Skip to content

Properly specify the encoding when verifying ECDSA signatures #405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jun 27, 2025
Merged

Properly specify the encoding when verifying ECDSA signatures #405

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
14ac374
Fix section references for ECDSA
twiss Jun 25, 2025
8deea68
Specify the signature encoding in ECDSA verification
twiss Jun 25, 2025
bb8d07c
Simplify wording of function to convert an integer to a byte sequence
twiss Jun 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 46 additions & 10 deletions spec/Overview.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -625,14 +625,21 @@ <h2>Terminology</h2>
and then considering each consecutive sequence of 8 bits in that string as a byte.
</p>
<p>
When this specification says to <dfn id="dfn-convert-integer-to-byte-sequence">convert a non-negative
To <dfn id="dfn-convert-integer-to-byte-sequence">convert a non-negative
integer |i| to a byte sequence of length |n|</dfn>, where |n| * 8
is greater than the logarithm to base 2 of |i|, the user agent must
first calculate the binary representation of |i|, most significant bit first,
is greater than the logarithm to base 2 of |i|,
calculate the binary representation of |i|, most significant bit first,
prefix this with sufficient zero bits to form a bit sequence of length |n| * 8, and
then return the [= byte sequence =] formed by considering each consecutive
sequence of 8 bits in that bit sequence as a byte.
</p>
<p>
To <dfn id="dfn-convert-byte-sequence-to-integer">convert a byte sequence
to a non-negative integer</dfn>,
interpret the byte sequence as a big-endian non-negative integer
(most significant bit first),
and return that integer.
</p>
<p>
Comparing two strings in a <dfn id="case-sensitive">case-sensitive</dfn>
manner means comparing them exactly, code point for code point.
Expand Down Expand Up @@ -7135,7 +7142,7 @@ <h5>Sign</h5>
<li>
<p>
Perform the ECDSA signing process, as specified in [[RFC6090]],
Section 5.4, with |M| as the message, using |params| as the
Section 5.4.2, with |M| as the message, using |params| as the
EC domain parameters, and with |d| as the private key.
</p>
</li>
Expand Down Expand Up @@ -7235,12 +7242,41 @@ <h5>Verify</h5>
|key| is "`P-256`", "`P-384`" or "`P-521`":
</dt>
<dd>
<p>
Perform the ECDSA verifying process, as specified in [[RFC6090]], Section 5.3, with |M| as the received
message, |signature| as the received signature and using
|params| as the EC domain parameters, and
|Q| as the public key.
</p>
<ol>
<li>
<p>
Let |n| be the smallest integer such that |n| * 8 is greater than
the logarithm to base 2 of the order of the base point of the elliptic curve identified
by |params|.
</p>
</li>
<li>
<p>
If |signature| does not have a [= byte sequence/length =] of |n| * 2 bytes,
then return false.
</p>
</li>
<li>
<p>
Let |r| be the result of
<a href="#dfn-convert-byte-sequence-to-integer">converting the first |n| bytes of |signature| to an integer</a>.
</p>
</li>
<li>
<p>
Let |s| be the result of
<a href="#dfn-convert-byte-sequence-to-integer">converting the last |n| bytes of |signature| to an integer</a>.
</p>
</li>
<li>
<p>
Perform the ECDSA verifying process, as specified in [[RFC6090]], Section 5.4.3, with |M| as the received
message, (|r|, |s|) as the signature and using
|params| as the EC domain parameters, and
|Q| as the public key.
</p>
</li>
</ol>
</dd>
<dt>
Otherwise, the {{EcKeyAlgorithm/namedCurve}} attribute
Expand Down