'use strict';
var BN = require('./bn');
var _ = require('lodash');
var $ = require('../util/preconditions');
var BufferUtil = require('../util/buffer');
var Signature = function Signature(r, s) {
if (!(this instanceof Signature)) {
return new Signature(r, s);
}
if (r instanceof BN) {
this.set({
r: r,
s: s
});
} else if (r) {
var obj = r;
this.set(obj);
}
};
/* jshint maxcomplexity: 7 */
Signature.prototype.set = function(obj) {
this.r = obj.r || this.r || undefined;
this.s = obj.s || this.s || undefined;
this.i = typeof obj.i !== 'undefined' ? obj.i : this.i; //public key recovery parameter in range [0, 3]
this.compressed = typeof obj.compressed !== 'undefined' ?
obj.compressed : this.compressed; //whether the recovered pubkey is compressed
return this;
};
Signature.fromCompact = function(buf) {
var sig = new Signature();
//TODO: handle uncompressed pubkeys
var compressed = true;
var i = buf.slice(0, 1)[0] - 27 - 4;
var b2 = buf.slice(1, 33);
var b3 = buf.slice(33, 65);
$.checkArgument(i === 0 || i === 1 || i === 2 || i === 3, new Error('i must be 0, 1, 2, or 3'));
$.checkArgument(b2.length === 32, new Error('r must be 32 bytes'));
$.checkArgument(b3.length === 32, new Error('s must be 32 bytes'));
sig.compressed = compressed;
sig.i = i;
sig.r = BN.fromBuffer(b2);
sig.s = BN.fromBuffer(b3);
return sig;
};
Signature.fromDER = Signature.fromBuffer = function(buf, strict) {
var obj = Signature.parseDER(buf, strict);
var sig = new Signature();
sig.r = obj.r;
sig.s = obj.s;
return sig;
};
// The format used in a tx
Signature.fromTxFormat = function(buf) {
var nhashtype = buf.readUInt8(buf.length - 1);
var derbuf = buf.slice(0, buf.length - 1);
var sig = new Signature.fromDER(derbuf, false);
sig.nhashtype = nhashtype;
return sig;
};
Signature.fromString = function(str) {
var buf = new Buffer(str, 'hex');
return Signature.fromDER(buf);
};
/**
* In order to mimic the non-strict DER encoding of OpenSSL, set strict = false.
*/
Signature.parseDER = function(buf, strict) {
$.checkArgument(BufferUtil.isBuffer(buf), new Error('DER formatted signature should be a buffer'));
if (_.isUndefined(strict)) {
strict = true;
}
var header = buf[0];
$.checkArgument(header === 0x30, new Error('Header byte should be 0x30'));
var length = buf[1];
var buflength = buf.slice(2).length;
$.checkArgument(!strict || length === buflength, new Error('Length byte should length of what follows'));
length = length < buflength ? length : buflength;
var rheader = buf[2 + 0];
$.checkArgument(rheader === 0x02, new Error('Integer byte for r should be 0x02'));
var rlength = buf[2 + 1];
var rbuf = buf.slice(2 + 2, 2 + 2 + rlength);
var r = BN.fromBuffer(rbuf);
var rneg = buf[2 + 1 + 1] === 0x00 ? true : false;
$.checkArgument(rlength === rbuf.length, new Error('Length of r incorrect'));
var sheader = buf[2 + 2 + rlength + 0];
$.checkArgument(sheader === 0x02, new Error('Integer byte for s should be 0x02'));
var slength = buf[2 + 2 + rlength + 1];
var sbuf = buf.slice(2 + 2 + rlength + 2, 2 + 2 + rlength + 2 + slength);
var s = BN.fromBuffer(sbuf);
var sneg = buf[2 + 2 + rlength + 2 + 2] === 0x00 ? true : false;
$.checkArgument(slength === sbuf.length, new Error('Length of s incorrect'));
var sumlength = 2 + 2 + rlength + 2 + slength;
$.checkArgument(length === sumlength - 2, new Error('Length of signature incorrect'));
var obj = {
header: header,
length: length,
rheader: rheader,
rlength: rlength,
rneg: rneg,
rbuf: rbuf,
r: r,
sheader: sheader,
slength: slength,
sneg: sneg,
sbuf: sbuf,
s: s
};
return obj;
};
Signature.prototype.toCompact = function(i, compressed) {
i = typeof i === 'number' ? i : this.i;
compressed = typeof compressed === 'boolean' ? compressed : this.compressed;
if (!(i === 0 || i === 1 || i === 2 || i === 3)) {
throw new Error('i must be equal to 0, 1, 2, or 3');
}
var val = i + 27 + 4;
if (compressed === false)
val = val - 4;
var b1 = new Buffer([val]);
var b2 = this.r.toBuffer({
size: 32
});
var b3 = this.s.toBuffer({
size: 32
});
return Buffer.concat([b1, b2, b3]);
};
Signature.prototype.toBuffer = Signature.prototype.toDER = function() {
var rnbuf = this.r.toBuffer();
var snbuf = this.s.toBuffer();
var rneg = rnbuf[0] & 0x80 ? true : false;
var sneg = snbuf[0] & 0x80 ? true : false;
var rbuf = rneg ? Buffer.concat([new Buffer([0x00]), rnbuf]) : rnbuf;
var sbuf = sneg ? Buffer.concat([new Buffer([0x00]), snbuf]) : snbuf;
var rlength = rbuf.length;
var slength = sbuf.length;
var length = 2 + rlength + 2 + slength;
var rheader = 0x02;
var sheader = 0x02;
var header = 0x30;
var der = Buffer.concat([new Buffer([header, length, rheader, rlength]), rbuf, new Buffer([sheader, slength]), sbuf]);
return der;
};
Signature.prototype.toString = function() {
var buf = this.toDER();
return buf.toString('hex');
};
/**
* This function is translated from bitcoind's IsDERSignature and is used in
* the script interpreter. This "DER" format actually includes an extra byte,
* the nhashtype, at the end. It is really the tx format, not DER format.
*
* A canonical signature exists of: [30] [total len] [02] [len R] [R] [02] [len S] [S] [hashtype]
* Where R and S are not negative (their first byte has its highest bit not set), and not
* excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
* in which case a single 0 byte is necessary and even required).
*
* See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
*/
Signature.isTxDER = function(buf) {
if (buf.length < 9) {
// Non-canonical signature: too short
return false;
}
if (buf.length > 73) {
// Non-canonical signature: too long
return false;
}
if (buf[0] !== 0x30) {
// Non-canonical signature: wrong type
return false;
}
if (buf[1] !== buf.length - 3) {
// Non-canonical signature: wrong length marker
return false;
}
var nLenR = buf[3];
if (5 + nLenR >= buf.length) {
// Non-canonical signature: S length misplaced
return false;
}
var nLenS = buf[5 + nLenR];
if ((nLenR + nLenS + 7) !== buf.length) {
// Non-canonical signature: R+S length mismatch
return false;
}
var R = buf.slice(4);
if (buf[4 - 2] !== 0x02) {
// Non-canonical signature: R value type mismatch
return false;
}
if (nLenR === 0) {
// Non-canonical signature: R length is zero
return false;
}
if (R[0] & 0x80) {
// Non-canonical signature: R value negative
return false;
}
if (nLenR > 1 && (R[0] === 0x00) && !(R[1] & 0x80)) {
// Non-canonical signature: R value excessively padded
return false;
}
var S = buf.slice(6 + nLenR);
if (buf[6 + nLenR - 2] !== 0x02) {
// Non-canonical signature: S value type mismatch
return false;
}
if (nLenS === 0) {
// Non-canonical signature: S length is zero
return false;
}
if (S[0] & 0x80) {
// Non-canonical signature: S value negative
return false;
}
if (nLenS > 1 && (S[0] === 0x00) && !(S[1] & 0x80)) {
// Non-canonical signature: S value excessively padded
return false;
}
return true;
};
/**
* Compares to bitcoind's IsLowDERSignature
* See also ECDSA signature algorithm which enforces this.
* See also BIP 62, "low S values in signatures"
*/
Signature.prototype.hasLowS = function() {
if (this.s.lt(new BN(1)) ||
this.s.gt(new BN('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0'))) {
return false;
}
return true;
};
/**
* @returns true if the nhashtype is exactly equal to one of the standard options or combinations thereof.
* Translated from bitcoind's IsDefinedHashtypeSignature
*/
Signature.prototype.hasDefinedHashtype = function() {
if (this.nhashtype < Signature.SIGHASH_ALL || this.nhashtype > Signature.SIGHASH_SINGLE) {
return false;
}
return true;
};
Signature.prototype.toTxFormat = function() {
var derbuf = this.toDER();
var buf = new Buffer(1);
buf.writeUInt8(this.nhashtype, 0);
return Buffer.concat([derbuf, buf]);
};
Signature.SIGHASH_ALL = 0x01;
Signature.SIGHASH_NONE = 0x02;
Signature.SIGHASH_SINGLE = 0x03;
Signature.SIGHASH_ANYONECANPAY = 0x80;
module.exports = Signature;