Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Buggy ECDSA implementation #53

Closed
jfinkhaeuser opened this issue Jan 16, 2020 · 7 comments
Closed

Buggy ECDSA implementation #53

jfinkhaeuser opened this issue Jan 16, 2020 · 7 comments
Labels
enhancement information needed

Comments

@jfinkhaeuser
Copy link

This vaguely relates to #49.

There's an issue with the ECDSA implementation, that took me some time to debug. Unfortunately, due to the nature of my contract, I can't submit a fix. But I can provide an explanation.

The TL;DR is, that for SHA-256, you need a key from the P-256 curve, for SHA-384 from the P-384 curve, and for SHA-512 from the P-521 curve. The current implementation allows using SHA-512 with a P-256 curve key, which leads to signatures that may not be verifiable by other implementations.

Now... there are concerns with using NIST's curves. But you can get EC groups with the same output lengths from different groups, so what I'd base this on is the EC_GROUP_order_bits() function - that has to be larger or equal to the SHA output bits (or you match them exactly as I described above, as you wish).

When you use matching sizes, you'll see that the zero-padding you do in the sign() method doesn't produce endless AAAAAA... prefixes, but will typically pad no more than a byte.

For reading up, I'll refer you to RFC7519 Section 8, which refers to encryption algorithms, particularly the ECDSA usage, from RFC7518 Section 3.4, which in turn lists the permissible curve + SHA combinations. It also lists that the curves to be used are from NIST's FIPS PUB 186-4 aka the Digital Signature Standard.

Hope that helps!
@jfinkhaeuser jfinkhaeuser mentioned this issue Jan 16, 2020
Closed
@Thalhammer
Copy link
Owner

Sorry for the late reply.
If I understand correctly, the "bug" is that the library does not protect you against using the wrong input key ?
Or is there also an issue if you use it correctly ?

@jfinkhaeuser
Copy link
Author

The bug is in the invalid padding. The trigger are the mismatching keys.

@Thalhammer
Copy link
Owner

Yeah but the bug regarding invalid padding was fixed in the other issue. So this is only about it not complaining about the user doing something wrong?

@jfinkhaeuser
Copy link
Author

The code or the documentation.

I'm not trying to tell you what you should do, mind you. But I also have a quality management background, and my preference is that invalid inputs should not look like they succeed. Currently that's the case.

Personal preference would be to error out and document how to avoid it.

@Thalhammer
Copy link
Owner

@jfinkhaeuser Of course it should be fixed to error out. But since this is not a hard bug I will fix it once I come around to do so and consider it an improvement.

Thalhammer added a commit that referenced this issue Mar 11, 2020
@Thalhammer
Add check for correct key size passed to ecdsa
da58b49 
see #53
@Thalhammer
Copy link
Owner

@jfinkhaeuser
I believe it should no behave correctly. You may check over it though.

@Thalhammer
Copy link
Owner

Behaviour should be fixed by fae2875.

@Thalhammer Thalhammer mentioned this issue Aug 4, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement information needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jfinkhaeuser @Thalhammer