bitcore/lib/crypto/ecdsa.js

var BN = require('./bn');
var Point = require('./point');
var Signature = require('./signature');
var Keypair = require('./keypair');
var Pubkey = require('./pubkey');
var Random = require('./random');

var ECDSA = function ECDSA(obj) {
  if (!(this instanceof ECDSA))
    return new ECDSA(obj);
  if (obj)
    this.set(obj);
};

ECDSA.prototype.set = function(obj) {
  this.hashbuf = obj.hashbuf || this.hashbuf;
  this.keypair = obj.keypair || this.keypair;
  this.sig = obj.sig || this.sig;
  this.k = obj.k || this.k;
  this.verified = obj.verified || this.verified;
  return this;
};

ECDSA.prototype.calci = function() {
  for (var i = 0; i < 4; i++) {
    this.sig.i = i;
    try {
      var Qprime = this.sig2pubkey();
    } catch (e) {
      continue;
    }

    if (Qprime.point.eq(this.keypair.pubkey.point)) {
      this.sig.compressed = this.keypair.pubkey.compressed;
      return this;
    }
  }

  this.sig.i = undefined;
  throw new Error('Unable to find valid recovery factor');
};

ECDSA.prototype.fromString = function(str) {
  var obj = JSON.parse(str);
  if (obj.hashbuf)
    this.hashbuf = new Buffer(obj.hashbuf, 'hex');
  if (obj.keypair)
    this.keypair = Keypair().fromString(obj.keypair);
  if (obj.sig)
    this.sig = Signature().fromString(obj.sig);
  if (obj.k)
    this.k = BN(obj.k, 10);
  return this;
};

ECDSA.prototype.randomK = function() {
  var N = Point.getN();
  var k;
  do {
    k = BN().fromBuffer(Random.getRandomBuffer(32));
  } while (!(k.lt(N) && k.gt(0)));
  this.k = k;
  return this;
};

// Information about public key recovery:
// https://bitcointalk.org/index.php?topic=6430.0
// http://stackoverflow.com/questions/19665491/how-do-i-get-an-ecdsa-public-key-from-just-a-bitcoin-signature-sec1-4-1-6-k
ECDSA.prototype.sig2pubkey = function() {
  var i = this.sig.i;
  if (!(i === 0 || i === 1 || i === 2 || i === 3))
    throw new Error('i must be equal to 0, 1, 2, or 3');

  var e = BN().fromBuffer(this.hashbuf);
  var r = this.sig.r;
  var s = this.sig.s;

  // A set LSB signifies that the y-coordinate is odd
  var isYOdd = i & 1;

  // The more significant bit specifies whether we should use the
  // first or second candidate key.
  var isSecondKey = i >> 1;

  var n = Point.getN();
  var G = Point.getG();

  // 1.1 Let x = r + jn
  var x = isSecondKey ? r.add(n) : r;
  var R = Point.fromX(isYOdd, x);

  // 1.4 Check that nR is at infinity
  var nR = R.mul(n);

  if (!nR.isInfinity())
    throw new Error('nR is not a valid curve point');

  // Compute -e from e
  var eNeg = e.neg().mod(n);

  // 1.6.1 Compute Q = r^-1 (sR - eG)
  // Q = r^-1 (sR + -eG)
  var rInv = r.invm(n);

  //var Q = R.multiplyTwo(s, G, eNeg).mul(rInv);
  var Q = R.mul(s).add(G.mul(eNeg)).mul(rInv);

  var pubkey = new Pubkey({point: Q});
  pubkey.compressed = this.sig.compressed;
  pubkey.validate();

  return pubkey;
};

ECDSA.prototype.sigError = function() {
  if (!Buffer.isBuffer(this.hashbuf) || this.hashbuf.length !== 32)
    return 'hashbuf must be a 32 byte buffer';

  try {
    this.keypair.pubkey.validate();
  } catch (e) {
    return 'Invalid pubkey: ' + e;
  }

  var r = this.sig.r;
  var s = this.sig.s;
  if (!(r.gt(0) && r.lt(Point.getN()))
   || !(s.gt(0) && s.lt(Point.getN())))
    return 'r and s not in range';

  var e = BN().fromBuffer(this.hashbuf);
  var n = Point.getN();
  var sinv = s.invm(n);
  var u1 = sinv.mul(e).mod(n);
  var u2 = sinv.mul(r).mod(n);

  var p = Point.getG().mulAdd(u1, this.keypair.pubkey.point, u2);
  if (p.isInfinity())
    return 'p is infinity';

  if (!(p.getX().mod(n).cmp(r) === 0))
    return 'Invalid signature';
  else
    return false;
};

ECDSA.prototype.sign = function() {
  var hashbuf = this.hashbuf;
  var privkey = this.keypair.privkey;
  var k = this.k;
  var d = privkey.bn;

  if (!k)
    throw new Error('You must specify k - perhaps you should run signRandomK instead');

  if (!hashbuf || !privkey || !d)
    throw new Error('invalid parameters');

  if (!Buffer.isBuffer(hashbuf) || hashbuf.length !== 32)
    throw new Error('hashbuf must be a 32 byte buffer');

  var N = Point.getN();
  var G = Point.getG();
  var e = BN().fromBuffer(hashbuf);

  do {
    var Q = G.mul(k);
    var r = Q.x.mod(N);
    var s = k.invm(N).mul(e.add(d.mul(r))).mod(N);
  } while (r.cmp(0) <= 0 || s.cmp(0) <= 0);

  this.sig = new Signature({r: r, s: s, compressed: this.keypair.pubkey.compressed});
  return this.sig;
};

ECDSA.prototype.signRandomK = function() {
  var k = this.randomK();
  return this.sign();
};

ECDSA.prototype.toString = function() {
  var obj = {};
  if (this.hashbuf)
    obj.hashbuf = this.hashbuf.toString('hex');
  if (this.keypair)
    obj.keypair = this.keypair.toString();
  if (this.sig)
    obj.sig = this.sig.toString();
  if (this.k)
    obj.k = this.k.toString();
  return JSON.stringify(obj);
};

ECDSA.prototype.verify = function() {
  if (!this.sigError())
    return true;
  else
    return false;
};

ECDSA.sign = function(hashbuf, keypair) {
  return ECDSA().set({
    hashbuf: hashbuf,
    keypair: keypair
  }).signRandomK();
};

ECDSA.verify = function(hashbuf, sig, pubkey) {
  return ECDSA().set({
    hashbuf: hashbuf,
    sig: sig,
    keypair: Keypair().set({pubkey: pubkey})
  }).verify();
};

module.exports = ECDSA;
recover public key from signature 2014-08-19 17:15:54 -07:00			`var BN = require('./bn');`
			`var Point = require('./point');`
ecdsa 2014-08-09 17:43:24 -07:00			`var Signature = require('./signature');`
Key -> Keypair "Keypair" is a more explanatory name, and also should be less confused with other kinds of keys (particularly "cipher keys", which are the keys used in symmetric block ciphers, especially AES). 2014-08-29 14:18:56 -07:00			`var Keypair = require('./keypair');`
ecdsa 2014-08-09 17:43:24 -07:00			`var Pubkey = require('./pubkey');`
			`var Random = require('./random');`

ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`var ECDSA = function ECDSA(obj) {`
allow creating objects without using "new" 2014-08-13 15:55:33 -07:00			`if (!(this instanceof ECDSA))`
ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`return new ECDSA(obj);`
			`if (obj)`
			`this.set(obj);`
			`};`

			`ECDSA.prototype.set = function(obj) {`
"undefined"s are unnecessary 2014-09-16 10:10:06 -07:00			`this.hashbuf = obj.hashbuf \|\| this.hashbuf;`
			`this.keypair = obj.keypair \|\| this.keypair;`
			`this.sig = obj.sig \|\| this.sig;`
			`this.k = obj.k \|\| this.k;`
			`this.verified = obj.verified \|\| this.verified;`
ECDSA.prototype.set 2014-08-28 16:07:28 -07:00			`return this;`
ecdsa 2014-08-09 17:43:24 -07:00			`};`

recover public key from signature 2014-08-19 17:15:54 -07:00			`ECDSA.prototype.calci = function() {`
			`for (var i = 0; i < 4; i++) {`
			`this.sig.i = i;`
			`try {`
			`var Qprime = this.sig2pubkey();`
			`} catch (e) {`
			`continue;`
			`}`

key -> keypair Since the class has been renamed Key -> Keypair, instances should be renamed key -> keypair. 2014-09-02 16:36:21 -07:00			`if (Qprime.point.eq(this.keypair.pubkey.point)) {`
			`this.sig.compressed = this.keypair.pubkey.compressed;`
recover public key from signature 2014-08-19 17:15:54 -07:00			`return this;`
			`}`
			`}`

			`this.sig.i = undefined;`
			`throw new Error('Unable to find valid recovery factor');`
			`};`

add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`ECDSA.prototype.fromString = function(str) {`
			`var obj = JSON.parse(str);`
"hashbuf" indicates type is a buffer 2014-08-20 10:46:01 -07:00			`if (obj.hashbuf)`
			`this.hashbuf = new Buffer(obj.hashbuf, 'hex');`
key -> keypair Since the class has been renamed Key -> Keypair, instances should be renamed key -> keypair. 2014-09-02 16:36:21 -07:00			`if (obj.keypair)`
			`this.keypair = Keypair().fromString(obj.keypair);`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`if (obj.sig)`
recover public key from signature 2014-08-19 17:15:54 -07:00			`this.sig = Signature().fromString(obj.sig);`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`if (obj.k)`
recover public key from signature 2014-08-19 17:15:54 -07:00			`this.k = BN(obj.k, 10);`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`return this;`
			`};`

			`ECDSA.prototype.randomK = function() {`
recover public key from signature 2014-08-19 17:15:54 -07:00			`var N = Point.getN();`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`var k;`
			`do {`
recover public key from signature 2014-08-19 17:15:54 -07:00			`k = BN().fromBuffer(Random.getRandomBuffer(32));`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`} while (!(k.lt(N) && k.gt(0)));`
			`this.k = k;`
			`return this;`
			`};`

add info on public key recovery 2014-08-24 14:26:17 -07:00			`// Information about public key recovery:`
			`// https://bitcointalk.org/index.php?topic=6430.0`
			`// http://stackoverflow.com/questions/19665491/how-do-i-get-an-ecdsa-public-key-from-just-a-bitcoin-signature-sec1-4-1-6-k`
recover public key from signature 2014-08-19 17:15:54 -07:00			`ECDSA.prototype.sig2pubkey = function() {`
			`var i = this.sig.i;`
			`if (!(i === 0 \|\| i === 1 \|\| i === 2 \|\| i === 3))`
fix error message 2014-08-24 12:50:21 -07:00			`throw new Error('i must be equal to 0, 1, 2, or 3');`
recover public key from signature 2014-08-19 17:15:54 -07:00
"hashbuf" indicates type is a buffer 2014-08-20 10:46:01 -07:00			`var e = BN().fromBuffer(this.hashbuf);`
recover public key from signature 2014-08-19 17:15:54 -07:00			`var r = this.sig.r;`
			`var s = this.sig.s;`

			`// A set LSB signifies that the y-coordinate is odd`
			`var isYOdd = i & 1;`

			`// The more significant bit specifies whether we should use the`
			`// first or second candidate key.`
			`var isSecondKey = i >> 1;`

			`var n = Point.getN();`
			`var G = Point.getG();`

			`// 1.1 Let x = r + jn`
			`var x = isSecondKey ? r.add(n) : r;`
			`var R = Point.fromX(isYOdd, x);`

			`// 1.4 Check that nR is at infinity`
			`var nR = R.mul(n);`

			`if (!nR.isInfinity())`
			`throw new Error('nR is not a valid curve point');`

			`// Compute -e from e`
			`var eNeg = e.neg().mod(n);`

			`// 1.6.1 Compute Q = r^-1 (sR - eG)`
			`// Q = r^-1 (sR + -eG)`
			`var rInv = r.invm(n);`

			`//var Q = R.multiplyTwo(s, G, eNeg).mul(rInv);`
			`var Q = R.mul(s).add(G.mul(eNeg)).mul(rInv);`

Pubkey.prototype.set 2014-08-28 17:41:38 -07:00			`var pubkey = new Pubkey({point: Q});`
sign/verify with uncompressed pubkeys 2014-08-22 19:43:32 -07:00			`pubkey.compressed = this.sig.compressed;`
recover public key from signature 2014-08-19 17:15:54 -07:00			`pubkey.validate();`

			`return pubkey;`
			`};`

ecdsa 2014-08-09 17:43:24 -07:00			`ECDSA.prototype.sigError = function() {`
"hashbuf" indicates type is a buffer 2014-08-20 10:46:01 -07:00			`if (!Buffer.isBuffer(this.hashbuf) \|\| this.hashbuf.length !== 32)`
improve error message 2014-09-16 11:44:51 -07:00			`return 'hashbuf must be a 32 byte buffer';`
ecdsa 2014-08-09 17:43:24 -07:00
			`try {`
key -> keypair Since the class has been renamed Key -> Keypair, instances should be renamed key -> keypair. 2014-09-02 16:36:21 -07:00			`this.keypair.pubkey.validate();`
ecdsa 2014-08-09 17:43:24 -07:00			`} catch (e) {`
			`return 'Invalid pubkey: ' + e;`
recover public key from signature 2014-08-19 17:15:54 -07:00			`}`
ecdsa 2014-08-09 17:43:24 -07:00
			`var r = this.sig.r;`
			`var s = this.sig.s;`
recover public key from signature 2014-08-19 17:15:54 -07:00			`if (!(r.gt(0) && r.lt(Point.getN()))`
			`\|\| !(s.gt(0) && s.lt(Point.getN())))`
ecdsa 2014-08-09 17:43:24 -07:00			`return 'r and s not in range';`

"hashbuf" indicates type is a buffer 2014-08-20 10:46:01 -07:00			`var e = BN().fromBuffer(this.hashbuf);`
recover public key from signature 2014-08-19 17:15:54 -07:00			`var n = Point.getN();`
ecdsa 2014-08-09 17:43:24 -07:00			`var sinv = s.invm(n);`
			`var u1 = sinv.mul(e).mod(n);`
			`var u2 = sinv.mul(r).mod(n);`

key -> keypair Since the class has been renamed Key -> Keypair, instances should be renamed key -> keypair. 2014-09-02 16:36:21 -07:00			`var p = Point.getG().mulAdd(u1, this.keypair.pubkey.point, u2);`
ecdsa 2014-08-09 17:43:24 -07:00			`if (p.isInfinity())`
			`return 'p is infinity';`

			`if (!(p.getX().mod(n).cmp(r) === 0))`
			`return 'Invalid signature';`
			`else`
			`return false;`
			`};`

			`ECDSA.prototype.sign = function() {`
"hashbuf" indicates type is a buffer 2014-08-20 10:46:01 -07:00			`var hashbuf = this.hashbuf;`
key -> keypair Since the class has been renamed Key -> Keypair, instances should be renamed key -> keypair. 2014-09-02 16:36:21 -07:00			`var privkey = this.keypair.privkey;`
ecdsa 2014-08-09 17:43:24 -07:00			`var k = this.k;`
more consistency: n -> bn, p -> point 2014-08-13 12:23:06 -07:00			`var d = privkey.bn;`
ecdsa 2014-08-09 17:43:24 -07:00
message signing 2014-08-21 15:50:38 -07:00			`if (!k)`
			`throw new Error('You must specify k - perhaps you should run signRandomK instead');`

			`if (!hashbuf \|\| !privkey \|\| !d)`
remove "(classname): " from tests ...to reduce the burden on writing new code 2014-08-20 13:03:07 -07:00			`throw new Error('invalid parameters');`
ecdsa 2014-08-09 17:43:24 -07:00
throw error if hashbuf is not 32 bytes 2014-09-16 11:33:49 -07:00			`if (!Buffer.isBuffer(hashbuf) \|\| hashbuf.length !== 32)`
			`throw new Error('hashbuf must be a 32 byte buffer');`

recover public key from signature 2014-08-19 17:15:54 -07:00			`var N = Point.getN();`
			`var G = Point.getG();`
"hashbuf" indicates type is a buffer 2014-08-20 10:46:01 -07:00			`var e = BN().fromBuffer(hashbuf);`
ecdsa 2014-08-09 17:43:24 -07:00
			`do {`
			`var Q = G.mul(k);`
			`var r = Q.x.mod(N);`
			`var s = k.invm(N).mul(e.add(d.mul(r))).mod(N);`
			`} while (r.cmp(0) <= 0 \|\| s.cmp(0) <= 0);`

key -> keypair Since the class has been renamed Key -> Keypair, instances should be renamed key -> keypair. 2014-09-02 16:36:21 -07:00			`this.sig = new Signature({r: r, s: s, compressed: this.keypair.pubkey.compressed});`
ecdsa 2014-08-09 17:43:24 -07:00			`return this.sig;`
			`};`

			`ECDSA.prototype.signRandomK = function() {`
			`var k = this.randomK();`
			`return this.sign();`
			`};`

add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`ECDSA.prototype.toString = function() {`
			`var obj = {};`
"hashbuf" indicates type is a buffer 2014-08-20 10:46:01 -07:00			`if (this.hashbuf)`
			`obj.hashbuf = this.hashbuf.toString('hex');`
key -> keypair Since the class has been renamed Key -> Keypair, instances should be renamed key -> keypair. 2014-09-02 16:36:21 -07:00			`if (this.keypair)`
			`obj.keypair = this.keypair.toString();`
add tests for all ecdsa functions 2014-08-09 19:42:25 -07:00			`if (this.sig)`
			`obj.sig = this.sig.toString();`
			`if (this.k)`
			`obj.k = this.k.toString();`
			`return JSON.stringify(obj);`
			`};`

ecdsa 2014-08-09 17:43:24 -07:00			`ECDSA.prototype.verify = function() {`
			`if (!this.sigError())`
			`return true;`
			`else`
			`return false;`
			`};`

sign, verify convenience functions 2014-09-16 11:34:28 -07:00			`ECDSA.sign = function(hashbuf, keypair) {`
			`return ECDSA().set({`
			`hashbuf: hashbuf,`
			`keypair: keypair`
			`}).signRandomK();`
			`};`

			`ECDSA.verify = function(hashbuf, sig, pubkey) {`
			`return ECDSA().set({`
			`hashbuf: hashbuf,`
			`sig: sig,`
			`keypair: Keypair().set({pubkey: pubkey})`
			`}).verify();`
			`};`

ecdsa 2014-08-09 17:43:24 -07:00			`module.exports = ECDSA;`