Add p521 to magiskboot

Robotition · Apr 4, 2024 · 36bd00a · 36bd00a
1 parent fb5ee86
commit 36bd00a
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 1 deletion.
diff --git a/native/src/Cargo.lock b/native/src/Cargo.lock
diff --git a/native/src/Cargo.toml b/native/src/Cargo.toml
@@ -18,6 +18,8 @@ sha2 = "0.10"
 digest = "0.10"
 p256 = "0.13"
 p384 = "0.13"
+p521 = "0.13"
+ecdsa = "0.16"
 rsa = "0.9"
 x509-cert = "0.2"
 der = "0.7"

diff --git a/native/src/boot/Cargo.toml b/native/src/boot/Cargo.toml
@@ -23,6 +23,8 @@ sha2 = { workspace = true }
 digest = { workspace = true }
 p256 = { workspace = true }
 p384 = { workspace = true }
+p521 = { workspace = true }
+ecdsa = { workspace = true }
 rsa = { workspace = true, features = ["sha2"] }
 x509-cert = { workspace = true }
 der = { workspace = true, features = ["derive"] }

diff --git a/native/src/boot/sign.rs b/native/src/boot/sign.rs
@@ -1,13 +1,18 @@
 use der::referenced::OwnedToRef;
 use der::{Decode, DecodePem, Encode, Sequence, SliceReader};
 use digest::DynDigest;
+use ecdsa;
 use p256::ecdsa::{
  Signature as P256Signature, SigningKey as P256SigningKey, VerifyingKey as P256VerifyingKey,
 };
 use p256::pkcs8::DecodePrivateKey;
 use p384::ecdsa::{
  Signature as P384Signature, SigningKey as P384SigningKey, VerifyingKey as P384VerifyingKey,
 };
+use p521::{
+ ecdsa::{Signature as P521Signature, SigningKey as P521SigningKey},
+ NistP521,
+};
 use rsa::pkcs1v15::{
  Signature as RsaSignature, SigningKey as RsaSigningKey, VerifyingKey as RsaVerifyingKey,
 };
@@ -16,7 +21,7 @@ use rsa::signature::hazmat::{PrehashSigner, PrehashVerifier};
 use rsa::signature::SignatureEncoding;
 use rsa::{RsaPrivateKey, RsaPublicKey};
 use sha1::Sha1;
-use sha2::{Sha256, Sha384};
+use sha2::{Sha256, Sha384, Sha512};
 use x509_cert::der::asn1::{OctetString, PrintableString};
 use x509_cert::der::Any;
 use x509_cert::spki::AlgorithmIdentifier;
@@ -27,6 +32,8 @@ use base::{log_err, LoggedResult, MappedFile, ResultExt, StrErr, Utf8CStr};
 
 use crate::ffi::BootImage;
 
+type P521VerifyingKey = ecdsa::VerifyingKey<NistP521>;
+
 #[allow(clippy::upper_case_acronyms)]
 pub enum SHA {
  SHA1(Sha1),
@@ -82,13 +89,15 @@ enum SigningKey {
  SHA256withRSA(RsaSigningKey<Sha256>),
  SHA256withECDSA(P256SigningKey),
  SHA384withECDSA(P384SigningKey),
+ SHA521withECDSA(P521SigningKey),
 }
 
 #[allow(clippy::large_enum_variant)]
 enum VerifyingKey {
  SHA256withRSA(RsaVerifyingKey<Sha256>),
  SHA256withECDSA(P256VerifyingKey),
  SHA384withECDSA(P384VerifyingKey),
+ SHA521withECDSA(P521VerifyingKey),
 }
 
 struct Verifier {
@@ -108,6 +117,9 @@ impl Verifier {
  } else if let Ok(ec) = P384VerifyingKey::try_from(key.clone()) {
  digest = Box::<Sha384>::default();
  VerifyingKey::SHA384withECDSA(ec)
+ } else if let Ok(ec) = P521VerifyingKey::try_from(key.clone()) {
+ digest = Box::<Sha512>::default();
+ VerifyingKey::SHA521withECDSA(ec)
  } else {
  return Err(log_err!("Unsupported private key"));
  };
@@ -133,6 +145,10 @@ impl Verifier {
  let sig = P384Signature::from_slice(signature)?;
  key.verify_prehash(hash.as_ref(), &sig).log()
  }
+ VerifyingKey::SHA521withECDSA(key) => {
+ let sig = P521Signature::from_slice(signature)?;
+ key.verify_prehash(hash.as_ref(), &sig).log()
+ }
  };
  }
 }
@@ -154,6 +170,9 @@ impl Signer {
  } else if let Ok(ec) = P384SigningKey::from_pkcs8_der(key) {
  digest = Box::<Sha384>::default();
  SigningKey::SHA384withECDSA(ec)
+ } else if let Ok(ec) = ecdsa::SigningKey::<NistP521>::from_pkcs8_der(key) {
+ digest = Box::<Sha512>::default();
+ SigningKey::SHA521withECDSA(P521SigningKey::from(ec))
  } else {
  return Err(log_err!("Unsupported private key"));
  };
@@ -179,6 +198,10 @@ impl Signer {
  let sig: P384Signature = key.sign_prehash(hash.as_ref())?;
  sig.to_vec()
  }
+ SigningKey::SHA521withECDSA(key) => {
+ let sig: P521Signature = key.sign_prehash(hash.as_ref())?;
+ sig.to_vec()
+ }
  };
  Ok(v)
  }