@aseigler
Created October 26, 2018 02:08
Fails and don't know why
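/// <summary>
/// Verifies a NIST P-521 / SHA-512 ECDSA signature over a fixed message and then checks
/// that a tampered copy of the same signature is rejected.
/// </summary>
/// <remarks>
/// <see cref="ECDsa.VerifyData(byte[], byte[], HashAlgorithmName)"/> takes the signature in
/// IEEE P1363 form: r and s concatenated, each left-padded with zeros to the curve's field
/// size (66 bytes for P-521). A DER-encoded signature stores r and s as minimal-length
/// INTEGERs, so a value whose top byte happens to be zero comes out one byte short. Here r
/// is 65 bytes and s is 66 bytes; concatenating them unpadded yields 131 bytes, which does
/// not split into two equal halves and fails verification even though the signature itself
/// is valid. Converting from DER therefore has to re-pad each integer to the field size.
/// </remarks>
[Fact]
public static void ValidateNistP521Sha512Bad()
{
    // ceil(521 / 8): the width of one P-521 field element, and so of r and of s.
    const int FieldSizeBytes = 66;

    byte[] msg = CryptoUtils.HexToByteArray(
        "49960DE5880E8C687434170F6476605B8FE4AEB9A28632C7995CF3BA831D9763" +
        "41000000662388AB8D8915414693BAD43E671D25380020E9820913180B0F34EF" +
        "7F2B3D5A04252064CBD4BF58B3D6E169A0353EBF8E00F7A50102033823200321" +
        "584201B3130CAEA43CFCBB5207B429717B083C09858146A0FAFD2B9F0A3EBE2D" +
        "EBD5E7B6B01F278519BC9F4BBF190787BF23B4669DD0C8FA33B6E13DD667524C" +
        "A04D663022584200A9C77DB202F6027CA5882E077968B62E1392FC9445AE3799" +
        "61CC6C0D5E88BAA63D0971047AD320B323C1CF9444B312FA6AB42341A85F7D78" +
        "3D89113548AA48B0BD2D802BBADF27AD276861E23DC7F27774C78BF4520B648E" +
        "2F863B6EE489D5FD6E"
    );

    byte[] signature = CryptoUtils.HexToByteArray(
        // r: only 65 significant bytes, so one leading zero byte pads it to the field size
        "00" +
        "3D56BD23DF31B31FAFD8012B8DB1EF83E1B2033D4E2B6A536426A81B0B2BFFB4F3" +
        "5DB76ED529A3C39CADD629682FD6A9DAD38A8C03BCAE91978E3E876CF1AAD155" +
        // s: already 66 bytes
        "01989B002BC07E6C01353E1CBD1DF630DBE01A27A72D79A2DAAF0CC32B5C1ABB4E" +
        "327CA19F181CA34A4E147EDE5875F39FAE2656A7520FEC0F45321F27731C0715B4"
    );

    // Fail early, with a clear message, if the fixed-width encoding is ever broken again.
    Assert.Equal(2 * FieldSizeBytes, signature.Length);

    var publicKey = new ECParameters
    {
        Curve = ECCurve.NamedCurves.nistP521,
        Q = new ECPoint
        {
            X = CryptoUtils.HexToByteArray(
                "01B3130CAEA43CFCBB5207B429717B083C09858146A0FAFD2B9F0A3EBE2DEBD5E7" +
                "B6B01F278519BC9F4BBF190787BF23B4669DD0C8FA33B6E13DD667524CA04D6630"),
            Y = CryptoUtils.HexToByteArray(
                "00A9C77DB202F6027CA5882E077968B62E1392FC9445AE379961CC6C0D5E88BAA6" +
                "3D0971047AD320B323C1CF9444B312FA6AB42341A85F7D783D89113548AA48B0BD"),
        },
    };

    // ECDsa is IDisposable; release the key handle when the test finishes.
    using (ECDsa cng = ECDsa.Create(publicKey))
    {
        Assert.True(cng.VerifyData(msg, signature, HashAlgorithmName.SHA512));

        // Negative case: a corrupted signature must never verify. Byte 0 is now the zero
        // padding of r, so flipping it to 0xFF makes r larger than any 521-bit value.
        byte[] tamperedSignature = (byte[])signature.Clone();
        tamperedSignature[0] ^= 0xFF;
        Assert.False(cng.VerifyData(msg, tamperedSignature, HashAlgorithmName.SHA512));
    }
}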

aseigler commented Oct 26, 2018

OpenSSL verifies the same message, public key and DER-encoded signature successfully:

$ openssl dgst -sha512 -verify bad.pem -signature bad.sig bad.bin
Verified OK
$ xxd -p -c 32 bad.bin
49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763
41000000662388ab8d8915414693bad43e671d25380020e9820913180b0f34ef
7f2b3d5a04252064cbd4bf58b3d6e169a0353ebf8e00f7a50102033823200321
584201b3130caea43cfcbb5207b429717b083c09858146a0fafd2b9f0a3ebe2d
ebd5e7b6b01f278519bc9f4bbf190787bf23b4669dd0c8fa33b6e13dd667524c
a04d663022584200a9c77db202f6027ca5882e077968b62e1392fc9445ae3799
61cc6c0d5e88baa63d0971047ad320b323c1cf9444b312fa6ab42341a85f7d78
3d89113548aa48b0bd2d802bbadf27ad276861e23dc7f27774c78bf4520b648e
2f863b6ee489d5fd6e
$ openssl asn1parse -inform DER -in bad.sig
    0:d=0  hl=3 l= 135 cons: SEQUENCE
    3:d=1  hl=2 l=  65 prim: INTEGER           :3D56BD23DF31B31FAFD8012B8DB1EF83E1B2033D4E2B6A536426A81B0B2BFFB4F35DB76ED529A3C39CADD629682FD6A9DAD38A8C03BCAE91978E3E876CF1AAD155
   70:d=1  hl=2 l=  66 prim: INTEGER           :01989B002BC07E6C01353E1CBD1DF630DBE01A27A72D79A2DAAF0CC32B5C1ABB4E327CA19F181CA34A4E147EDE5875F39FAE2656A7520FEC0F45321F27731C0715B4
$ openssl asn1parse -inform PEM -in bad.pem
    0:d=0  hl=3 l= 155 cons: SEQUENCE
    3:d=1  hl=2 l=  16 cons: SEQUENCE
    5:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   14:d=2  hl=2 l=   5 prim: OBJECT            :secp521r1
   21:d=1  hl=3 l= 134 prim: BIT STRING
$ openssl ec -in bad.pem -pubin -text -noout
read EC key
Public-Key: (521 bit)
pub:
    04:01:b3:13:0c:ae:a4:3c:fc:bb:52:07:b4:29:71:
    7b:08:3c:09:85:81:46:a0:fa:fd:2b:9f:0a:3e:be:
    2d:eb:d5:e7:b6:b0:1f:27:85:19:bc:9f:4b:bf:19:
    07:87:bf:23:b4:66:9d:d0:c8:fa:33:b6:e1:3d:d6:
    67:52:4c:a0:4d:66:30:00:a9:c7:7d:b2:02:f6:02:
    7c:a5:88:2e:07:79:68:b6:2e:13:92:fc:94:45:ae:
    37:99:61:cc:6c:0d:5e:88:ba:a6:3d:09:71:04:7a:
    d3:20:b3:23:c1:cf:94:44:b3:12:fa:6a:b4:23:41:
    a8:5f:7d:78:3d:89:11:35:48:aa:48:b0:bd
ASN1 OID: secp521r1
NIST CURVE: P-521
