gsauthof
commented
6 years ago I can confirm this issue on Fedora 27. @jrconlin is right, with newer openssl versions, openssl writes the signature DER encoded. The following shows how to reproduce the issue and work around it:
OpenSSL part:
# create private key
openssl ecparam -name secp256k1 -genkey -noout -out secp256k1-key.pem
# create public key
openssl ec -in secp256k1-key.pem -pubout -noout -out secp256k1-pub-key.pem
# create signature of foo.txt
openssl dgst -sha256 -sign secp256k1-key.pem -out foo.text.sig foo.txtHow to make it work in Python ECDSA:
import ecdsa
import hashlib
key = ecdsa.VerifyingKey.from_pem(open('secp256k1-pub-key.pem').read())
msg = open('foo.txt', 'br').read()
sig = open('foo.txt.sig', 'rb').read()
if not sig[2*2]:
s = sig[5:5+32]
else:
s = sig[4:4+32]
r = sig[-32:]
sig = s + r
result = key.verify(sig, msg, hashlib.sha256)
print(result)Note that the DER encoding adds 6 to 8 bytes overhead - depending on whether the highest bit of the most significant byte of each component is set or not. Since it's such a minimal DER file using a real DER-derserializer library would be overkill.
I agree, getting an error like AssertionError: (70, 64) instead of a proper exception that contains a message like 'signature size X does match the expected size Y' is a bit confusing.
Btw, the current README has a section on openssl compatibility, but the commands listed there don't work with current openssl versions.
tomato42
Hi,
While trying to convert from ecdsa to python cryptography (which wraps OpenSSL) I discovered that the current iteration of OpenSSL (libssl 1.0.2g+) returns a DER formatted signature value instead of a raw pair of 32octect numbers. (FWIW: the signature appears to be a Sequence of NamedTypes containing Integers)
If, say, a JWT that has a signature from a direct OpenSSL wrapper that is unaware of this is attempted to be run through ecdsa, it'll fail due to the signature length check*. Folks who wish to use this library should check signature length != 64 and perform whatever transmogrification required to get the raw pair of key values that ecdsa requires.
Also: might want to update the examples in the "OpenSSL Compatibility" section of the README to reflect this.
I'm going to try to follow up with other library owners in the chain to make sure that they're aware or at least comment about this problem lest others develop the same drinking habit I seem to have.
*really wish that some of these returned more meaningful errors than "AssertionError(71, 64)"