
src/share/classes/sun/security/ec/ECDSASignature.java

rev 13649 : 8147502: Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
Summary: Truncate the digest according to the group order, not the field size
Reviewed-by: jnimeh

@@ -327,14 +327,14 @@
         byte[] s = privateKey.getS().toByteArray();
         ECParameterSpec params = privateKey.getParams();
 
         // DER OID
         byte[] encodedParams = ECUtil.encodeECParameterSpec(null, params);
-        int keySize = params.getCurve().getField().getFieldSize();
+        int orderLength = params.getOrder().bitLength();
 
-        // seed is twice the key size (in bytes) plus 1
-        byte[] seed = new byte[(((keySize + 7) >> 3) + 1) * 2];
+        // seed is twice the order length (in bytes) plus 1
+        byte[] seed = new byte[(((orderLength + 7) >> 3) + 1) * 2];
 
         random.nextBytes(seed);
 
         // random bits needed for timing countermeasures
         int timingArgument = random.nextInt();
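Review bot: The updated comment above the seed allocation still reads as "2 * length + 1" bytes, while the expression `(((orderLength + 7) >> 3) + 1) * 2` allocates twice (order length in bytes plus one). I would reword it to `// seed is 2 * (order length in bytes + 1); sized from the group order n, not the field size`. It would also help to say why the buffer is larger than n. Presumably the native signing code derives the per-signature nonce from it and the extra bytes keep the reduction mod n close to uniform, but that code is not visible here and should be confirmed before it is written as fact. The enclosing method starts and ends outside this hunk, so how `seed` and `timingArgument` are consumed cannot be checked from these lines.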