHASHED for RSA sign/verify paths, while enabling it for ECDSA-based keys in tests.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
crypto/hash.go	Adds PREHASHED to the Hash enum and hooks it into String(), New(), and varsig mapping.
crypto/internal/hash.go	Introduces an identity hash.Hash implementation used for PREHASHED.
crypto/options.go	Adds WithSigningPreHashed() signing option.
crypto/_testsuite/testsuite.go	Extends harness + suite to test pre-hashed signing/verification behavior.
crypto/rsa/private.go	Rejects PREHASHED in RSA signing with an error.
crypto/rsa/public.go	Rejects PREHASHED in RSA verification by returning false.
crypto/*/key_test.go	Sets SupportsPrehashed for each algorithm’s harness (true for ECDSA curves/secp256k1; false for RSA/ed25519).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1700a13. Configure here.}