From 506691955bd177996864c8ac2c40039b50c1f537 Mon Sep 17 00:00:00 2001
From: yacovm
Date: Thu, 23 Apr 2020 00:59:12 +0300
Subject: [PATCH] [FAB-17778] Force sanitized signatures be canonically built

This change set forces sanitized signatures to be built via ASN1 marshaling regardless of their S is in the low or high half of the curve order. More details in the JIRA.

Change-Id: Ife9c033d72fc0faa4cc808109dff71a7bf444c92
Signed-off-by: yacovm
---
 bccsp/pkcs11/ecdsa.go | 2 +-
 bccsp/sw/ecdsa.go | 2 +-
 bccsp/utils/ecdsa.go | 16 ++++++----------
 bccsp/utils/ecdsa_test.go | 3 +--
 cmd/common/signer/signer.go | 2 +-
 discovery/test/integration_test.go | 4 ++--
 6 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/bccsp/pkcs11/ecdsa.go b/bccsp/pkcs11/ecdsa.go
index 32ed4441d91..a7166725e26 100644
--- a/bccsp/pkcs11/ecdsa.go
+++ b/bccsp/pkcs11/ecdsa.go
@@ -20,7 +20,7 @@ func (csp *impl) signECDSA(k ecdsaPrivateKey, digest []byte, opts bccsp.SignerOp
 return nil, err
 }

- s, _, err = utils.ToLowS(k.pub.pub, s)
+ s, err = utils.ToLowS(k.pub.pub, s)
 if err != nil {
 return nil, err
 }
diff --git a/bccsp/sw/ecdsa.go b/bccsp/sw/ecdsa.go
index b88fd719d51..5d116f187a8 100644
--- a/bccsp/sw/ecdsa.go
+++ b/bccsp/sw/ecdsa.go
@@ -30,7 +30,7 @@ func signECDSA(k *ecdsa.PrivateKey, digest []byte, opts bccsp.SignerOpts) ([]byt
 return nil, err
 }

- s, _, err = utils.ToLowS(&k.PublicKey, s)
+ s, err = utils.ToLowS(&k.PublicKey, s)
 if err != nil {
 return nil, err
 }
diff --git a/bccsp/utils/ecdsa.go b/bccsp/utils/ecdsa.go
index 690dc8ed8b9..caf9cb21c2b 100644
--- a/bccsp/utils/ecdsa.go
+++ b/bccsp/utils/ecdsa.go
@@ -72,16 +72,12 @@ func SignatureToLowS(k *ecdsa.PublicKey, signature []byte) ([]byte, error) {
 return nil, err
 }

- s, modified, err := ToLowS(k, s)
+ s, err = ToLowS(k, s)
 if err != nil {
 return nil, err
 }

- if modified {
- return MarshalECDSASignature(r, s)
- }
-
- return signature, nil
+ return MarshalECDSASignature(r, s)
 }

 // IsLow checks that s is a low-S
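Review bot: `SignatureToLowS` in bccsp/utils/ecdsa.go now returns the output of `MarshalECDSASignature(r, s)` on every call, so the result can differ from the input even when S was already low, and the function's doc comment (above this hunk, not visible here) should state that. Something like `// The result is always re-encoded from the parsed (r, s), so it may differ byte-for-byte from the input even if S was already low.` would do. `UnmarshalECDSASignature` is also outside the hunk; if it tolerates trailing bytes or non-minimal integers, this path now drops them silently instead of rejecting them, and that choice deserves a sentence in the same comment.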
@@ -95,10 +91,10 @@ func IsLowS(k *ecdsa.PublicKey, s *big.Int) (bool, error) {

 }

-func ToLowS(k *ecdsa.PublicKey, s *big.Int) (*big.Int, bool, error) {
+func ToLowS(k *ecdsa.PublicKey, s *big.Int) (*big.Int, error) {
 lowS, err := IsLowS(k, s)
 if err != nil {
- return nil, false, err
+ return nil, err
 }

 if !lowS {
@@ -106,8 +102,8 @@ func ToLowS(k *ecdsa.PublicKey, s *big.Int) (*big.Int, bool, error) {
 // less or equal to half order
 s.Sub(k.Params().N, s)

- return s, true, nil
+ return s, nil
 }

- return s, false, nil
+ return s, nil
 }
diff --git a/bccsp/utils/ecdsa_test.go b/bccsp/utils/ecdsa_test.go
index 26cfbd7cc92..7f3b03484dd 100644
--- a/bccsp/utils/ecdsa_test.go
+++ b/bccsp/utils/ecdsa_test.go
@@ -80,9 +80,8 @@ func TestIsLowS(t *testing.T) {
 lowS, err = IsLowS(&lowLevelKey.PublicKey, s)
 assert.NoError(t, err)
 assert.False(t, lowS)
- s, modified, err := ToLowS(&lowLevelKey.PublicKey, s)
+ s, err = ToLowS(&lowLevelKey.PublicKey, s)
 assert.NoError(t, err)
- assert.True(t, modified)
 lowS, err = IsLowS(&lowLevelKey.PublicKey, s)
 assert.NoError(t, err)
 assert.True(t, lowS)
diff --git a/cmd/common/signer/signer.go b/cmd/common/signer/signer.go
index 1559863dac3..24fd3fe3a6f 100644
--- a/cmd/common/signer/signer.go
+++ b/cmd/common/signer/signer.go
@@ -107,7 +107,7 @@ func signECDSA(k *ecdsa.PrivateKey, digest []byte) (signature []byte, err error)
 return nil, err
 }

- s, _, err = utils.ToLowS(&k.PublicKey, s)
+ s, err = utils.ToLowS(&k.PublicKey, s)
 if err != nil {
 return nil, err
 }
diff --git a/discovery/test/integration_test.go b/discovery/test/integration_test.go
index bff876c26d4..02445670716 100644
--- a/discovery/test/integration_test.go
+++ b/discovery/test/integration_test.go
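Review bot: In `ToLowS` (bccsp/utils/ecdsa.go) both exits are now `return s, nil`, so the `return` inside the `if !lowS` block is redundant and can be dropped to leave a single exit. The function also still rewrites the caller's `*big.Int` in place through `s.Sub(k.Params().N, s)`, and with the `modified` result gone nothing signals to the caller that its argument changed. An exported helper on the signing path should say so in a doc comment, e.g. `// ToLowS returns s in low-S form; if s is above half the curve order it is replaced in place by N - s.` This covers both the `@@ -95` and the `@@ -106` hunk.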
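Review bot: The hunk in bccsp/utils/ecdsa_test.go only removes the `modified` assertion, and nothing visible here exercises the behaviour the commit introduces. A case that passes `SignatureToLowS` a signature whose S is already low but whose bytes are not what `MarshalECDSASignature` would produce, and asserts that the result equals `MarshalECDSASignature(r, s)`, would pin the new guarantee. `TestIsLowS` continues outside the hunk, so such a case may already exist elsewhere in the file.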
@@ -33,7 +33,7 @@ import (
 "github.com/hyperledger/fabric/common/tools/configtxgen/encoder"
 genesisconfig "github.com/hyperledger/fabric/common/tools/configtxgen/localconfig"
 "github.com/hyperledger/fabric/common/util"
- "github.com/hyperledger/fabric/core/cclifecycle"
+ cc "github.com/hyperledger/fabric/core/cclifecycle"
 lifecyclemocks "github.com/hyperledger/fabric/core/cclifecycle/mocks"
 "github.com/hyperledger/fabric/core/comm"
 "github.com/hyperledger/fabric/core/common/ccprovider"
@@ -939,7 +939,7 @@ func signECDSA(k *ecdsa.PrivateKey, digest []byte) (signature []byte, err error)
 return nil, err
 }

- s, _, err = bccsp.ToLowS(&k.PublicKey, s)
+ s, err = bccsp.ToLowS(&k.PublicKey, s)
 if err != nil {
 return nil, err
 }