@bsv/sdk 1.9.23 → 1.9.29

package/src/primitives/__tests/ECDSA.test.ts

@@ -2,6 +2,7 @@ import * as ECDSA from '../../primitives/ECDSA'
 import BigNumber from '../../primitives/BigNumber'
 import Curve from '../../primitives/Curve'
 import Signature from '../../primitives/Signature'
+import Point from '../../primitives/Point'
 
 const msg = new BigNumber('deadbeef', 16)
 const key = new BigNumber(
@@ -90,4 +91,30 @@ describe('ECDSA', () => {
       ECDSA.sign(msg, key, undefined, n)
     ).toThrow()
   })
+
+  it('k·G + (−k·G) results in point at infinity (TOB-25)', () => {
+    const k = new BigNumber('123456789abcdef', 16)
+
+    const P = curve.g.mul(k)
+    const negP = P.neg()
+    const sum = P.add(negP)
+
+    expect(sum.isInfinity()).toBe(true)
+  })
+
+  it('scalar multiplication by zero returns point at infinity (TOB-25)', () => {
+    const zero = new BigNumber(0)
+    const result = curve.g.mul(zero)
+
+    expect(result.isInfinity()).toBe(true)
+  })
+
+  it('ECDSA verify rejects point-at-infinity public key (TOB-25)', () => {
+    const signature = ECDSA.sign(msg, key)
+    const infinityPub = new Point(null, null)
+
+    expect(() =>
+      ECDSA.verify(msg, signature, infinityPub)
+    ).toThrow()
+  })
 })

package/src/primitives/__tests/Hash.test.ts

@@ -105,9 +105,9 @@ describe('Hash', function () {
   describe('BaseHash padding and endianness', () => {
     it('encodes length in big-endian for SHA1', () => {
       const sha1 = new (hash as any).SHA1()
-      ;(sha1 as any).pendingTotal = 12345
-      const pad = (sha1 as any)._pad() as number[]
-      const padLength = (sha1 as any).padLength as number
+      ;(sha1).pendingTotal = 12345
+      const pad = (sha1)._pad() as number[]
+      const padLength = (sha1).padLength as number
       const lengthBytes = pad.slice(-padLength)
 
       const totalBits = BigInt(12345) * 8n
@@ -123,9 +123,9 @@ describe('Hash', function () {
 
     it('encodes length in little-endian for RIPEMD160', () => {
       const ripemd = new (hash as any).RIPEMD160()
-      ;(ripemd as any).pendingTotal = 12345
-      const pad = (ripemd as any)._pad() as number[]
-      const padLength = (ripemd as any).padLength as number
+      ;(ripemd).pendingTotal = 12345
+      const pad = (ripemd)._pad() as number[]
+      const padLength = (ripemd).padLength as number
       const lengthBytes = pad.slice(-padLength)
 
       const totalBits = BigInt(12345) * 8n
@@ -141,11 +141,11 @@ describe('Hash', function () {
 
     it('throws when message length exceeds maximum encodable bits', () => {
       const sha1 = new (hash as any).SHA1()
-      ;(sha1 as any).padLength = 1
-      ;(sha1 as any).pendingTotal = 40
+      ;(sha1).padLength = 1
+      ;(sha1).pendingTotal = 40
 
       expect(() => {
-        ;(sha1 as any)._pad()
+        ;(sha1)._pad()
       }).toThrow(new Error('Message too long for this hash function'))
     })
   })
@@ -180,7 +180,6 @@ describe('Hash', function () {
   })
 
   describe('Hash strict length validation (TOB-21)', () => {
-
     it('throws when pendingTotal is not a safe integer', () => {
       const h = new SHA1()
 
@@ -201,4 +200,57 @@ describe('Hash', function () {
       }).toThrow('Message too long for this hash function')
     })
   })
+
+  describe('TOB-20 byte-order helper functions', () => {
+    const { htonl, swapBytes32, realHtonl } = hash
+
+    it('swapBytes32 performs a strict 32-bit byte swap', () => {
+      expect(swapBytes32(0x11223344)).toBe(0x44332211)
+      expect(swapBytes32(0xaabbccdd)).toBe(0xddccbbaa)
+      expect(swapBytes32(0x00000000)).toBe(0x00000000)
+      expect(swapBytes32(0xffffffff)).toBe(0xffffffff)
+    })
+
+    it('swapBytes32 always returns an unsigned 32-bit integer', () => {
+      expect(swapBytes32(-1)).toBe(0xffffffff) // wraps to unsigned
+      expect(swapBytes32(0x80000000)).toBe(0x00000080) // MSB becomes LSB
+    })
+
+    it('htonl is now an alias for swapBytes32 (deprecated)', () => {
+      expect(htonl(0x11223344)).toBe(swapBytes32(0x11223344))
+      expect(htonl(0xaabbccdd)).toBe(swapBytes32(0xaabbccdd))
+    })
+
+    it('realHtonl matches swapBytes32 on little-endian systems', () => {
+      // All JS engines used for Node/Jest are little-endian
+      expect(realHtonl(0x11223344)).toBe(0x44332211)
+      expect(realHtonl(0xaabbccdd)).toBe(0xddccbbaa)
+    })
+
+    it('realHtonl preserves value when system is big-endian (forced simulation)', () => {
+      // We simulate the big-endian branch of realHtonl by calling
+      // the fallback path directly.
+      const forceBigEndianRealHtonl = (w: number) => (w >>> 0)
+
+      expect(forceBigEndianRealHtonl(0x11223344)).toBe(0x11223344)
+      expect(forceBigEndianRealHtonl(0xaabbccdd)).toBe(0xaabbccdd)
+      expect(forceBigEndianRealHtonl(0xffffffff)).toBe(0xffffffff >>> 0)
+    })
+
+    it('htonl, swapBytes32, realHtonl never throw for any 32-bit input', () => {
+      const inputs = [
+        0, 1, -1,
+        0x7fffffff,
+        0x80000000,
+        0xffffffff,
+        0x12345678
+      ]
+
+      for (const n of inputs) {
+        expect(() => htonl(n)).not.toThrow()
+        expect(() => swapBytes32(n)).not.toThrow()
+        expect(() => realHtonl(n)).not.toThrow()
+      }
+    })
+  })
 })

package/src/primitives/__tests/Point.test.ts

@@ -0,0 +1,52 @@
+import Point from '../../primitives/Point'
+
+describe('Point.fromJSON / fromDER / fromX curve validation (TOB-24)', () => {
+  it('rejects clearly off-curve coordinates', () => {
+    expect(() =>
+      Point.fromJSON([123, 456], true)
+    ).toThrow(/Invalid point/)
+  })
+
+  it('rejects nested off-curve precomputed points', () => {
+    const bad = [
+      123,
+      456,
+      {
+        doubles: {
+          step: 2,
+          points: [
+            [1, 2],
+            [3, 4]
+          ]
+        }
+      }
+    ]
+    expect(() => Point.fromJSON(bad, true)).toThrow(/Invalid point/)
+  })
+
+  it('accepts valid generator point from toJSON → fromJSON roundtrip', () => {
+    // Compressed secp256k1 G:
+    const G_COMPRESSED =
+      '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'
+
+    const g = Point.fromString(G_COMPRESSED)
+    const serialized = g.toJSON()
+    const restored = Point.fromJSON(serialized as any, true)
+
+    expect(restored.eq(g)).toBe(true)
+  })
+
+  it('rejects invalid compressed points in fromDER', () => {
+    // 0x02 is a valid compressed prefix, but x = 0 gives y^2 = 7,
+    // which has no square root mod p on secp256k1 → invalid point.
+    const der = [0x02, ...Array(32).fill(0x00)]
+    expect(() => Point.fromDER(der)).toThrow(/Invalid point/)
+    })
+
+  it('fromX rejects values with no square root mod p', () => {
+    // x = 0 ⇒ y^2 = 7, which has no square root mod p on secp256k1.
+    // This guarantees that fromX must reject it.
+    const badX = '0000000000000000000000000000000000000000000000000000000000000000'
+    expect(() => Point.fromX(badX, true)).toThrow(/Invalid point/)
+    })
+})

package/src/primitives/__tests/utils.test.ts

@@ -9,7 +9,8 @@ import {
   toBase58,
   fromBase58Check,
   toBase58Check,
-  verifyNotNull
+  verifyNotNull,
+  constantTimeEquals
 } from '../../primitives/utils'
 import Point from '../../primitives/Point'
 
@@ -376,3 +377,25 @@ describe('Point.encode infinity handling', () => {
     expect(() => p.encode()).not.toThrow()
   })
 })
+
+describe('constantTimeEquals', () => {
+  it('returns true for identical arrays', () => {
+    expect(constantTimeEquals([1, 2, 3], [1, 2, 3])).toBe(true)
+  })
+
+  it('returns false for arrays with different content', () => {
+    expect(constantTimeEquals([1, 2, 3], [1, 2, 4])).toBe(false)
+  })
+
+  it('returns false for arrays of different length', () => {
+    expect(constantTimeEquals([1, 2], [1, 2, 3])).toBe(false)
+  })
+
+  it('runs through entire array (no early exit)', () => {
+    expect(constantTimeEquals([0,0,0,0,9], [0,0,0,0,8])).toBe(false)
+  })
+
+  it('works with Uint8Array', () => {
+    expect(constantTimeEquals(new Uint8Array([5,6,7]), new Uint8Array([5,6,7]))).toBe(true)
+  })
+})

package/src/primitives/hex.ts

@@ -5,15 +5,13 @@ const PURE_HEX_REGEX = /^[0-9a-fA-F]*$/
 
 export function assertValidHex (msg: string): void {
   if (typeof msg !== 'string') {
-    console.error('assertValidHex FAIL (non-string):', msg)
-    throw new Error('Invalid hex string')
+    throw new TypeError('Invalid hex string')
   }
 
   // allow empty
   if (msg.length === 0) return
 
   if (!PURE_HEX_REGEX.test(msg)) {
-    console.error('assertValidHex FAIL (bad hex):', msg)
     throw new Error('Invalid hex string')
   }
 }

package/src/primitives/utils.ts

@@ -951,3 +951,13 @@ export function verifyNotNull<T> (value: T | undefined | null, errorMessage: str
   if (value == null) throw new Error(errorMessage)
   return value
 }
+
+export function constantTimeEquals (a: Uint8Array | number[], b: Uint8Array | number[]): boolean {
+  if (a.length !== b.length) return false
+
+  let diff = 0
+  for (let i = 0; i < a.length; i++) {
+    diff |= a[i] ^ b[i]
+  }
+  return diff === 0
+}

package/src/totp/__tests/totp.test.ts

@@ -78,4 +78,25 @@ describe('totp generation and validation', () => {
       checkAdjacentWindow(time - i * periodMS, false)
     }
   })
+
+  test('should reject wrong passcode with same length', () => {
+    jest.setSystemTime(0)
+
+    const correct = TOTP.generate(secret, options)
+
+    // Same length but definitely wrong
+    const wrong = correct === '123456' ? '654321' : '123456'
+
+    expect(wrong.length).toBe(correct.length)
+    expect(TOTP.validate(secret, wrong, options)).toBe(false)
+  })
+
+  test('should validate correct passcode using constant-time comparison', () => {
+    jest.setSystemTime(0)
+
+    const correct = TOTP.generate(secret, options)
+
+    // Ensure the code path executes constantTimeEquals and returns true
+    expect(TOTP.validate(secret, correct, options)).toBe(true)
+  })
 })

package/src/totp/totp.ts

@@ -1,5 +1,6 @@
 import { SHA1HMAC, SHA256HMAC, SHA512HMAC } from '../primitives/Hash.js'
 import BigNumber from '../primitives/BigNumber.js'
+import { constantTimeEquals, toArray } from '../primitives/utils.js'
 
 export type TOTPAlgorithm = 'SHA-1' | 'SHA-256' | 'SHA-512'
 
@@ -68,7 +69,14 @@ export class TOTP {
     }
 
     for (const c of counters) {
-      if (passcode === generateHOTP(secret, c, _options)) {
+      const expected = generateHOTP(secret, c, _options)
+
+      if (
+        constantTimeEquals(
+          toArray(passcode, 'utf8'),
+          toArray(expected, 'utf8')
+        )
+      ) {
         return true
       }
     }

package/src/wallet/ProtoWallet.ts

@@ -30,6 +30,7 @@ import {
   WalletEncryptArgs,
   WalletEncryptResult
 } from './Wallet.interfaces.js'
+import { constantTimeEquals, toArray } from '../primitives/utils.js'
 
 /**
  * A ProtoWallet is precursor to a full wallet, capable of performing all foundational cryptographic operations.
@@ -222,9 +223,13 @@ export class ProtoWallet {
       args.keyID,
       args.counterparty ?? 'self'
     )
-    const valid =
-      Hash.sha256hmac(key.toArray(), args.data).toString() ===
-      args.hmac.toString()
+    const computed = Hash.sha256hmac(key.toArray(), args.data)
+    const provided = args.hmac
+
+    const valid = constantTimeEquals(
+      toArray(computed),
+      toArray(provided)
+    )
     if (!valid) {
       const e = new Error('HMAC is not valid') as Error & { code: string }
       e.code = 'ERR_INVALID_HMAC'

package/src/wallet/__tests/ProtoWallet.test.ts

@@ -4,6 +4,19 @@ import { createNonce, verifyNonce } from '../../auth/utils'
 
 const sampleData = [3, 1, 4, 1, 5, 9]
 
+let userKey: PrivateKey
+let counterpartyKey: PrivateKey
+let user: ProtoWallet
+let counterparty: ProtoWallet
+
+beforeEach(() => {
+  userKey = PrivateKey.fromRandom()
+  counterpartyKey = PrivateKey.fromRandom()
+  user = new ProtoWallet(userKey)
+  counterparty = new ProtoWallet(counterpartyKey)
+})
+
+
 describe('ProtoWallet', () => {
   it('Throws when unsupported functions are called', async () => {
     const wallet = new ProtoWallet('anyone')
@@ -80,10 +93,6 @@ describe('ProtoWallet', () => {
     )
   })
   it('Encrypts messages decryptable by the counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { ciphertext } = await user.encrypt({
       plaintext: sampleData,
       protocolID: [2, 'tests'],
@@ -100,10 +109,6 @@ describe('ProtoWallet', () => {
     expect(ciphertext).not.toEqual(plaintext)
   })
   it('Fails to decryupt messages for the wrong protocol, key, and counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { ciphertext } = await user.encrypt({
       plaintext: sampleData,
       protocolID: [2, 'tests'],
@@ -139,10 +144,6 @@ describe('ProtoWallet', () => {
     ).rejects.toThrow()
   })
   it('Correctly derives keys for a counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { publicKey: identityKey } = await user.getPublicKey({
       identityKey: true
     })
@@ -162,10 +163,6 @@ describe('ProtoWallet', () => {
     expect(derivedForCounterparty).toEqual(derivedByCounterparty)
   })
   it('Signs messages verifiable by the counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { signature } = await user.createSignature({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -183,10 +180,6 @@ describe('ProtoWallet', () => {
     expect(signature.length).not.toEqual(0)
   })
   it('Directly signs hash of message verifiable by the counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { signature } = await user.createSignature({
       hashToDirectlySign: Hash.sha256(sampleData),
       protocolID: [2, 'tests'],
@@ -212,10 +205,6 @@ describe('ProtoWallet', () => {
     expect(signature.length).not.toEqual(0)
   })
   it('Fails to verify signature for the wrong data, protocol, key, and counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { signature } = await user.createSignature({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -264,10 +253,6 @@ describe('ProtoWallet', () => {
     ).rejects.toThrow()
   })
   it('Computes HMAC over messages verifiable by the counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { hmac } = await user.createHmac({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -285,10 +270,6 @@ describe('ProtoWallet', () => {
     expect(hmac.length).toEqual(32)
   })
   it('Fails to verify HMAC for the wrong data, protocol, key, and counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { hmac } = await user.createHmac({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -337,8 +318,6 @@ describe('ProtoWallet', () => {
     ).rejects.toThrow()
   })
   it('Uses anyone for creating signatures and self for other operations if no counterparty is provided', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
     const { hmac } = await user.createHmac({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -589,4 +568,46 @@ describe('ProtoWallet', () => {
       expect(linkage).toEqual(expectedLinkage)
     })
   })
+
+  it('Fails constant-time HMAC validation for wrong-but-same-length HMAC', async () => {
+    const { hmac: correctHmac } = await user.createHmac({
+      data: sampleData,
+      protocolID: [2, 'tests'],
+      keyID: '4',
+      counterparty: counterpartyKey.toPublicKey().toString()
+    })
+
+    // Create a different HMAC with same length
+    const wrong = correctHmac.slice()
+    wrong[0] = (wrong[0] + 1) & 0xff  // minimally alter 1 byte
+
+    await expect(async () =>
+      await counterparty.verifyHmac({
+        hmac: wrong,
+        data: sampleData,
+        protocolID: [2, 'tests'],
+        keyID: '4',
+        counterparty: userKey.toPublicKey().toString()
+      })
+    ).rejects.toThrow('HMAC is not valid')
+  })
+
+  it('Validates correct HMAC using the constant-time comparison path', async () => {
+    const { hmac } = await user.createHmac({
+      data: sampleData,
+      protocolID: [2, 'tests'],
+      keyID: '4',
+      counterparty: counterpartyKey.toPublicKey().toString()
+    })
+
+    const { valid } = await counterparty.verifyHmac({
+      hmac,
+      data: sampleData,
+      protocolID: [2, 'tests'],
+      keyID: '4',
+      counterparty: userKey.toPublicKey().toString()
+    })
+
+    expect(valid).toBe(true)
+  })
 })