[openssl-users] Certificate verification fails with latest commits (ECDSA)

jan.weil at ptb.de jan.weil at ptb.de
Tue Feb 3 14:19:50 UTC 2015

Hi Steve,

thanks a lot for your quick response and for the clarification.

> Von: "Dr. Stephen Henson" <steve at openssl.org>
> The MSB is effectively a sign bit but the explanation in the standard 
> very clear. If you take your example of GTS001.pem and do:
>   openssl asn1parse -in GTS001.pem -strparse 367 -out sig.der
> It will parse out the Ecdsa-Sig-Value field and you get:
>     0:d=0  hl=2 l=  52 cons: SEQUENCE 
>     2:d=1  hl=2 l=  24 prim: INTEGER 
> :-0739E1C1762E2E3E1D4480425633EA0BB669CE784DC3ACCB
>    28:d=1  hl=2 l=  24 prim: INTEGER 
> :-332658917A3B05831D91176C0512CF91C617819E1A7CF14B
> Note the two - signs.

> [...]

> What this is saying is that if the MSB is one you subtract that value 
> the result.
> For example 0x80 without the MSB represents '0' the MSB represents 0x80 
> you subtract that resulting in -0x80. 

Well, yes, that's how two's complement works.

> That's why you need the 0 padding byte prepended if the MSB is one.

The actual problem is that I have totally ignored the mathematics of ECs 
and it only occured to me when I read your reply that the values of r and 
s, as far as i understand now, can never be negative.

Not so good news for our certificates...

Thanks again!


Jan Weil
Physikalisch-Technische Bundesanstalt
Arbeitsgruppe 8.52 Datenkommunikation und -sicherheit
Abbestr. 2 - 12
10587 Berlin
Telefon: (+49 30) 34 81 - 77 64
Fax: (+49 30) 34 81 - 69 77 64
Email: jan.weil at ptb.de

More information about the openssl-users mailing list