Add support for P384 public key algorithm

I found that I could not use root certificates which use a P384 public key algorithm. More specifically, passing in a certificate with ``` $ openssl x509 -noout -text -in root.der … Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: … ASN1 OID: secp384r1 NIST CURVE: P-384 … ``` gives me ``` EcX509Error(UnsupportedPublicKeyAlgorithm("ObjectIdentifier(1.2.840.10045.2.1)")) ``` back. The changes here seem to fix this, but I’ll admit that they were made very mechanically based on the existing code. This would be a continuation of the work in #190.
awslabs · Jan 31, 2025 · 333aac5 · 333aac5
1 parent f7a8f87
commit 333aac5
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/mls-rs-crypto-rustcrypto/Cargo.toml b/mls-rs-crypto-rustcrypto/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-crypto-rustcrypto"
-version = "0.13.0"
+version = "0.13.1"
 edition = "2021"
 description = "RustCrypto based CryptoProvider for mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"

diff --git a/mls-rs-crypto-rustcrypto/src/ec.rs b/mls-rs-crypto-rustcrypto/src/ec.rs
@@ -39,6 +39,8 @@ pub enum EcPrivateKey {
 pub enum EcError {
     #[cfg_attr(feature = "std", error("p256 error: {0:?}"))]
     P256Error(p256::elliptic_curve::Error),
+    #[cfg_attr(feature = "std", error("p384 error: {0:?}"))]
+    P384Error(p384::elliptic_curve::Error),
     #[cfg_attr(feature = "std", error("unsupported curve type"))]
     UnsupportedCurve,
     #[cfg_attr(feature = "std", error("invalid public key data"))]

diff --git a/mls-rs-crypto-rustcrypto/src/ec_for_x509.rs b/mls-rs-crypto-rustcrypto/src/ec_for_x509.rs
@@ -22,6 +22,7 @@ use crate::{
 pub const X25519_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.101.110");
 pub const ED25519_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.101.112");
 pub const P256_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.3.1.7");
+pub const P384_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.132.0.34");
 
 #[derive(Debug)]
 #[cfg_attr(feature = "std", derive(thiserror::Error))]
@@ -68,6 +69,8 @@ pub fn curve_from_algorithm(algorithm: &AlgorithmIdentifier<Any>) -> Result<Curv
         Ok(Curve::X25519)
     } else if borrowed.parameters_oid() == Ok(P256_OID) {
         Ok(Curve::P256)
+    } else if borrowed.parameters_oid() == Ok(P384_OID) {
+        Ok(Curve::P384)
     } else {
         Err(EcX509Error::UnsupportedPublicKeyAlgorithm(format!(
             "{:?}",
@@ -82,7 +85,7 @@ pub fn signer_from_algorithm(
     let curve = curve_from_algorithm(algorithm)?;
 
     match curve {
-        Curve::Ed25519 | Curve::P256 => Ok(EcSigner::new_from_curve(curve)),
+        Curve::Ed25519 | Curve::P256 | Curve::P384 => Ok(EcSigner::new_from_curve(curve)),
         _ => Err(EcX509Error::UnsupportedPublicKeyAlgorithm(format!(
             "{:?}",
             algorithm.oid
@@ -120,6 +123,9 @@ pub fn pub_key_from_spki(
         Curve::P256 => p256::PublicKey::from_sec1_bytes(spki.subject_public_key.raw_bytes())
             .map_err(|e| EcX509Error::from(EcError::P256Error(e)))
             .map(EcPublicKey::P256),
+        Curve::P384 => p384::PublicKey::from_sec1_bytes(spki.subject_public_key.raw_bytes())
+            .map_err(|e| EcX509Error::from(EcError::P384Error(e)))
+            .map(EcPublicKey::P384),
         _ => Err(EcError::UnsupportedCurve.into()),
     }
 }