|
|
|
@ -1,40 +1,11 @@ |
|
|
|
var assert = require('assert') |
|
|
|
var crypto = require('./crypto') |
|
|
|
var sec = require('./sec') |
|
|
|
var ecparams = sec("secp256k1") |
|
|
|
|
|
|
|
var BigInteger = require('bigi') |
|
|
|
var ECPointFp = require('./ec').ECPointFp |
|
|
|
|
|
|
|
function implShamirsTrick(P, k, Q, l) { |
|
|
|
var m = Math.max(k.bitLength(), l.bitLength()) |
|
|
|
var Z = P.add2D(Q) |
|
|
|
var R = P.curve.getInfinity() |
|
|
|
|
|
|
|
for (var i = m - 1; i >= 0; --i) { |
|
|
|
R = R.twice2D() |
|
|
|
|
|
|
|
R.z = BigInteger.ONE |
|
|
|
|
|
|
|
if (k.testBit(i)) { |
|
|
|
if (l.testBit(i)) { |
|
|
|
R = R.add2D(Z) |
|
|
|
} else { |
|
|
|
R = R.add2D(P) |
|
|
|
} |
|
|
|
} else { |
|
|
|
if (l.testBit(i)) { |
|
|
|
R = R.add2D(Q) |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
return R |
|
|
|
} |
|
|
|
|
|
|
|
var ecdsa = { |
|
|
|
deterministicGenerateK: function(hash, D) { |
|
|
|
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer') |
|
|
|
function deterministicGenerateK(ecparams, hash, D) { |
|
|
|
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash) |
|
|
|
assert.equal(hash.length, 32, 'Hash must be 256 bit') |
|
|
|
assert(D instanceof BigInteger, 'Private key must be a BigInteger') |
|
|
|
|
|
|
|
@ -57,10 +28,10 @@ var ecdsa = { |
|
|
|
assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value') |
|
|
|
|
|
|
|
return kB |
|
|
|
}, |
|
|
|
} |
|
|
|
|
|
|
|
sign: function (hash, D) { |
|
|
|
var k = ecdsa.deterministicGenerateK(hash, D) |
|
|
|
function sign(ecparams, hash, D) { |
|
|
|
var k = deterministicGenerateK(ecparams, hash, D) |
|
|
|
|
|
|
|
var n = ecparams.getN() |
|
|
|
var G = ecparams.getG() |
|
|
|
@ -80,36 +51,16 @@ var ecdsa = { |
|
|
|
s = n.subtract(s) |
|
|
|
} |
|
|
|
|
|
|
|
return ecdsa.serializeSig(r, s) |
|
|
|
}, |
|
|
|
|
|
|
|
verify: function (hash, sig, pubkey) { |
|
|
|
var r,s |
|
|
|
if (Array.isArray(sig) || Buffer.isBuffer(sig)) { |
|
|
|
var obj = ecdsa.parseSig(sig) |
|
|
|
r = obj.r |
|
|
|
s = obj.s |
|
|
|
} else if ("object" === typeof sig && sig.r && sig.s) { |
|
|
|
r = sig.r |
|
|
|
s = sig.s |
|
|
|
} else { |
|
|
|
throw new Error("Invalid value for signature") |
|
|
|
return {r: r, s: s} |
|
|
|
} |
|
|
|
|
|
|
|
var Q |
|
|
|
if (pubkey instanceof ECPointFp) { |
|
|
|
Q = pubkey |
|
|
|
} else if (Array.isArray(pubkey) || Buffer.isBuffer(pubkey)) { |
|
|
|
Q = ECPointFp.decodeFrom(ecparams.getCurve(), pubkey) |
|
|
|
} else { |
|
|
|
throw new Error("Invalid format for pubkey value, must be byte array or ECPointFp") |
|
|
|
} |
|
|
|
function verify(ecparams, hash, r, s, Q) { |
|
|
|
var e = BigInteger.fromBuffer(hash) |
|
|
|
|
|
|
|
return ecdsa.verifyRaw(e, r, s, Q) |
|
|
|
}, |
|
|
|
return verifyRaw(ecparams, e, r, s, Q) |
|
|
|
} |
|
|
|
|
|
|
|
verifyRaw: function (e, r, s, Q) { |
|
|
|
function verifyRaw(ecparams, e, r, s, Q) { |
|
|
|
var n = ecparams.getN() |
|
|
|
var G = ecparams.getG() |
|
|
|
|
|
|
|
@ -125,23 +76,18 @@ var ecdsa = { |
|
|
|
var u1 = e.multiply(c).mod(n) |
|
|
|
var u2 = r.multiply(c).mod(n) |
|
|
|
|
|
|
|
// TODO(!!!): For some reason Shamir's trick isn't working with
|
|
|
|
// signed message verification!? Probably an implementation
|
|
|
|
// error!
|
|
|
|
//var point = implShamirsTrick(G, u1, Q, u2)
|
|
|
|
var point = G.multiply(u1).add(Q.multiply(u2)) |
|
|
|
|
|
|
|
var point = G.multiplyTwo(u1, Q, u2) |
|
|
|
var v = point.getX().toBigInteger().mod(n) |
|
|
|
|
|
|
|
return v.equals(r) |
|
|
|
}, |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
* Serialize a signature into DER format. |
|
|
|
* |
|
|
|
* Takes two BigIntegers representing r and s and returns a byte array. |
|
|
|
*/ |
|
|
|
serializeSig: function (r, s) { |
|
|
|
function serializeSig(r, s) { |
|
|
|
var rBa = r.toByteArraySigned() |
|
|
|
var sBa = s.toByteArraySigned() |
|
|
|
|
|
|
|
@ -158,7 +104,7 @@ var ecdsa = { |
|
|
|
sequence.unshift(0x30); // SEQUENCE
|
|
|
|
|
|
|
|
return sequence |
|
|
|
}, |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
* Parses a buffer containing a DER-encoded signature. |
|
|
|
@ -170,9 +116,7 @@ var ecdsa = { |
|
|
|
* s: BigInteger |
|
|
|
* } |
|
|
|
*/ |
|
|
|
parseSig: function (buffer) { |
|
|
|
if (Array.isArray(buffer)) buffer = new Buffer(buffer) // FIXME: transitionary
|
|
|
|
|
|
|
|
function parseSig(buffer) { |
|
|
|
assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence') |
|
|
|
assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length') |
|
|
|
|
|
|
|
@ -189,9 +133,9 @@ var ecdsa = { |
|
|
|
r: BigInteger.fromByteArraySigned(rB), |
|
|
|
s: BigInteger.fromByteArraySigned(sB) |
|
|
|
} |
|
|
|
}, |
|
|
|
} |
|
|
|
|
|
|
|
serializeSigCompact: function(r, s, i, compressed) { |
|
|
|
function serializeSigCompact(r, s, i, compressed) { |
|
|
|
if (compressed) { |
|
|
|
i += 4 |
|
|
|
} |
|
|
|
@ -204,9 +148,9 @@ var ecdsa = { |
|
|
|
s.toBuffer(32).copy(buffer, 33) |
|
|
|
|
|
|
|
return buffer |
|
|
|
}, |
|
|
|
} |
|
|
|
|
|
|
|
parseSigCompact: function (buffer) { |
|
|
|
function parseSigCompact(buffer) { |
|
|
|
assert.equal(buffer.length, 65, 'Invalid signature length') |
|
|
|
var i = buffer.readUInt8(0) - 27 |
|
|
|
|
|
|
|
@ -226,7 +170,7 @@ var ecdsa = { |
|
|
|
i: i, |
|
|
|
compressed: compressed |
|
|
|
} |
|
|
|
}, |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
* Recover a public key from a signature. |
|
|
|
@ -236,7 +180,7 @@ var ecdsa = { |
|
|
|
* |
|
|
|
* http://www.secg.org/download/aid-780/sec1-v2.pdf
|
|
|
|
*/ |
|
|
|
recoverPubKey: function (r, s, hash, i) { |
|
|
|
function recoverPubKey(ecparams, e, r, s, i) { |
|
|
|
assert.strictEqual(i & 3, i, 'The recovery param is more than two bits') |
|
|
|
|
|
|
|
// A set LSB signifies that the y-coordinate is odd
|
|
|
|
@ -274,21 +218,22 @@ var ecdsa = { |
|
|
|
var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y)) |
|
|
|
R.validate() |
|
|
|
|
|
|
|
// 1.5 Compute e from M
|
|
|
|
var e = BigInteger.fromBuffer(hash) |
|
|
|
var eNeg = BigInteger.ZERO.subtract(e).mod(n) |
|
|
|
// 1.5 Compute -e from e
|
|
|
|
var eNeg = e.negate().mod(n) |
|
|
|
|
|
|
|
// 1.6 Compute Q = r^-1 (sR - eG)
|
|
|
|
// Q = r^-1 (sR + -eG)
|
|
|
|
var rInv = r.modInverse(n) |
|
|
|
var Q = implShamirsTrick(R, s, G, eNeg).multiply(rInv) |
|
|
|
|
|
|
|
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv) |
|
|
|
Q.validate() |
|
|
|
if (!ecdsa.verifyRaw(e, r, s, Q)) { |
|
|
|
|
|
|
|
if (!verifyRaw(ecparams, e, r, s, Q)) { |
|
|
|
throw new Error("Pubkey recovery unsuccessful") |
|
|
|
} |
|
|
|
|
|
|
|
return Q |
|
|
|
}, |
|
|
|
} |
|
|
|
|
|
|
|
/** |
|
|
|
* Calculate pubkey extraction parameter. |
|
|
|
@ -301,17 +246,27 @@ var ecdsa = { |
|
|
|
* This function simply tries all four cases and returns the value |
|
|
|
* that resulted in a successful pubkey recovery. |
|
|
|
*/ |
|
|
|
calcPubKeyRecoveryParam: function (origPubKey, r, s, hash) { |
|
|
|
function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) { |
|
|
|
for (var i = 0; i < 4; i++) { |
|
|
|
var pubKey = ecdsa.recoverPubKey(r, s, hash, i) |
|
|
|
var Qprime = recoverPubKey(ecparams, e, r, s, i) |
|
|
|
|
|
|
|
if (pubKey.equals(origPubKey)) { |
|
|
|
if (Qprime.equals(Q)) { |
|
|
|
return i |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
throw new Error("Unable to find valid recovery factor") |
|
|
|
} |
|
|
|
throw new Error('Unable to find valid recovery factor') |
|
|
|
} |
|
|
|
|
|
|
|
module.exports = ecdsa |
|
|
|
module.exports = { |
|
|
|
calcPubKeyRecoveryParam: calcPubKeyRecoveryParam, |
|
|
|
deterministicGenerateK: deterministicGenerateK, |
|
|
|
recoverPubKey: recoverPubKey, |
|
|
|
sign: sign, |
|
|
|
verify: verify, |
|
|
|
verifyRaw: verifyRaw, |
|
|
|
serializeSig: serializeSig, |
|
|
|
parseSig: parseSig, |
|
|
|
serializeSigCompact: serializeSigCompact, |
|
|
|
parseSigCompact: parseSigCompact |
|
|
|
} |
|
|
|
|
Wei Lu
11 years ago