ecdsa: add VerifyLowS helper and tests

MPins · MPins · commit f8dfe2105186 · 2026-03-25T16:11:42.000-03:00
Introduce a VerifyLowS helper to detect non-canonical
high-S ECDSA signatures, along with unit tests.
diff --git a/btcec/ecdsa/signature.go b/btcec/ecdsa/signature.go
@@ -18,6 +18,8 @@ import (
 var (
 	errNegativeValue          = errors.New("value may be interpreted as negative")
 	errExcessivelyPaddedValue = errors.New("value is excessively padded")
+	errHighS                  = errors.New("signature is not canonical due to unnecessarily high S value")
+	errNoHeaderMagic          = errors.New("malformed signature: no header magic")
 )
 
 // Signature is a type representing an ecdsa signature.
@@ -90,7 +92,7 @@ func parseSig(sigStr []byte, der bool) (*Signature, error) {
 	// 0x30
 	index := 0
 	if sigStr[index] != 0x30 {
-		return nil, errors.New("malformed signature: no header magic")
+		return nil, errNoHeaderMagic
 	}
 	index++
 	// length of remaining message
@@ -254,3 +256,20 @@ func RecoverCompact(signature, hash []byte) (*btcec.PublicKey, bool, error) {
 func Sign(key *btcec.PrivateKey, hash []byte) *Signature {
 	return secp_ecdsa.Sign(key, hash)
 }
+
+// VerifyLowS verifies that the given ECDSA signature is strictly DER-encoded
+// and uses a canonical low-S value. It returns nil if the signature is valid;
+// otherwise it returns the encountered error.
+func VerifyLowS(sigStr []byte) error {
+	sig, err := parseSig(sigStr, true)
+	if err != nil {
+		return err
+	}
+	sValue := sig.S()
+	if sValue.IsOverHalfOrder() {
+		// High-S, s > N/2.
+		return errHighS
+	}
+	// Low-S, s <= N/2.
+	return nil
+}
diff --git a/btcec/ecdsa/signature_test.go b/btcec/ecdsa/signature_test.go
@@ -15,6 +15,7 @@ import (
 	"testing"
 
 	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/stretchr/testify/require"
 )
 
 type signatureTest struct {
@@ -800,3 +801,32 @@ func TestPrivKeys(t *testing.T) {
 		}
 	}
 }
+
+func TestVerifyLowS(t *testing.T) {
+	signatureTests := []struct {
+		name    string
+		sig     []byte
+		wantErr error
+	}{
+		{
+			name:    "Low S value",
+			sig:     hexToBytes("3045022100af340daf02cc15c8d5d08d7735dfe6b98a474ed373bdb5fbecf7571be52b384202205009fb27f37034a9b24b707b7c6b79ca23ddef9e25f7282e8a797efe53a8f124"),
+			wantErr: nil,
+		},
+		{
+			name:    "High S value",
+			sig:     hexToBytes("304502200d309104bc47fecb3e23fadbabb26d3495ae1b48c1b14e8886b3f4f1c8ab122f02210085d04c97c30f69063b820a139cf17473d8e89ed587f7fa669e78175f798431fc"),
+			wantErr: errHighS,
+		},
+		{
+			name:    "Invalid signature format",
+			sig:     hexToBytes("404502200d309104bc47fecb3e23fadbabb26d3495ae1b48c1b14e8886b3f4f1c8ab122f02210085d04c97c30f69063b820a139cf17473d8e89ed587f7fa669e78175f798431fc"),
+			wantErr: errNoHeaderMagic,
+		},
+	}
+
+	for _, test := range signatureTests {
+		err := VerifyLowS(test.sig)
+		require.ErrorIs(t, err, test.wantErr)
+	}
+}
