ecdsa: fix indentation

This commit is contained in:
Daniel Cousens 2014-05-23 17:18:32 +10:00
parent d05d661aea
commit 087ca551f5

View file

@ -4,269 +4,269 @@ var crypto = require('./crypto')
var BigInteger = require('bigi') var BigInteger = require('bigi')
var ECPointFp = require('./ec').ECPointFp var ECPointFp = require('./ec').ECPointFp
function deterministicGenerateK(ecparams, hash, D) { function deterministicGenerateK(ecparams, hash, D) {
assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash) assert(Buffer.isBuffer(hash), 'Hash must be a Buffer, not ' + hash)
assert.equal(hash.length, 32, 'Hash must be 256 bit') assert.equal(hash.length, 32, 'Hash must be 256 bit')
assert(D instanceof BigInteger, 'Private key must be a BigInteger') assert(D instanceof BigInteger, 'Private key must be a BigInteger')
var x = D.toBuffer(32) var x = D.toBuffer(32)
var k = new Buffer(32) var k = new Buffer(32)
var v = new Buffer(32) var v = new Buffer(32)
k.fill(0) k.fill(0)
v.fill(1) v.fill(1)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k) k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([0]), x, hash]), k)
v = crypto.HmacSHA256(v, k) v = crypto.HmacSHA256(v, k)
k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k) k = crypto.HmacSHA256(Buffer.concat([v, new Buffer([1]), x, hash]), k)
v = crypto.HmacSHA256(v, k) v = crypto.HmacSHA256(v, k)
v = crypto.HmacSHA256(v, k) v = crypto.HmacSHA256(v, k)
var n = ecparams.getN() var n = ecparams.getN()
var kB = BigInteger.fromBuffer(v).mod(n) var kB = BigInteger.fromBuffer(v).mod(n)
assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value') assert(kB.compareTo(BigInteger.ONE) > 0, 'Invalid k value')
assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value') assert(kB.compareTo(ecparams.getN()) < 0, 'Invalid k value')
return kB return kB
}
function sign(ecparams, hash, D) {
var k = deterministicGenerateK(ecparams, hash, D)
var n = ecparams.getN()
var G = ecparams.getG()
var Q = G.multiply(k)
var e = BigInteger.fromBuffer(hash)
var r = Q.getX().toBigInteger().mod(n)
assert.notEqual(r.signum(), 0, 'Invalid R value')
var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n)
assert.notEqual(s.signum(), 0, 'Invalid S value')
var N_OVER_TWO = n.shiftRight(1)
// enforce low S values, see bip62: 'low s values in signatures'
if (s.compareTo(N_OVER_TWO) > 0) {
s = n.subtract(s)
} }
function sign(ecparams, hash, D) { return {r: r, s: s}
var k = deterministicGenerateK(ecparams, hash, D) }
var n = ecparams.getN() function verify(ecparams, hash, r, s, Q) {
var G = ecparams.getG() var e = BigInteger.fromBuffer(hash)
var Q = G.multiply(k)
var e = BigInteger.fromBuffer(hash)
var r = Q.getX().toBigInteger().mod(n) return verifyRaw(ecparams, e, r, s, Q)
assert.notEqual(r.signum(), 0, 'Invalid R value') }
var s = k.modInverse(n).multiply(e.add(D.multiply(r))).mod(n) function verifyRaw(ecparams, e, r, s, Q) {
assert.notEqual(s.signum(), 0, 'Invalid S value') var n = ecparams.getN()
var G = ecparams.getG()
var N_OVER_TWO = n.shiftRight(1) if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) {
return false
// enforce low S values, see bip62: 'low s values in signatures'
if (s.compareTo(N_OVER_TWO) > 0) {
s = n.subtract(s)
}
return {r: r, s: s}
} }
function verify(ecparams, hash, r, s, Q) { if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) {
var e = BigInteger.fromBuffer(hash) return false
return verifyRaw(ecparams, e, r, s, Q)
} }
function verifyRaw(ecparams, e, r, s, Q) { var c = s.modInverse(n)
var n = ecparams.getN() var u1 = e.multiply(c).mod(n)
var G = ecparams.getG() var u2 = r.multiply(c).mod(n)
if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(n) >= 0) { var point = G.multiplyTwo(u1, Q, u2)
return false var v = point.getX().toBigInteger().mod(n)
}
if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(n) >= 0) { return v.equals(r)
return false }
}
var c = s.modInverse(n) /**
var u1 = e.multiply(c).mod(n) * Serialize a signature into DER format.
var u2 = r.multiply(c).mod(n) *
* Takes two BigIntegers representing r and s and returns a byte array.
*/
function serializeSig(r, s) {
var rBa = r.toByteArraySigned()
var sBa = s.toByteArraySigned()
var point = G.multiplyTwo(u1, Q, u2) var sequence = []
var v = point.getX().toBigInteger().mod(n) sequence.push(0x02); // INTEGER
sequence.push(rBa.length)
sequence = sequence.concat(rBa)
return v.equals(r) sequence.push(0x02); // INTEGER
sequence.push(sBa.length)
sequence = sequence.concat(sBa)
sequence.unshift(sequence.length)
sequence.unshift(0x30); // SEQUENCE
return sequence
}
/**
* Parses a buffer containing a DER-encoded signature.
*
* This function will return an object of the form:
*
* {
* r: BigInteger,
* s: BigInteger
* }
*/
function parseSig(buffer) {
assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer')
var rLen = buffer.readUInt8(3)
var rB = buffer.slice(4, 4 + rLen)
var offset = 4 + rLen
assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer')
var sLen = buffer.readUInt8(1 + offset)
var sB = buffer.slice(2 + offset)
return {
r: BigInteger.fromByteArraySigned(rB),
s: BigInteger.fromByteArraySigned(sB)
}
}
function serializeSigCompact(r, s, i, compressed) {
if (compressed) {
i += 4
} }
/** i += 27
* Serialize a signature into DER format.
*
* Takes two BigIntegers representing r and s and returns a byte array.
*/
function serializeSig(r, s) {
var rBa = r.toByteArraySigned()
var sBa = s.toByteArraySigned()
var sequence = [] var buffer = new Buffer(65)
sequence.push(0x02); // INTEGER buffer.writeUInt8(i, 0)
sequence.push(rBa.length) r.toBuffer(32).copy(buffer, 1)
sequence = sequence.concat(rBa) s.toBuffer(32).copy(buffer, 33)
sequence.push(0x02); // INTEGER return buffer
sequence.push(sBa.length) }
sequence = sequence.concat(sBa)
sequence.unshift(sequence.length) function parseSigCompact(buffer) {
sequence.unshift(0x30); // SEQUENCE assert.equal(buffer.length, 65, 'Invalid signature length')
var i = buffer.readUInt8(0) - 27
return sequence // At most 3 bits
assert.equal(i, i & 7, 'Invalid signature type')
var compressed = !!(i & 4)
// Recovery param only
i = i & 3
var r = BigInteger.fromBuffer(buffer.slice(1, 33))
var s = BigInteger.fromBuffer(buffer.slice(33))
return {
r: r,
s: s,
i: i,
compressed: compressed
}
}
/**
* Recover a public key from a signature.
*
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
* Key Recovery Operation".
*
* http://www.secg.org/download/aid-780/sec1-v2.pdf
*/
function recoverPubKey(ecparams, e, r, s, i) {
assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
// A set LSB signifies that the y-coordinate is odd
// By reduction, the y-coordinate is even if it is clear
var isYEven = !(i & 1)
// The more significant bit specifies whether we should use the
// first or second candidate key.
var isSecondKey = i >> 1
var n = ecparams.getN()
var G = ecparams.getG()
var curve = ecparams.getCurve()
var p = curve.getQ()
var a = curve.getA().toBigInteger()
var b = curve.getB().toBigInteger()
// We precalculate (p + 1) / 4 where p is the field order
if (!curve.P_OVER_FOUR) {
curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
} }
/** // 1.1 Compute x
* Parses a buffer containing a DER-encoded signature. var x = isSecondKey ? r.add(n) : r
*
* This function will return an object of the form:
*
* {
* r: BigInteger,
* s: BigInteger
* }
*/
function parseSig(buffer) {
assert.equal(buffer.readUInt8(0), 0x30, 'Not a DER sequence')
assert.equal(buffer.readUInt8(1), buffer.length - 2, 'Invalid sequence length')
assert.equal(buffer.readUInt8(2), 0x02, 'Expected DER integer') // 1.3 Convert x to point
var rLen = buffer.readUInt8(3) var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
var rB = buffer.slice(4, 4 + rLen) var beta = alpha.modPow(curve.P_OVER_FOUR, p)
var offset = 4 + rLen // If beta is even, but y isn't, or vice versa, then convert it,
assert.equal(buffer.readUInt8(offset), 0x02, 'Expected a 2nd DER integer') // otherwise we're done and y == beta.
var sLen = buffer.readUInt8(1 + offset) var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
var sB = buffer.slice(2 + offset)
return { // 1.4 Check that nR isn't at infinity
r: BigInteger.fromByteArraySigned(rB), var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))
s: BigInteger.fromByteArraySigned(sB) R.validate()
// 1.5 Compute -e from e
var eNeg = e.negate().mod(n)
// 1.6 Compute Q = r^-1 (sR - eG)
// Q = r^-1 (sR + -eG)
var rInv = r.modInverse(n)
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
Q.validate()
if (!verifyRaw(ecparams, e, r, s, Q)) {
throw new Error("Pubkey recovery unsuccessful")
}
return Q
}
/**
* Calculate pubkey extraction parameter.
*
* When extracting a pubkey from a signature, we have to
* distinguish four different cases. Rather than putting this
* burden on the verifier, Bitcoin includes a 2-bit value with the
* signature.
*
* This function simply tries all four cases and returns the value
* that resulted in a successful pubkey recovery.
*/
function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) {
for (var i = 0; i < 4; i++) {
var Qprime = recoverPubKey(ecparams, e, r, s, i)
if (Qprime.equals(Q)) {
return i
} }
} }
function serializeSigCompact(r, s, i, compressed) { throw new Error('Unable to find valid recovery factor')
if (compressed) { }
i += 4
}
i += 27
var buffer = new Buffer(65)
buffer.writeUInt8(i, 0)
r.toBuffer(32).copy(buffer, 1)
s.toBuffer(32).copy(buffer, 33)
return buffer
}
function parseSigCompact(buffer) {
assert.equal(buffer.length, 65, 'Invalid signature length')
var i = buffer.readUInt8(0) - 27
// At most 3 bits
assert.equal(i, i & 7, 'Invalid signature type')
var compressed = !!(i & 4)
// Recovery param only
i = i & 3
var r = BigInteger.fromBuffer(buffer.slice(1, 33))
var s = BigInteger.fromBuffer(buffer.slice(33))
return {
r: r,
s: s,
i: i,
compressed: compressed
}
}
/**
* Recover a public key from a signature.
*
* See SEC 1: Elliptic Curve Cryptography, section 4.1.6, "Public
* Key Recovery Operation".
*
* http://www.secg.org/download/aid-780/sec1-v2.pdf
*/
function recoverPubKey(ecparams, e, r, s, i) {
assert.strictEqual(i & 3, i, 'The recovery param is more than two bits')
// A set LSB signifies that the y-coordinate is odd
// By reduction, the y-coordinate is even if it is clear
var isYEven = !(i & 1)
// The more significant bit specifies whether we should use the
// first or second candidate key.
var isSecondKey = i >> 1
var n = ecparams.getN()
var G = ecparams.getG()
var curve = ecparams.getCurve()
var p = curve.getQ()
var a = curve.getA().toBigInteger()
var b = curve.getB().toBigInteger()
// We precalculate (p + 1) / 4 where p is the field order
if (!curve.P_OVER_FOUR) {
curve.P_OVER_FOUR = p.add(BigInteger.ONE).shiftRight(2)
}
// 1.1 Compute x
var x = isSecondKey ? r.add(n) : r
// 1.3 Convert x to point
var alpha = x.pow(3).add(a.multiply(x)).add(b).mod(p)
var beta = alpha.modPow(curve.P_OVER_FOUR, p)
// If beta is even, but y isn't, or vice versa, then convert it,
// otherwise we're done and y == beta.
var y = (beta.isEven() ^ isYEven) ? p.subtract(beta) : beta
// 1.4 Check that nR isn't at infinity
var R = new ECPointFp(curve, curve.fromBigInteger(x), curve.fromBigInteger(y))
R.validate()
// 1.5 Compute -e from e
var eNeg = e.negate().mod(n)
// 1.6 Compute Q = r^-1 (sR - eG)
// Q = r^-1 (sR + -eG)
var rInv = r.modInverse(n)
var Q = R.multiplyTwo(s, G, eNeg).multiply(rInv)
Q.validate()
if (!verifyRaw(ecparams, e, r, s, Q)) {
throw new Error("Pubkey recovery unsuccessful")
}
return Q
}
/**
* Calculate pubkey extraction parameter.
*
* When extracting a pubkey from a signature, we have to
* distinguish four different cases. Rather than putting this
* burden on the verifier, Bitcoin includes a 2-bit value with the
* signature.
*
* This function simply tries all four cases and returns the value
* that resulted in a successful pubkey recovery.
*/
function calcPubKeyRecoveryParam(ecparams, e, r, s, Q) {
for (var i = 0; i < 4; i++) {
var Qprime = recoverPubKey(ecparams, e, r, s, i)
if (Qprime.equals(Q)) {
return i
}
}
throw new Error('Unable to find valid recovery factor')
}
module.exports = { module.exports = {
calcPubKeyRecoveryParam: calcPubKeyRecoveryParam, calcPubKeyRecoveryParam: calcPubKeyRecoveryParam,
deterministicGenerateK: deterministicGenerateK, deterministicGenerateK: deterministicGenerateK,
recoverPubKey: recoverPubKey, recoverPubKey: recoverPubKey,
sign: sign, sign: sign,
verify: verify, verify: verify,
verifyRaw: verifyRaw, verifyRaw: verifyRaw,
serializeSig: serializeSig, serializeSig: serializeSig,
parseSig: parseSig, parseSig: parseSig,
serializeSigCompact: serializeSigCompact, serializeSigCompact: serializeSigCompact,
parseSigCompact: parseSigCompact parseSigCompact: parseSigCompact
} }