ofek/coincurve

ECDSA signature verification fails with large values of r and s

adelapie opened this issue · 1 comments

adelapie commented

coincurve 13.0.0 fails when verifying a signature with large values of r
and s. You can check this with the following test
vectors from Google Wycheproof:

{
  "algorithm" : "ECDSA",
  "generatorVersion" : "0.8r12",
  "numberOfTests" : 380,
  "header" : [
    "Test vectors of type EcdsaVerify are meant for the verification",
    "of ASN encoded ECDSA signatures."
  ],
  "notes" : {
    "BER" : "This is a signature with correct values for (r, s) but using some alternative BER encoding instead of DER encoding. Implementations should not accept such signatures to limit signature malleability.",
    "EdgeCase" : "Edge case values such as r=1 and s=0 can lead to forgeries if the ECDSA implementation does not check boundaries and computes s^(-1)==0.",
    "MissingZero" : "Some implementations of ECDSA and DSA incorrectly encode r and s by not including leading zeros in the ASN encoding of integers when necessary. Hence, some implementations (e.g. jdk) allow signatures with incorrect ASN encodings assuming that the signature is otherwise valid.",
    "PointDuplication" : "Some implementations of ECDSA do not handle duplication and points at infinity correctly. This is a test vector that has been specially crafted to check for such an omission."
  },
  "schema" : "ecdsa_verify_schema.json",
  "testGroups" : [
    {
      "key" : {
        "curve" : "secp256k1",
        "keySize" : 256,
        "type" : "EcPublicKey",
        "uncompressed" : "04bc97e7585eecad48e16683bc4091708e1a930c683fc47001d4b383594f2c4e22705989cf69daeadd4e4e4b8151ed888dfec20fb01728d89d56b3f38f2ae9c8c5",
        "wx" : "00bc97e7585eecad48e16683bc4091708e1a930c683fc47001d4b383594f2c4e22",
        "wy" : "705989cf69daeadd4e4e4b8151ed888dfec20fb01728d89d56b3f38f2ae9c8c5"
      },
      "keyDer" : "3056301006072a8648ce3d020106052b8104000a03420004bc97e7585eecad48e16683bc4091708e1a930c683fc47001d4b383594f2c4e22705989cf69daeadd4e4e4b8151ed888dfec20fb01728d89d56b3f38f2ae9c8c5",
      "keyPem" : "-----BEGIN PUBLIC KEY-----\nMFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEvJfnWF7srUjhZoO8QJFwjhqTDGg/xHAB\n1LODWU8sTiJwWYnPadrq3U5OS4FR7YiN/sIPsBco2J1Ws/OPKunIxQ==\n-----END PUBLIC KEY-----",
      "sha" : "SHA-256",
      "type" : "EcdsaVerify",
      "tests" : [
        {
          "tcId" : 287,
          "comment" : "r,s are large",
          "msg" : "313233343030",
          "sig" : "3046022100fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd036413f022100fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd036413e",
          "result" : "valid",
          "flags" : []
        }
      ]
    }
  ]
}

and proof of concept:

from coincurve.keys import PrivateKey, PublicKey
from coincurve.utils import bytes_to_int, int_to_bytes_padded, verify_signature

from cryptography import exceptions
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric import utils

from hashlib import sha256


import json


def main():

    with open("ecdsa_secp256k1_sha256_test_large_r_s.json", "r") as read_file:
        secp256k1_sha256_test = json.load(read_file)

    for test_group in secp256k1_sha256_test["testGroups"]:
        comp_str = test_group["key"]["uncompressed"]
        co_x = test_group["key"]["wx"]
        co_y = test_group["key"]["wy"]

        public_key = PublicKey(bytes.fromhex(comp_str))

    
        for test in test_group["tests"]:
            print("Loading test", test["tcId"], "with result:", test["result"], "\n")

            ### using python coincurve

            signature = bytes.fromhex(test["sig"])
            message = bytes.fromhex(test["msg"])
            print("\tcoincurve: ", public_key.verify(signature, message))

            ### using python cryptography 

            curve = ec.SECP256K1()
            algo = ec.ECDSA(hashes.SHA256())

            pubnum = ec.EllipticCurvePublicNumbers(int(co_x, 16), int(co_y, 16), curve)
            
            data = bytes(bytearray.fromhex(test["msg"]))
            public_key_2 = pubnum.public_key(default_backend())
            signature = bytes(bytearray.fromhex(test["sig"]))
            
            try:
                public_key_2.verify(signature, data, ec.ECDSA(hashes.SHA256()))

            except exceptions.InvalidSignature:
                print("\tcryptography.io: False")
            else:
                print("\tcryptography.io: True")
  
if __name__ == "__main__":
    main()

where I compare the output of coincurve with the python cryptography library (ecdsa_secp256k1_sha256_test_large_r_s.json contains the test vectors described above).