
src/share/classes/sun/security/ec/ECDSASignature.java

rev 13649 : 8147502: Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
Summary: Truncate the digest according to the group order, not the field size
Reviewed-by: jnimeh

*** 327,340 **** byte[] s = privateKey.getS().toByteArray(); ECParameterSpec params = privateKey.getParams(); // DER OID byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params); ! int keySize = params.getCurve().getField().getFieldSize(); ! // seed is twice the key size (in bytes) plus 1 ! byte[] seed = new byte[(((keySize + 7) >> 3) + 1) * 2]; random.nextBytes(seed); // random bits needed for timing countermeasures int timingArgument = random.nextInt(); --- 327,340 ---- byte[] s = privateKey.getS().toByteArray(); ECParameterSpec params = privateKey.getParams(); // DER OID byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params); ! int orderLength = params.getOrder().bitLength(); ! // seed is twice the order length (in bytes) plus 1 ! byte[] seed = new byte[(((orderLength + 7) >> 3) + 1) * 2]; random.nextBytes(seed); // random bits needed for timing countermeasures int timingArgument = random.nextInt();
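Review bot: The new comment `// seed is twice the order length (in bytes) plus 1` does not match the expression on the next line, `(((orderLength + 7) >> 3) + 1) * 2`, which allocates twice (order byte length plus one), i.e. two bytes more than twice the order length, not one. A reader checking that the seed carries enough entropy for the nonce will stumble on that mismatch, so the comment should state the actual sizing, e.g. `// seed is 2 * (order length in bytes + 1): extra random bytes beyond the order size for nonce derivation`; whether the trailing byte per half is required by the native signing code is not visible here and would be worth naming in the comment if it is. Switching from the field size to the order bit length is the right basis for this sizing, since the nonce is reduced modulo n rather than the field prime, and this fixes the under-sized seed for curves whose order is shorter than the field. The enclosing signing method starts and ends outside this hunk, so whether `random` is the engine's SecureRandom cannot be confirmed from the visible lines.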