Skip to content

conicalize DER encoded signitures#1

Open
scottwalters wants to merge 1 commit intomtve:masterfrom
scottwalters:master
Open

conicalize DER encoded signitures#1
scottwalters wants to merge 1 commit intomtve:masterfrom
scottwalters:master

Conversation

@scottwalters
Copy link

@scottwalters scottwalters commented Feb 15, 2015

bitcoind was permissive with how DER encoding was done, which lead to the transaction malliability problem.
the exact same transaction could be written multiple ways, signed, and then sent out to confuse people.
part of the fix was conicalizing DER encoded signitures. DER encoded numbers now have all leading 0 bytes
(0x00 hex) removed from the beginning except if the first byte would have its 8th bit, which would
indicate that it's negative, which s and r are never in ecdsa signitures, in which case it gets exactly one
0x00 byte stuck on to the front.

Addendum: here's an example of a 'reject' message from a bitcoind 0.9.3 upset about this:

message: f9beb4d972656a65637400000000000032000000df2fdad4027478400d6e6f6e2d63616e6f6e6963616c901bd0a0d6060fdbfca593b386000ac24374a9e6afff592a68cd697
856c578c7
in --> reject
message: tx
code: 64
reason: non-canonical

Also, awesome work on implementing ecdsa in Perl! Impressive.

@scottwalters
conicalize DER encoded signitures
3dfd6e8 
bitcoind was permissive with how DER encoding was done, which lead to the transaction malliability problem.
the exact same transaction could be written multiple ways, signed, and then sent out to confuse people.
part of the fix was conicalizing DER encoded signitures.  DER encoded numbers now have all leading 0 bytes
(0x00 hex) removed from the beginning *except* if the first byte would have its 8th bit, which would
indicate that it's negative, which s and r are never in ecdsa signitures, in which case it gets exactly one
0x00 byte stuck on to the front.
@mtve
Copy link
Owner

mtve commented Feb 16, 2015

Hello Scott!

Thank you very much for your patch!

This project was abandoned a few years ago. As i remember there was another branch called "broken" which was a bit more complete. Since then there were lots of changes in bitcoin core itself: a hardfork, new types on transactions, etc, including the problem addressed by your patch.

I guess I should resurrect this project someday, and try at least to keep up to the current block chain.

I'll merge your patch as soon as I get back to this project. Thanks again!

mtve

@scottwalters
Copy link
Author

scottwalters commented Feb 16, 2015

Hi mtve,

Indeed. After I sent that patch, I read in https://en.bitcoin.it/wiki/Protocol_rules about "compressed keys". I was trying to re-use logic from your modules to blindly generate tx transactions in the spirit of http://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bitcoin.html, but with that change, it seems like it's no longer possible. One would have to actually fetch the previous tx (or txes) to see which key type was used. That seems unfortunate. BitcoinJ also doesn't seem to support compressed keys so I couldn't use it as a guide. And after a week of trying to get the network to talk to me (including using Wireshark to try to figure out why no one will answer my 'version' messages), I think I might be out of time here for now.

If you find the might, you might consider releasing your ecdsa.pm as a stand-alone pure-Perl module.

Regardless, thanks for sharing all of the work you did on this.

Cheers,
-scott

Repository owner deleted a comment from imunisasi Mar 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@scottwalters @mtve