diff --git a/Cargo.toml b/Cargo.toml
index d2eadc39..96cd4b09 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -23,6 +23,6 @@ pki-types = { package = "rustls-pki-types", version = "1.4.1" }
 ring = "0.17"
 rustls-webpki = { version = "0.103", features = ["ring", "std"] }
 time = { version = "0.3.6", default-features = false }
-x509-parser = "0.18"
+x509-parser = { version = "0.18", features = ["verify"] }
 yasna = { version = "0.5.2", features = ["time", "std"] }
 zeroize = { version = "1.2" }
diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs
index a1bc1a48..ec919c4f 100644
--- a/rcgen/src/key_pair.rs
+++ b/rcgen/src/key_pair.rs
@@ -264,7 +264,13 @@ impl KeyPair {
 			KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256)
 		} else {
 			#[cfg(feature = "aws_lc_rs")]
-			if alg == &PKCS_ECDSA_P521_SHA512 {
+			if alg == &PKCS_ECDSA_P256K1_SHA256 {
+				KeyPairKind::Ec(ecdsa_from_pkcs8(
+					&signature::ECDSA_P256K1_SHA256_ASN1_SIGNING,
+					&serialized_der,
+					rng,
+				)?)
+			} else if alg == &PKCS_ECDSA_P521_SHA512 {
 				KeyPairKind::Ec(ecdsa_from_pkcs8(
 					&signature::ECDSA_P521_SHA512_ASN1_SIGNING,
 					&serialized_der,
@@ -784,6 +790,8 @@ mod test {
 		for alg in [
 			&PKCS_ED25519,
 			&PKCS_ECDSA_P256_SHA256,
+			#[cfg(feature = "aws_lc_rs")]
+			&PKCS_ECDSA_P256K1_SHA256,
 			&PKCS_ECDSA_P384_SHA384,
 			#[cfg(feature = "aws_lc_rs")]
 			&PKCS_ECDSA_P521_SHA512,
diff --git a/rcgen/src/oid.rs b/rcgen/src/oid.rs
index 3b1c0eb9..2d9dc570 100644
--- a/rcgen/src/oid.rs
+++ b/rcgen/src/oid.rs
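Review bot: The new `if alg == &PKCS_ECDSA_P256K1_SHA256` arm only distinguishes secp256k1 from P-256 if `SignatureAlgorithm`'s `PartialEq` compares `oids_sign_alg` and not just `oid_components`, because the sign_algo.rs hunk gives the new constant the same ecdsa-with-SHA256 `oid_components` (`[1, 2, 840, 10045, 4, 3, 2]`) as `PKCS_ECDSA_P256_SHA256`; that impl is not in the diff, so please confirm it, and the same dependency applies to the `self == &PKCS_ECDSA_P256K1_SHA256` test in the `fmt::Debug` hunk of sign_algo.rs. If equality ignored the curve OID, a secp256k1 key would presumably be routed to the P-256 arm earlier in this chain and fail to load, so a unit test that parses a secp256k1 PKCS#8 key and checks the reported algorithm is `PKCS_ECDSA_P256K1_SHA256` would pin this. The enclosing method starts and ends outside the hunk. As a style point, the ECDSA arms now differ only in the `&signature::*_ASN1_SIGNING` constant; selecting that in a small `#[cfg]`-gated `match` and making one `ecdsa_from_pkcs8` call would remove the repeated blocks.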
@@ -16,6 +16,10 @@ pub(crate) const COMMON_NAME: &[u64] = &[2, 5, 4, 3];
 /// id-ecPublicKey in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#appendix-A)
 pub(crate) const EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10045, 2, 1];
+/// secp256k1 in [SEC 2, Appendix A.2.1](https://www.secg.org/sec2-v2.pdf)
+/// Currently this is only supported with the `aws_lc_rs` feature
+#[cfg(feature = "aws_lc_rs")]
+pub(crate) const EC_SECP_256_K1: &[u64] = &[1, 3, 132, 0, 10];
 /// secp256r1 in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#appendix-A)
 pub(crate) const EC_SECP_256_R1: &[u64] = &[1, 2, 840, 10045, 3, 1, 7];
 /// secp384r1 in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#appendix-A)
diff --git a/rcgen/src/sign_algo.rs b/rcgen/src/sign_algo.rs
index bc9d18b3..689635ab 100644
--- a/rcgen/src/sign_algo.rs
+++ b/rcgen/src/sign_algo.rs
@@ -64,7 +64,9 @@ impl fmt::Debug for SignatureAlgorithm {
 			write!(f, "PKCS_ED25519")
 		} else {
 			#[cfg(feature = "aws_lc_rs")]
-			if self == &PKCS_ECDSA_P521_SHA512 {
+			if self == &PKCS_ECDSA_P256K1_SHA256 {
+				return write!(f, "PKCS_ECDSA_P256K1_SHA256");
+			} else if self == &PKCS_ECDSA_P521_SHA512 {
 				return write!(f, "PKCS_ECDSA_P521_SHA512");
 			}
 
@@ -97,6 +99,8 @@ impl SignatureAlgorithm {
 			&PKCS_RSA_SHA512,
 			//&PKCS_RSA_PSS_SHA256,
 			&PKCS_ECDSA_P256_SHA256,
+			#[cfg(feature = "aws_lc_rs")]
+			&PKCS_ECDSA_P256K1_SHA256,
 			&PKCS_ECDSA_P384_SHA384,
 			#[cfg(feature = "aws_lc_rs")]
 			&PKCS_ECDSA_P521_SHA512,
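Review bot: The two `///` lines on `EC_SECP_256_K1` render as a single rustdoc paragraph, so the feature caveat is glued onto the item's summary sentence; put an empty `///` line between the `secp256k1 in [SEC 2, Appendix A.2.1]…` summary and the `Currently this is only supported…` sentence so the summary stays a one-liner in the item list. The doc comment on `PKCS_ECDSA_P256K1_SHA256` in the sign_algo.rs hunk at line 172 has the same two-line layout and wants the same separator. The `#[cfg(feature = "aws_lc_rs")]` gate on the constant matches the gate on every use of it in this diff, so the caveat sentence is accurate as written.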
@@ -172,7 +176,19 @@ pub(crate) mod algo {
 		},
 	};
 
-	/// ECDSA signing using the P-256 curves and SHA-256 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2)
+	/// ECDSA signing using the K-256 curves and SHA-256 hashing as per [SEC 2, Section 2.4.1](https://www.secg.org/sec2-v2.pdf)
+	/// Currently this is only supported with the `aws_lc_rs` feature
+	#[cfg(feature = "aws_lc_rs")]
+	pub static PKCS_ECDSA_P256K1_SHA256: SignatureAlgorithm = SignatureAlgorithm {
+		oids_sign_alg: &[EC_PUBLIC_KEY, EC_SECP_256_K1],
+		#[cfg(feature = "crypto")]
+		sign_alg: SignAlgo::EcDsa(&signature::ECDSA_P256K1_SHA256_ASN1_SIGNING),
+		// ecdsa-with-SHA256 in RFC 5758
+		oid_components: &[1, 2, 840, 10045, 4, 3, 2],
+		params: SignatureAlgorithmParams::None,
+	};
+
+	/// ECDSA signing using the P-256 curves with verifiably random parameters and SHA-256 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2)
 	pub static PKCS_ECDSA_P256_SHA256: SignatureAlgorithm = SignatureAlgorithm {
 		oids_sign_alg: &[EC_PUBLIC_KEY, EC_SECP_256_R1],
 		#[cfg(feature = "crypto")]
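Review bot: The doc comment on `PKCS_ECDSA_P256K1_SHA256` should say that secp256k1 is outside the WebPKI, because a user choosing it from this list next to the NIST curves gets no hint that WebPKI verifiers such as rustls-webpki and the browser certificate verifiers reject the curve and that the CA/Browser Forum Baseline Requirements allow only P-256, P-384 and P-521 for ECDSA certificates; a paragraph such as `/// Not accepted by WebPKI verifiers (e.g. rustls-webpki or browsers); only useful in private PKIs whose verifiers explicitly support secp256k1.` would cover it. The summary line's `K-256 curves` is neither the SEC 2 name nor singular; `/// ECDSA signing using the secp256k1 curve and SHA-256 hashing as per [SEC 2, Section 2.4.1](https://www.secg.org/sec2-v2.pdf)` matches the `secp256k1` wording oid.rs uses. The `// ecdsa-with-SHA256 in RFC 5758` comment is worth extending to note that this signature OID is shared with `PKCS_ECDSA_P256_SHA256` and the curve is carried only in `oids_sign_alg`, since that field is what keeps the two algorithms distinct. The enclosing `mod algo` starts and ends outside the hunk.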