Question
I'm generating a key pair using the secp256k1 curve. Then I'm using the private key to sign a random String:
byte[] content = "random string".getBytes();
Signature dsa = Signature.getInstance("SHA256withECDSA");
dsa.initSign(privateKey);
dsa.update(content);
byte[] signature = dsa.sign();
The signature byte array has the following content:
[48, 68, 2, 32, 11, 25, 119, -64, -107, 53, -84, 65, -18, -81, -56, 34,
11, 29, 120, 38, -102, 105, -89, -9, -46, -28, 91, 59, -74, -103, -53,
117, 81, -37, 85, 27, 2, 32, 55, 97, -11, -85, 110, -106, 81, -94, 7,
112, 125, -29, -16, -8, 121, 123, 14, -17, -7, -10, 1, -80, -117, 86,
98, -13, -47, -51, 58, -15, -48, 10]
I want to understand what is the content of the signature array. According to the ECDSA Wikipedia page the signature is the values (r, s) that were calculated, but it seems to me there's more in that array. The signature always starts with the bytes
48, 68, 2, 32
Which seem to be some kind of header. Is there a specification that explains the format of that array? Specifically, I want to obtain the r and s values.
Thanks.
Answer 1:
I'm pretty sure this is a dupe but I don't have time to look right now.
There are a few standard representations/encodings of an ECDSA (or DSA) signature. The one Java JCE uses is an ASN.1 DER encoding -- see Wikipedia for basics and details.
Specifically the ECDSA or DSA signature is an ASN.1 SEQUENCE of two INTEGER fields; see ECDSA-Sig-Value in RFC 3279 section 2.2.3 or part of SEC1 appendix C.5 on page 114 or X9.62 but that costs money.
The byte 48 (0x30) is the tag for SEQUENCE (actually 0x10 for SEQUENCE plus 0x20 for 'constructed') and it is followed by one or more bytes giving the length of the body of the sequence; for EC the body is almost always short enough to use a simple one-byte length. The 2 is the tag for INTEGER and it is followed by a byte giving the length of the first integer. After the end of the value (aka contents) of that integer there will be another 2 which is the tag for the second integer followed by a byte which is the length of the second integer. The integers for secp256k1 will usually have length of 32 or 33 octets depending on whether they need padding to ensure the sign is positive, because ASN.1 integers are signed and in DER they are two's-complement, but in rare cases less.
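The layout described in this answer, applied to the signature bytes from the question, as an added example that is not part of the original post: a strict DER reader in plain Java that returns r and s. The class and method names are hypothetical, and accepting the two-byte 0x81 length form (for bodies of 128 to 255 octets) goes beyond the one-byte case the answer covers.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class EcdsaDerSignature {  // hypothetical class name, not a JDK API
    // Signature bytes copied from the question.
    static final byte[] SIG = {
        48, 68, 2, 32, 11, 25, 119, -64, -107, 53, -84, 65, -18, -81, -56, 34,
        11, 29, 120, 38, -102, 105, -89, -9, -46, -28, 91, 59, -74, -103, -53,
        117, 81, -37, 85, 27, 2, 32, 55, 97, -11, -85, 110, -106, 81, -94, 7,
        112, 125, -29, -16, -8, 121, 123, 14, -17, -7, -10, 1, -80, -117, 86,
        98, -13, -47, -51, 58, -15, -48, 10 };

    static void check(boolean ok, String msg) { if (!ok) throw new IllegalArgumentException(msg); }

    // Length: one byte below 0x80 (short form), or 0x81 followed by one byte.
    static int readLength(byte[] der, int[] pos) {
        check(pos[0] < der.length, "truncated length");
        int len = der[pos[0]++] & 0xFF;
        if (len < 0x80) return len;
        check(len == 0x81 && pos[0] < der.length, "unsupported length form");
        len = der[pos[0]++] & 0xFF;
        check(len >= 0x80, "non-minimal length");  // DER requires the shortest form
        return len;
    }

    // INTEGER: tag 0x02, length, big-endian two's-complement value.
    static BigInteger readInteger(byte[] der, int[] pos) {
        check(pos[0] < der.length && der[pos[0]++] == 0x02, "expected INTEGER tag");
        int len = readLength(der, pos);
        check(len > 0 && len <= der.length - pos[0], "bad INTEGER length");
        byte[] v = Arrays.copyOfRange(der, pos[0], pos[0] + len);
        pos[0] += len;
        check(v[0] >= 0, "negative INTEGER");  // r and s are positive
        check(len == 1 || v[0] != 0 || v[1] < 0, "non-minimal zero padding");
        return new BigInteger(1, v);
    }

    // SEQUENCE { INTEGER r, INTEGER s } -> { r, s }
    static BigInteger[] decode(byte[] der) {
        int[] pos = { 0 };
        check(der.length > 0 && der[pos[0]++] == 0x30, "expected SEQUENCE tag");
        check(readLength(der, pos) == der.length - pos[0], "SEQUENCE length mismatch");
        BigInteger r = readInteger(der, pos), s = readInteger(der, pos);
        check(pos[0] == der.length, "trailing bytes after s");
        return new BigInteger[] { r, s };
    }

    public static void main(String[] args) {
        BigInteger[] rs = decode(SIG);
        System.out.println("r = " + rs[0].toString(16) + "\ns = " + rs[1].toString(16));
    }
}
```

Rejecting negative values, redundant zero padding, non-minimal lengths and trailing bytes keeps the reader to a single accepted encoding per (r, s) pair, which matters when signature bytes are compared or hashed rather than only verified.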
Source: https://stackoverflow.com/questions/48530316/what-is-the-output-format-of-the-sha256withecdsa-signature-algorithm