smartledger-bsv 3.0.0

package/lib/crypto/signature.js

@@ -0,0 +1,410 @@
+'use strict'
+
+var BN = require('./bn')
+var _ = require('../util/_')
+var $ = require('../util/preconditions')
+var JSUtil = require('../util/js')
+
+var Signature = function Signature (r, s) {
+  if (!(this instanceof Signature)) {
+    return new Signature(r, s)
+  }
+  if (r instanceof BN) {
+    this.set({
+      r: r,
+      s: s
+    })
+  } else if (r) {
+    var obj = r
+    this.set(obj)
+  }
+}
+
+Signature.prototype.set = function (obj) {
+  this.r = obj.r || this.r || undefined
+  this.s = obj.s || this.s || undefined
+
+  this.i = typeof obj.i !== 'undefined' ? obj.i : this.i // public key recovery parameter in range [0, 3]
+  this.compressed = typeof obj.compressed !== 'undefined'
+    ? obj.compressed : this.compressed // whether the recovered pubkey is compressed
+  this.nhashtype = obj.nhashtype || this.nhashtype || undefined
+  return this
+}
+
+Signature.fromCompact = function (buf) {
+  $.checkArgument(Buffer.isBuffer(buf), 'Argument is expected to be a Buffer')
+
+  var sig = new Signature()
+
+  var compressed = true
+  var i = buf.slice(0, 1)[0] - 27 - 4
+  if (i < 0) {
+    compressed = false
+    i = i + 4
+  }
+
+  var b2 = buf.slice(1, 33)
+  var b3 = buf.slice(33, 65)
+
+  $.checkArgument(i === 0 || i === 1 || i === 2 || i === 3, new Error('i must be 0, 1, 2, or 3'))
+  $.checkArgument(b2.length === 32, new Error('r must be 32 bytes'))
+  $.checkArgument(b3.length === 32, new Error('s must be 32 bytes'))
+
+  sig.compressed = compressed
+  sig.i = i
+  sig.r = BN.fromBuffer(b2)
+  sig.s = BN.fromBuffer(b3)
+
+  return sig
+}
+
+Signature.fromDER = Signature.fromBuffer = function (buf, strict) {
+  var obj = Signature.parseDER(buf, strict)
+  var sig = new Signature()
+
+  sig.r = obj.r
+  sig.s = obj.s
+
+  return sig
+}
+
+// The format used in a tx
+Signature.fromTxFormat = function (buf) {
+  var nhashtype = buf.readUInt8(buf.length - 1)
+  var derbuf = buf.slice(0, buf.length - 1)
+  var sig = Signature.fromDER(derbuf, false)
+  sig.nhashtype = nhashtype
+  return sig
+}
+
+Signature.fromString = function (str) {
+  var buf = Buffer.from(str, 'hex')
+  return Signature.fromDER(buf)
+}
+
+/**
+ * In order to mimic the non-strict DER encoding of OpenSSL, set strict = false.
+ */
+Signature.parseDER = function (buf, strict) {
+  $.checkArgument(Buffer.isBuffer(buf), new Error('DER formatted signature should be a buffer'))
+  if (_.isUndefined(strict)) {
+    strict = true
+  }
+
+  var header = buf[0]
+  $.checkArgument(header === 0x30, new Error('Header byte should be 0x30'))
+
+  var length = buf[1]
+  var buflength = buf.slice(2).length
+  $.checkArgument(!strict || length === buflength, new Error('Length byte should length of what follows'))
+
+  length = length < buflength ? length : buflength
+
+  var rheader = buf[2 + 0]
+  $.checkArgument(rheader === 0x02, new Error('Integer byte for r should be 0x02'))
+
+  var rlength = buf[2 + 1]
+  var rbuf = buf.slice(2 + 2, 2 + 2 + rlength)
+  var r = BN.fromBuffer(rbuf)
+  var rneg = buf[2 + 1 + 1] === 0x00
+  $.checkArgument(rlength === rbuf.length, new Error('Length of r incorrect'))
+
+  var sheader = buf[2 + 2 + rlength + 0]
+  $.checkArgument(sheader === 0x02, new Error('Integer byte for s should be 0x02'))
+
+  var slength = buf[2 + 2 + rlength + 1]
+  var sbuf = buf.slice(2 + 2 + rlength + 2, 2 + 2 + rlength + 2 + slength)
+  var s = BN.fromBuffer(sbuf)
+  var sneg = buf[2 + 2 + rlength + 2 + 2] === 0x00
+  $.checkArgument(slength === sbuf.length, new Error('Length of s incorrect'))
+
+  var sumlength = 2 + 2 + rlength + 2 + slength
+  $.checkArgument(length === sumlength - 2, new Error('Length of signature incorrect'))
+
+  var obj = {
+    header: header,
+    length: length,
+    rheader: rheader,
+    rlength: rlength,
+    rneg: rneg,
+    rbuf: rbuf,
+    r: r,
+    sheader: sheader,
+    slength: slength,
+    sneg: sneg,
+    sbuf: sbuf,
+    s: s
+  }
+
+  return obj
+}
+
+Signature.prototype.toCompact = function (i, compressed) {
+  i = typeof i === 'number' ? i : this.i
+  compressed = typeof compressed === 'boolean' ? compressed : this.compressed
+
+  if (!(i === 0 || i === 1 || i === 2 || i === 3)) {
+    throw new Error('i must be equal to 0, 1, 2, or 3')
+  }
+
+  var val = i + 27 + 4
+  if (compressed === false) {
+    val = val - 4
+  }
+  var b1 = Buffer.from([val])
+  var b2 = this.r.toBuffer({
+    size: 32
+  })
+  var b3 = this.s.toBuffer({
+    size: 32
+  })
+  return Buffer.concat([b1, b2, b3])
+}
+
+Signature.prototype.toBuffer = Signature.prototype.toDER = function () {
+  var rnbuf = this.r.toBuffer()
+  var snbuf = this.s.toBuffer()
+
+  var rneg = !!(rnbuf[0] & 0x80)
+  var sneg = !!(snbuf[0] & 0x80)
+
+  var rbuf = rneg ? Buffer.concat([Buffer.from([0x00]), rnbuf]) : rnbuf
+  var sbuf = sneg ? Buffer.concat([Buffer.from([0x00]), snbuf]) : snbuf
+
+  var rlength = rbuf.length
+  var slength = sbuf.length
+  var length = 2 + rlength + 2 + slength
+  var rheader = 0x02
+  var sheader = 0x02
+  var header = 0x30
+
+  var der = Buffer.concat([Buffer.from([header, length, rheader, rlength]), rbuf, Buffer.from([sheader, slength]), sbuf])
+  return der
+}
+
+Signature.prototype.toString = function () {
+  var buf = this.toDER()
+  return buf.toString('hex')
+}
+
+/**
+ * This function is translated from bitcoind's IsDERSignature and is used in
+ * the script interpreter.  This "DER" format actually includes an extra byte,
+ * the nhashtype, at the end. It is really the tx format, not DER format.
+ *
+ * A canonical signature exists of: [30] [total len] [02] [len R] [R] [02] [len S] [S] [hashtype]
+ * Where R and S are not negative (their first byte has its highest bit not set), and not
+ * excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
+ * in which case a single 0 byte is necessary and even required).
+ *
+ * See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
+ */
+Signature.isTxDER = function (buf) {
+  if (buf.length < 9) {
+    //  Non-canonical signature: too short
+    return false
+  }
+  if (buf.length > 73) {
+    // Non-canonical signature: too long
+    return false
+  }
+  if (buf[0] !== 0x30) {
+    //  Non-canonical signature: wrong type
+    return false
+  }
+  if (buf[1] !== buf.length - 3) {
+    //  Non-canonical signature: wrong length marker
+    return false
+  }
+  var nLenR = buf[3]
+  if (5 + nLenR >= buf.length) {
+    //  Non-canonical signature: S length misplaced
+    return false
+  }
+  var nLenS = buf[5 + nLenR]
+  if ((nLenR + nLenS + 7) !== buf.length) {
+    //  Non-canonical signature: R+S length mismatch
+    return false
+  }
+
+  var R = buf.slice(4)
+  if (buf[4 - 2] !== 0x02) {
+    //  Non-canonical signature: R value type mismatch
+    return false
+  }
+  if (nLenR === 0) {
+    //  Non-canonical signature: R length is zero
+    return false
+  }
+  if (R[0] & 0x80) {
+    //  Non-canonical signature: R value negative
+    return false
+  }
+  if (nLenR > 1 && (R[0] === 0x00) && !(R[1] & 0x80)) {
+    //  Non-canonical signature: R value excessively padded
+    return false
+  }
+
+  var S = buf.slice(6 + nLenR)
+  if (buf[6 + nLenR - 2] !== 0x02) {
+    //  Non-canonical signature: S value type mismatch
+    return false
+  }
+  if (nLenS === 0) {
+    //  Non-canonical signature: S length is zero
+    return false
+  }
+  if (S[0] & 0x80) {
+    //  Non-canonical signature: S value negative
+    return false
+  }
+  if (nLenS > 1 && (S[0] === 0x00) && !(S[1] & 0x80)) {
+    //  Non-canonical signature: S value excessively padded
+    return false
+  }
+  return true
+}
+
+/**
+ * Compares to bitcoind's IsLowDERSignature
+ * See also ECDSA signature algorithm which enforces this.
+ * See also BIP 62, "low S values in signatures"
+ */
+Signature.prototype.hasLowS = function () {
+  if (this.s.lt(new BN(1)) ||
+    this.s.gt(new BN('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0', 'hex'))) {
+    return false
+  }
+  return true
+}
+
+/**
+ * @returns true if the nhashtype is exactly equal to one of the standard options or combinations thereof.
+ * Translated from bitcoind's IsDefinedHashtypeSignature
+ */
+Signature.prototype.hasDefinedHashtype = function () {
+  if (!JSUtil.isNaturalNumber(this.nhashtype)) {
+    return false
+  }
+  // accept with or without Signature.SIGHASH_ANYONECANPAY by ignoring the bit
+  var temp = this.nhashtype & 0x1F
+  if (temp < Signature.SIGHASH_ALL || temp > Signature.SIGHASH_SINGLE) {
+    return false
+  }
+  return true
+}
+
+Signature.prototype.toTxFormat = function () {
+  var derbuf = this.toDER()
+  var buf = Buffer.alloc(1)
+  buf.writeUInt8(this.nhashtype, 0)
+  return Buffer.concat([derbuf, buf])
+}
+
+Signature.SIGHASH_ALL = 0x01
+Signature.SIGHASH_NONE = 0x02
+Signature.SIGHASH_SINGLE = 0x03
+Signature.SIGHASH_FORKID = 0x40
+Signature.SIGHASH_ANYONECANPAY = 0x80
+
+// === SmartLedger Security Enhancement Methods ===
+
+/**
+ * Check if signature is canonical (s <= n/2) - SmartLedger security feature
+ */
+Signature.prototype.isCanonical = function () {
+  var Point = require('./point')
+  var nh = Point.getN().shrn(1) // n/2
+  return this.s.lte(nh)
+}
+
+/**
+ * Return canonicalized version of signature - SmartLedger security feature
+ */
+Signature.prototype.toCanonical = function () {
+  if (this.isCanonical()) {
+    return new Signature({ r: this.r, s: this.s, i: this.i, compressed: this.compressed, nhashtype: this.nhashtype })
+  }
+
+  var Point = require('./point')
+  var n = Point.getN()
+  var canonicalS = n.sub(this.s)
+
+  return new Signature({ r: this.r, s: canonicalS, i: this.i, compressed: this.compressed, nhashtype: this.nhashtype })
+}
+
+/**
+ * Validate signature parameters - SmartLedger security feature
+ */
+Signature.prototype.validate = function () {
+  if (!this.r || !this.s) {
+    throw new Error('Signature missing r or s component')
+  }
+
+  if (this.r.isZero()) {
+    throw new Error('Signature r component is zero')
+  }
+
+  if (this.s.isZero()) {
+    throw new Error('Signature s component is zero')
+  }
+
+  var Point = require('./point')
+  var n = Point.getN()
+
+  if (this.r.gte(n)) {
+    throw new Error('Signature r component >= curve order')
+  }
+
+  if (this.s.gte(n)) {
+    throw new Error('Signature s component >= curve order')
+  }
+
+  if (this.r.isNeg()) {
+    throw new Error('Signature r component is negative')
+  }
+
+  if (this.s.isNeg()) {
+    throw new Error('Signature s component is negative')
+  }
+
+  return true
+}
+
+/**
+ * Boolean signature validation - SmartLedger security feature
+ */
+Signature.prototype.isValid = function () {
+  try {
+    this.validate()
+    return true
+  } catch (e) {
+    return false
+  }
+}
+
+/**
+ * Apply SmartLedger security canonicalization - called during crypto operations
+ */
+Signature.prototype.applySecurityPatches = function () {
+  var Point = require('./point')
+  var n = Point.getN()
+  var nh = n.shrn(1) // n/2
+
+  // Security validation
+  if (this.r.isZero() || this.s.isZero()) {
+    throw new Error('Invalid signature: zero r or s')
+  }
+  if (this.r.gte(n) || this.s.gte(n)) {
+    throw new Error('Invalid signature: out of range')
+  }
+
+  // Canonicalize s value (anti-malleability)
+  if (this.s.gt(nh)) {
+    this.s = n.sub(this.s)
+  }
+
+  return this
+}
+
+module.exports = Signature

package/lib/crypto/smartledger_verify.js

@@ -0,0 +1,109 @@
+'use strict'
+
+/**
+ * SmartLedger Hardened Verification Module
+ * Provides secure ECDSA signature verification with malleability protection
+ */
+
+const BN = require('./bn')
+const Point = require('./point')
+const ECDSA = require('./ecdsa')
+
+// Cache curve constants for performance
+const n = Point.getN()
+const nh = n.shrn(1) // n / 2
+
+/**
+ * Hardened signature verification with canonicalization
+ * @param {Buffer} msgHash - 32-byte message hash
+ * @param {Signature} sig - Signature object with r,s components
+ * @param {PublicKey} pubkey - Public key for verification
+ * @returns {boolean} - true if signature is valid and canonical
+ */
+function smartVerify (msgHash, sig, pubkey) {
+  // Strict input validation
+  if (!Buffer.isBuffer(msgHash) || msgHash.length !== 32) {
+    throw new Error('Invalid message hash: must be 32-byte buffer')
+  }
+
+  if (!sig || !sig.r || !sig.s) {
+    return false
+  }
+
+  // Ensure r and s are BN instances
+  const r = BN.isBN(sig.r) ? sig.r : new BN(sig.r)
+  const s = BN.isBN(sig.s) ? sig.s : new BN(sig.s)
+
+  // Reject zero values
+  if (r.isZero() || s.isZero()) {
+    return false
+  }
+
+  // Reject values >= n (curve order)
+  if (r.gte(n) || s.gte(n)) {
+    return false
+  }
+
+  // Canonicalize s to lower half (anti-malleability)
+  let canonicalS = s
+  if (s.gt(nh)) {
+    canonicalS = n.sub(s)
+  }
+
+  // Create canonicalized signature object
+  const canonicalSig = {
+    r: r,
+    s: canonicalS
+  }
+
+  // Use BSV's original ECDSA verify with canonical signature
+  return ECDSA.verify(msgHash, canonicalSig, pubkey)
+}
+
+/**
+ * Check if signature is in canonical form (s <= n/2)
+ * @param {Object} sig - Signature with r,s components
+ * @returns {boolean} - true if signature is canonical
+ */
+function isCanonical (sig) {
+  if (!sig || !sig.s) {
+    return false
+  }
+
+  const s = BN.isBN(sig.s) ? sig.s : new BN(sig.s)
+  return s.lte(nh)
+}
+
+/**
+ * Canonicalize signature to ensure s <= n/2
+ * @param {Object} sig - Signature object to canonicalize
+ * @returns {Object} - New signature object with canonical s
+ */
+function canonicalize (sig) {
+  if (!sig || !sig.r || !sig.s) {
+    throw new Error('Invalid signature object')
+  }
+
+  const r = BN.isBN(sig.r) ? sig.r : new BN(sig.r)
+  const s = BN.isBN(sig.s) ? sig.s : new BN(sig.s)
+
+  let canonicalS = s
+  if (s.gt(nh)) {
+    canonicalS = n.sub(s)
+  }
+
+  return {
+    r: r,
+    s: canonicalS
+  }
+}
+
+module.exports = {
+  smartVerify,
+  isCanonical,
+  canonicalize,
+  constants: {
+    n: n,
+    nh: nh
+  }
+}

package/lib/ecies/bitcore-ecies.js

@@ -0,0 +1,163 @@
+'use strict'
+
+var bsv = require('../../')
+
+var PublicKey = bsv.PublicKey
+var Hash = bsv.crypto.Hash
+var $ = bsv.util.preconditions
+var aesjs = require('aes-js')
+var CBC = aesjs.ModeOfOperation.cbc
+var Random = bsv.crypto.Random
+
+var AESCBC = function AESCBC () {}
+
+AESCBC.encrypt = function (messagebuf, cipherkeybuf, ivbuf) {
+  $.checkArgument(messagebuf)
+  $.checkArgument(cipherkeybuf)
+  $.checkArgument(ivbuf)
+  ivbuf = ivbuf || Random.getRandomBuffer(128 / 8)
+  messagebuf = aesjs.padding.pkcs7.pad(messagebuf)
+  var aesCbc = new CBC(cipherkeybuf, ivbuf)
+  var ctbuf = aesCbc.encrypt(messagebuf)
+  var encbuf = Buffer.concat([ivbuf, ctbuf])
+  return encbuf
+}
+
+AESCBC.decrypt = function (encbuf, cipherkeybuf) {
+  $.checkArgument(encbuf)
+  $.checkArgument(cipherkeybuf)
+  var ivbuf = encbuf.slice(0, 128 / 8)
+  var ctbuf = encbuf.slice(128 / 8)
+  var aesCbc = new CBC(cipherkeybuf, ivbuf)
+  var messagebuf = aesCbc.decrypt(ctbuf)
+  messagebuf = aesjs.padding.pkcs7.strip(messagebuf)
+  return Buffer.from(messagebuf)
+}
+
+// http://en.wikipedia.org/wiki/Integrated_Encryption_Scheme
+var ECIES = function ECIES (opts) {
+  if (!(this instanceof ECIES)) {
+    return new ECIES()
+  }
+  this.opts = opts || {}
+}
+
+ECIES.prototype.privateKey = function (privateKey) {
+  $.checkArgument(privateKey, 'no private key provided')
+
+  this._privateKey = privateKey || null
+
+  return this
+}
+
+ECIES.prototype.publicKey = function (publicKey) {
+  $.checkArgument(publicKey, 'no public key provided')
+
+  this._publicKey = publicKey || null
+
+  return this
+}
+
+var cachedProperty = function (name, getter) {
+  var cachedName = '_' + name
+  Object.defineProperty(ECIES.prototype, name, {
+    configurable: false,
+    enumerable: true,
+    get: function () {
+      var value = this[cachedName]
+      if (!value) {
+        value = this[cachedName] = getter.apply(this)
+      }
+      return value
+    }
+  })
+}
+
+cachedProperty('Rbuf', function () {
+  return this._privateKey.publicKey.toDER(true)
+})
+
+cachedProperty('kEkM', function () {
+  var r = this._privateKey.bn
+  var KB = this._publicKey.point
+  var P = KB.mul(r)
+  var S = P.getX()
+  var Sbuf = S.toBuffer({ size: 32 })
+  return Hash.sha512(Sbuf)
+})
+
+cachedProperty('kE', function () {
+  return this.kEkM.slice(0, 32)
+})
+
+cachedProperty('kM', function () {
+  return this.kEkM.slice(32, 64)
+})
+
+// Encrypts the message (String or Buffer).
+// Optional `ivbuf` contains 16-byte Buffer to be used in AES-CBC.
+// By default, `ivbuf` is computed deterministically from message and private key using HMAC-SHA256.
+// Deterministic IV enables end-to-end test vectors for alternative implementations.
+// Note that identical messages have identical ciphertexts. If your protocol does not include some
+// kind of a sequence identifier inside the message *and* it is important to not allow attacker to learn
+// that message is repeated, then you should use custom IV.
+// For random IV, pass `Random.getRandomBuffer(16)` for the second argument.
+ECIES.prototype.encrypt = function (message, ivbuf) {
+  if (!Buffer.isBuffer(message)) message = Buffer.from(message)
+  if (ivbuf === undefined) {
+    ivbuf = Hash.sha256hmac(message, this._privateKey.toBuffer()).slice(0, 16)
+  }
+  var c = AESCBC.encrypt(message, this.kE, ivbuf)
+  var d = Hash.sha256hmac(c, this.kM)
+  if (this.opts.shortTag) d = d.slice(0, 4)
+  var encbuf
+  if (this.opts.noKey) {
+    encbuf = Buffer.concat([c, d])
+  } else {
+    encbuf = Buffer.concat([this.Rbuf, c, d])
+  }
+  return encbuf
+}
+
+ECIES.prototype.decrypt = function (encbuf) {
+  $.checkArgument(encbuf)
+  var offset = 0
+  var tagLength = 32
+  if (this.opts.shortTag) {
+    tagLength = 4
+  }
+  if (!this.opts.noKey) {
+    var pub
+    switch (encbuf[0]) {
+      case 4:
+        pub = encbuf.slice(0, 65)
+        break
+      case 3:
+      case 2:
+        pub = encbuf.slice(0, 33)
+        break
+      default:
+        throw new Error('Invalid type: ' + encbuf[0])
+    }
+    this._publicKey = PublicKey.fromDER(pub)
+    offset += pub.length
+  }
+
+  var c = encbuf.slice(offset, encbuf.length - tagLength)
+  var d = encbuf.slice(encbuf.length - tagLength, encbuf.length)
+
+  var d2 = Hash.sha256hmac(c, this.kM)
+  if (this.opts.shortTag) d2 = d2.slice(0, 4)
+
+  var equal = true
+  for (var i = 0; i < d.length; i++) {
+    equal &= (d[i] === d2[i])
+  }
+  if (!equal) {
+    throw new Error('Invalid checksum')
+  }
+
+  return AESCBC.decrypt(c, this.kE)
+}
+
+module.exports = ECIES