bitcoinjs-lib/test/ecdsa.js

/* global describe, it */

var assert = require('assert')
var crypto = require('../src/crypto')
var ecdsa = require('../src/ecdsa')
var message = require('../src/message')
var networks = require('../src/networks')
var sinon = require('sinon')

var BigInteger = require('bigi')
var ECSignature = require('../src/ecsignature')

var ecurve = require('ecurve')
var curve = ecurve.getCurveByName('secp256k1')

var fixtures = require('./fixtures/ecdsa.json')

describe('ecdsa', function () {
  describe('deterministicGenerateK', function () {
    function checkSig () {
      return true
    }

    fixtures.valid.ecdsa.forEach(function (f) {
      it('for "' + f.message + '"', function () {
        var d = BigInteger.fromHex(f.d)
        var h1 = crypto.sha256(f.message)

        var k = ecdsa.deterministicGenerateK(curve, h1, d, checkSig)
        assert.equal(k.toHex(), f.k)
      })
    })

    it('loops until an appropriate k value is found', sinon.test(function () {
      this.mock(BigInteger).expects('fromBuffer')
        .exactly(3)
        .onCall(0).returns(new BigInteger('0')) // < 1
        .onCall(1).returns(curve.n) // > n-1
        .onCall(2).returns(new BigInteger('42')) // valid

      var d = new BigInteger('1')
      var h1 = new Buffer(32)
      var k = ecdsa.deterministicGenerateK(curve, h1, d, checkSig)

      assert.equal(k.toString(), '42')
    }))

    it('loops until a suitable signature is found', sinon.test(function () {
      this.mock(BigInteger).expects('fromBuffer')
        .exactly(4)
        .onCall(0).returns(new BigInteger('0')) // < 1
        .onCall(1).returns(curve.n) // > n-1
        .onCall(2).returns(new BigInteger('42')) // valid, but 'bad' signature
        .onCall(3).returns(new BigInteger('53')) // valid, good signature

      var checkSig = this.mock()
      checkSig.exactly(2)
      checkSig.onCall(0).returns(false) // bad signature
      checkSig.onCall(1).returns(true) // good signature

      var d = new BigInteger('1')
      var h1 = new Buffer(32)
      var k = ecdsa.deterministicGenerateK(curve, h1, d, checkSig)

      assert.equal(k.toString(), '53')
    }))

    fixtures.valid.rfc6979.forEach(function (f) {
      it('produces the expected k values for ' + f.message + " if k wasn't suitable", function () {
        var d = BigInteger.fromHex(f.d)
        var h1 = crypto.sha256(f.message)

        var results = []
        ecdsa.deterministicGenerateK(curve, h1, d, function (k) {
          results.push(k)

          return results.length === 16
        })

        assert.equal(results[0].toHex(), f.k0)
        assert.equal(results[1].toHex(), f.k1)
        assert.equal(results[15].toHex(), f.k15)
      })
    })
  })

  describe('recoverPubKey', function () {
    fixtures.valid.ecdsa.forEach(function (f) {
      it('recovers the pubKey for ' + f.d, function () {
        var d = BigInteger.fromHex(f.d)
        var Q = curve.G.multiply(d)
        var signature = {
          r: new BigInteger(f.signature.r),
          s: new BigInteger(f.signature.s)
        }
        var h1 = crypto.sha256(f.message)
        var e = BigInteger.fromBuffer(h1)
        var Qprime = ecdsa.recoverPubKey(curve, e, signature, f.i)

        assert(Qprime.equals(Q))
      })
    })

    describe('with i ∈ {0,1,2,3}', function () {
      var hash = message.magicHash('1111', networks.bitcoin)
      var e = BigInteger.fromBuffer(hash)

      var signatureBuffer = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64')
      var signature = ECSignature.parseCompact(signatureBuffer).signature
      var points = [
        '03e3a8c44a8bf712f1fbacee274fb19c0239b1a9e877eff0075ea335f2be8ff380',
        '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798',
        '03d49e765f0bc27525c51a1b98fb1c99dacd59abe85a203af90f758260550b56c5',
        '027eea09d46ac7fb6aa2e96f9c576677214ffdc238eb167734a9b39d1eb4c3d30d'
      ]

      points.forEach(function (expectedHex, i) {
        it('recovers an expected point for i of ' + i, function () {
          var Qprime = ecdsa.recoverPubKey(curve, e, signature, i)
          var QprimeHex = Qprime.getEncoded().toString('hex')

          assert.equal(QprimeHex, expectedHex)
        })
      })
    })

    fixtures.invalid.recoverPubKey.forEach(function (f) {
      it('throws on ' + f.description, function () {
        var e = BigInteger.fromHex(f.e)
        var signature = new ECSignature(new BigInteger(f.signature.r), new BigInteger(f.signature.s))

        assert.throws(function () {
          ecdsa.recoverPubKey(curve, e, signature, f.i)
        }, new RegExp(f.exception))
      })
    })
  })

  describe('sign', function () {
    fixtures.valid.ecdsa.forEach(function (f) {
      it('produces a deterministic signature for "' + f.message + '"', function () {
        var d = BigInteger.fromHex(f.d)
        var hash = crypto.sha256(f.message)
        var signature = ecdsa.sign(curve, hash, d)

        assert.equal(signature.r.toString(), f.signature.r)
        assert.equal(signature.s.toString(), f.signature.s)
      })
    })

    it('should sign with low S value', function () {
      var hash = crypto.sha256('Vires in numeris')
      var sig = ecdsa.sign(curve, hash, BigInteger.ONE)

      // See BIP62 for more information
      var N_OVER_TWO = curve.n.shiftRight(1)
      assert(sig.s.compareTo(N_OVER_TWO) <= 0)
    })
  })

  describe('verify', function () {
    fixtures.valid.ecdsa.forEach(function (f) {
      it('verifies a valid signature for "' + f.message + '"', function () {
        var d = BigInteger.fromHex(f.d)
        var H = crypto.sha256(f.message)
        var signature = new ECSignature(new BigInteger(f.signature.r), new BigInteger(f.signature.s))
        var Q = curve.G.multiply(d)

        assert(ecdsa.verify(curve, H, signature, Q))
      })
    })

    fixtures.invalid.verify.forEach(function (f) {
      it('fails to verify with ' + f.description, function () {
        var H = crypto.sha256(f.message)
        var d = BigInteger.fromHex(f.d)
        var signature = new ECSignature(new BigInteger(f.signature.r), new BigInteger(f.signature.s))
        var Q = curve.G.multiply(d)

        assert.equal(ecdsa.verify(curve, H, signature, Q), false)
      })
    })
  })
})
use standardjs formatting 2015-02-23 00:36:57 +01:00			`/* global describe, it */`

Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`var assert = require('assert')`
tests: use filepaths directly After a long IRC discussion, it was decided that the use of direct filepaths instead of the module is a more pure form of testing , although it may provide less overall coverage than the mixed integration style imports used previously. This will need to be remedied by further integration testing in /test/integration. 2014-05-13 09:55:53 +02:00			`var crypto = require('../src/crypto')`
			`var ecdsa = require('../src/ecdsa')`
message: support alternate networks 2014-05-16 07:39:17 +02:00			`var message = require('../src/message')`
			`var networks = require('../src/networks')`
ecdsa: adds test for detGenK loop 2014-06-25 18:42:51 +02:00			`var sinon = require('sinon')`
tests: forces consistent import syntax 2014-05-13 08:35:07 +02:00
upgrade bigi & remove monkey patching 2014-05-03 04:04:54 +02:00			`var BigInteger = require('bigi')`
ecdsa: moved all signature encoding to ECSignature 2014-06-15 08:44:52 +02:00			`var ECSignature = require('../src/ecsignature')`
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`var ecurve = require('ecurve')`
			`var curve = ecurve.getCurveByName('secp256k1')`

tests: use JSON fixtures exclusively 2014-05-18 11:47:39 +02:00			`var fixtures = require('./fixtures/ecdsa.json')`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`describe('ecdsa', function () {`
			`describe('deterministicGenerateK', function () {`
			`function checkSig () {`
			`return true`
			`}`
ecdsa: fixes edge case presented in #336 2015-01-04 02:46:37 +01:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`fixtures.valid.ecdsa.forEach(function (f) {`
			`it('for "' + f.message + '"', function () {`
all: rename D to d as per SEC convention 2014-06-07 10:24:16 +02:00			`var d = BigInteger.fromHex(f.d)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`var h1 = crypto.sha256(f.message)`

ecdsa: fixes edge case presented in #336 2015-01-04 02:46:37 +01:00			`var k = ecdsa.deterministicGenerateK(curve, h1, d, checkSig)`
ecdsa: add serializeSigCompact and tests This also adds tests for all other ECDSA serialize/parsing functions. The k, r, s and D values were sourced from test vectors on https://bitcointalk.org/index.php?topic=285142.40 . The compact signatures (aka, i values) were generated from bitcoinjslib, but they are straight forward anyway. 2014-05-16 15:11:04 +02:00			`assert.equal(k.toHex(), f.k)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`})`
Enforces Array input for deterministicGenerateK 2014-04-22 22:18:38 +02:00			`})`
ecdsa: adds test for detGenK loop 2014-06-25 18:42:51 +02:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`it('loops until an appropriate k value is found', sinon.test(function () {`
ecdsa: adds test for detGenK loop 2014-06-25 18:42:51 +02:00			`this.mock(BigInteger).expects('fromBuffer')`
			`.exactly(3)`
tests: adds ecdsa test enforcing valid signature callback 2015-01-05 01:15:07 +01:00			`.onCall(0).returns(new BigInteger('0')) // < 1`
			`.onCall(1).returns(curve.n) // > n-1`
			`.onCall(2).returns(new BigInteger('42')) // valid`
ecdsa: adds test for detGenK loop 2014-06-25 18:42:51 +02:00
			`var d = new BigInteger('1')`
			`var h1 = new Buffer(32)`
ecdsa: fixes edge case presented in #336 2015-01-04 02:46:37 +01:00			`var k = ecdsa.deterministicGenerateK(curve, h1, d, checkSig)`
ecdsa: adds test for detGenK loop 2014-06-25 18:42:51 +02:00
			`assert.equal(k.toString(), '42')`
			`}))`
tests: adds ecdsa test enforcing valid signature callback 2015-01-05 01:15:07 +01:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`it('loops until a suitable signature is found', sinon.test(function () {`
tests: adds ecdsa test enforcing valid signature callback 2015-01-05 01:15:07 +01:00			`this.mock(BigInteger).expects('fromBuffer')`
			`.exactly(4)`
			`.onCall(0).returns(new BigInteger('0')) // < 1`
			`.onCall(1).returns(curve.n) // > n-1`
			`.onCall(2).returns(new BigInteger('42')) // valid, but 'bad' signature`
			`.onCall(3).returns(new BigInteger('53')) // valid, good signature`

			`var checkSig = this.mock()`
			`checkSig.exactly(2)`
			`checkSig.onCall(0).returns(false) // bad signature`
			`checkSig.onCall(1).returns(true) // good signature`

			`var d = new BigInteger('1')`
			`var h1 = new Buffer(32)`
			`var k = ecdsa.deterministicGenerateK(curve, h1, d, checkSig)`

			`assert.equal(k.toString(), '53')`
			`}))`
tests: add bip32JPs RFC6979 test vectors and tests 2015-01-05 02:31:28 +01:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`fixtures.valid.rfc6979.forEach(function (f) {`
			`it('produces the expected k values for ' + f.message + " if k wasn't suitable", function () {`
tests: add bip32JPs RFC6979 test vectors and tests 2015-01-05 02:31:28 +01:00			`var d = BigInteger.fromHex(f.d)`
			`var h1 = crypto.sha256(f.message)`

tests: ecdsa test cleanup 2015-01-05 02:42:09 +01:00			`var results = []`
use standardjs formatting 2015-02-23 00:36:57 +01:00			`ecdsa.deterministicGenerateK(curve, h1, d, function (k) {`
tests: ecdsa test cleanup 2015-01-05 02:42:09 +01:00			`results.push(k)`
tests: add bip32JPs RFC6979 test vectors and tests 2015-01-05 02:31:28 +01:00
tests: ecdsa test cleanup 2015-01-05 02:42:09 +01:00			`return results.length === 16`
tests: add bip32JPs RFC6979 test vectors and tests 2015-01-05 02:31:28 +01:00			`})`
tests: ecdsa test cleanup 2015-01-05 02:42:09 +01:00
			`assert.equal(results[0].toHex(), f.k0)`
			`assert.equal(results[1].toHex(), f.k1)`
			`assert.equal(results[15].toHex(), f.k15)`
			`})`
tests: add bip32JPs RFC6979 test vectors and tests 2015-01-05 02:31:28 +01:00			`})`
Enforces Array input for deterministicGenerateK 2014-04-22 22:18:38 +02:00			`})`

use standardjs formatting 2015-02-23 00:36:57 +01:00			`describe('recoverPubKey', function () {`
			`fixtures.valid.ecdsa.forEach(function (f) {`
			`it('recovers the pubKey for ' + f.d, function () {`
ecdsa: add more extensive tests for recoverPubKey 2014-06-14 13:06:30 +02:00			`var d = BigInteger.fromHex(f.d)`
ecurve: upgrade to 0.9.0 2014-06-15 17:36:05 +02:00			`var Q = curve.G.multiply(d)`
ecdsa: add more extensive tests for recoverPubKey 2014-06-14 13:06:30 +02:00			`var signature = {`
			`r: new BigInteger(f.signature.r),`
			`s: new BigInteger(f.signature.s)`
			`}`
			`var h1 = crypto.sha256(f.message)`
			`var e = BigInteger.fromBuffer(h1)`
ecdsa: moved all signature encoding to ECSignature 2014-06-15 08:44:52 +02:00			`var Qprime = ecdsa.recoverPubKey(curve, e, signature, f.i)`
message: support alternate networks 2014-05-16 07:39:17 +02:00
ecdsa: add more extensive tests for recoverPubKey 2014-06-14 13:06:30 +02:00			`assert(Qprime.equals(Q))`
			`})`
			`})`

use standardjs formatting 2015-02-23 00:36:57 +01:00			`describe('with i ∈ {0,1,2,3}', function () {`
message: support alternate networks 2014-05-16 07:39:17 +02:00			`var hash = message.magicHash('1111', networks.bitcoin)`
ecdsa: consistent parameter ordering 2014-05-10 14:30:29 +02:00			`var e = BigInteger.fromBuffer(hash)`
ecdsa: add more extensive tests for recoverPubKey 2014-06-14 13:06:30 +02:00
ecdsa: moved all signature encoding to ECSignature 2014-06-15 08:44:52 +02:00			`var signatureBuffer = new Buffer('INcvXVVEFyIfHLbDX+xoxlKFn3Wzj9g0UbhObXdMq+YMKC252o5RHFr0/cKdQe1WsBLUBi4morhgZ77obDJVuV0=', 'base64')`
ECSignature: rename parsing functions to parse* 2014-06-16 16:26:16 +02:00			`var signature = ECSignature.parseCompact(signatureBuffer).signature`
ecdsa: add more extensive tests for recoverPubKey 2014-06-14 13:06:30 +02:00			`var points = [`
			`'03e3a8c44a8bf712f1fbacee274fb19c0239b1a9e877eff0075ea335f2be8ff380',`
			`'0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798',`
			`'03d49e765f0bc27525c51a1b98fb1c99dacd59abe85a203af90f758260550b56c5',`
			`'027eea09d46ac7fb6aa2e96f9c576677214ffdc238eb167734a9b39d1eb4c3d30d'`
			`]`

use standardjs formatting 2015-02-23 00:36:57 +01:00			`points.forEach(function (expectedHex, i) {`
			`it('recovers an expected point for i of ' + i, function () {`
ecdsa: moved all signature encoding to ECSignature 2014-06-15 08:44:52 +02:00			`var Qprime = ecdsa.recoverPubKey(curve, e, signature, i)`
ecdsa: add more extensive tests for recoverPubKey 2014-06-14 13:06:30 +02:00			`var QprimeHex = Qprime.getEncoded().toString('hex')`
message: support alternate networks 2014-05-16 07:39:17 +02:00
ecdsa: add more extensive tests for recoverPubKey 2014-06-14 13:06:30 +02:00			`assert.equal(QprimeHex, expectedHex)`
			`})`
			`})`
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`})`
ecdsa: add invalid test fixtures for recoverPubKey 2014-06-14 03:45:01 +02:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`fixtures.invalid.recoverPubKey.forEach(function (f) {`
			`it('throws on ' + f.description, function () {`
ecdsa: add invalid test fixtures for recoverPubKey 2014-06-14 03:45:01 +02:00			`var e = BigInteger.fromHex(f.e)`
ecdsa: moved all signature encoding to ECSignature 2014-06-15 08:44:52 +02:00			`var signature = new ECSignature(new BigInteger(f.signature.r), new BigInteger(f.signature.s))`
ecdsa: add invalid test fixtures for recoverPubKey 2014-06-14 03:45:01 +02:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`assert.throws(function () {`
ecdsa: add invalid test fixtures for recoverPubKey 2014-06-14 03:45:01 +02:00			`ecdsa.recoverPubKey(curve, e, signature, f.i)`
			`}, new RegExp(f.exception))`
			`})`
			`})`
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`})`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`describe('sign', function () {`
			`fixtures.valid.ecdsa.forEach(function (f) {`
			`it('produces a deterministic signature for "' + f.message + '"', function () {`
all: rename D to d as per SEC convention 2014-06-07 10:24:16 +02:00			`var d = BigInteger.fromHex(f.d)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`var hash = crypto.sha256(f.message)`
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`var signature = ecdsa.sign(curve, hash, d)`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00
ecdsa: always use signature object 2014-05-24 08:25:38 +02:00			`assert.equal(signature.r.toString(), f.signature.r)`
			`assert.equal(signature.s.toString(), f.signature.s)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`})`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00			`})`
Moves 'low S value' test from eckey.js to ecdsa.js 2014-04-17 06:33:35 +02:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`it('should sign with low S value', function () {`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`var hash = crypto.sha256('Vires in numeris')`
use ecurve instead of custom ec 2014-06-07 08:24:27 +02:00			`var sig = ecdsa.sign(curve, hash, BigInteger.ONE)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00
			`// See BIP62 for more information`
ecurve: upgrade to 0.9.0 2014-06-15 17:36:05 +02:00			`var N_OVER_TWO = curve.n.shiftRight(1)`
ecdsa: use (r, s) values directly 2014-05-10 14:38:05 +02:00			`assert(sig.s.compareTo(N_OVER_TWO) <= 0)`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`})`
			`})`

ecdsa: remove unused verifyRaw 2015-04-10 09:22:00 +02:00			`describe('verify', function () {`
use standardjs formatting 2015-02-23 00:36:57 +01:00			`fixtures.valid.ecdsa.forEach(function (f) {`
			`it('verifies a valid signature for "' + f.message + '"', function () {`
all: rename D to d as per SEC convention 2014-06-07 10:24:16 +02:00			`var d = BigInteger.fromHex(f.d)`
tests: add tests for ecdsa.verify 2014-10-11 04:47:32 +02:00			`var H = crypto.sha256(f.message)`
various: more standard-format artifact fixes 2015-03-02 03:31:03 +01:00			`var signature = new ECSignature(new BigInteger(f.signature.r), new BigInteger(f.signature.s))`
ecurve: upgrade to 0.9.0 2014-06-15 17:36:05 +02:00			`var Q = curve.G.multiply(d)`
Moves 'low S value' test from eckey.js to ecdsa.js 2014-04-17 06:33:35 +02:00
tests: add tests for ecdsa.verify 2014-10-11 04:47:32 +02:00			`assert(ecdsa.verify(curve, H, signature, Q))`
Adds RFC6979 test vectors and fixes ecdsa.sign/detGenK 2014-04-23 23:45:28 +02:00			`})`
Moves 'low S value' test from eckey.js to ecdsa.js 2014-04-17 06:33:35 +02:00			`})`
ecdsa: add invalid tests for verifyRaw 2014-05-24 05:40:20 +02:00
ecdsa: remove unused verifyRaw 2015-04-10 09:22:00 +02:00			`fixtures.invalid.verify.forEach(function (f) {`
use standardjs formatting 2015-02-23 00:36:57 +01:00			`it('fails to verify with ' + f.description, function () {`
tests: add tests for ecdsa.verify 2014-10-11 04:47:32 +02:00			`var H = crypto.sha256(f.message)`
all: rename D to d as per SEC convention 2014-06-07 10:24:16 +02:00			`var d = BigInteger.fromHex(f.d)`
various: more standard-format artifact fixes 2015-03-02 03:31:03 +01:00			`var signature = new ECSignature(new BigInteger(f.signature.r), new BigInteger(f.signature.s))`
ecurve: upgrade to 0.9.0 2014-06-15 17:36:05 +02:00			`var Q = curve.G.multiply(d)`
ecdsa: add invalid tests for verifyRaw 2014-05-24 05:40:20 +02:00
tests: add tests for ecdsa.verify 2014-10-11 04:47:32 +02:00			`assert.equal(ecdsa.verify(curve, H, signature, Q), false)`
ecdsa: add invalid tests for verifyRaw 2014-05-24 05:40:20 +02:00			`})`
			`})`
Moves test/misc.js tests to appropriate location 2014-04-16 20:10:05 +02:00			`})`
Adds recoverPubKey simple test 2014-03-28 18:24:23 +01:00			`})`