lukechilds
/
bitcoinjs-lib
mirror of https://github.com/lukechilds/bitcoinjs-lib.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #184 from dcousens/ecclean 

ECDSA cleanup
hk-custom-address
Wei Lu 11 years ago
parent
d9184ba6b8 087ca551f5
commit
c6bc0ebdcb
7 changed files with 267 additions and 299 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 493
      src/ecdsa.js
  2. 2
      src/eckey.js
  3. 4
      src/ecpubkey.js
  4. 12
      src/message.js
  5. 22
      src/transaction.js
  6. 29
      test/ecdsa.js
  7. 4
      test/transaction.js

493
src/ecdsa.js
View File

@ -1,317 +1,272 @@
var assert = require('assert')
var crypto = require('./crypto')
var sec = require('./sec')
var ecparams = sec("secp256k1")
var BigInteger = require('bigi')
var ECPointFp = require('./ec').ECPointFp
function implShamirsTrick(P, k, Q, l) {
var m = Math.max(k.bitLength(), l.bitLength())
var Z = P.add2D(Q)
var R = P.curve.getInfinity()
for (var i = m - 1; i >= 0; --i) {
R = R.twice2D()
R.z = BigInteger.ONE
if (k.testBit(i)) {
if (l.testBit(i)) {
R = R.add2D(Z)
} else {
R = R.add2D(P)
}
} else {
if (l.testBit(i)) {
R = R.add2D(Q)
}
}
}
function deterministicGenerateK(ecparams, hash, D) {
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)
assert.equal(hash.length, 32, 'Hash must be 256 bit')
assert(D instanceof BigInteger, 'Private key must be a BigInteger')
var x = D.toBuffer(32)
var k = new Buffer(32)
var v = new Buffer(32)
k.fill(0)
v.fill(1)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
v = crypto.HmacSHA256(v, k)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
v = crypto.HmacSHA256(v, k)
v = crypto.HmacSHA256(v, k)
return R
var n = ecparams.getN()
var kB = BigInteger.fromBuffer(v).mod(n)
assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value')
assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value')
return kB
}
var ecdsa = {
deterministicGenerateK: function(hash, D) {
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer')
assert.equal(hash.length, 32, 'Hash must be 256 bit')
assert(D instanceof BigInteger, 'Private key must be a BigInteger')
function sign(ecparams, hash, D) {
var k = deterministicGenerateK(ecparams, hash, D)
var x = D.toBuffer(32)
var k = new Buffer(32)
var v = new Buffer(32)
k.fill(0)
v.fill(1)
var n = ecparams.getN()
var G = ecparams.getG()
var Q = G.multiply(k)
var e = BigInteger.fromBuffer(hash)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
v = crypto.HmacSHA256(v, k)
var r = Q.getX().toBigInteger().mod(n)
assert.notEqual(r.signum(), 0, 'Invalid R value')
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
v = crypto.HmacSHA256(v, k)
v = crypto.HmacSHA256(v, k)
var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n)
assert.notEqual(s.signum(), 0, 'Invalid S value')
var n = ecparams.getN()
var kB = BigInteger.fromBuffer(v).mod(n)
assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value')
assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value')
var N_OVER_TWO = n.shiftRight(1)
return kB
},
// enforce low S values, see bip62: 'low s values in signatures'
if (s.compareTo(N_OVER_TWO) > 0) {
s = n.subtract(s)
}
sign: function (hash, D) {
var k = ecdsa.deterministicGenerateK(hash, D)
return {r: r, s: s}
}
var n = ecparams.getN()
var G = ecparams.getG()
var Q = G.multiply(k)
var e = BigInteger.fromBuffer(hash)
function verify(ecparams, hash, r, s, Q) {
var e = BigInteger.fromBuffer(hash)
var r = Q.getX().toBigInteger().mod(n)
assert.notEqual(r.signum(), 0, 'Invalid R value')
return verifyRaw(ecparams, e, r, s, Q)
}
var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n)
assert.notEqual(s.signum(), 0, 'Invalid S value')
function verifyRaw(ecparams, e, r, s, Q) {
var n = ecparams.getN()
var G = ecparams.getG()
var N_OVER_TWO = n.shiftRight(1)
if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) {
return false
}
// enforce low S values, see bip62: 'low s values in signatures'
if (s.compareTo(N_OVER_TWO) > 0) {
s = n.subtract(s)
}
if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) {
return false
}
return ecdsa.serializeSig(r, s)
},
verify: function (hash, sig, pubkey) {
var r,s
if (Array.isArray(sig) || Buffer.isBuffer(sig)) {
var obj = ecdsa.parseSig(sig)
r = obj.r
s = obj.s
} else if ("object" === typeof sig && sig.r && sig.s) {
r = sig.r
s = sig.s
} else {
throw new Error("Invalid value for signature")
}
var c = s.modInverse(n)
var u1 = e.multiply(c).mod(n)
var u2 = r.multiply(c).mod(n)
var Q
if (pubkey instanceof ECPointFp) {
Q = pubkey
} else if (Array.isArray(pubkey) || Buffer.isBuffer(pubkey)) {
Q = ECPointFp.decodeFrom(ecparams.getCurve(), pubkey)
} else {
throw new Error("Invalid format for pubkey value, must be byte array or ECPointFp")
}
var e = BigInteger.fromBuffer(hash)
var point = G.multiplyTwo(u1, Q, u2)
var v = point.getX().toBigInteger().mod(n)
return ecdsa.verifyRaw(e, r, s, Q)
},
return v.equals(r)
}
verifyRaw: function (e, r, s, Q) {
var n = ecparams.getN()
var G = ecparams.getG()
/**
* Serialize a signature into DER format.
*
* Takes two BigIntegers representing r and s and returns a byte array.
*/
function serializeSig(r, s) {
var rBa = r.toByteArraySigned()
var sBa = s.toByteArraySigned()
if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) {
return false
}
var sequence = []
sequence.push(0x02); // INTEGER
sequence.push(rBa.length)
sequence = sequence.concat(rBa)
if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) {
return false
}
sequence.push(0x02); // INTEGER
sequence.push(sBa.length)
sequence = sequence.concat(sBa)
var c = s.modInverse(n)
var u1 = e.multiply(c).mod(n)
var u2 = r.multiply(c).mod(n)
// TODO(!!!): For some reason Shamir's trick isn't working with
// signed message verification!? Probably an implementation
// error!
//var point = implShamirsTrick(G, u1, Q, u2)
var point = G.multiply(u1).add(Q.multiply(u2))
var v = point.getX().toBigInteger().mod(n)
return v.equals(r)
},
/**
* Serialize a signature into DER format.
*
* Takes two BigIntegers representing r and s and returns a byte array.
*/
serializeSig: function (r, s) {
var rBa = r.toByteArraySigned()
var sBa = s.toByteArraySigned()
var sequence = []
sequence.push(0x02); // INTEGER
sequence.push(rBa.length)
sequence = sequence.concat(rBa)
sequence.push(0x02); // INTEGER
sequence.push(sBa.length)
sequence = sequence.concat(sBa)
sequence.unshift(sequence.length)
sequence.unshift(0x30); // SEQUENCE
return sequence
},
/**
* Parses a buffer containing a DER-encoded signature.
*
* This function will return an object of the form:
*
* {
* r: BigInteger,
* s: BigInteger
* }
*/
parseSig: function (buffer) {
if (Array.isArray(buffer)) buffer = new Buffer(buffer) // FIXME: transitionary
assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer')
var rLen = buffer.readUInt8(3)
var rB = buffer.slice(4, 4 + rLen)
var offset = 4 + rLen
assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer')
var sLen = buffer.readUInt8(1 + offset)
var sB = buffer.slice(2 + offset)
return {
r: BigInteger.fromByteArraySigned(rB),
s: BigInteger.fromByteArraySigned(sB)
}
},
sequence.unshift(sequence.length)
sequence.unshift(0x30); // SEQUENCE
serializeSigCompact: function(r, s, i, compressed) {
if (compressed) {
i += 4
}
return sequence
}
i += 27
/**
* Parses a buffer containing a DER-encoded signature.
*
* This function will return an object of the form:
*
* {
* r: BigInteger,
* s: BigInteger
* }
*/
function parseSig(buffer) {
assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer')
var rLen = buffer.readUInt8(3)
var rB = buffer.slice(4, 4 + rLen)
var offset = 4 + rLen
assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer')
var sLen = buffer.readUInt8(1 + offset)
var sB = buffer.slice(2 + offset)
return {
r: BigInteger.fromByteArraySigned(rB),
s: BigInteger.fromByteArraySigned(sB)
}
}
var buffer = new Buffer(65)
buffer.writeUInt8(i, 0)
r.toBuffer(32).copy(buffer, 1)
s.toBuffer(32).copy(buffer, 33)
function serializeSigCompact(r, s, i, compressed) {
if (compressed) {
i += 4
}
return buffer
},
i += 27
parseSigCompact: function (buffer) {
assert.equal(buffer.length, 65, 'Invalid signature length')
var i = buffer.readUInt8(0) - 27
var buffer = new Buffer(65)
buffer.writeUInt8(i, 0)
r.toBuffer(32).copy(buffer, 1)
s.toBuffer(32).copy(buffer, 33)
// At most 3 bits
assert.equal(i, i & 7, 'Invalid signature type')
var compressed = !!(i & 4)
return buffer
}
// Recovery param only
i = i & 3
function parseSigCompact(buffer) {
assert.equal(buffer.length, 65, 'Invalid signature length')
var i = buffer.readUInt8(0) - 27
var r = BigInteger.fromBuffer(buffer.slice(1, 33))
var s = BigInteger.fromBuffer(buffer.slice(33))
// At most 3 bits
assert.equal(i, i & 7, 'Invalid signature type')
var compressed = !!(i & 4)
return {
r: r,
s: s,
i: i,
compressed: compressed
}
},
/**
* Recover a public key from a signature.
*
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
* Key Recovery Operation".
*
* http://www.secg.org/download/aid-780/sec1-v2.pdf
*/
recoverPubKey: function (r, s, hash, i) {
assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
// A set LSB signifies that the y-coordinate is odd
// By reduction, the y-coordinate is even if it is clear
var isYEven = !(i & 1)
// The more significant bit specifies whether we should use the
// first or second candidate key.
var isSecondKey = i >> 1
var n = ecparams.getN()
var G = ecparams.getG()
var curve = ecparams.getCurve()
var p = curve.getQ()
var a = curve.getA().toBigInteger()
var b = curve.getB().toBigInteger()
// We precalculate (p + 1) / 4 where p is the field order
if (!curve.P_OVER_FOUR) {
curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
}
// Recovery param only
i = i & 3
// 1.1 Compute x
var x = isSecondKey ? r.add(n) : r
var r = BigInteger.fromBuffer(buffer.slice(1, 33))
var s = BigInteger.fromBuffer(buffer.slice(33))
// 1.3 Convert x to point
var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
var beta = alpha.modPow(curve.P_OVER_FOUR, p)
return {
r: r,
s: s,
i: i,
compressed: compressed
}
}
// If beta is even, but y isn't, or vice versa, then convert it,
// otherwise we're done and y == beta.
var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
/**
* Recover a public key from a signature.
*
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
* Key Recovery Operation".
*
* http://www.secg.org/download/aid-780/sec1-v2.pdf
*/
function recoverPubKey(ecparams, e, r, s, i) {
assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
// A set LSB signifies that the y-coordinate is odd
// By reduction, the y-coordinate is even if it is clear
var isYEven = !(i & 1)
// The more significant bit specifies whether we should use the
// first or second candidate key.
var isSecondKey = i >> 1
var n = ecparams.getN()
var G = ecparams.getG()
var curve = ecparams.getCurve()
var p = curve.getQ()
var a = curve.getA().toBigInteger()
var b = curve.getB().toBigInteger()
// We precalculate (p + 1) / 4 where p is the field order
if (!curve.P_OVER_FOUR) {
curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
}
// 1.4 Check that nR isn't at infinity
var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))
R.validate()
// 1.1 Compute x
var x = isSecondKey ? r.add(n) : r
// 1.5 Compute e from M
var e = BigInteger.fromBuffer(hash)
var eNeg = BigInteger.ZERO.subtract(e).mod(n)
// 1.3 Convert x to point
var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
var beta = alpha.modPow(curve.P_OVER_FOUR, p)
// 1.6 Compute Q = r^-1 (sR - eG)
var rInv = r.modInverse(n)
var Q = implShamirsTrick(R, s, G, eNeg).multiply(rInv)
// If beta is even, but y isn't, or vice versa, then convert it,
// otherwise we're done and y == beta.
var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
Q.validate()
if (!ecdsa.verifyRaw(e, r, s, Q)) {
throw new Error("Pubkey recovery unsuccessful")
}
// 1.4 Check that nR isn't at infinity
var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))
R.validate()
return Q
},
/**
* Calculate pubkey extraction parameter.
*
* When extracting a pubkey from a signature, we have to
* distinguish four different cases. Rather than putting this
* burden on the verifier, Bitcoin includes a 2-bit value with the
* signature.
*
* This function simply tries all four cases and returns the value
* that resulted in a successful pubkey recovery.
*/
calcPubKeyRecoveryParam: function (origPubKey, r, s, hash) {
for (var i = 0; i < 4; i++) {
var pubKey = ecdsa.recoverPubKey(r, s, hash, i)
if (pubKey.equals(origPubKey)) {
return i
}
}
// 1.5 Compute -e from e
var eNeg = e.negate().mod(n)
// 1.6 Compute Q = r^-1 (sR - eG)
// Q = r^-1 (sR + -eG)
var rInv = r.modInverse(n)
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
Q.validate()
if (!verifyRaw(ecparams, e, r, s, Q)) {
throw new Error("Pubkey recovery unsuccessful")
}
throw new Error("Unable to find valid recovery factor")
return Q
}
/**
* Calculate pubkey extraction parameter.
*
* When extracting a pubkey from a signature, we have to
* distinguish four different cases. Rather than putting this
* burden on the verifier, Bitcoin includes a 2-bit value with the
* signature.
*
* This function simply tries all four cases and returns the value
* that resulted in a successful pubkey recovery.
*/
function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) {
for (var i = 0; i < 4; i++) {
var Qprime = recoverPubKey(ecparams, e, r, s, i)
if (Qprime.equals(Q)) {
return i
}
}
throw new Error('Unable to find valid recovery factor')
}
module.exports = ecdsa
module.exports = {
calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
deterministicGenerateK: deterministicGenerateK,
recoverPubKey: recoverPubKey,
sign: sign,
verify: verify,
verifyRaw: verifyRaw,
serializeSig: serializeSig,
parseSig: parseSig,
serializeSigCompact: serializeSigCompact,
parseSigCompact: parseSigCompact
}

2
src/eckey.js
View File

@ -63,7 +63,7 @@ ECKey.prototype.toWIF = function(version) {
// Operations
ECKey.prototype.sign = function(hash) {
return ecdsa.sign(hash, this.D)
return ecdsa.sign(ecparams, hash, this.D)
}
module.exports = ECKey

4
src/ecpubkey.js
View File

@ -36,8 +36,8 @@ ECPubKey.prototype.getAddress = function(version) {
return new Address(crypto.hash160(this.toBuffer()), version)
}
ECPubKey.prototype.verify = function(hash, sig) {
return ecdsa.verify(hash, sig, this.Q)
ECPubKey.prototype.verify = function(hash, signature) {
return ecdsa.verify(ecparams, hash, signature.r, signature.s, this.Q)
}
// Export functions

12
src/message.js
View File

@ -1,5 +1,6 @@
/// Implements Bitcoin's feature for signing arbitrary messages.
var Address = require('./address')
var BigInteger = require('bigi')
var bufferutils = require('./bufferutils')
var crypto = require('./crypto')
var ecdsa = require('./ecdsa')
@ -8,6 +9,9 @@ var networks = require('./networks')
var Address = require('./address')
var ECPubKey = require('./ecpubkey')
var sec = require('./sec')
var ecparams = sec('secp256k1')
function magicHash(message, network) {
var magicPrefix = new Buffer(network.magicPrefix)
var messageBuffer = new Buffer(message)
@ -24,8 +28,9 @@ function sign(key, message, network) {
network = network || networks.bitcoin
var hash = magicHash(message, network)
var sig = ecdsa.parseSig(key.sign(hash))
var i = ecdsa.calcPubKeyRecoveryParam(key.pub.Q, sig.r, sig.s, hash)
var sig = key.sign(hash)
var e = BigInteger.fromBuffer(hash)
var i = ecdsa.calcPubKeyRecoveryParam(ecparams, e, sig.r, sig.s, key.pub.Q)
return ecdsa.serializeSigCompact(sig.r, sig.s, i, key.pub.compressed)
}
@ -40,7 +45,8 @@ function verify(address, compactSig, message, network) {
var hash = magicHash(message, network)
var sig = ecdsa.parseSigCompact(compactSig)
var Q = ecdsa.recoverPubKey(sig.r, sig.s, hash, sig.i)
var e = BigInteger.fromBuffer(hash)
var Q = ecdsa.recoverPubKey(ecparams, e, sig.r, sig.s, sig.i)
var pubKey = new ECPubKey(Q, sig.compressed)
return pubKey.getAddress(address.version).toString() === address.toString()

22
src/transaction.js
View File

@ -364,27 +364,35 @@ Transaction.prototype.sign = function(index, key, type) {
this.setScriptSig(index, scriptSig)
}
Transaction.prototype.signScriptSig = function(index, script, key, type) {
Transaction.prototype.signScriptSig = function(index, scriptPubKey, key, type) {
type = type || SIGHASH_ALL
assert((index >= 0), 'Invalid vin index')
assert(script instanceof Script, 'Invalid Script object')
assert(scriptPubKey instanceof Script, 'Invalid Script object')
assert(key instanceof ECKey, 'Invalid private key')
// assert.equal(type & 0x7F, type, 'Invalid type') // TODO
var hash = this.hashForSignature(script, index, type)
return key.sign(hash).concat([type])
var hash = this.hashForSignature(scriptPubKey, index, type)
var sig = key.sign(hash)
var DERsig = ecdsa.serializeSig(sig.r, sig.s)
return Buffer.concat([
new Buffer(DERsig),
new Buffer([type])
])
}
Transaction.prototype.setScriptSig = function(index, script) {
this.ins[index].script = script
}
Transaction.prototype.validateSig = function(index, script, pub, sig) {
var type = sig[sig.length - 1]
Transaction.prototype.validateSig = function(index, script, pub, DERsig) {
var type = DERsig.readUInt8(DERsig.length - 1)
DERsig = DERsig.slice(0, -1)
var hash = this.hashForSignature(script, index, type)
var sig = ecdsa.parseSig(DERsig)
sig = sig.slice(0, -1)
return pub.verify(hash, sig)
}

29
test/ecdsa.js
View File

@ -17,10 +17,10 @@ describe('ecdsa', function() {
describe('deterministicGenerateK', function() {
it('matches the test vectors', function() {
fixtures.valid.forEach(function(f) {
var priv = BigInteger.fromHex(f.D)
var D = BigInteger.fromHex(f.D)
var h1 = crypto.sha256(f.message)
var k = ecdsa.deterministicGenerateK(h1, priv)
var k = ecdsa.deterministicGenerateK(ecparams, h1, D)
assert.equal(k.toHex(), f.k)
})
})
@ -28,14 +28,16 @@ describe('ecdsa', function() {
describe('recoverPubKey', function() {
it('succesfully recovers a public key', function() {
var signature = new Buffer('H0PG6+PUo96UPTJ/DVj8aBU5it+Nuli4YdsLuTMvfJxoHH9Jb7jYTQXCCOX2jrTChD5S1ic3vCrUQHdmB5/sEQY=', 'base64')
var D = BigInteger.ONE
var signature = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64')
var obj = ecdsa.parseSigCompact(signature)
var Q = ecparams.getG().multiply(D)
var hash = message.magicHash('1111', networks.bitcoin)
var e = BigInteger.fromBuffer(hash)
var psig = ecdsa.parseSigCompact(signature)
var pubKey = new ECPubKey(ecdsa.recoverPubKey(obj.r, obj.s, hash, obj.i))
assert.equal(pubKey.toHex(), '02e8fcf4d749b35879bc1f3b14b49e67ab7301da3558c5a9b74a54f1e6339c334c')
var Qprime = ecdsa.recoverPubKey(ecparams, e, psig.r, psig.s, psig.i)
assert(Q.equals(Qprime))
})
})
@ -43,9 +45,8 @@ describe('ecdsa', function() {
it('matches the test vectors', function() {
fixtures.valid.forEach(function(f) {
var D = BigInteger.fromHex(f.D)
var priv = new ECKey(D)
var hash = crypto.sha256(f.message)
var sig = ecdsa.parseSig(priv.sign(hash))
var sig = ecdsa.sign(ecparams, hash, D)
assert.equal(sig.r.toString(), f.signature.r)
assert.equal(sig.s.toString(), f.signature.s)
@ -53,14 +54,12 @@ describe('ecdsa', function() {
})
it('should sign with low S value', function() {
var priv = ECKey.makeRandom()
var hash = crypto.sha256('Vires in numeris')
var signature = priv.sign(hash)
var psig = ecdsa.parseSig(signature)
var sig = ecdsa.sign(ecparams, hash, BigInteger.ONE)
// See BIP62 for more information
var N_OVER_TWO = ecparams.getN().shiftRight(1)
assert(psig.s.compareTo(N_OVER_TWO) <= 0)
assert(sig.s.compareTo(N_OVER_TWO) <= 0)
})
})
@ -68,13 +67,13 @@ describe('ecdsa', function() {
it('matches the test vectors', function() {
fixtures.valid.forEach(function(f) {
var D = BigInteger.fromHex(f.D)
var priv = new ECKey(D)
var Q = ecparams.getG().multiply(D)
var r = new BigInteger(f.signature.r)
var s = new BigInteger(f.signature.s)
var e = BigInteger.fromBuffer(crypto.sha256(f.message))
assert(ecdsa.verifyRaw(e, r, s, priv.pub.Q))
assert(ecdsa.verifyRaw(ecparams, e, r, s, Q))
})
})
})

4
test/transaction.js
View File

@ -197,7 +197,7 @@ describe('Transaction', function() {
tx.sign(0, key)
var script = prevTx.outs[0].script
var sig = tx.ins[0].script.chunks[0]
var sig = new Buffer(tx.ins[0].script.chunks[0])
assert.equal(tx.validateSig(0, script, key.pub, sig), true)
})
@ -213,7 +213,7 @@ describe('Transaction', function() {
it('returns true for valid signature', function(){
var key = ECKey.fromWIF('L44f7zxJ5Zw4EK9HZtyAnzCYz2vcZ5wiJf9AuwhJakiV4xVkxBeb')
var script = prevTx.outs[0].script
var sig = validTx.ins[0].script.chunks[0]
var sig = new Buffer(validTx.ins[0].script.chunks[0])
assert.equal(validTx.validateSig(0, script, key.pub, sig), true)
})

Write Preview
Loading…
Cancel
Save