ECDSA when the hash length is greater than the group's order

[rgeslain-ledger]

The library does not support the case where, either for ECDSA sign or ECDSA verify, the hash length is greater than the group's order.

As an example, it can be (not the optimal way) implemented like this:

• In ecdsa.py#_do_sign, right after msg = int.from_bytes(msg, 'big'):

nbyteslen = (n.bit_length() + 7) // 8
mbyteslen = (msg.bit_length() + 7) // 8

if nbyteslen < mbyteslen:
    # msg is the 'n.bit_length()' leftmost bits of the received msg.
    msg = int(hex(msg)[2:2*nbyteslen + 2], 16)

• In ecdsa.py#verify, right after h = int.from_bytes(msg,'big'):

nbyteslen = (n.bit_length() + 7) // 8
hbyteslen = (h.bit_length() + 7) // 8
if nbyteslen < hbyteslen:
    # h is the 'n.bit_length()' leftmost bits of the received h value.
    h = int(hex(h)[2:2*nbyteslen + 2], 16)

[cslashm]

Thanks for reporting. You're right.
Feel free to make a PR, else I will work on it this week.

[rgeslain-ledger]

Should be fixed by #18.

[matbok]

Should be fixed by #18.

No, There is a bug if hash has at least 8 zero bits leading: indeed, in the #18 fix, it's checked the real bit length, not the byte length multiplied by 8 (to obtain the "full bytes" bit length), and mbyteslen must be len(msg) (before making it integer)

[cslashm]

hmmm I'll check against RFC and internal Ledger OS code

[cslashm]

should be fixed in 1.2.4 @matbok