S256Point.verify and Signature class in ecc.py do not issue warning if "s" value is high

When an ECDSA signature is made with this library using [`PrivateKey.sign`](https://github.com/jimmysong/programmingbitcoin/blob/3fba6b992ece443e4256df057595cfbe91edda75/code-ch13/ecc.py#L620) it is canonicalized so the `s` value is low, ie. so (& see [Issue #296](https://github.com/jimmysong/programmingbitcoin/issues/296)) :

```
s < N // 2

where

N = order of secp256k1 generator point G =
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

N // 2 = 
7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0        (exact)
```

However if a signature with high `s` that was obtained from some other cryptography library (eg. openssl or Python ecdsa package) is verified using [`S256Point.verify`](https://github.com/jimmysong/programmingbitcoin/blob/3fba6b992ece443e4256df057595cfbe91edda75/code-ch13/ecc.py#L394) then no warning is issued that the `s` value is high and needs to be replaced with `N - s` to be accepted by the Bitcoin network.

Likewise in the `Signature` class, in the [constructor](https://github.com/jimmysong/programmingbitcoin/blob/3fba6b992ece443e4256df057595cfbe91edda75/code-ch13/ecc.py#L547) and the [`parse`](https://github.com/jimmysong/programmingbitcoin/blob/3fba6b992ece443e4256df057595cfbe91edda75/code-ch13/ecc.py#L572) method, no warning is issued if the `s` value is high.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

S256Point.verify and Signature class in ecc.py do not issue warning if "s" value is high #297

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

S256Point.verify and Signature class in ecc.py do not issue warning if "s" value is high #297

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions