Hello.
I have noticed that the following method is used in the ECC sign/verify routines to
derive the 'e' integer from a digest:
----( begin cite )----
/* In the definition of EC signing, digests are truncated
* to the length of n in bits.
* (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
if (digest->len*8 > ecParams->fieldID.size) { /* u1 = HASH(M') */
mpl_rsh( &u1, &u1, digest->len*8 - ecParams->fieldID.size );
}
----( end cite )----
See the same at cvs blame:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ec.c&rev=1.20&mark=758-763,979-984#751
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ec.c&rev=1.20&mark=758-763,979-984#972
In the code above, the field size is used instead of base point order length.
For most curves they are identical, but not for all. This looks like a bug
to me.
Best regards,
--
Konstantin Andreev, software engineer.
Swemel JSC
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
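The following Python snippet is an added illustration of the point raised above; it is not NSS code and not part of the original message. It implements the digest truncation both ways, shifting by the field size (as the cited ec.c does) and by the bit length of the base point order n (as SEC 1 section 4.1.3/4.1.4 specifies), and compares the resulting integers on a few SEC 2 curves. The curve constants are transcribed from SEC 2 and only their bit lengths matter here; the function names (truncate_digest, e_field_size, e_order_bits, compare_curve) are hypothetical.

```python
import hashlib

# Curve parameters transcribed from SEC 2: (field size in bits, base point order n).
# Only n.bit_length() and the field size matter for this demonstration.
CURVES = {
    # n is 161 bits long on a 160-bit field
    "secp160r1": (160, 0x0100000000000000000001F4C8F927AED3CA752257),
    # n is 225 bits long on a 224-bit field
    "secp224k1": (224, 0x010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7),
    # n is 238 bits long on a 239-bit binary field
    "sect239k1": (239, 0x2000000000000000000000000000005A79FEC67CB6E91F1C1DA800E478A5),
    # n and the field are both 256 bits: the two variants coincide
    "secp256k1": (256, 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141),
}


def truncate_digest(digest: bytes, bits: int) -> int:
    """Interpret the digest as a big-endian integer and keep its leftmost `bits` bits.

    This is the integer equivalent of the cited mpl_rsh(&u1, &u1, len*8 - bits):
    a digest shorter than or equal to `bits` is used unchanged.
    """
    e = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - bits
    return e >> excess if excess > 0 else e


def e_field_size(digest: bytes, curve: str) -> int:
    """Truncation keyed on the field size, as in the cited ec.c rev 1.20."""
    field_bits, _ = CURVES[curve]
    return truncate_digest(digest, field_bits)


def e_order_bits(digest: bytes, curve: str) -> int:
    """Truncation keyed on the bit length of n, as SEC 1 / FIPS 186 specify."""
    _, n = CURVES[curve]
    return truncate_digest(digest, n.bit_length())


def compare_curve(digest: bytes, curve: str) -> dict:
    """Return both candidate values of e and whether they agree for this digest."""
    field_bits, n = CURVES[curve]
    e_field = e_field_size(digest, curve)
    e_order = e_order_bits(digest, curve)
    return {
        "curve": curve,
        "field_bits": field_bits,
        "order_bits": n.bit_length(),
        "e_field": e_field,
        "e_order": e_order,
        "match": e_field == e_order,
    }


if __name__ == "__main__":
    # Constructed sample input; any message with a digest longer than n would do.
    sample = hashlib.sha256(b"constructed sample message").digest()
    for name in CURVES:
        r = compare_curve(sample, name)
        print(f"{r['curve']:>10}: field={r['field_bits']} |n|={r['order_bits']} "
              f"match={r['match']}")
```

With a SHA-256 digest the two variants disagree on secp160r1 and secp224k1 (the field-size rule drops one bit too many) and on sect239k1 (it keeps one bit too many), and agree only where the field size equals the bit length of n. Since e feeds directly into s = k^-1 (e + d*r) mod n, a signer and verifier that truncate differently will reject each other's signatures on exactly those curves.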