diff --git a/core/src/main/java/com/google/bitcoin/core/ECKey.java b/core/src/main/java/com/google/bitcoin/core/ECKey.java index 7fb2176e..4394e781 100644 --- a/core/src/main/java/com/google/bitcoin/core/ECKey.java +++ b/core/src/main/java/com/google/bitcoin/core/ECKey.java @@ -473,6 +473,65 @@ public class ECKey implements Serializable { return ECKey.verify(sigHash.getBytes(), signature, getPubKey()); } + /** + * Returns true if the given signature is in canonical form (ie will be accepted as standard by the reference client) + */ + public static boolean isSignatureCanonical(byte[] signature) { + // See reference client's IsCanonicalSignature, https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623 + // A canonical signature exists of: <30> <02> <02> + // Where R and S are not negative (their first byte has its highest bit not set), and not + // excessively padded (do not start with a 0 byte, unless an otherwise negative number follows, + // in which case a single 0 byte is necessary and even required). + if (signature.length < 9 || signature.length > 73) + return false; + + int hashType = signature[signature.length-1] & ((int)(~Transaction.SIGHASH_ANYONECANPAY_VALUE)); + if (hashType < (Transaction.SigHash.ALL.ordinal() + 1) || hashType > (Transaction.SigHash.SINGLE.ordinal() + 1)) + return false; + + // "wrong type" "wrong length marker" + if ((signature[0] & 0xff) != 0x30 || (signature[1] & 0xff) != signature.length-3) + return false; + + int lenR = signature[3] & 0xff; + if (5 + lenR >= signature.length || lenR == 0) + return false; + int lenS = signature[5+lenR] & 0xff; + if (lenR + lenS + 7 != signature.length || lenS == 0) + return false; + + // R value type mismatch R value negative + if (signature[4-2] != 0x02 || (signature[4] & 0x80) == 0x80) + return false; + if (lenR > 1 && signature[4] == 0x00 && (signature[4+1] & 0x80) != 0x80) + return false; // R value excessively padded + + // S value type mismatch S value negative + if (signature[6 + lenR - 2] != 0x02 || (signature[6 + lenR] & 0x80) == 0x80) + return false; + if (lenS > 1 && signature[6 + lenR] == 0x00 && (signature[6 + lenR + 1] & 0x80) != 0x80) + return false; // S value excessively padded + + return true; + } + + /** + * Returns true if the given pubkey is canonical (ie the correct length for its declared type) + */ + public static boolean isPubKeyCanonical(byte[] pubkey) { + if (pubkey.length < 33) + return false; + if (pubkey[0] == 0x04) { // Uncompressed pubkey + if (pubkey.length != 65) + return false; + } else if (pubkey[0] == 0x02 || pubkey[0] == 0x03) { // Compressed pubkey + if (pubkey.length != 33) + return false; + } else + return false; + return true; + } + private static BigInteger extractPrivateKeyFromASN1(byte[] asn1privkey) { // To understand this code, see the definition of the ASN.1 format for EC private keys in the OpenSSL source // code in ec_asn1.c: diff --git a/core/src/test/java/com/google/bitcoin/core/ECKeyTest.java b/core/src/test/java/com/google/bitcoin/core/ECKeyTest.java index 6a82f59e..20addb62 100644 --- a/core/src/test/java/com/google/bitcoin/core/ECKeyTest.java +++ b/core/src/test/java/com/google/bitcoin/core/ECKeyTest.java @@ -37,6 +37,8 @@ import java.math.BigInteger; import java.security.SecureRandom; import java.security.SignatureException; import java.util.Arrays; +import java.util.Random; +import java.io.InputStream; import static com.google.bitcoin.core.Utils.reverseBytes; import static org.junit.Assert.*; @@ -353,6 +355,7 @@ public class ECKeyTest { assertTrue(found); } + @Test public void roundTripDumpedPrivKey() throws Exception { ECKey key = new ECKey(); assertTrue(key.isCompressed()); @@ -385,6 +388,71 @@ public class ECKeyTest { checkAllBytesAreZero(encryptedKey.getEncryptedPrivateKey().getInitialisationVector()); } + @Test + public void testCanonicalSigs() throws Exception { + // Tests the canonical sigs from the reference client unit tests + InputStream in = getClass().getResourceAsStream("sig_canonical.json"); + + // Poor man's JSON parser (because pulling in a lib for this is overkill) + while (in.available() > 0) { + while (in.available() > 0 && in.read() != '"') ; + if (in.available() < 1) + break; + + StringBuilder sig = new StringBuilder(); + int c; + while (in.available() > 0 && (c = in.read()) != '"') + sig.append((char)c); + + assertTrue(ECKey.isSignatureCanonical(Hex.decode(sig.toString()))); + } + in.close(); + } + + @Test + public void testNonCanonicalSigs() throws Exception { + // Tests the noncanonical sigs from the reference client unit tests + InputStream in = getClass().getResourceAsStream("sig_noncanonical.json"); + + // Poor man's JSON parser (because pulling in a lib for this is overkill) + while (in.available() > 0) { + while (in.available() > 0 && in.read() != '"') ; + if (in.available() < 1) + break; + + StringBuilder sig = new StringBuilder(); + int c; + while (in.available() > 0 && (c = in.read()) != '"') + sig.append((char)c); + + try { + assertFalse(ECKey.isSignatureCanonical(Hex.decode(sig.toString()))); + } catch (StringIndexOutOfBoundsException e) { } // Expected for non-hex strings in the JSON that we should ignore + } + in.close(); + } + + @Test + public void testCreatedSigAndPubkeyAreCanonical() throws Exception { + // Tests that we will not generate non-canonical pubkeys or signatures + // We dump failed data to error log because this test is not expected to be deterministic + ECKey key = new ECKey(); + if (!ECKey.isPubKeyCanonical(key.getPubKey())) { + log.error(Utils.bytesToHexString(key.getPubKey())); + fail(); + } + + byte[] hash = new byte[32]; + new Random().nextBytes(hash); + byte[] sigBytes = key.sign(new Sha256Hash(hash)).encodeToDER(); + byte[] encodedSig = Arrays.copyOf(sigBytes, sigBytes.length + 1); + encodedSig[sigBytes.length] = (byte) (Transaction.SigHash.ALL.ordinal() + 1); + if (!ECKey.isSignatureCanonical(encodedSig)) { + log.error(Utils.bytesToHexString(sigBytes)); + fail(); + } + } + private boolean checkSomeBytesAreNonZero(byte[] bytes) { if (bytes == null) { return false; diff --git a/core/src/test/resources/com/google/bitcoin/core/sig_canonical.json b/core/src/test/resources/com/google/bitcoin/core/sig_canonical.json new file mode 100644 index 00000000..e43a0862 --- /dev/null +++ b/core/src/test/resources/com/google/bitcoin/core/sig_canonical.json @@ -0,0 +1,7 @@ +[ + "300602010002010001", + "3008020200ff020200ff01", + "304402203932c892e2e550f3af8ee4ce9c215a87f9bb831dcac87b2838e2c2eaa891df0c022030b61dd36543125d56b9f9f3a1f9353189e5af33cdda8d77a5209aec03978fa001", + "30450220076045be6f9eca28ff1ec606b833d0b87e70b2a630f5e3a496b110967a40f90a0221008fffd599910eefe00bc803c688c2eca1d2ba7f6b180620eaa03488e6585db6ba01", + "3046022100876045be6f9eca28ff1ec606b833d0b87e70b2a630f5e3a496b110967a40f90a0221008fffd599910eefe00bc803c688c2eca1d2ba7f6b180620eaa03488e6585db6ba01" +] diff --git a/core/src/test/resources/com/google/bitcoin/core/sig_noncanonical.json b/core/src/test/resources/com/google/bitcoin/core/sig_noncanonical.json new file mode 100644 index 00000000..d9a6c1cd --- /dev/null +++ b/core/src/test/resources/com/google/bitcoin/core/sig_noncanonical.json @@ -0,0 +1,22 @@ +[ + "non-hex strings are ignored", + + "too short:", "30050201FF020001", + "too long:", "30470221005990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba6105022200002d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + "hashtype:", "304402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed11", + "type:", "314402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + "total length:", "304502205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + "S len oob:", "301F01205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb101", + "R+S:", "304502205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed0001", + + "R type:", "304401205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + "R len = 0:", "3024020002202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + "R<0:", "304402208990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + "R padded:", "30450221005990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610502202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + + + "S type:", "304402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba610501202d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + "S len = 0:", "302402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba6105020001", + "S<0:", "304402205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba61050220fd5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01", + "S padded:", "304502205990e0584b2b238e1dfaad8d6ed69ecc1a4a13ac85fc0b31d0df395eb1ba61050221002d5876262c288beb511d061691bf26777344b702b00f8fe28621fe4e566695ed01" +]