All geek questions in one place

Does OpenSSL -sign for ECDSA apply ASN1 encoding to hash before signing?

This SO ECDSA question using OpenSSL without ASN1 hash encoding claims that OpenSSL performs ASN1 encoding for the hash before signing it.

In other words, he claims that OpenSSL performs the following steps when -sign is called for the key of an elliptical curve: a. Calculate H = Hash (M) b. Encode H in ASN1 - H c. H sign

And so, to avoid applying step b, you must first calculate the digest and then sign the digest using the raw signing - pkeyutl for the elliptic cursor keys

However, when I run BOTH -sign and -dgst + -pkeyutl, I can verify the signature using -verify in both cases. This means that ASN1 encoding is NOT applied to the hash.

Can anyone shed some light on this subject? I could not find the documentation in the OpenSSL documentation.

0
source share
1 answer

OpenSSL applies DER ASN.1 encoding to the signature output.

https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Signature_generation_algorithm

  • Compute e = HASH (m)where HASH is a cryptographic hash function such as SHA-2.
  • Let za Lnleftmost bits e, where Ln- the length of the bits of the group order n.
  • k [1, n - 1].
  • (x1, y1) = k x G.
  • r = x1 mod n. r = 0, 3.
  • s = (k − 1) x (z + r * dA) mod n. s = 0, 3.
  • (r, s).

, ECDSA , . , . ( RSA, , , ).

, ( secp256r1) r = 67432751043532511959904657272700966685609390316545000351652696368910338707793 s = 15800012655857962601029927988066555130680701005265153794330961.

ASN.1 DER

X.509/PKIX OpenSSL. ( , ) RFC 3279, 2.2.3:

ECDSA .     r s.     , ASN.1,     ASN.1:

Ecdsa-Sig-Value  ::=  SEQUENCE  {
     r     INTEGER,
     s     INTEGER  }

DER , , r.

r - , 67432751043532511959904657272700966685609390316545000351652696368910338707793 951595A548D156D51655159654ADA548D156D5165195159654ADA54D156D5151 hex. ITU-T-REC-X.690-201508 , . (0x95) , , 0x00, . , r 32 + 1 = 33 :

02 21 (INTEGER, 33 bytes)
   00 (padding byte)
   95 15 95 A5 48 D1 56 D5 16 55 15 96 54 AD A5 48
   D1 56 D5 16 51 95 15 96 54 AD A5 4D 15 6D 51 51

s 15800012655857962601029927988066555130680701005265153794330961 9D51655159654ADA548D156D5165195159654ADA54D156D5151. hex 9, 0x09, . s 27 , r.

02 1A (INTEGER, 26 bytes)
   09 D5 16 55 15 96 54 AD A5 48 D1 56 D5 16 51 95
   15 96 54 AD A5 4D 15 6D 51 51

SEQUENCE 63 :

30 3F (CONSTRUCTED SEQUENCE, 64 bytes)
   02 21 (INTEGER, 33 bytes)
      00 (padding byte)
      95 15 95 A5 48 D1 56 D5 16 55 15 96 54 AD A5 48
      D1 56 D5 16 51 95 15 96 54 AD A5 4D 15 6D 51 51
   02 1A (INTEGER, 26 bytes)
      09 D5 16 55 15 96 54 AD A5 48 D1 56 D5 16 51 95
      15 96 54 AD A5 4D 15 6D 51 51

:

30 3F 02 21 00 95 15 95 A5 48 D1 56 D5 16 55 15 
96 54 AD A5 48 D1 56 D5 16 51 95 15 96 54 AD A5 
4D 15 6D 51 51 02 1A 09 51 D5 16 55 15 96 54 AD 
A5 48 D1 56 D5 16 51 95 15 96 54 AD A5 4D 15 6D 
51 51

IEEE P1363

Windows.

r s , n, . r 32 , . s 26 , 6 0x00 .

// r
95 15 95 A5 48 D1 56 D5 16 55 15 96 54 AD A5 48
D1 56 D5 16 51 95 15 96 54 AD A5 4D 15 6D 51 51
// s
00 00 00 00 00 00 09 D5 16 55 15 96 54 AD A5 48
D1 56 D5 16 51 95 15 96 54 AD A5 4D 15 6D 51 51

, OpenSSL ASN.1 , . ASN.1 " " ( , ECC). Windows/IEEE . ASN.1 6 ( 7 secp521r1); (1 2 ^ 32 ) (1 2 ^ 40 ) .

, - , , , .

0

Source: https://habr.com/ru/post/1693638/

More articles:


All Articles