Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Low-s normalization for ecdsa secp256r1 signing #9738

Merged
merged 34 commits into from
Jul 27, 2021
Merged

feat: Low-s normalization for ecdsa secp256r1 signing #9738

merged 34 commits into from
Jul 27, 2021

Conversation

frumioj
Copy link
Contributor

@frumioj frumioj commented Jul 20, 2021

Description

Closes: #9723


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • followed the guidelines for building modules
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

@frumioj frumioj changed the title Low-s normalization for ecdsa secp256r1 signing feat: Low-s normalization for ecdsa secp256r1 signing Jul 20, 2021
@codecov
Copy link

codecov bot commented Jul 20, 2021

Codecov Report

Merging #9738 (1371772) into master (f4d0682) will increase coverage by 0.00%.
The diff coverage is 62.97%.

Impacted file tree graph

@@           Coverage Diff            @@
##           master    #9738    +/-   ##
========================================
  Coverage   63.47%   63.48%            
========================================
  Files         566      566            
  Lines       52797    53065   +268     
========================================
+ Hits        33515    33687   +172     
- Misses      17379    17471    +92     
- Partials     1903     1907     +4     
Impacted Files Coverage Δ
types/events.go 82.77% <ø> (ø)
x/auth/client/cli/query.go 2.15% <6.41%> (+2.15%) ⬆️
x/auth/ante/sigverify.go 68.07% <38.00%> (-5.86%) ⬇️
crypto/keys/internal/ecdsa/privkey.go 84.21% <88.00%> (+2.39%) ⬆️
crypto/keys/internal/ecdsa/pubkey.go 77.08% <100.00%> (+9.43%) ⬆️
x/auth/client/testutil/suite.go 96.31% <100.00%> (+0.40%) ⬆️

@aaronc
Copy link
Member

aaronc commented Jul 20, 2021

@tarcieri are you able to take a look at this?

@frumioj
Copy link
Contributor Author

frumioj commented Jul 21, 2021

@alexanderbez @robert-zaremba any comments?

@frumioj frumioj marked this pull request as ready for review July 21, 2021 19:27
Copy link

@tarcieri tarcieri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it might still be good to either make functions like p256Order and p256OrderDiv2 parameterized over curves or just use vars for them instead, but otherwise this looks good to me.

@frumioj
Copy link
Contributor Author

frumioj commented Jul 21, 2021

I think it might still be good to either make functions like p256Order and p256OrderDiv2 parameterized over curves or just use vars for them instead, but otherwise this looks good to me.

I agree with you, but I think I'm going to create a new (bigger) issue which will focus on refactoring all of the ECDSA signature code so we don't have essentially 3 different code paths all using roughly the same code but in 3 different places, and all slightly differently. Then I'd want to get the Curve.Params() from the key passed in, and work with that.

frumioj and others added 2 commits July 22, 2021 10:26
…ion to fail after the valid signature was mutated by extracting and scalar negating its s value
@frumioj frumioj requested a review from amaury1093 July 22, 2021 17:32
Copy link
Contributor

@amaury1093 amaury1093 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only checked the test in crypto/keys/internal/ecdsa/privkey_internal_test.go , and it lgtm. Not super familiar with the rest of the changes.

crypto/keys/internal/ecdsa/privkey_internal_test.go Outdated Show resolved Hide resolved
Copy link
Collaborator

@robert-zaremba robert-zaremba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving, however I prefer to reuse and test a private function rather than copying it and have a test coverage miss.

crypto/keys/internal/ecdsa/privkey.go Outdated Show resolved Hide resolved
crypto/keys/internal/ecdsa/privkey.go Show resolved Hide resolved
crypto/keys/internal/ecdsa/privkey.go Outdated Show resolved Hide resolved
crypto/keys/internal/ecdsa/privkey.go Show resolved Hide resolved
crypto/keys/internal/ecdsa/privkey_internal_test.go Outdated Show resolved Hide resolved
@robert-zaremba
Copy link
Collaborator

Added backport to 0.42

@alexanderbez
Copy link
Contributor

I think @robert-zaremba left some good comments. I'll approve once addressed 🚀

Copy link
Collaborator

@robert-zaremba robert-zaremba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving. Had a chat with John to advance on this. Let's add a missing tests and go through comments to resolve them before merging.

@aaronc
Copy link
Member

aaronc commented Jul 27, 2021

Thanks @robert-zaremba. @frumioj feel free to merge when you're ready.

@frumioj frumioj added the A:automerge Automatically merge PR once all prerequisites pass. label Jul 27, 2021
@frumioj frumioj merged commit aa37ae9 into cosmos:master Jul 27, 2021
@orijbot
Copy link

orijbot commented Jul 27, 2021

Visit https://dashboard.github.orijtech.com?pr=9738&repo=cosmos%2Fcosmos-sdk to see benchmark details.

mergify bot pushed a commit that referenced this pull request Jul 27, 2021
* added low-s normalization to ecdsa secp256r1 signing

* go fmt fixes

* removed else block as golint required

* implement raw signature encoding for secp256r1

* move the creation of signature to after the check for sig string length

* fake commit to re-run checks? (move the creation of signature to after the check for sig string length)

* added a signature test for high s signature that requires sig validation to fail after the valid signature was mutated by extracting and scalar negating its s value

* reordered code to prevent mutated message from being used in sig verify

* added test for successful high_s signature with the ecdsa portion of the publicKey

* Remove comment for self-explanatory code.

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Missing quote

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Apply minor suggestions from code review

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* normalize comments for godoc

* refactored p256Order functions as private vars

* Div -> Rsh optimizing time for division

* resolve two code coverage issues; fix some small review issues

* test using private signatureRaw function instead of copying code. Added tests to improve code coverage

Co-authored-by: Aaron Craelius <aaron@regen.network>
Co-authored-by: Robert Zaremba <robert@zaremba.ch>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
(cherry picked from commit aa37ae9)
mergify bot pushed a commit that referenced this pull request Jul 27, 2021
* added low-s normalization to ecdsa secp256r1 signing

* go fmt fixes

* removed else block as golint required

* implement raw signature encoding for secp256r1

* move the creation of signature to after the check for sig string length

* fake commit to re-run checks? (move the creation of signature to after the check for sig string length)

* added a signature test for high s signature that requires sig validation to fail after the valid signature was mutated by extracting and scalar negating its s value

* reordered code to prevent mutated message from being used in sig verify

* added test for successful high_s signature with the ecdsa portion of the publicKey

* Remove comment for self-explanatory code.

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Missing quote

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Apply minor suggestions from code review

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* normalize comments for godoc

* refactored p256Order functions as private vars

* Div -> Rsh optimizing time for division

* resolve two code coverage issues; fix some small review issues

* test using private signatureRaw function instead of copying code. Added tests to improve code coverage

Co-authored-by: Aaron Craelius <aaron@regen.network>
Co-authored-by: Robert Zaremba <robert@zaremba.ch>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
(cherry picked from commit aa37ae9)

# Conflicts:
#	crypto/keys/internal/ecdsa/privkey.go
#	crypto/keys/internal/ecdsa/privkey_internal_test.go
#	crypto/keys/internal/ecdsa/pubkey.go
aaronc pushed a commit that referenced this pull request Jul 27, 2021
* added low-s normalization to ecdsa secp256r1 signing

* go fmt fixes

* removed else block as golint required

* implement raw signature encoding for secp256r1

* move the creation of signature to after the check for sig string length

* fake commit to re-run checks? (move the creation of signature to after the check for sig string length)

* added a signature test for high s signature that requires sig validation to fail after the valid signature was mutated by extracting and scalar negating its s value

* reordered code to prevent mutated message from being used in sig verify

* added test for successful high_s signature with the ecdsa portion of the publicKey

* Remove comment for self-explanatory code.

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Missing quote

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Apply minor suggestions from code review

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* normalize comments for godoc

* refactored p256Order functions as private vars

* Div -> Rsh optimizing time for division

* resolve two code coverage issues; fix some small review issues

* test using private signatureRaw function instead of copying code. Added tests to improve code coverage

Co-authored-by: Aaron Craelius <aaron@regen.network>
Co-authored-by: Robert Zaremba <robert@zaremba.ch>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
(cherry picked from commit aa37ae9)

Co-authored-by: John Kemp <frumioj@users.noreply.github.com>
evan-forbes pushed a commit to evan-forbes/cosmos-sdk that referenced this pull request Oct 12, 2021
…osmos#9793)

* added low-s normalization to ecdsa secp256r1 signing

* go fmt fixes

* removed else block as golint required

* implement raw signature encoding for secp256r1

* move the creation of signature to after the check for sig string length

* fake commit to re-run checks? (move the creation of signature to after the check for sig string length)

* added a signature test for high s signature that requires sig validation to fail after the valid signature was mutated by extracting and scalar negating its s value

* reordered code to prevent mutated message from being used in sig verify

* added test for successful high_s signature with the ecdsa portion of the publicKey

* Remove comment for self-explanatory code.

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Missing quote

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Apply minor suggestions from code review

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* normalize comments for godoc

* refactored p256Order functions as private vars

* Div -> Rsh optimizing time for division

* resolve two code coverage issues; fix some small review issues

* test using private signatureRaw function instead of copying code. Added tests to improve code coverage

Co-authored-by: Aaron Craelius <aaron@regen.network>
Co-authored-by: Robert Zaremba <robert@zaremba.ch>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
(cherry picked from commit aa37ae9)

Co-authored-by: John Kemp <frumioj@users.noreply.github.com>
evan-forbes pushed a commit to evan-forbes/cosmos-sdk that referenced this pull request Nov 1, 2021
…osmos#9793)

* added low-s normalization to ecdsa secp256r1 signing

* go fmt fixes

* removed else block as golint required

* implement raw signature encoding for secp256r1

* move the creation of signature to after the check for sig string length

* fake commit to re-run checks? (move the creation of signature to after the check for sig string length)

* added a signature test for high s signature that requires sig validation to fail after the valid signature was mutated by extracting and scalar negating its s value

* reordered code to prevent mutated message from being used in sig verify

* added test for successful high_s signature with the ecdsa portion of the publicKey

* Remove comment for self-explanatory code.

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Missing quote

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Apply minor suggestions from code review

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* normalize comments for godoc

* refactored p256Order functions as private vars

* Div -> Rsh optimizing time for division

* resolve two code coverage issues; fix some small review issues

* test using private signatureRaw function instead of copying code. Added tests to improve code coverage

Co-authored-by: Aaron Craelius <aaron@regen.network>
Co-authored-by: Robert Zaremba <robert@zaremba.ch>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
(cherry picked from commit aa37ae9)

Co-authored-by: John Kemp <frumioj@users.noreply.github.com>
JeancarloBarrios pushed a commit to agoric-labs/cosmos-sdk that referenced this pull request Sep 28, 2024
…osmos#9793)

* added low-s normalization to ecdsa secp256r1 signing

* go fmt fixes

* removed else block as golint required

* implement raw signature encoding for secp256r1

* move the creation of signature to after the check for sig string length

* fake commit to re-run checks? (move the creation of signature to after the check for sig string length)

* added a signature test for high s signature that requires sig validation to fail after the valid signature was mutated by extracting and scalar negating its s value

* reordered code to prevent mutated message from being used in sig verify

* added test for successful high_s signature with the ecdsa portion of the publicKey

* Remove comment for self-explanatory code.

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Missing quote

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* Apply minor suggestions from code review

Co-authored-by: Robert Zaremba <robert@zaremba.ch>

* normalize comments for godoc

* refactored p256Order functions as private vars

* Div -> Rsh optimizing time for division

* resolve two code coverage issues; fix some small review issues

* test using private signatureRaw function instead of copying code. Added tests to improve code coverage

Co-authored-by: Aaron Craelius <aaron@regen.network>
Co-authored-by: Robert Zaremba <robert@zaremba.ch>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
(cherry picked from commit aa37ae9)

Co-authored-by: John Kemp <frumioj@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A:automerge Automatically merge PR once all prerequisites pass.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ECDSA/secp256r1 transaction malleability
7 participants