atproto utils for zig

fix integer overflow in ECDSA signature verification

Reject high-S signatures before calling Signature.fromBytes, which does
internal scalar arithmetic that overflows on out-of-range S values. The
check was previously done after fromBytes using the parsed sig.s field,
but the construction itself panicked on malformed signatures (e.g.,
high-S or DER-encoded test vectors from the interop fixtures). Now
rejectHighS operates on the raw signature bytes directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jcalabro 4522ce53 4ac00261

+5 -2
src/internal/crypto/jwt.zig
··· 288 288 /// verify an ECDSA signature, rejecting high-S 289 289 fn verifyEcdsa(comptime Scheme: type, comptime half_order: [32]u8, message: []const u8, sig_bytes: []const u8, public_key_raw: []const u8) !void { 290 290 if (sig_bytes.len != 64) return error.InvalidSignature; 291 - const sig = Scheme.Signature.fromBytes(sig_bytes[0..64].*); 291 + 292 + // reject high-S before constructing Signature — fromBytes does scalar 293 + // arithmetic that can overflow on out-of-range values 294 + rejectHighS(half_order, sig_bytes[32..64].*) catch return error.SignatureVerificationFailed; 292 295 293 - rejectHighS(half_order, sig.s) catch return error.SignatureVerificationFailed; 296 + const sig = Scheme.Signature.fromBytes(sig_bytes[0..64].*); 294 297 295 298 if (public_key_raw.len != 33) return error.InvalidPublicKey; 296 299 const public_key = Scheme.PublicKey.fromSec1(public_key_raw) catch return error.InvalidPublicKey;
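
Review bot: The pre-parse check in `verifyEcdsa` covers only the S half (`sig_bytes[32..64]`), so the R half in `sig_bytes[0..32]` still reaches `Scheme.Signature.fromBytes` unvalidated. If `fromBytes` can overflow on out-of-range scalars, as the new comment says, an out-of-range R would take the same path; either range-check R on the raw bytes before construction or add a regression test showing that a malformed R returns an error instead of panicking. The comment would also be more precise as "S above half_order" than "out-of-range values", since `half_order` is the only bound passed to `rejectHighS` here. A test that runs the high-S and DER-encoded interop fixtures through `verifyEcdsa` and expects an error return would pin the fix.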