Interm. BLD BREAK Pad short ECDSA signature
big.Int.Bytes() trims MSB zeroes, put them back in depending on
EC Field length

Change-Id: I87829c0babeafc49650f408355fa8212b49b62ff
Signed-off-by: Volodymyr Paprotski <vpaprots@ca.ibm.com>
Volodymyr Paprotski committed Jan 27, 2017
1 parent 2d7d7a7 commit a1448ea
Showing 3 changed files with 17 additions and 10 deletions.
2 changes: 1 addition & 1 deletion bccsp/pkcs11/ecdsa.go
Expand Up @@ -111,5 +111,5 @@ func (csp *impl) verifyECDSA(k ecdsaPublicKey, signature, digest []byte, opts bc
return false, fmt.Errorf("Invalid S. Must be smaller than half the order [%s][%s].", s, halfOrder)
}

return verifyECDSA(k.ski, digest, r, s)
return verifyECDSA(k.ski, digest, r, s, k.pub.Curve.Params().BitSize/8)
}
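Review bot: `k.pub.Curve.Params().BitSize/8` truncates for any curve whose bit size is not a multiple of 8; for P-521 it yields 65, while R and S can occupy 66 bytes. With the padding this commit adds to `verifyECDSA` in pkcs11.go, an R or S longer than `byteSize` makes the slice start index negative and the call panics instead of returning a verification result. Round up instead: `(k.pub.Curve.Params().BitSize + 7) / 8`. Which curves this provider is configured for is not visible on this page, so the problem may be latent today, but the expression is written generically and should hold for every curve. The enclosing method starts above the hunk.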
11 changes: 9 additions & 2 deletions bccsp/pkcs11/pkcs11.go
Expand Up @@ -328,7 +328,7 @@ func signECDSA(ski []byte, msg []byte) (R, S *big.Int, err error) {
return R, S, nil
}

func verifyECDSA(ski []byte, msg []byte, R, S *big.Int) (valid bool, err error) {
func verifyECDSA(ski []byte, msg []byte, R, S *big.Int, byteSize int) (valid bool, err error) {
p11lib := ctx
session := getSession()
defer returnSession(session)
Expand All @@ -340,7 +340,14 @@ func verifyECDSA(ski []byte, msg []byte, R, S *big.Int) (valid bool, err error)
return false, fmt.Errorf("Public key not found [%s]\n", err)
}

sig := append(R.Bytes(), S.Bytes()...)
r := R.Bytes()
s := S.Bytes()

// Pad front of R and S with Zeroes if needed
sig := make([]byte, 2*byteSize)
copy(sig[byteSize-len(r):byteSize], r)
copy(sig[2*byteSize-len(s):], s)

err = p11lib.VerifyInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil)},
*publicKey)
if err != nil {
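Review bot: The new padding slices `sig[byteSize-len(r):byteSize]` and `sig[2*byteSize-len(s):]` without checking that R and S fit, so a signature whose R or S is longer than `byteSize` causes a slice-bounds panic rather than an error return. R and S are parsed from the signature under verification, which is input the verifier does not control; the caller in ecdsa.go visibly bounds S against half the order, but no bound on R appears on this page. Add a guard before the `make`, for example `if byteSize <= 0 || len(r) > byteSize || len(s) > byteSize { return false, fmt.Errorf("R or S does not fit field size [%d]", byteSize) }`. Because `big.Int.Bytes()` returns the absolute value, also rejecting `R.Sign() <= 0 || S.Sign() <= 0` there keeps a negative value from being verified as its magnitude. The function body continues past the end of the hunk.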
14 changes: 7 additions & 7 deletions bccsp/pkcs11/pkcs11_test.go
Expand Up @@ -63,7 +63,7 @@ func TestPKCS11ECKeySignVerify(t *testing.T) {
t.Fatal("Failed signing message [%s]", err)
}

pass, err := verifyECDSA(key, hash1, R, S)
pass, err := verifyECDSA(key, hash1, R, S, currentTestConfig.securityLevel/8)
if err != nil {
t.Fatal("Error verifying message 1 [%s]", err)
}
Expand All @@ -76,7 +76,7 @@ func TestPKCS11ECKeySignVerify(t *testing.T) {
t.Fatal("Signature should match with software verification!")
}

pass, err = verifyECDSA(key, hash2, R, S)
pass, err = verifyECDSA(key, hash2, R, S, currentTestConfig.securityLevel/8)
if err != nil {
t.Fatal("Error verifying message 2 [%s]", err)
}
Expand Down Expand Up @@ -129,7 +129,7 @@ func TestPKCS11ECKeyImportSignVerify(t *testing.T) {
t.Fatal("Failed signing message [%s]", err)
}

pass, err := verifyECDSA(ski, hash1, R, S)
pass, err := verifyECDSA(ski, hash1, R, S, currentTestConfig.securityLevel/8)
if err != nil {
t.Fatalf("Error verifying message 1 [%s]\n%s\n\n%s", err, hex.Dump(R.Bytes()), hex.Dump(S.Bytes()))
}
Expand All @@ -142,7 +142,7 @@ func TestPKCS11ECKeyImportSignVerify(t *testing.T) {
t.Fatal("Signature should match with software verification!")
}

pass, err = verifyECDSA(ski, hash2, R, S)
pass, err = verifyECDSA(ski, hash2, R, S, currentTestConfig.securityLevel/8)
if err != nil {
t.Fatal("Error verifying message 2 [%s]", err)
}
Expand Down Expand Up @@ -198,15 +198,15 @@ func TestPKCS11ECKeyExport(t *testing.T) {
t.Fatalf("Failed signing message [%s]", err)
}

pass, err := verifyECDSA(key2, hash1, R, S)
pass, err := verifyECDSA(key2, hash1, R, S, currentTestConfig.securityLevel/8)
if err != nil {
t.Fatalf("Error verifying message 1 [%s]", err)
}
if pass == false {
t.Fatal("Signature should match! [1]")
}

pass, err = verifyECDSA(key, hash1, R, S)
pass, err = verifyECDSA(key, hash1, R, S, currentTestConfig.securityLevel/8)
if err != nil {
t.Fatalf("Error verifying message 2 [%s]", err)
}
Expand All @@ -219,7 +219,7 @@ func TestPKCS11ECKeyExport(t *testing.T) {
t.Fatal("Signature should match with software verification!")
}

pass, err = verifyECDSA(key, hash2, R, S)
pass, err = verifyECDSA(key, hash2, R, S, currentTestConfig.securityLevel/8)
if err != nil {
t.Fatal("Error verifying message 3 [%s]", err)
}
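Review bot: None of the updated `verifyECDSA` calls pins the case this commit fixes. Each test verifies whatever R and S the signer happens to return, and a value with a leading zero byte turns up only occasionally. A regression test that signs fresh messages until `len(R.Bytes()) < currentTestConfig.securityLevel/8` (or the same for S) and then asserts that verification passes would make the padding path deterministic to check. Separately, several context lines in these hunks pass format verbs to `t.Fatal`, e.g. `t.Fatal("Error verifying message 1 [%s]", err)`, which prints the verb unformatted; `t.Fatalf` is what is meant. The test functions start and end outside the hunks shown.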
