From ce55e0e93dddb820ae6291cd3229a3858aab1690 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Mon, 19 Jan 2026 13:24:29 +0100 Subject: [PATCH 1/2] Add P521-SHA256 and P521-SHA384 signing algorithms --- rcgen/src/key_pair.rs | 14 ++++++++++- rcgen/src/sign_algo.rs | 46 ++++++++++++++++++++++++++++++++++- verify-tests/tests/generic.rs | 15 +++++++++++- 3 files changed, 72 insertions(+), 3 deletions(-) diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs index a1bc1a48..102cd4df 100644 --- a/rcgen/src/key_pair.rs +++ b/rcgen/src/key_pair.rs @@ -264,7 +264,19 @@ impl KeyPair { KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256) } else { #[cfg(feature = "aws_lc_rs")] - if alg == &PKCS_ECDSA_P521_SHA512 { + if alg == &PKCS_ECDSA_P521_SHA256 { + KeyPairKind::Ec(ecdsa_from_pkcs8( + &signature::ECDSA_P521_SHA256_ASN1_SIGNING, + &serialized_der, + rng, + )?) + } else if alg == &PKCS_ECDSA_P521_SHA384 { + KeyPairKind::Ec(ecdsa_from_pkcs8( + &signature::ECDSA_P521_SHA384_ASN1_SIGNING, + &serialized_der, + rng, + )?) + } else if alg == &PKCS_ECDSA_P521_SHA512 { KeyPairKind::Ec(ecdsa_from_pkcs8( &signature::ECDSA_P521_SHA512_ASN1_SIGNING, &serialized_der, diff --git a/rcgen/src/sign_algo.rs b/rcgen/src/sign_algo.rs index bc9d18b3..a14f7ae0 100644 --- a/rcgen/src/sign_algo.rs +++ b/rcgen/src/sign_algo.rs @@ -63,6 +63,14 @@ impl fmt::Debug for SignatureAlgorithm { } else if self == &PKCS_ED25519 { write!(f, "PKCS_ED25519") } else { + #[cfg(feature = "aws_lc_rs")] + if self == &PKCS_ECDSA_P521_SHA256 { + return write!(f, "PKCS_ECDSA_P521_SHA256"); + } + #[cfg(feature = "aws_lc_rs")] + if self == &PKCS_ECDSA_P521_SHA384 { + return write!(f, "PKCS_ECDSA_P521_SHA384"); + } #[cfg(feature = "aws_lc_rs")] if self == &PKCS_ECDSA_P521_SHA512 { return write!(f, "PKCS_ECDSA_P521_SHA512"); @@ -99,6 +107,10 @@ impl SignatureAlgorithm { &PKCS_ECDSA_P256_SHA256, &PKCS_ECDSA_P384_SHA384, #[cfg(feature = "aws_lc_rs")] + &PKCS_ECDSA_P521_SHA256, + #[cfg(feature = "aws_lc_rs")] + &PKCS_ECDSA_P521_SHA384, + #[cfg(feature = "aws_lc_rs")] &PKCS_ECDSA_P521_SHA512, &PKCS_ED25519, ]; @@ -191,8 +203,40 @@ pub(crate) mod algo { oid_components: &[1, 2, 840, 10045, 4, 3, 3], params: SignatureAlgorithmParams::None, }; + + /// ECDSA signing using the P-521 curves and SHA-256 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2) + /// + /// Note that this algorithm is not widely supported, and is not supported in TLS 1.3. + /// + /// Only supported with the `aws_lc_rs` backend. + #[cfg(feature = "aws_lc_rs")] + pub static PKCS_ECDSA_P521_SHA256: SignatureAlgorithm = SignatureAlgorithm { + oids_sign_alg: &[EC_PUBLIC_KEY, EC_SECP_521_R1], + #[cfg(feature = "crypto")] + sign_alg: SignAlgo::EcDsa(&signature::ECDSA_P521_SHA256_ASN1_SIGNING), + // ecdsa-with-SHA256 in RFC 5758 + oid_components: &[1, 2, 840, 10045, 4, 3, 2], + params: SignatureAlgorithmParams::None, + }; + + /// ECDSA signing using the P-521 curves and SHA-384 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2) + /// + /// Note that this algorithm is not widely supported, and is not supported in TLS 1.3. + /// + /// Only supported with the `aws_lc_rs` backend. + #[cfg(feature = "aws_lc_rs")] + pub static PKCS_ECDSA_P521_SHA384: SignatureAlgorithm = SignatureAlgorithm { + oids_sign_alg: &[EC_PUBLIC_KEY, EC_SECP_521_R1], + #[cfg(feature = "crypto")] + sign_alg: SignAlgo::EcDsa(&signature::ECDSA_P521_SHA384_ASN1_SIGNING), + // ecdsa-with-SHA384 in RFC 5758 + oid_components: &[1, 2, 840, 10045, 4, 3, 3], + params: SignatureAlgorithmParams::None, + }; + /// ECDSA signing using the P-521 curves and SHA-512 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2) - /// Currently this is only supported with the `aws_lc_rs` feature + /// + /// Only supported with the `aws_lc_rs` backend. #[cfg(feature = "aws_lc_rs")] pub static PKCS_ECDSA_P521_SHA512: SignatureAlgorithm = SignatureAlgorithm { oids_sign_alg: &[EC_PUBLIC_KEY, EC_SECP_521_R1], diff --git a/verify-tests/tests/generic.rs b/verify-tests/tests/generic.rs index 3b6f668e..84b6feaf 100644 --- a/verify-tests/tests/generic.rs +++ b/verify-tests/tests/generic.rs @@ -16,6 +16,10 @@ mod test_key_params_mismatch { &rcgen::PKCS_ECDSA_P256_SHA256, &rcgen::PKCS_ECDSA_P384_SHA384, #[cfg(feature = "aws_lc_rs")] + &rcgen::PKCS_ECDSA_P521_SHA256, + #[cfg(feature = "aws_lc_rs")] + &rcgen::PKCS_ECDSA_P521_SHA384, + #[cfg(feature = "aws_lc_rs")] &rcgen::PKCS_ECDSA_P521_SHA512, &rcgen::PKCS_ED25519, ]; @@ -28,7 +32,16 @@ mod test_key_params_mismatch { } assert_ne!(*kalg_1, *kalg_2); - assert_ne!(generate_hash(*kalg_1), generate_hash(*kalg_2)); + let names = [format!("{kalg_1:?}"), format!("{kalg_2:?}")]; + if names.into_iter().all(|n| n.starts_with("PKCS_ECDSA_P521")) { + continue; + } + + assert_ne!( + generate_hash(*kalg_1), + generate_hash(*kalg_2), + "{kalg_1:?} vs {kalg_2:?}", + ); } } } From fba2a54d17bc88dd4ae6ab3c350fe738bd2cf61f Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Mon, 19 Jan 2026 13:25:14 +0100 Subject: [PATCH 2/2] Bump version to 0.14.7 --- Cargo.lock | 2 +- rcgen/Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1ea24f0a..c4eb5d9a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -727,7 +727,7 @@ checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" [[package]] name = "rcgen" -version = "0.14.6" +version = "0.14.7" dependencies = [ "aws-lc-rs", "openssl", diff --git a/rcgen/Cargo.toml b/rcgen/Cargo.toml index 331abacc..8d1ab2da 100644 --- a/rcgen/Cargo.toml +++ b/rcgen/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "rcgen" -version = "0.14.6" +version = "0.14.7" documentation = "https://docs.rs/rcgen" description.workspace = true repository.workspace = true