Clarify the use of ECDSA API

In the ecdsa.c sample application we don't use hashing, we use ecdsa directly on a buffer containing plain text. Although the text explains that it should be the message hash it still can be confusing. Any misunderstandings here are potentially very dangerous, because ECDSA truncates the message hash if necessary and this can lead to trivial signature forgeries if the API is misused and the message is passed directly to the function without hashing. This commit adds a hash computation step to the ecdsa.c sample application and clarification to the doxygen documentation of the ECDSA functions involved.
2025-08-08 17:42:09 +03:00 · 2017-03-10 11:31:41 +00:00
parent b5ba28cbea
commit 0a5154b8a1
3 changed files with 56 additions and 7 deletions
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -37,6 +37,7 @@
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/ecdsa.h"
+#include "mbedtls/sha256.h"

 #include <string.h>
 #endif
@@ -101,8 +102,10 @@ int main( int argc, char *argv[] )
    mbedtls_ecdsa_context ctx_sign, ctx_verify;
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
-    unsigned char hash[] = "This should be the hash of a message.";
-    unsigned char sig[512];
+    mbedtls_sha256_context sha256_ctx;
+    unsigned char message[100];
+    unsigned char hash[32];
+    unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
    size_t sig_len;
    const char *pers = "ecdsa";
    ((void) argv);
@@ -110,8 +113,10 @@ int main( int argc, char *argv[] )
    mbedtls_ecdsa_init( &ctx_sign );
    mbedtls_ecdsa_init( &ctx_verify );
    mbedtls_ctr_drbg_init( &ctr_drbg );
+    mbedtls_sha256_init( &sha256_ctx );

-    memset(sig, 0, sizeof( sig ) );
+    memset( sig, 0, sizeof( sig ) );
+    memset( message, 0x25, sizeof( message ) );
    ret = 1;

    if( argc != 1 )
@@ -155,9 +160,23 @@ int main( int argc, char *argv[] )
    dump_pubkey( "  + Public key: ", &ctx_sign );

    /*
-     * Sign some message hash
+     * Compute message hash
     */
-    mbedtls_printf( "  . Signing message..." );
+    mbedtls_printf( "  . Computing message hash..." );
+    fflush( stdout );
+
+    mbedtls_sha256_starts( &sha256_ctx, 0 );
+    mbedtls_sha256_update( &sha256_ctx, message, sizeof( message ) );
+    mbedtls_sha256_finish( &sha256_ctx, hash );
+
+    mbedtls_printf( " ok\n" );
+
+    dump_buf( "  + Hash: ", hash, sizeof( hash ) );
+
+    /*
+     * Sign message hash
+     */
+    mbedtls_printf( "  . Signing message hash..." );
    fflush( stdout );

    if( ( ret = mbedtls_ecdsa_write_signature( &ctx_sign, MBEDTLS_MD_SHA256,
@@ -170,7 +189,6 @@ int main( int argc, char *argv[] )
    }
    mbedtls_printf( " ok (signature length = %u)\n", (unsigned int) sig_len );

-    dump_buf( "  + Hash: ", hash, sizeof hash );
    dump_buf( "  + Signature: ", sig, sig_len );

    /*
@@ -224,6 +242,7 @@ exit:
    mbedtls_ecdsa_free( &ctx_sign );
    mbedtls_ctr_drbg_free( &ctr_drbg );
    mbedtls_entropy_free( &entropy );
+    mbedtls_sha256_free( &sha256_ctx );

    return( ret );
 }