I've found that jsrsasign 8.0.16 allows a certain degree of malleability in ECDSA signatures by
not checking overflows in the length of sequence and 0s appended or prepended to an integer.
Using the secp256r1 curve it its possible to verify this issue using the following test vectors of Google Wycheproof:
Hello,
I've found that jsrsasign 8.0.16 allows a certain degree of malleability in ECDSA signatures by
not checking overflows in the length of sequence and 0s appended or prepended to an integer.
Using the secp256r1 curve it its possible to verify this issue using the following test vectors of Google Wycheproof:
Using the following proof of concept:
The output is:
However, if you use node.js crypto:
the output is:
Best regards,
Antonio
The text was updated successfully, but these errors were encountered: