@bsv/sdk 1.9.24 → 1.9.30

package/src/primitives/__tests/ECDSA.test.ts

@@ -2,6 +2,7 @@ import * as ECDSA from '../../primitives/ECDSA'
 import BigNumber from '../../primitives/BigNumber'
 import Curve from '../../primitives/Curve'
 import Signature from '../../primitives/Signature'
+import Point from '../../primitives/Point'
 
 const msg = new BigNumber('deadbeef', 16)
 const key = new BigNumber(
@@ -90,4 +91,42 @@ describe('ECDSA', () => {
       ECDSA.sign(msg, key, undefined, n)
     ).toThrow()
   })
+
+  it('k·G + (−k·G) results in point at infinity (TOB-25)', () => {
+    const k = new BigNumber('123456789abcdef', 16)
+
+    const P = curve.g.mul(k)
+    const negP = P.neg()
+    const sum = P.add(negP)
+
+    expect(sum.isInfinity()).toBe(true)
+  })
+
+  it('scalar multiplication by zero returns point at infinity (TOB-25)', () => {
+    const zero = new BigNumber(0)
+    const result = curve.g.mul(zero)
+
+    expect(result.isInfinity()).toBe(true)
+  })
+
+  it('ECDSA verify rejects point-at-infinity public key (TOB-25)', () => {
+    const signature = ECDSA.sign(msg, key)
+    const infinityPub = new Point(null, null)
+
+    expect(() =>
+      ECDSA.verify(msg, signature, infinityPub)
+    ).toThrow()
+  })
+
+  it('sign/verify works with large private key (mulCT stress)', () => {
+    const bigKey = new BigNumber(
+      'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd036413f',
+      16
+    )
+
+    const sig = ECDSA.sign(msg, bigKey)
+    const pub = curve.g.mul(bigKey)
+
+    expect(ECDSA.verify(msg, sig, pub)).toBe(true)
+  })
 })

package/src/primitives/__tests/Point.test.ts

@@ -0,0 +1,112 @@
+import Point from '../../primitives/Point'
+import BigNumber from '../../primitives/BigNumber'
+
+describe('Point.fromJSON / fromDER / fromX curve validation (TOB-24)', () => {
+  it('rejects clearly off-curve coordinates', () => {
+    expect(() =>
+      Point.fromJSON([123, 456], true)
+    ).toThrow(/Invalid point/)
+  })
+
+  it('rejects nested off-curve precomputed points', () => {
+    const bad = [
+      123,
+      456,
+      {
+        doubles: {
+          step: 2,
+          points: [
+            [1, 2],
+            [3, 4]
+          ]
+        }
+      }
+    ]
+    expect(() => Point.fromJSON(bad, true)).toThrow(/Invalid point/)
+  })
+
+  it('accepts valid generator point from toJSON → fromJSON roundtrip', () => {
+    // Compressed secp256k1 G:
+    const G_COMPRESSED =
+      '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'
+
+    const g = Point.fromString(G_COMPRESSED)
+    const serialized = g.toJSON()
+    const restored = Point.fromJSON(serialized as any, true)
+
+    expect(restored.eq(g)).toBe(true)
+  })
+
+  it('rejects invalid compressed points in fromDER', () => {
+    // 0x02 is a valid compressed prefix, but x = 0 gives y^2 = 7,
+    // which has no square root mod p on secp256k1 → invalid point.
+    const der = [0x02, ...Array(32).fill(0x00)]
+    expect(() => Point.fromDER(der)).toThrow(/Invalid point/)
+    })
+
+  it('fromX rejects values with no square root mod p', () => {
+    // x = 0 ⇒ y^2 = 7, which has no square root mod p on secp256k1.
+    // This guarantees that fromX must reject it.
+    const badX = '0000000000000000000000000000000000000000000000000000000000000000'
+    expect(() => Point.fromX(badX, true)).toThrow(/Invalid point/)
+    })
+})
+
+describe('Point.mulCT (constant-time scalar multiplication)', () => {
+  const G = Point.fromString(
+    '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'
+  )
+
+  it('returns point at infinity for scalar = 0', () => {
+    const r = G.mulCT(0)
+    expect(r.isInfinity()).toBe(true)
+  })
+
+  it('matches regular mul for small scalar', () => {
+    const k = 5
+    const r1 = G.mul(k)
+    const r2 = G.mulCT(k)
+
+    expect(r2.eq(r1)).toBe(true)
+  })
+
+  it('matches regular mul for large scalar', () => {
+    const k =
+      'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'
+
+    const r1 = G.mul(k)
+    const r2 = G.mulCT(k)
+
+    expect(r2.eq(r1)).toBe(true)
+  })
+
+  it('works with non-generator base point', () => {
+    const base = G.mul(3)
+    const k = 11
+
+    const r1 = base.mul(k)
+    const r2 = base.mulCT(k)
+
+    expect(r2.eq(r1)).toBe(true)
+  })
+
+  it('handles alternating bit patterns (ctSwap exercised)', () => {
+    // 101010... pattern forces both swap paths
+    const k = BigInt(
+      '0b101010101010101010101010101010101010101010101010101010101010101'
+    )
+
+    const r1 = G.mul(k.toString(10))
+    const r2 = G.mulCT(k.toString(10))
+
+    expect(r2.eq(r1)).toBe(true)
+  })
+
+  it('handles negative scalars correctly', () => {
+    const k = new BigNumber('123456', 16)
+    const r1 = G.mul(k.neg())
+    const r2 = G.mulCT(k.neg())
+    expect(r2.eq(r1)).toBe(true)
+  })
+})
+

package/src/primitives/__tests/utils.test.ts

@@ -9,7 +9,8 @@ import {
   toBase58,
   fromBase58Check,
   toBase58Check,
-  verifyNotNull
+  verifyNotNull,
+  constantTimeEquals
 } from '../../primitives/utils'
 import Point from '../../primitives/Point'
 
@@ -376,3 +377,25 @@ describe('Point.encode infinity handling', () => {
     expect(() => p.encode()).not.toThrow()
   })
 })
+
+describe('constantTimeEquals', () => {
+  it('returns true for identical arrays', () => {
+    expect(constantTimeEquals([1, 2, 3], [1, 2, 3])).toBe(true)
+  })
+
+  it('returns false for arrays with different content', () => {
+    expect(constantTimeEquals([1, 2, 3], [1, 2, 4])).toBe(false)
+  })
+
+  it('returns false for arrays of different length', () => {
+    expect(constantTimeEquals([1, 2], [1, 2, 3])).toBe(false)
+  })
+
+  it('runs through entire array (no early exit)', () => {
+    expect(constantTimeEquals([0,0,0,0,9], [0,0,0,0,8])).toBe(false)
+  })
+
+  it('works with Uint8Array', () => {
+    expect(constantTimeEquals(new Uint8Array([5,6,7]), new Uint8Array([5,6,7]))).toBe(true)
+  })
+})

package/src/primitives/hex.ts

@@ -5,15 +5,13 @@ const PURE_HEX_REGEX = /^[0-9a-fA-F]*$/
 
 export function assertValidHex (msg: string): void {
   if (typeof msg !== 'string') {
-    console.error('assertValidHex FAIL (non-string):', msg)
-    throw new Error('Invalid hex string')
+    throw new TypeError('Invalid hex string')
   }
 
   // allow empty
   if (msg.length === 0) return
 
   if (!PURE_HEX_REGEX.test(msg)) {
-    console.error('assertValidHex FAIL (bad hex):', msg)
     throw new Error('Invalid hex string')
   }
 }

package/src/primitives/utils.ts

@@ -951,3 +951,13 @@ export function verifyNotNull<T> (value: T | undefined | null, errorMessage: str
   if (value == null) throw new Error(errorMessage)
   return value
 }
+
+export function constantTimeEquals (a: Uint8Array | number[], b: Uint8Array | number[]): boolean {
+  if (a.length !== b.length) return false
+
+  let diff = 0
+  for (let i = 0; i < a.length; i++) {
+    diff |= a[i] ^ b[i]
+  }
+  return diff === 0
+}

package/src/totp/__tests/totp.test.ts

@@ -78,4 +78,25 @@ describe('totp generation and validation', () => {
       checkAdjacentWindow(time - i * periodMS, false)
     }
   })
+
+  test('should reject wrong passcode with same length', () => {
+    jest.setSystemTime(0)
+
+    const correct = TOTP.generate(secret, options)
+
+    // Same length but definitely wrong
+    const wrong = correct === '123456' ? '654321' : '123456'
+
+    expect(wrong.length).toBe(correct.length)
+    expect(TOTP.validate(secret, wrong, options)).toBe(false)
+  })
+
+  test('should validate correct passcode using constant-time comparison', () => {
+    jest.setSystemTime(0)
+
+    const correct = TOTP.generate(secret, options)
+
+    // Ensure the code path executes constantTimeEquals and returns true
+    expect(TOTP.validate(secret, correct, options)).toBe(true)
+  })
 })

package/src/totp/totp.ts

@@ -1,5 +1,6 @@
 import { SHA1HMAC, SHA256HMAC, SHA512HMAC } from '../primitives/Hash.js'
 import BigNumber from '../primitives/BigNumber.js'
+import { constantTimeEquals, toArray } from '../primitives/utils.js'
 
 export type TOTPAlgorithm = 'SHA-1' | 'SHA-256' | 'SHA-512'
 
@@ -68,7 +69,14 @@ export class TOTP {
     }
 
     for (const c of counters) {
-      if (passcode === generateHOTP(secret, c, _options)) {
+      const expected = generateHOTP(secret, c, _options)
+
+      if (
+        constantTimeEquals(
+          toArray(passcode, 'utf8'),
+          toArray(expected, 'utf8')
+        )
+      ) {
         return true
       }
     }

package/src/wallet/ProtoWallet.ts

@@ -30,6 +30,7 @@ import {
   WalletEncryptArgs,
   WalletEncryptResult
 } from './Wallet.interfaces.js'
+import { constantTimeEquals, toArray } from '../primitives/utils.js'
 
 /**
  * A ProtoWallet is precursor to a full wallet, capable of performing all foundational cryptographic operations.
@@ -222,9 +223,13 @@ export class ProtoWallet {
       args.keyID,
       args.counterparty ?? 'self'
     )
-    const valid =
-      Hash.sha256hmac(key.toArray(), args.data).toString() ===
-      args.hmac.toString()
+    const computed = Hash.sha256hmac(key.toArray(), args.data)
+    const provided = args.hmac
+
+    const valid = constantTimeEquals(
+      toArray(computed),
+      toArray(provided)
+    )
     if (!valid) {
       const e = new Error('HMAC is not valid') as Error & { code: string }
       e.code = 'ERR_INVALID_HMAC'

package/src/wallet/__tests/ProtoWallet.test.ts

@@ -4,6 +4,19 @@ import { createNonce, verifyNonce } from '../../auth/utils'
 
 const sampleData = [3, 1, 4, 1, 5, 9]
 
+let userKey: PrivateKey
+let counterpartyKey: PrivateKey
+let user: ProtoWallet
+let counterparty: ProtoWallet
+
+beforeEach(() => {
+  userKey = PrivateKey.fromRandom()
+  counterpartyKey = PrivateKey.fromRandom()
+  user = new ProtoWallet(userKey)
+  counterparty = new ProtoWallet(counterpartyKey)
+})
+
+
 describe('ProtoWallet', () => {
   it('Throws when unsupported functions are called', async () => {
     const wallet = new ProtoWallet('anyone')
@@ -80,10 +93,6 @@ describe('ProtoWallet', () => {
     )
   })
   it('Encrypts messages decryptable by the counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { ciphertext } = await user.encrypt({
       plaintext: sampleData,
       protocolID: [2, 'tests'],
@@ -100,10 +109,6 @@ describe('ProtoWallet', () => {
     expect(ciphertext).not.toEqual(plaintext)
   })
   it('Fails to decryupt messages for the wrong protocol, key, and counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { ciphertext } = await user.encrypt({
       plaintext: sampleData,
       protocolID: [2, 'tests'],
@@ -139,10 +144,6 @@ describe('ProtoWallet', () => {
     ).rejects.toThrow()
   })
   it('Correctly derives keys for a counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { publicKey: identityKey } = await user.getPublicKey({
       identityKey: true
     })
@@ -162,10 +163,6 @@ describe('ProtoWallet', () => {
     expect(derivedForCounterparty).toEqual(derivedByCounterparty)
   })
   it('Signs messages verifiable by the counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { signature } = await user.createSignature({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -183,10 +180,6 @@ describe('ProtoWallet', () => {
     expect(signature.length).not.toEqual(0)
   })
   it('Directly signs hash of message verifiable by the counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { signature } = await user.createSignature({
       hashToDirectlySign: Hash.sha256(sampleData),
       protocolID: [2, 'tests'],
@@ -212,10 +205,6 @@ describe('ProtoWallet', () => {
     expect(signature.length).not.toEqual(0)
   })
   it('Fails to verify signature for the wrong data, protocol, key, and counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { signature } = await user.createSignature({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -264,10 +253,6 @@ describe('ProtoWallet', () => {
     ).rejects.toThrow()
   })
   it('Computes HMAC over messages verifiable by the counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { hmac } = await user.createHmac({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -285,10 +270,6 @@ describe('ProtoWallet', () => {
     expect(hmac.length).toEqual(32)
   })
   it('Fails to verify HMAC for the wrong data, protocol, key, and counterparty', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const counterpartyKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
-    const counterparty = new ProtoWallet(counterpartyKey)
     const { hmac } = await user.createHmac({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -337,8 +318,6 @@ describe('ProtoWallet', () => {
     ).rejects.toThrow()
   })
   it('Uses anyone for creating signatures and self for other operations if no counterparty is provided', async () => {
-    const userKey = PrivateKey.fromRandom()
-    const user = new ProtoWallet(userKey)
     const { hmac } = await user.createHmac({
       data: sampleData,
       protocolID: [2, 'tests'],
@@ -589,4 +568,46 @@ describe('ProtoWallet', () => {
       expect(linkage).toEqual(expectedLinkage)
     })
   })
+
+  it('Fails constant-time HMAC validation for wrong-but-same-length HMAC', async () => {
+    const { hmac: correctHmac } = await user.createHmac({
+      data: sampleData,
+      protocolID: [2, 'tests'],
+      keyID: '4',
+      counterparty: counterpartyKey.toPublicKey().toString()
+    })
+
+    // Create a different HMAC with same length
+    const wrong = correctHmac.slice()
+    wrong[0] = (wrong[0] + 1) & 0xff  // minimally alter 1 byte
+
+    await expect(async () =>
+      await counterparty.verifyHmac({
+        hmac: wrong,
+        data: sampleData,
+        protocolID: [2, 'tests'],
+        keyID: '4',
+        counterparty: userKey.toPublicKey().toString()
+      })
+    ).rejects.toThrow('HMAC is not valid')
+  })
+
+  it('Validates correct HMAC using the constant-time comparison path', async () => {
+    const { hmac } = await user.createHmac({
+      data: sampleData,
+      protocolID: [2, 'tests'],
+      keyID: '4',
+      counterparty: counterpartyKey.toPublicKey().toString()
+    })
+
+    const { valid } = await counterparty.verifyHmac({
+      hmac,
+      data: sampleData,
+      protocolID: [2, 'tests'],
+      keyID: '4',
+      counterparty: userKey.toPublicKey().toString()
+    })
+
+    expect(valid).toBe(true)
+  })
 })