Yes, you're correct that it should be done with respect to the size of the group order. If you file a Bugzilla report, you can add me to and I'll put together a patch if no one else does.
Douglas

On 2009-Dec-18, at 10:51 PM, Konstantin Andreev wrote:

> Hello.
>
> I have noticed that the following method is used in the ECC sign/verify routines
> to derive the 'e' integer from a digest:
>
> ----( begin cite )----
> /* In the definition of EC signing, digests are truncated
>  * to the length of n in bits.
>  * (see SEC 1 "Elliptic Curve Digital Signature Algorithm" section 4.1.*/
> if (digest->len*8 > ecParams->fieldID.size) { /* u1 = HASH(M') */
>     mpl_rsh( &u1, &u1, digest->len*8 - ecParams->fieldID.size );
> }
> ----( end cite )----
>
> See the same at cvs blame:
>
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ec.c&rev=1.20&mark=758-763,979-984#751
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ec.c&rev=1.20&mark=758-763,979-984#972
>
> In the code above, the field size is used instead of the base point order length.
> For most curves they are identical, but not for all. This looks like a
> bug to me.
>
> Best regards,
> --
> Konstantin Andreev, software engineer.
> Swemel JSC
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
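The two truncation rules side by side, as an added example written for this thread (not NSS code): the cited field-size rule and the SEC 1 / FIPS 186-3 order-length rule, tried on secp160r1, whose order n is 161 bits while the field prime is 160 bits, and on P-256, where both are 256 bits. Curve parameters are taken from SEC 2; the message is a constructed sample.

```python
import hashlib

# secp160r1 domain parameters (SEC 2): p is 160 bits, n is 161 bits,
# so "field size" and "order length" differ by one bit.
SECP160R1_P = 2**160 - 2**31 - 1
SECP160R1_N = 0x01_00000000_00000000_0001F4C8_F927AED3_CA752257

# NIST P-256 / secp256r1 (SEC 2): p and n are both 256 bits, so the two
# truncation rules agree.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF_00000000_FFFFFFFF_FFFFFFFF_BCE6FAAD_A7179E84_F3B9CAC2_FC632551


def e_from_digest_field_size(digest: bytes, field_bits: int) -> int:
    """Mirror of the cited NSS logic: drop (digest bits - field size)
    low-order bits, i.e. truncate the digest to the field size."""
    e = int.from_bytes(digest, "big")
    if len(digest) * 8 > field_bits:
        e >>= len(digest) * 8 - field_bits
    return e


def e_from_digest_sec1(digest: bytes, n: int) -> int:
    """SEC 1 section 4.1.3 / FIPS 186-3 section 6.4: e is the leftmost
    min(N, hashlen) bits of the digest, where N is the bit length of n."""
    n_bits = n.bit_length()
    e = int.from_bytes(digest, "big")
    if len(digest) * 8 > n_bits:
        e >>= len(digest) * 8 - n_bits
    return e


def compare(message: bytes, p: int, n: int, hash_name: str = "sha256"):
    """Return (field-size e, order-length e, agree?) for one message.
    A disagreement means signatures made with one rule fail to verify
    under the other."""
    digest = hashlib.new(hash_name, message).digest()
    cited = e_from_digest_field_size(digest, p.bit_length())
    correct = e_from_digest_sec1(digest, n)
    return cited, correct, cited == correct


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not a real signature
    for name, p, n in (("secp160r1", SECP160R1_P, SECP160R1_N), ("P-256", P256_P, P256_N)):
        for h in ("sha1", "sha256"):
            cited, correct, same = compare(msg, p, n, h)
            print(f"{name:9s} {h:6s} field-size e={cited:x} order-length e={correct:x} agree={same}")
```

With SHA-1 (160 bits) neither rule shifts on secp160r1, which is why the discrepancy only surfaces once a longer digest such as SHA-256 is paired with such a curve.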