[Bug 27602] New: ECDSA's Sign operation is not explicit about how r and s are concatenated (padding)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27602

            Bug ID: 27602
           Summary: ECDSA's Sign operation is not explicit about how r and
                    s are concatenated (padding)
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: ericroman@google.com
                CC: public-webcrypto@w3.org

The spec says the following:

---------------------
2. Let r and s be the pair of integers resulting from performing the ECDSA
signing process.
3. Let result be a new ArrayBuffer.
4. Convert r to a bitstring and append the sequence of bytes to result.
5. Convert s to a bitstring and append the sequence of bytes to result.
---------------------

As I understand "r" and "s" are big integers in big-endian order.

Prior to concatenation r and s must be padded to a fixed length, otherwise when
reversing the process during verify() it is unclear how to extract r
and s. I believe they should be zero-padded to the group order size in bytes.

Received on Saturday, 13 December 2014 02:12:10 UTC
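
The ambiguity described in the report, and the fixed-length encoding it proposes, as an added example that is not part of the original bug report or the specification. All function names are hypothetical, and the field width (group order size in bytes) is the reporter's suggestion taken as an assumption.

```javascript
// Added example. Assumption: each of r and s occupies ceil(orderBits / 8) bytes.

// Big-endian bytes of a non-negative BigInt, left zero-padded to `len` bytes.
function toFixedBE(x, len) {
  if (x < 0n) throw new RangeError("negative integer");
  const out = new Uint8Array(len);
  for (let i = len - 1; i >= 0; i--) {
    out[i] = Number(x & 0xffn);
    x >>= 8n;
  }
  if (x !== 0n) throw new RangeError("integer does not fit in " + len + " bytes");
  return out;
}
// Minimal-length big-endian bytes (no padding): the ambiguous form.
function toMinimalBE(x) {
  let len = 1;
  while (x >> BigInt(8 * len) !== 0n) len++;
  return toFixedBE(x, len);
}
function fromBE(bytes) {
  let x = 0n;
  for (const b of bytes) x = (x << 8n) | BigInt(b);
  return x;
}
function concat(a, b) {
  const out = new Uint8Array(a.length + b.length);
  out.set(a);
  out.set(b, a.length);
  return out;
}
function hex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}
// orderBits: bit length of the group order (256 for P-256, 521 for P-521).
function encodeSignature(r, s, orderBits) {
  const len = Math.ceil(orderBits / 8);
  return concat(toFixedBE(r, len), toFixedBE(s, len));
}
// Splits at the midpoint; rejects any input that is not exactly 2 * len bytes.
function decodeSignature(sig, orderBits) {
  const len = Math.ceil(orderBits / 8);
  if (sig.length !== 2 * len) throw new RangeError("expected " + 2 * len + " bytes");
  return { r: fromBE(sig.subarray(0, len)), s: fromBE(sig.subarray(len)) };
}
// Constructed values: two different (r, s) pairs yield identical unpadded bytes.
const ambiguousA = hex(concat(toMinimalBE(0x01n), toMinimalBE(0x0203n)));
const ambiguousB = hex(concat(toMinimalBE(0x0102n), toMinimalBE(0x03n)));
```

Without padding, both constructed pairs serialize to the same three bytes, so a verifier cannot tell where r ends; with fixed-width fields the split point is always the midpoint.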