Hello community, here is the log from the commit of package python-ecdsa for openSUSE:Factory checked in at 2019-11-04 17:08:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-ecdsa (Old) and /work/SRC/openSUSE:Factory/.python-ecdsa.new.2990 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-ecdsa" Mon Nov 4 17:08:40 2019 rev:10 rq:742539 version:0.13.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python-ecdsa/python-ecdsa.changes 2019-05-17 23:36:31.954129309 +0200 +++ /work/SRC/openSUSE:Factory/.python-ecdsa.new.2990/python-ecdsa.changes 2019-11-04 17:08:44.120410412 +0100 @@ -1,0 +2,8 @@ +Mon Oct 14 21:41:55 UTC 2019 - Robert Schweikert <rjsch...@suse.com> + +- updated to 0.13.3 (bsc#1153165) + + CVE-2019-14853 DOS atack during signature decoding + + CVE-2019-14859 signature malleability caused by insufficient checks + of DER encoding + +------------------------------------------------------------------- @@ -14,0 +23,5 @@ +Fri Sep 21 12:51:24 UTC 2018 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com> + +- Include in SLE-12 (fate#323875, bsc#1054413) + +------------------------------------------------------------------- @@ -23 +36 @@ -- update to 0.13 +- update to 0.13 (bsc#962291) Old: ---- ecdsa-0.13.2.tar.gz New: ---- ecdsa-0.13.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-ecdsa.spec ++++++ --- /var/tmp/diff_new_pack.0maHx4/_old 2019-11-04 17:08:44.880411224 +0100 +++ /var/tmp/diff_new_pack.0maHx4/_new 2019-11-04 17:08:44.892411237 +0100 @@ -18,7 +18,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-ecdsa -Version: 0.13.2 +Version: 0.13.3 Release: 0 Summary: ECDSA cryptographic signature library (pure python) License: MIT ++++++ ecdsa-0.13.2.tar.gz -> ecdsa-0.13.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/NEWS new/ecdsa-0.13.3/NEWS --- old/ecdsa-0.13.2/NEWS 2019-04-17 21:29:43.000000000 +0200 +++ new/ecdsa-0.13.3/NEWS 2019-10-07 15:56:15.000000000 +0200 @@ -1,3 +1,10 @@ +* Release 0.13.3 (07 Oct 2019) + +Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding and +signature malleability. + +Also harden key decoding from string and DER encodings. + * Release 0.13.2 (17 Apr 2019) Restore compatibility of setup.py with Python 2.6 and 2.7. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/PKG-INFO new/ecdsa-0.13.3/PKG-INFO --- old/ecdsa-0.13.2/PKG-INFO 2019-04-17 21:33:44.000000000 +0200 +++ new/ecdsa-0.13.3/PKG-INFO 2019-10-07 16:01:32.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: ecdsa -Version: 0.13.2 +Version: 0.13.3 Summary: ECDSA cryptographic signature library (pure python) Home-page: http://github.com/warner/python-ecdsa Author: Brian Warner @@ -81,6 +81,7 @@ more for the wrapper. To run them all, do this: python setup.py test + tox -e coverage On my 2014 Mac Mini, the combined tests take about 20 seconds to run. On a 2.4GHz P4 Linux box, they take 81 seconds. @@ -126,7 +127,8 @@ `SigningKey.from_string(s, curve)` . This short form does not record the curve, so you must be sure to tell from_string() the same curve you used for the original key. The short form of a NIST192p-based signing key is just 24 - bytes long. + bytes long. If the point encoding is invalid or it does not lie on the + specified curve, `from_string()` will raise MalformedPointError. from ecdsa import SigningKey, NIST384p sk = SigningKey.generate(curve=NIST384p) @@ -140,7 +142,8 @@ is a shorter binary form of the same data. `SigningKey.from_pem()/.from_der()` will undo this serialization. These formats include the curve name, so you do not need to pass in a curve - identifier to the deserializer. + identifier to the deserializer. In case the file is malformed `from_der()` + and `from_pem()` will raise UnexpectedDER or MalformedPointError. from ecdsa import SigningKey, NIST384p sk = SigningKey.generate(curve=NIST384p) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/README.md new/ecdsa-0.13.3/README.md --- old/ecdsa-0.13.2/README.md 2019-04-17 21:23:20.000000000 +0200 +++ new/ecdsa-0.13.3/README.md 2019-10-07 15:51:57.000000000 +0200 @@ -73,6 +73,7 @@ more for the wrapper. To run them all, do this: python setup.py test + tox -e coverage On my 2014 Mac Mini, the combined tests take about 20 seconds to run. On a 2.4GHz P4 Linux box, they take 81 seconds. @@ -118,7 +119,8 @@ `SigningKey.from_string(s, curve)` . This short form does not record the curve, so you must be sure to tell from_string() the same curve you used for the original key. The short form of a NIST192p-based signing key is just 24 -bytes long. +bytes long. If the point encoding is invalid or it does not lie on the +specified curve, `from_string()` will raise MalformedPointError. from ecdsa import SigningKey, NIST384p sk = SigningKey.generate(curve=NIST384p) @@ -132,7 +134,8 @@ is a shorter binary form of the same data. `SigningKey.from_pem()/.from_der()` will undo this serialization. These formats include the curve name, so you do not need to pass in a curve -identifier to the deserializer. +identifier to the deserializer. In case the file is malformed `from_der()` +and `from_pem()` will raise UnexpectedDER or MalformedPointError. from ecdsa import SigningKey, NIST384p sk = SigningKey.generate(curve=NIST384p) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/ecdsa/__init__.py new/ecdsa-0.13.3/ecdsa/__init__.py --- old/ecdsa-0.13.2/ecdsa/__init__.py 2019-04-17 21:23:20.000000000 +0200 +++ new/ecdsa-0.13.3/ecdsa/__init__.py 2019-10-07 15:51:57.000000000 +0200 @@ -1,9 +1,12 @@ __all__ = ["curves", "der", "ecdsa", "ellipticcurve", "keys", "numbertheory", "test_pyecdsa", "util", "six"] -from .keys import SigningKey, VerifyingKey, BadSignatureError, BadDigestError +from .keys import SigningKey, VerifyingKey, BadSignatureError, BadDigestError,\ + MalformedPointError from .curves import NIST192p, NIST224p, NIST256p, NIST384p, NIST521p, SECP256k1 +from .der import UnexpectedDER _hush_pyflakes = [SigningKey, VerifyingKey, BadSignatureError, BadDigestError, + MalformedPointError, UnexpectedDER, NIST192p, NIST224p, NIST256p, NIST384p, NIST521p, SECP256k1] del _hush_pyflakes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/ecdsa/_version.py new/ecdsa-0.13.3/ecdsa/_version.py --- old/ecdsa-0.13.2/ecdsa/_version.py 2019-04-17 21:33:44.000000000 +0200 +++ new/ecdsa-0.13.3/ecdsa/_version.py 2019-10-07 16:01:32.000000000 +0200 @@ -4,8 +4,8 @@ # unpacked source archive. Distribution tarballs contain a pre-generated copy # of this file. -version_version = '0.13.2' -version_full = 'bb359d32e93acc3eb4d216aff4ba0e7531599cfb' +version_version = '0.13.3' +version_full = '7add2213c992f51267eed8288b560f3f4108a28d' def get_versions(default={}, verbose=False): return {'version': version_version, 'full': version_full} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/ecdsa/der.py new/ecdsa-0.13.3/ecdsa/der.py --- old/ecdsa-0.13.2/ecdsa/der.py 2019-04-17 21:23:20.000000000 +0200 +++ new/ecdsa-0.13.3/ecdsa/der.py 2019-10-07 15:51:57.000000000 +0200 @@ -60,10 +60,15 @@ return tag, body, rest def remove_sequence(string): + if not string: + raise UnexpectedDER("Empty string does not encode a sequence") if not string.startswith(b("\x30")): - n = string[0] if isinstance(string[0], integer_types) else ord(string[0]) - raise UnexpectedDER("wanted sequence (0x30), got 0x%02x" % n) + n = string[0] if isinstance(string[0], integer_types) else \ + ord(string[0]) + raise UnexpectedDER("wanted type 'sequence' (0x30), got 0x%02x" % n) length, lengthlength = read_length(string[1:]) + if length > len(string) - 1 - lengthlength: + raise UnexpectedDER("Length longer than the provided buffer") endseq = 1+lengthlength+length return string[1+lengthlength:endseq], string[endseq:] @@ -96,14 +101,33 @@ return tuple(numbers), rest def remove_integer(string): + if not string: + raise UnexpectedDER("Empty string is an invalid encoding of an " + "integer") if not string.startswith(b("\x02")): - n = string[0] if isinstance(string[0], integer_types) else ord(string[0]) - raise UnexpectedDER("wanted integer (0x02), got 0x%02x" % n) + n = string[0] if isinstance(string[0], integer_types) \ + else ord(string[0]) + raise UnexpectedDER("wanted type 'integer' (0x02), got 0x%02x" % n) length, llen = read_length(string[1:]) + if length > len(string) - 1 - llen: + raise UnexpectedDER("Length longer than provided buffer") + if length == 0: + raise UnexpectedDER("0-byte long encoding of integer") numberbytes = string[1+llen:1+llen+length] rest = string[1+llen+length:] - nbytes = numberbytes[0] if isinstance(numberbytes[0], integer_types) else ord(numberbytes[0]) - assert nbytes < 0x80 # can't support negative numbers yet + msb = numberbytes[0] if isinstance(numberbytes[0], integer_types) \ + else ord(numberbytes[0]) + if not msb < 0x80: + raise UnexpectedDER("Negative integers are not supported") + # check if the encoding is the minimal one (DER requirement) + if length > 1 and not msb: + # leading zero byte is allowed if the integer would have been + # considered a negative number otherwise + smsb = numberbytes[1] if isinstance(numberbytes[1], integer_types) \ + else ord(numberbytes[1]) + if smsb < 0x80: + raise UnexpectedDER("Invalid encoding of integer, unnecessary " + "zero padding bytes") return int(binascii.hexlify(numberbytes), 16), rest def read_number(string): @@ -133,6 +157,8 @@ return int2byte(0x80|llen) + s def read_length(string): + if not string: + raise UnexpectedDER("Empty string can't encode valid length value") num = string[0] if isinstance(string[0], integer_types) else ord(string[0]) if not (num & 0x80): # short form @@ -140,8 +166,14 @@ # else long-form: b0&0x7f is number of additional base256 length bytes, # big-endian llen = num & 0x7f + if not llen: + raise UnexpectedDER("Invalid length encoding, length of length is 0") if llen > len(string)-1: - raise UnexpectedDER("ran out of length bytes") + raise UnexpectedDER("Length of length longer than provided buffer") + # verify that the encoding is minimal possible (DER requirement) + msb = string[1] if isinstance(string[1], integer_types) else ord(string[1]) + if not msb or llen == 1 and msb < 0x80: + raise UnexpectedDER("Not minimal encoding of length") return int(binascii.hexlify(string[1:1+llen]), 16), 1+llen def remove_bitstring(string): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/ecdsa/keys.py new/ecdsa-0.13.3/ecdsa/keys.py --- old/ecdsa-0.13.2/ecdsa/keys.py 2019-04-17 21:23:20.000000000 +0200 +++ new/ecdsa-0.13.3/ecdsa/keys.py 2019-10-07 15:51:57.000000000 +0200 @@ -3,10 +3,11 @@ from . import ecdsa from . import der from . import rfc6979 +from . import ellipticcurve from .curves import NIST192p, find_curve from .util import string_to_number, number_to_string, randrange from .util import sigencode_string, sigdecode_string -from .util import oid_ecPublicKey, encoded_oid_ecPublicKey +from .util import oid_ecPublicKey, encoded_oid_ecPublicKey, MalformedSignature from .six import PY3, b from hashlib import sha1 @@ -15,6 +16,11 @@ class BadDigestError(Exception): pass + +class MalformedPointError(AssertionError): + pass + + class VerifyingKey: def __init__(self, _error__please_use_generate=None): if not _error__please_use_generate: @@ -33,17 +39,21 @@ def from_string(klass, string, curve=NIST192p, hashfunc=sha1, validate_point=True): order = curve.order - assert len(string) == curve.verifying_key_length, \ - (len(string), curve.verifying_key_length) + if len(string) != curve.verifying_key_length: + raise MalformedPointError( + "Malformed encoding of public point. Expected string {0} bytes" + " long, received {1} bytes long string".format( + curve.verifying_key_length, len(string))) xs = string[:curve.baselen] ys = string[curve.baselen:] - assert len(xs) == curve.baselen, (len(xs), curve.baselen) - assert len(ys) == curve.baselen, (len(ys), curve.baselen) + if len(xs) != curve.baselen: + raise MalformedPointError("Unexpected length of encoded x") + if len(ys) != curve.baselen: + raise MalformedPointError("Unexpected length of encoded y") x = string_to_number(xs) y = string_to_number(ys) - if validate_point: - assert ecdsa.point_is_valid(curve.generator, x, y) - from . import ellipticcurve + if validate_point and not ecdsa.point_is_valid(curve.generator, x, y): + raise MalformedPointError("Point does not lie on the curve") point = ellipticcurve.Point(curve.curve, x, y, order) return klass.from_public_point(point, curve, hashfunc) @@ -65,13 +75,18 @@ if empty != b(""): raise der.UnexpectedDER("trailing junk after DER pubkey objects: %s" % binascii.hexlify(empty)) - assert oid_pk == oid_ecPublicKey, (oid_pk, oid_ecPublicKey) + if oid_pk != oid_ecPublicKey: + raise der.UnexpectedDER( + "Unexpected OID in encoding, received {0}, expected {1}" + .format(oid_pk, oid_ecPublicKey)) curve = find_curve(oid_curve) point_str, empty = der.remove_bitstring(point_str_bitstring) if empty != b(""): raise der.UnexpectedDER("trailing junk after pubkey pointstring: %s" % binascii.hexlify(empty)) - assert point_str.startswith(b("\x00\x04")) + if not point_str.startswith(b("\x00\x04")): + raise der.UnexpectedDER( + "Unsupported or invalid encoding of pubcli key") return klass.from_string(point_str[2:], curve) def to_string(self): @@ -106,11 +121,14 @@ "for your digest (%d)" % (self.curve.name, 8*len(digest))) number = string_to_number(digest) - r, s = sigdecode(signature, self.pubkey.order) + try: + r, s = sigdecode(signature, self.pubkey.order) + except (der.UnexpectedDER, MalformedSignature) as e: + raise BadSignatureError("Malformed formatting of signature", e) sig = ecdsa.Signature(r, s) if self.pubkey.verifies(number, sig): return True - raise BadSignatureError + raise BadSignatureError("Signature verification failed") class SigningKey: def __init__(self, _error__please_use_generate=None): @@ -134,7 +152,10 @@ self.default_hashfunc = hashfunc self.baselen = curve.baselen n = curve.order - assert 1 <= secexp < n + if not 1 <= secexp < n: + raise MalformedPointError( + "Invalid value for secexp, expected integer between 1 and {0}" + .format(n)) pubkey_point = curve.generator*secexp pubkey = ecdsa.Public_key(curve.generator, pubkey_point) pubkey.order = n @@ -146,7 +167,10 @@ @classmethod def from_string(klass, string, curve=NIST192p, hashfunc=sha1): - assert len(string) == curve.baselen, (len(string), curve.baselen) + if len(string) != curve.baselen: + raise MalformedPointError( + "Invalid length of private key, received {0}, expected {1}" + .format(len(string), curve.baselen)) secexp = string_to_number(string) return klass.from_secret_exponent(secexp, curve, hashfunc) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/ecdsa/test_der.py new/ecdsa-0.13.3/ecdsa/test_der.py --- old/ecdsa-0.13.2/ecdsa/test_der.py 1970-01-01 01:00:00.000000000 +0100 +++ new/ecdsa-0.13.3/ecdsa/test_der.py 2019-10-07 15:51:57.000000000 +0200 @@ -0,0 +1,88 @@ + +# compatibility with Python 2.6, for that we need unittest2 package, +# which is not available on 3.3 or 3.4 +try: + import unittest2 as unittest +except ImportError: + import unittest +from .der import remove_integer, UnexpectedDER, read_length +from .six import b + +class TestRemoveInteger(unittest.TestCase): + # DER requires the integers to be 0-padded only if they would be + # interpreted as negative, check if those errors are detected + def test_non_minimal_encoding(self): + with self.assertRaises(UnexpectedDER): + remove_integer(b('\x02\x02\x00\x01')) + + def test_negative_with_high_bit_set(self): + with self.assertRaises(UnexpectedDER): + remove_integer(b('\x02\x01\x80')) + + def test_two_zero_bytes_with_high_bit_set(self): + with self.assertRaises(UnexpectedDER): + remove_integer(b('\x02\x03\x00\x00\xff')) + + def test_zero_length_integer(self): + with self.assertRaises(UnexpectedDER): + remove_integer(b('\x02\x00')) + + def test_empty_string(self): + with self.assertRaises(UnexpectedDER): + remove_integer(b('')) + + def test_encoding_of_zero(self): + val, rem = remove_integer(b('\x02\x01\x00')) + + self.assertEqual(val, 0) + self.assertFalse(rem) + + def test_encoding_of_127(self): + val, rem = remove_integer(b('\x02\x01\x7f')) + + self.assertEqual(val, 127) + self.assertFalse(rem) + + def test_encoding_of_128(self): + val, rem = remove_integer(b('\x02\x02\x00\x80')) + + self.assertEqual(val, 128) + self.assertFalse(rem) + + +class TestReadLength(unittest.TestCase): + # DER requires the lengths between 0 and 127 to be encoded using the short + # form and lengths above that encoded with minimal number of bytes + # necessary + def test_zero_length(self): + self.assertEqual((0, 1), read_length(b('\x00'))) + + def test_two_byte_zero_length(self): + with self.assertRaises(UnexpectedDER): + read_length(b('\x81\x00')) + + def test_two_byte_small_length(self): + with self.assertRaises(UnexpectedDER): + read_length(b('\x81\x7f')) + + def test_long_form_with_zero_length(self): + with self.assertRaises(UnexpectedDER): + read_length(b('\x80')) + + def test_smallest_two_byte_length(self): + self.assertEqual((128, 2), read_length(b('\x81\x80'))) + + def test_zero_padded_length(self): + with self.assertRaises(UnexpectedDER): + read_length(b('\x82\x00\x80')) + + def test_two_three_byte_length(self): + self.assertEqual((256, 3), read_length(b'\x82\x01\x00')) + + def test_empty_string(self): + with self.assertRaises(UnexpectedDER): + read_length(b('')) + + def test_length_overflow(self): + with self.assertRaises(UnexpectedDER): + read_length(b('\x83\x01\x00')) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/ecdsa/test_malformed_sigs.py new/ecdsa-0.13.3/ecdsa/test_malformed_sigs.py --- old/ecdsa-0.13.2/ecdsa/test_malformed_sigs.py 1970-01-01 01:00:00.000000000 +0100 +++ new/ecdsa-0.13.3/ecdsa/test_malformed_sigs.py 2019-10-07 15:51:57.000000000 +0200 @@ -0,0 +1,87 @@ +from __future__ import with_statement, division + +import pytest +import hashlib + +from .six import b, binary_type +from .keys import SigningKey, VerifyingKey +from .keys import BadSignatureError +from .util import sigencode_der, sigencode_string +from .util import sigdecode_der, sigdecode_string +from .curves import curves, NIST256p, NIST521p + +der_sigs = [] +example_data = b("some data to sign") + +# Just NIST256p with SHA256 is 560 test cases, all curves with all hashes is +# few thousand slow test cases; execute the most interesting only + +#for curve in curves: +for curve in [NIST521p]: + #for hash_alg in ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]: + for hash_alg in ["sha256"]: + key = SigningKey.generate(curve) + signature = key.sign(example_data, hashfunc=getattr(hashlib, hash_alg), + sigencode=sigencode_der) + for pos in range(len(signature)): + for xor in (1<<i for i in range(8)): + der_sigs.append(pytest.param( + key.verifying_key, hash_alg, + signature, pos, xor, + id="{0}-{1}-pos-{2}-xor-{3}".format( + curve.name, hash_alg, pos, xor))) + + +@pytest.mark.parametrize("verifying_key,hash_alg,signature,pos,xor", der_sigs) +def test_fuzzed_der_signatures(verifying_key, hash_alg, signature, pos, xor): + # check if a malformed DER encoded signature causes the same exception + # to be raised irrespective of the type of error + sig = bytearray(signature) + sig[pos] ^= xor + sig = binary_type(sig) + + try: + verifying_key.verify(sig, example_data, getattr(hashlib, hash_alg), + sigdecode_der) + assert False + except BadSignatureError: + assert True + + +#### +# +# For string encoded signatures, only the length of string is important +# +#### + +str_sigs = [] + +#for curve in curves: +for curve in [NIST256p]: + #for hash_alg in ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]: + for hash_alg in ["sha256"]: + key = SigningKey.generate(curve) + signature = key.sign(example_data, hashfunc=getattr(hashlib, hash_alg), + sigencode=sigencode_string) + for trunc in range(len(signature)): + str_sigs.append(pytest.param( + key.verifying_key, hash_alg, + signature, trunc, + id="{0}-{1}-trunc-{2}".format( + curve.name, hash_alg, trunc))) + + +@pytest.mark.parametrize("verifying_key,hash_alg,signature,trunc", str_sigs) +def test_truncated_string_signatures(verifying_key, hash_alg, signature, trunc): + # check if a malformed string encoded signature causes the same exception + # to be raised irrespective of the type of error + sig = bytearray(signature) + sig = sig[:trunc] + sig = binary_type(sig) + + try: + verifying_key.verify(sig, example_data, getattr(hashlib, hash_alg), + sigdecode_string) + assert False + except BadSignatureError: + assert True diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/ecdsa/test_pyecdsa.py new/ecdsa-0.13.3/ecdsa/test_pyecdsa.py --- old/ecdsa-0.13.2/ecdsa/test_pyecdsa.py 2019-04-17 21:23:20.000000000 +0200 +++ new/ecdsa-0.13.3/ecdsa/test_pyecdsa.py 2019-10-07 15:51:57.000000000 +0200 @@ -1,6 +1,9 @@ from __future__ import with_statement, division -import unittest +try: + import unittest2 as unittest +except ImportError: + import unittest import os import time import shutil @@ -10,15 +13,17 @@ from .six import b, print_, binary_type from .keys import SigningKey, VerifyingKey -from .keys import BadSignatureError +from .keys import BadSignatureError, MalformedPointError, BadDigestError from . import util from .util import sigencode_der, sigencode_strings from .util import sigdecode_der, sigdecode_strings +from .util import encoded_oid_ecPublicKey, MalformedSignature from .curves import Curve, UnknownCurveError from .curves import NIST192p, NIST224p, NIST256p, NIST384p, NIST521p, SECP256k1 from .ellipticcurve import Point from . import der from . import rfc6979 +from . import ecdsa class SubprocessError(Exception): pass @@ -258,6 +263,47 @@ pub2 = VerifyingKey.from_pem(pem) self.assertTruePubkeysEqual(pub1, pub2) + def test_vk_from_der_garbage_after_curve_oid(self): + type_oid_der = encoded_oid_ecPublicKey + curve_oid_der = der.encode_oid(*(1, 2, 840, 10045, 3, 1, 1)) + \ + b('garbage') + enc_type_der = der.encode_sequence(type_oid_der, curve_oid_der) + point_der = der.encode_bitstring(b'\x00\xff') + to_decode = der.encode_sequence(enc_type_der, point_der) + + with self.assertRaises(der.UnexpectedDER): + VerifyingKey.from_der(to_decode) + + def test_vk_from_der_invalid_key_type(self): + type_oid_der = der.encode_oid(*(1, 2, 3)) + curve_oid_der = der.encode_oid(*(1, 2, 840, 10045, 3, 1, 1)) + enc_type_der = der.encode_sequence(type_oid_der, curve_oid_der) + point_der = der.encode_bitstring(b'\x00\xff') + to_decode = der.encode_sequence(enc_type_der, point_der) + + with self.assertRaises(der.UnexpectedDER): + VerifyingKey.from_der(to_decode) + + def test_vk_from_der_garbage_after_point_string(self): + type_oid_der = encoded_oid_ecPublicKey + curve_oid_der = der.encode_oid(*(1, 2, 840, 10045, 3, 1, 1)) + enc_type_der = der.encode_sequence(type_oid_der, curve_oid_der) + point_der = der.encode_bitstring(b'\x00\xff') + b('garbage') + to_decode = der.encode_sequence(enc_type_der, point_der) + + with self.assertRaises(der.UnexpectedDER): + VerifyingKey.from_der(to_decode) + + def test_vk_from_der_invalid_bitstring(self): + type_oid_der = encoded_oid_ecPublicKey + curve_oid_der = der.encode_oid(*(1, 2, 840, 10045, 3, 1, 1)) + enc_type_der = der.encode_sequence(type_oid_der, curve_oid_der) + point_der = der.encode_bitstring(b'\x08\xff') + to_decode = der.encode_sequence(enc_type_der, point_der) + + with self.assertRaises(der.UnexpectedDER): + VerifyingKey.from_der(to_decode) + def test_signature_strings(self): priv1 = SigningKey.generate() pub1 = priv1.get_verifying_key() @@ -281,6 +327,86 @@ self.assertEqual(type(sig_der), binary_type) self.assertTrue(pub1.verify(sig_der, data, sigdecode=sigdecode_der)) + def test_sig_decode_strings_with_invalid_count(self): + with self.assertRaises(MalformedSignature): + sigdecode_strings([b('one'), b('two'), b('three')], 0xff) + + def test_sig_decode_strings_with_wrong_r_len(self): + with self.assertRaises(MalformedSignature): + sigdecode_strings([b('one'), b('two')], 0xff) + + def test_sig_decode_strings_with_wrong_s_len(self): + with self.assertRaises(MalformedSignature): + sigdecode_strings([b('\xa0'), b('\xb0\xff')], 0xff) + + def test_verify_with_too_long_input(self): + sk = SigningKey.generate() + vk = sk.verifying_key + + with self.assertRaises(BadDigestError): + vk.verify_digest(None, b('\x00') * 128) + + def test_sk_from_secret_exponent_with_wrong_sec_exponent(self): + with self.assertRaises(MalformedPointError): + SigningKey.from_secret_exponent(0) + + def test_sk_from_string_with_wrong_len_string(self): + with self.assertRaises(MalformedPointError): + SigningKey.from_string(b('\x01')) + + def test_sk_from_der_with_junk_after_sequence(self): + ver_der = der.encode_integer(1) + to_decode = der.encode_sequence(ver_der) + b('garbage') + + with self.assertRaises(der.UnexpectedDER): + SigningKey.from_der(to_decode) + + def test_sk_from_der_with_wrong_version(self): + ver_der = der.encode_integer(0) + to_decode = der.encode_sequence(ver_der) + + with self.assertRaises(der.UnexpectedDER): + SigningKey.from_der(to_decode) + + def test_sk_from_der_invalid_const_tag(self): + ver_der = der.encode_integer(1) + privkey_der = der.encode_octet_string(b('\x00\xff')) + curve_oid_der = der.encode_oid(*(1, 2, 3)) + const_der = der.encode_constructed(1, curve_oid_der) + to_decode = der.encode_sequence(ver_der, privkey_der, const_der, + curve_oid_der) + + with self.assertRaises(der.UnexpectedDER): + SigningKey.from_der(to_decode) + + def test_sk_from_der_garbage_after_privkey_oid(self): + ver_der = der.encode_integer(1) + privkey_der = der.encode_octet_string(b('\x00\xff')) + curve_oid_der = der.encode_oid(*(1, 2, 3)) + b('garbage') + const_der = der.encode_constructed(0, curve_oid_der) + to_decode = der.encode_sequence(ver_der, privkey_der, const_der, + curve_oid_der) + + with self.assertRaises(der.UnexpectedDER): + SigningKey.from_der(to_decode) + + def test_sk_from_der_with_short_privkey(self): + ver_der = der.encode_integer(1) + privkey_der = der.encode_octet_string(b('\x00\xff')) + curve_oid_der = der.encode_oid(*(1, 2, 840, 10045, 3, 1, 1)) + const_der = der.encode_constructed(0, curve_oid_der) + to_decode = der.encode_sequence(ver_der, privkey_der, const_der, + curve_oid_der) + + sk = SigningKey.from_der(to_decode) + self.assertEqual(sk.privkey.secret_multiplier, 255) + + def test_sign_with_too_long_hash(self): + sk = SigningKey.from_secret_exponent(12) + + with self.assertRaises(BadDigestError): + sk.sign_digest(b('\xff') * 64) + def test_hashfunc(self): sk = SigningKey.generate(curve=NIST256p, hashfunc=sha256) data = b("security level is 128 bits") @@ -299,6 +425,49 @@ curve=NIST256p) self.assertTrue(vk3.verify(sig, data, hashfunc=sha256)) + def test_decoding_with_malformed_uncompressed(self): + enc = b('\x0c\xe0\x1d\xe0d\x1c\x8eS\x8a\xc0\x9eK\xa8x !\xd5\xc2\xc3' + '\xfd\xc8\xa0c\xff\xfb\x02\xb9\xc4\x84)\x1a\x0f\x8b\x87\xa4' + 'z\x8a#\xb5\x97\xecO\xb6\xa0HQ\x89*') + + with self.assertRaises(MalformedPointError): + VerifyingKey.from_string(b('\x02') + enc) + + def test_decoding_with_point_not_on_curve(self): + enc = b('\x0c\xe0\x1d\xe0d\x1c\x8eS\x8a\xc0\x9eK\xa8x !\xd5\xc2\xc3' + '\xfd\xc8\xa0c\xff\xfb\x02\xb9\xc4\x84)\x1a\x0f\x8b\x87\xa4' + 'z\x8a#\xb5\x97\xecO\xb6\xa0HQ\x89*') + + with self.assertRaises(MalformedPointError): + VerifyingKey.from_string(enc[:47] + b('\x00')) + + def test_decoding_with_point_at_infinity(self): + # decoding it is unsupported, as it's not necessary to encode it + with self.assertRaises(MalformedPointError): + VerifyingKey.from_string(b('\x00')) + + def test_from_string_with_invalid_curve_too_short_ver_key_len(self): + # both verifying_key_length and baselen are calculated internally + # by the Curve constructor, but since we depend on them verify + # that inconsistent values are detected + curve = Curve("test", ecdsa.curve_192, ecdsa.generator_192, (1, 2)) + curve.verifying_key_length = 16 + curve.baselen = 32 + + with self.assertRaises(MalformedPointError): + VerifyingKey.from_string(b('\x00')*16, curve) + + def test_from_string_with_invalid_curve_too_long_ver_key_len(self): + # both verifying_key_length and baselen are calculated internally + # by the Curve constructor, but since we depend on them verify + # that inconsistent values are detected + curve = Curve("test", ecdsa.curve_192, ecdsa.generator_192, (1, 2)) + curve.verifying_key_length = 16 + curve.baselen = 16 + + with self.assertRaises(MalformedPointError): + VerifyingKey.from_string(b('\x00')*16, curve) + class OpenSSL(unittest.TestCase): # test interoperability with OpenSSL tools. Note that openssl's ECDSA diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.13.2/ecdsa/util.py new/ecdsa-0.13.3/ecdsa/util.py --- old/ecdsa-0.13.2/ecdsa/util.py 2019-04-17 21:23:20.000000000 +0200 +++ new/ecdsa-0.13.3/ecdsa/util.py 2019-10-07 15:51:57.000000000 +0200 @@ -216,18 +216,38 @@ return sigencode_der(r, s, order) +class MalformedSignature(Exception): + pass + + def sigdecode_string(signature, order): l = orderlen(order) - assert len(signature) == 2*l, (len(signature), 2*l) + if not len(signature) == 2 * l: + raise MalformedSignature( + "Invalid length of signature, expected {0} bytes long, " + "provided string is {1} bytes long" + .format(2 * l, len(signature))) r = string_to_number_fixedlen(signature[:l], order) s = string_to_number_fixedlen(signature[l:], order) return r, s def sigdecode_strings(rs_strings, order): + if not len(rs_strings) == 2: + raise MalformedSignature( + "Invalid number of strings provided: {0}, expected 2" + .format(len(rs_strings))) (r_str, s_str) = rs_strings l = orderlen(order) - assert len(r_str) == l, (len(r_str), l) - assert len(s_str) == l, (len(s_str), l) + if not len(r_str) == l: + raise MalformedSignature( + "Invalid length of first string ('r' parameter), " + "expected {0} bytes long, provided string is {1} bytes long" + .format(l, len(r_str))) + if not len(s_str) == l: + raise MalformedSignature( + "Invalid length of second string ('s' parameter), " + "expected {0} bytes long, provided string is {1} bytes long" + .format(l, len(s_str))) r = string_to_number_fixedlen(r_str, order) s = string_to_number_fixedlen(s_str, order) return r, s