Introduce and test ECDSA_P521_SHA512 for aws-lc-rs

rustls · Dec 6, 2023 · ace558e · ace558e
1 parent be3c2ed
commit ace558e
Show file tree

Hide file tree

Showing 13 changed files with 121 additions and 14 deletions.
diff --git a/src/alg_tests.rs b/src/alg_tests.rs
@@ -23,7 +23,7 @@ use alloc::{string::String, vec::Vec};
 
 use super::{
     INVALID_SIGNATURE_FOR_RSA_KEY, OK_IF_RSA_AVAILABLE, SUPPORTED_ALGORITHMS_IN_TESTS,
-    UNSUPPORTED_SIGNATURE_ALGORITHM_FOR_RSA_KEY,
+    UNSUPPORTED_ECDSA_SHA512_SIGNATURE, UNSUPPORTED_SIGNATURE_ALGORITHM_FOR_RSA_KEY,
 };
 
 macro_rules! test_file_bytes {
@@ -145,7 +145,7 @@ fn test_parse_spki_bad_outer(file_contents: &[u8], expected_error: Error) {
 test_verify_signed_data!(
     test_ecdsa_prime256v1_sha512_spki_params_null,
     "ecdsa-prime256v1-sha512-spki-params-null.pem",
-    Err(Error::UnsupportedSignatureAlgorithm)
+    Err(UNSUPPORTED_ECDSA_SHA512_SIGNATURE)
 );
 test_verify_signed_data_signature_outer!(
     test_ecdsa_prime256v1_sha512_unused_bits_signature,
@@ -157,14 +157,14 @@ test_verify_signed_data_signature_outer!(
 test_verify_signed_data!(
     test_ecdsa_prime256v1_sha512_using_ecdh_key,
     "ecdsa-prime256v1-sha512-using-ecdh-key.pem",
-    Err(Error::UnsupportedSignatureAlgorithm)
+    Err(UNSUPPORTED_ECDSA_SHA512_SIGNATURE)
 );
 // XXX: We should have a variant of this test with a SHA-256 digest that gives
 // `Error::UnsupportedSignatureAlgorithmForPublicKey`.
 test_verify_signed_data!(
     test_ecdsa_prime256v1_sha512_using_ecmqv_key,
     "ecdsa-prime256v1-sha512-using-ecmqv-key.pem",
-    Err(Error::UnsupportedSignatureAlgorithm)
+    Err(UNSUPPORTED_ECDSA_SHA512_SIGNATURE)
 );
 test_verify_signed_data!(
     test_ecdsa_prime256v1_sha512_using_rsa_algorithm,
@@ -176,13 +176,13 @@ test_verify_signed_data!(
 test_verify_signed_data!(
     test_ecdsa_prime256v1_sha512_wrong_signature_format,
     "ecdsa-prime256v1-sha512-wrong-signature-format.pem",
-    Err(Error::UnsupportedSignatureAlgorithm)
+    Err(UNSUPPORTED_ECDSA_SHA512_SIGNATURE)
 );
 // Differs from Chromium because we don't support P-256 with SHA-512.
 test_verify_signed_data!(
     test_ecdsa_prime256v1_sha512,
     "ecdsa-prime256v1-sha512.pem",
-    Err(Error::UnsupportedSignatureAlgorithm)
+    Err(UNSUPPORTED_ECDSA_SHA512_SIGNATURE)
 );
 test_verify_signed_data!(
     test_ecdsa_secp384r1_sha256_corrupted_data,

diff --git a/src/aws_lc_rs_algs.rs b/src/aws_lc_rs_algs.rs
@@ -63,6 +63,13 @@ pub static ECDSA_P384_SHA384: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgo
     verification_alg: &signature::ECDSA_P384_SHA384_ASN1,
 };
 
+/// ECDSA signatures using the P-521 curve and SHA-512.
+pub static ECDSA_P521_SHA512: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ECDSA_P521,
+    signature_alg_id: alg_id::ECDSA_SHA512,
+    verification_alg: &signature::ECDSA_P521_SHA512_ASN1,
+};
+
 /// RSA PKCS#1 1.5 signatures using SHA-256 for keys of 2048-8192 bits.
 pub static RSA_PKCS1_2048_8192_SHA256: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
     public_key_alg_id: alg_id::RSA_ENCRYPTION,
@@ -140,6 +147,7 @@ mod tests {
         // Reasonable algorithms.
         super::ECDSA_P256_SHA256,
         super::ECDSA_P384_SHA384,
+        super::ECDSA_P521_SHA512,
         super::ED25519,
         super::RSA_PKCS1_2048_8192_SHA256,
         super::RSA_PKCS1_2048_8192_SHA384,
@@ -156,6 +164,9 @@ mod tests {
     const UNSUPPORTED_SIGNATURE_ALGORITHM_FOR_RSA_KEY: Error =
         Error::UnsupportedSignatureAlgorithmForPublicKey;
 
+    const UNSUPPORTED_ECDSA_SHA512_SIGNATURE: Error =
+        Error::UnsupportedSignatureAlgorithmForPublicKey;
+
     const INVALID_SIGNATURE_FOR_RSA_KEY: Error = Error::InvalidSignatureForPublicKey;
 
     const OK_IF_RSA_AVAILABLE: Result<(), Error> = Ok(());

diff --git a/src/data/alg-ecdsa-p521.der b/src/data/alg-ecdsa-p521.der
diff --git a/src/data/alg-ecdsa-sha512.der b/src/data/alg-ecdsa-sha512.der
@@ -0,0 +1 @@
+*�H�=
diff --git a/src/lib.rs b/src/lib.rs
@@ -104,10 +104,11 @@ pub mod ring {
 /// Signature verification algorithm implementations using the aws-lc-rs crypto library.
 pub mod aws_lc_rs {
     pub use super::aws_lc_rs_algs::{
-        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
-        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
-        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
-        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384,
+        ECDSA_P521_SHA512, ED25519, RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384,
+        RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_3072_8192_SHA384,
+        RSA_PSS_2048_8192_SHA256_LEGACY_KEY, RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
+        RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
     };
 }
 
@@ -148,6 +149,8 @@ pub static ALL_VERIFICATION_ALGS: &[&dyn types::SignatureVerificationAlgorithm]
     #[cfg(feature = "aws_lc_rs")]
     aws_lc_rs::ECDSA_P384_SHA384,
     #[cfg(feature = "aws_lc_rs")]
+    aws_lc_rs::ECDSA_P521_SHA512,
+    #[cfg(feature = "aws_lc_rs")]
     aws_lc_rs::ED25519,
     #[cfg(feature = "aws_lc_rs")]
     aws_lc_rs::RSA_PKCS1_2048_8192_SHA256,

diff --git a/src/ring_algs.rs b/src/ring_algs.rs
@@ -184,6 +184,8 @@ mod tests {
         Error::UnsupportedSignatureAlgorithm
     };
 
+    const UNSUPPORTED_ECDSA_SHA512_SIGNATURE: Error = Error::UnsupportedSignatureAlgorithm;
+
     const INVALID_SIGNATURE_FOR_RSA_KEY: Error = if cfg!(feature = "alloc") {
         Error::InvalidSignatureForPublicKey
     } else {

diff --git a/src/signed_data.rs b/src/signed_data.rs
@@ -267,6 +267,10 @@ pub mod alg_id {
     pub const ECDSA_P384: AlgorithmIdentifier =
         AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-p384.der"));
 
+    /// AlgorithmIdentifier for `id-ecPublicKey` with named curve `secp521r1`.
+    pub const ECDSA_P521: AlgorithmIdentifier =
+        AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-p521.der"));
+
     /// AlgorithmIdentifier for `ecdsa-with-SHA256`.
     pub const ECDSA_SHA256: AlgorithmIdentifier =
         AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha256.der"));
@@ -275,6 +279,10 @@ pub mod alg_id {
     pub const ECDSA_SHA384: AlgorithmIdentifier =
         AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha384.der"));
 
+    /// AlgorithmIdentifier for `ecdsa-with-SHA512`.
+    pub const ECDSA_SHA512: AlgorithmIdentifier =
+        AlgorithmIdentifier::from_slice(include_bytes!("data/alg-ecdsa-sha512.der"));
+
     /// AlgorithmIdentifier for `rsaEncryption`.
     pub const RSA_ENCRYPTION: AlgorithmIdentifier =
         AlgorithmIdentifier::from_slice(include_bytes!("data/alg-rsa-encryption.der"));

diff --git a/tests/generate.py b/tests/generate.py
@@ -550,7 +550,7 @@ def signatures(force: bool) -> None:
         "ed25519": ed25519.Ed25519PrivateKey.generate(),
         "ecdsa_p256": ec.generate_private_key(ec.SECP256R1(), backend),
         "ecdsa_p384": ec.generate_private_key(ec.SECP384R1(), backend),
-        "ecdsa_p521_not_supported": ec.generate_private_key(ec.SECP521R1(), backend),
+        "ecdsa_p521": ec.generate_private_key(ec.SECP521R1(), backend),
         "rsa_1024_not_supported": rsa.generate_private_key(
             rsa_pub_exponent, 1024, backend
         ),
@@ -559,6 +559,10 @@ def signatures(force: bool) -> None:
         "rsa_4096": rsa.generate_private_key(rsa_pub_exponent, 4096, backend),
     }
 
+    feature_gates = {
+        "ECDSA_P521_SHA512": 'all(not(feature = "ring"), feature = "aws_lc_rs")',
+    }
+
     rsa_types: list[str] = [
         "RSA_PKCS1_2048_8192_SHA256",
         "RSA_PKCS1_2048_8192_SHA384",
@@ -572,6 +576,7 @@ def signatures(force: bool) -> None:
         "ed25519": ["ED25519"],
         "ecdsa_p256": ["ECDSA_P256_SHA384", "ECDSA_P256_SHA256"],
         "ecdsa_p384": ["ECDSA_P384_SHA384", "ECDSA_P384_SHA256"],
+        "ecdsa_p521": ["ECDSA_P521_SHA512"],
         "rsa_2048": rsa_types,
         "rsa_3072": rsa_types + ["RSA_PKCS1_3072_8192_SHA384"],
         "rsa_4096": rsa_types + ["RSA_PKCS1_3072_8192_SHA384"],
@@ -601,6 +606,9 @@ def signatures(force: bool) -> None:
         "ECDSA_P384_SHA384": lambda key, message: key.sign(
             message, ec.ECDSA(hashes.SHA384())
         ),
+        "ECDSA_P521_SHA512": lambda key, message: key.sign(
+            message, ec.ECDSA(hashes.SHA512())
+        ),
         "RSA_PKCS1_2048_8192_SHA256": lambda key, message: key.sign(
             message, padding.PKCS1v15(), hashes.SHA256()
         ),
@@ -659,11 +667,12 @@ def _test(
 
         sig_path: str = os.path.join(output_dir, f"{lower_test_name}.sig.bin")
         write_der(sig_path, signature, force)
+        feature_gate = feature_gates.get(algorithm, 'feature = "alloc"')
 
         print(
             """
 #[test]
-#[cfg(feature = "alloc")]
+#[cfg(%(feature_gate)s)]
 fn %(lower_test_name)s() {
     let ee = include_bytes!("%(cert_path)s");
     let message = include_bytes!("%(message_path)s");
@@ -760,6 +769,15 @@ def bad_algorithms_for_key(
             if type == "rsa_2048":
                 unusable_algs.remove("RSA_PKCS1_3072_8192_SHA384")
 
+            unusable_algs = {
+                (
+                    "#[cfg(%s)] %s" % (feature_gates[alg], alg)
+                    if alg in feature_gates
+                    else alg
+                )
+                for alg in unusable_algs
+            }
+
             bad_algorithms_for_key(
                 type + "_key_rejected_by_other_algorithms",
                 cert_type=type,

diff --git a/tests/signatures.rs b/tests/signatures.rs
@@ -28,8 +28,8 @@ use webpki::ring::{
 
 #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
 use webpki::aws_lc_rs::{
-    ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
-    RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
+    ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ECDSA_P521_SHA512,
+    ED25519, RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
     RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
     RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
 };
@@ -75,6 +75,8 @@ fn ed25519_key_and_ed25519_detects_bad_signature() {
 fn ed25519_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/ed25519.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
         ECDSA_P256_SHA384,
         ECDSA_P384_SHA256,
@@ -147,6 +149,8 @@ fn ecdsa_p256_key_and_ecdsa_p256_sha256_detects_bad_signature() {
 fn ecdsa_p256_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/ecdsa_p256.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA512,
         ECDSA_P384_SHA256,
         ECDSA_P384_SHA384,
         ED25519,
@@ -218,6 +222,8 @@ fn ecdsa_p384_key_and_ecdsa_p384_sha256_detects_bad_signature() {
 fn ecdsa_p384_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/ecdsa_p384.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
         ECDSA_P256_SHA384,
         ED25519,
@@ -236,6 +242,55 @@ fn ecdsa_p384_key_rejected_by_other_algorithms() {
     }
 }
 
+#[test]
+#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+fn ecdsa_p521_key_and_ecdsa_p521_sha512_good_signature() {
+    let ee = include_bytes!("signatures/ecdsa_p521.ee.der");
+    let message = include_bytes!("signatures/message.bin");
+    let signature =
+        include_bytes!("signatures/ecdsa_p521_key_and_ecdsa_p521_sha512_good_signature.sig.bin");
+    assert_eq!(check_sig(ee, ECDSA_P521_SHA512, message, signature), Ok(()));
+}
+
+#[test]
+#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+fn ecdsa_p521_key_and_ecdsa_p521_sha512_detects_bad_signature() {
+    let ee = include_bytes!("signatures/ecdsa_p521.ee.der");
+    let message = include_bytes!("signatures/message.bin");
+    let signature = include_bytes!(
+        "signatures/ecdsa_p521_key_and_ecdsa_p521_sha512_detects_bad_signature.sig.bin"
+    );
+    assert_eq!(
+        check_sig(ee, ECDSA_P521_SHA512, message, signature),
+        Err(webpki::Error::InvalidSignatureForPublicKey)
+    );
+}
+
+#[test]
+#[cfg(feature = "alloc")]
+fn ecdsa_p521_key_rejected_by_other_algorithms() {
+    let ee = include_bytes!("signatures/ecdsa_p521.ee.der");
+    for algorithm in &[
+        ECDSA_P256_SHA256,
+        ECDSA_P256_SHA384,
+        ECDSA_P384_SHA256,
+        ECDSA_P384_SHA384,
+        ED25519,
+        RSA_PKCS1_2048_8192_SHA256,
+        RSA_PKCS1_2048_8192_SHA384,
+        RSA_PKCS1_2048_8192_SHA512,
+        RSA_PKCS1_3072_8192_SHA384,
+        RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
+        RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
+        RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+    ] {
+        assert_eq!(
+            check_sig(ee, *algorithm, b"", b""),
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey)
+        );
+    }
+}
+
 #[test]
 #[cfg(feature = "alloc")]
 fn rsa_2048_key_and_rsa_pkcs1_2048_8192_sha256_good_signature() {
@@ -403,6 +458,8 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha512_legacy_key_detects_bad_signature()
 fn rsa_2048_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/rsa_2048.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
         ECDSA_P256_SHA384,
         ECDSA_P384_SHA256,
@@ -611,6 +668,8 @@ fn rsa_3072_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature() {
 fn rsa_3072_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/rsa_3072.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
         ECDSA_P256_SHA384,
         ECDSA_P384_SHA256,
@@ -819,6 +878,8 @@ fn rsa_4096_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature() {
 fn rsa_4096_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/rsa_4096.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
         ECDSA_P256_SHA384,
         ECDSA_P384_SHA256,

diff --git a/tests/signatures/ecdsa_p521.ee.der b/tests/signatures/ecdsa_p521.ee.der
diff --git a/tests/signatures/ecdsa_p521_key_and_ecdsa_p521_sha512_detects_bad_signature.sig.bin b/tests/signatures/ecdsa_p521_key_and_ecdsa_p521_sha512_detects_bad_signature.sig.bin
@@ -0,0 +1 @@
+0��B���*0[�^��{;���,/��z���9��`�k���I:�������E�0е���c�TbNpR�=S�AA;Z�"�t��I;�:��Q9�>�lΙ��v�0�J�*{f�ߋy���)A�lm�0�rm��L

diff --git a/tests/signatures/ecdsa_p521_key_and_ecdsa_p521_sha512_good_signature.sig.bin b/tests/signatures/ecdsa_p521_key_and_ecdsa_p521_sha512_good_signature.sig.bin
@@ -0,0 +1,2 @@
+0��B[܀��ٳ�[`/�[��1�]ߵ�����6�9`?p�W�[�帎*�˳���c؊��Fp$��\B����E,�썙�W�?�v֝��z�&�~
+5��H�'b�;�$�@Y���'B!R�>O}�

diff --git a/tests/signatures/ecdsa_p521_not_supported.ee.der b/tests/signatures/ecdsa_p521_not_supported.ee.der