bitcoinjs-lib/test/integration/crypto.js

/* global describe, it */

const assert = require('assert')
const BN = require('bn.js')
const bitcoin = require('../../')
const bip32 = require('bip32')
const crypto = require('crypto')
const tinysecp = require('tiny-secp256k1')

describe('bitcoinjs-lib (crypto)', function () {
  it('can recover a private key from duplicate R values', function () {
    // https://blockchain.info/tx/f4c16475f2a6e9c602e4a287f9db3040e319eb9ece74761a4b84bc820fbeef50
    const tx = bitcoin.Transaction.fromHex('01000000020b668015b32a6178d8524cfef6dc6fc0a4751915c2e9b2ed2d2eab02424341c8000000006a47304402205e00298dc5265b7a914974c9d0298aa0e69a0ca932cb52a360436d6a622e5cd7022024bf5f506968f5f23f1835574d5afe0e9021b4a5b65cf9742332d5e4acb68f41012103fd089f73735129f3d798a657aaaa4aa62a00fa15c76b61fc7f1b27ed1d0f35b8ffffffffa95fa69f11dc1cbb77ef64f25a95d4b12ebda57d19d843333819d95c9172ff89000000006b48304502205e00298dc5265b7a914974c9d0298aa0e69a0ca932cb52a360436d6a622e5cd7022100832176b59e8f50c56631acbc824bcba936c9476c559c42a4468be98975d07562012103fd089f73735129f3d798a657aaaa4aa62a00fa15c76b61fc7f1b27ed1d0f35b8ffffffff02b000eb04000000001976a91472956eed9a8ecb19ae7e3ebd7b06cae4668696a788ac303db000000000001976a9146c0bd55dd2592287cd9992ce3ba3fc1208fb76da88ac00000000')

    tx.ins.forEach(function (input, vin) {
      const { output: prevOutput, pubkey, signature } = bitcoin.payments.p2pkh({ input: input.script })

      const scriptSignature = bitcoin.script.signature.decode(signature)
      const m = tx.hashForSignature(vin, prevOutput, scriptSignature.hashType)
      assert(bitcoin.ECPair.fromPublicKey(pubkey).verify(m, scriptSignature.signature), 'Invalid m')

      // store the required information
      input.signature = scriptSignature.signature
      input.z = new BN(m)
    })

    const n = new BN('fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141', 16)

    for (var i = 0; i < tx.ins.length; ++i) {
      for (var j = i + 1; j < tx.ins.length; ++j) {
        const inputA = tx.ins[i]
        const inputB = tx.ins[j]

        // enforce matching r values
        const r = inputA.signature.slice(0, 32)
        const rB = inputB.signature.slice(0, 32)
        assert.strictEqual(r.toString('hex'), rB.toString('hex'))

        const rInv = new BN(r).invm(n)

        const s1 = new BN(inputA.signature.slice(32, 64))
        const s2 = new BN(inputB.signature.slice(32, 64))
        const z1 = inputA.z
        const z2 = inputB.z

        const zz = z1.sub(z2).mod(n)
        const ss = s1.sub(s2).mod(n)

        // k = (z1 - z2) / (s1 - s2)
        // d1 = (s1 * k - z1) / r
        // d2 = (s2 * k - z2) / r
        const k = zz.mul(ss.invm(n)).mod(n)
        const d1 = ((s1.mul(k).mod(n)).sub(z1).mod(n)).mul(rInv).mod(n)
        const d2 = ((s2.mul(k).mod(n)).sub(z2).mod(n)).mul(rInv).mod(n)

        // enforce matching private keys
        assert.strictEqual(d1.toString(), d2.toString())
      }
    }
  })

  it('can recover a BIP32 parent private key from the parent public key, and a derived, non-hardened child private key', function () {
    function recoverParent (master, child) {
      assert(master.isNeutered(), 'You already have the parent private key')
      assert(!child.isNeutered(), 'Missing child private key')

      const serQP = master.publicKey
      const d1 = child.privateKey
      const data = Buffer.alloc(37)
      serQP.copy(data, 0)

      // search index space until we find it
      let d2
      for (var i = 0; i < 0x80000000; ++i) {
        data.writeUInt32BE(i, 33)

        // calculate I
        const I = crypto.createHmac('sha512', master.chainCode).update(data).digest()
        const IL = I.slice(0, 32)

        // See bip32.js:273 to understand
        d2 = tinysecp.privateSub(d1, IL)

        const Qp = bip32.fromPrivateKey(d2, Buffer.alloc(32, 0)).publicKey
        if (Qp.equals(serQP)) break
      }

      const node = bip32.fromPrivateKey(d2, master.chainCode, master.network)
      node.depth = master.depth
      node.index = master.index
      node.masterFingerprint = master.masterFingerprint
      return node
    }

    const seed = crypto.randomBytes(32)
    const master = bip32.fromSeed(seed)
    const child = master.derive(6) // m/6

    // now for the recovery
    const neuteredMaster = master.neutered()
    const recovered = recoverParent(neuteredMaster, child)
    assert.strictEqual(recovered.toBase58(), master.toBase58())
  })
})
use standardjs formatting 2015-02-23 00:36:57 +01:00			`/* global describe, it */`

sed -i 's/^var /const /' 2018-06-25 08:25:12 +02:00			`const assert = require('assert')`
fix BN require 2018-06-26 12:13:43 +02:00			`const BN = require('bn.js')`
sed -i 's/^var /const /' 2018-06-25 08:25:12 +02:00			`const bitcoin = require('../../')`
			`const bip32 = require('bip32')`
			`const crypto = require('crypto')`
			`const tinysecp = require('tiny-secp256k1')`
tests/integration: add HDNode private key recovery example 2014-12-05 05:07:30 +01:00
use standardjs formatting 2015-02-23 00:36:57 +01:00			`describe('bitcoinjs-lib (crypto)', function () {`
use https://api.dcousens.cloud reg-test server instead of testnet 2018-01-31 02:46:35 +01:00			`it('can recover a private key from duplicate R values', function () {`
			`// https://blockchain.info/tx/f4c16475f2a6e9c602e4a287f9db3040e319eb9ece74761a4b84bc820fbeef50`
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			const tx = bitcoin.Transaction.fromHex('01000000020b668015b32a6178d8524cfef6dc6fc0a4751915c2e9b2ed2d2eab02424341c8000000006a47304402205e00298dc5265b7a914974c9d0298aa0e69a0ca932cb52a360436d6a622e5cd7022024bf5f506968f5f23f1835574d5afe0e9021b4a5b65cf9742332d5e4acb68f41012103fd089f73735129f3d798a657aaaa4aa62a00fa15c76b61fc7f1b27ed1d0f35b8ffffffffa95fa69f11dc1cbb77ef64f25a95d4b12ebda57d19d843333819d95c9172ff89000000006b48304502205e00298dc5265b7a914974c9d0298aa0e69a0ca932cb52a360436d6a622e5cd7022100832176b59e8f50c56631acbc824bcba936c9476c559c42a4468be98975d07562012103fd089f73735129f3d798a657aaaa4aa62a00fa15c76b61fc7f1b27ed1d0f35b8ffffffff02b000eb04000000001976a91472956eed9a8ecb19ae7e3ebd7b06cae4668696a788ac303db000000000001976a9146c0bd55dd2592287cd9992ce3ba3fc1208fb76da88ac00000000')
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
use https://api.dcousens.cloud reg-test server instead of testnet 2018-01-31 02:46:35 +01:00			`tx.ins.forEach(function (input, vin) {`
tests/integration: change tests to not use templates 2018-07-11 08:19:32 +02:00			`const { output: prevOutput, pubkey, signature } = bitcoin.payments.p2pkh({ input: input.script })`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
tests/integration: change tests to not use templates 2018-07-11 08:19:32 +02:00			`const scriptSignature = bitcoin.script.signature.decode(signature)`
			`const m = tx.hashForSignature(vin, prevOutput, scriptSignature.hashType)`
			`assert(bitcoin.ECPair.fromPublicKey(pubkey).verify(m, scriptSignature.signature), 'Invalid m')`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
use https://api.dcousens.cloud reg-test server instead of testnet 2018-01-31 02:46:35 +01:00			`// store the required information`
			`input.signature = scriptSignature.signature`
Replace bigi with bnjs. Updated README links to tests. 2018-06-25 20:38:55 +02:00			`input.z = new BN(m)`
use https://api.dcousens.cloud reg-test server instead of testnet 2018-01-31 02:46:35 +01:00			`})`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
tests/integration: fix ecurve import, as removed 2018-07-23 08:54:10 +02:00			`const n = new BN('fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141', 16)`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
use https://api.dcousens.cloud reg-test server instead of testnet 2018-01-31 02:46:35 +01:00			`for (var i = 0; i < tx.ins.length; ++i) {`
			`for (var j = i + 1; j < tx.ins.length; ++j) {`
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const inputA = tx.ins[i]`
			`const inputB = tx.ins[j]`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
use https://api.dcousens.cloud reg-test server instead of testnet 2018-01-31 02:46:35 +01:00			`// enforce matching r values`
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const r = inputA.signature.slice(0, 32)`
			`const rB = inputB.signature.slice(0, 32)`
ECPair/script_signature: switch to 64-byte RS buffers only 2018-05-15 02:07:11 +02:00			`assert.strictEqual(r.toString('hex'), rB.toString('hex'))`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
Merge branch 'master' into bnjs 2018-06-26 05:15:07 +02:00			`const rInv = new BN(r).invm(n)`
ECPair/script_signature: switch to 64-byte RS buffers only 2018-05-15 02:07:11 +02:00
Merge branch 'master' into bnjs 2018-06-26 05:15:07 +02:00			`const s1 = new BN(inputA.signature.slice(32, 64))`
			`const s2 = new BN(inputB.signature.slice(32, 64))`
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const z1 = inputA.z`
			`const z2 = inputB.z`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
Merge branch 'master' into bnjs 2018-06-26 05:15:07 +02:00			`const zz = z1.sub(z2).mod(n)`
			`const ss = s1.sub(s2).mod(n)`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00
use https://api.dcousens.cloud reg-test server instead of testnet 2018-01-31 02:46:35 +01:00			`// k = (z1 - z2) / (s1 - s2)`
			`// d1 = (s1 * k - z1) / r`
			`// d2 = (s2 * k - z2) / r`
Merge branch 'master' into bnjs 2018-06-26 05:15:07 +02:00			`const k = zz.mul(ss.invm(n)).mod(n)`
			`const d1 = ((s1.mul(k).mod(n)).sub(z1).mod(n)).mul(rInv).mod(n)`
			`const d2 = ((s2.mul(k).mod(n)).sub(z2).mod(n)).mul(rInv).mod(n)`
integration: wait for duplicate R value recovery to finish 2015-08-07 12:52:07 +02:00
use https://api.dcousens.cloud reg-test server instead of testnet 2018-01-31 02:46:35 +01:00			`// enforce matching private keys`
			`assert.strictEqual(d1.toString(), d2.toString())`
			`}`
			`}`
tests/integration: add k-value derivation and private key recovery example 2014-12-09 01:52:01 +01:00			`})`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00
			`it('can recover a BIP32 parent private key from the parent public key, and a derived, non-hardened child private key', function () {`
			`function recoverParent (master, child) {`
rm HDNode, use bip32 module 2018-05-15 14:17:46 +02:00			`assert(master.isNeutered(), 'You already have the parent private key')`
			`assert(!child.isNeutered(), 'Missing child private key')`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const serQP = master.publicKey`
			`const d1 = child.privateKey`
			`const data = Buffer.alloc(37)`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00			`serQP.copy(data, 0)`

			`// search index space until we find it`
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`let d2`
rm HDNode, use bip32 module 2018-05-15 14:17:46 +02:00			`for (var i = 0; i < 0x80000000; ++i) {`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00			`data.writeUInt32BE(i, 33)`

			`// calculate I`
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const I = crypto.createHmac('sha512', master.chainCode).update(data).digest()`
			`const IL = I.slice(0, 32)`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00
rm HDNode, use bip32 module 2018-05-15 14:17:46 +02:00			`// See bip32.js:273 to understand`
			`d2 = tinysecp.privateSub(d1, IL)`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const Qp = bip32.fromPrivateKey(d2, Buffer.alloc(32, 0)).publicKey`
rm HDNode, use bip32 module 2018-05-15 14:17:46 +02:00			`if (Qp.equals(serQP)) break`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00			`}`

sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const node = bip32.fromPrivateKey(d2, master.chainCode, master.network)`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00			`node.depth = master.depth`
			`node.index = master.index`
			`node.masterFingerprint = master.masterFingerprint`
			`return node`
			`}`

sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const seed = crypto.randomBytes(32)`
			`const master = bip32.fromSeed(seed)`
			`const child = master.derive(6) // m/6`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00
			`// now for the recovery`
sed -i 's/ var / const /', with const->let fixes 2018-06-25 08:37:45 +02:00			`const neuteredMaster = master.neutered()`
			`const recovered = recoverParent(neuteredMaster, child)`
testing/integration/examples: isolate to addresses/transactions examples, use public broadcast endpoints 2017-08-09 08:03:12 +02:00			`assert.strictEqual(recovered.toBase58(), master.toBase58())`
			`})`
tests/integration: add HDNode private key recovery example 2014-12-05 05:07:30 +01:00			`})`