openssl icon indicating copy to clipboard operation
openssl copied to clipboard
verified publisher icon ruby

There is no way to perform ECDSA with raw OpenSSL::BN pairs

Open rickmark opened this issue 5 years ago • 2 comments

Marshaling back and forth from ASN1 is difficult as the handling of BN integers requires it have a non leading 1 to prevent the number being read as negative.

We should add OpenSSL::PKey::EC#dsa_sign(hash: String, k: , r:) => [ r: OpenSSL:BN, s: OpenSSL:BN ] and OpenSSL::PKey::EC#dsa_verify(r: OpenSSL:BN, s: OpenSSL:BN) => bool to support these operations.

The native methods would be ECDSA_do_sign_ex and ECDSA_do_verify

rickmark avatar Mar 30 '21 21:03 rickmark

Because this API should support deterministic K values, placing work on this as dependent on resolving #426 first

rickmark avatar Mar 30 '21 22:03 rickmark

The simple implementation might be to parse the ASN1 and return the two BN values as a helper method as this is a stable OpenSSL API surface. Will implement as a pure Ruby convenance method now that a deterministic k implementation is complete.

Conversely a verify that takes r and s as OpenSSL::BN and then calls the ASN1 function by encoding a signature is the opposite of that.

rickmark avatar Apr 02 '21 07:04 rickmark