Support ECDSA_P521_SHA512 when using aes_lc_rs feature

Author: Alvenix

.github/workflows/ci.yml

@@ -33,7 +33,8 @@ jobs:
       matrix:
         features:
           - --all-features
-          - --no-default-features
+          # rustls-cert-gen require either aws_lc_rs or ring feature
+          - -p rcgen --no-default-features
           - --no-default-features --features ring
           - --no-default-features --features aws_lc_rs
           - --no-default-features --features aws_lc_rs,pem
@@ -138,10 +139,9 @@ jobs:
       run: cargo test --verbose --features x509-parser
     - name: Run the tests with aws_lc_rs backend enabled
       run: cargo test --verbose --no-default-features --features aws_lc_rs,pem
-    - name: Run the tests with FIPS aws_lc_rs module
-      run: cargo test --verbose --no-default-features --features fips,pem
+      # rustls-cert-gen require either aws_lc_rs or ring feature
     - name: Run the tests with no features enabled
-      run: cargo test --verbose --no-default-features
+      run: cargo test -p rcgen --verbose --no-default-features
 
   build:
     strategy:
@@ -181,8 +181,6 @@ jobs:
       run: cargo test --verbose --features x509-parser
     - name: Run the tests with aws_lc_rs backend enabled
       run: cargo test --verbose --no-default-features --features aws_lc_rs,pem
-    - name: Run the tests with FIPS aws_lc_rs module
-      run: cargo test --verbose --no-default-features --features fips,pem
 
   # Build rustls-cert-gen as a standalone package, see this PR for why it's needed:
   # https://github.com/rustls/rcgen/pull/206#pullrequestreview-1816197358

Cargo.lock

@@ -3,6 +3,7 @@ members = ["rcgen", "rustls-cert-gen"]
 resolver = "2"
 
 [workspace.dependencies]
+aws-lc-rs = "1.6.0"
 pem = "3.0.2"
 pki-types = { package = "rustls-pki-types", version = "1.3.0" }
 rand = "0.8"

Cargo.toml

@@ -26,7 +26,7 @@ name = "simple"
 required-features = ["crypto"]
 
 [dependencies]
-aws-lc-rs = { version = "1.6.0", optional = true }
+aws-lc-rs = { workspace = true, optional = true }
 yasna = { version = "0.5.2", features = ["time", "std"] }
 ring = { workspace = true, optional = true }
 pem = { workspace = true, optional = true }

rcgen/Cargo.toml

@@ -249,6 +249,18 @@ impl KeyPair {
 			let rsakp = RsaKeyPair::from_pkcs8(&serialized_der)._err()?;
 			KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256)
 		} else {
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			if alg == &PKCS_ECDSA_P521_SHA512 {
+				KeyPairKind::Ec(ecdsa_from_pkcs8(
+					&signature::ECDSA_P521_SHA512_ASN1_SIGNING,
+					&serialized_der,
+					rng,
+				)?)
+			} else {
+				panic!("Unknown SignatureAlgorithm specified!");
+			}
+
+			#[cfg(feature = "ring")]
 			panic!("Unknown SignatureAlgorithm specified!");
 		};
 
@@ -290,7 +302,19 @@ impl KeyPair {
 				&PKCS_RSA_SHA256,
 			)
 		} else {
-			return Err(Error::CouldNotParseKeyPair);
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			if let Ok(eckp) =
+				ecdsa_from_pkcs8(&signature::ECDSA_P521_SHA512_ASN1_SIGNING, pkcs8, &rng)
+			{
+				(KeyPairKind::Ec(eckp), &PKCS_ECDSA_P521_SHA512)
+			} else {
+				return Err(Error::CouldNotParseKeyPair);
+			}
+
+			#[cfg(feature = "ring")]
+			{
+				return Err(Error::CouldNotParseKeyPair);
+			}
 		};
 		Ok((kind, alg))
 	}

rcgen/src/key_pair.rs

@@ -20,6 +20,10 @@ pub(crate) const EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10045, 2, 1];
 pub(crate) const EC_SECP_256_R1: &[u64] = &[1, 2, 840, 10045, 3, 1, 7];
 /// secp384r1 in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#appendix-A)
 pub(crate) const EC_SECP_384_R1: &[u64] = &[1, 3, 132, 0, 34];
+/// secp521r1 in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#appendix-A)
+/// Currently this is only supported with the `aws_lc_rs` feature
+#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+pub(crate) const EC_SECP_521_R1: &[u64] = &[1, 3, 132, 0, 35];
 
 /// rsaEncryption in [RFC 4055](https://www.rfc-editor.org/rfc/rfc4055#section-6)
 pub(crate) const RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113549, 1, 1, 1];

rcgen/src/oid.rs

@@ -56,6 +56,11 @@ impl fmt::Debug for SignatureAlgorithm {
 		} else if self == &PKCS_ED25519 {
 			write!(f, "PKCS_ED25519")
 		} else {
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			if self == &PKCS_ECDSA_P521_SHA512 {
+				return write!(f, "PKCS_ECDSA_P521_SHA512");
+			}
+
 			write!(f, "Unknown")
 		}
 	}
@@ -86,6 +91,8 @@ impl SignatureAlgorithm {
 			//&PKCS_RSA_PSS_SHA256,
 			&PKCS_ECDSA_P256_SHA256,
 			&PKCS_ECDSA_P384_SHA384,
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			&PKCS_ECDSA_P521_SHA512,
 			&PKCS_ED25519,
 		];
 		ALGORITHMS.iter()
@@ -178,8 +185,17 @@ pub(crate) mod algo {
 		oid_components: &[1, 2, 840, 10045, 4, 3, 3],
 		params: SignatureAlgorithmParams::None,
 	};
-
-	// TODO PKCS_ECDSA_P521_SHA512 https://github.com/briansmith/ring/issues/824
+	/// ECDSA signing using the P-521 curves and SHA-512 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2)
+	/// Currently this is only supported with the `aws_lc_rs` feature
+	#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+	pub static PKCS_ECDSA_P521_SHA512: SignatureAlgorithm = SignatureAlgorithm {
+		oids_sign_alg: &[&EC_PUBLIC_KEY, &EC_SECP_521_R1],
+		#[cfg(feature = "crypto")]
+		sign_alg: SignAlgo::EcDsa(&signature::ECDSA_P521_SHA512_ASN1_SIGNING),
+		// ecdsa-with-SHA512 in RFC 5758
+		oid_components: &[1, 2, 840, 10045, 4, 3, 4],
+		params: SignatureAlgorithmParams::None,
+	};
 
 	/// ED25519 curve signing as per [RFC 8410](https://tools.ietf.org/html/rfc8410)
 	pub static PKCS_ED25519: SignatureAlgorithm = SignatureAlgorithm {

rcgen/src/sign_algo.rs

@@ -75,6 +75,17 @@ fn test_botan_384() {
 	check_cert(cert.der(), &cert);
 }
 
+#[test]
+#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+fn test_botan_521() {
+	let (params, _) = default_params();
+	let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P521_SHA512).unwrap();
+	let cert = params.self_signed(&key_pair).unwrap();
+
+	// Now verify the certificate.
+	check_cert(cert.der(), &cert);
+}
+
 #[test]
 fn test_botan_25519() {
 	let (params, _) = default_params();

rcgen/tests/botan.rs

@@ -19,6 +19,8 @@ mod test_key_params_mismatch {
 			&rcgen::PKCS_RSA_SHA256,
 			&rcgen::PKCS_ECDSA_P256_SHA256,
 			&rcgen::PKCS_ECDSA_P384_SHA384,
+			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			&rcgen::PKCS_ECDSA_P521_SHA512,
 			&rcgen::PKCS_ED25519,
 		];
 		for (i, kalg_1) in available_key_params.iter().enumerate() {

rcgen/tests/generic.rs

@@ -213,6 +213,18 @@ fn test_openssl_384() {
 	verify_csr(&cert, &key_pair);
 }
 
+#[test]
+#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+fn test_openssl_521() {
+	let (params, _) = util::default_params();
+	let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P521_SHA512).unwrap();
+	let cert = params.self_signed(&key_pair).unwrap();
+
+	// Now verify the certificate.
+	verify_cert(&cert, &key_pair);
+	verify_csr(&cert, &key_pair);
+}
+
 #[test]
 fn test_openssl_25519() {
 	let (params, _) = util::default_params();