net.http.signature: pad ECDSA private scalar to curve width when parsing PEM

Author: davlgd

vlib/net/http/signature/key.v

@@ -261,17 +261,21 @@ fn ecdsa_key_from_xy_d(xy []u8, d []u8, is_priv bool) !Key {
 	coord := (xy.len - 1) / 2
 	x := xy[1..1 + coord]
 	y := xy[1 + coord..1 + coord * 2]
+	// `ecdsa.PrivateKey.bytes()` returns the scalar in minimal-length form
+	// (no leading zeros), so we pad it to the curve byte size; the wire
+	// layout that `ecdsa_sign` expects is fixed-width.
+	priv_d := if is_priv { pad_left(d, coord)! } else { d }
 	return match coord {
 		32 {
 			if is_priv {
-				Key.ecdsa_p256_private(x, y, d)
+				Key.ecdsa_p256_private(x, y, priv_d)
 			} else {
 				Key.ecdsa_p256_public(x, y)
 			}
 		}
 		48 {
 			if is_priv {
-				Key.ecdsa_p384_private(x, y, d)
+				Key.ecdsa_p384_private(x, y, priv_d)
 			} else {
 				Key.ecdsa_p384_public(x, y)
 			}
@@ -283,3 +287,19 @@ fn ecdsa_key_from_xy_d(xy []u8, d []u8, is_priv bool) !Key {
 		}
 	}
 }
+
+fn pad_left(b []u8, width int) ![]u8 {
+	if b.len == width {
+		return b
+	}
+	if b.len > width {
+		return MalformedMessage{
+			reason: 'ECDSA scalar wider (${b.len}) than curve coordinate size (${width})'
+		}
+	}
+	mut out := []u8{len: width}
+	for i, v in b {
+		out[width - b.len + i] = v
+	}
+	return out
+}

vlib/net/http/signature/key_test.v

@@ -23,6 +23,15 @@ AwEHoUQDQgAEqIVYZVLCrPZHGHjP17CTW0/+D9Lfw0EkjqF7xB4FivAxzic30tMM
 4GF+hR6Dxh71Z50VGGdldkkDXZCnTNnoXQ==
 -----END EC PRIVATE KEY-----'
 
+// P-256 key whose private scalar starts with 0x00, so OpenSSL's
+// `BN_bn2binpad(num_bytes)` returns 31 bytes instead of 32. This
+// exercises the leading-zero padding in `ecdsa_key_from_xy_d`.
+const short_d_p256_private_pem = '-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIACZmEw0q8iipb0amaNiobX/wwn6PoIKUatErMY2Dd4+oAoGCCqGSM49
+AwEHoUQDQgAE/z/OBheMT6mCKDapfETr56tkYLOrnQh+ZL293+IqXsJ+iMZgYe0/
+WHaZhZfCu1OKUWayaVEkvb7j0o3uUfw+OQ==
+-----END EC PRIVATE KEY-----'
+
 fn key_test_b26_components() Components {
 	return Components{
 		method:    'POST'
@@ -103,6 +112,35 @@ fn test_from_pem_ecdsa_p256_public_verifies_rfc_b24_reference() {
 		'sig-b24', pub_key)!
 }
 
+fn test_from_pem_ecdsa_p256_pads_short_private_scalar() {
+	// Regression: a P-256 PEM whose `d` has a leading zero byte must
+	// still produce a 96-byte (x||y||d) key and sign successfully.
+	priv := Key.from_pem(short_d_p256_private_pem)!
+	assert priv.algorithm == .ecdsa_p256_sha256
+	assert priv.is_private
+	assert priv.bytes.len == 96
+	c := Components{
+		method:     'POST'
+		target_uri: 'https://example.com/'
+	}
+	p := SignatureParams{
+		components: ['@method', '@target-uri']
+		created:    1
+	}
+	out := sign(c, p, priv, 'sig1')!
+	verify(c, out.signature_input, out.signature, 'sig1', priv)!
+}
+
+fn test_pad_left_pads_to_width_and_rejects_overflow() {
+	assert pad_left([u8(0x01)], 4)! == [u8(0x00), 0x00, 0x00, 0x01]
+	assert pad_left([u8(0x01), 0x02, 0x03, 0x04], 4)! == [u8(0x01), 0x02, 0x03, 0x04]
+	if _ := pad_left([u8(0x01), 0x02, 0x03, 0x04, 0x05], 4) {
+		assert false, 'must reject scalars wider than the curve'
+	} else {
+		assert err is MalformedMessage
+	}
+}
+
 fn test_from_pem_rejects_garbage() {
 	if _ := Key.from_pem('not a PEM block') {
 		assert false, 'must reject non-PEM input'