diff options
author | Wiktor Kwapisiewicz <wiktor@metacode.biz> | 2022-10-03 11:51:41 +0200 |
---|---|---|
committer | Wiktor Kwapisiewicz <wiktor@metacode.biz> | 2022-12-22 12:46:08 +0100 |
commit | 0d0d757f90b8b49010f998435a7e295cc0719ed2 (patch) | |
tree | e064d21b27c08b7e3371a5e51e30ba92da999381 /openpgp | |
parent | 31564c1c6e5b5ff4ff3596bb755ba2f7395f83df (diff) |
openpgp: Add OpenSSL cryptographic backend.
- Adds the backend behind `crypto-openssl` feature.
- Add CI configuration to run tests with the new backend.
- See #333.
Diffstat (limited to 'openpgp')
-rw-r--r-- | openpgp/Cargo.toml | 8 | ||||
-rw-r--r-- | openpgp/README.md | 4 | ||||
-rw-r--r-- | openpgp/build.rs | 19 | ||||
-rw-r--r-- | openpgp/src/crypto/backend.rs | 5 | ||||
-rw-r--r-- | openpgp/src/crypto/backend/openssl.rs | 80 | ||||
-rw-r--r-- | openpgp/src/crypto/backend/openssl/aead.rs | 111 | ||||
-rw-r--r-- | openpgp/src/crypto/backend/openssl/asymmetric.rs | 642 | ||||
-rw-r--r-- | openpgp/src/crypto/backend/openssl/ecdh.rs | 123 | ||||
-rw-r--r-- | openpgp/src/crypto/backend/openssl/hash.rs | 99 | ||||
-rw-r--r-- | openpgp/src/crypto/backend/openssl/symmetric.rs | 193 |
10 files changed, 1284 insertions, 0 deletions
diff --git a/openpgp/Cargo.toml b/openpgp/Cargo.toml index a58a2027..a6f6b308 100644 --- a/openpgp/Cargo.toml +++ b/openpgp/Cargo.toml @@ -44,6 +44,13 @@ regex-syntax = "0.6" sha1collisiondetection = { version = "0.2.3", default-features = false, features = ["std"] } thiserror = "1.0.2" xxhash-rust = { version = "0.8", features = ["xxh3"] } +# At least 0.10.45 is needed due to CipherCtx::cipher_final_unchecked +openssl = { version = ">= 0.10.45", optional = true } +# We need to directly depend on the sys crate so that the metadata produced +# in its build script is passed to sequoia-openpgp's build script +# see: https://doc.rust-lang.org/cargo/reference/build-scripts.html#the-links-manifest-key +openssl-sys = { version = ">= 0.9.80", optional = true } +foreign-types-shared = { version = "0.1.1", optional = true } # RustCrypto crates. aes = { version = "0.6.0", optional = true } @@ -101,6 +108,7 @@ crypto-rust = [ "rand_core", "rand_core/getrandom", "ecdsa" ] crypto-cng = ["eax", "winapi", "win-crypto-ng", "ed25519-dalek", "num-bigint-dig"] +crypto-openssl = ["openssl", "openssl-sys", "foreign-types-shared"] # Experimental and variable-time cryptographic backends opt-ins allow-experimental-crypto = [] diff --git a/openpgp/README.md b/openpgp/README.md index 00512b7a..2001a8bc 100644 --- a/openpgp/README.md +++ b/openpgp/README.md @@ -88,6 +88,10 @@ at compile time. Currently, these libraries are available: cannot offer the same security guarantees as more mature cryptographic libraries. + - The OpenSSL backend. To select this backend, use + `default-features = false`, and explicitly include the + `crypto-openssl` feature to enable it. + ### Experimental and variable-time cryptographic backends Some cryptographic backends are not yet considered mature enough for diff --git a/openpgp/build.rs b/openpgp/build.rs index aabf157d..9de8fb76 100644 --- a/openpgp/build.rs +++ b/openpgp/build.rs @@ -6,10 +6,23 @@ use std::process::exit; fn main() { crypto_backends_sanity_check(); + include_openssl_conf(); lalrpop::process_root().unwrap(); include_test_data().unwrap(); } +/// Optionally include configuration passed from openssl-sys build +/// script. This configuration is then exposed as a set of `osslconf` +/// parameters and is used by OpenSSL backend to enable or disable +/// algorithms available by the current environment. +fn include_openssl_conf() { + if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { + for var in vars.split(',') { + println!("cargo:rustc-cfg=osslconf=\"{}\"", var); + } + } +} + /// Builds the index of the test data for use with the `::tests` /// module. fn include_test_data() -> io::Result<()> { @@ -68,6 +81,12 @@ fn crypto_backends_sanity_check() { production_ready: false, constant_time: false, }), + (cfg!(feature = "crypto-openssl"), + Backend { + name: "OpenSSL", + production_ready: true, + constant_time: true, + }), ].into_iter().filter_map(|(selected, backend)| { if selected { Some(backend) } else { None } }).collect::<Vec<_>>(); diff --git a/openpgp/src/crypto/backend.rs b/openpgp/src/crypto/backend.rs index c0fd883f..780b0bb1 100644 --- a/openpgp/src/crypto/backend.rs +++ b/openpgp/src/crypto/backend.rs @@ -17,3 +17,8 @@ pub use self::rust::*; mod cng; #[cfg(feature = "crypto-cng")] pub use self::cng::*; + +#[cfg(feature = "crypto-openssl")] +mod openssl; +#[cfg(feature = "crypto-openssl")] +pub use self::openssl::*; diff --git a/openpgp/src/crypto/backend/openssl.rs b/openpgp/src/crypto/backend/openssl.rs new file mode 100644 index 00000000..4e610bfe --- /dev/null +++ b/openpgp/src/crypto/backend/openssl.rs @@ -0,0 +1,80 @@ +//! Implementation of Sequoia crypto API using the OpenSSL cryptographic library. +use std::convert::TryFrom; + +use crate::types::*; + +pub mod aead; +pub mod asymmetric; +pub mod ecdh; +pub mod hash; +pub mod symmetric; + +/// Returns a short, human-readable description of the backend. +pub fn backend() -> String { + "OpenSSL".to_string() +} + +/// Fills the given buffer with random data. +pub fn random(buf: &mut [u8]) { + // random is expected to always work or panic on wrong data. + // This is similar to what other backends do like CNG or Rust + // see: https://docs.rs/rand/latest/rand/trait.RngCore.html#tymethod.fill_bytes + openssl::rand::rand_bytes(buf).expect("rand_bytes to work"); +} + +impl PublicKeyAlgorithm { + pub(crate) fn is_supported_by_backend(&self) -> bool { + use PublicKeyAlgorithm::*; + #[allow(deprecated)] + match self { + RSAEncryptSign | RSAEncrypt | RSASign => true, + DSA => true, + ECDH | ECDSA | EdDSA => true, + _ => false, + } + } +} + +impl Curve { + pub(crate) fn is_supported_by_backend(&self) -> bool { + if matches!(self, Curve::Ed25519 | Curve::Cv25519) { + // 25519-based algorithms are special-cased and supported + true + } else { + // the rest of EC algorithms are supported via the same + // codepath + openssl::nid::Nid::try_from(self).is_ok() + } + } +} + +impl AEADAlgorithm { + /// Returns the best AEAD mode supported by the backend. + /// + /// This SHOULD return OCB, which is the mandatory-to-implement + /// algorithm and the most performing one, but fall back to any + /// supported algorithm. + pub(crate) const fn const_default() -> AEADAlgorithm { + AEADAlgorithm::OCB + } + + pub(crate) fn is_supported_by_backend(&self) -> bool { + *self == AEADAlgorithm::OCB + } + + #[cfg(test)] + pub(crate) fn supports_symmetric_algo(&self, algo: &SymmetricAlgorithm) -> bool { + match &self { + AEADAlgorithm::OCB => + match algo { + // OpenSSL supports OCB only with AES + // see: https://wiki.openssl.org/index.php/OCB + SymmetricAlgorithm::AES128 | + SymmetricAlgorithm::AES192 | + SymmetricAlgorithm::AES256 => true, + _ => false, + }, + _ => false + } + } +} diff --git a/openpgp/src/crypto/backend/openssl/aead.rs b/openpgp/src/crypto/backend/openssl/aead.rs new file mode 100644 index 00000000..e56b53ec --- /dev/null +++ b/openpgp/src/crypto/backend/openssl/aead.rs @@ -0,0 +1,111 @@ +//! Implementation of AEAD using OpenSSL cryptographic library. + +use crate::{Error, Result}; + +use crate::crypto::aead::{Aead, CipherOp}; +use crate::types::{AEADAlgorithm, SymmetricAlgorithm}; + +use openssl::cipher::Cipher; +use openssl::cipher_ctx::CipherCtx; + +struct OpenSslContext { + ctx: CipherCtx, + // The last chunk to be processed does not call `encrypt` thus + // leaves the crypter in non-finalized state. This makes the + // `get_tag` function of the crypter panic when calling `digest`. + // If this flag is set to `false` it means the crypter needs to be + // finalized. + finalized: bool, +} + +impl Aead for OpenSslContext { + fn update(&mut self, ad: &[u8]) -> Result<()> { + self.ctx.cipher_update(ad, None)?; + Ok(()) + } + + fn encrypt(&mut self, dst: &mut [u8], src: &[u8]) -> Result<()> { + // SAFETY: This condition makes the unsafe calls below correct. + if dst.len() != src.len() { + return Err( + Error::InvalidArgument("src and dst need to be of the same length".into()).into(), + ); + } + + // SAFETY: Process completely one full chunk. Since `update` + // is not being called again with partial block info and the + // cipher is finalized afterwards these two calls are safe. + let size = unsafe { self.ctx.cipher_update_unchecked(src, Some(dst))? }; + unsafe { self.ctx.cipher_final_unchecked(&mut dst[size..])? }; + self.finalized = true; + Ok(()) + } + + fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8], digest: &[u8]) -> Result<()> { + // SAFETY: This condition makes the unsafe calls below correct. + if dst.len() != src.len() { + return Err( + Error::InvalidArgument("src and dst need to be of the same length".into()).into(), + ); + } + + // SAFETY: Process completely one full chunk. Since `update` + // is not being called again with partial block info and the + // cipher is finalized afterwards these two calls are safe. + let size = unsafe { self.ctx.cipher_update_unchecked(src, Some(dst))? }; + self.ctx.set_tag(digest)?; + unsafe { self.ctx.cipher_final_unchecked(&mut dst[size..])? }; + Ok(()) + } + + fn digest(&mut self, digest: &mut [u8]) -> Result<()> { + if !self.finalized { + // SAFETY: If we reach this point the `update` has not + // been called at all with chunk data (only with AAD data) + // `final` will not return any data but it must be called + // exactly once so that the `tag` function succeeds. + unsafe { self.ctx.cipher_final_unchecked(&mut [])? }; + } + self.ctx.tag(digest)?; + Ok(()) + } + + fn digest_size(&self) -> usize { + self.ctx.block_size() + } +} + +impl crate::seal::Sealed for OpenSslContext {} + +impl AEADAlgorithm { + pub(crate) fn context( + &self, + sym_algo: SymmetricAlgorithm, + key: &[u8], + nonce: &[u8], + op: CipherOp, + ) -> Result<Box<dyn Aead>> { + match self { + AEADAlgorithm::OCB => { + let cipher = match sym_algo { + SymmetricAlgorithm::AES128 => Cipher::aes_128_ocb(), + SymmetricAlgorithm::AES192 => Cipher::aes_192_ocb(), + SymmetricAlgorithm::AES256 => Cipher::aes_256_ocb(), + _ => return Err(Error::UnsupportedSymmetricAlgorithm(sym_algo).into()), + }; + let mut ctx = CipherCtx::new()?; + match op { + CipherOp::Encrypt => ctx.encrypt_init(Some(cipher), Some(key), Some(nonce))?, + + CipherOp::Decrypt => ctx.decrypt_init(Some(cipher), Some(key), Some(nonce))?, + } + ctx.set_padding(false); + Ok(Box::new(OpenSslContext { + ctx, + finalized: false, + })) + } + _ => Err(Error::UnsupportedAEADAlgorithm(*self).into()), + } + } +} diff --git a/openpgp/src/crypto/backend/openssl/asymmetric.rs b/openpgp/src/crypto/backend/openssl/asymmetric.rs new file mode 100644 index 00000000..aef777bf --- /dev/null +++ b/openpgp/src/crypto/backend/openssl/asymmetric.rs @@ -0,0 +1,642 @@ +use crate::Result; + +use crate::crypto::asymmetric::{Decryptor, KeyPair, Signer}; +use crate::crypto::mpi; +use crate::crypto::mpi::{ProtectedMPI, MPI}; +use crate::crypto::mem::Protected; +use crate::crypto::SessionKey; +use crate::packet::key::{Key4, SecretParts}; +use crate::packet::{key, Key}; +use crate::types::SymmetricAlgorithm; +use crate::types::{Curve, HashAlgorithm, PublicKeyAlgorithm}; +use std::convert::{TryFrom, TryInto}; +use std::time::SystemTime; + +use openssl::bn::{BigNum, BigNumRef, BigNumContext}; +use openssl::ec::{EcGroup, EcKey, EcPoint, PointConversionForm}; +use openssl::ecdsa::EcdsaSig; +use openssl::nid::Nid; +use openssl::pkey::PKey; +use openssl::pkey_ctx::PkeyCtx; +use openssl::rsa::{Padding, Rsa, RsaPrivateKeyBuilder}; +use openssl::sign::Signer as OpenSslSigner; +use openssl::sign::Verifier; + +impl TryFrom<&ProtectedMPI> for BigNum { + type Error = anyhow::Error; + fn try_from(mpi: &ProtectedMPI) -> std::result::Result<BigNum, anyhow::Error> { + let mut bn = BigNum::new_secure()?; + bn.copy_from_slice(mpi.value())?; + Ok(bn) + } +} + +impl From<&BigNumRef> for ProtectedMPI { + fn from(bn: &BigNumRef) -> Self { + bn.to_vec().into() + } +} + +impl From<BigNum> for ProtectedMPI { + fn from(bn: BigNum) -> Self { + bn.to_vec().into() + } +} + +impl From<BigNum> for MPI { + fn from(bn: BigNum) -> Self { + bn.to_vec().into() + } +} + +impl TryFrom<&MPI> for BigNum { + type Error = anyhow::Error; + fn try_from(mpi: &MPI) -> std::result::Result<BigNum, anyhow::Error> { + Ok(BigNum::from_slice(mpi.value())?) + } +} + +impl From<&BigNumRef> for MPI { + fn from(bn: &BigNumRef) -> Self { + bn.to_vec().into() + } +} + +impl TryFrom<&Curve> for Nid { + type Error = crate::Error; + fn try_from(curve: &Curve) -> std::result::Result<Nid, crate::Error> { + Ok(match curve { + Curve::NistP256 => Nid::X9_62_PRIME256V1, + Curve::NistP384 => Nid::SECP384R1, + Curve::NistP521 => Nid::SECP521R1, + Curve::BrainpoolP256 => Nid::BRAINPOOL_P256R1, + Curve::BrainpoolP512 => Nid::BRAINPOOL_P512R1, + _ => return Err(crate::Error::UnsupportedEllipticCurve(curve.clone()).into()), + }) + } +} + +impl Signer for KeyPair { + fn public(&self) -> &Key<key::PublicParts, key::UnspecifiedRole> { + KeyPair::public(self) + } + + fn sign(&mut self, hash_algo: HashAlgorithm, digest: &[u8]) -> Result<mpi::Signature> { + use crate::PublicKeyAlgorithm::*; + #[allow(deprecated)] + self.secret().map( + |secret| match (self.public().pk_algo(), self.public().mpis(), secret) { + ( + RSAEncryptSign, + mpi::PublicKey::RSA { e, n }, + mpi::SecretKeyMaterial::RSA { p, q, d, .. }, + ) + | ( + RSASign, + mpi::PublicKey::RSA { e, n }, + mpi::SecretKeyMaterial::RSA { p, q, d, .. }, + ) => { + let key = + RsaPrivateKeyBuilder::new(n.try_into()?, e.try_into()?, d.try_into()?)? + .set_factors(p.try_into()?, q.try_into()?)? + .build(); + + let key = PKey::from_rsa(key)?; + + let mut signature: Vec<u8> = vec![]; + + const MAX_OID_SIZE: usize = 20; + let mut v = Vec::with_capacity(MAX_OID_SIZE + digest.len()); + v.extend(hash_algo.oid()?); + v.extend(digest); + + let mut ctx = PkeyCtx::new(&key)?; + ctx.sign_init()?; + ctx.sign_to_vec(&v, &mut signature)?; + + Ok(mpi::Signature::RSA { + s: signature.into(), + }) + } + ( + PublicKeyAlgorithm::DSA, + mpi::PublicKey::DSA { p, q, g, y }, + mpi::SecretKeyMaterial::DSA { x }, + ) => { + use openssl::dsa::{Dsa, DsaSig}; + let dsa = Dsa::from_private_components( + p.try_into()?, + q.try_into()?, + g.try_into()?, + x.try_into()?, + y.try_into()?, + )?; + let key: PKey<_> = dsa.try_into()?; + let mut ctx = PkeyCtx::new(&key)?; + ctx.sign_init()?; + let mut signature = vec![]; + ctx.sign_to_vec(&digest, &mut signature)?; + let signature = DsaSig::from_der(&signature)?; + + Ok(mpi::Signature::DSA { + r: signature.r().to_vec().into(), + s: signature.s().to_vec().into(), + }) + } + ( + PublicKeyAlgorithm::ECDSA, + mpi::PublicKey::ECDSA { curve, q }, + mpi::SecretKeyMaterial::ECDSA { scalar }, + ) => { + let nid = curve.try_into()?; + let group = EcGroup::from_curve_name(nid)?; + let mut ctx = BigNumContext::new()?; + let point = EcPoint::from_bytes(&group, q.value(), &mut ctx)?; + let mut private = BigNum::new_secure()?; + private.copy_from_slice(scalar.value())?; + let key = EcKey::from_private_components(&group, &private, &point)?; + let sig = EcdsaSig::sign(digest, &key)?; + Ok(mpi::Signature::ECDSA { + r: sig.r().into(), + s: sig.s().into(), + }) + } + + ( + EdDSA, + mpi::PublicKey::EdDSA { curve, .. }, + mpi::SecretKeyMaterial::EdDSA { scalar }, + ) => match curve { + Curve::Ed25519 => { + let scalar = scalar.value_padded(32); + + let key = + PKey::private_key_from_raw_bytes(&scalar, openssl::pkey::Id::ED25519)?; + + let mut signer = OpenSslSigner::new_without_digest(&key)?; + let signature = signer.sign_oneshot_to_vec(digest)?; + + // https://tools.ietf.org/html/rfc8032#section-5.1.6 + let (r, s) = signature.split_at(signature.len() / 2); + Ok(mpi::Signature::EdDSA { + r: r.to_vec().into(), + s: s.to_vec().into(), + }) + } + _ => Err(crate::Error::UnsupportedEllipticCurve(curve.clone()).into()), + }, + + (pk_algo, _, _) => Err(crate::Error::InvalidOperation(format!( + "unsupported combination of algorithm {:?}, key {:?}, \ + and secret key {:?} by OpenSSL backend", + pk_algo, + self.public(), + self.secret() + )) + .into()), + }, + ) + } +} + +impl Decryptor for KeyPair { + fn public(&self) -> &Key<key::PublicParts, key::UnspecifiedRole> { + KeyPair::public(self) + } + + fn decrypt( + &mut self, + ciphertext: &mpi::Ciphertext, + _plaintext_len: Option<usize>, + ) -> Result<SessionKey> { + use crate::crypto::mpi::PublicKey; + + self.secret().map(|secret| { + Ok(match (self.public().mpis(), secret, ciphertext) { + ( + PublicKey::RSA { ref e, ref n }, + mpi::SecretKeyMaterial::RSA { + ref p, + ref q, + ref d, + .. + }, + mpi::Ciphertext::RSA { ref c }, + ) => { + let key = + RsaPrivateKeyBuilder::new(n.try_into()?, e.try_into()?, d.try_into()?)? + .set_factors(p.try_into()?, q.try_into()?)? + .build(); + + let mut buf: Protected = vec![0; key.size().try_into()?].into(); + let encrypted_len = key.private_decrypt(c.value(), &mut buf, Padding::PKCS1)?; + buf[..encrypted_len].into() + } + + ( + PublicKey::ECDH { .. }, + mpi::SecretKeyMaterial::ECDH { .. }, + mpi::Ciphertext::ECDH { .. }, + ) => crate::crypto::ecdh::decrypt(self.public(), secret, ciphertext)?, + + (public, secret, ciphertext) => { + return Err(crate::Error::InvalidOperation(format!( + "unsupported combination of key pair {:?}/{:?} \ + and ciphertext {:?}", + public, secret, ciphertext + )) + .into()) + } + }) + }) + } +} + +impl<P: key::KeyParts, R: key::KeyRole> Key<P, R> { + /// Encrypts the given data with this key. + pub fn encrypt(&self, data: &SessionKey) -> Result<mpi::Ciphertext> { + use PublicKeyAlgorithm::*; + #[allow(deprecated)] + match self.pk_algo() { + RSAEncryptSign | RSAEncrypt => match self.mpis() { + mpi::PublicKey::RSA { e, n } => { + // The ciphertext has the length of the modulus. + let ciphertext_len = n.value().len(); + if data.len() + 11 > ciphertext_len { + return Err(crate::Error::InvalidArgument( + "Plaintext data too large".into(), + ) + .into()); + } + + let e = BigNum::from_slice(e.value())?; + let n = BigNum::from_slice(n.value())?; + let rsa = Rsa::<openssl::pkey::Public>::from_public_components(n, e)?; + + // The ciphertext has the length of the modulus. + let mut buf = vec![0; rsa.size().try_into()?]; + rsa.public_encrypt(data, &mut buf, Padding::PKCS1)?; + Ok(mpi::Ciphertext::RSA { + c: buf.into(), + }) + } + pk => Err(crate::Error::MalformedPacket(format!( + "Key: Expected RSA public key, got {:?}", + pk + )) + .into()), + }, + ECDH => crate::crypto::ecdh::encrypt(self.parts_as_public(), data), + algo => Err(crate::Error::UnsupportedPublicKeyAlgorithm(algo).into()), + } + } + + /// Verifies the given signature. + pub fn verify( + &self, + sig: &mpi::Signature, + hash_algo: HashAlgorithm, + digest: &[u8], + ) -> Result<()> { + let ok = match (self.mpis(), sig) { + (mpi::PublicKey::RSA { e, n }, mpi::Signature::RSA { s }) => { + let e = BigNum::from_slice(e.value())?; + let n = BigNum::from_slice(n.value())?; + let keypair = Rsa::<openssl::pkey::Public>::from_public_components(n, e)?; + let keypair = PKey::from_rsa(keypair)?; + + let signature = s.value(); + let mut v = vec![]; + v.extend(hash_algo.oid()?); + v.extend(digest); + + let mut ctx = PkeyCtx::new(&keypair)?; + ctx.verify_init()?; + ctx.verify(&v, signature)? + } + (mpi::PublicKey::DSA { p, q, g, y }, mpi::Signature::DSA { r, s }) => { + use openssl::dsa::{Dsa, DsaSig}; + let dsa = Dsa::from_public_components( + p.try_into()?, + q.try_into()?, + g.try_into()?, + y.try_into()?, + )?; + let key: PKey<_> = dsa.try_into()?; + let r = r.try_into()?; + let s = s.try_into()?; + let signature = DsaSig::from_private_components(r, s)?; + let mut ctx = PkeyCtx::new(&key)?; + ctx.verify_init()?; + ctx.verify(&digest, &signature.to_der()?)? + } + (mpi::PublicKey::EdDSA { curve, q }, mpi::Signature::EdDSA { r, s }) => match curve { + Curve::Ed25519 => { + let public = q.decode_point(&Curve::Ed25519)?.0; + + let key = PKey::public_key_from_raw_bytes(public, openssl::pkey::Id::ED25519)?; + + const SIGNATURE_LENGTH: usize = 64; + + // ed25519 expects full-sized signatures but OpenPGP allows + // for stripped leading zeroes, pad each part with zeroes. + let mut sig_bytes = [0u8; SIGNATURE_LENGTH]; + + // We need to zero-pad them at the front, because + // the MPI encoding drops leading zero bytes. + let half = SIGNATURE_LENGTH / 2; + sig_bytes[..half].copy_from_slice(&r.value_padded(half)?); + sig_bytes[half..].copy_from_slice(&s.value_padded(half)?); + + let mut verifier = Verifier::new_without_digest(&key)?; + verifier.verify_oneshot(&sig_bytes, digest)? + } + _ => return Err(crate::Error::UnsupportedEllipticCurve(curve.clone()).into()), + }, + (mpi::PublicKey::ECDSA { curve, q }, mpi::Signature::ECDSA { s, r }) => { + let nid = curve.try_into()?; + let group = EcGroup::from_curve_name(nid)?; + let mut ctx = BigNumContext::new()?; + let point = EcPoint::from_bytes(&group, q.value(), &mut ctx)?; + let key = EcKey::from_public_key(&group, &point)?; + let sig = EcdsaSig: |