How to handle short hash with longer order of base point in ECDSA

Question

I am using CVC certificates (If you haven't heard about them, pretend they are X509) with Elliptic curve signature with brainpool256r1 curve and SHA1 hash. In java with bouncycastle, I simply verify them like this:

Signature sign = Signature.getInstance("SHA1withECDSA", "BC");
sign.initVerify(key);
sign.update(certificate_data_to_be_verified);
sign.verify(signature);

And everything works fine. However, I need to verify them also in an embedded device, and I have encountered a problem, because I am supposed to use leftmost 256bits of hash to get the value of z at least according to wikipedia ECDSA article. But SHA1 has only 160bits.

How is this solved by bouncycastle, and is there some general theory on how to handle this?

Answer 1

You are confusing an order of base point with a key length.

Here is how Bouncy Castle code performs ECDSA digital signature verification.

private BigInteger calculateE(BigInteger n, byte[] message)
{
    /* n is curve order value */
    int log2n = n.bitLength();
    /* and message is a hash */
    int messageBitLength = message.length * 8;

    BigInteger e = new BigInteger(1, message);
    /* If message is longer than curve order */
    if (log2n < messageBitLength)
    {
        /* only log2n bits are taken from the left */
        e = e.shiftRight(messageBitLength - log2n);
    }
    return e;
}