@opcat-labs/opcat 1.0.0

package/lib/crypto/bn.js

@@ -0,0 +1,278 @@
+'use strict';
+
+var BN = require('../bn');
+var $ = require('../util/preconditions');
+var _ = require('../util/_');
+
+var reversebuf = function (buf) {
+  var buf2 = Buffer.alloc(buf.length);
+  for (var i = 0; i < buf.length; i++) {
+    buf2[i] = buf[buf.length - 1 - i];
+  }
+  return buf2;
+};
+
+BN.Zero = new BN(0);
+BN.One = new BN(1);
+BN.Minus1 = new BN(-1);
+
+/**
+ * Convert a number into a big number.
+ *
+ * @param {number} n Any positive or negative integer.
+ */
+BN.fromNumber = function (n) {
+  $.checkArgument(_.isNumber(n));
+  return BN.fromString(n.toString(16), 16)
+};
+
+/**
+ * Convert a string number into a big number.
+ *
+ * @param {string} str Any positive or negative integer formatted as a string.
+ * @param {number} base The base of the number, defaults to 10.
+ */
+BN.fromString = function (str, base) {
+  $.checkArgument(_.isString(str));
+  return new BN(str, base);
+};
+
+/**
+ * Convert a buffer (such as a 256 bit binary private key) into a big number.
+ * Sometimes these numbers can be formatted either as 'big endian' or 'little
+ * endian', and so there is an opts parameter that lets you specify which
+ * endianness is specified.
+ *
+ * @param {Buffer} buf A buffer number, such as a 256 bit hash or key.
+ * @param {Object} opts With a property 'endian' that can be either 'big' or 'little'. Defaults big endian (most significant digit first).
+ */
+BN.fromBuffer = function (buf, opts) {
+  if (typeof opts !== 'undefined' && opts.endian === 'little') {
+    buf = reversebuf(buf);
+  }
+  var hex = buf.toString('hex');
+  var bn = new BN(hex, 16);
+  return bn;
+};
+
+/**
+ * Instantiate a BigNumber from a "signed magnitude buffer". (a buffer where the
+ * most significant bit represents the sign (0 = positive, 1 = negative)
+ *
+ * @param {Buffer} buf A buffer number, such as a 256 bit hash or key.
+ * @param {Object} opts With a property 'endian' that can be either 'big' or 'little'. Defaults big endian (most significant digit first).
+ */
+BN.fromSM = function (buf, opts) {
+  var ret;
+  if (buf.length === 0) {
+    return BN.fromBuffer(Buffer.from([0]));
+  }
+
+  var endian = 'big';
+  if (opts) {
+    endian = opts.endian;
+  }
+  if (endian === 'little') {
+    buf = reversebuf(buf);
+  }
+
+  if (buf[0] & 0x80) {
+    buf[0] = buf[0] & 0x7f;
+    ret = BN.fromBuffer(buf);
+    ret.neg().copy(ret);
+  } else {
+    ret = BN.fromBuffer(buf);
+  }
+  return ret;
+};
+
+/**
+ * Convert a big number into a number.
+ */
+BN.prototype.toNumber = function () {
+  return parseInt(this.toString(10), 10);
+};
+
+/**
+ * Convert a big number into a buffer. This is somewhat ambiguous, so there is
+ * an opts parameter that let's you specify the endianness or the size.
+ * opts.endian can be either 'big' or 'little' and opts.size can be any
+ * sufficiently large number of bytes. If you always want to create a 32 byte
+ * big endian number, then specify opts = { endian: 'big', size: 32 }
+ *
+ * @param {Object} opts Defaults to { endian: 'big', size: 32 }
+ */
+BN.prototype.toBuffer = function (opts) {
+  var buf, hex;
+  if (opts && opts.size) {
+    hex = this.toString(16, 2);
+    var natlen = hex.length / 2;
+    buf = Buffer.from(hex, 'hex');
+
+    if (natlen === opts.size) {
+      // buf = buf
+    } else if (natlen > opts.size) {
+      buf = BN.trim(buf, natlen);
+    } else if (natlen < opts.size) {
+      buf = BN.pad(buf, natlen, opts.size);
+    }
+  } else {
+    hex = this.toString(16, 2);
+    buf = Buffer.from(hex, 'hex');
+  }
+
+  if (typeof opts !== 'undefined' && opts.endian === 'little') {
+    buf = reversebuf(buf);
+  }
+
+  return buf;
+};
+
+/**
+ * For big numbers that are either positive or negative, you can convert to
+ * "sign magnitude" format whereby the first bit specifies whether the number is
+ * positive or negative.
+ */
+BN.prototype.toSMBigEndian = function () {
+  var buf;
+  if (this.cmp(BN.Zero) === -1) {
+    buf = this.neg().toBuffer();
+    if (buf[0] & 0x80) {
+      buf = Buffer.concat([Buffer.from([0x80]), buf]);
+    } else {
+      buf[0] = buf[0] | 0x80;
+    }
+  } else {
+    buf = this.toBuffer();
+    if (buf[0] & 0x80) {
+      buf = Buffer.concat([Buffer.from([0x00]), buf]);
+    }
+  }
+
+  if ((buf.length === 1) & (buf[0] === 0)) {
+    buf = Buffer.from([]);
+  }
+  return buf;
+};
+
+/**
+ * For big numbers that are either positive or negative, you can convert to
+ * "sign magnitude" format whereby the first bit specifies whether the number is
+ * positive or negative.
+ *
+ * @param {Object} opts Defaults to { endian: 'big' }
+ */
+BN.prototype.toSM = function (opts) {
+  var endian = opts ? opts.endian : 'big';
+  var buf = this.toSMBigEndian();
+
+  if (endian === 'little') {
+    buf = reversebuf(buf);
+  }
+  return buf;
+};
+
+/**
+ * Create a BN from a "ScriptNum": This is analogous to the constructor for
+ * CScriptNum in bitcoind. Many ops in bitcoind's script interpreter use
+ * CScriptNum, which is not really a proper bignum. Instead, an error is thrown
+ * if trying to input a number bigger than 4 bytes. We copy that behavior here.
+ * A third argument, `size`, is provided to extend the hard limit of 4 bytes, as
+ * some usages require more than 4 bytes.
+ *
+ * @param {Buffer} buf A buffer of a number.
+ * @param {boolean} fRequireMinimal Whether to require minimal size encoding.
+ * @param {number} size The maximum size.
+ */
+BN.fromScriptNumBuffer = function (buf, fRequireMinimal, size) {
+  var nMaxNumSize = size || Number.MAX_SAFE_INTEGER;
+  $.checkArgument(buf.length <= nMaxNumSize, new Error('script number overflow'));
+  if (fRequireMinimal && buf.length > 0) {
+    // Check that the number is encoded with the minimum possible
+    // number of bytes.
+    //
+    // If the most-significant-byte - excluding the sign bit - is zero
+    // then we're not minimal. Note how this test also rejects the
+    // negative-zero encoding, 0x80.
+    if ((buf[buf.length - 1] & 0x7f) === 0) {
+      // One exception: if there's more than one byte and the most
+      // significant bit of the second-most-significant-byte is set
+      // it would conflict with the sign bit. An example of this case
+      // is +-255, which encode to 0xff00 and 0xff80 respectively.
+      // (big-endian).
+      if (buf.length <= 1 || (buf[buf.length - 2] & 0x80) === 0) {
+        throw new Error('non-minimally encoded script number');
+      }
+    }
+  }
+  return BN.fromSM(buf, {
+    endian: 'little',
+  });
+};
+
+/**
+ * The corollary to the above, with the notable exception that we do not throw
+ * an error if the output is larger than four bytes. (Which can happen if
+ * performing a numerical operation that results in an overflow to more than 4
+ * bytes).
+ */
+BN.prototype.toScriptNumBuffer = function () {
+  return this.toSM({
+    endian: 'little',
+  });
+};
+
+/**
+ * Trims a buffer if it starts with zeros.
+ *
+ * @param {Buffer} buf A buffer formatted number.
+ * @param {number} natlen The natural length of the number.
+ */
+BN.trim = function (buf, natlen) {
+  return buf.slice(natlen - buf.length, buf.length);
+};
+
+/**
+ * Adds extra zeros to the start of a number.
+ *
+ * @param {Buffer} buf A buffer formatted number.
+ * @param {number} natlen The natural length of the number.
+ * @param {number} size How big to pad the number in bytes.
+ */
+BN.pad = function (buf, natlen, size) {
+  var rbuf = Buffer.alloc(size);
+  for (var i = 0; i < buf.length; i++) {
+    rbuf[rbuf.length - 1 - i] = buf[buf.length - 1 - i];
+  }
+  for (i = 0; i < size - natlen; i++) {
+    rbuf[i] = 0;
+  }
+  return rbuf;
+};
+/**
+ * Convert a big number into a hex string. This is somewhat ambiguous, so there
+ * is an opts parameter that let's you specify the endianness or the size.
+ * opts.endian can be either 'big' or 'little' and opts.size can be any
+ * sufficiently large number of bytes. If you always want to create a 32 byte
+ * big endian number, then specify opts = { endian: 'big', size: 32 }
+ *
+ * @param {Object} opts Defaults to { endian: 'big', size: 32 }
+ */
+BN.prototype.toHex = function (...args) {
+  return this.toBuffer(...args).toString('hex');
+};
+
+/**
+ * Convert a hex string (such as a 256 bit binary private key) into a big
+ * number. Sometimes these numbers can be formatted either as 'big endian' or
+ * 'little endian', and so there is an opts parameter that lets you specify
+ * which endianness is specified.
+ *
+ * @param {Buffer} buf A buffer number, such as a 256 bit hash or key.
+ * @param {Object} opts With a property 'endian' that can be either 'big' or 'little'. Defaults big endian (most significant digit first).
+ */
+BN.fromHex = function (hex, ...args) {
+  return BN.fromBuffer(Buffer.from(hex, 'hex'), ...args);
+};
+
+module.exports = BN;

package/lib/crypto/ecdsa.js

@@ -0,0 +1,339 @@
+'use strict';
+
+var BN = require('./bn');
+var Point = require('./point');
+var Signature = require('./signature');
+var PublicKey = require('../publickey');
+var Random = require('./random');
+var Hash = require('./hash');
+var _ = require('../util/_');
+var $ = require('../util/preconditions');
+
+var ECDSA = function ECDSA(obj) {
+  if (!(this instanceof ECDSA)) {
+    return new ECDSA(obj);
+  }
+  if (obj) {
+    this.set(obj);
+  }
+};
+
+ECDSA.prototype.set = function (obj) {
+  this.hashbuf = obj.hashbuf || this.hashbuf;
+  this.endian = obj.endian || this.endian; // the endianness of hashbuf
+  this.privkey = obj.privkey || this.privkey;
+  this.pubkey = obj.pubkey || (this.privkey ? this.privkey.publicKey : this.pubkey);
+  this.sig = obj.sig || this.sig;
+  this.k = obj.k || this.k;
+  this.verified = obj.verified || this.verified;
+  return this;
+};
+
+ECDSA.prototype.privkey2pubkey = function () {
+  this.pubkey = this.privkey.toPublicKey();
+};
+
+ECDSA.prototype.calci = function () {
+  for (var i = 0; i < 4; i++) {
+    this.sig.i = i;
+    var Qprime;
+    try {
+      Qprime = this.toPublicKey();
+    } catch (e) {
+      console.error(e);
+      continue;
+    }
+
+    if (Qprime.point.eq(this.pubkey.point)) {
+      this.sig.compressed = this.pubkey.compressed;
+      return this;
+    }
+  }
+
+  this.sig.i = undefined;
+  throw new Error('Unable to find valid recovery factor');
+};
+
+ECDSA.fromString = function (str) {
+  var obj = JSON.parse(str);
+  return new ECDSA(obj);
+};
+
+ECDSA.prototype.randomK = function () {
+  var N = Point.getN();
+  var k;
+  do {
+    k = BN.fromBuffer(Random.getRandomBuffer(32));
+  } while (!(k.lt(N) && k.gt(BN.Zero)));
+  this.k = k;
+  return this;
+};
+
+// https://tools.ietf.org/html/rfc6979#section-3.2
+ECDSA.prototype.deterministicK = function (badrs) {
+  // if r or s were invalid when this function was used in signing,
+  // we do not want to actually compute r, s here for efficiency, so,
+  // we can increment badrs. explained at end of RFC 6979 section 3.2
+  if (_.isUndefined(badrs)) {
+    badrs = 0;
+  }
+  var v = Buffer.alloc(32);
+  v.fill(0x01);
+  var k = Buffer.alloc(32);
+  k.fill(0x00);
+  var x = this.privkey.bn.toBuffer({
+    size: 32,
+  });
+  var hashbuf = this.endian === 'little' ? Buffer.from(this.hashbuf).reverse() : this.hashbuf;
+  k = Hash.sha256hmac(Buffer.concat([v, Buffer.from([0x00]), x, hashbuf]), k);
+  v = Hash.sha256hmac(v, k);
+  k = Hash.sha256hmac(Buffer.concat([v, Buffer.from([0x01]), x, hashbuf]), k);
+  v = Hash.sha256hmac(v, k);
+  v = Hash.sha256hmac(v, k);
+  var T = BN.fromBuffer(v);
+  var N = Point.getN();
+
+  // also explained in 3.2, we must ensure T is in the proper range (0, N)
+  for (var i = 0; i < badrs || !(T.lt(N) && T.gt(BN.Zero)); i++) {
+    k = Hash.sha256hmac(Buffer.concat([v, Buffer.from([0x00])]), k);
+    v = Hash.sha256hmac(v, k);
+    v = Hash.sha256hmac(v, k);
+    T = BN.fromBuffer(v);
+  }
+
+  this.k = T;
+  return this;
+};
+
+// Information about public key recovery:
+// https://bitcointalk.org/index.php?topic=6430.0
+// http://stackoverflow.com/questions/19665491/how-do-i-get-an-ecdsa-public-key-from-just-a-bitcoin-signature-sec1-4-1-6-k
+ECDSA.prototype.toPublicKey = function () {
+  var i = this.sig.i;
+  $.checkArgument(
+    i === 0 || i === 1 || i === 2 || i === 3,
+    new Error('i must be equal to 0, 1, 2, or 3'),
+  );
+
+  var e = BN.fromBuffer(this.hashbuf);
+  var r = this.sig.r;
+  var s = this.sig.s;
+
+  // A set LSB signifies that the y-coordinate is odd
+  var isYOdd = i & 1;
+
+  // The more significant bit specifies whether we should use the
+  // first or second candidate key.
+  var isSecondKey = i >> 1;
+
+  var n = Point.getN();
+  var G = Point.getG();
+
+  // 1.1 Let x = r + jn
+  var x = isSecondKey ? r.add(n) : r;
+  var R = Point.fromX(isYOdd, x);
+
+  // 1.4 Check that nR is at infinity
+  var nR = R.mul(n);
+
+  if (!nR.isInfinity()) {
+    throw new Error('nR is not a valid curve point');
+  }
+
+  // Compute -e from e
+  var eNeg = e.neg().umod(n);
+
+  // 1.6.1 Compute Q = r^-1 (sR - eG)
+  // Q = r^-1 (sR + -eG)
+  var rInv = r.invm(n);
+
+  // var Q = R.multiplyTwo(s, G, eNeg).mul(rInv);
+  var Q = R.mul(s).add(G.mul(eNeg)).mul(rInv);
+
+  var pubkey = PublicKey.fromPoint(Q, this.sig.compressed);
+
+  return pubkey;
+};
+
+ECDSA.prototype.sigError = function () {
+  if (!Buffer.isBuffer(this.hashbuf) || this.hashbuf.length !== 32) {
+    return 'hashbuf must be a 32 byte buffer';
+  }
+
+  var r = this.sig.r;
+  var s = this.sig.s;
+  if (!(r.gt(BN.Zero) && r.lt(Point.getN())) || !(s.gt(BN.Zero) && s.lt(Point.getN()))) {
+    return 'r and s not in range';
+  }
+
+  var e = BN.fromBuffer(
+    this.hashbuf,
+    this.endian
+      ? {
+          endian: this.endian,
+        }
+      : undefined,
+  );
+  var n = Point.getN();
+  var sinv = s.invm(n);
+  var u1 = sinv.mul(e).umod(n);
+  var u2 = sinv.mul(r).umod(n);
+
+  var p = Point.getG().mulAdd(u1, this.pubkey.point, u2);
+  if (p.isInfinity()) {
+    return 'p is infinity';
+  }
+
+  if (p.getX().umod(n).cmp(r) !== 0) {
+    return 'Invalid signature';
+  } else {
+    return false;
+  }
+};
+
+ECDSA.toLowS = function (s) {
+  // enforce low s
+  // see BIP 62, "low S values in signatures"
+  if (
+    s.gt(
+      BN.fromBuffer(
+        Buffer.from('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0', 'hex'),
+      ),
+    )
+  ) {
+    s = Point.getN().sub(s);
+  }
+  return s;
+};
+
+ECDSA.prototype._findSignature = function (d, e) {
+  var N = Point.getN();
+  var G = Point.getG();
+  // try different values of k until r, s are valid
+  var badrs = 0;
+  var k, Q, r, s;
+  do {
+    if (!this.k || badrs > 0) {
+      this.deterministicK(badrs);
+    }
+    badrs++;
+    k = this.k;
+    Q = G.mul(k);
+    r = new BN(1).mul(Q.x.umod(N));
+    s = k
+      .invm(N)
+      .mul(e.add(d.mul(r)))
+      .umod(N);
+  } while (r.cmp(BN.Zero) <= 0 || s.cmp(BN.Zero) <= 0);
+
+  s = ECDSA.toLowS(s);
+  return {
+    s: s,
+    r: r,
+  };
+};
+
+ECDSA.prototype.sign = function () {
+  var hashbuf = this.hashbuf;
+  var privkey = this.privkey;
+  var d = privkey.bn;
+
+  $.checkState(hashbuf && privkey && d, new Error('invalid parameters'));
+  $.checkState(
+    Buffer.isBuffer(hashbuf) && hashbuf.length === 32,
+    new Error('hashbuf must be a 32 byte buffer'),
+  );
+
+  var e = BN.fromBuffer(
+    hashbuf,
+    this.endian
+      ? {
+          endian: this.endian,
+        }
+      : undefined,
+  );
+
+  var obj = this._findSignature(d, e);
+  obj.compressed = this.pubkey.compressed;
+
+  this.sig = new Signature(obj);
+  return this;
+};
+
+ECDSA.prototype.signRandomK = function () {
+  this.randomK();
+  return this.sign();
+};
+
+ECDSA.prototype.toString = function () {
+  var obj = {};
+  if (this.hashbuf) {
+    obj.hashbuf = this.hashbuf.toString('hex');
+  }
+  if (this.privkey) {
+    obj.privkey = this.privkey.toString();
+  }
+  if (this.pubkey) {
+    obj.pubkey = this.pubkey.toString();
+  }
+  if (this.sig) {
+    obj.sig = this.sig.toString();
+  }
+  if (this.k) {
+    obj.k = this.k.toString();
+  }
+  return JSON.stringify(obj);
+};
+
+ECDSA.prototype.verify = function () {
+  if (!this.sigError()) {
+    this.verified = true;
+  } else {
+    this.verified = false;
+  }
+  return this;
+};
+
+ECDSA.sign = function (hashbuf, privkey, endian) {
+  return ECDSA()
+    .set({
+      hashbuf: hashbuf,
+      endian: endian,
+      privkey: privkey,
+    })
+    .sign().sig;
+};
+
+ECDSA.signWithCalcI = function (hashbuf, privkey, endian) {
+  return ECDSA()
+    .set({
+      hashbuf: hashbuf,
+      endian: endian,
+      privkey: privkey,
+    })
+    .sign()
+    .calci().sig;
+};
+
+ECDSA.signRandomK = function (hashbuf, privkey, endian) {
+  return ECDSA()
+    .set({
+      hashbuf: hashbuf,
+      endian: endian,
+      privkey: privkey,
+    })
+    .signRandomK().sig;
+};
+
+ECDSA.verify = function (hashbuf, sig, pubkey, endian) {
+  return ECDSA()
+    .set({
+      hashbuf: hashbuf,
+      endian: endian,
+      sig: sig,
+      pubkey: pubkey,
+    })
+    .verify().verified;
+};
+
+module.exports = ECDSA;