Properly specify the encoding when verifying ECDSA signatures

twiss · twiss · commit b80a630c1b39 · 2025-06-25T20:42:28.000+02:00
When verifying an ECDSA signature, properly specify how to convert
the byte sequence to a pair of integers, which RFC 6090 requires,
by referring to the Octet-String-to-Integer Conversion steps in
RFC 6090.

If the signature is of an incorrect length, return false, as the
web platform tests require and all implementations seem to do.

Similarly, when signing, refer to the Integer-to-Octet-String Conversion
steps in RFC 6090 instead of specifying our own conversion from a byte
sequence to an integer.

Also, refer to the proper sections for signing and verifying in RFC 6090.
The subsections 5.4.2 and 5.4.3 refer to "KT-I signatures", which are
equivalent to ECDSA signatures, while section 5.3 refers to "KT-IV
signatures", which are encoded differently.

Finally, harmonize the parameter names with those specified in RFC 6090.
diff --git a/spec/Overview.html b/spec/Overview.html
@@ -624,15 +624,6 @@ <h2>Terminology</h2>
           bits of value zero to |b| such that the length of the resulting bit sequence is minimal and an integer multiple of 8
           and then considering each consecutive sequence of 8 bits in that string as a byte.
         </p>
-        <p>
-          When this specification says to <dfn id="dfn-convert-integer-to-byte-sequence">convert a non-negative
-          integer |i| to a byte sequence of length |n|</dfn>, where |n| * 8
-          is greater than the logarithm to base 2 of |i|, the user agent must
-          first calculate the binary representation of |i|, most significant bit first,
-          prefix this with sufficient zero bits to form a bit sequence of length |n| * 8, and
-          then return the [= byte sequence =] formed by considering each consecutive
-          sequence of 8 bits in that bit sequence as a byte.
-        </p>
         <p>
           Comparing two strings in a <dfn id="case-sensitive">case-sensitive</dfn>
           manner means comparing them exactly, code point for code point.
@@ -7108,13 +7099,13 @@ <h5>Sign</h5>
               </li>
               <li>
                 <p>
-                  Let |M| be the result of performing the digest operation specified by
+                  Let |m| be the result of performing the digest operation specified by
                   |hashAlgorithm| using |message|.
                 </p>
               </li>
               <li>
                 <p>
-                  Let |d| be the ECDSA private key associated with |key|.
+                  Let |z| be the ECDSA private key associated with |key|.
                 </p>
               </li>
               <li>
@@ -7135,14 +7126,15 @@ <h5>Sign</h5>
                       <li>
                         <p>
                           Perform the ECDSA signing process, as specified in [[RFC6090]],
-                          Section 5.4, with |M| as the message, using |params| as the
-                          EC domain parameters, and with |d| as the private key.
+                          Section 5.4.2, with |m| as the message,
+                          and |z| as the private key,
+                          using |params| as the EC domain parameters.
                         </p>
                       </li>
                       <li>
                         <p>
-                        Let |r| and |s| be the pair of integers resulting from
-                        performing the ECDSA signing process.
+                          Let |s1| and |s2| be the pair of integers resulting from
+                          performing the ECDSA signing process.
                         </p>
                       </li>
                       <li>
@@ -7152,21 +7144,18 @@ <h5>Sign</h5>
                       </li>
                       <li>
                         <p>
-                          Let |n| be the smallest integer such that |n| * 8 is greater than
-                          the logarithm to base 2 of the order of the base point of the elliptic curve identified
-                          by |params|.
-                        </p>
-                      </li>
-                      <li>
-                        <p>
-                          <a href="#dfn-convert-integer-to-byte-sequence">Convert |r| to a byte sequence of
-                          length |n|</a> and append it to |result|.
+                          Perform the Integer-to-Octet-String Conversion,
+                          as specified in [[RFC6090]], Section 6.2,
+                          with |s1| as the integer |x|,
+                          and append the result to |result|.
                         </p>
                       </li>
                       <li>
                         <p>
-                          <a href="#dfn-convert-integer-to-byte-sequence">Convert |s| to a byte sequence of
-                          length |n|</a> and append it to |result|.
+                          Perform the Integer-to-Octet-String Conversion,
+                          as specified in [[RFC6090]], Section 6.2,
+                          with |s2| as the integer |x|,
+                          and append the result to |result|.
                         </p>
                       </li>
                     </ol>
@@ -7180,8 +7169,8 @@ <h5>Sign</h5>
                   <dd>
                     <p>
                       Perform the [= ECDSA signature steps =]
-                      specified in that specification, passing in |M|, |params|
-                      and |d| and resulting in |result|.
+                      specified in that specification, passing in |m|, |z|,
+                      and |params|, and resulting in |result|.
                     </p>
                   </dd>
                 </dl>
@@ -7212,13 +7201,13 @@ <h5>Verify</h5>
               </li>
               <li>
                 <p>
-                  Let |M| be the result of performing the digest operation specified by
+                  Let |m| be the result of performing the digest operation specified by
                   |hashAlgorithm| using |message|.
                 </p>
               </li>
               <li>
                 <p>
-                  Let |Q| be the ECDSA public key associated with |key|.
+                  Let |Y| be the ECDSA public key associated with |key|.
                 </p>
               </li>
               <li>
@@ -7235,12 +7224,46 @@ <h5>Verify</h5>
                     |key| is "`P-256`", "`P-384`" or "`P-521`":
                   </dt>
                   <dd>
-                    <p>
-                      Perform the ECDSA verifying process, as specified in [[RFC6090]], Section 5.3, with |M| as the received
-                      message, |signature| as the received signature and using
-                      |params| as the EC domain parameters, and
-                      |Q| as the public key.
-                    </p>
+                    <ol>
+                      <li>
+                        <p>
+                          Let |n| be the smallest integer such that |n| * 8 is greater than
+                          the logarithm to base 2 of the order of the base point of the elliptic curve identified
+                          by |params|.
+                        </p>
+                      </li>
+                      <li>
+                        <p>
+                          If |signature| does not have a [= byte sequence/length =] of |n| * 2 bytes,
+                          then return false.
+                        </p>
+                      </li>
+                      <li>
+                        <p>
+                          Let |s1| be the result of performing the
+                          Octet-String-to-Integer Conversion,
+                          as specified in [[RFC6090]], Section 6.1,
+                          with the first |n| bytes of |signature| as the octet string |S|.
+                        </p>
+                      </li>
+                      <li>
+                        <p>
+                          Let |s2| be the result of performing the
+                          Octet-String-to-Integer Conversion,
+                          as specified in [[RFC6090]], Section 6.1,
+                          with the last |n| bytes of |signature| as the octet string |S|.
+                        </p>
+                      </li>
+                      <li>
+                        <p>
+                          Perform the ECDSA verifying process, as specified in [[RFC6090]],
+                          Section 5.4.3, with |m| as the message,
+                          (|s1|, |s2|) as the signature,
+                          and |Y| as the public key,
+                          using |params| as the EC domain parameters.
+                        </p>
+                      </li>
+                    </ol>
                   </dd>
                   <dt>
                     Otherwise, the {{EcKeyAlgorithm/namedCurve}} attribute
@@ -7251,8 +7274,8 @@ <h5>Verify</h5>
                   <dd>
                     <p>
                       Perform the [= ECDSA verification steps =]
-                      specified in that specification passing in |M|, |signature|,
-                      |params| and |Q| and resulting in an indication of whether
+                      specified in that specification passing in |m|, |signature|,
+                      |Y|, and |params|, and resulting in an indication of whether
                       or not the purported signature is valid.
                     </p>
                   </dd>
