As described in this reply to What’s the most measurement of a DER encoded ECDSA signature? the DER encoded signature for a given ECDSA signature (r, s) has format:
0x30 = 1 byte constructed sequence sort
L = 1 byte size of the next bytes (excluding SIGHASH byte)
0x02 = 1 byte primitive integer sort
LR = 1 byte size of integer r
R = integer r in huge endian
0x02 = 1 byte primitive integer sort
LS = 1 byte size of integer s
S = integer s in huge endian
SIGHASH = 1 byte
the place r is prepended with a byte 0x00 within the case the place it has a highest little bit of 1, and likewise with s.
Nevertheless how is the case the place r has a byte size lower than 32 dealt with?
Suppose for instance we had :
r = 0x83e1ed5c6298a2dfb3e98f2d8963575487c888ac02483045022100ec6ab2
which is 30 bytes.
Will we
(1) prepend this with 0x00 due to the best bit (ie. bit 239) being 1, so we put :
0x0083e1ed5c6298a2dfb3e98f2d8963575487c888ac02483045022100ec6ab2
within the R area above, or :
(2) write it in full 32 byte format :
0x000083e1ed5c6298a2dfb3e98f2d8963575487c888ac02483045022100ec6ab2
and subsequently don’t prepend it with 0x00 as a result of the best bit (ie. bit 255) is zero, so we put :
0x000083e1ed5c6298a2dfb3e98f2d8963575487c888ac02483045022100ec6ab2
within the R area above?
Can anybody level to any instance blockchain transactions illustrating how these shorter r, s values are dealt with?
Is there any chance of malleability right here, ie. each choices (1) and (2) are accepted by Bitcoin Core, assuming (r, s) is a sound signature?
Or are main zero bytes at all times stripped away from r and s earlier than contemplating whether or not their highest bit is 1 (noting zero just isn’t a permissible worth for r or s)?