From dc41075594cfdef63e8a64340b4fc5651a56a604 Mon Sep 17 00:00:00 2001
From: Dave Collins
Date: Thu, 21 Sep 2023 00:54:44 -0500
Subject: [PATCH] secp256k1/ecdsa: Add test for order wraparound. Since it is impossible to calculate the necessary values without breaking the ECDLP, this adds an invented signature to exercise the branch of the RecoverCompact function that involves the case when the original X coordinate of the random point is greater than the group order and therefore has the overflow bit set. The result is raising the test coverage from 99.2% to 99.6%.
---
 dcrec/secp256k1/ecdsa/signature_test.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/dcrec/secp256k1/ecdsa/signature_test.go b/dcrec/secp256k1/ecdsa/signature_test.go
index 6011aebfaf..c5aa93096a 100644
--- a/dcrec/secp256k1/ecdsa/signature_test.go
+++ b/dcrec/secp256k1/ecdsa/signature_test.go
@@ -962,6 +962,17 @@ func TestRecoverCompactErrors(t *testing.T) {
 "44b9bc4620afa158b7efdfea5234ff2d5f2f78b42886f02cf581827ee55318ea",
 hash: "c301ba9de5d6053caad9f5eb46523f007702add2c62fa39de03146a36b8026b7",
 err: ErrSigOverflowsPrime,
+ }, {
+ // Signature invented since finding a private key needed to create a
+ // valid signature with an r value that is > group order prior to the
+ // modular reduction is not possible without breaking the underlying
+ // crypto.
+ name: "R > group order with overflow bit",
+ sig: "21" +
+ "000000000000000000000000000000014551231950b75fc4402da1722fc9baed" +
+ "44b9bc4620afa158b7efdfea5234ff2d5f2f78b42886f02cf581827ee55318ea",
+ hash: "c301ba9de5d6053caad9f5eb46523f007702add2c62fa39de03146a36b8026b7",
+ err: ErrPointNotOnCurve,
 }, {
 // Signature created from private key 0x01, blake256(0x0102030407) over
 // the secp256r1 curve (note the r1 instead of k1).
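Review bot: The comment on the new "R > group order with overflow bit" case says the signature is invented, but not how `r` was chosen or why the expected error is `ErrPointNotOnCurve` rather than the `ErrSigOverflowsPrime` of the case just above it, which shares the same `s` and hash. From the secp256k1 constants this `r` works out to P - N - 1, so `r + N` is P - 1, which looks like the largest value that still passes the field-prime bound before failing decompression. Stating that in the comment, e.g. `// r = P - N - 1, so r + N = P - 1 passes the field prime check but is not a valid x coordinate.`, lets a reader re-derive the vector and protects the boundary intent if the constant is ever edited. The case only covers a rejection after the overflow addition; whether an accepting vector with the overflow bit set exists elsewhere in the file cannot be told from this hunk. TestRecoverCompactErrors starts and ends outside the hunk.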