Determine ECDSA curve from certificate, not hash algorithm

Author: algesten

CHANGELOG.md

@@ -1,5 +1,7 @@
 # Unreleased
 
+  * DTLS 1.2 ECDSA determine curve from certificate, not hash algorithm #57
+
 # 0.3.0
 
   * DTLS 1.3 (breaking) #53

src/crypto/aws_lc_rs/sign.rs

@@ -2,16 +2,19 @@
 
 use std::str;
 
-use aws_lc_rs::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, UnparsedPublicKey};
-use aws_lc_rs::signature::{ECDSA_P256_SHA256_ASN1, ECDSA_P256_SHA256_ASN1_SIGNING};
-use aws_lc_rs::signature::{ECDSA_P384_SHA384_ASN1, ECDSA_P384_SHA384_ASN1_SIGNING};
+use aws_lc_rs::signature::ECDSA_P384_SHA384_ASN1_SIGNING;
+use aws_lc_rs::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, EcdsaVerificationAlgorithm};
+use aws_lc_rs::signature::{UnparsedPublicKey, ECDSA_P256_SHA256_ASN1_SIGNING};
+use aws_lc_rs::signature::{ECDSA_P256_SHA256_ASN1, ECDSA_P256_SHA384_ASN1};
+use aws_lc_rs::signature::{ECDSA_P384_SHA256_ASN1, ECDSA_P384_SHA384_ASN1};
 use der::{Decode, Encode};
 use spki::ObjectIdentifier;
 use x509_cert::Certificate as X509Certificate;
 
-use super::super::{KeyProvider, SignatureVerifier, SigningKey};
+use super::super::{check_verify_scheme, KeyProvider, SignatureVerifier, SigningKey};
+use super::super::{OID_P256, OID_P384};
 use crate::buffer::Buf;
-use crate::types::{HashAlgorithm, SignatureAlgorithm};
+use crate::types::{HashAlgorithm, NamedGroup, SignatureAlgorithm};
 
 /// ECDSA signing key implementation.
 struct EcdsaSigningKey {
@@ -188,21 +191,38 @@ impl SignatureVerifier for AwsLcSignatureVerifier {
             .as_bytes()
             .ok_or_else(|| "Invalid EC subject_public_key bitstring".to_string())?;
 
-        let algorithm = match hash_alg {
-            HashAlgorithm::SHA256 => &ECDSA_P256_SHA256_ASN1,
-            HashAlgorithm::SHA384 => &ECDSA_P384_SHA384_ASN1,
-            _ => {
-                return Err(format!(
-                    "Unsupported hash algorithm for ECDSA: {:?}",
-                    hash_alg
-                ));
-            }
+        let curve_oid: ObjectIdentifier = spki
+            .algorithm
+            .parameters
+            .as_ref()
+            .ok_or("Missing EC curve parameter in certificate")?
+            .decode_as()
+            .map_err(|_| "Invalid EC curve parameter in certificate".to_string())?;
+
+        let group = match curve_oid {
+            OID_P256 => NamedGroup::Secp256r1,
+            OID_P384 => NamedGroup::Secp384r1,
+            _ => return Err(format!("Unsupported EC curve: {}", curve_oid)),
+        };
+
+        check_verify_scheme(sig_alg, hash_alg, group)?;
+
+        let algorithm: &EcdsaVerificationAlgorithm = match (group, hash_alg) {
+            (NamedGroup::Secp256r1, HashAlgorithm::SHA256) => &ECDSA_P256_SHA256_ASN1,
+            (NamedGroup::Secp256r1, HashAlgorithm::SHA384) => &ECDSA_P256_SHA384_ASN1,
+            (NamedGroup::Secp384r1, HashAlgorithm::SHA256) => &ECDSA_P384_SHA256_ASN1,
+            (NamedGroup::Secp384r1, HashAlgorithm::SHA384) => &ECDSA_P384_SHA384_ASN1,
+            // unreachable: check_verify_scheme already validated
+            _ => unreachable!(),
         };
 
         let public_key = UnparsedPublicKey::new(algorithm, pubkey_bytes);
-        public_key
-            .verify(data, signature)
-            .map_err(|_| format!("ECDSA signature verification failed for {:?}", hash_alg))
+        public_key.verify(data, signature).map_err(|_| {
+            format!(
+                "ECDSA signature verification failed for {:?} {:?}",
+                hash_alg, group
+            )
+        })
     }
 }
 

src/crypto/mod.rs

@@ -30,10 +30,13 @@ pub use crate::buffer::{Buf, TmpBuf};
 // Re-export all provider traits and types (similar to rustls structure)
 // This allows users to do: use dimpl::crypto::{CryptoProvider, SupportedDtls12CipherSuite, ...};
 pub use provider::{
-    ActiveKeyExchange, Cipher, CryptoProvider, CryptoSafe, HashContext, HashProvider, HkdfProvider,
-    HmacProvider, KeyProvider, PrfProvider, SecureRandom, SignatureVerifier, SigningKey,
-    SupportedDtls12CipherSuite, SupportedDtls13CipherSuite, SupportedKxGroup,
+    check_verify_scheme, ActiveKeyExchange, Cipher, CryptoProvider, CryptoSafe, HashContext,
+    HashProvider, HkdfProvider, HmacProvider, KeyProvider, PrfProvider, SecureRandom,
+    SignatureVerifier, SigningKey, SupportedDtls12CipherSuite, SupportedDtls13CipherSuite,
+    SupportedKxGroup,
 };
+#[cfg(feature = "_crypto-common")]
+pub use provider::{OID_P256, OID_P384};
 
 // Re-export shared types for provider trait implementations
 pub use crate::dtls12::message::Dtls12CipherSuite;

src/crypto/provider.rs

@@ -143,6 +143,15 @@ use crate::crypto::{Aad, Nonce};
 use crate::dtls12::message::Dtls12CipherSuite;
 use crate::types::{Dtls13CipherSuite, HashAlgorithm, NamedGroup, SignatureAlgorithm};
 
+/// OID for the P-256 elliptic curve (secp256r1 / prime256v1).
+#[cfg(feature = "_crypto-common")]
+pub const OID_P256: spki::ObjectIdentifier =
+    spki::ObjectIdentifier::new_unwrap("1.2.840.10045.3.1.7");
+
+/// OID for the P-384 elliptic curve (secp384r1).
+#[cfg(feature = "_crypto-common")]
+pub const OID_P384: spki::ObjectIdentifier = spki::ObjectIdentifier::new_unwrap("1.3.132.0.34");
+
 // ============================================================================
 // Marker Trait
 // ============================================================================
@@ -249,6 +258,60 @@ pub trait SignatureVerifier: CryptoSafe {
     ) -> Result<(), String>;
 }
 
+/// Allow-list of supported (signature, hash, curve) combinations for
+/// DTLS 1.2 signature verification.
+///
+/// In DTLS 1.2 the hash algorithm and the certificate's curve are
+/// independent choices, so all cross-combinations are valid.
+///
+///  Signature | Hash    | Curve
+/// -----------+---------+-----------
+///  ECDSA     | SHA-256 | P-256
+///  ECDSA     | SHA-256 | P-384
+///  ECDSA     | SHA-384 | P-256
+///  ECDSA     | SHA-384 | P-384
+const SUPPORTED_VERIFY_SCHEMES: &[(SignatureAlgorithm, HashAlgorithm, NamedGroup)] = &[
+    (
+        SignatureAlgorithm::ECDSA,
+        HashAlgorithm::SHA256,
+        NamedGroup::Secp256r1,
+    ),
+    (
+        SignatureAlgorithm::ECDSA,
+        HashAlgorithm::SHA256,
+        NamedGroup::Secp384r1,
+    ),
+    (
+        SignatureAlgorithm::ECDSA,
+        HashAlgorithm::SHA384,
+        NamedGroup::Secp256r1,
+    ),
+    (
+        SignatureAlgorithm::ECDSA,
+        HashAlgorithm::SHA384,
+        NamedGroup::Secp384r1,
+    ),
+];
+
+/// Check that a (signature, hash, curve) combination is in the allow-list.
+pub fn check_verify_scheme(
+    sig_alg: SignatureAlgorithm,
+    hash_alg: HashAlgorithm,
+    group: NamedGroup,
+) -> Result<(), String> {
+    if SUPPORTED_VERIFY_SCHEMES
+        .iter()
+        .any(|(s, h, g)| *s == sig_alg && *h == hash_alg && *g == group)
+    {
+        Ok(())
+    } else {
+        Err(format!(
+            "Unsupported signature verification: {:?} + {:?} + {:?}",
+            sig_alg, hash_alg, group
+        ))
+    }
+}
+
 /// Private key parser (factory for SigningKey).
 pub trait KeyProvider: CryptoSafe {
     /// Parse and load a private key from DER/PEM bytes.

src/crypto/rust_crypto/sign.rs

@@ -10,9 +10,11 @@ use pkcs8::DecodePrivateKey;
 use spki::ObjectIdentifier;
 use x509_cert::Certificate as X509Certificate;
 
+use super::super::check_verify_scheme;
 use super::super::{KeyProvider, SignatureVerifier, SigningKey as SigningKeyTrait};
+use super::super::{OID_P256, OID_P384};
 use crate::buffer::Buf;
-use crate::types::{HashAlgorithm, SignatureAlgorithm};
+use crate::types::{HashAlgorithm, NamedGroup, SignatureAlgorithm};
 
 /// ECDSA signing key implementation.
 enum EcdsaSigningKey {
@@ -201,47 +203,60 @@ impl SignatureVerifier for RustCryptoSignatureVerifier {
             .as_bytes()
             .ok_or_else(|| "Invalid EC subject_public_key bitstring".to_string())?;
 
-        match hash_alg {
-            HashAlgorithm::SHA256 => {
-                use ecdsa::signature::hazmat::PrehashVerifier;
-                use sha2::{Digest, Sha256};
-
+        let curve_oid: ObjectIdentifier = spki
+            .algorithm
+            .parameters
+            .as_ref()
+            .ok_or("Missing EC curve parameter in certificate")?
+            .decode_as()
+            .map_err(|_| "Invalid EC curve parameter in certificate".to_string())?;
+
+        let group = match curve_oid {
+            OID_P256 => NamedGroup::Secp256r1,
+            OID_P384 => NamedGroup::Secp384r1,
+            _ => return Err(format!("Unsupported EC curve: {}", curve_oid)),
+        };
+
+        check_verify_scheme(sig_alg, hash_alg, group)?;
+
+        use ecdsa::signature::hazmat::PrehashVerifier;
+        use sha2::Digest;
+
+        // Hash the data before verification (PrehashVerifier expects a hash digest)
+        let hash: Box<[u8]> = match hash_alg {
+            HashAlgorithm::SHA256 => Box::from(sha2::Sha256::digest(data).as_slice()),
+            HashAlgorithm::SHA384 => Box::from(sha2::Sha384::digest(data).as_slice()),
+            // unreachable: check_verify_scheme already validated
+            _ => unreachable!(),
+        };
+
+        match group {
+            NamedGroup::Secp256r1 => {
                 let verifying_key = VerifyingKey::<NistP256>::from_sec1_bytes(pubkey_bytes)
                     .map_err(|_| "Invalid P-256 public key".to_string())?;
-                let signature = Signature::<NistP256>::from_der(signature)
+                let sig = Signature::<NistP256>::from_der(signature)
                     .map_err(|_| "Invalid signature format".to_string())?;
-
-                // Hash the data before verification (PrehashVerifier expects a hash digest)
-                let mut hasher = Sha256::new();
-                hasher.update(data);
-                let hash = hasher.finalize();
-
-                verifying_key
-                    .verify_prehash(&hash, &signature)
-                    .map_err(|_| format!("ECDSA signature verification failed for {:?}", hash_alg))
+                verifying_key.verify_prehash(&hash, &sig).map_err(|_| {
+                    format!(
+                        "ECDSA signature verification failed for {:?} {:?}",
+                        hash_alg, group
+                    )
+                })
             }
-            HashAlgorithm::SHA384 => {
-                use ecdsa::signature::hazmat::PrehashVerifier;
-                use sha2::{Digest, Sha384};
-
+            NamedGroup::Secp384r1 => {
                 let verifying_key = VerifyingKey::<NistP384>::from_sec1_bytes(pubkey_bytes)
                     .map_err(|_| "Invalid P-384 public key".to_string())?;
-                let signature = Signature::<NistP384>::from_der(signature)
+                let sig = Signature::<NistP384>::from_der(signature)
                     .map_err(|_| "Invalid signature format".to_string())?;
-
-                // Hash the data before verification (PrehashVerifier expects a hash digest)
-                let mut hasher = Sha384::new();
-                hasher.update(data);
-                let hash = hasher.finalize();
-
-                verifying_key
-                    .verify_prehash(&hash, &signature)
-                    .map_err(|_| format!("ECDSA signature verification failed for {:?}", hash_alg))
+                verifying_key.verify_prehash(&hash, &sig).map_err(|_| {
+                    format!(
+                        "ECDSA signature verification failed for {:?} {:?}",
+                        hash_alg, group
+                    )
+                })
             }
-            _ => Err(format!(
-                "Unsupported hash algorithm for ECDSA: {:?}",
-                hash_alg
-            )),
+            // unreachable: OID match above only produces Secp256r1/Secp384r1
+            _ => unreachable!(),
         }
     }
 }