'use strict'; var BN = require('./bn'); var _ = require('lodash'); var $ = require('../util/preconditions'); var BufferUtil = require('../util/buffer'); var Signature = function Signature(r, s) { if (!(this instanceof Signature)) { return new Signature(r, s); } if (r instanceof BN) { this.set({ r: r, s: s }); } else if (r) { var obj = r; this.set(obj); } }; /* jshint maxcomplexity: 7 */ Signature.prototype.set = function(obj) { this.r = obj.r || this.r || undefined; this.s = obj.s || this.s || undefined; this.i = typeof obj.i !== 'undefined' ? obj.i : this.i; //public key recovery parameter in range [0, 3] this.compressed = typeof obj.compressed !== 'undefined' ? obj.compressed : this.compressed; //whether the recovered pubkey is compressed return this; }; Signature.fromCompact = function(buf) { var sig = new Signature(); //TODO: handle uncompressed pubkeys var compressed = true; var i = buf.slice(0, 1)[0] - 27 - 4; var b2 = buf.slice(1, 33); var b3 = buf.slice(33, 65); $.checkArgument(i === 0 || i === 1 || i === 2 || i === 3, new Error('i must be 0, 1, 2, or 3')); $.checkArgument(b2.length === 32, new Error('r must be 32 bytes')); $.checkArgument(b3.length === 32, new Error('s must be 32 bytes')); sig.compressed = compressed; sig.i = i; sig.r = BN.fromBuffer(b2); sig.s = BN.fromBuffer(b3); return sig; }; Signature.fromDER = Signature.fromBuffer = function(buf, strict) { var obj = Signature.parseDER(buf, strict); var sig = new Signature(); sig.r = obj.r; sig.s = obj.s; return sig; }; // The format used in a tx Signature.fromTxFormat = function(buf) { var nhashtype = buf.readUInt8(buf.length - 1); var derbuf = buf.slice(0, buf.length - 1); var sig = new Signature.fromDER(derbuf, false); sig.nhashtype = nhashtype; return sig; }; Signature.fromString = function(str) { var buf = new Buffer(str, 'hex'); return Signature.fromDER(buf); }; /** * In order to mimic the non-strict DER encoding of OpenSSL, set strict = false. */ Signature.parseDER = function(buf, strict) { $.checkArgument(BufferUtil.isBuffer(buf), new Error('DER formatted signature should be a buffer')); if (_.isUndefined(strict)) { strict = true; } var header = buf[0]; $.checkArgument(header === 0x30, new Error('Header byte should be 0x30')); var length = buf[1]; var buflength = buf.slice(2).length; $.checkArgument(!strict || length === buflength, new Error('Length byte should length of what follows')); length = length < buflength ? length : buflength; var rheader = buf[2 + 0]; $.checkArgument(rheader === 0x02, new Error('Integer byte for r should be 0x02')); var rlength = buf[2 + 1]; var rbuf = buf.slice(2 + 2, 2 + 2 + rlength); var r = BN.fromBuffer(rbuf); var rneg = buf[2 + 1 + 1] === 0x00 ? true : false; $.checkArgument(rlength === rbuf.length, new Error('Length of r incorrect')); var sheader = buf[2 + 2 + rlength + 0]; $.checkArgument(sheader === 0x02, new Error('Integer byte for s should be 0x02')); var slength = buf[2 + 2 + rlength + 1]; var sbuf = buf.slice(2 + 2 + rlength + 2, 2 + 2 + rlength + 2 + slength); var s = BN.fromBuffer(sbuf); var sneg = buf[2 + 2 + rlength + 2 + 2] === 0x00 ? true : false; $.checkArgument(slength === sbuf.length, new Error('Length of s incorrect')); var sumlength = 2 + 2 + rlength + 2 + slength; $.checkArgument(length === sumlength - 2, new Error('Length of signature incorrect')); var obj = { header: header, length: length, rheader: rheader, rlength: rlength, rneg: rneg, rbuf: rbuf, r: r, sheader: sheader, slength: slength, sneg: sneg, sbuf: sbuf, s: s }; return obj; }; Signature.prototype.toCompact = function(i, compressed) { i = typeof i === 'number' ? i : this.i; compressed = typeof compressed === 'boolean' ? compressed : this.compressed; if (!(i === 0 || i === 1 || i === 2 || i === 3)) { throw new Error('i must be equal to 0, 1, 2, or 3'); } var val = i + 27 + 4; if (compressed === false) val = val - 4; var b1 = new Buffer([val]); var b2 = this.r.toBuffer({ size: 32 }); var b3 = this.s.toBuffer({ size: 32 }); return Buffer.concat([b1, b2, b3]); }; Signature.prototype.toBuffer = Signature.prototype.toDER = function() { var rnbuf = this.r.toBuffer(); var snbuf = this.s.toBuffer(); var rneg = rnbuf[0] & 0x80 ? true : false; var sneg = snbuf[0] & 0x80 ? true : false; var rbuf = rneg ? Buffer.concat([new Buffer([0x00]), rnbuf]) : rnbuf; var sbuf = sneg ? Buffer.concat([new Buffer([0x00]), snbuf]) : snbuf; var rlength = rbuf.length; var slength = sbuf.length; var length = 2 + rlength + 2 + slength; var rheader = 0x02; var sheader = 0x02; var header = 0x30; var der = Buffer.concat([new Buffer([header, length, rheader, rlength]), rbuf, new Buffer([sheader, slength]), sbuf]); return der; }; Signature.prototype.toString = function() { var buf = this.toDER(); return buf.toString('hex'); }; /** * This function is translated from bitcoind's IsDERSignature and is used in * the script interpreter. This "DER" format actually includes an extra byte, * the nhashtype, at the end. It is really the tx format, not DER format. * * A canonical signature exists of: [30] [total len] [02] [len R] [R] [02] [len S] [S] [hashtype] * Where R and S are not negative (their first byte has its highest bit not set), and not * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows, * in which case a single 0 byte is necessary and even required). * * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623 */ Signature.isTxDER = function(buf) { if (buf.length < 9) { // Non-canonical signature: too short return false; } if (buf.length > 73) { // Non-canonical signature: too long return false; } if (buf[0] !== 0x30) { // Non-canonical signature: wrong type return false; } if (buf[1] !== buf.length - 3) { // Non-canonical signature: wrong length marker return false; } var nLenR = buf[3]; if (5 + nLenR >= buf.length) { // Non-canonical signature: S length misplaced return false; } var nLenS = buf[5 + nLenR]; if ((nLenR + nLenS + 7) !== buf.length) { // Non-canonical signature: R+S length mismatch return false; } var R = buf.slice(4); if (buf[4 - 2] !== 0x02) { // Non-canonical signature: R value type mismatch return false; } if (nLenR === 0) { // Non-canonical signature: R length is zero return false; } if (R[0] & 0x80) { // Non-canonical signature: R value negative return false; } if (nLenR > 1 && (R[0] === 0x00) && !(R[1] & 0x80)) { // Non-canonical signature: R value excessively padded return false; } var S = buf.slice(6 + nLenR); if (buf[6 + nLenR - 2] !== 0x02) { // Non-canonical signature: S value type mismatch return false; } if (nLenS === 0) { // Non-canonical signature: S length is zero return false; } if (S[0] & 0x80) { // Non-canonical signature: S value negative return false; } if (nLenS > 1 && (S[0] === 0x00) && !(S[1] & 0x80)) { // Non-canonical signature: S value excessively padded return false; } return true; }; /** * Compares to bitcoind's IsLowDERSignature * See also ECDSA signature algorithm which enforces this. * See also BIP 62, "low S values in signatures" */ Signature.prototype.hasLowS = function() { if (this.s.lt(new BN(1)) || this.s.gt(new BN('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0'))) { return false; } return true; }; /** * @returns true if the nhashtype is exactly equal to one of the standard options or combinations thereof. * Translated from bitcoind's IsDefinedHashtypeSignature */ Signature.prototype.hasDefinedHashtype = function() { if (this.nhashtype < Signature.SIGHASH_ALL || this.nhashtype > Signature.SIGHASH_SINGLE) { return false; } return true; }; Signature.prototype.toTxFormat = function() { var derbuf = this.toDER(); var buf = new Buffer(1); buf.writeUInt8(this.nhashtype, 0); return Buffer.concat([derbuf, buf]); }; Signature.SIGHASH_ALL = 0x01; Signature.SIGHASH_NONE = 0x02; Signature.SIGHASH_SINGLE = 0x03; Signature.SIGHASH_ANYONECANPAY = 0x80; module.exports = Signature;