Crypto and SSL questions
For background to this see picocoin issue 7, picocoin pull request 25 and PolarSSL issue A rough draft of what I've done so far in polarssl bitcoin. Relevant tests are in the keyset. I just did a polarssl bitcoin reading of the PolarSSL-based key. Here are the issues I noticed: By the way, a more general point, which may or may not be relevant to your use case: In the same line, you might want to disable other curves in PolarSSL's config. If you looked at our example ECDSA app for inspiration, then probably I didn't make it clear enough in the app's source that I'm using a different context for verification only to emphasize that we polarssl bitcoin need the private key for verification, but of course if your context has the private key too it doesn't hurt.
Thanks very much Manuel for taking the time to write such a long and detailed reply. It was very helpful. I have implemented polarssl bitcoin suggestions and got the code to compile. Latest attempt has been pushed to my PolarSSL branch. The test on this function is failing. I have uploaded my latest attempt to github. If you get a chance can you have a look. OpenSSL does not have a problem polarssl bitcoin the format of the same key. This leads me to believe that there may be an issue with PolarSSL parsing.
I will raise an issue on Github. Support for this format was added in 1. I seem to have gotten over the bump caused by use of non-compliant RFC keys, thanks for the fix. Older bitcoin clients used a byte polarssl bitcoin key but more recent clients use a byte compressed one.
See "What is a compressed Bitcoin key?" As polarssl bitcoin aside, Polarssl bitcoin seems to store the point conversion polarssl bitcoin i. As stated by Jeff Garzik, bitcoin is sadly! The following is of particular polarssl bitcoin because it contains an invalidly-encoded signature which OpenSSL and thus bitcoin accepts:
This polarssl bitcoin an example of improperly encoded DER that just happens to validate polarssl bitcoin thanks to OpenSSL internal implementation details, rather than correctness.
This behaviour then went on to result in a change of the 'transaction id'. It looks very similar to me although I don't polarssl bitcoin enough about the polarssl bitcoin algorithm itself polarssl bitcoin transaction processing at this stage to determine this for myself.
It may be better to ask about bitcoin transaction malleability on the picocoin thread of bitcointalk forum. ASN1 tag is of an unexpected value. It seems polarssl bitcoin me that the data from the file 0x04cc71eb30d One polarssl bitcoin would be: We're totally prepared to adapt our parser to accept signatures whose encoding is slightly invalid if it's needed to validate bitcoin chains.
Does it mean that PolarSSL also accepts invalidly-encoded signatures? Test 2 which fails is polarssl bitcoin tweaked form of test 1. It has polarssl bitcoin arbitrary extra byte stuffed into the signature at pos length - 2. I'm not yet sure what OpenSSL bug this is testing. I checked the signature from the first test as well as the link.
True, its encoding is incorrect as per the ASN. However, in the context of an ECDSA signature over a prime field, we're always talking about positive integers so it makes sense not to nitpick about the exact rules of DER encoding.
Which polarssl bitcoin to say, I agree with the comments in the OpenSSL code and mostly disagree with the blog post. I'm confident that being permissive about a missing initial 00 byte in the DER encoding of integers that are positive from the context can't lead to security issues. It doesn't make signatures easier to forge, nor does it make any kind of buffer overflow polarssl bitcoin anything else easier.
IMO, accepting those polarssl bitcoin of encoding errors is an instance of the "be liberal in what you accept, conservative in what you send" principle. And btw, the signatures we write are correctly encoded of course. For the second test the problem is different. Which is not the intended use. Besides, the encoding of the length of the signature polarssl bitcoin 00 47 bytes at positions in the first example, that become 00 48 in the second example are not part of the signature itself but of the envelope.
At least if my understanding is correct, here it is an encoding error in bitcoin transaction format. I'd be curious to have the opinion of someone more versed in bitcoin about why this test is here.
Meanwhile, I'll be discussing with Paul polarssl bitcoin there is something we can do to help here. Yes, Polarssl bitcoin was also trying to figure out polarssl bitcoin the purpose of test 2 is. I polarssl bitcoin Jeff Garzik what its purpose is. Awaiting response PolarSSL Well, I haven't purposely made polarssl bitcoin at least. Let me rephrase what I said. It's not a bug either side, it's a different choice of API design. Polarssl bitcoin, I stand by my statement that test 2 should be considered invalid: Unfortunately here, for some reason, it's not.
Otherwise, it is quite fast since the length is checked before the actual ECDSA operation is done, so there is at most one costly operation in the loop. Options 2 and 3 polarssl bitcoin look a bit dirty, but after all you're trying polarssl bitcoin accept something whose encoding is polarssl bitcoin at best. Although option 2 seems to be working, a more efficient solution may be option 1.
Something similar to the following may stop unnecessary looping: I am currently reading the SEC1 documentation to understand if points beginning with 0x03 are valid or not. They are valid, points starting with 0x02 or 0x03 are in compressed format. Currently Polarssl bitcoin can't read them. We'll keep you updated soon on when we'll polarssl bitcoin able to implement them.
Regarding your message of April 6: Btw, do you have other issues besides points in compressed format? I'm not sure if the problem with test 4 is compressed format or something else.
I just wasn't sure if it was test 4 or some other test which would have meant test 4 might have been an additional issue. The most important PolarSSL changes in picocoin were made to the key. If any PolarSSL experts want to look polarssl bitcoin these and give constructive criticism I would again be grateful.
Hopefully there are not any glaring mistakes in these. PolarSSL in bitcoin projects. Feb 9, I have a few issues around this which maybe someone can help.
Feel free to add comments here or to each Gist. We'll have a look at your code somewhere in the next few days. That's very decent of you. Feb 14, Here are the issues I noticed: None of the above code is tested, but except typos it should be correct. Feb 15, There are still a few tests that fail but I think I am now on the right track. Looking at the tests that fail it seems that I may polarssl bitcoin to use the PK module. Polarssl bitcoin 17, Mar 6, I left this issue for a while but I'm now back working on it again.
I still can't figure where I'm going wrong. Any suggestions would be very much appreciated. Mar 11, The output from this test is: Mar 28, I'm interested as I'd like to store keys in a database and parse them.