Open kousu opened 5 years ago
I'm thinking of removing this API on Key.py (and possibly even Key.py). Signers should really be using pycoin.ecdsa.secp256k1.secp256k1_generator.sign. This might still suffer from the same problem when val is out of range though. I need to investigate further.
BIP32Node.verify() allows longer signatures than it should. This is the sort of thing that isn't immediately exploitable but could be chained with other exploits to shim in unexpected data in places it's not meant for.
Here's setting up a key for basic usage:
But this is weird:
Trying to extend the message hash instead of the signature fails (as expected) but it doesn't fail in the way I expect:
because doing the same extension at signing time gives
Requests

- Strongly-type the inputs to sign() and verify(). They should be fixed length bytestrings.
- Make the exception sign() and verify() give on extending h consistent.
- Do something sensible in the case of underflow. Is key.sign(b"") legal or illegal? What about key.sign(b"abcde")?
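The following is an added illustration of the strict input handling the issue asks for; it is not pycoin's code and implements no ECDSA at all. It models only the validation layer in front of sign()/verify(): a message hash must be exactly 32 bytes and a signature exactly 64 bytes (the raw r||s layout and the secp256k1 group order are assumptions here, since the page does not show pycoin's encoding), and any trailing bytes, short inputs, or out-of-range r/s values are rejected with one consistent exception class instead of being silently sliced off.

```python
"""Strict vs lax input handling in front of sign()/verify().

Added example, not pycoin's code. It does not implement ECDSA; it models the
input-validation layer the issue requests, so that a hash that is not exactly
32 bytes, or a raw r||s signature that is not exactly 64 bytes (or whose r or s
is out of range), is rejected rather than silently truncated.
"""

HASH_LEN = 32          # bytes in the message digest
SIG_LEN = 64           # bytes in a raw r||s signature (assumed layout)
# secp256k1 group order n (assumption: used here only to range-check r and s)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


class InputError(ValueError):
    """Raised for any malformed hash or signature, whatever the cause."""


def lax_split(h: bytes, sig: bytes):
    """Models the lax behaviour: slice to the expected size and carry on.

    Trailing bytes on sig are dropped without complaint, so two different
    byte strings parse to the same (r, s): the "shim in unexpected data" case.
    """
    return h[:HASH_LEN], int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big")


def strict_split(h: bytes, sig: bytes):
    """Strongly-typed, fixed-length parsing.

    Every failure raises the same exception class, so callers of sign() and
    verify() see a consistent error for an over- or under-length h.
    """
    if not isinstance(h, (bytes, bytearray)):
        raise InputError("message hash must be bytes, got %s" % type(h).__name__)
    if len(h) != HASH_LEN:
        raise InputError("message hash must be exactly %d bytes, got %d" % (HASH_LEN, len(h)))
    if not isinstance(sig, (bytes, bytearray)):
        raise InputError("signature must be bytes, got %s" % type(sig).__name__)
    if len(sig) != SIG_LEN:
        raise InputError("signature must be exactly %d bytes, got %d" % (SIG_LEN, len(sig)))
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if not (1 <= r < N and 1 <= s < N):
        raise InputError("r and s must each be in [1, n-1]")
    return bytes(h), r, s


def accepts(parser, h, sig) -> bool:
    """True if parser takes (h, sig) without raising InputError."""
    try:
        parser(h, sig)
        return True
    except InputError:
        return False


# Constructed sample inputs (not real signatures): a well-formed pair, the
# same signature with 8 trailing bytes appended, and the two short hashes
# from the issue's underflow question.
GOOD_H = bytes(range(32))
GOOD_SIG = (12345).to_bytes(32, "big") + (67890).to_bytes(32, "big")
EXTENDED_SIG = GOOD_SIG + b"\xde\xad\xbe\xef" * 2
SHORT_HASHES = [b"", b"abcde"]


def demo():
    """Returns (lax_same, strict_rejects).

    lax_same: the lax parser cannot tell GOOD_SIG from EXTENDED_SIG.
    strict_rejects: the strict parser accepts the good pair, rejects the
    extended signature, and rejects both short hashes.
    """
    lax_same = lax_split(GOOD_H, GOOD_SIG) == lax_split(GOOD_H, EXTENDED_SIG)
    strict_rejects = (
        accepts(strict_split, GOOD_H, GOOD_SIG)
        and not accepts(strict_split, GOOD_H, EXTENDED_SIG)
        and all(not accepts(strict_split, h, GOOD_SIG) for h in SHORT_HASHES)
    )
    return lax_same, strict_rejects


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the length check happens before any slicing or integer conversion, so there is no path on which extra or missing bytes change the parsed value silently; the range check on r and s closes the "val is out of range" gap mentioned in the maintainer's comment in the same way.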