libgcrypt P256 signature malleability via weak DER enforcement
Jake Ginesin
jakeginesin at gmail.com
Fri Jan 16 08:25:37 CET 2026
> And I don't expect that everything is correct now. As long as we
> don't have a clear security issue here, we should not add extra
> constraints on DER or even BER parsing.
I went ahead and produced a proof-of-concept exploit for some important
downstream software using the acceptance of non-canonical DER ECDSA
encodings. Now, I believe this conversation should be transitioned to
security at gnupg.org. I will follow up there with specifics in the coming
days.
Thanks,
Jake
https://jakegines.in
On Thu, Jan 15, 2026 at 9:27 AM Werner Koch <wk at gnupg.org> wrote:
> On Wed, 14 Jan 2026 17:30, Jake Ginesin said:
>
> > understanding that non-malleability in DER parsing is important for X.509
> > certificate validation [1,2] and preventing transaction malleability [3].
>
> The first paper is on formal verification of parsers and I don't see a
> practical application here. In particular because ASN.1 has in the
> real world never been used as it was designed for. It is used for data
> format description and that does work okayish. The encoding was anyway
> an afterthought and there are limitations when using DER as an encoding:
> For example you can only use definite lengths for signed data which in
> turn forbids the use of standard tools based on stream processing.
>
> > Also, I went ahead and publicized my proof-of-concept for the first point
> > in this thread's initial email. [4]
>
> Which is the reason that DER encoded signatures are not used in this
> simplified way.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
>
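The check the thread is arguing about, as an added example (Python, not libgcrypt's own code): a strict parser for a DER-encoded ECDSA signature that accepts exactly one byte string per (r, s) pair and rejects the re-encodings a lenient parser would also verify. The sample signature bytes are constructed, with tiny r and s values for readability.

```python
# Added example, not libgcrypt code: strict DER parsing of an ECDSA signature,
# SEQUENCE { INTEGER r, INTEGER s }, rejecting non-canonical encodings.
def _read_len(buf, pos):
    # DER: short form below 0x80, otherwise the fewest bytes holding the length.
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    raw = buf[pos + 1:pos + 1 + n]
    if n == 0 or n > 4 or len(raw) != n:
        raise ValueError("indefinite, oversized or truncated length")
    length = int.from_bytes(raw, "big")
    if raw[0] == 0 or length < 0x80:
        raise ValueError("length not in shortest form")
    return length, pos + 1 + n

def _read_int(buf, pos):
    # Positive INTEGER in minimal two's-complement form (no redundant 0x00).
    if pos + 1 >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("empty or truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER (r and s are positive)")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("redundant leading zero byte")
    return int.from_bytes(body, "big"), pos + length

def parse_strict_ecdsa_sig(sig):
    # Returns (r, s) for a canonical encoding; raises ValueError otherwise.
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    length, pos = _read_len(sig, 1)
    if pos + length != len(sig):
        raise ValueError("SEQUENCE length does not match signature length")
    r, pos = _read_int(sig, pos)
    s, pos = _read_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes inside SEQUENCE")
    return r, s

# Constructed sample: canonical r=1, s=2, and three re-encodings of the same pair.
CANONICAL = bytes.fromhex("3006020101020102")
NONCANONICAL = [bytes.fromhex("300702020001020102"),  # redundant 0x00 in r
                bytes.fromhex("308106020101020102"),  # long-form SEQUENCE length
                bytes.fromhex("300602010102010200")]  # trailing byte
```

A lenient decoder would return (1, 2) for all four byte strings; the strict parser accepts only CANONICAL, so re-encoding cannot produce a second signature that verifies.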