bitcoinjs-lib/test/ecdsa.js

var assert = require('assert')
var crypto = require('../src/crypto')
var ecdsa = require('../src/ecdsa')
var message = require('../src/message')
var networks = require('../src/networks')

var sec = require('../src/sec')
var ecparams = sec("secp256k1")

var BigInteger = require('bigi')

var fixtures = require('./fixtures/ecdsa.json')

describe('ecdsa', function() {
  describe('deterministicGenerateK', function() {
    it('matches the test vectors', function() {
      fixtures.valid.forEach(function(f) {
        var D = BigInteger.fromHex(f.D)
        var h1 = crypto.sha256(f.message)

        var k = ecdsa.deterministicGenerateK(ecparams, h1, D)
        assert.equal(k.toHex(), f.k)
      })
    })
  })

  describe('recoverPubKey', function() {
    it('succesfully recovers a public key', function() {
      var D = BigInteger.ONE
      var signature = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64')

      var Q = ecparams.getG().multiply(D)
      var hash = message.magicHash('1111', networks.bitcoin)
      var e = BigInteger.fromBuffer(hash)
      var psig = ecdsa.parseSigCompact(signature)

      var Qprime = ecdsa.recoverPubKey(ecparams, e, psig.r, psig.s, psig.i)
      assert(Q.equals(Qprime))
    })
  })

  describe('sign', function() {
    it('matches the test vectors', function() {
      fixtures.valid.forEach(function(f) {
        var D = BigInteger.fromHex(f.D)
        var hash = crypto.sha256(f.message)
        var sig = ecdsa.sign(ecparams, hash, D)

        assert.equal(sig.r.toString(), f.signature.r)
        assert.equal(sig.s.toString(), f.signature.s)
      })
    })

    it('should sign with low S value', function() {
      var hash = crypto.sha256('Vires in numeris')
      var sig = ecdsa.sign(ecparams, hash, BigInteger.ONE)

      // See BIP62 for more information
      var N_OVER_TWO = ecparams.getN().shiftRight(1)
      assert(sig.s.compareTo(N_OVER_TWO) <= 0)
    })
  })

  describe('verifyRaw', function() {
    it('verifies valid signatures', function() {
      fixtures.valid.forEach(function(f) {
        var D = BigInteger.fromHex(f.D)
        var Q = ecparams.getG().multiply(D)

        var r = new BigInteger(f.signature.r)
        var s = new BigInteger(f.signature.s)
        var e = BigInteger.fromBuffer(crypto.sha256(f.message))

        assert(ecdsa.verifyRaw(ecparams, e, r, s, Q))
      })
    })

    fixtures.invalid.verifyRaw.forEach(function(f) {
      it('fails to verify with ' + f.description, function() {
        var D = BigInteger.fromHex(f.D)
        var e = BigInteger.fromHex(f.e)
        var r = new BigInteger(f.signature.r)
        var s = new BigInteger(f.signature.s)
        var Q = ecparams.getG().multiply(D)

        assert.equal(ecdsa.verifyRaw(ecparams, e, r, s, Q), false)
      })
    })
  })

  describe('serializeSig', function() {
    it('encodes a DER signature', function() {
      fixtures.valid.forEach(function(f) {
        var r = new BigInteger(f.signature.r)
        var s = new BigInteger(f.signature.s)

        var signature = new Buffer(ecdsa.serializeSig(r, s))
        assert.equal(signature.toString('hex'), f.DER)
      })
    })
  })

  describe('parseSig', function() {
    it('decodes the correct signature', function() {
      fixtures.valid.forEach(function(f) {
        var buffer = new Buffer(f.DER, 'hex')
        var signature = ecdsa.parseSig(buffer)

        assert.equal(signature.r.toString(), f.signature.r)
        assert.equal(signature.s.toString(), f.signature.s)
      })
    })

    fixtures.invalid.DER.forEach(function(f) {
      it('throws on ' + f.description, function() {
        var buffer = new Buffer(f.hex)

        assert.throws(function() {
          ecdsa.parseSig(buffer)
        })
      })
    })
  })

  describe('serializeSigCompact', function() {
    it('encodes a compact signature', function() {
      fixtures.valid.forEach(function(f) {
        var r = new BigInteger(f.signature.r)
        var s = new BigInteger(f.signature.s)
        var i = f.signature.i
        var compressed = f.signature.compressed

        var signature = ecdsa.serializeSigCompact(r, s, i, compressed)
        assert.equal(signature.toString('hex'), f.compact)
      })
    })
  })

  describe('parseSigCompact', function() {
    it('decodes the correct signature', function() {
      fixtures.valid.forEach(function(f) {
        var buffer = new Buffer(f.compact, 'hex')
        var signature = ecdsa.parseSigCompact(buffer)

        assert.equal(signature.r.toString(), f.signature.r)
        assert.equal(signature.s.toString(), f.signature.s)
        assert.equal(signature.i, f.signature.i)
        assert.equal(signature.compressed, f.signature.compressed)
      })
    })

    fixtures.invalid.compact.forEach(function(f) {
      it('throws on ' + f.description, function() {
        var buffer = new Buffer(f.hex)

        assert.throws(function() {
          ecdsa.parseSigCompact(buffer)
        })
      })
    })
  })
})
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`var assert = require('assert')`
tests: use filepaths directly After a long IRC discussion, it was decided that the use of direct filepaths instead of the module is a more pure form of testing , although it may provide less overall coverage than the mixed integration style imports used previously. This will need to be remedied by further integration testing in /test/integration. 2014-05-13 09:55:53 +02:00			`var crypto = require('../src/crypto')`
			`var ecdsa = require('../src/ecdsa')`
message: support alternate networks 2014-05-16 07:39:17 +02:00			`var message = require('../src/message')`
			`var networks = require('../src/networks')`
tests: forces consistent import syntax 2014-05-13 08:35:07 +02:00
tests: use filepaths directly After a long IRC discussion, it was decided that the use of direct filepaths instead of the module is a more pure form of testing , although it may provide less overall coverage than the mixed integration style imports used previously. This will need to be remedied by further integration testing in /test/integration. 2014-05-13 09:55:53 +02:00			`var sec = require('../src/sec')`
Moves 'low S value' test from eckey.js to ecdsa.js 2014-04-17 06:33:35 +02:00			`var ecparams = sec("secp256k1")`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00
upgrade bigi & remove monkey patching 2014-05-03 04:04:54 +02:00			`var BigInteger = require('bigi')`
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00
tests: use JSON fixtures exclusively 2014-05-18 11:47:39 +02:00			`var fixtures = require('./fixtures/ecdsa.json')`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`describe('ecdsa', function() {`
Enforces Array input for deterministicGenerateK 2014-04-22 22:18:38 +02:00			`describe('deterministicGenerateK', function() {`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`it('matches the test vectors', function() {`
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00			`fixtures.valid.forEach(function(f) {`
ecdsa: remove ECKey dependency in tests 2014-05-17 06:39:31 +02:00			`var D = BigInteger.fromHex(f.D)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`var h1 = crypto.sha256(f.message)`

ecdsa: remove implicit ecparams 2014-05-17 07:06:52 +02:00			`var k = ecdsa.deterministicGenerateK(ecparams, h1, D)`
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00			`assert.equal(k.toHex(), f.k)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`})`
Enforces Array input for deterministicGenerateK 2014-04-22 22:18:38 +02:00			`})`
			`})`

Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`describe('recoverPubKey', function() {`
			`it('succesfully recovers a public key', function() {`
ecdsa: remove ECKey dependency in tests 2014-05-17 06:39:31 +02:00			`var D = BigInteger.ONE`
			`var signature = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64')`
message: support alternate networks 2014-05-16 07:39:17 +02:00
ecdsa: remove ECKey dependency in tests 2014-05-17 06:39:31 +02:00			`var Q = ecparams.getG().multiply(D)`
message: support alternate networks 2014-05-16 07:39:17 +02:00			`var hash = message.magicHash('1111', networks.bitcoin)`
ecdsa: consistent parameter ordering 2014-05-10 14:30:29 +02:00			`var e = BigInteger.fromBuffer(hash)`
ecdsa: remove ECKey dependency in tests 2014-05-17 06:39:31 +02:00			`var psig = ecdsa.parseSigCompact(signature)`
message: support alternate networks 2014-05-16 07:39:17 +02:00
ecdsa: remove implicit ecparams 2014-05-17 07:06:52 +02:00			`var Qprime = ecdsa.recoverPubKey(ecparams, e, psig.r, psig.s, psig.i)`
ecdsa: remove ECKey dependency in tests 2014-05-17 06:39:31 +02:00			`assert(Q.equals(Qprime))`
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`})`
			`})`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`describe('sign', function() {`
			`it('matches the test vectors', function() {`
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00			`fixtures.valid.forEach(function(f) {`
ECKey: remove Buffer/Hex functions An ECKey is a composition of a private key (D), a public key (Q) and its compression flag. These functions gave the impression of serialization of this composition, when really they only serialized `D`. They have therefore been removed in favour of always using a sane serialization format (WIF) that matches the needed behaviour. If a user needs the previous functionality, simply use `privKey.D.` instead of `privKey.`, as BigInteger supports `Buffer/Hex` functions as expected. 2014-05-16 05:46:06 +02:00			`var D = BigInteger.fromHex(f.D)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`var hash = crypto.sha256(f.message)`
ecdsa: remove implicit ecparams 2014-05-17 07:06:52 +02:00			`var sig = ecdsa.sign(ecparams, hash, D)`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00			`assert.equal(sig.r.toString(), f.signature.r)`
			`assert.equal(sig.s.toString(), f.signature.s)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`})`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00			`})`
Moves 'low S value' test from eckey.js to ecdsa.js 2014-04-17 06:33:35 +02:00
			`it('should sign with low S value', function() {`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`var hash = crypto.sha256('Vires in numeris')`
ecdsa: remove implicit ecparams 2014-05-17 07:06:52 +02:00			`var sig = ecdsa.sign(ecparams, hash, BigInteger.ONE)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
			`// See BIP62 for more information`
ecdsa: opt for shiftRight, pow and square In the given situations, these offer better readability, or in the case of shiftRight, a substantial performance increase. 2014-05-17 04:05:05 +02:00			`var N_OVER_TWO = ecparams.getN().shiftRight(1)`
ecdsa: use (r, s) values directly 2014-05-10 14:38:05 +02:00			`assert(sig.s.compareTo(N_OVER_TWO) <= 0)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`})`
			`})`

			`describe('verifyRaw', function() {`
ecdsa: add invalid tests for verifyRaw 2014-05-24 05:40:20 +02:00			`it('verifies valid signatures', function() {`
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00			`fixtures.valid.forEach(function(f) {`
ECKey: remove Buffer/Hex functions An ECKey is a composition of a private key (D), a public key (Q) and its compression flag. These functions gave the impression of serialization of this composition, when really they only serialized `D`. They have therefore been removed in favour of always using a sane serialization format (WIF) that matches the needed behaviour. If a user needs the previous functionality, simply use `privKey.D.` instead of `privKey.`, as BigInteger supports `Buffer/Hex` functions as expected. 2014-05-16 05:46:06 +02:00			`var D = BigInteger.fromHex(f.D)`
ecdsa: remove ECKey dependency in tests 2014-05-17 06:39:31 +02:00			`var Q = ecparams.getG().multiply(D)`
Moves 'low S value' test from eckey.js to ecdsa.js 2014-04-17 06:33:35 +02:00
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00			`var r = new BigInteger(f.signature.r)`
			`var s = new BigInteger(f.signature.s)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`var e = BigInteger.fromBuffer(crypto.sha256(f.message))`
Moves 'low S value' test from eckey.js to ecdsa.js 2014-04-17 06:33:35 +02:00
ecdsa: remove implicit ecparams 2014-05-17 07:06:52 +02:00			`assert(ecdsa.verifyRaw(ecparams, e, r, s, Q))`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`})`
Moves 'low S value' test from eckey.js to ecdsa.js 2014-04-17 06:33:35 +02:00			`})`
ecdsa: add invalid tests for verifyRaw 2014-05-24 05:40:20 +02:00
			`fixtures.invalid.verifyRaw.forEach(function(f) {`
			`it('fails to verify with ' + f.description, function() {`
			`var D = BigInteger.fromHex(f.D)`
			`var e = BigInteger.fromHex(f.e)`
			`var r = new BigInteger(f.signature.r)`
			`var s = new BigInteger(f.signature.s)`
			`var Q = ecparams.getG().multiply(D)`

			`assert.equal(ecdsa.verifyRaw(ecparams, e, r, s, Q), false)`
			`})`
			`})`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00			`})`
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00
			`describe('serializeSig', function() {`
			`it('encodes a DER signature', function() {`
			`fixtures.valid.forEach(function(f) {`
			`var r = new BigInteger(f.signature.r)`
			`var s = new BigInteger(f.signature.s)`

			`var signature = new Buffer(ecdsa.serializeSig(r, s))`
			`assert.equal(signature.toString('hex'), f.DER)`
			`})`
			`})`
			`})`

			`describe('parseSig', function() {`
			`it('decodes the correct signature', function() {`
			`fixtures.valid.forEach(function(f) {`
			`var buffer = new Buffer(f.DER, 'hex')`
			`var signature = ecdsa.parseSig(buffer)`

			`assert.equal(signature.r.toString(), f.signature.r)`
			`assert.equal(signature.s.toString(), f.signature.s)`
			`})`
			`})`

			`fixtures.invalid.DER.forEach(function(f) {`
			`it('throws on ' + f.description, function() {`
			`var buffer = new Buffer(f.hex)`

			`assert.throws(function() {`
			`ecdsa.parseSig(buffer)`
			`})`
			`})`
			`})`
			`})`

			`describe('serializeSigCompact', function() {`
			`it('encodes a compact signature', function() {`
			`fixtures.valid.forEach(function(f) {`
			`var r = new BigInteger(f.signature.r)`
			`var s = new BigInteger(f.signature.s)`
			`var i = f.signature.i`
			`var compressed = f.signature.compressed`

			`var signature = ecdsa.serializeSigCompact(r, s, i, compressed)`
			`assert.equal(signature.toString('hex'), f.compact)`
			`})`
			`})`
			`})`

			`describe('parseSigCompact', function() {`
			`it('decodes the correct signature', function() {`
			`fixtures.valid.forEach(function(f) {`
			`var buffer = new Buffer(f.compact, 'hex')`
			`var signature = ecdsa.parseSigCompact(buffer)`

			`assert.equal(signature.r.toString(), f.signature.r)`
			`assert.equal(signature.s.toString(), f.signature.s)`
ecdsa: parseSigCompact use Buffer API parseSigCompact also now returns the correct recovert parameter without the need to subtract the compression bit. This makes it easier to use. 2014-05-16 16:28:39 +02:00			`assert.equal(signature.i, f.signature.i)`
			`assert.equal(signature.compressed, f.signature.compressed)`
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00			`})`
			`})`

			`fixtures.invalid.compact.forEach(function(f) {`
			`it('throws on ' + f.description, function() {`
			`var buffer = new Buffer(f.hex)`

			`assert.throws(function() {`
			`ecdsa.parseSigCompact(buffer)`
			`})`
			`})`
			`})`
			`})`
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`})`