Added secp521r1 support

ancwrd1 · ancwrd1 · commit ed94a9b75f55 · 2025-11-21T11:39:55.000+01:00
diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@ Rationale: In many situations, it is required to use non-exportable private cert
  from the Windows certificate store instead of the external PKCS8 file.
  `rustls-cng` can use such chains in the `rustls` context.
 
-Supported key/certificate types: **RSA**, **ECDSA/ECDH**. Supported elliptic curves: secp256r1 (prime256v1), secp384r1.
+Supported key/certificate types: **RSA**, **ECDSA/ECDH**. Supported elliptic curves: secp256r1 (prime256v1), secp384r1, secp521r1.
 
 [Documentation](https://docs.rs/rustls-cng).
 
diff --git a/src/signer.rs b/src/signer.rs
@@ -126,6 +126,7 @@ impl CngSigningKey {
             AlgorithmGroup::Ecdsa | AlgorithmGroup::Ecdh => match self.bits {
                 256 => &[SignatureScheme::ECDSA_NISTP256_SHA256],
                 384 => &[SignatureScheme::ECDSA_NISTP384_SHA384],
+                521 => &[SignatureScheme::ECDSA_NISTP521_SHA512],
                 _ => &[],
             },
         }
@@ -160,6 +161,9 @@ impl CngSigner {
             SignatureScheme::ECDSA_NISTP384_SHA384 => {
                 (BCRYPT_SHA384_ALG_HANDLE, SignaturePadding::None)
             }
+            SignatureScheme::ECDSA_NISTP521_SHA512 => {
+                (BCRYPT_SHA512_ALG_HANDLE, SignaturePadding::None)
+            }
             _ => return Err(Error::General("Unsupported signature scheme".to_owned())),
         };
 
diff --git a/tests/test_sign.rs b/tests/test_sign.rs
@@ -25,6 +25,7 @@ fn test_sign() {
         SignatureScheme::RSA_PSS_SHA512,
         SignatureScheme::ECDSA_NISTP256_SHA256,
         SignatureScheme::ECDSA_NISTP384_SHA384,
+        SignatureScheme::ECDSA_NISTP521_SHA512,
     ];
 
     let key = context.acquire_key(true).unwrap();
