Add support for P-521 curve with SHA-256/SHA-384 digests

src/aws_lc_rs_algs.rs

@@ -67,6 +67,20 @@ pub static ECDSA_P384_SHA384: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgo
     verification_alg: &signature::ECDSA_P384_SHA384_ASN1,
 };
 
+/// ECDSA signatures using the P-521 curve and SHA-256.
+pub static ECDSA_P521_SHA256: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ECDSA_P521,
+    signature_alg_id: alg_id::ECDSA_SHA256,
+    verification_alg: &signature::ECDSA_P521_SHA256_ASN1,
+};
+
+/// ECDSA signatures using the P-521 curve and SHA-384.
+pub static ECDSA_P521_SHA384: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
+    public_key_alg_id: alg_id::ECDSA_P521,
+    signature_alg_id: alg_id::ECDSA_SHA384,
+    verification_alg: &signature::ECDSA_P521_SHA384_ASN1,
+};
+
 /// ECDSA signatures using the P-521 curve and SHA-512.
 pub static ECDSA_P521_SHA512: &dyn SignatureVerificationAlgorithm = &AwsLcRsAlgorithm {
     public_key_alg_id: alg_id::ECDSA_P521,
@@ -151,6 +165,8 @@ mod tests {
         // Reasonable algorithms.
         super::ECDSA_P256_SHA256,
         super::ECDSA_P384_SHA384,
+        super::ECDSA_P521_SHA256,
+        super::ECDSA_P521_SHA384,
         super::ECDSA_P521_SHA512,
         super::ED25519,
         super::RSA_PKCS1_2048_8192_SHA256,

src/lib.rs

@@ -109,10 +109,10 @@ pub mod ring {
 pub mod aws_lc_rs {
     pub use super::aws_lc_rs_algs::{
         ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384,
-        ECDSA_P521_SHA512, ED25519, RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384,
-        RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_3072_8192_SHA384,
-        RSA_PSS_2048_8192_SHA256_LEGACY_KEY, RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
-        RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+        ECDSA_P521_SHA256, ECDSA_P521_SHA384, ECDSA_P521_SHA512, ED25519,
+        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
+        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
+        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
     };
 }
 
@@ -153,6 +153,10 @@ pub static ALL_VERIFICATION_ALGS: &[&dyn types::SignatureVerificationAlgorithm]
     #[cfg(feature = "aws_lc_rs")]
     aws_lc_rs::ECDSA_P384_SHA384,
     #[cfg(feature = "aws_lc_rs")]
+    aws_lc_rs::ECDSA_P521_SHA256,
+    #[cfg(feature = "aws_lc_rs")]
+    aws_lc_rs::ECDSA_P521_SHA384,
+    #[cfg(feature = "aws_lc_rs")]
     aws_lc_rs::ECDSA_P521_SHA512,
     #[cfg(feature = "aws_lc_rs")]
     aws_lc_rs::ED25519,

tests/generate.py

@@ -7,6 +7,7 @@
 Run this script from tests/.  It edits the bottom part of some .rs files and
 drops testcase data into subdirectories as required.
 """
+
 import argparse
 import enum
 import os
@@ -561,6 +562,8 @@ def signatures(force: bool) -> None:
 
     feature_gates = {
         "ECDSA_P521_SHA512": 'all(not(feature = "ring"), feature = "aws_lc_rs")',
+        "ECDSA_P521_SHA256": 'all(not(feature = "ring"), feature = "aws_lc_rs")',
+        "ECDSA_P521_SHA384": 'all(not(feature = "ring"), feature = "aws_lc_rs")',
     }
 
     rsa_types: list[str] = [
@@ -576,7 +579,7 @@ def signatures(force: bool) -> None:
         "ed25519": ["ED25519"],
         "ecdsa_p256": ["ECDSA_P256_SHA384", "ECDSA_P256_SHA256"],
         "ecdsa_p384": ["ECDSA_P384_SHA384", "ECDSA_P384_SHA256"],
-        "ecdsa_p521": ["ECDSA_P521_SHA512"],
+        "ecdsa_p521": ["ECDSA_P521_SHA512", "ECDSA_P521_SHA256", "ECDSA_P521_SHA384"],
         "rsa_2048": rsa_types,
         "rsa_3072": rsa_types + ["RSA_PKCS1_3072_8192_SHA384"],
         "rsa_4096": rsa_types + ["RSA_PKCS1_3072_8192_SHA384"],
@@ -606,6 +609,12 @@ def signatures(force: bool) -> None:
         "ECDSA_P384_SHA384": lambda key, message: key.sign(
             message, ec.ECDSA(hashes.SHA384())
         ),
+        "ECDSA_P521_SHA256": lambda key, message: key.sign(
+            message, ec.ECDSA(hashes.SHA256())
+        ),
+        "ECDSA_P521_SHA384": lambda key, message: key.sign(
+            message, ec.ECDSA(hashes.SHA384())
+        ),
         "ECDSA_P521_SHA512": lambda key, message: key.sign(
             message, ec.ECDSA(hashes.SHA512())
         ),
@@ -1126,7 +1135,13 @@ def _revocation_test(
         intermediates_str: str = f"&[{int_a_str}, {int_b_str}]"
 
         def _write_revocation_test(*, owned: bool) -> None:
-            nonlocal crl_paths, expected_error, intermediates_str, test_name, ee_cert_path, root_cert_path
+            nonlocal \
+                crl_paths, \
+                expected_error, \
+                intermediates_str, \
+                test_name, \
+                ee_cert_path, \
+                root_cert_path
 
             test_name = test_name if not owned else test_name + "_owned"
 

tests/signatures.rs

@@ -28,10 +28,11 @@ use webpki::ring::{
 
 #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
 use webpki::aws_lc_rs::{
-    ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ECDSA_P521_SHA512,
-    ED25519, RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
-    RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
-    RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+    ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ECDSA_P521_SHA256,
+    ECDSA_P521_SHA384, ECDSA_P521_SHA512, ED25519, RSA_PKCS1_2048_8192_SHA256,
+    RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_3072_8192_SHA384,
+    RSA_PSS_2048_8192_SHA256_LEGACY_KEY, RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
+    RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
 };
 
 #[cfg(feature = "alloc")]
@@ -75,6 +76,10 @@ fn ed25519_key_and_ed25519_detects_bad_signature() {
 fn ed25519_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/ed25519.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA256,
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA384,
         #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
         ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
@@ -149,6 +154,10 @@ fn ecdsa_p256_key_and_ecdsa_p256_sha256_detects_bad_signature() {
 fn ecdsa_p256_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/ecdsa_p256.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA256,
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA384,
         #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
         ECDSA_P521_SHA512,
         ECDSA_P384_SHA256,
@@ -222,6 +231,10 @@ fn ecdsa_p384_key_and_ecdsa_p384_sha256_detects_bad_signature() {
 fn ecdsa_p384_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/ecdsa_p384.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA256,
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA384,
         #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
         ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
@@ -266,6 +279,54 @@ fn ecdsa_p521_key_and_ecdsa_p521_sha512_detects_bad_signature() {
     );
 }
 
+#[test]
+#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+fn ecdsa_p521_key_and_ecdsa_p521_sha256_good_signature() {
+    let ee = include_bytes!("signatures/ecdsa_p521.ee.der");
+    let message = include_bytes!("signatures/message.bin");
+    let signature =
+        include_bytes!("signatures/ecdsa_p521_key_and_ecdsa_p521_sha256_good_signature.sig.bin");
+    assert_eq!(check_sig(ee, ECDSA_P521_SHA256, message, signature), Ok(()));
+}
+
+#[test]
+#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+fn ecdsa_p521_key_and_ecdsa_p521_sha256_detects_bad_signature() {
+    let ee = include_bytes!("signatures/ecdsa_p521.ee.der");
+    let message = include_bytes!("signatures/message.bin");
+    let signature = include_bytes!(
+        "signatures/ecdsa_p521_key_and_ecdsa_p521_sha256_detects_bad_signature.sig.bin"
+    );
+    assert_eq!(
+        check_sig(ee, ECDSA_P521_SHA256, message, signature),
+        Err(webpki::Error::InvalidSignatureForPublicKey)
+    );
+}
+
+#[test]
+#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+fn ecdsa_p521_key_and_ecdsa_p521_sha384_good_signature() {
+    let ee = include_bytes!("signatures/ecdsa_p521.ee.der");
+    let message = include_bytes!("signatures/message.bin");
+    let signature =
+        include_bytes!("signatures/ecdsa_p521_key_and_ecdsa_p521_sha384_good_signature.sig.bin");
+    assert_eq!(check_sig(ee, ECDSA_P521_SHA384, message, signature), Ok(()));
+}
+
+#[test]
+#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+fn ecdsa_p521_key_and_ecdsa_p521_sha384_detects_bad_signature() {
+    let ee = include_bytes!("signatures/ecdsa_p521.ee.der");
+    let message = include_bytes!("signatures/message.bin");
+    let signature = include_bytes!(
+        "signatures/ecdsa_p521_key_and_ecdsa_p521_sha384_detects_bad_signature.sig.bin"
+    );
+    assert_eq!(
+        check_sig(ee, ECDSA_P521_SHA384, message, signature),
+        Err(webpki::Error::InvalidSignatureForPublicKey)
+    );
+}
+
 #[test]
 #[cfg(feature = "alloc")]
 fn ecdsa_p521_key_rejected_by_other_algorithms() {
@@ -458,6 +519,10 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha512_legacy_key_detects_bad_signature()
 fn rsa_2048_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/rsa_2048.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA256,
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA384,
         #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
         ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
@@ -668,6 +733,10 @@ fn rsa_3072_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature() {
 fn rsa_3072_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/rsa_3072.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA256,
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA384,
         #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
         ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,
@@ -878,6 +947,10 @@ fn rsa_4096_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature() {
 fn rsa_4096_key_rejected_by_other_algorithms() {
     let ee = include_bytes!("signatures/rsa_4096.ee.der");
     for algorithm in &[
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA256,
+        #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+        ECDSA_P521_SHA384,
         #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
         ECDSA_P521_SHA512,
         ECDSA_P256_SHA256,

tests/signatures/ecdsa_p521_key_and_ecdsa_p521_sha256_detects_bad_signature.sig.bin

@@ -0,0 +1,3 @@
+0ˆB
Y8¥#ä$¢cŽŒ_¶PEï$TVfªÙ–ü0h‡I˜ð?›@~9~XuŸzݺÞZÝúK¡—©üP…{Ï@zƒB
G]³¹—'rU
q’QÅè:Š,Œ£t¥Ðë‰$ȦðÑ\ۀ
+~…ºÐôi
+[d9#”)¬Û™™‚;	

tests/signatures/ecdsa_p521_key_and_ecdsa_p521_sha384_good_signature.sig.bin

@@ -0,0 +1,2 @@
+0‡Am§µÒ±'½î¿nìMù6r¹yîŸÍô}ÑHèð¹	0tOo™Ñ(v@ËH·^lú$ª~ÉûK™s-B
C
+âZžK¤€Ë#ù50'»"kiñwÄ¢Fz¿ØYÅÆãuf˜è#5V–kG”Ÿ—oVÏMõòÐ4‡ë¥g