i2d_ASN1_INTEGER zero pad

Matt Caswell matt at openssl.org
Tue Aug 6 16:16:09 UTC 2019



On 06/08/2019 17:00, William Roberts wrote:
> On Tue, Aug 6, 2019 at 10:56 AM Matt Caswell <matt at openssl.org> wrote:
>>
>>
>>
>> On 06/08/2019 16:34, William Roberts wrote:
>>> Hi,
>>> I occasionally get spurious errors in my ECDSA signatures, and it
>>> appears that when the top byte is over 0x80 of either the R or S
>>> component, that I get a zero pad. I noticed all this when reading
>>> through the source, their was some comments (see below). I noticed a
>>> d2i_ASN1_UINTEGER, but I can't find a coresponding i2d_ version to
>>> create it. The zero pad seems to be the correct behavior, but it seems
>>> to be breaking things.
>>
>> As you note the zero pad is the correct behaviour.
>>
>>
>>> This is the link to the issue request I got filed for more details:
>>> https://github.com/tpm2-software/tpm2-pkcs11/issues/277
>>
>> This seems to be a problem in tmp2-pkcs11 and not OpenSSL. So its not clear to
>> me what your question to openssl-users is?
> 
> The questions is their is a d2i_ASN1_UINTEGER exists for that zero pad
> issue, is their a i2d version, I couldn't find one.

No, an i2d version does not exists. d2i_ASN1_UINTEGER exists only for
interoperability with broken software. From the code (crypto/asn1/a_int.c):

/*
 * This is a version of d2i_ASN1_INTEGER that ignores the sign bit of ASN1
 * integers: some broken software can encode a positive INTEGER with its MSB
 * set as negative (it doesn't add a padding zero).
 */

ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
                                long length)

Sine we don't want to *create* knowingly broken DER we don't provide the
equivalent function.


> 
> I guess a second question is, is their a better way to build an ECDSA
> signature from the R and S components, the code
> for ASNI sequence is something I never figured out, is their an
> example in ossl somewhere?

If you have the r and s components in raw "binary" format then something like
this should create an OpenSSL ECDSA_SIG object (totally untested):

ECDSA_SIG *create_ecdsa_sig(unsigned char *r, size_t rlen, unsigned char *s,
size_t slen)
{
    ECDSA_SIG *sig = ECDSA_SIG_new();

    if (sig == NULL)
        return NULL;

    sig->r = BN_bin2bn(r, rlen, NULL);
    sig->s = BN_bin2bn(s, slen, NULL);

    if (sig->r == NULL || sig->s == NULL) {
        ECDSA_SIG_free(sig);
        return NULL;
    }

    return sig;
}

Once you have the ECDSA_SIG structure then encoding it as DER is simply a call
to i2d_ECDSA_SIG:

https://www.openssl.org/docs/manmaster/man3/i2d_ECDSA_SIG.html


Matt








More information about the openssl-users mailing list