Close the three review-gap holes in ECDSA malleability tests

Self-review flagged three blind spots in the original malleability
regression suite:

- No test exercised the r ∈ [1, n-1] bounds check on verify — only
  the s-side high-S rejection was covered. Added
  ecdsaVerificationShouldRejectOutOfRangeR to forge r == 0 and r == n
  via byte-level tampering and confirm both are rejected.

- The DER fallback path in signEcdsaP256Raw/verifyEcdsaP256Raw is
  effectively dead on modern JDKs, leaving derToP1363/p1363ToDer
  untested. Added a direct round-trip test against a real JDK DER
  signature plus a crafted high-bit-set input that exercises the
  DER sign-extension branch of p1363ToDer.

- SelectiveDisclosure.signEcdsaP256 shares the low-S normalization
  contract with CredentialSigner but had no test locking it in.
  Added selectiveDisclosureBaseSignatureIsAlwaysLowS, which reads
  the 64-byte base signature out of the fixed CBOR prefix emitted
  by CborEncoder and asserts s <= n/2 across 20 iterations.

The new tests live in src/test/java/work/brodykim/signet/credential/
so they can reach the package-private helpers (derToP1363,
p1363ToDer, normalizeToLowS, P256_* constants) without widening
production visibility.

https://claude.ai/code/session_011UnXmEtWXkFn8sz5bnNkUT

Author: claude

src/test/java/work/brodykim/signet/CredentialSignerTest.java

@@ -275,6 +275,45 @@ void ecdsaVerificationShouldRejectMalformedSignatureLength() {
                 "Verifier must reject signatures that are not 64 bytes");
     }
 
+    @Test
+    @SuppressWarnings("unchecked")
+    void ecdsaVerificationShouldRejectOutOfRangeR() {
+        // Locks in the r ∈ [1, n-1] range check. The verifier pre-rejects r == 0
+        // and r >= n before delegating to the underlying ECDSA verifier — without
+        // this, a subsequent implementation change that skipped the range check
+        // would go unnoticed.
+        ECKey keyPair = KeyPairManager.generateP256KeyPair();
+        Map<String, Object> credential = buildSampleCredential();
+
+        Map<String, Object> signed = signer.signWithEcdsaDataIntegrity(
+                credential, keyPair, "https://example.com/issuers/1#key-1");
+        byte[] origSig = Multibase.decodeBase58Btc(
+                (String) ((Map<String, Object>) signed.get("proof")).get("proofValue"));
+
+        // Forge r = 0 (zero out the first 32 bytes).
+        byte[] zeroR = origSig.clone();
+        Arrays.fill(zeroR, 0, 32, (byte) 0);
+        assertFalse(verifyWithForgedSignature(signed, keyPair, zeroR),
+                "Verifier must reject r == 0");
+
+        // Forge r = n (encode the curve order directly in the r slot).
+        byte[] rEqualsN = origSig.clone();
+        byte[] nBytes = P256_N.toByteArray();
+        // P256_N.toByteArray() may return 33 bytes (leading 0x00 sign byte) since n > 2^255.
+        System.arraycopy(nBytes, nBytes.length - 32, rEqualsN, 0, 32);
+        assertFalse(verifyWithForgedSignature(signed, keyPair, rEqualsN),
+                "Verifier must reject r == n (r must be strictly less than n)");
+    }
+
+    @SuppressWarnings("unchecked")
+    private boolean verifyWithForgedSignature(Map<String, Object> signed, ECKey keyPair, byte[] forgedSig) {
+        Map<String, Object> proof = new LinkedHashMap<>((Map<String, Object>) signed.get("proof"));
+        proof.put("proofValue", Multibase.encodeBase58Btc(forgedSig));
+        Map<String, Object> tampered = new LinkedHashMap<>(signed);
+        tampered.put("proof", proof);
+        return signer.verifyEcdsaDataIntegrity(tampered, keyPair.toPublicJWK());
+    }
+
     /** Flip s to n - s in an IEEE P1363 (r || s) signature, keeping r intact. */
     private static byte[] flipS(byte[] p1363, BigInteger n) {
         int half = p1363.length / 2;

src/test/java/work/brodykim/signet/credential/EcdsaInternalsTest.java

@@ -0,0 +1,172 @@
+package work.brodykim.signet.credential;
+
+import work.brodykim.signet.jsonld.CachedDocumentLoader;
+import work.brodykim.signet.jsonld.JsonLdProcessor;
+import com.nimbusds.jose.jwk.ECKey;
+import org.junit.jupiter.api.Test;
+
+import java.math.BigInteger;
+import java.security.Signature;
+import java.security.interfaces.ECPrivateKey;
+import java.util.Arrays;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Tests that need package-level access to low-level ECDSA helpers and the
+ * CBOR-encoded ecdsa-sd-2023 proof value. Package is intentionally
+ * {@code work.brodykim.signet.credential} to reach the package-private
+ * {@code derToP1363}, {@code p1363ToDer}, and {@code P256_*} constants in
+ * {@link CredentialSigner} without widening production visibility.
+ */
+class EcdsaInternalsTest {
+
+    private final JsonLdProcessor jsonLdProcessor = new JsonLdProcessor(new CachedDocumentLoader());
+    private final SelectiveDisclosure selectiveDisclosure = new SelectiveDisclosure(jsonLdProcessor);
+
+    // ── DER ⇄ P1363 round-trip coverage (exercises the DER fallback path) ──
+
+    @Test
+    void derToP1363RoundTripsForRealJdkDerSignature() throws Exception {
+        // The JDK DER path in signEcdsaP256Raw/verifyEcdsaP256Raw is only reached
+        // when SHA256withECDSAinP1363Format is absent. Modern JDKs always ship
+        // it, so the fallback is effectively never exercised at runtime. Test
+        // the conversion directly against a real DER signature produced by the
+        // JDK so a regression in derToP1363/p1363ToDer would still be caught.
+        ECKey jwk = KeyPairManager.generateP256KeyPair();
+        ECPrivateKey privateKey = jwk.toECPrivateKey();
+
+        byte[] data = "payload under test".getBytes();
+        Signature sig = Signature.getInstance(CredentialSigner.ALGO_ECDSA_DER);
+        sig.initSign(privateKey);
+        sig.update(data);
+        byte[] derSig = sig.sign();
+
+        byte[] p1363 = CredentialSigner.derToP1363(derSig, CredentialSigner.P256_COMPONENT_LEN);
+        assertEquals(64, p1363.length, "P-256 P1363 must be 64 bytes");
+
+        byte[] derAgain = CredentialSigner.p1363ToDer(p1363);
+
+        // Verifier must accept either form for the same (key, data).
+        Signature verifyDer = Signature.getInstance(CredentialSigner.ALGO_ECDSA_DER);
+        verifyDer.initVerify(jwk.toECPublicKey());
+        verifyDer.update(data);
+        assertTrue(verifyDer.verify(derAgain),
+                "DER → P1363 → DER round-trip must produce a DER signature that verifies");
+    }
+
+    @Test
+    void p1363ToDerHandlesHighBitSetOnBothComponents() {
+        // DER integer encoding requires a leading 0x00 when the MSB is set
+        // (otherwise the value would be interpreted as negative). Exercise that
+        // branch by crafting P1363 bytes with 0x80 in both r and s.
+        byte[] p1363 = new byte[64];
+        p1363[0] = (byte) 0x80;   // r has MSB set
+        p1363[1] = 0x01;
+        p1363[32] = (byte) 0x80;  // s has MSB set
+        p1363[33] = 0x02;
+        // Fill the rest with non-zero so the values are full-length.
+        for (int i = 2; i < 32; i++) p1363[i] = (byte) 0x11;
+        for (int i = 34; i < 64; i++) p1363[i] = (byte) 0x22;
+
+        byte[] der = CredentialSigner.p1363ToDer(p1363);
+        // 0x30 | total-len | 0x02 | 33 | 0x00 | 32 r-bytes | 0x02 | 33 | 0x00 | 32 s-bytes
+        assertEquals(0x30, der[0] & 0xFF, "DER SEQUENCE marker");
+        assertEquals(0x02, der[2] & 0xFF, "DER INTEGER marker for r");
+        assertEquals(33, der[3] & 0xFF, "r must be padded to 33 bytes (leading 0x00)");
+        assertEquals(0x00, der[4] & 0xFF, "r padding byte");
+        assertEquals(0x02, der[37] & 0xFF, "DER INTEGER marker for s");
+        assertEquals(33, der[38] & 0xFF, "s must be padded to 33 bytes");
+        assertEquals(0x00, der[39] & 0xFF, "s padding byte");
+
+        byte[] backToP1363 = CredentialSigner.derToP1363(der, CredentialSigner.P256_COMPONENT_LEN);
+        assertArrayEquals(p1363, backToP1363,
+                "DER → P1363 → DER → P1363 must be a no-op for fully-populated inputs");
+    }
+
+    // ── normalizeToLowS direct unit coverage ──────────────────────────────
+
+    @Test
+    void normalizeToLowSFlipsExactlyWhenSExceedsHalfN() {
+        byte[] lowS = new byte[64];
+        Arrays.fill(lowS, 0, 32, (byte) 0x11);  // arbitrary r
+        // s = 1 (low)
+        lowS[63] = 0x01;
+        assertSame(lowS, CredentialSigner.normalizeToLowS(lowS),
+                "s already low → must return input unchanged (same reference)");
+
+        byte[] highS = new byte[64];
+        Arrays.fill(highS, 0, 32, (byte) 0x11);
+        // s = n - 1 (definitely > n/2)
+        byte[] nMinus1 = CredentialSigner.P256_N.subtract(BigInteger.ONE).toByteArray();
+        System.arraycopy(nMinus1, nMinus1.length - 32, highS, 32, 32);
+
+        byte[] normalized = CredentialSigner.normalizeToLowS(highS);
+        assertNotSame(highS, normalized, "high-S path must allocate a new array");
+        BigInteger normalizedS = new BigInteger(1, Arrays.copyOfRange(normalized, 32, 64));
+        assertEquals(BigInteger.ONE, normalizedS,
+                "n - (n - 1) must equal 1");
+        assertArrayEquals(Arrays.copyOfRange(highS, 0, 32), Arrays.copyOfRange(normalized, 0, 32),
+                "r must be preserved during low-S normalization");
+    }
+
+    // ── ecdsa-sd-2023 base signature low-S invariant ──────────────────────
+
+    @Test
+    void selectiveDisclosureBaseSignatureIsAlwaysLowS() {
+        // Mirror of the ecdsa-rdfc-2022 low-S invariant, but for ecdsa-sd-2023.
+        // Without direct access to the signEcdsaP256 helper we read the base
+        // signature straight out of the CBOR prefix emitted by CborEncoder:
+        //
+        //   [0..2]  = 0xd9 0x5d 0x02         (CBOR tag)
+        //   [3]     = 0x85                   (array(5) header)
+        //   [4..5]  = 0x58 0x40              (byte string, length 64)
+        //   [6..69] = 64-byte base signature
+        //
+        // This layout is stable for P-256 base proofs.
+        ECKey keyPair = KeyPairManager.generateP256KeyPair();
+
+        for (int i = 0; i < 20; i++) {
+            Map<String, Object> credential = buildSampleCredential();
+            credential.put("id", "https://example.com/cred/" + i);
+
+            Map<String, Object> signed = selectiveDisclosure.createBaseProof(
+                    credential, keyPair,
+                    "https://example.com/issuers/1#key-1",
+                    List.of("/issuer"));
+
+            @SuppressWarnings("unchecked")
+            Map<String, Object> proof = (Map<String, Object>) signed.get("proof");
+            byte[] cbor = Multibase.decodeBase58Btc((String) proof.get("proofValue"));
+
+            assertEquals((byte) 0xd9, cbor[0]);
+            assertEquals((byte) 0x5d, cbor[1]);
+            assertEquals((byte) 0x02, cbor[2]);
+            assertEquals((byte) 0x85, cbor[3]);
+            assertEquals((byte) 0x58, cbor[4]);
+            assertEquals((byte) 0x40, cbor[5]);
+
+            byte[] baseSig = Arrays.copyOfRange(cbor, 6, 70);
+            BigInteger s = new BigInteger(1, Arrays.copyOfRange(baseSig, 32, 64));
+            assertTrue(s.signum() > 0, "s must be positive on iteration " + i);
+            assertTrue(s.compareTo(CredentialSigner.P256_HALF_N) <= 0,
+                    "ecdsa-sd-2023 base signature must be low-S on iteration " + i
+                            + " (got s=" + s.toString(16) + ")");
+        }
+    }
+
+    private Map<String, Object> buildSampleCredential() {
+        Map<String, Object> credential = new LinkedHashMap<>();
+        credential.put("@context", List.of("https://www.w3.org/ns/credentials/v2",
+                "https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.3.json"));
+        credential.put("type", List.of("VerifiableCredential", "OpenBadgeCredential"));
+        credential.put("id", "https://example.com/cred/1");
+        credential.put("issuer", Map.of("id", "https://example.com/issuers/1", "type", "Profile", "name", "Test"));
+        credential.put("validFrom", "2026-01-01T00:00:00Z");
+        credential.put("name", "Test Badge");
+        return credential;
+    }
+}