@bsv/sdk 1.9.24 → 1.9.29

package/src/primitives/AESGCM.ts

@@ -202,33 +202,73 @@ export const getBytes = function (numericValue: number): number[] {
   ]
 }
 
-const createZeroBlock = function (length: number): number[] {
-  return new Array(length).fill(0)
+export const getBytes64 = function (numericValue: number): number[] {
+  if (numericValue < 0 || numericValue > Number.MAX_SAFE_INTEGER) {
+    throw new Error('getBytes64: value out of range')
+  }
+
+  const hi = Math.floor(numericValue / 0x100000000)
+  const lo = numericValue >>> 0
+
+  return [
+    (hi >>> 24) & 0xFF,
+    (hi >>> 16) & 0xFF,
+    (hi >>> 8) & 0xFF,
+    hi & 0xFF,
+    (lo >>> 24) & 0xFF,
+    (lo >>> 16) & 0xFF,
+    (lo >>> 8) & 0xFF,
+    lo & 0xFF
+  ]
 }
 
-const R = [0xe1].concat(createZeroBlock(15))
+type Bytes = Uint8Array
 
-export const exclusiveOR = function (block0: number[], block1: number[]): number[] {
+const createZeroBlock = function (length: number): Bytes {
+  // Uint8Array is already zero-filled
+  return new Uint8Array(length)
+}
+
+// R = 0xe1 || 15 zero bytes
+const R: Bytes = (() => {
+  const r = new Uint8Array(16)
+  r[0] = 0xe1
+  return r
+})()
+
+const concatBytes = (...arrays: Bytes[]): Bytes => {
+  let total = 0
+  for (const a of arrays) total += a.length
+
+  const out = new Uint8Array(total)
+  let offset = 0
+  for (const a of arrays) {
+    out.set(a, offset)
+    offset += a.length
+  }
+  return out
+}
+
+export const exclusiveOR = function (block0: Bytes, block1: Bytes): Bytes {
   const len = block0.length
-  const result = new Array(len)
+  const result = new Uint8Array(len)
   for (let i = 0; i < len; i++) {
-    result[i] = block0[i] ^ block1[i]
+    result[i] = block0[i] ^ (block1[i] ?? 0)
   }
   return result
 }
 
-const xorInto = function (target: number[], block: number[]): void {
+const xorInto = function (target: Bytes, block: Bytes): void {
   for (let i = 0; i < target.length; i++) {
-    target[i] ^= block[i]
+    target[i] ^= block[i] ?? 0
   }
 }
 
-export const rightShift = function (block: number[]): number[] {
-  let i: number
+export const rightShift = function (block: Bytes): Bytes {
   let carry = 0
   let oldCarry = 0
 
-  for (i = 0; i < block.length; i++) {
+  for (let i = 0; i < block.length; i++) {
     oldCarry = carry
     carry = block[i] & 0x01
     block[i] = block[i] >> 1
@@ -241,7 +281,7 @@ export const rightShift = function (block: number[]): number[] {
   return block
 }
 
-export const multiply = function (block0: number[], block1: number[]): number[] {
+export const multiply = function (block0: Bytes, block1: Bytes): Bytes {
   const v = block1.slice()
   const z = createZeroBlock(16)
 
@@ -264,16 +304,14 @@ export const multiply = function (block0: number[], block1: number[]): number[]
 }
 
 export const incrementLeastSignificantThirtyTwoBits = function (
-  block: number[]
-): number[] {
-  let i
+  block: Bytes
+): Bytes {
   const result = block.slice()
-  for (i = 15; i !== 11; i--) {
-    result[i] = result[i] + 1
 
-    if (result[i] === 256) {
-      result[i] = 0
-    } else {
+  for (let i = 15; i > 11; i--) {
+    result[i] = (result[i] + 1) & 0xff // wrap explicitly
+
+    if (result[i] !== 0) {
       break
     }
   }
@@ -281,11 +319,12 @@ export const incrementLeastSignificantThirtyTwoBits = function (
   return result
 }
 
-export function ghash (input: number[], hashSubKey: number[]): number[] {
+export function ghash (input: Bytes, hashSubKey: Bytes): Bytes {
   let result = createZeroBlock(16)
+  const block = new Uint8Array(16)
 
   for (let i = 0; i < input.length; i += 16) {
-    const block = result.slice()
+    block.set(result)
     for (let j = 0; j < 16; j++) {
       block[j] ^= input[i + j] ?? 0
     }
@@ -296,14 +335,14 @@ export function ghash (input: number[], hashSubKey: number[]): number[] {
 }
 
 function gctr (
-  input: number[],
-  initialCounterBlock: number[],
-  key: number[]
-): number[] {
-  if (input.length === 0) return []
-
-  const output = new Array(input.length)
-  let counterBlock = initialCounterBlock
+  input: Bytes,
+  initialCounterBlock: Bytes,
+  key: Bytes
+): Bytes {
+  if (input.length === 0) return new Uint8Array(0)
+
+  const output = new Uint8Array(input.length)
+  let counterBlock = initialCounterBlock.slice()
   let pos = 0
   const n = Math.ceil(input.length / 16)
 
@@ -323,12 +362,97 @@ function gctr (
   return output
 }
 
+function buildAuthInput (cipherText: Bytes): Bytes {
+  const aadLenBits = 0
+  const ctLenBits = cipherText.length * 8
+
+  let padLen: number
+  if (cipherText.length === 0) {
+    padLen = 16
+  } else if (cipherText.length % 16 === 0) {
+    padLen = 0
+  } else {
+    padLen = 16 - (cipherText.length % 16)
+  }
+
+  const total =
+    16 +
+    cipherText.length +
+    padLen +
+    16
+
+  const out = new Uint8Array(total)
+  let offset = 0
+
+  offset += 16
+
+  out.set(cipherText, offset)
+  offset += cipherText.length
+
+  offset += padLen
+
+  const aadLen = getBytes64(aadLenBits)
+  out.set(aadLen, offset)
+  offset += 8
+
+  const ctLen = getBytes64(ctLenBits)
+  out.set(ctLen, offset)
+
+  return out
+}
+
+/**
+ * SECURITY NOTE – NON-STANDARD AES-GCM PADDING
+ *
+ * This implementation intentionally deviates from NIST SP 800-38D’s AES-GCM
+ * specification in how the GHASH input is formed when the additional
+ * authenticated data (AAD) or ciphertext length is zero.
+ *
+ * In the standard, AAD and ciphertext are each padded with the minimum number
+ * of zero bytes required to reach a multiple of 16 bytes; when the length is
+ * already a multiple of 16 (including the case length = 0), no padding block
+ * is added. In this implementation, when AAD.length === 0 or ciphertext.length
+ * === 0, an extra 16-byte block of zeros is appended before the length fields
+ * are processed. The same formatting logic is used symmetrically in both
+ * AESGCM (encryption) and AESGCMDecrypt (decryption).
+ *
+ * As a result:
+ *   - Authentication tags produced here are NOT compatible with tags produced
+ *     by standards-compliant AES-GCM implementations in the cases where AAD
+ *     or ciphertext are empty.
+ *   - Ciphertexts generated by this code must be decrypted by this exact
+ *     implementation (or one that reproduces the same GHASH formatting), and
+ *     must not be mixed with ciphertexts produced by a strictly standard
+ *     AES-GCM library.
+ *
+ * Cryptographic impact: this change alters only the encoding of the message
+ * that is input to GHASH; it does not change the block cipher, key derivation,
+ * IV handling, or the basic “encrypt-then-MAC over (AAD, ciphertext, lengths)”
+ * structure of AES-GCM. Under the usual assumptions that AES is a secure block
+ * cipher and GHASH with a secret subkey is a secure polynomial MAC, this
+ * variant continues to provide confidentiality and integrity for data encrypted
+ * and decrypted consistently with this implementation. We are not aware of any
+ * attack that exploits the presence of this extra zero block when AAD or
+ * ciphertext are empty.
+ *
+ * However, this padding behavior is non-compliant with NIST SP 800-38D and has
+ * not been analyzed as extensively as standard AES-GCM. Code that requires
+ * strict standards compliance or interoperability with external AES-GCM
+ * implementations SHOULD NOT use this module as-is. Any future migration to a
+ * fully compliant AES-GCM encoding will require a compatibility strategy, as
+ * existing ciphertexts produced by this implementation will otherwise become
+ * undecryptable.
+ *
+ * This non-standard padding behavior is retained intentionally for backward
+ * compatibility: existing ciphertexts in production were generated with this
+ * encoding, and changing it would render previously encrypted data
+ * undecryptable by newer versions of the library.
+ */
 export function AESGCM (
-  plainText: number[],
-  additionalAuthenticatedData: number[],
-  initializationVector: number[],
-  key: number[]
-): { result: number[], authenticationTag: number[] } {
+  plainText: Bytes,
+  initializationVector: Bytes,
+  key: Bytes
+): { result: Bytes, authenticationTag: Bytes } {
   if (initializationVector.length === 0) {
     throw new Error('Initialization vector must not be empty')
   }
@@ -337,60 +461,54 @@ export function AESGCM (
     throw new Error('Key must not be empty')
   }
 
-  let preCounterBlock
-  let plainTag
-  const hashSubKey = AES(createZeroBlock(16), key)
-  preCounterBlock = [...initializationVector]
+  const hashSubKey = new Uint8Array(AES(createZeroBlock(16), key))
+
+  let preCounterBlock: Bytes
+
   if (initializationVector.length === 12) {
-    preCounterBlock = preCounterBlock.concat(createZeroBlock(3)).concat([0x01])
+    preCounterBlock = concatBytes(initializationVector, createZeroBlock(3), new Uint8Array([0x01]))
   } else {
-    if (initializationVector.length % 16 !== 0) {
-      preCounterBlock = preCounterBlock.concat(
-        createZeroBlock(16 - (initializationVector.length % 16))
+    let ivPadded = initializationVector
+    if (ivPadded.length % 16 !== 0) {
+      ivPadded = concatBytes(
+        ivPadded,
+        createZeroBlock(16 - (ivPadded.length % 16))
       )
     }
 
-    preCounterBlock = preCounterBlock.concat(createZeroBlock(8))
+    const lenBlock = getBytes64(initializationVector.length * 8)
+    const s = concatBytes(
+      ivPadded,
+      createZeroBlock(8),
+      new Uint8Array(lenBlock)
+    )
 
-    preCounterBlock = ghash(preCounterBlock.concat(createZeroBlock(4))
-      .concat(getBytes(initializationVector.length * 8)), hashSubKey)
+    preCounterBlock = ghash(s, hashSubKey)
   }
 
-  const cipherText = gctr(plainText, incrementLeastSignificantThirtyTwoBits(preCounterBlock), key)
-
-  plainTag = additionalAuthenticatedData.slice()
+  const cipherText = gctr(
+    plainText,
+    incrementLeastSignificantThirtyTwoBits(preCounterBlock),
+    key
+  )
 
-  if (additionalAuthenticatedData.length === 0) {
-    plainTag = plainTag.concat(createZeroBlock(16))
-  } else if (additionalAuthenticatedData.length % 16 !== 0) {
-    plainTag = plainTag.concat(createZeroBlock(16 - (additionalAuthenticatedData.length % 16)))
-  }
+  const authInput = buildAuthInput(cipherText)
 
-  plainTag = plainTag.concat(cipherText)
-
-  if (cipherText.length === 0) {
-    plainTag = plainTag.concat(createZeroBlock(16))
-  } else if (cipherText.length % 16 !== 0) {
-    plainTag = plainTag.concat(createZeroBlock(16 - (cipherText.length % 16)))
-  }
-
-  plainTag = plainTag.concat(createZeroBlock(4))
-    .concat(getBytes(additionalAuthenticatedData.length * 8))
-    .concat(createZeroBlock(4)).concat(getBytes(cipherText.length * 8))
+  const s = ghash(authInput, hashSubKey)
+  const authenticationTag = gctr(s, preCounterBlock, key)
 
   return {
     result: cipherText,
-    authenticationTag: gctr(ghash(plainTag, hashSubKey), preCounterBlock, key)
+    authenticationTag
   }
 }
 
 export function AESGCMDecrypt (
-  cipherText: number[],
-  additionalAuthenticatedData: number[],
-  initializationVector: number[],
-  authenticationTag: number[],
-  key: number[]
-): number[] | null {
+  cipherText: Bytes,
+  initializationVector: Bytes,
+  authenticationTag: Bytes,
+  key: Bytes
+): Bytes | null {
   if (cipherText.length === 0) {
     throw new Error('Cipher text must not be empty')
   }
@@ -403,53 +521,57 @@ export function AESGCMDecrypt (
     throw new Error('Key must not be empty')
   }
 
-  let preCounterBlock
-  let compareTag
-
   // Generate the hash subkey
-  const hashSubKey = AES(createZeroBlock(16), key)
+  const hashSubKey = new Uint8Array(AES(createZeroBlock(16), key))
+
+  let preCounterBlock: Bytes
 
-  preCounterBlock = [...initializationVector]
   if (initializationVector.length === 12) {
-    preCounterBlock = preCounterBlock.concat(createZeroBlock(3)).concat([0x01])
+    preCounterBlock = concatBytes(
+      initializationVector,
+      createZeroBlock(3),
+      new Uint8Array([0x01])
+    )
   } else {
-    if (initializationVector.length % 16 !== 0) {
-      preCounterBlock = preCounterBlock.concat(createZeroBlock(16 - (initializationVector.length % 16)))
+    let ivPadded = initializationVector
+    if (ivPadded.length % 16 !== 0) {
+      ivPadded = concatBytes(
+        ivPadded,
+        createZeroBlock(16 - (ivPadded.length % 16))
+      )
     }
 
-    preCounterBlock = preCounterBlock.concat(createZeroBlock(8))
+    const lenBlock = getBytes64(initializationVector.length * 8)
+    const s = concatBytes(
+      ivPadded,
+      createZeroBlock(8),
+      new Uint8Array(lenBlock)
+    )
 
-    preCounterBlock = ghash(preCounterBlock.concat(createZeroBlock(4)).concat(getBytes(initializationVector.length * 8)), hashSubKey)
+    preCounterBlock = ghash(s, hashSubKey)
   }
 
   // Decrypt to obtain the plain text
-  const plainText = gctr(cipherText, incrementLeastSignificantThirtyTwoBits(preCounterBlock), key)
+  const plainText = gctr(
+    cipherText,
+    incrementLeastSignificantThirtyTwoBits(preCounterBlock),
+    key
+  )
 
-  compareTag = additionalAuthenticatedData.slice()
+  const authInput = buildAuthInput(cipherText)
+  const s = ghash(authInput, hashSubKey)
+  const calculatedTag = gctr(s, preCounterBlock, key)
 
-  if (additionalAuthenticatedData.length === 0) {
-    compareTag = compareTag.concat(createZeroBlock(16))
-  } else if (additionalAuthenticatedData.length % 16 !== 0) {
-    compareTag = compareTag.concat(createZeroBlock(16 - (additionalAuthenticatedData.length % 16)))
+  if (calculatedTag.length !== authenticationTag.length) {
+    return null
   }
 
-  compareTag = compareTag.concat(cipherText)
-
-  if (cipherText.length === 0) {
-    compareTag = compareTag.concat(createZeroBlock(16))
-  } else if (cipherText.length % 16 !== 0) {
-    compareTag = compareTag.concat(createZeroBlock(16 - (cipherText.length % 16)))
+  let diff = 0
+  for (let i = 0; i < calculatedTag.length; i++) {
+    diff |= calculatedTag[i] ^ authenticationTag[i]
   }
 
-  compareTag = compareTag.concat(createZeroBlock(4))
-    .concat(getBytes(additionalAuthenticatedData.length * 8))
-    .concat(createZeroBlock(4)).concat(getBytes(cipherText.length * 8))
-
-  // Generate the authentication tag
-  const calculatedTag = gctr(ghash(compareTag, hashSubKey), preCounterBlock, key)
-
-  // If the calculated tag does not match the provided tag, return null - the decryption failed.
-  if (calculatedTag.join() !== authenticationTag.join()) {
+  if (diff !== 0) {
     return null
   }
 

package/src/primitives/Point.ts

@@ -44,14 +44,17 @@ export const biModInv = (a: bigint): bigint => { // binary‑ext GCD
 export const biModSqr = (a: bigint): bigint => biModMul(a, a)
 
 export const biModPow = (base: bigint, exp: bigint): bigint => {
-  let result = BI_ONE
+  let result = 1n
   base = biMod(base)
-  let e = exp
-  while (e > BI_ZERO) {
-    if ((e & BI_ONE) === BI_ONE) result = biModMul(result, base)
+
+  while (exp > 0n) {
+    if ((exp & 1n) !== 0n) {
+      result = biModMul(result, base)
+    }
     base = biModMul(base, base)
-    e >>= BI_ONE
+    exp >>= 1n
   }
+
   return result
 }
 
@@ -59,7 +62,12 @@ export const P_PLUS1_DIV4 = (P_BIGINT + 1n) >> 2n
 
 export const biModSqrt = (a: bigint): bigint | null => {
   const r = biModPow(a, P_PLUS1_DIV4)
-  return biModMul(r, r) === biMod(a) ? r : null
+
+  if (biModMul(r, r) !== biMod(a)) {
+    return null
+  }
+
+  return r
 }
 
 const toBigInt = (x: BigNumber | number | number[] | string): bigint => {
@@ -220,6 +228,13 @@ export default class Point extends BasePoint {
   y: BigNumber | null
   inf: boolean
 
+  static _assertOnCurve (p: Point): Point {
+    if (!p.validate()) {
+      throw new Error('Invalid point')
+    }
+    return p
+  }
+
   /**
    * Creates a point object from a given Array. These numbers can represent coordinates in hex format, or points
    * in multiple established formats.
@@ -238,7 +253,6 @@ export default class Point extends BasePoint {
    */
   static fromDER (bytes: number[]): Point {
     const len = 32
-    // uncompressed, hybrid-odd, hybrid-even
     if (
       (bytes[0] === 0x04 || bytes[0] === 0x06 || bytes[0] === 0x07) &&
       bytes.length - 1 === 2 * len
@@ -258,12 +272,14 @@ export default class Point extends BasePoint {
         bytes.slice(1 + len, 1 + 2 * len)
       )
 
-      return res
+      return Point._assertOnCurve(res)
     } else if (
       (bytes[0] === 0x02 || bytes[0] === 0x03) &&
       bytes.length - 1 === len
     ) {
-      return Point.fromX(bytes.slice(1, 1 + len), bytes[0] === 0x03)
+      return Point._assertOnCurve(
+        Point.fromX(bytes.slice(1, 1 + len), bytes[0] === 0x03)
+      )
     }
     throw new Error('Unknown point format')
   }
@@ -287,7 +303,7 @@ export default class Point extends BasePoint {
    */
   static fromString (str: string): Point {
     const bytes = toArray(str, 'hex')
-    return Point.fromDER(bytes)
+    return Point._assertOnCurve(Point.fromDER(bytes))
   }
 
   /**
@@ -308,16 +324,22 @@ export default class Point extends BasePoint {
   static fromX (x: BigNumber | number | number[] | string, odd: boolean): Point {
     let xBigInt = toBigInt(x)
     xBigInt = biMod(xBigInt)
+
     const y2 = biModAdd(biModMul(biModSqr(xBigInt), xBigInt), 7n)
     const y = biModSqrt(y2)
-    if (y === null) throw new Error('Invalid point')
+    if (y === null) {
+      throw new Error('Invalid point')
+    }
+
     let yBig = y
     if ((yBig & BI_ONE) !== (odd ? BI_ONE : BI_ZERO)) {
       yBig = biModSub(P_BIGINT, yBig)
     }
+
     const xBN = new BigNumber(xBigInt.toString(16), 16)
     const yBN = new BigNumber(yBig.toString(16), 16)
-    return new Point(xBN, yBN)
+
+    return Point._assertOnCurve(new Point(xBN, yBN))
   }
 
   /**
@@ -339,33 +361,45 @@ export default class Point extends BasePoint {
     if (typeof obj === 'string') {
       obj = JSON.parse(obj)
     }
-    const res = new Point(obj[0], obj[1], isRed)
-    if (typeof obj[2] !== 'object') {
+
+    let res = new Point(obj[0], obj[1], isRed)
+    res = Point._assertOnCurve(res)
+
+    if (typeof obj[2] !== 'object' || obj[2] === null) {
       return res
     }
 
-    const obj2point = (obj): Point => {
-      return new Point(obj[0], obj[1], isRed)
+    const pre = obj[2]
+
+    const obj2point = (p): Point => {
+      const pt = new Point(p[0], p[1], isRed)
+      return Point._assertOnCurve(pt)
     }
 
-    const pre = obj[2]
     res.precomputed = {
       beta: null,
+
       doubles:
         typeof pre.doubles === 'object' && pre.doubles !== null
           ? {
               step: pre.doubles.step,
-              points: [res].concat(pre.doubles.points.map(obj2point))
+              points: [res].concat(
+                pre.doubles.points.map(obj2point)
+              )
             }
           : undefined,
+
       naf:
         typeof pre.naf === 'object' && pre.naf !== null
           ? {
               wnd: pre.naf.wnd,
-              points: [res].concat(pre.naf.points.map(obj2point))
+              points: [res].concat(
+                pre.naf.points.map(obj2point)
+              )
             }
           : undefined
     }
+
     return res
   }
 
@@ -426,7 +460,20 @@ export default class Point extends BasePoint {
    * const isValid = aPoint.validate();
    */
   validate (): boolean {
-    return this.curve.validate(this)
+    if (this.inf || this.x == null || this.y == null) return false
+
+    try {
+      const xBig = BigInt('0x' + this.x.fromRed().toString(16))
+      const yBig = BigInt('0x' + this.y.fromRed().toString(16))
+
+      // compute y² and x³ + 7 using bigint-secure field ops
+      const lhs = biModMul(yBig, yBig)
+      const rhs = biModAdd(biModMul(biModMul(xBig, xBig), xBig), 7n)
+
+      return lhs === rhs
+    } catch {
+      return false
+    }
   }
 
   /**