2014-04-22 22:18:38 +02:00
|
|
|
|
var assert = require('assert')
|
2015-03-17 02:31:53 +01:00
|
|
|
|
var createHmac = require('create-hmac')
|
2014-12-23 05:08:20 +01:00
|
|
|
|
var typeForce = require('typeforce')
|
2014-04-21 18:19:30 +02:00
|
|
|
|
|
2014-05-03 04:04:54 +02:00
|
|
|
|
var BigInteger = require('bigi')
|
2014-06-15 08:44:52 +02:00
|
|
|
|
var ECSignature = require('./ecsignature')
|
2014-04-23 23:45:28 +02:00
|
|
|
|
|
2014-12-08 01:24:16 +01:00
|
|
|
|
var ZERO = new Buffer([0])
|
|
|
|
|
|
var ONE = new Buffer([1])
|
|
|
|
|
|
|
2014-06-21 14:25:09 +02:00
|
|
|
|
// https://tools.ietf.org/html/rfc6979#section-3.2
|
2015-02-23 00:36:57 +01:00
|
|
|
|
function deterministicGenerateK (curve, hash, d, checkSig) {
|
2014-12-23 05:08:20 +01:00
|
|
|
|
typeForce('Buffer', hash)
|
|
|
|
|
|
typeForce('BigInteger', d)
|
2014-09-15 07:00:13 +02:00
|
|
|
|
typeForce('Function', checkSig)
|
2014-09-15 06:21:01 +02:00
|
|
|
|
|
|
|
|
|
|
// sanity check
|
2014-05-23 09:18:32 +02:00
|
|
|
|
assert.equal(hash.length, 32, 'Hash must be 256 bit')
|
|
|
|
|
|
|
2014-06-07 10:24:16 +02:00
|
|
|
|
var x = d.toBuffer(32)
|
2014-05-23 09:18:32 +02:00
|
|
|
|
var k = new Buffer(32)
|
|
|
|
|
|
var v = new Buffer(32)
|
2014-06-21 14:25:09 +02:00
|
|
|
|
|
2015-01-04 02:29:01 +01:00
|
|
|
|
// Step A, ignored as hash already provided
|
2014-06-21 14:25:09 +02:00
|
|
|
|
// Step B
|
2014-05-23 09:18:32 +02:00
|
|
|
|
v.fill(1)
|
|
|
|
|
|
|
2014-06-21 14:25:09 +02:00
|
|
|
|
// Step C
|
|
|
|
|
|
k.fill(0)
|
|
|
|
|
|
|
|
|
|
|
|
// Step D
|
2015-03-17 02:31:53 +01:00
|
|
|
|
k = createHmac('sha256', k)
|
2014-12-08 01:24:16 +01:00
|
|
|
|
.update(v)
|
|
|
|
|
|
.update(ZERO)
|
|
|
|
|
|
.update(x)
|
|
|
|
|
|
.update(hash)
|
|
|
|
|
|
.digest()
|
2014-06-21 14:25:09 +02:00
|
|
|
|
|
|
|
|
|
|
// Step E
|
2015-03-17 02:31:53 +01:00
|
|
|
|
v = createHmac('sha256', k).update(v).digest()
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
2014-06-21 14:25:09 +02:00
|
|
|
|
// Step F
|
2015-03-17 02:31:53 +01:00
|
|
|
|
k = createHmac('sha256', k)
|
2014-12-08 01:24:16 +01:00
|
|
|
|
.update(v)
|
|
|
|
|
|
.update(ONE)
|
|
|
|
|
|
.update(x)
|
|
|
|
|
|
.update(hash)
|
|
|
|
|
|
.digest()
|
2014-06-21 14:25:09 +02:00
|
|
|
|
|
|
|
|
|
|
// Step G
|
2015-03-17 02:31:53 +01:00
|
|
|
|
v = createHmac('sha256', k).update(v).digest()
|
2014-06-21 14:25:09 +02:00
|
|
|
|
|
|
|
|
|
|
// Step H1/H2a, ignored as tlen === qlen (256 bit)
|
|
|
|
|
|
// Step H2b
|
2015-03-17 02:31:53 +01:00
|
|
|
|
v = createHmac('sha256', k).update(v).digest()
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
2014-06-21 14:25:09 +02:00
|
|
|
|
var T = BigInteger.fromBuffer(v)
|
|
|
|
|
|
|
2015-01-04 02:46:37 +01:00
|
|
|
|
// Step H3, repeat until T is within the interval [1, n - 1] and is suitable for ECDSA
|
|
|
|
|
|
while ((T.signum() <= 0) || (T.compareTo(curve.n) >= 0) || !checkSig(T)) {
|
2015-03-17 02:31:53 +01:00
|
|
|
|
k = createHmac('sha256', k)
|
2014-12-08 01:24:16 +01:00
|
|
|
|
.update(v)
|
|
|
|
|
|
.update(ZERO)
|
|
|
|
|
|
.digest()
|
|
|
|
|
|
|
2015-03-17 02:31:53 +01:00
|
|
|
|
v = createHmac('sha256', k).update(v).digest()
|
2014-06-21 14:25:09 +02:00
|
|
|
|
|
2015-01-04 02:46:37 +01:00
|
|
|
|
// Step H1/H2a, again, ignored as tlen === qlen (256 bit)
|
|
|
|
|
|
// Step H2b again
|
2015-03-17 02:31:53 +01:00
|
|
|
|
v = createHmac('sha256', k).update(v).digest()
|
2014-06-21 14:25:09 +02:00
|
|
|
|
T = BigInteger.fromBuffer(v)
|
|
|
|
|
|
}
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
2014-06-21 14:25:09 +02:00
|
|
|
|
return T
|
2014-05-23 09:18:32 +02:00
|
|
|
|
}
|
2014-04-23 23:45:28 +02:00
|
|
|
|
|
2015-02-23 00:36:57 +01:00
|
|
|
|
function sign (curve, hash, d) {
|
2015-06-23 07:32:26 +02:00
|
|
|
|
typeForce('Curve', curve)
|
|
|
|
|
|
typeForce('Buffer', hash)
|
|
|
|
|
|
typeForce('BigInteger', d)
|
|
|
|
|
|
|
2015-01-04 02:46:37 +01:00
|
|
|
|
var e = BigInteger.fromBuffer(hash)
|
2014-06-15 17:36:05 +02:00
|
|
|
|
var n = curve.n
|
|
|
|
|
|
var G = curve.G
|
2014-04-23 23:45:28 +02:00
|
|
|
|
|
2015-04-10 03:07:08 +02:00
|
|
|
|
var r, s
|
2015-02-23 00:36:57 +01:00
|
|
|
|
deterministicGenerateK(curve, hash, d, function (k) {
|
2015-01-04 02:46:37 +01:00
|
|
|
|
var Q = G.multiply(k)
|
|
|
|
|
|
|
2015-04-10 03:07:08 +02:00
|
|
|
|
if (curve.isInfinity(Q)) return false
|
2015-01-04 02:46:37 +01:00
|
|
|
|
|
|
|
|
|
|
r = Q.affineX.mod(n)
|
2015-04-10 03:07:08 +02:00
|
|
|
|
if (r.signum() === 0) return false
|
2015-01-04 02:46:37 +01:00
|
|
|
|
|
|
|
|
|
|
s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n)
|
2015-04-10 03:07:08 +02:00
|
|
|
|
if (s.signum() === 0) return false
|
2014-04-23 23:45:28 +02:00
|
|
|
|
|
2015-01-04 02:46:37 +01:00
|
|
|
|
return true
|
|
|
|
|
|
})
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
|
var N_OVER_TWO = n.shiftRight(1)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
|
// enforce low S values, see bip62: 'low s values in signatures'
|
|
|
|
|
|
if (s.compareTo(N_OVER_TWO) > 0) {
|
|
|
|
|
|
s = n.subtract(s)
|
2014-05-17 07:11:43 +02:00
|
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2014-06-15 08:44:52 +02:00
|
|
|
|
return new ECSignature(r, s)
|
2014-05-23 09:18:32 +02:00
|
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2015-04-10 09:22:00 +02:00
|
|
|
|
function verify (curve, hash, signature, Q) {
|
2015-06-23 07:32:26 +02:00
|
|
|
|
typeForce('Curve', curve)
|
|
|
|
|
|
typeForce('Buffer', hash)
|
|
|
|
|
|
typeForce('ECSignature', signature)
|
|
|
|
|
|
typeForce('Point', Q)
|
|
|
|
|
|
|
2014-06-15 17:36:05 +02:00
|
|
|
|
var n = curve.n
|
|
|
|
|
|
var G = curve.G
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2014-05-24 08:25:38 +02:00
|
|
|
|
var r = signature.r
|
|
|
|
|
|
var s = signature.s
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
2014-07-30 07:01:43 +02:00
|
|
|
|
// 1.4.1 Enforce r and s are both integers in the interval [1, n − 1]
|
2014-07-29 15:45:10 +02:00
|
|
|
|
if (r.signum() <= 0 || r.compareTo(n) >= 0) return false
|
|
|
|
|
|
if (s.signum() <= 0 || s.compareTo(n) >= 0) return false
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2015-04-10 09:22:00 +02:00
|
|
|
|
// 1.4.2 H = Hash(M), already done by the user
|
|
|
|
|
|
// 1.4.3 e = H
|
|
|
|
|
|
var e = BigInteger.fromBuffer(hash)
|
|
|
|
|
|
|
2015-04-10 09:20:22 +02:00
|
|
|
|
// Compute s^-1
|
|
|
|
|
|
var sInv = s.modInverse(n)
|
2014-05-24 06:33:02 +02:00
|
|
|
|
|
2014-07-30 07:01:43 +02:00
|
|
|
|
// 1.4.4 Compute u1 = es^−1 mod n
|
|
|
|
|
|
// u2 = rs^−1 mod n
|
2015-04-10 09:20:22 +02:00
|
|
|
|
var u1 = e.multiply(sInv).mod(n)
|
|
|
|
|
|
var u2 = r.multiply(sInv).mod(n)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2015-04-10 09:20:22 +02:00
|
|
|
|
// 1.4.5 Compute R = (xR, yR)
|
|
|
|
|
|
// R = u1G + u2Q
|
2014-07-30 07:01:43 +02:00
|
|
|
|
var R = G.multiplyTwo(u1, Q, u2)
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2014-07-30 07:01:43 +02:00
|
|
|
|
// 1.4.5 (cont.) Enforce R is not at infinity
|
|
|
|
|
|
if (curve.isInfinity(R)) return false
|
|
|
|
|
|
|
2015-04-10 09:20:22 +02:00
|
|
|
|
// 1.4.6 Convert the field element R.x to an integer
|
|
|
|
|
|
var xR = R.affineX
|
|
|
|
|
|
|
|
|
|
|
|
// 1.4.7 Set v = xR mod n
|
|
|
|
|
|
var v = xR.mod(n)
|
|
|
|
|
|
|
2015-03-02 03:25:09 +01:00
|
|
|
|
// 1.4.8 If v = r, output "valid", and if v != r, output "invalid"
|
2014-05-23 09:18:32 +02:00
|
|
|
|
return v.equals(r)
|
|
|
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
|
/**
|
|
|
|
|
|
* Recover a public key from a signature.
|
|
|
|
|
|
*
|
|
|
|
|
|
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
|
|
|
|
|
|
* Key Recovery Operation".
|
|
|
|
|
|
*
|
|
|
|
|
|
* http://www.secg.org/download/aid-780/sec1-v2.pdf
|
|
|
|
|
|
*/
|
2015-02-23 00:36:57 +01:00
|
|
|
|
function recoverPubKey (curve, e, signature, i) {
|
2015-06-23 07:32:26 +02:00
|
|
|
|
typeForce('Curve', curve)
|
|
|
|
|
|
typeForce('BigInteger', e)
|
|
|
|
|
|
typeForce('ECSignature', signature)
|
|
|
|
|
|
typeForce('Number', i)
|
2014-06-14 03:45:01 +02:00
|
|
|
|
assert.strictEqual(i & 3, i, 'Recovery param is more than two bits')
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
2014-07-29 15:45:10 +02:00
|
|
|
|
var n = curve.n
|
|
|
|
|
|
var G = curve.G
|
|
|
|
|
|
|
2014-05-24 08:25:38 +02:00
|
|
|
|
var r = signature.r
|
|
|
|
|
|
var s = signature.s
|
|
|
|
|
|
|
2014-07-29 15:45:10 +02:00
|
|
|
|
assert(r.signum() > 0 && r.compareTo(n) < 0, 'Invalid r value')
|
|
|
|
|
|
assert(s.signum() > 0 && s.compareTo(n) < 0, 'Invalid s value')
|
|
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
|
// A set LSB signifies that the y-coordinate is odd
|
2014-06-21 14:33:26 +02:00
|
|
|
|
var isYOdd = i & 1
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
|
|
|
|
|
// The more significant bit specifies whether we should use the
|
|
|
|
|
|
// first or second candidate key.
|
|
|
|
|
|
var isSecondKey = i >> 1
|
|
|
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
|
// 1.1 Let x = r + jn
|
2014-05-23 09:18:32 +02:00
|
|
|
|
var x = isSecondKey ? r.add(n) : r
|
2014-06-21 14:33:26 +02:00
|
|
|
|
var R = curve.pointFromX(isYOdd, x)
|
2011-05-04 18:02:56 +02:00
|
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
|
// 1.4 Check that nR is at infinity
|
2014-06-14 03:45:01 +02:00
|
|
|
|
var nR = R.multiply(n)
|
|
|
|
|
|
assert(curve.isInfinity(nR), 'nR is not a valid curve point')
|
2011-05-04 18:02:56 +02:00
|
|
|
|
|
2015-04-10 03:07:30 +02:00
|
|
|
|
// Compute r^-1
|
|
|
|
|
|
var rInv = r.modInverse(n)
|
|
|
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
|
// Compute -e from e
|
2014-05-23 09:18:32 +02:00
|
|
|
|
var eNeg = e.negate().mod(n)
|
2012-01-11 02:40:45 +01:00
|
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
|
// 1.6.1 Compute Q = r^-1 (sR - eG)
|
|
|
|
|
|
// Q = r^-1 (sR + -eG)
|
2014-05-23 09:18:32 +02:00
|
|
|
|
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
|
2015-04-10 03:07:30 +02:00
|
|
|
|
|
2014-06-07 08:24:27 +02:00
|
|
|
|
curve.validate(Q)
|
2012-08-17 01:38:29 +02:00
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
|
return Q
|
|
|
|
|
|
}
|
2013-03-02 18:28:13 +01:00
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
|
/**
|
|
|
|
|
|
* Calculate pubkey extraction parameter.
|
|
|
|
|
|
*
|
|
|
|
|
|
* When extracting a pubkey from a signature, we have to
|
|
|
|
|
|
* distinguish four different cases. Rather than putting this
|
|
|
|
|
|
* burden on the verifier, Bitcoin includes a 2-bit value with the
|
|
|
|
|
|
* signature.
|
|
|
|
|
|
*
|
|
|
|
|
|
* This function simply tries all four cases and returns the value
|
|
|
|
|
|
* that resulted in a successful pubkey recovery.
|
|
|
|
|
|
*/
|
2015-02-23 00:36:57 +01:00
|
|
|
|
function calcPubKeyRecoveryParam (curve, e, signature, Q) {
|
2015-06-23 07:32:26 +02:00
|
|
|
|
typeForce('Curve', curve)
|
|
|
|
|
|
typeForce('BigInteger', e)
|
|
|
|
|
|
typeForce('ECSignature', signature)
|
|
|
|
|
|
typeForce('Point', Q)
|
|
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
|
for (var i = 0; i < 4; i++) {
|
2014-06-07 08:24:27 +02:00
|
|
|
|
var Qprime = recoverPubKey(curve, e, signature, i)
|
2014-05-23 09:18:32 +02:00
|
|
|
|
|
2014-06-14 03:47:22 +02:00
|
|
|
|
// 1.6.2 Verify Q
|
2014-05-23 09:18:32 +02:00
|
|
|
|
if (Qprime.equals(Q)) {
|
|
|
|
|
|
return i
|
|
|
|
|
|
}
|
2013-02-17 06:39:15 +01:00
|
|
|
|
}
|
2012-01-11 02:40:45 +01:00
|
|
|
|
|
2014-05-23 09:18:32 +02:00
|
|
|
|
throw new Error('Unable to find valid recovery factor')
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2014-05-17 07:11:43 +02:00
|
|
|
|
module.exports = {
|
2014-05-24 08:25:38 +02:00
|
|
|
|
calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
|
|
|
|
|
|
deterministicGenerateK: deterministicGenerateK,
|
|
|
|
|
|
recoverPubKey: recoverPubKey,
|
|
|
|
|
|
sign: sign,
|
2015-04-10 09:22:00 +02:00
|
|
|
|
verify: verify
|
2014-05-17 07:11:43 +02:00
|
|
|
|
}
|
