Ok, I found the problem:
mbedtls_base64_encode(hash_b64, sizeof(hash_b64), (size_t *) &len_b64, hash, 32);
&len_b64 is a pointer to uint16_t. Casting the pointer to size_t* doesn't give you a pointer to a size_t object, it gives you an invalid pointer since it isn't pointing to a size_t object. When mbedtls_base64_encode writes through that pointer, it overwrites
whatever is next on the stack. Other calls with a size_t* cast have the same problem. Depending on exactly how your compiler lays out the stack, this might part of the message, or part of the pk structure, or part of the result...
I found this problem because I massaged your code until it ran on Linux, and it crashed during mbedtls_pk_sign because the pk structure had been corrupted. Other potential ways to find such problems include static analysis (Coverity is good but very expensive),
AddressSanitizer (if you can build your code on a platform that has enough space), and of course code review (any cast is suspicious: most of the times, when a compiler complains about something, a cast will silence the compiler but not actually fix the problem).
Best regards,
--
Gilles Peskine
Mbed TLS developer
On 21/04/2021 09:43, stefano664 wrote:
Hi Gilles,
thanks for your reply.
The posted code is without error checks to be smaller. The complete code is here:
All error checks pass true than all functions seems ok.
In this version I added also the verify, that fail.
Here you can find the output with all prints, messages and datas:
As you can see my signature is 71 byte wide, a bit too little even after zeroes removing. The same made with openSSL is 104 byte wide.
I've checked my keys, and I confirm it is 384 bit. You can check, it is printed during process.
Thanks a lot for your help!
Hi Stefano,
Assuming that the key is in PEM format and that the buffers (hash, tmp)
are large enough, I don't see anything wrong in the part of the code you
posted.
You posted code without error checking. Can you confirm that all
functions return 0?
mbedtls_pk_sign produces ECDSA signatures in ASN.1 format. The size of
the signature can be up to 104 bytes, and is often a few bytes shorter
because it consists of numbers in which leading zeros are omitted. Make
sure the tmp buffer is large enough. You can use
MBEDTLS_ECDSA_MAX_SIG_LEN(384) or MBEDTLS_ECDSA_MAX_LEN (from
mbedtls/ecdsa.h) as the signature buffer size.
72 bytes is the maximum size of a signature for a 256-bit key, reached
about 25% of the time. Are you sure you're signing with the key you
intended?
People may be able to help more if you post complete code that we can
run on our machine.
Best regards,
--
Gilles Peskine
Mbed TLS developer
On 20/04/2021 16:49, stefano664 via mbed-tls wrote:
> Hi all,
> I have some problems with mbedTLS during ECDSA signing process.
>
> I followed the example supplied with the source code and write this code:
>
> mbedtls_pk_init(&pk);
> mbedtls_pk_parse_key(&pk, (const unsigned char *)
> flash.flash_ver0.ecc_priv_key, strlen(flash.flash_ver0.ecc_priv_key) +
> 1, (const unsigned char *)CA_DEF_ISSUER_PWD, CA_DEF_ISSUER_PWD_LEN);
> mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), msg, msg_len,
> hash);
> mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, 0, tmp, (size_t *)&len,
> mbedtls_ctr_drbg_random, &ctr_drbg);
>
> The private key is an ECC key with 384 bit. I have two issue:
>
> 1) In tmp variable I found the signature, but it is 72 byte, instead
> of 96 (384*2/87);
> 2) On this signature I try to make a verify, but fails.
>
> Where I'm wrong?
>
> Best regards,
> Stefano
>
--
mbed-tls mailing list
mbed-tls@lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose,
or store or copy the information in any medium. Thank you.