2014-04-22 22:18:38 +02:00
|
|
|
var assert = require('assert')
|
2014-05-16 04:36:09 +02:00
|
|
|
var crypto = require('./crypto')
|
2014-04-21 18:19:30 +02:00
|
|
|
|
2014-05-03 04:04:54 +02:00
|
|
|
var BigInteger = require('bigi')
|
2014-06-07 08:24:27 +02:00
|
|
|
var Point = require('ecurve').Point
|
2014-04-23 23:45:28 +02:00
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
function deterministicGenerateK(curve, hash, d) {
|
2014-05-23 09:18:32 +02:00
|
|
|
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)
|
|
|
|
assert.equal(hash.length, 32, 'Hash must be 256 bit')
|
2014-06-07 10:24:16 +02:00
|
|
|
assert(d instanceof BigInteger, 'Private key must be a BigInteger')
|
2014-05-23 09:18:32 +02:00
|
|
|
|
2014-06-07 10:24:16 +02:00
|
|
|
var x = d.toBuffer(32)
|
2014-05-23 09:18:32 +02:00
|
|
|
var k = new Buffer(32)
|
|
|
|
var v = new Buffer(32)
|
|
|
|
k.fill(0)
|
|
|
|
v.fill(1)
|
|
|
|
|
|
|
|
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
|
|
|
|
v = crypto.HmacSHA256(v, k)
|
|
|
|
|
|
|
|
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
|
|
|
|
v = crypto.HmacSHA256(v, k)
|
|
|
|
v = crypto.HmacSHA256(v, k)
|
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
var n = curve.params.n
|
2014-05-23 09:18:32 +02:00
|
|
|
var kB = BigInteger.fromBuffer(v).mod(n)
|
|
|
|
assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value')
|
2014-06-07 08:24:27 +02:00
|
|
|
assert(kB.compareTo(n) < 0, 'Invalid k value')
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
|
|
return kB
|
|
|
|
}
|
2014-04-23 23:45:28 +02:00
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
function sign(curve, hash, d) {
|
|
|
|
var k = deterministicGenerateK(curve, hash, d)
|
2014-04-23 23:45:28 +02:00
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
var n = curve.params.n
|
|
|
|
var G = curve.params.G
|
2014-05-23 09:18:32 +02:00
|
|
|
var Q = G.multiply(k)
|
|
|
|
var e = BigInteger.fromBuffer(hash)
|
2014-04-23 23:45:28 +02:00
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
var r = Q.affineX.mod(n)
|
2014-05-23 09:18:32 +02:00
|
|
|
assert.notEqual(r.signum(), 0, 'Invalid R value')
|
2014-04-23 23:45:28 +02:00
|
|
|
|
2014-06-07 10:24:16 +02:00
|
|
|
var s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n)
|
2014-05-23 09:18:32 +02:00
|
|
|
assert.notEqual(s.signum(), 0, 'Invalid S value')
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
var N_OVER_TWO = n.shiftRight(1)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
// enforce low S values, see bip62: 'low s values in signatures'
|
|
|
|
if (s.compareTo(N_OVER_TWO) > 0) {
|
|
|
|
s = n.subtract(s)
|
2014-05-17 07:11:43 +02:00
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
return {r: r, s: s}
|
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
function verify(curve, hash, signature, Q) {
|
2014-05-23 09:18:32 +02:00
|
|
|
var e = BigInteger.fromBuffer(hash)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
return verifyRaw(curve, e, signature, Q)
|
2014-05-23 09:18:32 +02:00
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
function verifyRaw(curve, e, signature, Q) {
|
|
|
|
var n = curve.params.n
|
|
|
|
var G = curve.params.G
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-24 08:25:38 +02:00
|
|
|
var r = signature.r
|
|
|
|
var s = signature.s
|
2014-05-23 09:18:32 +02:00
|
|
|
|
2014-05-24 08:25:38 +02:00
|
|
|
if (r.signum() === 0 || r.compareTo(n) >= 0) return false
|
|
|
|
if (s.signum() === 0 || s.compareTo(n) >= 0) return false
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
var c = s.modInverse(n)
|
2014-05-24 06:33:02 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
var u1 = e.multiply(c).mod(n)
|
|
|
|
var u2 = r.multiply(c).mod(n)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
var point = G.multiplyTwo(u1, Q, u2)
|
2014-06-07 08:24:27 +02:00
|
|
|
var v = point.affineX.mod(n)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
return v.equals(r)
|
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
/**
|
|
|
|
* Serialize a signature into DER format.
|
|
|
|
*
|
|
|
|
* Takes two BigIntegers representing r and s and returns a byte array.
|
|
|
|
*/
|
2014-05-24 08:25:38 +02:00
|
|
|
function serializeSig(signature) {
|
|
|
|
var rBa = signature.r.toDERInteger()
|
|
|
|
var sBa = signature.s.toDERInteger()
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
var sequence = []
|
2014-05-30 09:49:12 +02:00
|
|
|
sequence.push(0x02) // INTEGER
|
2014-05-23 09:18:32 +02:00
|
|
|
sequence.push(rBa.length)
|
|
|
|
sequence = sequence.concat(rBa)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-30 09:49:12 +02:00
|
|
|
sequence.push(0x02) // INTEGER
|
2014-05-23 09:18:32 +02:00
|
|
|
sequence.push(sBa.length)
|
|
|
|
sequence = sequence.concat(sBa)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
sequence.unshift(sequence.length)
|
2014-05-30 09:49:12 +02:00
|
|
|
sequence.unshift(0x30) // SEQUENCE
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-30 09:49:12 +02:00
|
|
|
return new Buffer(sequence)
|
2014-05-23 09:18:32 +02:00
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
/**
|
|
|
|
* Parses a buffer containing a DER-encoded signature.
|
|
|
|
*
|
|
|
|
* This function will return an object of the form:
|
|
|
|
*
|
|
|
|
* {
|
|
|
|
* r: BigInteger,
|
|
|
|
* s: BigInteger
|
|
|
|
* }
|
|
|
|
*/
|
|
|
|
function parseSig(buffer) {
|
|
|
|
assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
|
|
|
|
assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
|
|
|
|
|
2014-05-29 07:42:12 +02:00
|
|
|
assert.equal(buffer.readUInt8(2), 0x02, 'Expected a DER integer')
|
2014-05-23 09:18:32 +02:00
|
|
|
var rLen = buffer.readUInt8(3)
|
|
|
|
var rB = buffer.slice(4, 4 + rLen)
|
|
|
|
|
|
|
|
var offset = 4 + rLen
|
2014-05-29 07:42:12 +02:00
|
|
|
assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a DER integer (2)')
|
2014-05-23 09:18:32 +02:00
|
|
|
var sLen = buffer.readUInt8(1 + offset)
|
|
|
|
var sB = buffer.slice(2 + offset)
|
2014-05-29 07:42:12 +02:00
|
|
|
offset += 2 + sLen
|
|
|
|
|
|
|
|
assert.equal(offset, buffer.length, 'Invalid DER encoding')
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
|
|
return {
|
2014-05-13 11:10:20 +02:00
|
|
|
r: BigInteger.fromDERInteger(rB),
|
|
|
|
s: BigInteger.fromDERInteger(sB)
|
2014-05-17 07:11:43 +02:00
|
|
|
}
|
2014-05-23 09:18:32 +02:00
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-24 08:25:38 +02:00
|
|
|
function serializeSigCompact(signature, i, compressed) {
|
2014-05-23 09:18:32 +02:00
|
|
|
if (compressed) {
|
|
|
|
i += 4
|
|
|
|
}
|
2014-05-16 15:11:04 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
i += 27
|
2014-05-16 15:11:04 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
var buffer = new Buffer(65)
|
|
|
|
buffer.writeUInt8(i, 0)
|
2014-05-24 08:25:38 +02:00
|
|
|
|
|
|
|
signature.r.toBuffer(32).copy(buffer, 1)
|
|
|
|
signature.s.toBuffer(32).copy(buffer, 33)
|
2014-05-16 15:11:04 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
return buffer
|
|
|
|
}
|
2014-05-16 15:11:04 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
function parseSigCompact(buffer) {
|
|
|
|
assert.equal(buffer.length, 65, 'Invalid signature length')
|
|
|
|
var i = buffer.readUInt8(0) - 27
|
2011-08-26 21:43:08 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
// At most 3 bits
|
2014-05-29 07:42:12 +02:00
|
|
|
assert.equal(i, i & 7, 'Invalid signature parameter')
|
2014-05-23 09:18:32 +02:00
|
|
|
var compressed = !!(i & 4)
|
2012-08-16 00:25:06 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
// Recovery param only
|
|
|
|
i = i & 3
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
var r = BigInteger.fromBuffer(buffer.slice(1, 33))
|
|
|
|
var s = BigInteger.fromBuffer(buffer.slice(33))
|
2014-05-16 16:28:39 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
return {
|
2014-05-24 08:25:38 +02:00
|
|
|
signature: {
|
|
|
|
r: r,
|
|
|
|
s: s
|
|
|
|
},
|
2014-05-23 09:18:32 +02:00
|
|
|
i: i,
|
|
|
|
compressed: compressed
|
2014-05-17 07:11:43 +02:00
|
|
|
}
|
2014-05-23 09:18:32 +02:00
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
/**
|
|
|
|
* Recover a public key from a signature.
|
|
|
|
*
|
|
|
|
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
|
|
|
|
* Key Recovery Operation".
|
|
|
|
*
|
|
|
|
* http://www.secg.org/download/aid-780/sec1-v2.pdf
|
|
|
|
*/
|
2014-06-07 08:24:27 +02:00
|
|
|
function recoverPubKey(curve, e, signature, i) {
|
2014-06-14 03:45:01 +02:00
|
|
|
assert.strictEqual(i & 3, i, 'Recovery param is more than two bits')
|
2014-05-23 09:18:32 +02:00
|
|
|
|
2014-05-24 08:25:38 +02:00
|
|
|
var r = signature.r
|
|
|
|
var s = signature.s
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
// A set LSB signifies that the y-coordinate is odd
|
|
|
|
// By reduction, the y-coordinate is even if it is clear
|
|
|
|
var isYEven = !(i & 1)
|
|
|
|
|
|
|
|
// The more significant bit specifies whether we should use the
|
|
|
|
// first or second candidate key.
|
|
|
|
var isSecondKey = i >> 1
|
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
var n = curve.params.n
|
|
|
|
var G = curve.params.G
|
|
|
|
var p = curve.p
|
|
|
|
var a = curve.a
|
|
|
|
var b = curve.b
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
|
|
// We precalculate (p + 1) / 4 where p is the field order
|
|
|
|
if (!curve.P_OVER_FOUR) {
|
|
|
|
curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
|
|
|
|
}
|
2011-08-26 21:43:08 +02:00
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
// 1.1 Let x = r + jn
|
2014-05-23 09:18:32 +02:00
|
|
|
var x = isSecondKey ? r.add(n) : r
|
2011-08-26 21:43:08 +02:00
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
// 1.2, 1.3 Convert x to a point R using routine specified in Section 2.3.4
|
2014-05-23 09:18:32 +02:00
|
|
|
var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
|
|
|
|
var beta = alpha.modPow(curve.P_OVER_FOUR, p)
|
2011-08-26 21:43:08 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
// If beta is even, but y isn't, or vice versa, then convert it,
|
|
|
|
// otherwise we're done and y == beta.
|
|
|
|
var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
|
2011-05-04 18:02:56 +02:00
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
// 1.4 Check that nR is at infinity
|
2014-06-07 08:24:27 +02:00
|
|
|
var R = Point.fromAffine(curve, x, y)
|
2014-06-14 03:45:01 +02:00
|
|
|
var nR = R.multiply(n)
|
|
|
|
assert(curve.isInfinity(nR), 'nR is not a valid curve point')
|
2011-05-04 18:02:56 +02:00
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
// Compute -e from e
|
2014-05-23 09:18:32 +02:00
|
|
|
var eNeg = e.negate().mod(n)
|
2012-01-11 02:40:45 +01:00
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
// 1.6.1 Compute Q = r^-1 (sR - eG)
|
|
|
|
// Q = r^-1 (sR + -eG)
|
2014-05-23 09:18:32 +02:00
|
|
|
var rInv = r.modInverse(n)
|
2014-05-10 14:30:29 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
|
2014-06-07 08:24:27 +02:00
|
|
|
curve.validate(Q)
|
2012-08-17 01:38:29 +02:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
return Q
|
|
|
|
}
|
2013-03-02 18:28:13 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
/**
|
|
|
|
* Calculate pubkey extraction parameter.
|
|
|
|
*
|
|
|
|
* When extracting a pubkey from a signature, we have to
|
|
|
|
* distinguish four different cases. Rather than putting this
|
|
|
|
* burden on the verifier, Bitcoin includes a 2-bit value with the
|
|
|
|
* signature.
|
|
|
|
*
|
|
|
|
* This function simply tries all four cases and returns the value
|
|
|
|
* that resulted in a successful pubkey recovery.
|
|
|
|
*/
|
2014-06-07 08:24:27 +02:00
|
|
|
function calcPubKeyRecoveryParam(curve, e, signature, Q) {
|
2014-05-23 09:18:32 +02:00
|
|
|
for (var i = 0; i < 4; i++) {
|
2014-06-07 08:24:27 +02:00
|
|
|
var Qprime = recoverPubKey(curve, e, signature, i)
|
2014-05-23 09:18:32 +02:00
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
// 1.6.2 Verify Q
|
2014-05-23 09:18:32 +02:00
|
|
|
if (Qprime.equals(Q)) {
|
|
|
|
return i
|
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
}
|
2012-01-11 02:40:45 +01:00
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
throw new Error('Unable to find valid recovery factor')
|
|
|
|
}
|
|
|
|
|
2014-05-17 07:11:43 +02:00
|
|
|
module.exports = {
|
2014-05-24 08:25:38 +02:00
|
|
|
calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
|
|
|
|
deterministicGenerateK: deterministicGenerateK,
|
|
|
|
recoverPubKey: recoverPubKey,
|
|
|
|
sign: sign,
|
|
|
|
verify: verify,
|
|
|
|
verifyRaw: verifyRaw,
|
|
|
|
serializeSig: serializeSig,
|
|
|
|
parseSig: parseSig,
|
|
|
|
serializeSigCompact: serializeSigCompact,
|
|
|
|
parseSigCompact: parseSigCompact
|
2014-05-17 07:11:43 +02:00
|
|
|
}
|