libgcrypt P256 signature malleability via weak DER enforcement
Werner Koch
wk at gnupg.org
Thu Jan 15 15:30:44 CET 2026
On Wed, 14 Jan 2026 17:30, Jake Ginesin said:
> understanding that non-malleability in DER parsing is important for X.509
> certificate validation [1,2] and preventing transaction malleability [3].
The first paper is on formal verification of parsers and I don't see a
practical application here. In particular because ASN.1 has in the
real world never been used as it was designed for. It is used for data
format description and that does work okayish. The encoding was anyway
an afterthought and there are limitations when using DER as an encoding:
For example you can only use definite lengths for signed data which in
turn forbids the use of standard tools based on stream processing.
> Also, I went ahead and publicized my proof-of-concept for the first point
> in this thread's initial email. [4]
Which is the reason that DER encoded signatures are not used in this
simplified way.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
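The thread turns on what "non-malleability in DER parsing" means for an ECDSA signature, which is encoded as SEQUENCE { INTEGER r, INTEGER s }. The following is an added example written for this page, not libgcrypt or GnuPG code: a strict DER decoder for that structure that accepts exactly one byte encoding per (r, s) pair and rejects the usual alternative encodings (indefinite length, non-minimal length, superfluous leading zero bytes, trailing data). The curve order constant is the P-256 group order; the optional low-s check is the separate algebraic malleability (s versus n - s) and is not a DER property.

```python
"""Strict DER decoding of an ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }.

Added example for illustration; not code from libgcrypt or GnuPG.
A validator that accepts only canonical DER guarantees that a given
(r, s) pair has exactly one byte representation, so a third party
cannot produce a second, differently encoded but still valid signature.
"""

# Group order of NIST P-256 (secp256r1), used for the range check on r and s.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it).

    DER forbids the indefinite form (0x80) and requires the minimal form:
    short form for values below 128, otherwise the fewest long-form bytes
    with no leading zero byte.
    """
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("length field too large or truncated")
    raw = buf[pos:pos + nbytes]
    if raw[0] == 0x00:
        raise ValueError("non-minimal long-form length (leading zero byte)")
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise ValueError("non-minimal length (long form used for a short value)")
    return length, pos + nbytes


def _read_integer(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a non-negative DER INTEGER at buf[pos]; return (value, new position)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _read_length(buf, pos + 1)
    if length == 0 or pos + length > len(buf):
        raise ValueError("empty or truncated INTEGER")
    body = buf[pos:pos + length]
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid r or s")
    # A leading 0x00 is permitted only when needed to keep the sign bit clear.
    if len(body) > 1 and body[0] == 0x00 and not (body[1] & 0x80):
        raise ValueError("non-minimal INTEGER (superfluous leading zero)")
    return int.from_bytes(body, "big"), pos + length


def parse_ecdsa_der_signature(sig: bytes, order: int = P256_ORDER,
                              low_s: bool = False) -> tuple[int, int]:
    """Return (r, s) for a canonical DER signature; raise ValueError otherwise."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    length, pos = _read_length(sig, 1)
    if pos + length != len(sig):
        raise ValueError("SEQUENCE length does not match input (trailing or missing bytes)")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != len(sig):
        raise ValueError("unexpected extra element in SEQUENCE")
    if not (0 < r < order and 0 < s < order):
        raise ValueError("r or s out of range for the curve order")
    if low_s and s > order // 2:
        raise ValueError("high-s signature rejected (algebraic malleability)")
    return r, s


def accepts(sig: bytes, order: int = P256_ORDER, low_s: bool = False) -> bool:
    """Convenience predicate: True only if sig is canonical DER and in range."""
    try:
        parse_ecdsa_der_signature(sig, order, low_s)
        return True
    except ValueError:
        return False


def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _encode_integer(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # keep the value non-negative
        body = b"\x00" + body
    return b"\x02" + _encode_length(len(body)) + body


def encode_ecdsa_der_signature(r: int, s: int) -> bytes:
    """Produce the single canonical DER encoding of (r, s)."""
    body = _encode_integer(r) + _encode_integer(s)
    return b"\x30" + _encode_length(len(body)) + body


if __name__ == "__main__":
    # Constructed sample: canonical encoding of (r=1, s=2) and four re-encodings
    # of the same pair that a lenient parser would also accept.
    canonical = encode_ecdsa_der_signature(1, 2)          # 30 06 02 01 01 02 01 02
    variants = {
        "leading zero in r":  bytes.fromhex("300702020001020102"),
        "long-form length":   bytes.fromhex("308106020101020102"),
        "indefinite length":  bytes.fromhex("30800201010201020000"),
        "trailing byte":      bytes.fromhex("300602010102010200"),
    }
    print("canonical accepted:", accepts(canonical))
    for name, v in variants.items():
        print(f"{name:20s} accepted: {accepts(v)}")
```

Each of the four variants decodes to the same (1, 2) under a parser that merely reads tag, length and value; the strict decoder above rejects all of them, which is what removes the encoding-level degree of freedom the quoted message refers to.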