src/share/classes/sun/security/ec/ECDSASignature.java
rev 13649 : 8147502: Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
Summary: Truncate the digest according to the group order, not the field size
Reviewed-by: jnimeh
@@ -327,14 +327,14 @@
byte[] s = privateKey.getS().toByteArray();
ECParameterSpec params = privateKey.getParams();
// DER OID
byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);
- int keySize = params.getCurve().getField().getFieldSize();
+ int orderLength = params.getOrder().bitLength();
- // seed is twice the key size (in bytes) plus 1
- byte[] seed = new byte[(((keySize + 7) >> 3) + 1) * 2];
+ // seed is twice the order length (in bytes) plus 1
+ byte[] seed = new byte[(((orderLength + 7) >> 3) + 1) * 2];
random.nextBytes(seed);
// random bits needed for timing countermeasures
int timingArgument = random.nextInt();
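Review bot: The comment on the new seed line does not match the arithmetic: `(((orderLength + 7) >> 3) + 1) * 2` is twice (order bytes plus one), not twice the order bytes plus one, so a reader checking the sizing will be misled. Suggest `// seed is twice (the order length in bytes plus 1); the nonce k lies in [1, n-1], so the group order, not the field size, bounds it`. Since this seed feeds the nonce derivation for the signature, the comment should also say why the extra byte and the doubling are there — presumably surplus random bits so that reducing mod n leaves negligible bias, but that should be confirmed against the native signing code rather than asserted here. The enclosing method begins before this hunk, so whether `random` is guaranteed to be a SecureRandom cannot be checked from what is visible.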