Hello > As I mentioned before, I am using the openSSL directory for its > support for the ECDSA. Which I need to implement the AACS standard. I > am not sure you are familiar with it, but in short the problem I am > encountering right now is that in the AACS Std the signatures are > represented as 40 bytes number (2 BN of size 20). It has been working > good, but I have encountered a case where the ecdsa_do_sign function > returns a signature where the r and s (the 2 big numbers) are not of > size 20 bytes, which as you can imagine can damage the AACS protocol. > I was wondering why this could happen? should not this size be set > according to the dgst len size? Is there a way to set this size to 20? r and s in DSA or ECDSA are result of modular exponentation or point addition in finite filed (modulo 160 bit prime number in DSA and modulo n in ECDSA where n is elliptic curve base poit order), not SHA1 calculation. Therefore there are some cases where big number length in bytes may be for example 19 bytes, not 20. The same situation you may observe in RSA signing. For example when you generate many ECDSA signatures using secp224r1 with command: $ openssl dgst -sign ec-key.pem -ecdsa-with-SHA1 -out file.sig < file.txt > /dev/null
you will quickly find signature: $ openssl asn1parse -in file.sig1 -inform der 0:d=0 hl=2 l= 60 cons: SEQUENCE 2:d=1 hl=2 l= 29 prim: INTEGER :AB5D2B5B3152AE92C169CEF7967F5F194FA74A535AE93F8E9B9E783D 33:d=1 hl=2 l= 27 prim: INTEGER :50D88DDACCA3FF8CF44CE82D5E2A6B5E9C885E609ABA3554D45667 which has r of 27 bytes length, but verifies ok: $ openssl dgst -verify ec-key-pub.pem -ecdsa-with-SHA1 -signature file.sig < file.txt Verified OK In ASN.1 notation there is no problem because INTERGER's are well defined but if you are going not to use ASN.1 you may pad with 0x00 binary representations of r and s (if they are too short). This method is used in RSA signatures, for example if you use 1024 bit key then signature (not in ASN.1 notation) should be 128 bytes length. If after modular exponentation length of signature (big number) is for example 127 bytes then leading 0x00 is added. During the verification this 0x00 has no meaning of course. Best regards, -- Marek Marcola <[EMAIL PROTECTED]> ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]