
NIST curve P-521 SHA-512 support for generating keys and signing

Open est31 opened this issue 5 years ago • 21 comments

I'd like to have support for ECDSA_P521_SHA512_ASN1_SIGNING signing, DER export and key generation as there already is support for ECDSA_P256_SHA256_ASN1_SIGNING or ECDSA_P384_SHA384_ASN1_SIGNING.

See also: https://tools.ietf.org/html/rfc5480#section-4 for a list of possible combinations.

May 17 '19 20:05 est31

@est31 Which software uses p521 SHA-512?

Jun 11 '19 22:06 briansmith

> Which software uses p521 SHA-512?

I just wanted it for completion. If you don't feel there is a need, feel free to close this.

OpenSSL supports p521 but it seems to sign using SHA-256. E.g. `openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-521 -pkeyopt ec_param_enc:named_curve` generates a key, but if you use it to sign a CSR, it uses a SHA-256 hash. Firefox is at least capable of displaying the key, haven't tested more.

Jun 11 '19 23:06 est31
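
The check described in the comment above, as an added example that is not part of the original thread: it generates a P-521 key with the quoted `openssl genpkey` options, signs a CSR with it, and reports the key's curve and the digest the CSR signature ended up with, once with OpenSSL's default digest and once with `-sha512` requested. The function names and `CN=example.test` are illustrative, and the `openssl` CLI is assumed to be installed.

```sh
# Added example (not from the thread). Function names and CN=example.test
# are illustrative; requires the openssl CLI.

# Print the signature algorithm recorded in a CSR file.
csr_sigalg() {
    openssl req -in "$1" -noout -text |
        awk '/Signature Algorithm:/ && !seen { print $3; seen = 1 }'
}

# Print the named curve of a private key file.
key_curve() {
    openssl pkey -in "$1" -noout -text |
        awk '/ASN1 OID:/ { print $3 }'
}

# Generate a P-521 key, sign a CSR with it, and print "<curve> <sigalg>".
# $1 is an optional digest flag such as -sha512; empty means OpenSSL's default.
p521_csr_report() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:P-521 \
        -pkeyopt ec_param_enc:named_curve \
        -out "$dir/key.pem" 2>/dev/null || { rm -rf "$dir"; return 1; }
    # $1 is deliberately unquoted so an empty value adds no argument.
    openssl req -new $1 -key "$dir/key.pem" -subj "/CN=example.test" \
        -out "$dir/req.csr" 2>/dev/null || { rm -rf "$dir"; return 1; }
    echo "$(key_curve "$dir/key.pem") $(csr_sigalg "$dir/req.csr")"
    rm -rf "$dir"
}

echo "default digest: $(p521_csr_report)"
echo "with -sha512:   $(p521_csr_report -sha512)"
```

The digest is chosen at signing time and is independent of the curve, so a P-521 key alone does not imply a SHA-512 signature.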

I would also like this feature, I'm trying to implement a software which is built on p521 SHA-512 and would like to use ring as a crypto library. This is a feature that cfssl does have.

Jul 04 '19 22:07 EvanDarwin

I would be interested in donating to help get this feature implemented. I went ahead and sent you an email @briansmith.

Jul 05 '19 01:07 EvanDarwin

SSH keys can be ecdsa-sha2-nistp521 as well

Jan 08 '21 19:01 obelisk

ecdsa_secp521r1_sha512 is also one of the supported signature algorithms in TLS 1.3: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3

Jul 14 '21 20:07 est31

P-521 is used in JOSE, COSE, as well as supported in the Web Cryptography API. Developers may choose to use this curve in a variety of applications for quite some time now.

Aug 17 '21 12:08 panva

It also gets used in Terraform plugin handshake validation which, admittedly, are mostly in Go, but I ran into issues recently building one in Rust because of this lack.

Nov 07 '21 16:11 palfrey

I think P-521 is also important from the post-quantum perspective. Are there any thoughts, plans for the implementation?

Jan 18 '22 22:01 digitwolf

> I think P-521 is also important from the post-quantum perspective.

Note that P-521 (and all the other standard ECDSA curves) are not quantum resistant. Quantum-resistance will require a completely different signing algorithm (not ECDSA or EdDSA). See https://csrc.nist.gov/projects/post-quantum-cryptography for more information.

Jan 18 '22 23:01 josephlr

FWIW, when I asked "Which software uses p521 SHA-512?," what I meant was "What software requires you to implement P-521, given that P-256 and P-384 are already available to you?" Of course I know of all the standards that provide ways to use P-521, but I don't know of any popular software that has a P-521-only configuration.

Regardless, I am more open to supporting P-521 (and P-521 SHA-512 signature algorithms) than I was in the past.

Just, I'm surprised so many people care about it. I would expect to find a lot more X448-only software than P-521-only-software.

Jan 19 '22 04:01 briansmith

Any news on this?

Jan 15 '23 13:01 giacomocariello

> Of course I know of all the standards that provide ways to use P-521, but I don't know of any popular software that has a P-521-only configuration.

As near as we can tell, this software only has support for P-521. https://cert-manager.io/docs/projects/csi-driver-spiffe/

Feb 07 '23 23:02 rwthompsonii

I have another use case as well. Our organisation uses Cloudflare Teams and its root cert (secp521r1 with SHA-512) cannot be verified by rust-webpki as it relies on ring.

Jul 01 '23 05:07 nazure

@nazure could you attach a copy of the root cert here? I'd be interested.

Jul 01 '23 10:07 est31

> @nazure could you attach a copy of the root cert here? I'd be interested.

Yup, sure. Here's the official link to the certificate: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem

Thanks for looking at this.

Jul 01 '23 10:07 nazure

@nazure interesting, indeed it seems to use P-521 cryptography with SHA-512. For full transparency, I probably won't contribute code to ring, but I asked to figure out the way that the usage occurs.

Jul 01 '23 13:07 est31

I could look into implementing this if @briansmith is ok with it

Jul 21 '23 13:07 vkrasnov

For anyone curious, it looks like Vlad did nearly complete this - https://github.com/briansmith/ring/pull/1631

Oct 03 '23 09:10 tgross35

Yes, I will help Vlad with this.

Oct 03 '23 15:10 briansmith

To clarify the above: Vlad's work in PR #1631 will add P-521 signature verification support, whereas this issue is for the (private) keypair generation, keypair parsing, and signature generation. That is, Vlad is working on the public key operations, whereas this issue is about the private key operations, i.e. ones that would be needed by rcgen. I filed issue #1771 to track the work that's blocking the signature verification work.

In terms of supporting the private key operations tracked by this issue, I think we're going to block this on #1771 being completed.

Oct 26 '23 18:10 briansmith