Hi Admin,


I use the API ecc_sign_hash() to generate a digital signature with the secp256r1 curve configuration.
Usually, the API generates a 64-byte signature, but there is a very low probability of getting a 63-byte signature.
Could you kindly let me know if this is a normal output of the ECDSA algorithm?
Besides, is it possible to generate a 64-byte ECDSA signature every time?

[An example of generating a 63-byte signature for your reference]

[Input - 32 bytes]:
09 F7 82 E3 89 7B AE 5F 26 81 9B D0 BA 1D F7 E0 71 41 0E 22 92 52 DC AC 72 5B 25 60 C0 32 9E 1A

[Private key d - 32 bytes]
E3 53 EC 42 44 B1 9E 95 18 73 D1 5C 21 26 3C 95 F9 EB A6 B2 DE D0 6F F6 55 28 7C 4A CA AC 78 34

[Public key point coordinate xD - 32 bytes]
D8 05 CF 80 C7 D8 31 B8 E4 86 81 F3 86 BD 00 78 A6 4A 95 B3 EB 43 14 69 96 D7 6B 4B 95 FA 60 D5

[Public key point coordinate yD - 32 bytes]
15 4D 5F 35 3F 78 07 15 DA B6 86 23 61 D0 E9 79 A0 70 A5 0E D7 2E 5A 30 C5 59 01 46 C5 36 51 D2

[Random number k - 32 bytes]
49 1D BD BB 46 09 E5 7E EF 86 A2 E4 8D AF 70 A2 48 E7 A0 8B F3 8D A3 94 4C 3E 27 C0 74 C1 67 DA

[ECDSA signature - 63 bytes]
AF 44 7F B6 76 B4 DD 8A BD B1 B4 7F 13 DA 8C 97 CD 6B 7B 6F BE 60 10 12 F5 56 07 0B 31 5B E0 97
61 1F C6 9D C2 B6 6A 47 0A F2 AB C8 4A A1 86 63 AC F3 42 E4 F6 86 02 88 A8 6B 60 11 7F D4 2D


Many thanks.
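Added example, not part of the original post and not wolfSSL code: ECDSA's r and s are integers in [1, n-1], so when one of them has a zero top byte, a minimal-length big-endian export is one byte shorter, and a fixed 64-byte form is obtained by left-padding each value to 32 bytes before concatenating. The function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define P256_INT_LEN 32  /* secp256r1: r and s each fit in 32 bytes */

/* Copy a big-endian integer of any encoded length into a fixed-width field,
 * left-padding with zeros. Leading zero bytes in the input (for example the
 * 0x00 sign byte of a DER INTEGER) are ignored.
 * Returns 0 on success, -1 if the value does not fit in `width` bytes. */
static int be_to_fixed(const unsigned char *in, size_t in_len,
                       unsigned char *out, size_t width)
{
    while (in_len > 0 && in[0] == 0) { in++; in_len--; }
    if (in_len > width) return -1;
    memset(out, 0, width - in_len);
    if (in_len > 0) memcpy(out + (width - in_len), in, in_len);
    return 0;
}

/* Build the fixed 64-byte r||s form from separately exported r and s.
 * The padding has to happen before concatenation: once a short value has
 * been joined into a 63-byte blob, the blob alone does not say whether
 * r or s was the short one. */
int ecdsa_p256_fixed_sig(const unsigned char *r, size_t r_len,
                         const unsigned char *s, size_t s_len,
                         unsigned char out[2 * P256_INT_LEN])
{
    if (be_to_fixed(r, r_len, out, P256_INT_LEN) != 0) return -1;
    if (be_to_fixed(s, s_len, out + P256_INT_LEN, P256_INT_LEN) != 0) return -1;
    return 0;
}
```

A verifier that accepts this form should likewise require exactly 64 bytes and split at byte 32.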

Dear sir,

May I know which function in the WolfSSL library will support Certificate Path Validation following section 6.1 in RFC3280?


Many thanks!!

Hi Chrisc,

Thanks for your kind comments; they are really helpful to us.


Best regards,
Ryan

Hi John,

Sorry for replying so late...
We are asked to calculate the secret number according to message payload data. This code modification has been completed by our team members in a modified wolfSSL library.

Currently, we have been given another requirement for ECDSA exception handling. There are 2 checking conditions for exception handling in the ECDSA signing function [ecc_sign_hash()].

<< The request is described below: >>
When generating a digital signature, the application shall calculate a per-message Secret Number ‘k’.
1.    If the value of 'k' so calculated is zero or greater than n-1. or
2.    Results in an ‘r’ or ‘s’ value of 0.
Then, a new value for k shall be re-calculated.

After checking the source code of the ecc_sign_hash() function, we think that the check for an 'r' or 's' value of 0 is included, but I am not sure if the check for the 'k' value (0 < k <= n-1) is included.

int ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, 
                  RNG* rng, ecc_key* key)
{
   ...

   /* make up a key and export the public copy */
   if (err == MP_OKAY) {
       ecc_key pubkey;
       ecc_init(&pubkey);
       for (;;) {
           err = ecc_make_key_ex(rng, &pubkey, key->dp, NULL);
           if (err != MP_OKAY) break;

           /* find r = x1 mod n */
           err = mp_mod(&pubkey.pubkey.x, &p, &r);
           if (err != MP_OKAY) break;

           if (mp_iszero(&r) == MP_YES)         /*** <--- check r == 0 here. ***/
               ecc_free(&pubkey);
           else { 
               /* find s = (e + xr)/k */
               err = mp_invmod(&pubkey.k, &p, &pubkey.k);
               if (err != MP_OKAY) break;

               err = mp_mulmod(&key->k, &r, &p, &s);   /* s = xr */
               if (err != MP_OKAY) break;
           
               err = mp_add(&e, &s, &s);               /* s = e +  xr */
               if (err != MP_OKAY) break;

               err = mp_mod(&s, &p, &s);               /* s = e +  xr */
               if (err != MP_OKAY) break;

               err = mp_mulmod(&s, &pubkey.k, &p, &s); /* s = (e + xr)/k */
               if (err != MP_OKAY) break;

               ecc_free(&pubkey);
               if (mp_iszero(&s) == MP_NO)          /*** <--- check s != 0 here. ***/
                   break;
            }
       }
       ecc_free(&pubkey);
   }

   ...
}

Could you please let me know if the check of the 'k' value (0 < k <= n-1) is included in the ecc_sign_hash() function?
If it is not included, could you kindly guide me on how to modify the code to check the 'k' value against the 'n' value? We would like to modify the code to implement the checking mechanism.
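One way to express the quoted requirement (reject k when it is zero or greater than n-1, then draw again) for secp256r1, as an added example that is not wolfSSL code and not from the original post. `p256_k_in_range`, `rand_fn`, `p256_pick_k` and `demo_rng` are hypothetical names, and `demo_rng` is a constructed stand-in, not a real random source.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Order n of the secp256r1 (P-256) base point, big-endian. */
static const uint8_t P256_N[32] = {
    0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0xBC,0xE6,0xFA,0xAD,0xA7,0x17,0x9E,0x84,0xF3,0xB9,0xCA,0xC2,0xFC,0x63,0x25,0x51
};

/* Returns 1 if 1 <= k <= n-1, else 0. k is secret, so the loop has no
 * early exit and no branch that depends on the bytes of k. */
int p256_k_in_range(const uint8_t k[32])
{
    uint32_t borrow = 0, nonzero = 0;
    size_t i;
    for (i = 32; i-- > 0; ) {                  /* least significant byte first */
        uint32_t d = (uint32_t)k[i] - P256_N[i] - borrow;
        borrow = (d >> 31) & 1;                /* final borrow is 1 iff k < n */
        nonzero |= k[i];
    }
    nonzero = (nonzero | (0u - nonzero)) >> 31; /* 1 iff some byte is nonzero */
    return (int)(borrow & nonzero);
}

/* Hypothetical RNG hook: fills buf with len bytes, returns 0 on success. */
typedef int (*rand_fn)(uint8_t *buf, size_t len, void *ctx);

/* Draw candidates until one is in range; rejected values are discarded. */
int p256_pick_k(rand_fn rng, void *ctx, uint8_t k[32], int max_tries)
{
    while (max_tries-- > 0) {
        if (rng(k, 32, ctx) != 0) return -1;
        if (p256_k_in_range(k)) return 0;
    }
    return -1;
}

/* Constructed stand-in RNG for the demonstration: yields 0, n, then n-1. */
int demo_rng(uint8_t *buf, size_t len, void *ctx)
{
    int *call = (int *)ctx;
    if (len != 32) return -1;
    memcpy(buf, P256_N, 32);               /* second call: k = n */
    if (*call == 0) memset(buf, 0, 32);    /* first call: k = 0 */
    if (*call >= 2) buf[31] -= 1;          /* later calls: k = n-1 */
    (*call)++;
    return 0;
}
```

The 'r' and 's' checks stay where the quoted code marks them; this only covers the range condition on k.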

Hi John,

Thanks for your reply.
Yes, to check against the customer's requirement, we need to verify the output (signature) with the same input (per-message secret number). This is evidence to check if the product could generate the same signature according to the crypto vectors.

Thus, could you please let me know how to get a fixed signature with a static per-message secret number in the ECDSA sign API (ecc_sign_hash)?

Many thanks.

Hi admin,

For clarification of the ECDSA algorithm with some specific crypto vectors, I want to set a fixed per-message secret number in the ECDSA algorithm.
Could you kindly let me know how to set a fixed per-message secret number in the ECDSA sign API (ecc_sign_hash)?

Thanks.

Hi Todd,

Thanks for your answer.

Hello admin,

I have 2 questions about Message Secret Number generation for ECDSA in wolfSSL.

Q1. According to Appendix B.5 in NIST FIPS.186.4, what method is used for Message Secret Number generation in wolfSSL?
      Is it generated by (1) using Extra Random Bits, (2) Testing Candidates, or another method?


Q2. How will the Message Secret Number be handled in wolfSSL when the value of the Secret Number so calculated is zero or greater than n-1? ('n' is a prime number in the Secret Number generation algorithm)


I want to evaluate the ECDSA algorithm against my customer's requirements.

Hi Chris,

Thanks, it is really helpful for me!

Hello everyone,

I want to perform ECC key agreement with a certificate and a private key, but I do not know how to generate an ECC public key from a certificate. I referred to the thread "Getting public key from certificate", but I cannot find an API like RsaPublicKeyDecode() to get an ECC key from a certificate.

My idea is to use the APIs to run key agreement as follows:
(This refers to the thread: http://www.yassl.com/forums/topic513-ge … icate.html)


int ret;
int pemCertSz, derKeySz;
byte pemCert[4096];
byte derKey[1024];
byte shSecret[1024];

FILE* pubFile;
FILE* priFile;
ecc_key pubKey, priKey;
word32 idx = 0;
DecodedCert cert;

/* open and read PEM-formatted cert into buffer */
pubFile= fopen("./client-cert.pem", "rb");
if (!pubFile) {
    /* error reading file */
    return -1;
}

pemCertSz = fread(pemCert, 1, sizeof(pemCert), pubFile);
fclose(pubFile);

/* initialize DecodedCert with PEM cert */
InitDecodedCert(&cert, pemCert, pemCertSz, 0);
ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
if (ret != 0) {
    /* ParseCert failed */
    return -1;
}

/* extract the public key from the cert */
ecc_init(&pubKey);
idx = 0;

/* I want to use an API like this to get the public key from a certificate. However, this API does not exist! */
ret = EccPublicKeyDecode(cert.publicKey, &idx, &pubKey, cert.pubKeySize);
if (ret != 0) {
    /* EccPublicKeyDecode failed */
    return -1;
}


/* Load private key from DER-formatted file */
priFile= fopen("./ecc-key.der", "rb");
if (!priFile) {
    /* error reading file */
    return -1;
}

derKeySz = fread(derKey, 1, sizeof(derKey), priFile);
fclose(priFile);

/* Translate buffer to ECC private key */
ecc_init(&priKey);
idx = 0;
ret = EccPrivateKeyDecode(derKey, &idx, &priKey, derKeySz);

/* run ECC Key Agreement */
idx = sizeof(shSecret);
ret = ecc_shared_secret(&priKey, &pubKey, shSecret, &idx);

Could anyone give me a hand with this issue?


windsp