Add canonical signature/pubkey methods to ECKey and tests therefor.

2025-02-07 14:54:15 +00:00 · 2013-06-16 17:26:00 +02:00 · 2013-06-16 17:26:00 +02:00 · d6fec93be3
commit d6fec93be3
parent ec3708d159
4 changed files with 156 additions and 0 deletions
--- a/core/src/main/java/com/google/bitcoin/core/ECKey.java
+++ b/core/src/main/java/com/google/bitcoin/core/ECKey.java
@ -473,6 +473,65 @@ public class ECKey implements Serializable {
        return ECKey.verify(sigHash.getBytes(), signature, getPubKey());
    }

+    /**
+     * Returns true if the given signature is in canonical form (ie will be accepted as standard by the reference client)
+     */
+    public static boolean isSignatureCanonical(byte[] signature) {
+        // See reference client's IsCanonicalSignature, https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
+        // A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S> <hashtype>
+        // Where R and S are not negative (their first byte has its highest bit not set), and not
+        // excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
+        // in which case a single 0 byte is necessary and even required).
+        if (signature.length < 9 || signature.length > 73)
+            return false;
+
+        int hashType = signature[signature.length-1] & ((int)(~Transaction.SIGHASH_ANYONECANPAY_VALUE));
+        if (hashType < (Transaction.SigHash.ALL.ordinal() + 1) || hashType > (Transaction.SigHash.SINGLE.ordinal() + 1))
+            return false;
+
+        //                   "wrong type"                  "wrong length marker"
+        if ((signature[0] & 0xff) != 0x30 || (signature[1] & 0xff) != signature.length-3)
+            return false;
+
+        int lenR = signature[3] & 0xff;
+        if (5 + lenR >= signature.length || lenR == 0)
+            return false;
+        int lenS = signature[5+lenR] & 0xff;
+        if (lenR + lenS + 7 != signature.length || lenS == 0)
+            return false;
+
+        //    R value type mismatch          R value negative
+        if (signature[4-2] != 0x02 || (signature[4] & 0x80) == 0x80)
+            return false;
+        if (lenR > 1 && signature[4] == 0x00 && (signature[4+1] & 0x80) != 0x80)
+            return false; // R value excessively padded
+
+        //       S value type mismatch                    S value negative
+        if (signature[6 + lenR - 2] != 0x02 || (signature[6 + lenR] & 0x80) == 0x80)
+            return false;
+        if (lenS > 1 && signature[6 + lenR] == 0x00 && (signature[6 + lenR + 1] & 0x80) != 0x80)
+            return false; // S value excessively padded
+
+        return true;
+    }
+
+    /**
+     * Returns true if the given pubkey is canonical (ie the correct length for its declared type)
+     */
+    public static boolean isPubKeyCanonical(byte[] pubkey) {
+        if (pubkey.length < 33)
+            return false;
+        if (pubkey[0] == 0x04) { // Uncompressed pubkey
+            if (pubkey.length != 65)
+                return false;
+        } else if (pubkey[0] == 0x02 || pubkey[0] == 0x03) { // Compressed pubkey
+            if (pubkey.length != 33)
+                return false;
+        } else
+            return false;
+        return true;
+    }
+
    private static BigInteger extractPrivateKeyFromASN1(byte[] asn1privkey) {
        // To understand this code, see the definition of the ASN.1 format for EC private keys in the OpenSSL source
        // code in ec_asn1.c:
--- a/core/src/test/java/com/google/bitcoin/core/ECKeyTest.java
+++ b/core/src/test/java/com/google/bitcoin/core/ECKeyTest.java
@ -37,6 +37,8 @@ import java.math.BigInteger;
 import java.security.SecureRandom;
 import java.security.SignatureException;
 import java.util.Arrays;
+import java.util.Random;
+import java.io.InputStream;

 import static com.google.bitcoin.core.Utils.reverseBytes;
 import static org.junit.Assert.*;
@ -353,6 +355,7 @@ public class ECKeyTest {
        assertTrue(found);
    }

+    @Test
    public void roundTripDumpedPrivKey() throws Exception {
        ECKey key = new ECKey();
        assertTrue(key.isCompressed());
@ -385,6 +388,71 @@ public class ECKeyTest {
        checkAllBytesAreZero(encryptedKey.getEncryptedPrivateKey().getInitialisationVector());
    }

+    @Test
+    public void testCanonicalSigs() throws Exception {
+        // Tests the canonical sigs from the reference client unit tests
+        InputStream in = getClass().getResourceAsStream("sig_canonical.json");
+
+        // Poor man's JSON parser (because pulling in a lib for this is overkill)
+        while (in.available() > 0) {
+            while (in.available() > 0 && in.read() != '"') ;
+            if (in.available() < 1)
+                break;
+
+            StringBuilder sig = new StringBuilder();
+            int c;
+            while (in.available() > 0 && (c = in.read()) != '"')
+                sig.append((char)c);
+
+            assertTrue(ECKey.isSignatureCanonical(Hex.decode(sig.toString())));
+        }
+        in.close();
+    }
+
+    @Test
+    public void testNonCanonicalSigs() throws Exception {
+        // Tests the noncanonical sigs from the reference client unit tests
+        InputStream in = getClass().getResourceAsStream("sig_noncanonical.json");
+
+        // Poor man's JSON parser (because pulling in a lib for this is overkill)
+        while (in.available() > 0) {
+            while (in.available() > 0 && in.read() != '"') ;
+            if (in.available() < 1)
+                break;
+
+            StringBuilder sig = new StringBuilder();
+            int c;
+            while (in.available() > 0 && (c = in.read()) != '"')
+                sig.append((char)c);
+
+            try {
+                assertFalse(ECKey.isSignatureCanonical(Hex.decode(sig.toString())));
+            } catch (StringIndexOutOfBoundsException e) { } // Expected for non-hex strings in the JSON that we should ignore
+        }
+        in.close();
+    }
+
+    @Test
+    public void testCreatedSigAndPubkeyAreCanonical() throws Exception {
+        // Tests that we will not generate non-canonical pubkeys or signatures
+        // We dump failed data to error log because this test is not expected to be deterministic
+        ECKey key = new ECKey();
+        if (!ECKey.isPubKeyCanonical(key.getPubKey())) {
+            log.error(Utils.bytesToHexString(key.getPubKey()));
+            fail();
+        }
+
+        byte[] hash = new byte[32];
+        new Random().nextBytes(hash);
+        byte[] sigBytes = key.sign(new Sha256Hash(hash)).encodeToDER();
+        byte[] encodedSig = Arrays.copyOf(sigBytes, sigBytes.length + 1);
+        encodedSig[sigBytes.length] = (byte) (Transaction.SigHash.ALL.ordinal() + 1);
+        if (!ECKey.isSignatureCanonical(encodedSig)) {
+            log.error(Utils.bytesToHexString(sigBytes));
+            fail();
+        }
+    }
+
    private boolean checkSomeBytesAreNonZero(byte[] bytes) {
        if (bytes == null) {
            return false;
--- a/core/src/test/resources/com/google/bitcoin/core/sig_canonical.json
+++ b/core/src/test/resources/com/google/bitcoin/core/sig_canonical.json
@ -0,0 +1,7 @@
+[
+    "300602010002010001",
+    "3008020200ff020200ff01",
+    "304402203932c892e2e550f3af8ee4ce9c215a87f9bb831dcac87b2838e2c2eaa891df0c022030b61dd36543125d56b9f9f3a1f9353189e5af33cdda8d77a5209aec03978fa001",
+    "30450220076045be6f9eca28ff1ec606b833d0b87e70b2a630f5e3a496b110967a40f90a0221008fffd599910eefe00bc803c688c2eca1d2ba7f6b180620eaa03488e6585db6ba01",
+    "3046022100876045be6f9eca28ff1ec606b833d0b87e70b2a630f5e3a496b110967a40f90a0221008fffd599910eefe00bc803c688c2eca1d2ba7f6b180620eaa03488e6585db6ba01"
+]
--- a/core/src/test/resources/com/google/bitcoin/core/sig_noncanonical.json
+++ b/core/src/test/resources/com/google/bitcoin/core/sig_noncanonical.json
@ -0,0 +1,22 @@
+[
+    "non-hex strings are ignored",
+
+    "too short:",    "30050201FF020001",
+    "too long:",     "30470221005990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba6105022200002d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+    "hashtype:",     "304402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed11",
+    "type:",         "314402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+    "total length:", "304502205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+    "S len oob:",    "301F01205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb101",
+    "R+S:",          "304502205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed0001",
+
+    "R type:",       "304401205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+    "R len = 0:",    "3024020002202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+    "R<0:",          "304402208990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+    "R padded:",     "30450221005990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+
+
+    "S type:",       "304402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610501202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+    "S len = 0:",    "302402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba6105020001",
+    "S<0:",          "304402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba61050220fd5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01",
+    "S padded:",     "304502205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba61050221002d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01"
+]