From dd5970d5fcb921869a8341b5b4e49970a1032e37 Mon Sep 17 00:00:00 2001
From: Sorah Fukumori
Date: Tue, 27 Sep 2022 10:03:38 +0900
Subject: [PATCH 1/3] ecdsa: prehash must receive zero-pads on left

`prehash_to_field_bytes` was zero-padding on the right of the byte sequence but this must be done on the left because the output is evaluated as a big integer. This behavior is defined on various documents including RFC6979 Section 2.3.2., SEC 1 Section 2.3.8., NIST FIPS 186-4 Appendix C.2.1. https://datatracker.ietf.org/doc/html/rfc6979#section-2.3.2 https://www.secg.org/sec1-v2.pdf https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.186-4.pdf

---
 ecdsa/src/hazmat.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ecdsa/src/hazmat.rs b/ecdsa/src/hazmat.rs
index 511b1d6a..cecbe742 100644
--- a/ecdsa/src/hazmat.rs
+++ b/ecdsa/src/hazmat.rs
@@ -236,7 +236,7 @@ pub trait DigestPrimitive: PrimeCurve {
 cmp::Ordering::Equal => field_bytes.copy_from_slice(prehash),
 cmp::Ordering::Less => {
 // If prehash is smaller than the field size, pad with zeroes
- field_bytes[..prehash.len()].copy_from_slice(prehash);
+ field_bytes[(Self::UInt::BYTE_SIZE - prehash.len())..].copy_from_slice(prehash);
 }
 cmp::Ordering::Greater => {
 // If prehash is larger than the field size, truncate

From fc2ab491098aead35f0ef3e8b6a5700d1d9f0225 Mon Sep 17 00:00:00 2001
From: Sorah Fukumori
Date: Wed, 28 Sep 2022 01:03:22 +0900
Subject: [PATCH 2/3] ecdsa: cite rfc and sec1 for prehash_to_field_bytes

---
 ecdsa/src/hazmat.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ecdsa/src/hazmat.rs b/ecdsa/src/hazmat.rs
index cecbe742..6415a624 100644
--- a/ecdsa/src/hazmat.rs
+++ b/ecdsa/src/hazmat.rs
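Review bot: The padding fix on the `+` line is not covered by a test anywhere in this series; a regression test that passes a prehash shorter than `Self::UInt::BYTE_SIZE` (for example a 32-byte SHA-256 digest against a curve with a 48-byte field) and asserts that the first `BYTE_SIZE - prehash.len()` bytes of the result are zero while the digest occupies the tail would pin the direction this commit corrects. The new slice start cannot underflow because this is the `cmp::Ordering::Less` arm, where `prehash.len() < Self::UInt::BYTE_SIZE` already holds. Since the old right-padding effectively multiplied a short digest by a power of 256 before it was reduced, signatures the previous release produced over such prehashes will no longer verify and standard-conformant signatures from other implementations now will; that interoperability change deserves a changelog entry alongside the fix. `prehash_to_field_bytes` begins before and ends after this hunk.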
@@ -235,7 +235,10 @@ pub trait DigestPrimitive: PrimeCurve {
 match prehash.len().cmp(&Self::UInt::BYTE_SIZE) {
 cmp::Ordering::Equal => field_bytes.copy_from_slice(prehash),
 cmp::Ordering::Less => {
- // If prehash is smaller than the field size, pad with zeroes
+ // If prehash is smaller than the field size, pad with zeroes on the left,
+ // according to RFC6979 Section 2.3.2. and SEC1 Section 2.3.8.
+ // https://datatracker.ietf.org/doc/html/rfc6979#section-2.3.2
+ // https://www.secg.org/sec1-v2.pdf
 field_bytes[(Self::UInt::BYTE_SIZE - prehash.len())..].copy_from_slice(prehash);
 }
 cmp::Ordering::Greater => {

From 51c50a970e18d1a9e64c9826de5c1f3798822edc Mon Sep 17 00:00:00 2001
From: Sorah Fukumori
Date: Wed, 28 Sep 2022 01:25:45 +0900
Subject: [PATCH 3/3] ecdsa(prehash_to_field_bytes): truncation is also under rfc and sec1

---
 ecdsa/src/hazmat.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ecdsa/src/hazmat.rs b/ecdsa/src/hazmat.rs
index 6415a624..3ca3fc4c 100644
--- a/ecdsa/src/hazmat.rs
+++ b/ecdsa/src/hazmat.rs
@@ -232,13 +232,13 @@ pub trait DigestPrimitive: PrimeCurve { let mut field_bytes = FieldBytes::::default(); + // This is a operation according to RFC6979 Section 2.3.2. and SEC1 Section 2.3.8. + // https://datatracker.ietf.org/doc/html/rfc6979#section-2.3.2 + // https://www.secg.org/sec1-v2.pdf match prehash.len().cmp(&Self::UInt::BYTE_SIZE) { cmp::Ordering::Equal => field_bytes.copy_from_slice(prehash), cmp::Ordering::Less => { - // If prehash is smaller than the field size, pad with zeroes on the left, - // according to RFC6979 Section 2.3.2. and SEC1 Section 2.3.8. - // https://datatracker.ietf.org/doc/html/rfc6979#section-2.3.2 - // https://www.secg.org/sec1-v2.pdf + // If prehash is smaller than the field size, pad with zeroes on the left field_bytes[(Self::UInt::BYTE_SIZE - prehash.len())..].copy_from_slice(prehash); } cmp::Ordering::Greater => {
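Review bot: The header comment added in the third patch, `// This is a operation according to RFC6979 Section 2.3.2. and SEC1 Section 2.3.8.`, has a grammar slip and never says what the operation is, so a reader still has to infer the conversion from the `match` arms below it. I would replace that line with `// Interpret the prehash as a big-endian integer as RFC 6979 Section 2.3.2 (bits2int) and SEC 1 Section 2.3.8 describe: left-pad with zeros when it is shorter than the field, truncate when it is longer.` and keep the two URL lines beneath it. The per-arm comment `// If prehash is smaller than the field size, pad with zeroes on the left` then restates the header but is harmless. The body of the `cmp::Ordering::Greater` arm and the end of `prehash_to_field_bytes` lie outside this hunk, so whether the truncation keeps the leftmost bytes as those references require cannot be confirmed from the patch alone.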