bitcore/lib/crypto/ecdsa.js

'use strict';

var BN = require('./bn');
var Point = require('./point');
var Signature = require('./signature');
var PublicKey = require('../publickey');
var Random = require('./random');
var Hash = require('./hash');
var BufferUtil = require('../util/buffer');
var _ = require('lodash');
var $ = require('../util/preconditions');

var ECDSA = function ECDSA(obj) {
  if (!(this instanceof ECDSA)) {
    return new ECDSA(obj);
  }
  if (obj) {
    this.set(obj);
  }
};

/* jshint maxcomplexity: 9 */
ECDSA.prototype.set = function(obj) {
  this.hashbuf = obj.hashbuf || this.hashbuf;
  this.endian = obj.endian || this.endian; //the endianness of hashbuf
  this.privkey = obj.privkey || this.privkey;
  this.pubkey = obj.pubkey || (this.privkey ? this.privkey.publicKey : this.pubkey);
  this.sig = obj.sig || this.sig;
  this.k = obj.k || this.k;
  this.verified = obj.verified || this.verified;
  return this;
};

ECDSA.prototype.privkey2pubkey = function() {
  this.pubkey = this.privkey.toPublicKey();
};

ECDSA.prototype.calci = function() {
  for (var i = 0; i < 4; i++) {
    this.sig.i = i;
    var Qprime;
    try {
      Qprime = this.toPublicKey();
    } catch (e) {
      console.error(e);
      continue;
    }

    if (Qprime.point.eq(this.pubkey.point)) {
      this.sig.compressed = this.pubkey.compressed;
      return this;
    }
  }

  this.sig.i = undefined;
  throw new Error('Unable to find valid recovery factor');
};

ECDSA.fromString = function(str) {
  var obj = JSON.parse(str);
  return new ECDSA(obj);
};

ECDSA.prototype.randomK = function() {
  var N = Point.getN();
  var k;
  do {
    k = BN.fromBuffer(Random.getRandomBuffer(32));
  } while (!(k.lt(N) && k.gt(BN.Zero)));
  this.k = k;
  return this;
};


// https://tools.ietf.org/html/rfc6979#section-3.2
ECDSA.prototype.deterministicK = function(badrs) {
  /* jshint maxstatements: 25 */
  // if r or s were invalid when this function was used in signing,
  // we do not want to actually compute r, s here for efficiency, so,
  // we can increment badrs. explained at end of RFC 6979 section 3.2
  if (_.isUndefined(badrs)) {
    badrs = 0;
  }
  var v = new Buffer(32);
  v.fill(0x01);
  var k = new Buffer(32);
  k.fill(0x00);
  var x = this.privkey.bn.toBuffer({
    size: 32
  });
  k = Hash.sha256hmac(Buffer.concat([v, new Buffer([0x00]), x, this.hashbuf]), k);
  v = Hash.sha256hmac(v, k);
  k = Hash.sha256hmac(Buffer.concat([v, new Buffer([0x01]), x, this.hashbuf]), k);
  v = Hash.sha256hmac(v, k);
  v = Hash.sha256hmac(v, k);
  var T = BN.fromBuffer(v);
  var N = Point.getN();

  // also explained in 3.2, we must ensure T is in the proper range (0, N)
  for (var i = 0; i < badrs || !(T.lt(N) && T.gt(BN.Zero)); i++) {
    k = Hash.sha256hmac(Buffer.concat([v, new Buffer([0x00])]), k);
    v = Hash.sha256hmac(v, k);
    v = Hash.sha256hmac(v, k);
    T = BN.fromBuffer(v);
  }

  this.k = T;
  return this;
};

// Information about public key recovery:
// https://bitcointalk.org/index.php?topic=6430.0
// http://stackoverflow.com/questions/19665491/how-do-i-get-an-ecdsa-public-key-from-just-a-bitcoin-signature-sec1-4-1-6-k
ECDSA.prototype.toPublicKey = function() {
  /* jshint maxstatements: 25 */
  var i = this.sig.i;
  $.checkArgument(i === 0 || i === 1 || i === 2 || i === 3, new Error('i must be equal to 0, 1, 2, or 3'));

  var e = BN.fromBuffer(this.hashbuf);
  var r = this.sig.r;
  var s = this.sig.s;

  // A set LSB signifies that the y-coordinate is odd
  var isYOdd = i & 1;

  // The more significant bit specifies whether we should use the
  // first or second candidate key.
  var isSecondKey = i >> 1;

  var n = Point.getN();
  var G = Point.getG();

  // 1.1 Let x = r + jn
  var x = isSecondKey ? r.add(n) : r;
  var R = Point.fromX(isYOdd, x);

  // 1.4 Check that nR is at infinity
  var nR = R.mul(n);

  if (!nR.isInfinity()) {
    throw new Error('nR is not a valid curve point');
  }

  // Compute -e from e
  var eNeg = e.neg().mod(n);

  // 1.6.1 Compute Q = r^-1 (sR - eG)
  // Q = r^-1 (sR + -eG)
  var rInv = r.invm(n);

  //var Q = R.multiplyTwo(s, G, eNeg).mul(rInv);
  var Q = R.mul(s).add(G.mul(eNeg)).mul(rInv);

  var pubkey = PublicKey.fromPoint(Q, this.sig.compressed);

  return pubkey;
};

ECDSA.prototype.sigError = function() {
  /* jshint maxstatements: 25 */
  if (!BufferUtil.isBuffer(this.hashbuf) || this.hashbuf.length !== 32) {
    return 'hashbuf must be a 32 byte buffer';
  }

  var r = this.sig.r;
  var s = this.sig.s;
  if (!(r.gt(BN.Zero) && r.lt(Point.getN())) || !(s.gt(BN.Zero) && s.lt(Point.getN()))) {
    return 'r and s not in range';
  }

  var e = BN.fromBuffer(this.hashbuf, this.endian ? {
    endian: this.endian
  } : undefined);
  var n = Point.getN();
  var sinv = s.invm(n);
  var u1 = sinv.mul(e).mod(n);
  var u2 = sinv.mul(r).mod(n);

  var p = Point.getG().mulAdd(u1, this.pubkey.point, u2);
  if (p.isInfinity()) {
    return 'p is infinity';
  }

  if (p.getX().mod(n).cmp(r) !== 0) {
    return 'Invalid signature';
  } else {
    return false;
  }
};

ECDSA.toLowS = function(s) {
  //enforce low s
  //see BIP 62, "low S values in signatures"
  if (s.gt(BN.fromBuffer(new Buffer('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0', 'hex')))) {
    s = Point.getN().sub(s);
  }
  return s;
};

ECDSA.prototype._findSignature = function(d, e) {
  var N = Point.getN();
  var G = Point.getG();
  // try different values of k until r, s are valid
  var badrs = 0;
  var k, Q, r, s;
  do {
    if (!this.k || badrs > 0) {
      this.deterministicK(badrs);
    }
    badrs++;
    k = this.k;
    Q = G.mul(k);
    r = Q.x.mod(N);
    s = k.invm(N).mul(e.add(d.mul(r))).mod(N);
  } while (r.cmp(BN.Zero) <= 0 || s.cmp(BN.Zero) <= 0);

  s = ECDSA.toLowS(s);
  return {
    s: s,
    r: r
  };

};

ECDSA.prototype.sign = function() {
  var hashbuf = this.hashbuf;
  var privkey = this.privkey;
  var d = privkey.bn;

  $.checkState(hashbuf && privkey && d, new Error('invalid parameters'));
  $.checkState(BufferUtil.isBuffer(hashbuf) && hashbuf.length === 32, new Error('hashbuf must be a 32 byte buffer'));

  var e = BN.fromBuffer(hashbuf, this.endian ? {
    endian: this.endian
  } : undefined);

  var obj = this._findSignature(d, e);
  obj.compressed = this.pubkey.compressed;

  this.sig = new Signature(obj);
  return this;
};

ECDSA.prototype.signRandomK = function() {
  this.randomK();
  return this.sign();
};

ECDSA.prototype.toString = function() {
  var obj = {};
  if (this.hashbuf) {
    obj.hashbuf = this.hashbuf.toString('hex');
  }
  if (this.privkey) {
    obj.privkey = this.privkey.toString();
  }
  if (this.pubkey) {
    obj.pubkey = this.pubkey.toString();
  }
  if (this.sig) {
    obj.sig = this.sig.toString();
  }
  if (this.k) {
    obj.k = this.k.toString();
  }
  return JSON.stringify(obj);
};

ECDSA.prototype.verify = function() {
  if (!this.sigError()) {
    this.verified = true;
  } else {
    this.verified = false;
  }
  return this;
};

ECDSA.sign = function(hashbuf, privkey, endian) {
  return ECDSA().set({
    hashbuf: hashbuf,
    endian: endian,
    privkey: privkey
  }).sign().sig;
};

ECDSA.verify = function(hashbuf, sig, pubkey, endian) {
  return ECDSA().set({
    hashbuf: hashbuf,
    endian: endian,
    sig: sig,
    pubkey: pubkey
  }).verify().verified;
};

module.exports = ECDSA;
use strict to crypto 2014-11-20 07:16:27 -08:00			`'use strict';`

recover public key from signature 2014-08-19 17:15:54 -07:00			`var BN = require('./bn');`
			`var Point = require('./point');`
move Signature to crypto/ 2014-11-27 11:42:44 -08:00			`var Signature = require('./signature');`
Keys: Renamed Privkey to PrivateKey and Pubkey to PublicKey 2014-11-25 10:21:53 -08:00			`var PublicKey = require('../publickey');`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`var Random = require('./random');`
			`var Hash = require('./hash');`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`var BufferUtil = require('../util/buffer');`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`var _ = require('lodash');`
			`var $ = require('../util/preconditions');`
ecdsa 2014-08-09 17:43:24 -07:00
ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`var ECDSA = function ECDSA(obj) {`
move Signature to crypto/ 2014-11-27 11:42:44 -08:00			`if (!(this instanceof ECDSA)) {`
ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`return new ECDSA(obj);`
move Signature to crypto/ 2014-11-27 11:42:44 -08:00			`}`
			`if (obj) {`
ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`this.set(obj);`
move Signature to crypto/ 2014-11-27 11:42:44 -08:00			`}`
ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`};`

refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`/* jshint maxcomplexity: 9 */`
ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`ECDSA.prototype.set = function(obj) {`
"undefined"s are unnecessary 2014-09-16 10:10:06 -07:00			`this.hashbuf = obj.hashbuf \|\| this.hashbuf;`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`this.endian = obj.endian \|\| this.endian; //the endianness of hashbuf`
Tests: Updated tests to run from sub-directories and fixed crypto and encoding related missing updates. 2014-11-25 11:20:43 -08:00			`this.privkey = obj.privkey \|\| this.privkey;`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`this.pubkey = obj.pubkey \|\| (this.privkey ? this.privkey.publicKey : this.pubkey);`
"undefined"s are unnecessary 2014-09-16 10:10:06 -07:00			`this.sig = obj.sig \|\| this.sig;`
			`this.k = obj.k \|\| this.k;`
			`this.verified = obj.verified \|\| this.verified;`
ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`return this;`
ecdsa 2014-08-09 17:43:24 -07:00			`};`

Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`ECDSA.prototype.privkey2pubkey = function() {`
			`this.pubkey = this.privkey.toPublicKey();`
Tests: Updated tests to run from sub-directories and fixed crypto and encoding related missing updates. 2014-11-25 11:20:43 -08:00			`};`

recover public key from signature 2014-08-19 17:15:54 -07:00			`ECDSA.prototype.calci = function() {`
			`for (var i = 0; i < 4; i++) {`
			`this.sig.i = i;`
Tests: Updated tests to run from sub-directories and fixed crypto and encoding related missing updates. 2014-11-25 11:20:43 -08:00			`var Qprime;`
recover public key from signature 2014-08-19 17:15:54 -07:00			`try {`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`Qprime = this.toPublicKey();`
recover public key from signature 2014-08-19 17:15:54 -07:00			`} catch (e) {`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`console.error(e);`
recover public key from signature 2014-08-19 17:15:54 -07:00			`continue;`
			`}`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00
Tests: Updated tests to run from sub-directories and fixed crypto and encoding related missing updates. 2014-11-25 11:20:43 -08:00			`if (Qprime.point.eq(this.pubkey.point)) {`
			`this.sig.compressed = this.pubkey.compressed;`
recover public key from signature 2014-08-19 17:15:54 -07:00			`return this;`
			`}`
			`}`

			`this.sig.i = undefined;`
			`throw new Error('Unable to find valid recovery factor');`
			`};`

refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`ECDSA.fromString = function(str) {`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`var obj = JSON.parse(str);`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`return new ECDSA(obj);`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`};`

			`ECDSA.prototype.randomK = function() {`
recover public key from signature 2014-08-19 17:15:54 -07:00			`var N = Point.getN();`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`var k;`
			`do {`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`k = BN.fromBuffer(Random.getRandomBuffer(32));`
Fix invocations to binary operations called on numbers 2015-02-05 12:24:48 -08:00			`} while (!(k.lt(N) && k.gt(BN.Zero)));`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`this.k = k;`
			`return this;`
			`};`

hash 100% coverage 2014-12-19 14:23:30 -08:00
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`// https://tools.ietf.org/html/rfc6979#section-3.2`
			`ECDSA.prototype.deterministicK = function(badrs) {`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`/* jshint maxstatements: 25 */`
return comment to deterministicK 2014-12-22 12:33:00 -08:00			`// if r or s were invalid when this function was used in signing,`
			`// we do not want to actually compute r, s here for efficiency, so,`
			`// we can increment badrs. explained at end of RFC 6979 section 3.2`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`if (_.isUndefined(badrs)) {`
			`badrs = 0;`
			`}`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`var v = new Buffer(32);`
			`v.fill(0x01);`
			`var k = new Buffer(32);`
			`k.fill(0x00);`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`var x = this.privkey.bn.toBuffer({`
			`size: 32`
			`});`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`k = Hash.sha256hmac(Buffer.concat([v, new Buffer([0x00]), x, this.hashbuf]), k);`
			`v = Hash.sha256hmac(v, k);`
			`k = Hash.sha256hmac(Buffer.concat([v, new Buffer([0x01]), x, this.hashbuf]), k);`
			`v = Hash.sha256hmac(v, k);`
			`v = Hash.sha256hmac(v, k);`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`var T = BN.fromBuffer(v);`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`var N = Point.getN();`

			`// also explained in 3.2, we must ensure T is in the proper range (0, N)`
Fix invocations to binary operations called on numbers 2015-02-05 12:24:48 -08:00			`for (var i = 0; i < badrs \|\| !(T.lt(N) && T.gt(BN.Zero)); i++) {`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`k = Hash.sha256hmac(Buffer.concat([v, new Buffer([0x00])]), k);`
			`v = Hash.sha256hmac(v, k);`
Fix the error loop. I added a similar badrs function to python-ecdsa and compared the results. The 1 badrs (aka forcing it to loop once) gave me a different value. It turns out you missed one of the `v = hmac_k(v)` steps during the loop. Adding one extra `v = hmac_k(v)` in each loop makes it match up with python-ecdsa perfectly (I even tried up to badrs = 30 and it was fine. 2015-01-01 22:32:33 -08:00			`v = Hash.sha256hmac(v, k);`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`T = BN.fromBuffer(v);`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`}`

			`this.k = T;`
			`return this;`
			`};`

add info on public key recovery 2014-08-24 14:26:17 -07:00			`// Information about public key recovery:`
			`// https://bitcointalk.org/index.php?topic=6430.0`
			`// http://stackoverflow.com/questions/19665491/how-do-i-get-an-ecdsa-public-key-from-just-a-bitcoin-signature-sec1-4-1-6-k`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`ECDSA.prototype.toPublicKey = function() {`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`/* jshint maxstatements: 25 */`
recover public key from signature 2014-08-19 17:15:54 -07:00			`var i = this.sig.i;`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`$.checkArgument(i === 0 \|\| i === 1 \|\| i === 2 \|\| i === 3, new Error('i must be equal to 0, 1, 2, or 3'));`
recover public key from signature 2014-08-19 17:15:54 -07:00
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`var e = BN.fromBuffer(this.hashbuf);`
recover public key from signature 2014-08-19 17:15:54 -07:00			`var r = this.sig.r;`
			`var s = this.sig.s;`

			`// A set LSB signifies that the y-coordinate is odd`
			`var isYOdd = i & 1;`

			`// The more significant bit specifies whether we should use the`
			`// first or second candidate key.`
			`var isSecondKey = i >> 1;`

			`var n = Point.getN();`
			`var G = Point.getG();`

			`// 1.1 Let x = r + jn`
			`var x = isSecondKey ? r.add(n) : r;`
			`var R = Point.fromX(isYOdd, x);`

			`// 1.4 Check that nR is at infinity`
			`var nR = R.mul(n);`

refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`if (!nR.isInfinity()) {`
recover public key from signature 2014-08-19 17:15:54 -07:00			`throw new Error('nR is not a valid curve point');`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`}`
recover public key from signature 2014-08-19 17:15:54 -07:00
			`// Compute -e from e`
			`var eNeg = e.neg().mod(n);`

			`// 1.6.1 Compute Q = r^-1 (sR - eG)`
			`// Q = r^-1 (sR + -eG)`
			`var rInv = r.invm(n);`

			`//var Q = R.multiplyTwo(s, G, eNeg).mul(rInv);`
			`var Q = R.mul(s).add(G.mul(eNeg)).mul(rInv);`

Crypto: Update ECDSA with to use PrivateKey and PublicKey 2014-11-25 12:10:22 -08:00			`var pubkey = PublicKey.fromPoint(Q, this.sig.compressed);`
recover public key from signature 2014-08-19 17:15:54 -07:00
			`return pubkey;`
			`};`

ecdsa 2014-08-09 17:43:24 -07:00			`ECDSA.prototype.sigError = function() {`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`/* jshint maxstatements: 25 */`
			`if (!BufferUtil.isBuffer(this.hashbuf) \|\| this.hashbuf.length !== 32) {`
improve error message 2014-09-16 11:44:51 -07:00			`return 'hashbuf must be a 32 byte buffer';`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`}`
ecdsa 2014-08-09 17:43:24 -07:00
			`var r = this.sig.r;`
			`var s = this.sig.s;`
Fix invocations to binary operations called on numbers 2015-02-05 12:24:48 -08:00			`if (!(r.gt(BN.Zero) && r.lt(Point.getN())) \|\| !(s.gt(BN.Zero) && s.lt(Point.getN()))) {`
ecdsa 2014-08-09 17:43:24 -07:00			`return 'r and s not in range';`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`}`
ecdsa 2014-08-09 17:43:24 -07:00
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`var e = BN.fromBuffer(this.hashbuf, this.endian ? {`
			`endian: this.endian`
			`} : undefined);`
recover public key from signature 2014-08-19 17:15:54 -07:00			`var n = Point.getN();`
ecdsa 2014-08-09 17:43:24 -07:00			`var sinv = s.invm(n);`
			`var u1 = sinv.mul(e).mod(n);`
			`var u2 = sinv.mul(r).mod(n);`

Tests: Updated tests to run from sub-directories and fixed crypto and encoding related missing updates. 2014-11-25 11:20:43 -08:00			`var p = Point.getG().mulAdd(u1, this.pubkey.point, u2);`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`if (p.isInfinity()) {`
ecdsa 2014-08-09 17:43:24 -07:00			`return 'p is infinity';`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`}`
ecdsa 2014-08-09 17:43:24 -07:00
hash 100% coverage 2014-12-19 14:23:30 -08:00			`if (p.getX().mod(n).cmp(r) !== 0) {`
ecdsa 2014-08-09 17:43:24 -07:00			`return 'Invalid signature';`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`} else {`
ecdsa 2014-08-09 17:43:24 -07:00			`return false;`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`}`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`};`
ecdsa 2014-08-09 17:43:24 -07:00
hash 100% coverage 2014-12-19 14:23:30 -08:00			`ECDSA.toLowS = function(s) {`
			`//enforce low s`
			`//see BIP 62, "low S values in signatures"`
			`if (s.gt(BN.fromBuffer(new Buffer('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0', 'hex')))) {`
			`s = Point.getN().sub(s);`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`}`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`return s;`
			`};`
throw error if hashbuf is not 32 bytes 2014-09-16 11:33:49 -07:00
hash 100% coverage 2014-12-19 14:23:30 -08:00			`ECDSA.prototype._findSignature = function(d, e) {`
recover public key from signature 2014-08-19 17:15:54 -07:00			`var N = Point.getN();`
			`var G = Point.getG();`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`// try different values of k until r, s are valid`
			`var badrs = 0;`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`var k, Q, r, s;`
ecdsa 2014-08-09 17:43:24 -07:00			`do {`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`if (!this.k \|\| badrs > 0) {`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`this.deterministicK(badrs);`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`}`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`badrs++;`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`k = this.k;`
			`Q = G.mul(k);`
			`r = Q.x.mod(N);`
			`s = k.invm(N).mul(e.add(d.mul(r))).mod(N);`
Fix invocations to binary operations called on numbers 2015-02-05 12:24:48 -08:00			`} while (r.cmp(BN.Zero) <= 0 \|\| s.cmp(BN.Zero) <= 0);`
ecdsa 2014-08-09 17:43:24 -07:00
hash 100% coverage 2014-12-19 14:23:30 -08:00			`s = ECDSA.toLowS(s);`
			`return {`
refactor BN and ECDSA 2014-12-19 12:10:58 -08:00			`s: s,`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`r: r`
			`};`

			`};`

			`ECDSA.prototype.sign = function() {`
			`var hashbuf = this.hashbuf;`
			`var privkey = this.privkey;`
			`var d = privkey.bn;`

			`$.checkState(hashbuf && privkey && d, new Error('invalid parameters'));`
			`$.checkState(BufferUtil.isBuffer(hashbuf) && hashbuf.length === 32, new Error('hashbuf must be a 32 byte buffer'));`

			`var e = BN.fromBuffer(hashbuf, this.endian ? {`
			`endian: this.endian`
			`} : undefined);`

			`var obj = this._findSignature(d, e);`
			`obj.compressed = this.pubkey.compressed;`

			`this.sig = new Signature(obj);`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`return this;`
ecdsa 2014-08-09 17:43:24 -07:00			`};`

			`ECDSA.prototype.signRandomK = function() {`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`this.randomK();`
ecdsa 2014-08-09 17:43:24 -07:00			`return this.sign();`
			`};`

add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`ECDSA.prototype.toString = function() {`
			`var obj = {};`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`if (this.hashbuf) {`
"hashbuf" indicates type is a buffer 2014-08-20 10:46:01 -07:00			`obj.hashbuf = this.hashbuf.toString('hex');`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`}`
			`if (this.privkey) {`
Tests: Updated tests to run from sub-directories and fixed crypto and encoding related missing updates. 2014-11-25 11:20:43 -08:00			`obj.privkey = this.privkey.toString();`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`}`
			`if (this.pubkey) {`
			`obj.pubkey = this.pubkey.toString();`
			`}`
			`if (this.sig) {`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`obj.sig = this.sig.toString();`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`}`
			`if (this.k) {`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`obj.k = this.k.toString();`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`}`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`return JSON.stringify(obj);`
			`};`

ecdsa 2014-08-09 17:43:24 -07:00			`ECDSA.prototype.verify = function() {`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`if (!this.sigError()) {`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`this.verified = true;`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`} else {`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`this.verified = false;`
hash 100% coverage 2014-12-19 14:23:30 -08:00			`}`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`return this;`
ecdsa 2014-08-09 17:43:24 -07:00			`};`

Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`ECDSA.sign = function(hashbuf, privkey, endian) {`
sign, verify convenience functions 2014-09-16 11:34:28 -07:00			`return ECDSA().set({`
			`hashbuf: hashbuf,`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`endian: endian,`
Tests: Updated tests to run from sub-directories and fixed crypto and encoding related missing updates. 2014-11-25 11:20:43 -08:00			`privkey: privkey`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`}).sign().sig;`
sign, verify convenience functions 2014-09-16 11:34:28 -07:00			`};`

Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`ECDSA.verify = function(hashbuf, sig, pubkey, endian) {`
sign, verify convenience functions 2014-09-16 11:34:28 -07:00			`return ECDSA().set({`
			`hashbuf: hashbuf,`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`endian: endian,`
sign, verify convenience functions 2014-09-16 11:34:28 -07:00			`sig: sig,`
Tests: Updated tests to run from sub-directories and fixed crypto and encoding related missing updates. 2014-11-25 11:20:43 -08:00			`pubkey: pubkey`
Backport changes to ecdsa from fullnode 2014-12-09 06:15:31 -08:00			`}).verify().verified;`
sign, verify convenience functions 2014-09-16 11:34:28 -07:00			`};`

ecdsa 2014-08-09 17:43:24 -07:00			`module.exports = ECDSA;`