Hi,
What you are seeing here is actually the combination of two issues:
- First, there is a bug in the function pkey_ec_sign (ec_pmeth.c
line 146): the error code returned by ECDSA_sign is not correctly
handled. The line should be "if (ret <= 0)" instead of "if (ret < 0)".
- Secondly, the current implementation of ECDSA in OpenSSL doesn't
handle the case where the digest is bigger than the EC field size. In the
function ecdsa_do_sign (ecs_ossl.c line 256), there is a comment
saying that the digest should be truncated in this case, but apparently
no decision has been made yet for this corner case and an error
code is returned.
If you correct the bug in the pkey_ec_sign, you will get the following
error message in the cases where you had empty output:
Error Signing Data
5052:error:2A065065:lib(42):ECDSA_do_sign:data too large for key size:.\crypto\ecdsa\ecs_ossl.c:265:
From this point, we have to push for a decision from the OpenSSL team
about the digest truncation and its implementation in ecdsa_do_sign
which seems necessary to have a fully compliant ECDSA implementation.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
Michael Smith via RT wrote:
Operating System: Ubuntu 9.10
OpenSSL is openssl-1.0.0-stable-SNAP-20091122
A blank result is returned for ECDSA signatures using SHA-256 and
112-level and below curves. 128-level and above curves work. SHA-1
with these curves works. I'm guessing that this part isn't yet
built into OpenSSL. I'm submitting a bug report to get this into the
roadmap and in case I'm wrong and did find a hard-limit on something.
=)
These curves and SHA-256 are specified in NIST 186-3 as part of the
ECDSA standard and as part of RFC 5480.
From RFC 5480:
To promote interoperability, the following choices are RECOMMENDED:
Minimum  | ECDSA    | Message    | Curves
Bits of  | Key Size | Digest     |
Security |          | Algorithms |
---------+----------+------------+-----------
80       | 192      | SHA-256    | secp192r1
---------+----------+------------+-----------
112      | 224      | SHA-256    | secp224r1
---------+----------+------------+-----------
128      | 256      | SHA-256    | secp256r1
---------+----------+------------+-----------
192      | 384      | SHA-384    | secp384r1
---------+----------+------------+-----------
256      | 512      | SHA-512    | secp521r1
---------+----------+------------+-----------
The process to recreate:
Create P-192 private key
Create P-224 private key
Create P-256 private key
Create P-384 private key
Validate all keys
Create digital signature in hex output using each key
The private keys are attached.
The output from each process is attached.
A strace from each signature creation is attached.
I've repeated this process with the following curves and results:
B-233/sect223r1 No output with SHA-256
K-233/sect223k1 No output with SHA-256
B-283/sect283r1 Works
K-283/sect283k1 Works
I've also used the -sign without -hex with the same result.
Thanks Much, you guys are great!
Cheers
--Mike
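
Added example, not part of the thread and not OpenSSL's code: a stand-alone sketch of the digest truncation discussed above, using the FIPS 186-3 rule of keeping the leftmost bits of the digest up to the bit length of the group order. The function name ecdsa_truncate_digest and the sample digest are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reduce a digest to its leftmost order_bits bits, held as a big-endian
 * integer. out must have room for dlen bytes. Returns bytes written. */
size_t ecdsa_truncate_digest(const unsigned char *dgst, size_t dlen,
                             size_t order_bits, unsigned char *out)
{
    size_t nbytes, i;
    unsigned shift;

    if (8 * dlen <= order_bits) {       /* digest already fits: keep it all */
        memcpy(out, dgst, dlen);
        return dlen;
    }
    nbytes = (order_bits + 7) / 8;      /* keep only the leading bytes */
    memcpy(out, dgst, nbytes);
    shift = (unsigned)(8 * nbytes - order_bits);  /* surplus low bits, 0..7 */
    if (shift != 0) {
        /* Order length is not a multiple of 8: shift the whole value right.
         * Walking from the last byte, out[i - 1] is still unmodified. */
        for (i = nbytes; i-- > 0; ) {
            unsigned char hi = (i > 0) ? out[i - 1] : 0;
            out[i] = (unsigned char)((out[i] >> shift) | (hi << (8 - shift)));
        }
    }
    return nbytes;
}

int main(void)
{
    /* Constructed 32-byte value standing in for a SHA-256 digest. */
    unsigned char digest[32], out[32];
    size_t bits[] = { 192, 224, 233, 256 };  /* order sizes from the report */
    size_t i, j, n;

    for (i = 0; i < sizeof digest; i++)
        digest[i] = (unsigned char)(i + 1);
    for (i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        n = ecdsa_truncate_digest(digest, sizeof digest, bits[i], out);
        printf("%3u-bit order: %2u bytes: ", (unsigned)bits[i], (unsigned)n);
        for (j = 0; j < n; j++)
            printf("%02x", out[j]);
        printf("\n");
    }
    return 0;
}
```

With a 192-bit or 224-bit order the SHA-256 digest is cut to 24 or 28 bytes instead of being rejected, which is the case that produced the empty signature output in the report.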