i2d_ASN1_INTEGER zero pad
Matt Caswell
matt at openssl.org
Tue Aug 6 16:16:09 UTC 2019
On 06/08/2019 17:00, William Roberts wrote:
> On Tue, Aug 6, 2019 at 10:56 AM Matt Caswell <matt at openssl.org> wrote:
>>
>>
>>
>> On 06/08/2019 16:34, William Roberts wrote:
>>> Hi,
>>> I occasionally get spurious errors in my ECDSA signatures, and it
>>> appears that when the top byte is over 0x80 of either the R or S
>>> component, that I get a zero pad. I noticed all this when reading
>>> through the source, their was some comments (see below). I noticed a
>>> d2i_ASN1_UINTEGER, but I can't find a coresponding i2d_ version to
>>> create it. The zero pad seems to be the correct behavior, but it seems
>>> to be breaking things.
>>
>> As you note the zero pad is the correct behaviour.
>>
>>
>>> This is the link to the issue request I got filed for more details:
>>> https://github.com/tpm2-software/tpm2-pkcs11/issues/277
>>
>> This seems to be a problem in tmp2-pkcs11 and not OpenSSL. So its not clear to
>> me what your question to openssl-users is?
>
> The questions is their is a d2i_ASN1_UINTEGER exists for that zero pad
> issue, is their a i2d version, I couldn't find one.
No, an i2d version does not exists. d2i_ASN1_UINTEGER exists only for
interoperability with broken software. From the code (crypto/asn1/a_int.c):
/*
* This is a version of d2i_ASN1_INTEGER that ignores the sign bit of ASN1
* integers: some broken software can encode a positive INTEGER with its MSB
* set as negative (it doesn't add a padding zero).
*/
ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
long length)
Sine we don't want to *create* knowingly broken DER we don't provide the
equivalent function.
>
> I guess a second question is, is their a better way to build an ECDSA
> signature from the R and S components, the code
> for ASNI sequence is something I never figured out, is their an
> example in ossl somewhere?
If you have the r and s components in raw "binary" format then something like
this should create an OpenSSL ECDSA_SIG object (totally untested):
ECDSA_SIG *create_ecdsa_sig(unsigned char *r, size_t rlen, unsigned char *s,
size_t slen)
{
ECDSA_SIG *sig = ECDSA_SIG_new();
if (sig == NULL)
return NULL;
sig->r = BN_bin2bn(r, rlen, NULL);
sig->s = BN_bin2bn(s, slen, NULL);
if (sig->r == NULL || sig->s == NULL) {
ECDSA_SIG_free(sig);
return NULL;
}
return sig;
}
Once you have the ECDSA_SIG structure then encoding it as DER is simply a call
to i2d_ECDSA_SIG:
https://www.openssl.org/docs/manmaster/man3/i2d_ECDSA_SIG.html
Matt
More information about the openssl-users
mailing list