ECDSA P-521 with SHA1, SHA224, SHA256, SHA384

aws · Jul 17, 2024 · a95804b · a95804b
1 parent eeac93b
commit a95804b
Show file tree

Hide file tree

Showing 7 changed files with 1,851 additions and 20 deletions.
diff --git a/aws-lc-rs/src/ec.rs b/aws-lc-rs/src/ec.rs
@@ -10,8 +10,8 @@ use core::ops::Deref;
 use core::ptr::null;
 use core::ptr::null_mut;
 // TODO: Uncomment when MSRV >= 1.64
-// use core::ffi::{c_int, c_uint};
-use std::os::raw::{c_int, c_uint};
+// use core::ffi::c_int;
+use std::os::raw::c_int;
 
 #[cfg(feature = "ring-sig-verify")]
 use untrusted::Input;
@@ -67,7 +67,6 @@ pub const PKCS8_DOCUMENT_MAX_LEN: usize = 42 + SCALAR_MAX_BYTES + PUBLIC_KEY_MAX
 pub struct EcdsaVerificationAlgorithm {
     pub(super) id: &'static AlgorithmID,
     pub(super) digest: &'static digest::Algorithm,
-    pub(super) bits: c_uint,
     pub(super) sig_format: EcdsaSignatureFormat,
 }
 

diff --git a/aws-lc-rs/src/signature.rs b/aws-lc-rs/src/signature.rs
@@ -533,127 +533,167 @@ pub static RSA_PKCS1_SHA512: RsaSignatureEncoding = RsaSignatureEncoding::new(
 pub static ECDSA_P256_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P256,
     digest: &digest::SHA256,
-    bits: 256,
     sig_format: EcdsaSignatureFormat::Fixed,
 };
 
 /// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA-384.
 pub static ECDSA_P384_SHA384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P384,
     digest: &digest::SHA384,
-    bits: 384,
     sig_format: EcdsaSignatureFormat::Fixed,
 };
 
 /// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-384 curve and SHA3-384.
 pub static ECDSA_P384_SHA3_384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P384,
     digest: &digest::SHA3_384,
-    bits: 384,
+    sig_format: EcdsaSignatureFormat::Fixed,
+};
+
+/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-1.
+pub static ECDSA_P521_SHA1_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
+    id: &ec::AlgorithmID::ECDSA_P521,
+    digest: &digest::SHA1_FOR_LEGACY_USE_ONLY,
+    sig_format: EcdsaSignatureFormat::Fixed,
+};
+
+/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-224.
+pub static ECDSA_P521_SHA224_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
+    id: &ec::AlgorithmID::ECDSA_P521,
+    digest: &digest::SHA224,
+    sig_format: EcdsaSignatureFormat::Fixed,
+};
+
+/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-256.
+pub static ECDSA_P521_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
+    id: &ec::AlgorithmID::ECDSA_P521,
+    digest: &digest::SHA256,
+    sig_format: EcdsaSignatureFormat::Fixed,
+};
+
+/// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-384.
+pub static ECDSA_P521_SHA384_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
+    id: &ec::AlgorithmID::ECDSA_P521,
+    digest: &digest::SHA384,
     sig_format: EcdsaSignatureFormat::Fixed,
 };
 
 /// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-512.
 pub static ECDSA_P521_SHA512_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P521,
     digest: &digest::SHA512,
-    bits: 521,
     sig_format: EcdsaSignatureFormat::Fixed,
 };
 
 /// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA3-512.
 pub static ECDSA_P521_SHA3_512_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P521,
     digest: &digest::SHA3_512,
-    bits: 521,
     sig_format: EcdsaSignatureFormat::Fixed,
 };
 
 /// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA-256.
 pub static ECDSA_P256K1_SHA256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P256K1,
     digest: &digest::SHA256,
-    bits: 256,
     sig_format: EcdsaSignatureFormat::Fixed,
 };
 
 /// Verification of fixed-length (PKCS#11 style) ECDSA signatures using the P-256K1 curve and SHA3-256.
 pub static ECDSA_P256K1_SHA3_256_FIXED: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P256K1,
     digest: &digest::SHA3_256,
-    bits: 256,
     sig_format: EcdsaSignatureFormat::Fixed,
 };
 
 /// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-256.
 pub static ECDSA_P256_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P256,
     digest: &digest::SHA256,
-    bits: 256,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
 /// *Not recommended.* Verification of ASN.1 DER-encoded ECDSA signatures using the P-256 curve and SHA-384.
 pub static ECDSA_P256_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P256,
     digest: &digest::SHA384,
-    bits: 256,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
 /// *Not recommended.* Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-256.
 pub static ECDSA_P384_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P384,
     digest: &digest::SHA256,
-    bits: 256,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
 /// Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA-384.
 pub static ECDSA_P384_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P384,
     digest: &digest::SHA384,
-    bits: 384,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
 /// Verification of ASN.1 DER-encoded ECDSA signatures using the P-384 curve and SHA3-384.
 pub static ECDSA_P384_SHA3_384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P384,
     digest: &digest::SHA3_384,
-    bits: 384,
+    sig_format: EcdsaSignatureFormat::ASN1,
+};
+
+/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-1.
+pub static ECDSA_P521_SHA1_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
+    id: &ec::AlgorithmID::ECDSA_P521,
+    digest: &digest::SHA1_FOR_LEGACY_USE_ONLY,
+    sig_format: EcdsaSignatureFormat::ASN1,
+};
+
+/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-224.
+pub static ECDSA_P521_SHA224_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
+    id: &ec::AlgorithmID::ECDSA_P521,
+    digest: &digest::SHA224,
+    sig_format: EcdsaSignatureFormat::ASN1,
+};
+
+/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-256.
+pub static ECDSA_P521_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
+    id: &ec::AlgorithmID::ECDSA_P521,
+    digest: &digest::SHA256,
+    sig_format: EcdsaSignatureFormat::ASN1,
+};
+
+/// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-384.
+pub static ECDSA_P521_SHA384_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
+    id: &ec::AlgorithmID::ECDSA_P521,
+    digest: &digest::SHA384,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
 /// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-512.
 pub static ECDSA_P521_SHA512_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P521,
     digest: &digest::SHA512,
-    bits: 521,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
 /// Verification of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA3-512.
 pub static ECDSA_P521_SHA3_512_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P521,
     digest: &digest::SHA3_512,
-    bits: 521,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
 /// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA-256.
 pub static ECDSA_P256K1_SHA256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P256K1,
     digest: &digest::SHA256,
-    bits: 256,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
 /// Verification of ASN.1 DER-encoded ECDSA signatures using the P-256K1 curve and SHA3-256.
 pub static ECDSA_P256K1_SHA3_256_ASN1: EcdsaVerificationAlgorithm = EcdsaVerificationAlgorithm {
     id: &ec::AlgorithmID::ECDSA_P256K1,
     digest: &digest::SHA3_256,
-    bits: 256,
     sig_format: EcdsaSignatureFormat::ASN1,
 };
 
@@ -669,6 +709,27 @@ pub static ECDSA_P384_SHA384_FIXED_SIGNING: EcdsaSigningAlgorithm =
 pub static ECDSA_P384_SHA3_384_FIXED_SIGNING: EcdsaSigningAlgorithm =
     EcdsaSigningAlgorithm(&ECDSA_P384_SHA3_384_FIXED);
 
+/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-224.
+/// # ⚠️ Warning
+/// The security design strength of SHA-224 digests is less then security strength of P-521.
+/// This scheme should only be used for backwards compatibility purposes.
+pub static ECDSA_P521_SHA224_FIXED_SIGNING: EcdsaSigningAlgorithm =
+    EcdsaSigningAlgorithm(&ECDSA_P521_SHA224_FIXED);
+
+/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-256.
+/// # ⚠️ Warning
+/// The security design strength of SHA-256 digests is less then security strength of P-521.
+/// This scheme should only be used for backwards compatibility purposes.
+pub static ECDSA_P521_SHA256_FIXED_SIGNING: EcdsaSigningAlgorithm =
+    EcdsaSigningAlgorithm(&ECDSA_P521_SHA256_FIXED);
+
+/// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-384.
+/// # ⚠️ Warning
+/// The security design strength of SHA-384 digests is less then security strength of P-521.
+/// This scheme should only be used for backwards compatibility purposes.
+pub static ECDSA_P521_SHA384_FIXED_SIGNING: EcdsaSigningAlgorithm =
+    EcdsaSigningAlgorithm(&ECDSA_P521_SHA384_FIXED);
+
 /// Signing of fixed-length (PKCS#11 style) ECDSA signatures using the P-521 curve and SHA-512.
 pub static ECDSA_P521_SHA512_FIXED_SIGNING: EcdsaSigningAlgorithm =
     EcdsaSigningAlgorithm(&ECDSA_P521_SHA512_FIXED);
@@ -697,6 +758,27 @@ pub static ECDSA_P384_SHA384_ASN1_SIGNING: EcdsaSigningAlgorithm =
 pub static ECDSA_P384_SHA3_384_ASN1_SIGNING: EcdsaSigningAlgorithm =
     EcdsaSigningAlgorithm(&ECDSA_P384_SHA3_384_ASN1);
 
+/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-224.
+/// # ⚠️ Warning
+/// The security design strength of SHA-224 digests is less then security strength of P-521.
+/// This scheme should only be used for backwards compatibility purposes.
+pub static ECDSA_P521_SHA224_ASN1_SIGNING: EcdsaSigningAlgorithm =
+    EcdsaSigningAlgorithm(&ECDSA_P521_SHA224_ASN1);
+
+/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-256.
+/// # ⚠️ Warning
+/// The security design strength of SHA-256 digests is less then security strength of P-521.
+/// This scheme should only be used for backwards compatibility purposes.
+pub static ECDSA_P521_SHA256_ASN1_SIGNING: EcdsaSigningAlgorithm =
+    EcdsaSigningAlgorithm(&ECDSA_P521_SHA256_ASN1);
+
+/// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-384.
+/// # ⚠️ Warning
+/// The security design strength of SHA-384 digests is less then security strength of P-521.
+/// This scheme should only be used for backwards compatibility purposes.
+pub static ECDSA_P521_SHA384_ASN1_SIGNING: EcdsaSigningAlgorithm =
+    EcdsaSigningAlgorithm(&ECDSA_P521_SHA384_ASN1);
+
 /// Signing of ASN.1 DER-encoded ECDSA signatures using the P-521 curve and SHA-512.
 pub static ECDSA_P521_SHA512_ASN1_SIGNING: EcdsaSigningAlgorithm =
     EcdsaSigningAlgorithm(&ECDSA_P521_SHA512_ASN1);