/**
   * Returns true if the given signature is has canonical encoding, and will thus be accepted as
   * standard by the reference client. DER and the SIGHASH encoding allow for quite some flexibility
   * in how the same structures are encoded, and this can open up novel attacks in which a man in
   * the middle takes a transaction and then changes its signature such that the transaction hash is
   * different but it's still valid. This can confuse wallets and generally violates people's mental
   * model of how Bitcoin should work, thus, non-canonical signatures are now not relayed by
   * default.
   */
  public static boolean isEncodingCanonical(byte[] signature) {
    // See reference client's IsCanonicalSignature,
    // https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
    // A canonical signature exists of: <30> <total len> <02> <len R> <R> <02> <len S> <S>
    // <hashtype>
    // Where R and S are not negative (their first byte has its highest bit not set), and not
    // excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
    // in which case a single 0 byte is necessary and even required).
    if (signature.length < 9 || signature.length > 73) return false;

    int hashType =
        signature[signature.length - 1] & ((int) (~Transaction.SIGHASH_ANYONECANPAY_VALUE));
    if (hashType < (Transaction.SigHash.ALL.ordinal() + 1)
        || hashType > (Transaction.SigHash.SINGLE.ordinal() + 1)) return false;

    //                   "wrong type"                  "wrong length marker"
    if ((signature[0] & 0xff) != 0x30 || (signature[1] & 0xff) != signature.length - 3)
      return false;

    int lenR = signature[3] & 0xff;
    if (5 + lenR >= signature.length || lenR == 0) return false;
    int lenS = signature[5 + lenR] & 0xff;
    if (lenR + lenS + 7 != signature.length || lenS == 0) return false;

    //    R value type mismatch          R value negative
    if (signature[4 - 2] != 0x02 || (signature[4] & 0x80) == 0x80) return false;
    if (lenR > 1 && signature[4] == 0x00 && (signature[4 + 1] & 0x80) != 0x80)
      return false; // R value excessively padded

    //       S value type mismatch                    S value negative
    if (signature[6 + lenR - 2] != 0x02 || (signature[6 + lenR] & 0x80) == 0x80) return false;
    if (lenS > 1 && signature[6 + lenR] == 0x00 && (signature[6 + lenR + 1] & 0x80) != 0x80)
      return false; // S value excessively padded

    return true;
  }
 /** Constructs a signature with the given components and SIGHASH_ALL. */
 public TransactionSignature(BigInteger r, BigInteger s) {
   this(r, s, Transaction.SigHash.ALL.ordinal() + 1);
 }