Add p521 to magiskboot

2025-06-12 05:07:45 +02:00 · 2024-03-29 17:52:12 +08:00
parent fb5ee86615
commit 36bd00a046
4 changed files with 44 additions and 1 deletions
--- a/native/src/boot/sign.rs
+++ b/native/src/boot/sign.rs
@ -1,6 +1,7 @@
 use der::referenced::OwnedToRef;
 use der::{Decode, DecodePem, Encode, Sequence, SliceReader};
 use digest::DynDigest;
+use ecdsa;
 use p256::ecdsa::{
    Signature as P256Signature, SigningKey as P256SigningKey, VerifyingKey as P256VerifyingKey,
 };
@ -8,6 +9,10 @@ use p256::pkcs8::DecodePrivateKey;
 use p384::ecdsa::{
    Signature as P384Signature, SigningKey as P384SigningKey, VerifyingKey as P384VerifyingKey,
 };
+use p521::{
+    ecdsa::{Signature as P521Signature, SigningKey as P521SigningKey},
+    NistP521,
+};
 use rsa::pkcs1v15::{
    Signature as RsaSignature, SigningKey as RsaSigningKey, VerifyingKey as RsaVerifyingKey,
 };
@ -16,7 +21,7 @@ use rsa::signature::hazmat::{PrehashSigner, PrehashVerifier};
 use rsa::signature::SignatureEncoding;
 use rsa::{RsaPrivateKey, RsaPublicKey};
 use sha1::Sha1;
-use sha2::{Sha256, Sha384};
+use sha2::{Sha256, Sha384, Sha512};
 use x509_cert::der::asn1::{OctetString, PrintableString};
 use x509_cert::der::Any;
 use x509_cert::spki::AlgorithmIdentifier;
@ -27,6 +32,8 @@ use base::{log_err, LoggedResult, MappedFile, ResultExt, StrErr, Utf8CStr};

 use crate::ffi::BootImage;

+type P521VerifyingKey = ecdsa::VerifyingKey<NistP521>;
+
 #[allow(clippy::upper_case_acronyms)]
 pub enum SHA {
    SHA1(Sha1),
@ -82,6 +89,7 @@ enum SigningKey {
    SHA256withRSA(RsaSigningKey<Sha256>),
    SHA256withECDSA(P256SigningKey),
    SHA384withECDSA(P384SigningKey),
+    SHA521withECDSA(P521SigningKey),
 }

 #[allow(clippy::large_enum_variant)]
@ -89,6 +97,7 @@ enum VerifyingKey {
    SHA256withRSA(RsaVerifyingKey<Sha256>),
    SHA256withECDSA(P256VerifyingKey),
    SHA384withECDSA(P384VerifyingKey),
+    SHA521withECDSA(P521VerifyingKey),
 }

 struct Verifier {
@ -108,6 +117,9 @@ impl Verifier {
        } else if let Ok(ec) = P384VerifyingKey::try_from(key.clone()) {
            digest = Box::<Sha384>::default();
            VerifyingKey::SHA384withECDSA(ec)
+        } else if let Ok(ec) = P521VerifyingKey::try_from(key.clone()) {
+            digest = Box::<Sha512>::default();
+            VerifyingKey::SHA521withECDSA(ec)
        } else {
            return Err(log_err!("Unsupported private key"));
        };
@ -133,6 +145,10 @@ impl Verifier {
                let sig = P384Signature::from_slice(signature)?;
                key.verify_prehash(hash.as_ref(), &sig).log()
            }
+            VerifyingKey::SHA521withECDSA(key) => {
+                let sig = P521Signature::from_slice(signature)?;
+                key.verify_prehash(hash.as_ref(), &sig).log()
+            }
        };
    }
 }
@ -154,6 +170,9 @@ impl Signer {
        } else if let Ok(ec) = P384SigningKey::from_pkcs8_der(key) {
            digest = Box::<Sha384>::default();
            SigningKey::SHA384withECDSA(ec)
+        } else if let Ok(ec) = ecdsa::SigningKey::<NistP521>::from_pkcs8_der(key) {
+            digest = Box::<Sha512>::default();
+            SigningKey::SHA521withECDSA(P521SigningKey::from(ec))
        } else {
            return Err(log_err!("Unsupported private key"));
        };
@ -179,6 +198,10 @@ impl Signer {
                let sig: P384Signature = key.sign_prehash(hash.as_ref())?;
                sig.to_vec()
            }
+            SigningKey::SHA521withECDSA(key) => {
+                let sig: P521Signature = key.sign_prehash(hash.as_ref())?;
+                sig.to_vec()
+            }
        };
        Ok(v)
    }