npm - @bsv/sdk - Versions diffs - 1.9.31 → 1.10.1 - Mend

@bsv/sdk 1.9.31 → 1.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/dist/cjs/package.json +1 -1
package/dist/cjs/src/auth/Peer.js +68 -48
package/dist/cjs/src/auth/Peer.js.map +1 -1
package/dist/cjs/src/primitives/BigNumber.js +28 -54
package/dist/cjs/src/primitives/BigNumber.js.map +1 -1
package/dist/cjs/src/primitives/ECDSA.js +36 -1
package/dist/cjs/src/primitives/ECDSA.js.map +1 -1
package/dist/cjs/src/primitives/ReductionContext.js +35 -46
package/dist/cjs/src/primitives/ReductionContext.js.map +1 -1
package/dist/cjs/tsconfig.cjs.tsbuildinfo +1 -1
package/dist/esm/src/auth/Peer.js +68 -48
package/dist/esm/src/auth/Peer.js.map +1 -1
package/dist/esm/src/primitives/BigNumber.js +28 -54
package/dist/esm/src/primitives/BigNumber.js.map +1 -1
package/dist/esm/src/primitives/ECDSA.js +36 -1
package/dist/esm/src/primitives/ECDSA.js.map +1 -1
package/dist/esm/src/primitives/ReductionContext.js +35 -46
package/dist/esm/src/primitives/ReductionContext.js.map +1 -1
package/dist/esm/tsconfig.esm.tsbuildinfo +1 -1
package/dist/types/src/auth/Peer.d.ts.map +1 -1
package/dist/types/src/auth/types.d.ts +2 -0
package/dist/types/src/auth/types.d.ts.map +1 -1
package/dist/types/src/primitives/BigNumber.d.ts +8 -0
package/dist/types/src/primitives/BigNumber.d.ts.map +1 -1
package/dist/types/src/primitives/ECDSA.d.ts +24 -0
package/dist/types/src/primitives/ECDSA.d.ts.map +1 -1
package/dist/types/src/primitives/ReductionContext.d.ts +9 -0
package/dist/types/src/primitives/ReductionContext.d.ts.map +1 -1
package/dist/types/tsconfig.types.tsbuildinfo +1 -1
package/dist/umd/bundle.js +3 -3
package/dist/umd/bundle.js.map +1 -1
package/docs/index.md +15 -1
package/docs/reference/auth.md +2 -0
package/docs/reference/messages.md +0 -24
package/docs/reference/primitives.md +91 -31
package/package.json +1 -1
package/src/auth/Peer.ts +122 -57
package/src/auth/__tests/Peer.test.ts +166 -257
package/src/auth/types.ts +2 -0
package/src/primitives/BigNumber.ts +27 -31
package/src/primitives/ECDSA.ts +41 -2
package/src/primitives/ReductionContext.ts +44 -48
package/src/primitives/__tests/ECDSA.test.ts +16 -0

package/src/primitives/ECDSA.ts CHANGED Viewed

@@ -22,6 +22,8 @@ import DRBG from './DRBG.js'
  * @example
  * let msg = new BigNumber('1234567890abcdef', 16);
  * let truncatedMsg = truncateToN(msg);
+ *
+ * This behavior follows the message truncation rules defined in FIPS 186-4.
  */
 function truncateToN (
   msg: BigNumber,
@@ -32,7 +34,7 @@ function truncateToN (
   if (delta > 0) {
     msg.iushrn(delta)
   }
-  if (truncOnly === null && msg.cmp(curve.n) >= 0) {
+  if (truncOnly !== true && msg.cmp(curve.n) >= 0) {
     return msg.sub(curve.n)
   } else {
     return msg
@@ -68,12 +70,34 @@ const halfN = N_BIGINT >> 1n
  * const key = new BigNumber('123456')
  * const signature = sign(msg, key)
  */
+/**
+ * SECURITY NOTE:
+ *
+ * This function implements ECDSA signing and expects `msg` to be the output of
+ * a cryptographic hash function (e.g. SHA-256), not an arbitrary-length message.
+ *
+ * Per FIPS 186-4 / SEC 1, the message representative used by ECDSA must not
+ * exceed the bit length of the curve order `n`. Inputs larger than `n` must be
+ * hashed before signing.
+ *
+ * As a short-term mitigation for TOB-22, this implementation explicitly rejects
+ * messages whose bit length exceeds that of the curve order.
+ *
+ * Long-term, callers SHOULD always hash messages before invoking `sign()`.
+ */
 export const sign = (
   msg: BigNumber,
   key: BigNumber,
   forceLowS: boolean = false,
   customK?: BigNumber | ((iter: number) => BigNumber)
 ): Signature => {
+  const nBitLength = curve.n.bitLength()
+  if (msg.bitLength() > nBitLength) {
+    throw new Error(
+      `ECDSA message is too large: expected <= ${nBitLength} bits. Callers must hash messages before signing.`
+    )
+  }
   msg = truncateToN(msg)
   const msgBig = bnToBigInt(msg)
   const keyBig = bnToBigInt(key)
@@ -163,8 +187,23 @@ export const sign = (
  * const signature = sign(msg, new BigNumber('123456'))
  * const isVerified = verify(msg, sig, key)
  */
+/**
+ * SECURITY NOTE:
+ *
+ * This verification routine assumes that `msg` is a hashed message
+ * representative produced using the same hash function used during signing.
+ *
+ * As part of TOB-22 short-term hardening, messages exceeding the curve order
+ * bit length are rejected to prevent misuse with non-hashed inputs.
+ */
 export const verify = (msg: BigNumber, sig: Signature, key: Point): boolean => {
-// Convert inputs to BigInt
+  const nBitLength = curve.n.bitLength()
+  if (msg.bitLength() > nBitLength) {
+    // could be throw or return false; returning false is typical for verify
+    return false
+  }
+  // Convert inputs to BigInt
   const hash = bnToBigInt(msg)
   if ((key.x == null) || (key.y == null)) {
     throw new Error('Invalid public key: missing coordinates.')

package/src/primitives/ReductionContext.ts CHANGED Viewed

@@ -2,6 +2,16 @@ import BigNumber from './BigNumber.js'
 import K256 from './K256.js'
 import Mersenne from './Mersenne.js'
+/**
+ * SECURITY NOTE:
+ * This reduction context avoids obvious variable-time constructs (such as
+ * sliding-window exponentiation and conditional modular reduction) to reduce
+ * timing side-channel leakage. However, JavaScript BigInt arithmetic does not
+ * provide constant-time guarantees. These mitigations improve resistance to
+ * coarse timing attacks but do not make the implementation suitable for
+ * hostile multi-tenant or shared-CPU environments.
+ */
 /**
  * A base reduction engine that provides several arithmetic operations over
  * big numbers under a modulus context. It's particularly suitable for
@@ -152,11 +162,21 @@ export default class ReductionContext {
   add (a: BigNumber, b: BigNumber): BigNumber {
     this.verify2(a, b)
-    const res = a.add(b)
-    if (res.cmp(this.m) >= 0) {
-      res.isub(this.m)
+    // Start from a red clone
+    const res = a.clone()
+    // In-place add keeps red context
+    res.iadd(b)
+    // Always subtract modulus (still red)
+    res.isub(this.m)
+    // If negative, add modulus back
+    if (res.isNeg()) {
+      res.iadd(this.m)
     }
-    return res.forceRed(this)
+    return res
   }
   /**
@@ -178,11 +198,14 @@ export default class ReductionContext {
   iadd (a: BigNumber, b: BigNumber): BigNumber {
     this.verify2(a, b)
-    const res = a.iadd(b)
-    if (res.cmp(this.m) >= 0) {
-      res.isub(this.m)
+    a.iadd(b)
+    a.isub(this.m)
+    if (a.isNeg()) {
+      a.iadd(this.m)
     }
-    return res
+    return a
   }
   /**
@@ -439,52 +462,25 @@ export default class ReductionContext {
    * context.pow(new BigNumber(3), new BigNumber(2)); // Returns 2 (3^2 % 7)
    */
   pow (a: BigNumber, num: BigNumber): BigNumber {
+    this.verify1(a)
     if (num.isZero()) return new BigNumber(1).toRed(this)
-    if (num.cmpn(1) === 0) return a.clone()
-    const windowSize = 4
-    const wnd = new Array(1 << windowSize)
-    wnd[0] = new BigNumber(1).toRed(this)
-    wnd[1] = a
-    let i = 2
-    for (; i < wnd.length; i++) {
-      wnd[i] = this.mul(wnd[i - 1], a)
-    }
-    let res = wnd[0]
-    let current = 0
-    let currentLen = 0
-    let start = num.bitLength() % 26
-    if (start === 0) {
-      start = 26
-    }
+    let result = new BigNumber(1).toRed(this)
+    const base = a.clone()
+    const bits = num.bitLength()
-    for (i = num.length - 1; i >= 0; i--) {
-      const word = num.words[i]
-      for (let j = start - 1; j >= 0; j--) {
-        const bit = (word >> j) & 1
-        if (res !== wnd[0]) {
-          res = this.sqr(res)
-        }
-        if (bit === 0 && current === 0) {
-          currentLen = 0
-          continue
-        }
-        current <<= 1
-        current |= bit
-        currentLen++
-        if (currentLen !== windowSize && (i !== 0 || j !== 0)) continue
-        res = this.mul(res, wnd[current])
-        currentLen = 0
-        current = 0
+    for (let i = bits - 1; i >= 0; i--) {
+      // Always square
+      result = this.sqr(result)
+      // Multiply if bit is set
+      if (num.testn(i)) {
+        result = this.mul(result, base)
       }
-      start = 26
     }
-    return res
+    return result
   }
   /**

package/src/primitives/__tests/ECDSA.test.ts CHANGED Viewed

@@ -129,4 +129,20 @@ describe('ECDSA', () => {
     expect(ECDSA.verify(msg, sig, pub)).toBe(true)
   })
+  it('should reject signing messages larger than curve order bit length (TOB-22)', () => {
+    // Create a message definitely larger than secp256k1 order size
+    const tooLargeMsg = new BigNumber(1).iushln(curve.n.bitLength() + 1)
+    expect(() =>
+      ECDSA.sign(tooLargeMsg, key)
+    ).toThrow(/message is too large/i)
+  })
+  it('verify should return false for messages larger than curve order bit length (TOB-22)', () => {
+    const signature = ECDSA.sign(msg, key)
+    const tooLargeMsg = new BigNumber(1).iushln(curve.n.bitLength() + 1)
+    expect(ECDSA.verify(tooLargeMsg, signature, pub)).toBe(false)
+  })
 })