Add some tests covering edge cases in the ECDSA r <=> x comparison

This upstreams some tests from BoringSSL, though I've taken another pass
at the generation script to cover all the curves in Wycheproof. (NB:
I've only run the test vectors against an implementation for BoringSSL's
curves. It is possible I've gotten the obscure curves wrong.)

ECDSA verification involves computing some point (x, y) and then
checking if x mod n = r. x is only reduced mod p, so this leads to some
edge cases right when x does and does not need a reduction. The existing
test vectors covered some of these, but add some missing ones, so we
catch both sides of the boundary condition.

Additionally, there is an optimized variant which leads to another
boundary condition. EC points are typically implemented with Jacobian
coordinates, (X:Y:Z) => (x, y) = (X/Z², Y/Z³). This avoids expensive
inversions in the point addition formulae. Only when extracting the
final affine coordinates do you invert a field element, to divide by Z.

Naively, ECDSA verification requires one such inversion. However, this
inversion can be avoided in ECDSA verification by observing that
comparing X/Z² to r is the same as comparing X to r*Z². However, this
works mod p instead of mod n and we must deal with this mismatch. In
most cases, n < p, where we must check two cases: r == x and r == x - n.

0 <= r < n < p and 0 <= x < p, so the first case is equivalent to
checking x = r (mod p), where we can apply our optimization.

The second is equivalent to x == r + n, which in turn is equivalent to
checking that r + n < p and then x == r + n (mod p), where we can also
apply our optimization.

This leads to some other edge cases where we don't check the second case
when we should, or when we check it when we shouldn't. The latter could
happen if we reduce oversized r + n mod p, or forget a carry bit. Add
some tests for these, getting as close to the boundary conditions as we
can. Tested by simulating some bugs in BoringSSL's implementation of
this optimization and ensuring Wycheproof noticed.

(A similar optimization works for the less common p < n curves, though
it's a bit simpler.)

Author: davidben

testvectors_v1/ecdsa_brainpoolP224r1_sha224_test.json

@@ -1,7 +1,7 @@
 {
   "algorithm": "ECDSA",
   "schema": "ecdsa_verify_schema_v1.json",
-  "numberOfTests": 443,
+  "numberOfTests": 451,
   "header": [
     "Test vectors of type EcdsaVerify are meant for the verification",
     "of ASN encoded ECDSA signatures."
@@ -6486,6 +6486,246 @@
           "result": "invalid"
         }
       ]
+    },
+    {
+      "type": "EcdsaVerify",
+      "source": {
+        "name": "github/davidben/ecdsa-r-s-edge-cases",
+        "version": "0.1"
+      },
+      "publicKey": {
+        "type": "EcPublicKey",
+        "curve": "brainpoolP224r1",
+        "keySize": 224,
+        "uncompressed": "048dad1f3183a05e6027303de8da57d45177d2e2b290a9ac255137245605b078cf0cca41bf2acc824200b885cf9c9afb0f45e31dc4c49192b6",
+        "wx": "8dad1f3183a05e6027303de8da57d45177d2e2b290a9ac2551372456",
+        "wy": "05b078cf0cca41bf2acc824200b885cf9c9afb0f45e31dc4c49192b6"
+      },
+      "publicKeyDer": "3052301406072a8648ce3d020106092b2403030208010105033a00048dad1f3183a05e6027303de8da57d45177d2e2b290a9ac255137245605b078cf0cca41bf2acc824200b885cf9c9afb0f45e31dc4c49192b6",
+      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFIwFAYHKoZIzj0CAQYJKyQDAwIIAQEFAzoABI2tHzGDoF5gJzA96NpX1FF30uKy\nkKmsJVE3JFYFsHjPDMpBvyrMgkIAuIXPnJr7D0XjHcTEkZK2\n-----END PUBLIC KEY-----\n",
+      "sha": "SHA-224",
+      "tests": [
+        {
+          "tcId": 444,
+          "comment": "r = 1, x = 1 is valid",
+          "flags": [
+            "ValidSignature"
+          ],
+          "msg": "68656c6c6f2c20776f726c64",
+          "sig": "3022020101021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939c",
+          "result": "valid"
+        }
+      ]
+    },
+    {
+      "type": "EcdsaVerify",
+      "source": {
+        "name": "github/davidben/ecdsa-r-s-edge-cases",
+        "version": "0.1"
+      },
+      "publicKey": {
+        "type": "EcPublicKey",
+        "curve": "brainpoolP224r1",
+        "keySize": 224,
+        "uncompressed": "040fb57733ac1ce9d808b78dd3a11e1da365b3fc73dcdcaa47856d482b47b95bed058d46af5bd31750be16c0f8a44819b6b66f99356f9b3420",
+        "wx": "0fb57733ac1ce9d808b78dd3a11e1da365b3fc73dcdcaa47856d482b",
+        "wy": "47b95bed058d46af5bd31750be16c0f8a44819b6b66f99356f9b3420"
+      },
+      "publicKeyDer": "3052301406072a8648ce3d020106092b2403030208010105033a00040fb57733ac1ce9d808b78dd3a11e1da365b3fc73dcdcaa47856d482b47b95bed058d46af5bd31750be16c0f8a44819b6b66f99356f9b3420",
+      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFIwFAYHKoZIzj0CAQYJKyQDAwIIAQEFAzoABA+1dzOsHOnYCLeN06EeHaNls/xz\n3NyqR4VtSCtHuVvtBY1Gr1vTF1C+FsD4pEgZtrZvmTVvmzQg\n-----END PUBLIC KEY-----\n",
+      "sha": "SHA-224",
+      "tests": [
+        {
+          "tcId": 445,
+          "comment": "r = 2, x = 1 is invalid",
+          "flags": [
+            "ArithmeticError"
+          ],
+          "msg": "68656c6c6f2c20776f726c64",
+          "sig": "3022020102021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939c",
+          "result": "invalid"
+        }
+      ]
+    },
+    {
+      "type": "EcdsaVerify",
+      "source": {
+        "name": "github/davidben/ecdsa-r-s-edge-cases",
+        "version": "0.1"
+      },
+      "publicKey": {
+        "type": "EcPublicKey",
+        "curve": "brainpoolP224r1",
+        "keySize": 224,
+        "uncompressed": "048dad1f3183a05e6027303de8da57d45177d2e2b290a9ac255137245605b078cf0cca41bf2acc824200b885cf9c9afb0f45e31dc4c49192b6",
+        "wx": "8dad1f3183a05e6027303de8da57d45177d2e2b290a9ac2551372456",
+        "wy": "05b078cf0cca41bf2acc824200b885cf9c9afb0f45e31dc4c49192b6"
+      },
+      "publicKeyDer": "3052301406072a8648ce3d020106092b2403030208010105033a00048dad1f3183a05e6027303de8da57d45177d2e2b290a9ac255137245605b078cf0cca41bf2acc824200b885cf9c9afb0f45e31dc4c49192b6",
+      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFIwFAYHKoZIzj0CAQYJKyQDAwIIAQEFAzoABI2tHzGDoF5gJzA96NpX1FF30uKy\nkKmsJVE3JFYFsHjPDMpBvyrMgkIAuIXPnJr7D0XjHcTEkZK2\n-----END PUBLIC KEY-----\n",
+      "sha": "SHA-224",
+      "tests": [
+        {
+          "tcId": 446,
+          "comment": "r = 1 + n, x = 1 is invalid; r was not reduced mod n",
+          "flags": [
+            "ArithmeticError"
+          ],
+          "msg": "68656c6c6f2c20776f726c64",
+          "sig": "303e021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a793a0021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939c",
+          "result": "invalid"
+        }
+      ]
+    },
+    {
+      "type": "EcdsaVerify",
+      "source": {
+        "name": "github/davidben/ecdsa-r-s-edge-cases",
+        "version": "0.1"
+      },
+      "publicKey": {
+        "type": "EcPublicKey",
+        "curve": "brainpoolP224r1",
+        "keySize": 224,
+        "uncompressed": "0440f5a0e304c2b81540a850fcccda86ed7e2bf6020939baf335323b009a573e6852a67c44d7b2063f1be310f9aebe04b797f9021ed4762a2b",
+        "wx": "40f5a0e304c2b81540a850fcccda86ed7e2bf6020939baf335323b00",
+        "wy": "9a573e6852a67c44d7b2063f1be310f9aebe04b797f9021ed4762a2b"
+      },
+      "publicKeyDer": "3052301406072a8648ce3d020106092b2403030208010105033a000440f5a0e304c2b81540a850fcccda86ed7e2bf6020939baf335323b009a573e6852a67c44d7b2063f1be310f9aebe04b797f9021ed4762a2b",
+      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFIwFAYHKoZIzj0CAQYJKyQDAwIIAQEFAzoABED1oOMEwrgVQKhQ/Mzahu1+K/YC\nCTm68zUyOwCaVz5oUqZ8RNeyBj8b4xD5rr4Et5f5Ah7Udior\n-----END PUBLIC KEY-----\n",
+      "sha": "SHA-224",
+      "tests": [
+        {
+          "tcId": 447,
+          "comment": "r = n - 2, x = n - 1 is invalid",
+          "flags": [
+            "ArithmeticError"
+          ],
+          "msg": "68656c6c6f2c20776f726c64",
+          "sig": "303e021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939d021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939c",
+          "result": "invalid"
+        }
+      ]
+    },
+    {
+      "type": "EcdsaVerify",
+      "source": {
+        "name": "github/davidben/ecdsa-r-s-edge-cases",
+        "version": "0.1"
+      },
+      "publicKey": {
+        "type": "EcPublicKey",
+        "curve": "brainpoolP224r1",
+        "keySize": 224,
+        "uncompressed": "04c4a178ffc1460ff3aa326b45c11ac2b91c512ae644d2172be9d7b1f74ecc0e657061a0fcc086db6e7af56d3622215b2b4fa0d6fbab8ee1e7",
+        "wx": "c4a178ffc1460ff3aa326b45c11ac2b91c512ae644d2172be9d7b1f7",
+        "wy": "4ecc0e657061a0fcc086db6e7af56d3622215b2b4fa0d6fbab8ee1e7"
+      },
+      "publicKeyDer": "3052301406072a8648ce3d020106092b2403030208010105033a0004c4a178ffc1460ff3aa326b45c11ac2b91c512ae644d2172be9d7b1f74ecc0e657061a0fcc086db6e7af56d3622215b2b4fa0d6fbab8ee1e7",
+      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFIwFAYHKoZIzj0CAQYJKyQDAwIIAQEFAzoABMSheP/BRg/zqjJrRcEawrkcUSrm\nRNIXK+nXsfdOzA5lcGGg/MCG22569W02IiFbK0+g1vurjuHn\n-----END PUBLIC KEY-----\n",
+      "sha": "SHA-224",
+      "tests": [
+        {
+          "tcId": 448,
+          "comment": "r = 1, x = n + 1 is the smallest possible x with a reduction",
+          "flags": [
+            "ValidSignature"
+          ],
+          "msg": "68656c6c6f2c20776f726c64",
+          "sig": "3022020101021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939c",
+          "result": "valid"
+        }
+      ]
+    },
+    {
+      "type": "EcdsaVerify",
+      "source": {
+        "name": "github/davidben/ecdsa-r-s-edge-cases",
+        "version": "0.1"
+      },
+      "publicKey": {
+        "type": "EcPublicKey",
+        "curve": "brainpoolP224r1",
+        "keySize": 224,
+        "uncompressed": "04345194ec8030ebc38c6b809bcf932a06032d0f810fe2cdabf463638d598beb6e07edba254054cefb2e87ce723872aea5837fc249d6e031e4",
+        "wx": "345194ec8030ebc38c6b809bcf932a06032d0f810fe2cdabf463638d",
+        "wy": "598beb6e07edba254054cefb2e87ce723872aea5837fc249d6e031e4"
+      },
+      "publicKeyDer": "3052301406072a8648ce3d020106092b2403030208010105033a0004345194ec8030ebc38c6b809bcf932a06032d0f810fe2cdabf463638d598beb6e07edba254054cefb2e87ce723872aea5837fc249d6e031e4",
+      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFIwFAYHKoZIzj0CAQYJKyQDAwIIAQEFAzoABDRRlOyAMOvDjGuAm8+TKgYDLQ+B\nD+LNq/RjY41Zi+tuB+26JUBUzvsuh85yOHKupYN/wknW4DHk\n-----END PUBLIC KEY-----\n",
+      "sha": "SHA-224",
+      "tests": [
+        {
+          "tcId": 449,
+          "comment": "r = 2, x = n + 1 is invalid",
+          "flags": [
+            "ArithmeticError"
+          ],
+          "msg": "68656c6c6f2c20776f726c64",
+          "sig": "3022020102021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939c",
+          "result": "invalid"
+        }
+      ]
+    },
+    {
+      "type": "EcdsaVerify",
+      "source": {
+        "name": "github/davidben/ecdsa-r-s-edge-cases",
+        "version": "0.1"
+      },
+      "publicKey": {
+        "type": "EcPublicKey",
+        "curve": "brainpoolP224r1",
+        "keySize": 224,
+        "uncompressed": "0454d30d85d7fd91cb119f5da7d22e4b7ed486875d25bcbf0a7a9ab1cdbc448f9349e50319560a06edb46e26fdf9b9709169a4eb487c82f854",
+        "wx": "54d30d85d7fd91cb119f5da7d22e4b7ed486875d25bcbf0a7a9ab1cd",
+        "wy": "bc448f9349e50319560a06edb46e26fdf9b9709169a4eb487c82f854"
+      },
+      "publicKeyDer": "3052301406072a8648ce3d020106092b2403030208010105033a000454d30d85d7fd91cb119f5da7d22e4b7ed486875d25bcbf0a7a9ab1cdbc448f9349e50319560a06edb46e26fdf9b9709169a4eb487c82f854",
+      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFIwFAYHKoZIzj0CAQYJKyQDAwIIAQEFAzoABFTTDYXX/ZHLEZ9dp9IuS37Uhodd\nJby/Cnqasc28RI+TSeUDGVYKBu20bib9+blwkWmk60h8gvhU\n-----END PUBLIC KEY-----\n",
+      "sha": "SHA-224",
+      "tests": [
+        {
+          "tcId": 450,
+          "comment": "r = p - n + 1, x = 1 is invalid; r is too large to compare r + n with x",
+          "flags": [
+            "ArithmeticError"
+          ],
+          "msg": "68656c6c6f2c20776f726c64",
+          "sig": "3030020f00dbeedf884b0c29fbcd51d9212d61021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939c",
+          "result": "invalid"
+        }
+      ]
+    },
+    {
+      "type": "EcdsaVerify",
+      "source": {
+        "name": "github/davidben/ecdsa-r-s-edge-cases",
+        "version": "0.1"
+      },
+      "publicKey": {
+        "type": "EcPublicKey",
+        "curve": "brainpoolP224r1",
+        "keySize": 224,
+        "uncompressed": "04caf06cc0a63a8fa52cbc4e7ef9eb8758f8605221ba4fe29ae74ca1f1c1ac20a1f0224206cb5c48a75d0cd8ef94b38006c082bc000d26d7ff",
+        "wx": "caf06cc0a63a8fa52cbc4e7ef9eb8758f8605221ba4fe29ae74ca1f1",
+        "wy": "c1ac20a1f0224206cb5c48a75d0cd8ef94b38006c082bc000d26d7ff"
+      },
+      "publicKeyDer": "3052301406072a8648ce3d020106092b2403030208010105033a0004caf06cc0a63a8fa52cbc4e7ef9eb8758f8605221ba4fe29ae74ca1f1c1ac20a1f0224206cb5c48a75d0cd8ef94b38006c082bc000d26d7ff",
+      "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFIwFAYHKoZIzj0CAQYJKyQDAwIIAQEFAzoABMrwbMCmOo+lLLxOfvnrh1j4YFIh\nuk/imudMofHBrCCh8CJCBstcSKddDNjvlLOABsCCvAANJtf/\n-----END PUBLIC KEY-----\n",
+      "sha": "SHA-224",
+      "tests": [
+        {
+          "tcId": 451,
+          "comment": "r = 2^224 - n + 1, x = 1 is invalid; r + n is too large to compare r + n with x, and overflows 2^224 bits",
+          "flags": [
+            "ArithmeticError"
+          ],
+          "msg": "68656c6c6f2c20776f726c64",
+          "sig": "303d021c283ecb55d9bc9979d5e7cfda8a2f04672ee943b49221435c5a586c62021d00d7c134aa264366862a18302575d0fb98d116bc4b6ddebca3a5a7939c",
+          "result": "invalid"
+        }
+      ]
     }
   ]
 }