--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200 +++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200 @@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[] 0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77, 0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77}; +const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'}; +const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',}; +const uint8_t kP521SpkiUnpaddedSig[] = { + 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86, + 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29, + 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a, + 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18, + 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7, + 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52, + 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88, + 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57, + 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd, + 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b, + 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35, + 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c, + 0xe2, 0x9f}; +const uint8_t kP521SignatureUnpaddedSigLong[] = { + 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe, + 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4, + 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42, + 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde, + 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e, + 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89, + 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b, + 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40, + 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb, + 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b, + 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a}; +const uint8_t kP521SignatureUnpaddedSigShort[] = { + 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11, + 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde, + 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99, + 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9, + 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65, + 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38, + 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75, + 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95, + 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c, + 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5, + 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e}; +const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'}; +const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'}; +const uint8_t kP384SpkiUnpaddedSig[] = { + 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, + 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa, + 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e, + 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3, + 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e, + 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf, + 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d, + 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5, + 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a}; +const uint8_t kP384SignatureUnpaddedSigLong[] = { + 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58, + 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59, + 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0, + 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde, + 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc, + 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c, + 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc, + 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6}; +const uint8_t kP384SignatureUnpaddedSigShort[] = { + 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13, + 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e, + 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b, + 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf, + 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc, + 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50, + 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f, + 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9}; +const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'}; +const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'}; +const uint8_t kP256SpkiUnpaddedSig[] = { + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, + 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b, + 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa, + 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e, + 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f, + 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75, + 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 }; +const uint8_t kP256SignatureUnpaddedSigLong[] = { + 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56, + 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6, + 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11, + 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80, + 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47, + 0xcf, 0x61, 0x91, 0x5f}; +const uint8_t kP256SignatureUnpaddedSigShort[] = { + 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61, + 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28, + 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16, + 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c, + 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9, + 0x78, 0xc4}; } // namespace nss_test --- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200 +++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200 @@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun SEC_OID_SECG_EC_SECP521R1, SEC_OID_CURVE25519)); +class Pkcs11EcdsaUnpaddedSignatureTest + : public Pkcs11EcdsaTestBase, + public ::testing::WithParamInterface { + public: + Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {} +}; + +static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = { + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)), + DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)), + DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)), + DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)), + DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)), + DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)), + DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)), + DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)), + DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)), + DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)), + DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}}, + {SEC_OID_SHA512, + {DataBuffer(NULL, 0), + DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)), + DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)), + DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}} +}; + +TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); } +INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest, + ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors)); } // namespace nss_test --- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200 +++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200 @@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey * { SECStatus res = SECSuccess; + unsigned char _padded_sig_data[64] = { 0 }; + unsigned char *sig_r, *sig_s; + if (!key || !signature || !digest || !key->publicValue.data || !signature->data || !digest->data || @@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey * return res; } - if (key->publicValue.len != 65 || - digest->len == 0 || - signature->len != 64) { + unsigned int olen = key->ecParams.order.len; + if (signature->len == 0 || signature->len % 2 != 0 || + signature->len > 2 * olen || + digest->len == 0 || key->publicValue.len != 65) { PORT_SetError(SEC_ERROR_INPUT_LEN); res = SECFailure; return res; @@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey * return res; } + /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */ + if (signature->len != 64) { + unsigned split = signature->len / 2; + unsigned pad = 32 - split; + + unsigned char *o_sig = signature->data; + unsigned char *p_sig = _padded_sig_data; + + memcpy(p_sig + pad, o_sig, split); + memcpy(p_sig + 32 + pad, o_sig + split, split); + + sig_r = p_sig; + sig_s = p_sig + 32; + } else { + sig_r = signature->data; + sig_s = signature->data + 32; + } + + uint8_t hash[32] = { 0 }; if (digest->len < 32) { memcpy(hash + 32 - digest->len, digest->data, digest->len); @@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey * bool b = Hacl_P256_ecdsa_verif_without_hash( 32, hash, key->publicValue.data + 1, - signature->data, signature->data + 32); + sig_r, sig_s); if (!b) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); res = SECFailure; --- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200 +++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200 @@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey * { SECStatus res = SECSuccess; + unsigned char _padded_sig_data[96] = { 0 }; + unsigned char *sig_r, *sig_s; + if (!key || !signature || !digest || !key->publicValue.data || !signature->data || !digest->data || @@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey * return res; } - if (key->publicValue.len != 97 || - digest->len == 0 || - signature->len != 96) { + unsigned int olen = key->ecParams.order.len; + if (signature->len == 0 || signature->len % 2 != 0 || + signature->len > 2 * olen || + digest->len == 0 || key->publicValue.len != 97) { PORT_SetError(SEC_ERROR_INPUT_LEN); res = SECFailure; return res; @@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey * return res; } + /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */ + if (signature->len != 96) { + unsigned split = signature->len / 2; + unsigned pad = 48 - split; + + unsigned char *o_sig = signature->data; + unsigned char *p_sig = _padded_sig_data; + + memcpy(p_sig + pad, o_sig, split); + memcpy(p_sig + 48 + pad, o_sig + split, split); + + sig_r = p_sig; + sig_s = p_sig + 48; + } else { + sig_r = signature->data; + sig_s = signature->data + 48; + } + uint8_t hash[48] = { 0 }; if (digest->len < 48) { memcpy(hash + 48 - digest->len, digest->data, digest->len); @@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey * bool b = Hacl_P384_ecdsa_verif_without_hash( 48, hash, key->publicValue.data + 1, - signature->data, signature->data + 48); + sig_r, sig_s); if (!b) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); res = SECFailure; --- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200 +++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200 @@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey * { SECStatus res = SECSuccess; + unsigned char _padded_sig_data[132] = { 0 }; + unsigned char *sig_r, *sig_s; + if (!key || !signature || !digest || !key->publicValue.data || !signature->data || !digest->data || @@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey * return res; } - if (key->publicValue.len != 133 || - digest->len == 0 || - signature->len != 132) { + unsigned int olen = key->ecParams.order.len; + if (signature->len == 0 || signature->len % 2 != 0 || + signature->len > 2 * olen || + digest->len == 0 || key->publicValue.len != 133) { PORT_SetError(SEC_ERROR_INPUT_LEN); res = SECFailure; return res; @@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey * return res; } + /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */ + if (signature->len != 132) { + unsigned split = signature->len / 2; + unsigned pad = 66 - split; + + unsigned char *o_sig = signature->data; + unsigned char *p_sig = _padded_sig_data; + + memcpy(p_sig + pad, o_sig, split); + memcpy(p_sig + 66 + pad, o_sig + split, split); + + sig_r = p_sig; + sig_s = p_sig + 66; + } else { + sig_r = signature->data; + sig_s = signature->data + 66; + } + uint8_t hash[66] = { 0 }; if (digest->len < 66) { memcpy(hash + 66 - digest->len, digest->data, digest->len); @@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey * bool b = Hacl_P521_ecdsa_verif_without_hash( 66, hash, key->publicValue.data + 1, - signature->data, signature->data + 66); + sig_r, sig_s); if (!b) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); res = SECFailure;