Support ECDSA_P521_SHA512 when using aes_lc_rs feature

Alvenix · Abdullah Alyan · commit a5d5a33febe2 · 2024-03-13T15:29:43.000+03:00
diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs
@@ -243,6 +243,18 @@ impl KeyPair {
 			let rsakp = RsaKeyPair::from_pkcs8(pkcs8)._err()?;
 			KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256)
 		} else {
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			if alg == &PKCS_ECDSA_P521_SHA512 {
+				KeyPairKind::Ec(ecdsa_from_pkcs8(
+					&signature::ECDSA_P521_SHA512_ASN1_SIGNING,
+					pkcs8,
+					rng,
+				)?)
+			} else {
+				panic!("Unknown SignatureAlgorithm specified!");
+			}
+
+			#[cfg(not(all(feature = "aws_lc_rs", not(feature = "ring"))))]
 			panic!("Unknown SignatureAlgorithm specified!");
 		};
 
@@ -274,7 +286,19 @@ impl KeyPair {
 				&PKCS_RSA_SHA256,
 			)
 		} else {
-			return Err(Error::CouldNotParseKeyPair);
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			if let Ok(eckp) =
+				ecdsa_from_pkcs8(&signature::ECDSA_P521_SHA512_ASN1_SIGNING, pkcs8, &rng)
+			{
+				(KeyPairKind::Ec(eckp), &PKCS_ECDSA_P521_SHA512)
+			} else {
+				return Err(Error::CouldNotParseKeyPair);
+			}
+
+			#[cfg(not(all(feature = "aws_lc_rs", not(feature = "ring"))))]
+			{
+				return Err(Error::CouldNotParseKeyPair);
+			}
 		};
 		Ok((kind, alg))
 	}
diff --git a/rcgen/src/oid.rs b/rcgen/src/oid.rs
@@ -20,6 +20,10 @@ pub(crate) const EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10045, 2, 1];
 pub(crate) const EC_SECP_256_R1: &[u64] = &[1, 2, 840, 10045, 3, 1, 7];
 /// secp384r1 in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#appendix-A)
 pub(crate) const EC_SECP_384_R1: &[u64] = &[1, 3, 132, 0, 34];
+/// secp521r1 in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#appendix-A)
+/// Currently this is only supported when using aws_lc_rs feature
+#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+pub(crate) const EC_SECP_521_R1: &[u64] = &[1, 3, 132, 0, 35];
 
 /// rsaEncryption in [RFC 4055](https://www.rfc-editor.org/rfc/rfc4055#section-6)
 pub(crate) const RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113549, 1, 1, 1];
diff --git a/rcgen/src/sign_algo.rs b/rcgen/src/sign_algo.rs
@@ -55,6 +55,14 @@ impl fmt::Debug for SignatureAlgorithm {
 		} else if self == &PKCS_ED25519 {
 			write!(f, "PKCS_ED25519")
 		} else {
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			if self == &PKCS_ECDSA_P521_SHA512 {
+				write!(f, "PKCS_ECDSA_P521_SHA512")
+			} else {
+				write!(f, "Unknown")
+			}
+
+			#[cfg(not(all(feature = "aws_lc_rs", not(feature = "ring"))))]
 			write!(f, "Unknown")
 		}
 	}
@@ -85,6 +93,8 @@ impl SignatureAlgorithm {
 			//&PKCS_RSA_PSS_SHA256,
 			&PKCS_ECDSA_P256_SHA256,
 			&PKCS_ECDSA_P384_SHA384,
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			&PKCS_ECDSA_P521_SHA512,
 			&PKCS_ED25519,
 		];
 		ALGORITHMS.iter()
@@ -177,8 +187,17 @@ pub(crate) mod algo {
 		oid_components: &[1, 2, 840, 10045, 4, 3, 3],
 		params: SignatureAlgorithmParams::None,
 	};
-
-	// TODO PKCS_ECDSA_P521_SHA512 https://github.com/briansmith/ring/issues/824
+	/// ECDSA signing using the P-521 curves and SHA-512 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2)
+	/// Currently this is only supported when using aws_lc_rs feature
+	#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+	pub static PKCS_ECDSA_P521_SHA512: SignatureAlgorithm = SignatureAlgorithm {
+		oids_sign_alg: &[&EC_PUBLIC_KEY, &EC_SECP_521_R1],
+		#[cfg(feature = "crypto")]
+		sign_alg: SignAlgo::EcDsa(&signature::ECDSA_P521_SHA512_ASN1_SIGNING),
+		// ecdsa-with-SHA512 in RFC 5758
+		oid_components: &[1, 2, 840, 10045, 4, 3, 4],
+		params: SignatureAlgorithmParams::None,
+	};
 
 	/// ED25519 curve signing as per [RFC 8410](https://tools.ietf.org/html/rfc8410)
 	pub static PKCS_ED25519: SignatureAlgorithm = SignatureAlgorithm {
diff --git a/rcgen/tests/botan.rs b/rcgen/tests/botan.rs
@@ -76,6 +76,17 @@ fn test_botan_384() {
 	check_cert(cert.der(), &cert);
 }
 
+#[test]
+#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+fn test_botan_521() {
+	let (params, _) = default_params();
+	let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P521_SHA512).unwrap();
+	let cert = Certificate::generate_self_signed(params, &key_pair).unwrap();
+
+	// Now verify the certificate.
+	check_cert(cert.der(), &cert);
+}
+
 #[test]
 fn test_botan_25519() {
 	let (params, _) = default_params();
diff --git a/rcgen/tests/generic.rs b/rcgen/tests/generic.rs
@@ -19,6 +19,8 @@ mod test_key_params_mismatch {
 			&rcgen::PKCS_RSA_SHA256,
 			&rcgen::PKCS_ECDSA_P256_SHA256,
 			&rcgen::PKCS_ECDSA_P384_SHA384,
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			&rcgen::PKCS_ECDSA_P521_SHA512,
 			&rcgen::PKCS_ED25519,
 		];
 		for (i, kalg_1) in available_key_params.iter().enumerate() {
diff --git a/rcgen/tests/openssl.rs b/rcgen/tests/openssl.rs
@@ -206,6 +206,18 @@ fn test_openssl_384() {
 	verify_csr(&cert, &key_pair);
 }
 
+#[test]
+#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+fn test_openssl_521() {
+	let (params, _) = util::default_params();
+	let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P521_SHA512).unwrap();
+	let cert = Certificate::generate_self_signed(params, &key_pair).unwrap();
+
+	// Now verify the certificate.
+	verify_cert(&cert, &key_pair);
+	verify_csr(&cert, &key_pair);
+}
+
 #[test]
 fn test_openssl_25519() {
 	let (params, _) = util::default_params();
