From 333aac513957228158b73a826a345f58c4f6fbc0 Mon Sep 17 00:00:00 2001 From: Martin Geisler Date: Fri, 31 Jan 2025 17:40:10 +0100 Subject: [PATCH] Add support for P384 public key algorithm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I found that I could not use root certificates which use a P384 public key algorithm. More specifically, passing in a certificate with ``` $ openssl x509 -noout -text -in root.der … Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: … ASN1 OID: secp384r1 NIST CURVE: P-384 … ``` gives me ``` EcX509Error(UnsupportedPublicKeyAlgorithm("ObjectIdentifier(1.2.840.10045.2.1)")) ``` back. The changes here seem to fix this, but I’ll admit that they were made very mechanically based on the existing code. This would be a continuation of the work in #190.
---
 mls-rs-crypto-rustcrypto/Cargo.toml | 2 +- mls-rs-crypto-rustcrypto/src/ec.rs | 2 ++ mls-rs-crypto-rustcrypto/src/ec_for_x509.rs | 8 +++++++- 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/mls-rs-crypto-rustcrypto/Cargo.toml b/mls-rs-crypto-rustcrypto/Cargo.toml
index dbb85a15..5836fdba 100644
--- a/mls-rs-crypto-rustcrypto/Cargo.toml
+++ b/mls-rs-crypto-rustcrypto/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mls-rs-crypto-rustcrypto"
-version = "0.13.0"
+version = "0.13.1"
 edition = "2021"
 description = "RustCrypto based CryptoProvider for mls-rs"
 homepage = "https://github.com/awslabs/mls-rs"
diff --git a/mls-rs-crypto-rustcrypto/src/ec.rs b/mls-rs-crypto-rustcrypto/src/ec.rs
index c3c4b056..ea2e62f8 100644
--- a/mls-rs-crypto-rustcrypto/src/ec.rs
+++ b/mls-rs-crypto-rustcrypto/src/ec.rs
@@ -39,6 +39,8 @@ pub enum EcPrivateKey { pub enum EcError { #[cfg_attr(feature = "std", error("p256 error: {0:?}"))] P256Error(p256::elliptic_curve::Error), + #[cfg_attr(feature = "std", error("p384 error: {0:?}"))] + P384Error(p384::elliptic_curve::Error), #[cfg_attr(feature = "std", error("unsupported curve type"))] UnsupportedCurve, #[cfg_attr(feature = "std", error("invalid public key data"))] diff --git a/mls-rs-crypto-rustcrypto/src/ec_for_x509.rs b/mls-rs-crypto-rustcrypto/src/ec_for_x509.rs index dd9a7111..8e3e34b2 100644 --- a/mls-rs-crypto-rustcrypto/src/ec_for_x509.rs +++ b/mls-rs-crypto-rustcrypto/src/ec_for_x509.rs @@ -22,6 +22,7 @@ use crate::{ pub const X25519_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.101.110"); pub const ED25519_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.101.112"); pub const P256_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.3.1.7"); +pub const P384_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.132.0.34"); #[derive(Debug)] #[cfg_attr(feature = "std", derive(thiserror::Error))] @@ -68,6 +69,8 @@ pub fn curve_from_algorithm(algorithm: &AlgorithmIdentifier) -> Result Ok(EcSigner::new_from_curve(curve)), + Curve::Ed25519 | Curve::P256 | Curve::P384 => Ok(EcSigner::new_from_curve(curve)), _ => Err(EcX509Error::UnsupportedPublicKeyAlgorithm(format!( "{:?}", algorithm.oid @@ -120,6 +123,9 @@ pub fn pub_key_from_spki( Curve::P256 => p256::PublicKey::from_sec1_bytes(spki.subject_public_key.raw_bytes()) .map_err(|e| EcX509Error::from(EcError::P256Error(e))) .map(EcPublicKey::P256), + Curve::P384 => p384::PublicKey::from_sec1_bytes(spki.subject_public_key.raw_bytes()) + .map_err(|e| EcX509Error::from(EcError::P384Error(e))) + .map(EcPublicKey::P384), _ => Err(EcError::UnsupportedCurve.into()), } }
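Review bot: `P384Error` is a new variant on the public `EcError` enum, yet the same patch releases it as 0.13.1, which Cargo treats as compatible with 0.13.0. The attributes on `pub enum EcError` sit above this hunk and are not visible; if the enum is not `#[non_exhaustive]`, downstream crates that match on it exhaustively will stop compiling after a routine update. Either confirm the attribute is present or release the change as `version = "0.14.0"`. A short doc comment on the variant, for example `/// Error returned by the p384 crate while decoding a P-384 key.`, would also keep it in line with how the variant is used in `pub_key_from_spki`.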
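Review bot: The arm `Curve::Ed25519 | Curve::P256 | Curve::P384 => Ok(EcSigner::new_from_curve(curve))` lets P-384 keys reach `EcSigner`, but the patch carries no test and its description says the edits were made mechanically. `EcSigner` is not visible here, so it should be confirmed that it pairs P-384 with SHA-384 and that verification fails closed when a certificate's signature algorithm names a different digest. A test that validates a chain under a P-384 root, plus one that rejects the same chain with a single signature byte altered, would pin both properties. The enclosing function and most of the preceding `curve_from_algorithm` hunk are cut off in this view, so the OID-to-curve mapping itself could not be checked.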
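Review bot: The new `Curve::P384` arm, like the P256 arm it copies, passes `spki.subject_public_key.raw_bytes()` to `from_sec1_bytes`. Assuming this is the `der` BIT STRING type, `raw_bytes()` returns the contents regardless of the unused-bits count, so a key encoded with a non-zero count is parsed instead of being rejected as malformed. `as_bytes()` returns `None` in that case; using `spki.subject_public_key.as_bytes()` and mapping `None` to the existing invalid-public-key error would tighten both arms. The function begins above the hunk, so any earlier validation of the BIT STRING is not visible here.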