Merge pull request #250 from dcousens/negrs

Negative R,S value checking
2014-07-30 10:00:35 +08:00 · 2014-07-30 10:00:35 +08:00 · c73ab8c816
commit c73ab8c816
parent 05237f4248 5657dcf2aa
2 changed files with 77 additions and 6 deletions
--- a/src/ecdsa.js
+++ b/src/ecdsa.js
@ -86,8 +86,8 @@ function verifyRaw(curve, e, signature, Q) {
  var r = signature.r
  var s = signature.s

-  if (r.signum() === 0 || r.compareTo(n) >= 0) return false
-  if (s.signum() === 0 || s.compareTo(n) >= 0) return false
+  if (r.signum() <= 0 || r.compareTo(n) >= 0) return false
+  if (s.signum() <= 0 || s.compareTo(n) >= 0) return false

  var c = s.modInverse(n)

@ -111,9 +111,15 @@ function verifyRaw(curve, e, signature, Q) {
 function recoverPubKey(curve, e, signature, i) {
  assert.strictEqual(i & 3, i, 'Recovery param is more than two bits')

+  var n = curve.n
+  var G = curve.G
+
  var r = signature.r
  var s = signature.s

+  assert(r.signum() > 0 && r.compareTo(n) < 0, 'Invalid r value')
+  assert(s.signum() > 0 && s.compareTo(n) < 0, 'Invalid s value')
+
  // A set LSB signifies that the y-coordinate is odd
  var isYOdd = i & 1

@ -121,9 +127,6 @@ function recoverPubKey(curve, e, signature, i) {
  // first or second candidate key.
  var isSecondKey = i >> 1

-  var n = curve.n
-  var G = curve.G
-
  // 1.1 Let x = r + jn
  var x = isSecondKey ? r.add(n) : r
  var R = curve.pointFromX(isYOdd, x)
--- a/test/fixtures/ecdsa.json
+++ b/test/fixtures/ecdsa.json
@ -73,9 +73,19 @@
  ],
  "invalid": {
    "recoverPubKey": [
+      {
+        "description": "Invalid r value (< 0)",
+        "exception": "Invalid r value",
+        "e": "01",
+        "signature": {
+          "r": "-01",
+          "s": "02"
+        },
+        "i": 0
+      },
      {
        "description": "Invalid r value (== 0)",
-        "exception": "nR is not a valid curve point",
+        "exception": "Invalid r value",
        "e": "01",
        "signature": {
          "r": "00",
@ -83,6 +93,46 @@
        },
        "i": 0
      },
+      {
+        "description": "Invalid s value (< 0)",
+        "exception": "Invalid s value",
+        "e": "01",
+        "signature": {
+          "r": "02",
+          "s": "-01"
+        },
+        "i": 0
+      },
+      {
+        "description": "Invalid s value (== 0)",
+        "exception": "Invalid s value",
+        "e": "01",
+        "signature": {
+          "r": "02",
+          "s": "00"
+        },
+        "i": 0
+      },
+      {
+        "description": "Invalid r value (nR is infinity)",
+        "exception": "nR is not a valid curve point",
+        "e": "01",
+        "signature": {
+          "r": "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141",
+          "s": "01"
+        },
+        "i": 0
+      },
+      {
+        "description": "Invalid curve point",
+        "exception": "Point is not on the curve",
+        "e": "01",
+        "signature": {
+          "r": "99999999999999999999999999999999999999",
+          "s": "01"
+        },
+        "i": 0
+      },
      {
        "description": "Invalid i value (> 3)",
        "exception": "Recovery param is more than two bits",
@ -104,6 +154,15 @@
          "s": "3180566392414476763164587487324397066658063772201694230600609996154610926757"
        }
      },
+      {
+        "description": "Invalid r value (< 0)",
+        "d": "01",
+        "e": "01",
+        "signature": {
+          "r": "-01",
+          "s": "02"
+        }
+      },
      {
        "description": "Invalid r value (== 0)",
        "d": "01",
@ -122,6 +181,15 @@
          "s": "02"
        }
      },
+      {
+        "description": "Invalid s value (< 0)",
+        "d": "01",
+        "e": "01",
+        "signature": {
+          "r": "02",
+          "s": "-01"
+        }
+      },
      {
        "description": "Invalid s value (== 0)",
        "d": "01",