Hello
> As I mentioned before, I am using the openSSL directory for its
> support for the ECDSA. Which I need to implement the AACS standard. I
> am not sure you are familiar with it, but in short the problem I am
> encountering right now is that in the AACS Std the signatures are
> represented as 40 bytes number (2 BN of size 20). It has been working
> good, but I have encountered a case where the ecdsa_do_sign function
> returns a signature where the r and s (the 2 big numbers) are not of
> size 20 bytes, which as you can imagine can damage the AACS protocol.
> I was wondering why this could happen? should not this size be set
> according to the dgst len size? Is there a way to set this size to 20?
r and s in DSA or ECDSA are result of modular exponentation or point
addition in finite filed (modulo 160 bit prime number in DSA and modulo
n in ECDSA where n is elliptic curve base poit order), not SHA1
calculation.
Therefore there are some cases where big number length in bytes may be
for example 19 bytes, not 20.
The same situation you may observe in RSA signing.
For example when you generate many ECDSA signatures using secp224r1
with command:
$ openssl dgst -sign ec-key.pem -ecdsa-with-SHA1 -out file.sig < file.txt >
/dev/null
you will quickly find signature:
$ openssl asn1parse -in file.sig1 -inform der
0:d=0 hl=2 l= 60 cons: SEQUENCE
2:d=1 hl=2 l= 29 prim: INTEGER
:AB5D2B5B3152AE92C169CEF7967F5F194FA74A535AE93F8E9B9E783D
33:d=1 hl=2 l= 27 prim: INTEGER
:50D88DDACCA3FF8CF44CE82D5E2A6B5E9C885E609ABA3554D45667
which has r of 27 bytes length, but verifies ok:
$ openssl dgst -verify ec-key-pub.pem -ecdsa-with-SHA1 -signature file.sig <
file.txt
Verified OK
In ASN.1 notation there is no problem because INTERGER's are well
defined but if you are going not to use ASN.1 you may pad with 0x00
binary representations of r and s (if they are too short).
This method is used in RSA signatures, for example if you use 1024 bit
key then signature (not in ASN.1 notation) should be 128 bytes length.
If after modular exponentation length of signature (big number) is for
example 127 bytes then leading 0x00 is added.
During the verification this 0x00 has no meaning of course.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
