3.3.4. ECDSA Using Curve P-256 DSS and SHA-256

To sign using this algorithm, the signer applies the ECDSA signature algorithm defined in [FIPS186-5] using curve P-256 with the signer's private signing key and the signature base (Section 2.5). The hash SHA-256 [RFC6234] is applied to the signature base to create the digest content to which the digital signature is applied (M). The signature algorithm returns two integer values: r and s. These are both encoded as big-endian unsigned integers, zero-padded to 32 octets each. These encoded values are concatenated into a single 64-octet array consisting of the encoded value of r followed by the encoded value of s. The resulting concatenation of (r, s) is a byte array of the HTTP message signature output used in Section 3.1.

To verify using this algorithm, the verifier applies the ECDSA signature algorithm defined in [FIPS186-5] using the public key portion of the verification key material and the signature base recreated as described in Section 3.2. The hash function SHA-256 [RFC6234] is applied to the signature base to create the digest content to which the signature verification function is applied (M). The verifier extracts the HTTP message signature to be verified (S) as described in Section 3.2. This value is a 64-octet array consisting of the encoded values of r and s concatenated in order. These are both encoded as big-endian unsigned integers, zero-padded to 32 octets each. The resulting signature value (r, s) is used as input to the signature verification function. The results of the verification function indicate whether the signature presented is valid.

Note that the output of ECDSA signature algorithms is non-deterministic; therefore, it is not correct to recalculate a new signature on the signature base and compare the results to an existing signature. Instead, the verification algorithm defined here needs to be used. See Section 7.3.5.

The use of this algorithm can be indicated at runtime using the ecdsa-p256-sha256 value for the alg signature parameter.
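The fixed-width encoding of (r, s) described above is a common source of interoperability failures, because many ECDSA libraries emit and expect an ASN.1 DER structure instead of the 64-octet concatenation. The following Python sketch is an added example, not part of the specification: the function names are hypothetical, and the strict DER parsing and the range check on r and s against the P-256 group order are assumptions layered on top of the text of this section.

```python
# Added example: the 64-octet r||s signature encoding for ecdsa-p256-sha256.
# Order n of the P-256 base point; ECDSA requires 1 <= r, s <= n - 1.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _check(v):
    if not 1 <= v < P256_N:
        raise ValueError("r and s must be in [1, n-1]")
    return v


def encode_rs(r, s):
    """r then s, each a big-endian unsigned integer zero-padded to 32 octets."""
    return _check(r).to_bytes(32, "big") + _check(s).to_bytes(32, "big")


def decode_rs(sig):
    """Split a received signature into (r, s); reject anything not 64 octets."""
    if len(sig) != 64:
        raise ValueError("signature must be exactly 64 octets")
    return (_check(int.from_bytes(sig[:32], "big")),
            _check(int.from_bytes(sig[32:], "big")))


def _der_int(buf, pos):
    """Read one strict DER INTEGER at pos; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02 or buf[pos + 1] >= 0x80:
        raise ValueError("expected short-form DER INTEGER")
    body = buf[pos + 2:pos + 2 + buf[pos + 1]]
    if len(body) != buf[pos + 1] or not body or body[0] & 0x80:
        raise ValueError("truncated, empty or negative INTEGER")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos + 2 + len(body)


def der_to_raw(der):
    """Convert DER SEQUENCE { INTEGER r, INTEGER s } to the 64-octet form."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("expected one short-form DER SEQUENCE")
    r, pos = _der_int(der, 2)
    s, pos = _der_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing data after s")
    return encode_rs(r, s)
```

A verifier would call `decode_rs` on the received signature value before handing (r, s) to its ECDSA verification function; a signer whose library returns DER would call `der_to_raw` before placing the value in the message.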