Java ECDSAwithSHA256 signature with inconsistent length

Question

So I am trying to generate an ECDSAwithHA256 signature in Java, and for that, I am using the BouncyCastle provider. The curve is a secp521r1.

To initalize the signer I am using:

public static final String SIGNATURE_ALGORITHEM = "SHA256withECDSA";

public void init() {
    signer = Signature.getInstance(SIGNATURE_ALGORITHEM, BouncyCastleProvider.PROVIDER_NAME);
    signer.initSign(privKey);
}

And to sign I am using

public byte[] sign(byte[] bytes) throws SignatureException {
        signer.update(bytes);
        byte[] signature = signer.sign();
        System.out.println("Signature lenght is " + signature.length);
        return signature;
}

The only problem now is, that when I am running the code, I get signatures with a length between 137 and 139 byte. But I expected to get always the same amount of bytes. Does somebody know what I have to change, that I have always the same signature length, but still a standardized signature format?

It normal and expected that the lengths of the signatures will vary somewhat. — President James K. Polk, Sep 01 '18 at 01:47

dave_thompson_085 · Accepted Answer · 2019-10-16T12:55:16.507

4

Java crypto normally, and Bouncy by default, encodes ECDSA (also DSA) signatures using ASN.1 DER which is variable length. See neardupe ECDSA signature length and cross https://crypto.stackexchange.com/questions/33095/shouldnt-a-signature-using-ecdsa-be-exactly-96-bytes-not-102-or-103 .

Fortunately for you however, Bouncy (1.51 up) also implements P1363-style fixed-length encoding under the names {hash}withPLAIN-ECDSA or {hash}withCVC-ECDSA (and also substituting a slash for with). CVC in this context apparently means Card Verifiable Certificate, although I would not have thought the signature encoding is anywhere near the hardest part of cert verification for a limited device.

Updates: Bouncy 1.61 (2019-02) fixes the bug in 'plain' encoding mentioned in comments. Also, in Java 9 (2018-12) up the standard (Oracle) SunEC provider supports this format as {hash}withECDSAinP1363format

edited Oct 16 '19 at 12:55

answered Sep 01 '18 at 05:07

dave_thompson_085

34,712
6
50
70

Sorry for the late answer, but when I am using the recommended algorithms, I get signature lengths between 130 and 132 bytes, so its still not fixed. I just changed the SIGNATURE_ALGORITHEM Constance. Am i doing something wrong? – Pilikio Sep 02 '18 at 09:46
Plilikio: hmmm, checking the code, it uses fixed size of the larger actual value (r or s) not the group size; I can get 132 or 130 easily, and think I could get lower even lengths, but never an odd length. I think this may be a bug and will try to check with them. As a workaround when you get <132 you could split it in half and left-zero-pad each half. – dave_thompson_085 Sep 03 '18 at 03:54
Sorry I meant to update this and forgot: I checked with the Bouncy devs and they determined this is a bug and will be fixed to be const length = group. – dave_thompson_085 Sep 27 '18 at 01:59
For the moment I fixed it with adding an extra byte which tells how long the signature is... – Pilikio Sep 28 '18 at 18:08

Java ECDSAwithSHA256 signature with inconsistent length

1 Answers1

Linked