1 /***********************************************************************
2 * Copyright (c) 2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
8 * Please do not link this file directly. It is not part of the libsecp256k1
9 * project and does not promise any stability in its API, functionality or
10 * presence. Projects which use this code should instead copy this header
11 * and its accompanying .c file directly into their codebase.
14 /* This file defines a function that parses DER with various errors and
15 * violations. This is not a part of the library itself, because the allowed
16 * violations are chosen arbitrarily and do not follow or establish any
19 * In many places it matters that different implementations do not only accept
20 * the same set of valid signatures, but also reject the same set of signatures.
21 * The only means to accomplish that is by strictly obeying a standard, and not
22 * accepting anything else.
24 * Nonetheless, sometimes there is a need for compatibility with systems that
25 * use signatures which do not strictly obey DER. The snippet below shows how
26 * certain violations are easily supported. You may need to adapt it.
28 * Do not use this for new systems. Use well-defined DER or compact signatures
29 * instead if you have the choice (see secp256k1_ecdsa_signature_parse_der and
30 * secp256k1_ecdsa_signature_parse_compact).
32 * The supported violations are:
33 * - All numbers are parsed as nonnegative integers, even though X.609-0207
34 * section 8.3.3 specifies that integers are always encoded as two's
36 * - Integers can have length 0, even though section 8.3.1 says they can't.
37 * - Integers with overly long padding are accepted, violation section
39 * - 127-byte long length descriptors are accepted, even though section
40 * 8.1.3.5.c says that they are not.
41 * - Trailing garbage data inside or after the signature is ignored.
42 * - The length descriptor of the sequence is ignored.
44 * Compared to for example OpenSSL, many violations are NOT supported:
45 * - Using overly long tag descriptors for the sequence or integers inside,
46 * violating section 8.1.2.2.
47 * - Encoding primitive integers as constructed values, violating section
51 #ifndef SECP256K1_CONTRIB_LAX_DER_PARSING_H
52 #define SECP256K1_CONTRIB_LAX_DER_PARSING_H
54 /* #include secp256k1.h only when it hasn't been included yet.
55 This enables this file to be #included directly in other project
56 files (such as tests.c) without the need to set an explicit -I flag,
57 which would be necessary to locate secp256k1.h. */
59 #include <secp256k1.h>
66 /** Parse a signature in "lax DER" format
68 * Returns: 1 when the signature could be parsed, 0 otherwise.
69 * Args: ctx: a secp256k1 context object
70 * Out: sig: a pointer to a signature object
71 * In: input: a pointer to the signature to be parsed
72 * inputlen: the length of the array pointed to be input
74 * This function will accept any valid DER encoded signature, even if the
75 * encoded numbers are out of range. In addition, it will accept signatures
76 * which violate the DER spec in various ways. Its purpose is to allow
77 * validation of the Bitcoin blockchain, which includes non-DER signatures
78 * from before the network rules were updated to enforce DER. Note that
79 * the set of supported violations is a strict subset of what OpenSSL will
82 * After the call, sig will always be initialized. If parsing failed or the
83 * encoded numbers are out of range, signature validation with it is
84 * guaranteed to fail for every message and public key.
86 int ecdsa_signature_parse_der_lax(
87 const secp256k1_context* ctx,
88 secp256k1_ecdsa_signature* sig,
89 const unsigned char *input,
91 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
97 #endif /* SECP256K1_CONTRIB_LAX_DER_PARSING_H */
projects / secp256k1.git / blob