2012-08-22 22:33:21 +02:00
|
|
|
//
|
|
|
|
// Unit tests for canonical signatures
|
|
|
|
|
|
|
|
#include "json/json_spirit_writer_template.h"
|
|
|
|
#include <boost/test/unit_test.hpp>
|
|
|
|
#include <openssl/ecdsa.h>
|
|
|
|
|
|
|
|
#include "key.h"
|
|
|
|
#include "script.h"
|
|
|
|
#include "util.h"
|
2013-09-10 21:18:09 +02:00
|
|
|
#include "data/sig_noncanonical.json.h"
|
|
|
|
#include "data/sig_canonical.json.h"
|
2012-08-22 22:33:21 +02:00
|
|
|
|
|
|
|
using namespace std;
|
|
|
|
using namespace json_spirit;
|
|
|
|
|
|
|
|
|
|
|
|
// In script_tests.cpp
|
2013-09-10 21:18:09 +02:00
|
|
|
extern Array read_json(const std::string& jsondata);
|
2012-08-22 22:33:21 +02:00
|
|
|
|
|
|
|
BOOST_AUTO_TEST_SUITE(canonical_tests)
|
|
|
|
|
|
|
|
// OpenSSL-based test for canonical signature (without test for hashtype byte)
|
|
|
|
bool static IsCanonicalSignature_OpenSSL_inner(const std::vector<unsigned char>& vchSig)
|
|
|
|
{
|
|
|
|
if (vchSig.size() == 0)
|
|
|
|
return false;
|
|
|
|
const unsigned char *input = &vchSig[0];
|
|
|
|
ECDSA_SIG *psig = NULL;
|
|
|
|
d2i_ECDSA_SIG(&psig, &input, vchSig.size());
|
|
|
|
if (psig == NULL)
|
|
|
|
return false;
|
|
|
|
unsigned char buf[256];
|
|
|
|
unsigned char *pbuf = buf;
|
|
|
|
unsigned int nLen = i2d_ECDSA_SIG(psig, NULL);
|
|
|
|
if (nLen != vchSig.size()) {
|
|
|
|
ECDSA_SIG_free(psig);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
nLen = i2d_ECDSA_SIG(psig, &pbuf);
|
|
|
|
ECDSA_SIG_free(psig);
|
|
|
|
return (memcmp(&vchSig[0], &buf[0], nLen) == 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
// OpenSSL-based test for canonical signature
|
|
|
|
bool static IsCanonicalSignature_OpenSSL(const std::vector<unsigned char> &vchSignature) {
|
|
|
|
if (vchSignature.size() < 1)
|
|
|
|
return false;
|
|
|
|
if (vchSignature.size() > 127)
|
|
|
|
return false;
|
|
|
|
if (vchSignature[vchSignature.size() - 1] & 0x7C)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
std::vector<unsigned char> vchSig(vchSignature);
|
|
|
|
vchSig.pop_back();
|
|
|
|
if (!IsCanonicalSignature_OpenSSL_inner(vchSig))
|
|
|
|
return false;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
BOOST_AUTO_TEST_CASE(script_canon)
|
|
|
|
{
|
2013-09-10 21:18:09 +02:00
|
|
|
Array tests = read_json(std::string(json_tests::sig_canonical, json_tests::sig_canonical + sizeof(json_tests::sig_canonical)));
|
2012-08-22 22:33:21 +02:00
|
|
|
|
|
|
|
BOOST_FOREACH(Value &tv, tests) {
|
|
|
|
string test = tv.get_str();
|
|
|
|
if (IsHex(test)) {
|
|
|
|
std::vector<unsigned char> sig = ParseHex(test);
|
Only create signatures with even S, and verification mode to check.
To fix a minor malleability found by Sergio Lerner (reported here:
https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898)
The problem is that if (R,S) is a valid ECDSA signature for a given
message and public key, (R,-S) is also valid. Modulo N (the order
of the secp256k1 curve), this means that both (R,S) and (R,N-S) are
valid. Given that N is odd, S and N-S have a different lowest bit.
We solve the problem by forcing signatures to have an even S value,
excluding one of the alternatives.
This commit just changes the signing code to always produce even S
values, and adds a verification mode to check it. This code is not
enabled anywhere yet. Existing tests in key_tests.cpp verify that
the produced signatures are still valid.
2012-12-26 21:10:49 +01:00
|
|
|
BOOST_CHECK_MESSAGE(IsCanonicalSignature(sig, SCRIPT_VERIFY_STRICTENC), test);
|
2012-08-22 22:33:21 +02:00
|
|
|
BOOST_CHECK_MESSAGE(IsCanonicalSignature_OpenSSL(sig), test);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
BOOST_AUTO_TEST_CASE(script_noncanon)
|
|
|
|
{
|
2013-09-10 21:18:09 +02:00
|
|
|
Array tests = read_json(std::string(json_tests::sig_noncanonical, json_tests::sig_noncanonical + sizeof(json_tests::sig_noncanonical)));
|
2012-08-22 22:33:21 +02:00
|
|
|
|
|
|
|
BOOST_FOREACH(Value &tv, tests) {
|
|
|
|
string test = tv.get_str();
|
|
|
|
if (IsHex(test)) {
|
|
|
|
std::vector<unsigned char> sig = ParseHex(test);
|
Only create signatures with even S, and verification mode to check.
To fix a minor malleability found by Sergio Lerner (reported here:
https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898)
The problem is that if (R,S) is a valid ECDSA signature for a given
message and public key, (R,-S) is also valid. Modulo N (the order
of the secp256k1 curve), this means that both (R,S) and (R,N-S) are
valid. Given that N is odd, S and N-S have a different lowest bit.
We solve the problem by forcing signatures to have an even S value,
excluding one of the alternatives.
This commit just changes the signing code to always produce even S
values, and adds a verification mode to check it. This code is not
enabled anywhere yet. Existing tests in key_tests.cpp verify that
the produced signatures are still valid.
2012-12-26 21:10:49 +01:00
|
|
|
BOOST_CHECK_MESSAGE(!IsCanonicalSignature(sig, SCRIPT_VERIFY_STRICTENC), test);
|
2012-08-22 22:33:21 +02:00
|
|
|
BOOST_CHECK_MESSAGE(!IsCanonicalSignature_OpenSSL(sig), test);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
BOOST_AUTO_TEST_SUITE_END()
|