From 775c098a02e74ff21cfc9770189ac7c370363623 Mon Sep 17 00:00:00 2001 From: Justin Smith Date: Thu, 20 Feb 2025 16:45:12 -0500 Subject: [PATCH] Verify nid after parsing EC --- aws-lc-rs/src/ec/key_pair.rs | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/aws-lc-rs/src/ec/key_pair.rs b/aws-lc-rs/src/ec/key_pair.rs index 7310692f4bc..718cd80732d 100644 --- a/aws-lc-rs/src/ec/key_pair.rs +++ b/aws-lc-rs/src/ec/key_pair.rs @@ -185,6 +185,10 @@ impl EcdsaKeyPair { ) -> Result { let evp_pkey = LcPtr::::parse_rfc5208_private_key(private_key, EVP_PKEY_EC) .or(parse_rfc5915_private_key(private_key, alg.id.nid()))?; + #[cfg(not(feature = "fips"))] + verify_evp_key_nid(&evp_pkey.as_const(), alg.id.nid())?; + #[cfg(feature = "fips")] + validate_evp_key(&evp_pkey.as_const(), alg.id.nid())?; Ok(Self::new(alg, evp_pkey)?) } @@ -261,7 +265,35 @@ impl AsDer> for PrivateKey<'_> { #[cfg(test)] mod tests { use crate::encoding::AsDer; - use crate::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING}; + use crate::signature::{ + EcdsaKeyPair, ECDSA_P256K1_SHA256_ASN1_SIGNING, ECDSA_P256_SHA256_FIXED_SIGNING, + ECDSA_P384_SHA3_384_FIXED_SIGNING, ECDSA_P521_SHA512_FIXED_SIGNING, + }; + + #[test] + fn test_reject_wrong_curve() { + let supported_algs = [ + &ECDSA_P256_SHA256_FIXED_SIGNING, + &ECDSA_P384_SHA3_384_FIXED_SIGNING, + &ECDSA_P521_SHA512_FIXED_SIGNING, + &ECDSA_P256K1_SHA256_ASN1_SIGNING, + ]; + + for marshal_alg in supported_algs { + let key_pair = EcdsaKeyPair::generate(marshal_alg).unwrap(); + let key_pair_doc = key_pair.to_pkcs8v1().unwrap(); + let key_pair_bytes = key_pair_doc.as_ref(); + + for parse_alg in supported_algs { + if parse_alg == marshal_alg { + continue; + } + + let result = EcdsaKeyPair::from_private_key_der(parse_alg, key_pair_bytes); + assert!(result.is_err()); + } + } + } #[test] fn test_from_private_key_der() {