1 /********************************************************************** 2 * Copyright (c) 2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 /**** 8 * Please do not link this file directly. It is not part of the libsecp256k1 9 * project and does not promise any stability in its API, functionality or 10 * presence. Projects which use this code should instead copy this header 11 * and its accompanying .c file directly into their codebase. 12 ****/ 13 14 /* This file defines a function that parses DER with various errors and 15 * violations. This is not a part of the library itself, because the allowed 16 * violations are chosen arbitrarily and do not follow or establish any 17 * standard. 18 * 19 * In many places it matters that different implementations do not only accept 20 * the same set of valid signatures, but also reject the same set of signatures. 21 * The only means to accomplish that is by strictly obeying a standard, and not 22 * accepting anything else. 23 * 24 * Nonetheless, sometimes there is a need for compatibility with systems that 25 * use signatures which do not strictly obey DER. The snippet below shows how 26 * certain violations are easily supported. You may need to adapt it. 27 * 28 * Do not use this for new systems. Use well-defined DER or compact signatures 29 * instead if you have the choice (see secp256k1_ecdsa_signature_parse_der and 30 * secp256k1_ecdsa_signature_parse_compact). 31 * 32 * The supported violations are: 33 * - All numbers are parsed as nonnegative integers, even though X.609-0207 34 * section 8.3.3 specifies that integers are always encoded as two's 35 * complement. 36 * - Integers can have length 0, even though section 8.3.1 says they can't. 37 * - Integers with overly long padding are accepted, violation section 38 * 8.3.2. 39 * - 127-byte long length descriptors are accepted, even though section 40 * 8.1.3.5.c says that they are not. 41 * - Trailing garbage data inside or after the signature is ignored. 42 * - The length descriptor of the sequence is ignored. 43 * 44 * Compared to for example OpenSSL, many violations are NOT supported: 45 * - Using overly long tag descriptors for the sequence or integers inside, 46 * violating section 8.1.2.2. 47 * - Encoding primitive integers as constructed values, violating section 48 * 8.3.1. 49 */ 50 51 #ifndef SECP256K1_CONTRIB_LAX_DER_PARSING_H 52 #define SECP256K1_CONTRIB_LAX_DER_PARSING_H 53 54 #include <secp256k1.h> 55 56 #ifdef __cplusplus 57 extern "C" { 58 #endif 59 60 /** Parse a signature in "lax DER" format 61 * 62 * Returns: 1 when the signature could be parsed, 0 otherwise. 63 * Args: ctx: a secp256k1 context object 64 * Out: sig: a pointer to a signature object 65 * In: input: a pointer to the signature to be parsed 66 * inputlen: the length of the array pointed to be input 67 * 68 * This function will accept any valid DER encoded signature, even if the 69 * encoded numbers are out of range. In addition, it will accept signatures 70 * which violate the DER spec in various ways. Its purpose is to allow 71 * validation of the Bitcoin blockchain, which includes non-DER signatures 72 * from before the network rules were updated to enforce DER. Note that 73 * the set of supported violations is a strict subset of what OpenSSL will 74 * accept. 75 * 76 * After the call, sig will always be initialized. If parsing failed or the 77 * encoded numbers are out of range, signature validation with it is 78 * guaranteed to fail for every message and public key. 79 */ 80 int ecdsa_signature_parse_der_lax( 81 const secp256k1_context* ctx, 82 secp256k1_ecdsa_signature* sig, 83 const unsigned char *input, 84 size_t inputlen 85 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); 86 87 #ifdef __cplusplus 88 } 89 #endif 90 91 #endif /* SECP256K1_CONTRIB_LAX_DER_PARSING_H */ 92