rustls · ctz · May 3, 2024 · Apr 26, 2024
diff --git a/rustls/src/crypto/aws_lc_rs/mod.rs b/rustls/src/crypto/aws_lc_rs/mod.rs
@@ -168,10 +168,6 @@ static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms
     ],
     mapping: &[
         // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
-        (
-            SignatureScheme::ECDSA_NISTP521_SHA512,
-            &[webpki_algs::ECDSA_P521_SHA512],
-        ),
         (
             SignatureScheme::ECDSA_NISTP384_SHA384,
             &[
@@ -186,6 +182,10 @@ static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms
                 webpki_algs::ECDSA_P384_SHA256,
             ],
         ),
+        (
+            SignatureScheme::ECDSA_NISTP521_SHA512,
+            &[webpki_algs::ECDSA_P521_SHA512],
+        ),
         (SignatureScheme::ED25519, &[webpki_algs::ED25519]),
         (
             SignatureScheme::RSA_PSS_SHA512,

diff --git a/rustls/tests/api.rs b/rustls/tests/api.rs
@@ -1129,9 +1129,9 @@ fn server_cert_resolve_reduces_sigalgs_for_ecdsa_ciphersuite() {
         CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
         if provider_is_aws_lc_rs() {
             vec![
-                SignatureScheme::ECDSA_NISTP521_SHA512,
                 SignatureScheme::ECDSA_NISTP384_SHA384,
                 SignatureScheme::ECDSA_NISTP256_SHA256,
+                SignatureScheme::ECDSA_NISTP521_SHA512,
                 SignatureScheme::ED25519,
             ]
         } else {
@@ -1499,10 +1499,6 @@ fn test_client_cert_resolve(
 fn default_signature_schemes(version: ProtocolVersion) -> Vec<SignatureScheme> {
     let mut v = vec![];
 
-    if provider_is_aws_lc_rs() {
-        v.push(SignatureScheme::ECDSA_NISTP521_SHA512);
-    }
-
     v.extend_from_slice(&[
         SignatureScheme::ECDSA_NISTP384_SHA384,
         SignatureScheme::ECDSA_NISTP256_SHA256,
@@ -1512,6 +1508,10 @@ fn default_signature_schemes(version: ProtocolVersion) -> Vec<SignatureScheme> {
         SignatureScheme::RSA_PSS_SHA256,
     ]);
 
+    if provider_is_aws_lc_rs() {
+        v.insert(2, SignatureScheme::ECDSA_NISTP521_SHA512);
+    }
+
     if version == ProtocolVersion::TLSv1_2 {
         v.extend_from_slice(&[
             SignatureScheme::RSA_PKCS1_SHA512,