lukechilds
/
bitcoinjs-lib
mirror of https://github.com/lukechilds/bitcoinjs-lib.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

ecdsa: fix indentation

hk-custom-address
Daniel Cousens 11 years ago
parent
d05d661aea
commit
087ca551f5
1 changed files with 218 additions and 218 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 436
      src/ecdsa.js

436
src/ecdsa.js
View File

@ -4,269 +4,269 @@ var crypto = require('./crypto')
var BigInteger = require('bigi') var BigInteger = require('bigi')
var ECPointFp = require('./ec').ECPointFp var ECPointFp = require('./ec').ECPointFp
function deterministicGenerateK(ecparams, hash, D) { function deterministicGenerateK(ecparams, hash, D) {
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash) assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)
assert.equal(hash.length, 32, 'Hash must be 256 bit') assert.equal(hash.length, 32, 'Hash must be 256 bit')
assert(D instanceof BigInteger, 'Private key must be a BigInteger') assert(D instanceof BigInteger, 'Private key must be a BigInteger')
var x = D.toBuffer(32) var x = D.toBuffer(32)
var k = new Buffer(32) var k = new Buffer(32)
var v = new Buffer(32) var v = new Buffer(32)
k.fill(0) k.fill(0)
v.fill(1) v.fill(1)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k) k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
v = crypto.HmacSHA256(v, k) v = crypto.HmacSHA256(v, k)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k) k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
v = crypto.HmacSHA256(v, k) v = crypto.HmacSHA256(v, k)
v = crypto.HmacSHA256(v, k) v = crypto.HmacSHA256(v, k)
var n = ecparams.getN() var n = ecparams.getN()
var kB = BigInteger.fromBuffer(v).mod(n) var kB = BigInteger.fromBuffer(v).mod(n)
assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value') assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value')
assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value') assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value')
return kB return kB
} }
function sign(ecparams, hash, D) { function sign(ecparams, hash, D) {
var k = deterministicGenerateK(ecparams, hash, D) var k = deterministicGenerateK(ecparams, hash, D)
var n = ecparams.getN() var n = ecparams.getN()
var G = ecparams.getG() var G = ecparams.getG()
var Q = G.multiply(k) var Q = G.multiply(k)
var e = BigInteger.fromBuffer(hash) var e = BigInteger.fromBuffer(hash)
var r = Q.getX().toBigInteger().mod(n) var r = Q.getX().toBigInteger().mod(n)
assert.notEqual(r.signum(), 0, 'Invalid R value') assert.notEqual(r.signum(), 0, 'Invalid R value')
var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n) var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n)
assert.notEqual(s.signum(), 0, 'Invalid S value') assert.notEqual(s.signum(), 0, 'Invalid S value')
var N_OVER_TWO = n.shiftRight(1) var N_OVER_TWO = n.shiftRight(1)
// enforce low S values, see bip62: 'low s values in signatures' // enforce low S values, see bip62: 'low s values in signatures'
if (s.compareTo(N_OVER_TWO) > 0) { if (s.compareTo(N_OVER_TWO) > 0) {
s = n.subtract(s) s = n.subtract(s)
}
return {r: r, s: s}
} }
function verify(ecparams, hash, r, s, Q) { return {r: r, s: s}
var e = BigInteger.fromBuffer(hash) }
return verifyRaw(ecparams, e, r, s, Q) function verify(ecparams, hash, r, s, Q) {
} var e = BigInteger.fromBuffer(hash)
function verifyRaw(ecparams, e, r, s, Q) { return verifyRaw(ecparams, e, r, s, Q)
var n = ecparams.getN() }
var G = ecparams.getG()
if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) { function verifyRaw(ecparams, e, r, s, Q) {
return false var n = ecparams.getN()
} var G = ecparams.getG()
if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) { if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) {
return false return false
} }
if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) {
return false
}
var c = s.modInverse(n) var c = s.modInverse(n)
var u1 = e.multiply(c).mod(n) var u1 = e.multiply(c).mod(n)
var u2 = r.multiply(c).mod(n) var u2 = r.multiply(c).mod(n)
var point = G.multiplyTwo(u1, Q, u2) var point = G.multiplyTwo(u1, Q, u2)
var v = point.getX().toBigInteger().mod(n) var v = point.getX().toBigInteger().mod(n)
return v.equals(r) return v.equals(r)
} }
/** /**
* Serialize a signature into DER format. * Serialize a signature into DER format.
* *
* Takes two BigIntegers representing r and s and returns a byte array. * Takes two BigIntegers representing r and s and returns a byte array.
*/ */
function serializeSig(r, s) { function serializeSig(r, s) {
var rBa = r.toByteArraySigned() var rBa = r.toByteArraySigned()
var sBa = s.toByteArraySigned() var sBa = s.toByteArraySigned()
var sequence = [] var sequence = []
sequence.push(0x02); // INTEGER sequence.push(0x02); // INTEGER
sequence.push(rBa.length) sequence.push(rBa.length)
sequence = sequence.concat(rBa) sequence = sequence.concat(rBa)
sequence.push(0x02); // INTEGER sequence.push(0x02); // INTEGER
sequence.push(sBa.length) sequence.push(sBa.length)
sequence = sequence.concat(sBa) sequence = sequence.concat(sBa)
sequence.unshift(sequence.length) sequence.unshift(sequence.length)
sequence.unshift(0x30); // SEQUENCE sequence.unshift(0x30); // SEQUENCE
return sequence return sequence
} }
/** /**
* Parses a buffer containing a DER-encoded signature. * Parses a buffer containing a DER-encoded signature.
* *
* This function will return an object of the form: * This function will return an object of the form:
* *
* { * {
* r: BigInteger, * r: BigInteger,
* s: BigInteger * s: BigInteger
* } * }
*/ */
function parseSig(buffer) { function parseSig(buffer) {
assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence') assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length') assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer') assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer')
var rLen = buffer.readUInt8(3) var rLen = buffer.readUInt8(3)
var rB = buffer.slice(4, 4 + rLen) var rB = buffer.slice(4, 4 + rLen)
var offset = 4 + rLen var offset = 4 + rLen
assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer') assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer')
var sLen = buffer.readUInt8(1 + offset) var sLen = buffer.readUInt8(1 + offset)
var sB = buffer.slice(2 + offset) var sB = buffer.slice(2 + offset)
return { return {
r: BigInteger.fromByteArraySigned(rB), r: BigInteger.fromByteArraySigned(rB),
s: BigInteger.fromByteArraySigned(sB) s: BigInteger.fromByteArraySigned(sB)
}
} }
}
function serializeSigCompact(r, s, i, compressed) { function serializeSigCompact(r, s, i, compressed) {
if (compressed) { if (compressed) {
i += 4 i += 4
} }
i += 27 i += 27
var buffer = new Buffer(65) var buffer = new Buffer(65)
buffer.writeUInt8(i, 0) buffer.writeUInt8(i, 0)
r.toBuffer(32).copy(buffer, 1) r.toBuffer(32).copy(buffer, 1)
s.toBuffer(32).copy(buffer, 33) s.toBuffer(32).copy(buffer, 33)
return buffer return buffer
} }
function parseSigCompact(buffer) { function parseSigCompact(buffer) {
assert.equal(buffer.length, 65, 'Invalid signature length') assert.equal(buffer.length, 65, 'Invalid signature length')
var i = buffer.readUInt8(0) - 27 var i = buffer.readUInt8(0) - 27
// At most 3 bits // At most 3 bits
assert.equal(i, i & 7, 'Invalid signature type') assert.equal(i, i & 7, 'Invalid signature type')
var compressed = !!(i & 4) var compressed = !!(i & 4)
// Recovery param only // Recovery param only
i = i & 3 i = i & 3
var r = BigInteger.fromBuffer(buffer.slice(1, 33)) var r = BigInteger.fromBuffer(buffer.slice(1, 33))
var s = BigInteger.fromBuffer(buffer.slice(33)) var s = BigInteger.fromBuffer(buffer.slice(33))
return { return {
r: r, r: r,
s: s, s: s,
i: i, i: i,
compressed: compressed compressed: compressed
}
} }
}
/** /**
* Recover a public key from a signature. * Recover a public key from a signature.
* *
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public * See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
* Key Recovery Operation". * Key Recovery Operation".
* *
* http://www.secg.org/download/aid-780/sec1-v2.pdf * http://www.secg.org/download/aid-780/sec1-v2.pdf
*/ */
function recoverPubKey(ecparams, e, r, s, i) { function recoverPubKey(ecparams, e, r, s, i) {
assert.strictEqual(i & 3, i, 'The recovery param is more than two bits') assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
// A set LSB signifies that the y-coordinate is odd // A set LSB signifies that the y-coordinate is odd
// By reduction, the y-coordinate is even if it is clear // By reduction, the y-coordinate is even if it is clear
var isYEven = !(i & 1) var isYEven = !(i & 1)
// The more significant bit specifies whether we should use the // The more significant bit specifies whether we should use the
// first or second candidate key. // first or second candidate key.
var isSecondKey = i >> 1 var isSecondKey = i >> 1
var n = ecparams.getN() var n = ecparams.getN()
var G = ecparams.getG() var G = ecparams.getG()
var curve = ecparams.getCurve() var curve = ecparams.getCurve()
var p = curve.getQ() var p = curve.getQ()
var a = curve.getA().toBigInteger() var a = curve.getA().toBigInteger()
var b = curve.getB().toBigInteger() var b = curve.getB().toBigInteger()
// We precalculate (p + 1) / 4 where p is the field order // We precalculate (p + 1) / 4 where p is the field order
if (!curve.P_OVER_FOUR) { if (!curve.P_OVER_FOUR) {
curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2) curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
} }
// 1.1 Compute x
var x = isSecondKey ? r.add(n) : r
// 1.3 Convert x to point // 1.1 Compute x
var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p) var x = isSecondKey ? r.add(n) : r
var beta = alpha.modPow(curve.P_OVER_FOUR, p)
// If beta is even, but y isn't, or vice versa, then convert it, // 1.3 Convert x to point
// otherwise we're done and y == beta. var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta var beta = alpha.modPow(curve.P_OVER_FOUR, p)
// 1.4 Check that nR isn't at infinity // If beta is even, but y isn't, or vice versa, then convert it,
var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y)) // otherwise we're done and y == beta.
R.validate() var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
// 1.5 Compute -e from e // 1.4 Check that nR isn't at infinity
var eNeg = e.negate().mod(n) var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))
R.validate()
// 1.6 Compute Q = r^-1 (sR - eG) // 1.5 Compute -e from e
// Q = r^-1 (sR + -eG) var eNeg = e.negate().mod(n)
var rInv = r.modInverse(n)
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) // 1.6 Compute Q = r^-1 (sR - eG)
Q.validate() // Q = r^-1 (sR + -eG)
var rInv = r.modInverse(n)
if (!verifyRaw(ecparams, e, r, s, Q)) { var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
throw new Error("Pubkey recovery unsuccessful") Q.validate()
}
return Q if (!verifyRaw(ecparams, e, r, s, Q)) {
throw new Error("Pubkey recovery unsuccessful")
} }
/** return Q
* Calculate pubkey extraction parameter. }
*
* When extracting a pubkey from a signature, we have to
* distinguish four different cases. Rather than putting this
* burden on the verifier, Bitcoin includes a 2-bit value with the
* signature.
*
* This function simply tries all four cases and returns the value
* that resulted in a successful pubkey recovery.
*/
function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) {
for (var i = 0; i < 4; i++) {
var Qprime = recoverPubKey(ecparams, e, r, s, i)
if (Qprime.equals(Q)) {
return i
}
}
throw new Error('Unable to find valid recovery factor') /**
* Calculate pubkey extraction parameter.
*
* When extracting a pubkey from a signature, we have to
* distinguish four different cases. Rather than putting this
* burden on the verifier, Bitcoin includes a 2-bit value with the
* signature.
*
* This function simply tries all four cases and returns the value
* that resulted in a successful pubkey recovery.
*/
function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) {
for (var i = 0; i < 4; i++) {
var Qprime = recoverPubKey(ecparams, e, r, s, i)
if (Qprime.equals(Q)) {
return i
}
} }
throw new Error('Unable to find valid recovery factor')
}
module.exports = { module.exports = {
calcPubKeyRecoveryParam: calcPubKeyRecoveryParam, calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
deterministicGenerateK: deterministicGenerateK, deterministicGenerateK: deterministicGenerateK,
recoverPubKey: recoverPubKey, recoverPubKey: recoverPubKey,
sign: sign, sign: sign,
verify: verify, verify: verify,
verifyRaw: verifyRaw, verifyRaw: verifyRaw,
serializeSig: serializeSig, serializeSig: serializeSig,
parseSig: parseSig, parseSig: parseSig,
serializeSigCompact: serializeSigCompact, serializeSigCompact: serializeSigCompact,
parseSigCompact: parseSigCompact parseSigCompact: parseSigCompact
} }

Write Preview
Loading…
Cancel
Save