* A canonical signature exists of: <30> <02> <02> * Where R and S are not negative (their first byte has its highest bit not set), and not * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows, * in which case a single 0 byte is necessary and even required). * * See https://bitcointalk.org/index.php?topic=8
| 187 | * This function is consensus-critical since BIP66. |
| 188 | */ |
| 189 | bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) { |
| 190 | // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash] |
| 191 | // * total-length: 1-byte length descriptor of everything that follows, |
| 192 | // excluding the sighash byte. |
| 193 | // * R-length: 1-byte length descriptor of the R value that follows. |
| 194 | // * R: arbitrary-length big-endian encoded R value. It must use the shortest |
| 195 | // possible encoding for a positive integer (which means no null bytes at |
| 196 | // the start, except a single one when the next byte has its highest bit set). |
| 197 | // * S-length: 1-byte length descriptor of the S value that follows. |
| 198 | // * S: arbitrary-length big-endian encoded S value. The same rules apply. |
| 199 | // * sighash: 1-byte value indicating what data is hashed (not part of the DER |
| 200 | // signature) |
| 201 | |
| 202 | // Minimum and maximum size constraints. |
| 203 | if (sig.size() < 9) return false; |
| 204 | if (sig.size() > 73) return false; |
| 205 | |
| 206 | // A signature is of type 0x30 (compound). |
| 207 | if (sig[0] != 0x30) return false; |
| 208 | |
| 209 | // Make sure the length covers the entire signature. |
| 210 | if (sig[1] != sig.size() - 3) return false; |
| 211 | |
| 212 | // Extract the length of the R element. |
| 213 | unsigned int lenR = sig[3]; |
| 214 | |
| 215 | // Make sure the length of the S element is still inside the signature. |
| 216 | if (5 + lenR >= sig.size()) return false; |
| 217 | |
| 218 | // Extract the length of the S element. |
| 219 | unsigned int lenS = sig[5 + lenR]; |
| 220 | |
| 221 | // Verify that the length of the signature matches the sum of the length |
| 222 | // of the elements. |
| 223 | if ((size_t)(lenR + lenS + 7) != sig.size()) return false; |
| 224 | |
| 225 | // Check whether the R element is an integer. |
| 226 | if (sig[2] != 0x02) return false; |
| 227 | |
| 228 | // Zero-length integers are not allowed for R. |
| 229 | if (lenR == 0) return false; |
| 230 | |
| 231 | // Negative numbers are not allowed for R. |
| 232 | if (sig[4] & 0x80) return false; |
| 233 | |
| 234 | // Null bytes at the start of R are not allowed, unless R would |
| 235 | // otherwise be interpreted as a negative number. |
| 236 | if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false; |
| 237 | |
| 238 | // Check whether the S element is an integer. |
| 239 | if (sig[lenR + 4] != 0x02) return false; |
| 240 | |
| 241 | // Zero-length integers are not allowed for S. |
| 242 | if (lenS == 0) return false; |
| 243 | |
| 244 | // Negative numbers are not allowed for S. |
| 245 | if (sig[lenR + 6] & 0x80) return false; |
| 246 |
no test coverage detected