@smartledger/bsv 1.5.6-fix1

package/lib/crypto/ecdsa.js

@@ -0,0 +1,330 @@
+'use strict'
+
+var BN = require('./bn')
+var Point = require('./point')
+var Signature = require('./signature')
+var PublicKey = require('../publickey')
+var Random = require('./random')
+var Hash = require('./hash')
+var _ = require('../util/_')
+var $ = require('../util/preconditions')
+
+var ECDSA = function ECDSA (obj) {
+  if (!(this instanceof ECDSA)) {
+    return new ECDSA(obj)
+  }
+  if (obj) {
+    this.set(obj)
+  }
+}
+
+ECDSA.prototype.set = function (obj) {
+  this.hashbuf = obj.hashbuf || this.hashbuf
+  this.endian = obj.endian || this.endian // the endianness of hashbuf
+  this.privkey = obj.privkey || this.privkey
+  this.pubkey = obj.pubkey || (this.privkey ? this.privkey.publicKey : this.pubkey)
+  this.sig = obj.sig || this.sig
+  this.k = obj.k || this.k
+  this.verified = obj.verified || this.verified
+  return this
+}
+
+ECDSA.prototype.privkey2pubkey = function () {
+  this.pubkey = this.privkey.toPublicKey()
+}
+
+ECDSA.prototype.calci = function () {
+  for (var i = 0; i < 4; i++) {
+    this.sig.i = i
+    var Qprime
+    try {
+      Qprime = this.toPublicKey()
+    } catch (e) {
+      console.error(e)
+      continue
+    }
+
+    if (Qprime.point.eq(this.pubkey.point)) {
+      this.sig.compressed = this.pubkey.compressed
+      return this
+    }
+  }
+
+  this.sig.i = undefined
+  throw new Error('Unable to find valid recovery factor')
+}
+
+ECDSA.fromString = function (str) {
+  var obj = JSON.parse(str)
+  return new ECDSA(obj)
+}
+
+ECDSA.prototype.randomK = function () {
+  var N = Point.getN()
+  var k
+  do {
+    k = BN.fromBuffer(Random.getRandomBuffer(32))
+  } while (!(k.lt(N) && k.gt(BN.Zero)))
+  this.k = k
+  return this
+}
+
+// https://tools.ietf.org/html/rfc6979#section-3.2
+ECDSA.prototype.deterministicK = function (badrs) {
+  // if r or s were invalid when this function was used in signing,
+  // we do not want to actually compute r, s here for efficiency, so,
+  // we can increment badrs. explained at end of RFC 6979 section 3.2
+  if (_.isUndefined(badrs)) {
+    badrs = 0
+  }
+  var v = Buffer.alloc(32)
+  v.fill(0x01)
+  var k = Buffer.alloc(32)
+  k.fill(0x00)
+  var x = this.privkey.bn.toBuffer({
+    size: 32
+  })
+  var hashbuf = this.endian === 'little' ? Buffer.from(this.hashbuf).reverse() : this.hashbuf
+  k = Hash.sha256hmac(Buffer.concat([v, Buffer.from([0x00]), x, hashbuf]), k)
+  v = Hash.sha256hmac(v, k)
+  k = Hash.sha256hmac(Buffer.concat([v, Buffer.from([0x01]), x, hashbuf]), k)
+  v = Hash.sha256hmac(v, k)
+  v = Hash.sha256hmac(v, k)
+  var T = BN.fromBuffer(v)
+  var N = Point.getN()
+
+  // also explained in 3.2, we must ensure T is in the proper range (0, N)
+  for (var i = 0; i < badrs || !(T.lt(N) && T.gt(BN.Zero)); i++) {
+    k = Hash.sha256hmac(Buffer.concat([v, Buffer.from([0x00])]), k)
+    v = Hash.sha256hmac(v, k)
+    v = Hash.sha256hmac(v, k)
+    T = BN.fromBuffer(v)
+  }
+
+  this.k = T
+  return this
+}
+
+// Information about public key recovery:
+// https://bitcointalk.org/index.php?topic=6430.0
+// http://stackoverflow.com/questions/19665491/how-do-i-get-an-ecdsa-public-key-from-just-a-bitcoin-signature-sec1-4-1-6-k
+ECDSA.prototype.toPublicKey = function () {
+  var i = this.sig.i
+  $.checkArgument(i === 0 || i === 1 || i === 2 || i === 3, new Error('i must be equal to 0, 1, 2, or 3'))
+
+  var e = BN.fromBuffer(this.hashbuf)
+  var r = this.sig.r
+  var s = this.sig.s
+
+  // A set LSB signifies that the y-coordinate is odd
+  var isYOdd = i & 1
+
+  // The more significant bit specifies whether we should use the
+  // first or second candidate key.
+  var isSecondKey = i >> 1
+
+  var n = Point.getN()
+  var G = Point.getG()
+
+  // 1.1 Let x = r + jn
+  var x = isSecondKey ? r.add(n) : r
+  var R = Point.fromX(isYOdd, x)
+
+  // 1.4 Check that nR is at infinity
+  var nR = R.mul(n)
+
+  if (!nR.isInfinity()) {
+    throw new Error('nR is not a valid curve point')
+  }
+
+  // Compute -e from e
+  var eNeg = e.neg().umod(n)
+
+  // 1.6.1 Compute Q = r^-1 (sR - eG)
+  // Q = r^-1 (sR + -eG)
+  var rInv = r.invm(n)
+
+  // var Q = R.multiplyTwo(s, G, eNeg).mul(rInv);
+  var Q = R.mul(s).add(G.mul(eNeg)).mul(rInv)
+
+  var pubkey = PublicKey.fromPoint(Q, this.sig.compressed)
+
+  return pubkey
+}
+
+ECDSA.prototype.sigError = function () {
+  if (!Buffer.isBuffer(this.hashbuf) || this.hashbuf.length !== 32) {
+    return 'hashbuf must be a 32 byte buffer'
+  }
+
+  // === SmartLedger Security Patches ===
+  // Apply security validation during cryptographic verification
+  try {
+    // Create a copy to avoid mutating original signature
+    var secureSig = {
+      r: this.sig.r,
+      s: this.sig.s
+    }
+
+    // Apply security patches to the copy
+    var n = Point.getN()
+
+    // Fix 1 & 2: Enhanced range validation (maintains original message for compatibility)
+    if (secureSig.r.isZero() || secureSig.s.isZero() ||
+        secureSig.r.gte(n) || secureSig.s.gte(n)) {
+      return 'r and s not in range'
+    }
+
+    // Fix 3: Canonicalize s for verification (non-mutating)
+    var nh = n.shrn(1) // n/2
+    if (secureSig.s.gt(nh)) {
+      secureSig.s = n.sub(secureSig.s)
+    }
+
+    // Use secure signature for verification
+    var r = secureSig.r
+    var canonicalS = secureSig.s
+  } catch (error) {
+    return 'Signature security validation failed: ' + error.message
+  }
+
+  var e = BN.fromBuffer(this.hashbuf, this.endian ? {
+    endian: this.endian
+  } : undefined)
+  // Use canonical s for verification
+  var sinv = canonicalS.invm(n)
+  var u1 = sinv.mul(e).umod(n)
+  var u2 = sinv.mul(r).umod(n)
+
+  var p = Point.getG().mulAdd(u1, this.pubkey.point, u2)
+  if (p.isInfinity()) {
+    return 'p is infinity'
+  }
+
+  if (p.getX().umod(n).cmp(r) !== 0) {
+    return 'Invalid signature'
+  } else {
+    return false
+  }
+}
+
+ECDSA.toLowS = function (s) {
+  // enforce low s
+  // see BIP 62, "low S values in signatures"
+  if (s.gt(BN.fromBuffer(Buffer.from('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0', 'hex')))) {
+    s = Point.getN().sub(s)
+  }
+  return s
+}
+
+ECDSA.prototype._findSignature = function (d, e) {
+  var N = Point.getN()
+  var G = Point.getG()
+  // try different values of k until r, s are valid
+  var badrs = 0
+  var k, Q, r, s
+  do {
+    if (!this.k || badrs > 0) {
+      this.deterministicK(badrs)
+    }
+    badrs++
+    k = this.k
+    Q = G.mul(k)
+    r = Q.x.umod(N)
+    s = k.invm(N).mul(e.add(d.mul(r))).umod(N)
+  } while (r.cmp(BN.Zero) <= 0 || s.cmp(BN.Zero) <= 0)
+
+  s = ECDSA.toLowS(s)
+  return {
+    s: s,
+    r: r
+  }
+}
+
+ECDSA.prototype.sign = function () {
+  var hashbuf = this.hashbuf
+  var privkey = this.privkey
+  var d = privkey.bn
+
+  $.checkState(hashbuf && privkey && d, new Error('invalid parameters'))
+  $.checkState(Buffer.isBuffer(hashbuf) && hashbuf.length === 32, new Error('hashbuf must be a 32 byte buffer'))
+
+  var e = BN.fromBuffer(hashbuf, this.endian ? {
+    endian: this.endian
+  } : undefined)
+
+  var obj = this._findSignature(d, e)
+  obj.compressed = this.pubkey.compressed
+
+  this.sig = new Signature(obj)
+  return this
+}
+
+ECDSA.prototype.signRandomK = function () {
+  this.randomK()
+  return this.sign()
+}
+
+ECDSA.prototype.toString = function () {
+  var obj = {}
+  if (this.hashbuf) {
+    obj.hashbuf = this.hashbuf.toString('hex')
+  }
+  if (this.privkey) {
+    obj.privkey = this.privkey.toString()
+  }
+  if (this.pubkey) {
+    obj.pubkey = this.pubkey.toString()
+  }
+  if (this.sig) {
+    obj.sig = this.sig.toString()
+  }
+  if (this.k) {
+    obj.k = this.k.toString()
+  }
+  return JSON.stringify(obj)
+}
+
+ECDSA.prototype.verify = function () {
+  if (!this.sigError()) {
+    this.verified = true
+  } else {
+    this.verified = false
+  }
+  return this
+}
+
+ECDSA.sign = function (hashbuf, privkey, endian) {
+  return ECDSA().set({
+    hashbuf: hashbuf,
+    endian: endian,
+    privkey: privkey
+  }).sign().sig
+}
+
+ECDSA.signWithCalcI = function (hashbuf, privkey, endian) {
+  return ECDSA().set({
+    hashbuf: hashbuf,
+    endian: endian,
+    privkey: privkey
+  }).sign().calci().sig
+}
+
+ECDSA.signRandomK = function (hashbuf, privkey, endian) {
+  return ECDSA().set({
+    hashbuf: hashbuf,
+    endian: endian,
+    privkey: privkey
+  }).signRandomK().sig
+}
+
+ECDSA.verify = function (hashbuf, sig, pubkey, endian) {
+  return ECDSA().set({
+    hashbuf: hashbuf,
+    endian: endian,
+    sig: sig,
+    pubkey: pubkey
+  }).verify().verified
+}
+
+module.exports = ECDSA

package/lib/crypto/elliptic-fixed.js

@@ -0,0 +1,74 @@
+'use strict'
+
+/**
+ * SmartLedger Elliptic Security Wrapper
+ * Patches elliptic library to prevent signature verification vulnerabilities
+ */
+
+const { ec: EC } = require('elliptic')
+const ec = new EC('secp256k1')
+
+// Store original verify method
+const origVerify = ec.verify.bind(ec)
+
+/**
+ * Hardened elliptic verify method
+ * Rejects invalid signature parameters before calling original verify
+ */
+ec.verify = function (msg, sig, key, enc, opts) {
+  // Validate signature components exist
+  if (!sig || typeof sig !== 'object') {
+    return false
+  }
+
+  // Check for r and s components
+  if (!sig.r || !sig.s) {
+    return false
+  }
+
+  // Convert to BN if needed for comparison
+  const r = typeof sig.r.cmp === 'function' ? sig.r : this.curve.n.red ? this.curve.n.fromRed(sig.r) : sig.r
+  const s = typeof sig.s.cmp === 'function' ? sig.s : this.curve.n.red ? this.curve.n.fromRed(sig.s) : sig.s
+
+  // Reject if r or s >= curve order n
+  if (r && r.cmp && r.cmp(this.curve.n) >= 0) {
+    return false
+  }
+  if (s && s.cmp && s.cmp(this.curve.n) >= 0) {
+    return false
+  }
+
+  // Reject zero values
+  if (r && r.isZero && r.isZero()) {
+    return false
+  }
+  if (s && s.isZero && s.isZero()) {
+    return false
+  }
+
+  // Call original verify with validated parameters
+  return origVerify(msg, sig, key, enc, opts)
+}
+
+// Store original sign method for potential future hardening
+const origSign = ec.sign.bind(ec)
+
+/**
+ * Hardened elliptic sign method
+ * Ensures canonical signatures (s <= n/2)
+ */
+ec.sign = function (msg, key, enc, options) {
+  const signature = origSign(msg, key, enc, options)
+
+  // Canonicalize s value to lower half
+  if (signature.s && signature.s.cmp) {
+    const halfOrder = this.curve.n.shrn(1)
+    if (signature.s.cmp(halfOrder) > 0) {
+      signature.s = this.curve.n.sub(signature.s)
+    }
+  }
+
+  return signature
+}
+
+module.exports = ec

package/lib/crypto/hash.browser.js

@@ -0,0 +1,171 @@
+'use strict'
+
+var hash = require('hash.js')
+var $ = require('../util/preconditions')
+
+var Hash = module.exports
+
+/**
+ * A SHA or SHA1 hash, which is always 160 bits or 20 bytes long.
+ *
+ * See:
+ * https://en.wikipedia.org/wiki/SHA-1
+ *
+ * @param {Buffer} buf Data, a.k.a. pre-image, which can be any size.
+ * @returns {Buffer} The hash in the form of a buffer.
+ */
+Hash.sha1 = function (buf) {
+  $.checkArgument(Buffer.isBuffer(buf))
+  return Buffer.from(hash.sha1().update(buf).digest('hex'), 'hex')
+}
+
+Hash.sha1.blocksize = 512
+
+/**
+ * A SHA256 hash, which is always 256 bits or 32 bytes long.
+ *
+ * See:
+ * https://www.movable-type.co.uk/scripts/sha256.html
+ *
+ * @param {Buffer} buf Data, a.k.a. pre-image, which can be any size.
+ * @returns {Buffer} The hash in the form of a buffer.
+ */
+Hash.sha256 = function (buf) {
+  $.checkArgument(Buffer.isBuffer(buf))
+  return Buffer.from(hash.sha256().update(buf).digest('hex'), 'hex')
+}
+
+Hash.sha256.blocksize = 512
+
+/**
+ * A double SHA256 hash, which is always 256 bits or 32 bytes bytes long. This
+ * hash function is commonly used inside Bitcoin, particularly for the hash of a
+ * block and the hash of a transaction.
+ *
+ * See:
+ * https://www.movable-type.co.uk/scripts/sha256.html
+ *
+ * @param {Buffer} buf Data, a.k.a. pre-image, which can be any size.
+ * @returns {Buffer} The hash in the form of a buffer.
+ */
+Hash.sha256sha256 = function (buf) {
+  $.checkArgument(Buffer.isBuffer(buf))
+  return Hash.sha256(Hash.sha256(buf))
+}
+
+/**
+ * A RIPEMD160 hash, which is always 160 bits or 20 bytes long.
+ *
+ * See:
+ * https://en.wikipedia.org/wiki/RIPEMD
+ *
+ * @param {Buffer} buf Data, a.k.a. pre-image, which can be any size.
+ * @returns {Buffer} The hash in the form of a buffer.
+ */
+Hash.ripemd160 = function (buf) {
+  $.checkArgument(Buffer.isBuffer(buf))
+  return Buffer.from(hash.ripemd160().update(buf).digest('hex'), 'hex')
+}
+/**
+ * A RIPEMD160 hash of a SHA256 hash, which is always 160 bits or 20 bytes long.
+ * This value is commonly used inside Bitcoin, particularly for Bitcoin
+ * addresses.
+ *
+ * See:
+ * https://en.wikipedia.org/wiki/RIPEMD
+ *
+ * @param {Buffer} buf Data, a.k.a. pre-image, which can be any size.
+ * @returns {Buffer} The hash in the form of a buffer.
+ */
+Hash.sha256ripemd160 = function (buf) {
+  $.checkArgument(Buffer.isBuffer(buf))
+  return Hash.ripemd160(Hash.sha256(buf))
+}
+
+/**
+ * A SHA512 hash, which is always 512 bits or 64 bytes long.
+ *
+ * See:
+ * https://en.wikipedia.org/wiki/SHA-2
+ *
+ * @param {Buffer} buf Data, a.k.a. pre-image, which can be any size.
+ * @returns {Buffer} The hash in the form of a buffer.
+ */
+Hash.sha512 = function (buf) {
+  $.checkArgument(Buffer.isBuffer(buf))
+  return Buffer.from(hash.sha512().update(buf).digest('hex'), 'hex')
+}
+
+Hash.sha512.blocksize = 1024
+
+/**
+ * A way to do HMAC using any underlying hash function. If you ever find that
+ * you want to hash two pieces of data together, you should use HMAC instead of
+ * just using a hash function. Rather than doing hash(data1 + data2) you should
+ * do HMAC(data1, data2). Actually, rather than use HMAC directly, we recommend
+ * you use either sha256hmac or sha515hmac provided below.
+ *
+ * See:
+ * https://en.wikipedia.org/wiki/Length_extension_attack
+ * https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
+ *
+ * @param {function} hashf Which hash function to use.
+ * @param {Buffer} data Data, which can be any size.
+ * @param {Buffer} key Key, which can be any size.
+ * @returns {Buffer} The HMAC in the form of a buffer.
+ */
+Hash.hmac = function (hashf, data, key) {
+  // http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
+  // http://tools.ietf.org/html/rfc4868#section-2
+  $.checkArgument(Buffer.isBuffer(data))
+  $.checkArgument(Buffer.isBuffer(key))
+  $.checkArgument(hashf.blocksize)
+
+  var blocksize = hashf.blocksize / 8
+
+  if (key.length > blocksize) {
+    key = hashf(key)
+  } else if (key < blocksize) {
+    var fill = Buffer.alloc(blocksize)
+    fill.fill(0)
+    key.copy(fill)
+    key = fill
+  }
+
+  var oKey = Buffer.alloc(blocksize)
+  oKey.fill(0x5c)
+
+  var iKey = Buffer.alloc(blocksize)
+  iKey.fill(0x36)
+
+  var oKeyPad = Buffer.alloc(blocksize)
+  var iKeyPad = Buffer.alloc(blocksize)
+  for (var i = 0; i < blocksize; i++) {
+    oKeyPad[i] = oKey[i] ^ key[i]
+    iKeyPad[i] = iKey[i] ^ key[i]
+  }
+
+  return hashf(Buffer.concat([oKeyPad, hashf(Buffer.concat([iKeyPad, data]))]))
+}
+
+/**
+ * A SHA256 HMAC.
+ *
+ * @param {Buffer} data Data, which can be any size.
+ * @param {Buffer} key Key, which can be any size.
+ * @returns {Buffer} The HMAC in the form of a buffer.
+ */
+Hash.sha256hmac = function (data, key) {
+  return Hash.hmac(Hash.sha256, data, key)
+}
+
+/**
+ * A SHA512 HMAC.
+ *
+ * @param {Buffer} data Data, which can be any size.
+ * @param {Buffer} key Key, which can be any size.
+ * @returns {Buffer} The HMAC in the form of a buffer.
+ */
+Hash.sha512hmac = function (data, key) {
+  return Hash.hmac(Hash.sha512, data, key)
+}

package/lib/crypto/hash.js

@@ -0,0 +1,2 @@
+if (process.browser) module.exports = require('./hash.browser')
+else module.exports = require('./hash.node')