jtooker
Reputation: 1243
How do I ECDSA verify a block of data in Java when I only have the raw signature (R, S) and raw public key point (Qx, Qy)
I've got a byte array message as well as the four 32-byte raw components to the signature: Qx, Qy, R and S. How do I format/encode these into ECPublicKey and signature byte[] that Signature::verify function expects? The signature was created with SHA-256 ECDSA.
Upvotes: 0
Views: 903
Answers (1)
jtooker
Reputation: 1243
The solution requires combining two other answers (and implementing it in Java):
- How does one convert a public EC code point and curve name into a PublicKey
- ECDSA Signature R|S to ASN1 DER Encoding question
Creating the public key involves generating a dummy key pair and using its ECParameterSpec and then substituting your raw public key point [Qx, Qy]. A BigInteger must also be created from the raw bytes. This can be seen in the createPublicKey function below.
The signature (made up of R and S) must be encoded in the DER format - I could not find an existing Java utility function to do this, so it is manually done, as seen in createDERSigniture below.
/**
* Check to see if `message` matches signature [R, S] and public key point [qx, qy]
*
* @param message device ID
* @param r first part of the ECDSA signature
* @param s second part of the ECDSA signature
* @param qx x part of the public key point
* @param qy y part of the public key point
* @return true iff the signature signed the message
* @note ECDSA SHA-256 is used - r, s, qx and qy must be 32 bytes long
*/
private static boolean ecdsaVerify(@NotNull final byte[] message, @NotNull final byte[] r, @NotNull final byte[] s,
@NotNull final byte[] qx, @NotNull final byte[] qy)
{
try
{
// convert from raw bytes to something `Signature` can understand
ECPublicKey publicKey = createPublicKey(qx, qy);
byte[] derSignature = createDERSigniture(r, s);
// do the actual verification
Signature sig = Signature.getInstance("SHA256withECDSA");
sig.initVerify(publicKey);
sig.update(message);
return sig.verify(derSignature);
}
catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidKeyException | SignatureException | InvalidAlgorithmParameterException e)
{
return false;
}
}
/**
* Format the raw elliptic curve point [qx, qy] with the NIST P-256
*
* @param qx the x coordinate - should be 32 bytes
* @param qy the y coordinate - should be 32 bytes
* @return the public key from the raw coordinates
* @see https://stackoverflow.com/a/22652372/1229250
*/
private static ECPublicKey createPublicKey(byte[] qx, byte[] qy)
throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeySpecException
{
// generate bogus keypair so we can get its spec
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
kpg.initialize(new ECGenParameterSpec("secp256r1"));// NIST P-256
ECPublicKey apub = (ECPublicKey)kpg.generateKeyPair().getPublic();
ECParameterSpec aspec = apub.getParams();
ECPoint point = new ECPoint(new BigInteger(1, qx), new BigInteger(1, qy));
ECPublicKeySpec pks = new ECPublicKeySpec(point, aspec);
return (ECPublicKey)KeyFactory.getInstance("EC").generatePublic(pks);
}
/**
* Encode a raw signature in the DER format
*
* @param r first part of the raw signature - should be 32 bytes
* @param s second part of the raw signature - should be 32 bytes
* @return a DER formatted signature
* @see https://crypto.stackexchange.com/a/57734/89173
*/
private static byte[] createDERSigniture(byte[] r, byte[] s)
{
// build backwards
byte[] der = {};
der = prependPoint(der, s);
der = prependPoint(der, r);
return prependHeader(der);
}
/**
* Take in a raw coordinate value, `p` and then wrap and prepend it to `derSig`
*
* Wrapping includes adding the header by (0x02), the length as well as a leading zero if needed.
*
* @param derSig the end of the DER formatted signature, so far (may be empty)
* @param p a part of the coordinate to prepend
* @return the signature so far with an addition component
*/
private static byte[] prependPoint(byte[] derSig, byte[] p)
{
// append a zero byte if the leading *bit* is one (so as a whole, it is a positive number)
final boolean prependZero = (p[0] & 0x80) == 0x80;
final int pointLength = p.length + (prependZero ? 1 : 0);
final int prependSize = 2 + pointLength;
final int totalNewSize = prependSize + derSig.length;
byte[] result = new byte[totalNewSize];
result[0] = 2;
result[1] = (byte) pointLength;
if (prependZero)
{
result[2] = 0;
}
System.arraycopy(p, 0, result, prependZero ? 3 : 2, p.length);
System.arraycopy(derSig, 0, result, prependSize, derSig.length);
return result;
}
/**
* Add the DER header - the 0x30 magic number and the length of the point
*
* @param derSig the DER signature so far - must have the two points
* @return the signature with the proper header
*/
private static byte[] prependHeader(byte[] derSig)
{
byte[] result = new byte[derSig.length + 2];
result[0] = 0x30;
result[1] = (byte) derSig.length;
System.arraycopy(derSig, 0, result, 2, derSig.length);
return result;
}
Upvotes: 1
Related Questions
- JAVA How to verify ECDSA signature when r or s are negative
- Validating a ECDSA P-256 signature
- Verify data with Signature public key RSA java
- How to verify ECDSA with Public Key?
- How to verify a signature in openssl consisting of ECDSA [r, s] values?
- Extracting (r,s) and Verifying ECDSA signature remotely
- How to verify a DSA signature given (R,S) pair in Java?
- Signing and verifying with java android
- Calculating ECDSA signature in Java as per an RFC test vector
- (1)Convert the ECDSA private & public key, (2)Verification by ECDSA