From a46348437eb485240e20f3a43c9f2dbec9761adf Mon Sep 17 00:00:00 2001 From: Sylvain Bellemare Date: Sun, 19 Oct 2025 17:24:17 +0900 Subject: [PATCH] Add ECDSA signature verification for curve P521 --- assets/p521-selfsigned.der | Bin 0 -> 605 bytes src/verify.rs | 26 ++++++++++++++++++++++---- tests/verify.rs | 12 ++++++++++++ 3 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 assets/p521-selfsigned.der diff --git a/assets/p521-selfsigned.der b/assets/p521-selfsigned.der new file mode 100644 index 0000000000000000000000000000000000000000..f79839d1f8bab4a153709844d1d3a1e8fe5498b6 GIT binary patch literal 605 zcmXqLVv00qV%)WWnTe5!iBZUai;Y98&EuRc3p0y>zah5)CmVAp3!5;LbCjX1fi#H2 z#Um0@lwXjUtPosSnpl*oP^?#^m#=52Xdn-gX6BJVl@7|!FHvxIR46kvP!Q)eGBq?X zGBhwVHZd@ZlHfNoFb4`4SV9G;Z)M|b0|7R6u$Pz^*;ut3Ss0X=8`~II7?*Rn6hB`+ zHOk<2X13j4!=s=1lyCKKyD&SZV5-pv3DFN_9vXSP59FUXYQ48f{q6Q|?)Ecto0~kJ zPDweJdLURt{~km8-(1X0L_6F7`d*KNVNK*vY`bfFBrYvcimv|5;cKn1Pf5A4q^7 zB)|fU6*dD|5TB1lj7220Z}~fwD=M+p(`Tq%FGy##`SI!#a*Q!I_AnSUb}%_Hv@~Cx z?z47cq3W(fqW-gluLOO&Q~pTk+icrcVF_!_2Vb+XHWit!CE9TCM-HQ+`JX*06IZ-l zcY9Qf%|G l31R&6Z}e8$-P=+9@`7ZB-Uil|)rVLu=e)LOy|T%W4FD{!(jou= literal 0 HcmV?d00001 diff --git a/src/verify.rs b/src/verify.rs index 6a73604..f8a66bb 100644 --- a/src/verify.rs +++ b/src/verify.rs 
@@ -2,10 +2,10 @@ use crate::prelude::*; use crate::signature_algorithm::RsaSsaPssParams; use asn1_rs::{Any, BitString, DerParser}; use oid_registry::{ - OID_EC_P256, OID_NIST_EC_P384, OID_NIST_HASH_SHA256, OID_NIST_HASH_SHA384, + OID_EC_P256, OID_NIST_EC_P384, OID_NIST_EC_P521, OID_NIST_HASH_SHA256, OID_NIST_HASH_SHA384, OID_NIST_HASH_SHA512, OID_PKCS1_RSASSAPSS, OID_PKCS1_SHA1WITHRSA, OID_PKCS1_SHA256WITHRSA, OID_PKCS1_SHA384WITHRSA, OID_PKCS1_SHA512WITHRSA, OID_SHA1_WITH_RSA, OID_SIG_ECDSA_WITH_SHA256, - OID_SIG_ECDSA_WITH_SHA384, OID_SIG_ED25519, + OID_SIG_ECDSA_WITH_SHA384, OID_SIG_ECDSA_WITH_SHA512, OID_SIG_ED25519, }; // Since the `signature` object is similar in ring and in aws-lc-rs, we just use simple logic @@ -53,6 +53,9 @@ pub fn verify_signature( } else if *signature_algorithm == OID_SIG_ECDSA_WITH_SHA384 { get_ec_curve_sha(&public_key.algorithm, 384) .ok_or(X509Error::SignatureUnsupportedAlgorithm)? + } else if *signature_algorithm == OID_SIG_ECDSA_WITH_SHA512 { + get_ec_curve_sha(&public_key.algorithm, 512) + .ok_or(X509Error::SignatureUnsupportedAlgorithm)? } else if *signature_algorithm == OID_SIG_ED25519 { &signature::ED25519 } else { @@ -76,7 +79,6 @@ fn get_ec_curve_sha( sha_len: usize, ) -> Option<&'static dyn signature::VerificationAlgorithm> { let curve_oid = pubkey_alg.parameters.as_ref()?.as_oid().ok()?; - // let curve_oid = pubkey_alg.parameters.as_ref()?.as_oid().ok()?; if curve_oid == OID_EC_P256 { match sha_len { 256 => Some(&signature::ECDSA_P256_SHA256_ASN1), @@ -90,7 +92,23 @@ fn get_ec_curve_sha( _ => None, } } else { - None + #[cfg(feature = "verify-aws")] + { + if curve_oid == OID_NIST_EC_P521 { + match sha_len { + 256 => Some(&signature::ECDSA_P521_SHA256_ASN1), + 384 => Some(&signature::ECDSA_P521_SHA384_ASN1), + 512 => Some(&signature::ECDSA_P521_SHA512_ASN1), + _ => None, + } + } else { + None + } + } + #[cfg(not(feature = "verify-aws"))] + { + None + } } } 
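Review bot: The new `OID_SIG_ECDSA_WITH_SHA512` branch passes 512 to `get_ec_curve_sha` for every curve, but the only 512 arm visible in this patch is the P-521 one behind `verify-aws`. If the P-256 and P-384 matches (only partly visible here) have no 512 arm, ecdsa-with-SHA512 signatures on those keys still end in `SignatureUnsupportedAlgorithm`, as does every such signature on a build without `verify-aws`. That fails closed, but a comment on the branch would stop readers assuming full support, for example `// SHA-512 is currently only paired with P-521 (verify-aws); other curves return SignatureUnsupportedAlgorithm`. The enclosing `verify_signature` starts and ends outside the hunk.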
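Review bot: `OID_NIST_EC_P521` is referenced only inside the `#[cfg(feature = "verify-aws")]` block added in the final `else` of `get_ec_curve_sha`, yet the import in the first hunk is unconditional. A build without that feature would therefore likely emit an unused-import warning, which becomes an error under `-D warnings`. Consider a separate gated import, `#[cfg(feature = "verify-aws")] use oid_registry::OID_NIST_EC_P521;`, instead of adding it to the shared list. A one-line comment above the cfg pair, such as `// P-521 is only wired up for the verify-aws backend; otherwise the curve is reported as unsupported`, would also explain why the same certificate verifies under one feature set and not the other. The function body starts above the hunk.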
diff --git a/tests/verify.rs b/tests/verify.rs index d376aee..867d4ea 100644 --- a/tests/verify.rs +++ b/tests/verify.rs @@ -67,3 +67,15 @@ fn test_signature_verification_rsa_pss_sha512() { eprintln!("Verification: {res:?}"); assert!(res.is_ok()); } + +static P521_SELF_SIGNED_DER: &[u8] = include_bytes!("../assets/p521-selfsigned.der"); + +#[cfg(feature = "verify-aws")] +#[test] +fn test_signature_verification_p521() { + let (_, x509_ca) = + parse_x509_certificate(P521_SELF_SIGNED_DER).expect("could not parse certificate"); + let res = x509_ca.verify_signature(None); + eprintln!("Verification: {res:?}"); + assert!(res.is_ok()); +}
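Review bot: `test_signature_verification_p521` asserts only the success path, so it would still pass if the P-521 arm accepted any signature. A companion case that alters one byte inside the signature value of a copy of the DER and asserts `res.is_err()` would pin rejection as well. Separately, `P521_SELF_SIGNED_DER` is declared without the `#[cfg(feature = "verify-aws")]` that its only user carries, which may warn as dead code in other feature builds; putting the same attribute on the static avoids that.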