
GCP KMS - Elliptic curve Signature


I am using Google Cloud KMS to manage my keys, and the Java client libs to interact with KMS. I receive a byte array as the signature of a message, as below:

        byte[] plaintext = message.getBytes(StandardCharsets.UTF_8);

        // Calculate the digest.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] hash = sha256.digest(plaintext);

        // Build the digest object.
        Digest digest = Digest.newBuilder().setSha256(ByteString.copyFrom(hash)).build();

        // Sign the digest.
        AsymmetricSignResponse result = client.asymmetricSign(keyVersionName, digest);

        byte[] signature = result.getSignature().toByteArray();

How do I get a pair of integers {r, s} as a signature, as stated here?


Solution

  • R and S are packed into an Ecdsa-Sig-Value ASN.1 structure. The most straightforward way to extract them would be to rely on a library like BouncyCastle that can read the ASN.1 sequence. For example:

    import java.math.BigInteger;
    import org.bouncycastle.asn1.ASN1Integer;
    import org.bouncycastle.asn1.ASN1Sequence;
    
    // Ecdsa-Sig-Value is a SEQUENCE of two INTEGERs: element 0 is r, element 1 is s.
    private static BigInteger[] extractRandS(byte[] asn1EncodedSignature) {
        ASN1Sequence seq = ASN1Sequence.getInstance(asn1EncodedSignature);
        BigInteger r = ((ASN1Integer) seq.getObjectAt(0)).getValue();
        BigInteger s = ((ASN1Integer) seq.getObjectAt(1)).getValue();
        return new BigInteger[]{r, s};
    }
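
An added example (not part of the original answer, and not Google's or BouncyCastle's code): the same Ecdsa-Sig-Value extraction using only the JDK, with strict length checks, plus left-padding of r and s to a fixed width, since `BigInteger.toByteArray()` can return fewer bytes than the curve size or one extra leading zero byte. The class and method names are hypothetical, and the sample bytes are constructed, not a real signature.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class EcdsaSigValue {
    private final byte[] der;
    private int pos;
    private EcdsaSigValue(byte[] der) { this.der = der; }
    /** Strictly parses DER Ecdsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }. */
    static BigInteger[] parse(byte[] der) {
        EcdsaSigValue p = new EcdsaSigValue(der);
        if (p.next() != 0x30) throw new IllegalArgumentException("not a SEQUENCE");
        if (p.length() != der.length - p.pos) throw new IllegalArgumentException("length mismatch");
        BigInteger r = p.integer(), s = p.integer();
        if (p.pos != der.length) throw new IllegalArgumentException("trailing data");
        return new BigInteger[] {r, s};
    }
    private int next() {
        if (pos >= der.length) throw new IllegalArgumentException("truncated");
        return der[pos++] & 0xff;
    }
    // Short-form lengths only: enough for P-256, P-384 and secp256k1 (content < 128 bytes).
    private int length() {
        int len = next();
        if (len >= 0x80) throw new IllegalArgumentException("long-form length not supported");
        return len;
    }
    private BigInteger integer() {
        if (next() != 0x02) throw new IllegalArgumentException("not an INTEGER");
        int len = length();
        if (len == 0 || len > der.length - pos) throw new IllegalArgumentException("bad INTEGER");
        BigInteger v = new BigInteger(Arrays.copyOfRange(der, pos, pos + len));
        pos += len;
        if (v.signum() <= 0) throw new IllegalArgumentException("r and s must be positive");
        return v;
    }
    /** Writes v right-aligned into size bytes at off, dropping BigInteger's sign byte. */
    static void pad(BigInteger v, byte[] out, int off, int size) {
        byte[] b = v.toByteArray();
        int start = (b.length > size && b[0] == 0) ? 1 : 0;
        if (b.length - start > size) throw new IllegalArgumentException("wider than curve");
        System.arraycopy(b, start, out, off + size - (b.length - start), b.length - start);
    }
    public static void main(String[] args) {
        // Constructed sample, not a real signature: r = 0x80 (DER adds a 0x00 sign byte), s = 5.
        byte[] der = {0x30, 0x07, 0x02, 0x02, 0x00, (byte) 0x80, 0x02, 0x01, 0x05};
        BigInteger[] rs = parse(der);
        byte[] raw = new byte[8];                      // r||s at a toy width of 4 bytes each
        pad(rs[0], raw, 0, 4); pad(rs[1], raw, 4, 4);
        System.out.println(rs[0] + " " + rs[1] + " " + Arrays.toString(raw));
    }
}
```

For a real key, pass the curve's coordinate size as `size` (32 for P-256 and secp256k1, 48 for P-384) and allocate `2 * size` bytes.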