W3C home > Mailing lists > Public > public-xmlsec@w3.org > May 2009

Size of r and s in ECDSA

From: Pratik Datta <pratik.datta@oracle.com>
Date: Fri, 22 May 2009 15:15:47 -0700
Message-ID: <4A172413.3010907@oracle.com>
To: XMLSec WG Public List <public-xmlsec@w3.org>
Currently the XML Signature 1.1 spec says:

The output of the ECDSA algorithm consists of a pair of integers usually 
referred by the pair (r, s). The signature value consists of the base64 
encoding of the concatenation of two octet-streams that respectively 
result from the octet-encoding of the values r and s in that order. 
Integer to octet-stream conversion must be done according to the I2OSP 
operation defined in the RFC 2437 <http://www.ietf.org/rfc/rfc2437.txt> 
[ PKCS1 <#ref-PKCS1> ] specification with the |l| parameter equal to the 
size of the output of the digest function in bytes (e.g. 32 for SHA-256).

But shouldn't the length of r and s be dependent on the length of the 
key, not the length of digest function?

E.g. if you are using "ecdsa-sha256",  with P521 curve, then the length 
of r and s should not be 32, but should be 66 
(521 ; round up to multiple of 8 and get 528 bits = 66 bytes)

Received on Friday, 22 May 2009 22:16:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:42:18 UTC