smartledger-bsv 3.3.2 → 3.3.3

package/utilities/working-signature-demo.js

@@ -2,175 +2,173 @@
 
 /**
  * 🔧 BSV Working Script Validation Example
- * 
+ *
  * Creates a transaction with properly signed inputs that will pass
  * the BSV script interpreter validation.
  */
 
-const bsv = require('../index.js');
-const { acceptTransaction } = require('./miner-simulator');
-const { loadConfig } = require('./utxo-manager');
+const bsv = require('../index.js')
+const { acceptTransaction } = require('./miner-simulator')
+const { loadConfig } = require('./utxo-manager')
 
 /**
  * Create a properly signed transaction that should pass script validation
  */
-function createValidTransaction() {
-  console.log('🔧 Creating Valid BSV Transaction');
-  console.log('═'.repeat(80));
-  
+function createValidTransaction () {
+  console.log('🔧 Creating Valid BSV Transaction')
+  console.log('═'.repeat(80))
+
   try {
     // Load wallet config
-    const config = loadConfig();
-    const wallet = config.wallet;
-    const utxo = config.utxo;
-    
+    const config = loadConfig()
+    const wallet = config.wallet
+    const utxo = config.utxo
+
     // Create recipient
-    const recipientKey = new bsv.PrivateKey();
-    const recipientAddress = recipientKey.toAddress();
-    
-    console.log('📋 Transaction Details:');
-    console.log(`👛 From: ${wallet.address}`);
-    console.log(`🎯 To: ${recipientAddress}`);
-    console.log(`💰 Amount: 20,000 satoshis`);
-    console.log(`💳 UTXO: ${utxo.txid}:${utxo.vout} (${utxo.satoshis} sats)`);
-    
+    const recipientKey = new bsv.PrivateKey()
+    const recipientAddress = recipientKey.toAddress()
+
+    console.log('📋 Transaction Details:')
+    console.log(`👛 From: ${wallet.address}`)
+    console.log(`🎯 To: ${recipientAddress}`)
+    console.log(`💰 Amount: 20,000 satoshis`)
+    console.log(`💳 UTXO: ${utxo.txid}:${utxo.vout} (${utxo.satoshis} sats)`)
+
     // Create the transaction step by step
-    const tx = new bsv.Transaction();
-    
+    const tx = new bsv.Transaction()
+
     // Add input
     tx.from({
       txid: utxo.txid,
       vout: utxo.vout,
       scriptPubKey: utxo.script,
       satoshis: utxo.satoshis
-    });
-    
+    })
+
     // Add outputs
-    tx.to(recipientAddress, 20000);
-    tx.change(wallet.address);
-    tx.fee(1000);
-    
-    console.log('\n🔐 Signing transaction...');
-    console.log(`Private Key: ${wallet.privateKeyWIF}`);
-    console.log(`Input Script (before): ${tx.inputs[0].script ? tx.inputs[0].script.toHex() : 'empty'}`);
-    
+    tx.to(recipientAddress, 20000)
+    tx.change(wallet.address)
+    tx.fee(1000)
+
+    console.log('\n🔐 Signing transaction...')
+    console.log(`Private Key: ${wallet.privateKeyWIF}`)
+    console.log(`Input Script (before): ${tx.inputs[0].script ? tx.inputs[0].script.toHex() : 'empty'}`)
+
     // Sign with the correct private key and signature type
-    const privateKey = bsv.PrivateKey.fromWIF(wallet.privateKeyWIF);
-    
+    const privateKey = bsv.PrivateKey.fromWIF(wallet.privateKeyWIF)
+
     // Sign with SIGHASH_ALL | SIGHASH_FORKID
-    const sigType = bsv.crypto.Signature.SIGHASH_ALL | bsv.crypto.Signature.SIGHASH_FORKID;
-    tx.sign(privateKey, sigType);
-    
-    console.log(`Input Script (after): ${tx.inputs[0].script.toHex()}`);
-    console.log(`Script ASM: ${tx.inputs[0].script.toASM()}`);
-    
-    console.log('\n✅ Transaction signed successfully');
-    console.log(`🆔 Transaction ID: ${tx.id}`);
-    console.log(`📦 Raw Hex: ${tx.toString()}`);
-    
+    const sigType = bsv.crypto.Signature.SIGHASH_ALL | bsv.crypto.Signature.SIGHASH_FORKID
+    tx.sign(privateKey, sigType)
+
+    console.log(`Input Script (after): ${tx.inputs[0].script.toHex()}`)
+    console.log(`Script ASM: ${tx.inputs[0].script.toASM()}`)
+
+    console.log('\n✅ Transaction signed successfully')
+    console.log(`🆔 Transaction ID: ${tx.id}`)
+    console.log(`📦 Raw Hex: ${tx.toString()}`)
+
     // Verify the signature locally first
-    console.log('\n🔍 Local signature verification:');
+    console.log('\n🔍 Local signature verification:')
     try {
-      const verified = tx.verify();
-      console.log(`Local verification: ${verified ? '✅ VALID' : '❌ INVALID'}`);
+      const verified = tx.verify()
+      console.log(`Local verification: ${verified ? '✅ VALID' : '❌ INVALID'}`)
     } catch (error) {
-      console.log(`Local verification error: ${error.message}`);
+      console.log(`Local verification error: ${error.message}`)
     }
-    
-    return tx;
-    
+
+    return tx
   } catch (error) {
-    console.error('❌ Error creating transaction:', error.message);
-    return null;
+    console.error('❌ Error creating transaction:', error.message)
+    return null
   }
 }
 
 /**
  * Test the transaction with our miner
  */
-function testWithMiner() {
-  console.log('\n' + '═'.repeat(80));
-  console.log('🎯 Testing with BSV Script Interpreter Miner');
-  console.log('═'.repeat(80));
-  
-  const tx = createValidTransaction();
-  
+function testWithMiner () {
+  console.log('\n' + '═'.repeat(80))
+  console.log('🎯 Testing with BSV Script Interpreter Miner')
+  console.log('═'.repeat(80))
+
+  const tx = createValidTransaction()
+
   if (!tx) {
-    console.log('❌ Failed to create transaction');
-    return;
+    console.log('❌ Failed to create transaction')
+    return
   }
-  
+
   // Test with full script validation
-  console.log('\n📡 Sending to miner with full BSV script validation...');
-  const result = acceptTransaction(tx);
-  
+  console.log('\n📡 Sending to miner with full BSV script validation...')
+  const result = acceptTransaction(tx)
+
   if (result.accepted) {
-    console.log('\n🎉 SUCCESS! Transaction accepted by BSV script interpreter!');
-    console.log(`✅ TXID: ${result.txid}`);
+    console.log('\n🎉 SUCCESS! Transaction accepted by BSV script interpreter!')
+    console.log(`✅ TXID: ${result.txid}`)
   } else {
-    console.log('\n❌ Transaction rejected');
-    console.log('Errors:', result.errors);
+    console.log('\n❌ Transaction rejected')
+    console.log('Errors:', result.errors)
   }
-  
-  return result;
+
+  return result
 }
 
 /**
  * Debug signature creation process
  */
-function debugSignatureCreation() {
-  console.log('\n' + '═'.repeat(80));
-  console.log('🔍 Debugging Signature Creation');
-  console.log('═'.repeat(80));
-  
+function debugSignatureCreation () {
+  console.log('\n' + '═'.repeat(80))
+  console.log('🔍 Debugging Signature Creation')
+  console.log('═'.repeat(80))
+
   try {
-    const config = loadConfig();
-    const wallet = config.wallet;
-    const utxo = config.utxo;
-    
-    console.log('🔑 Wallet Info:');
-    console.log(`Address: ${wallet.address}`);
-    console.log(`Private Key: ${wallet.privateKeyWIF}`);
-    console.log(`Public Key: ${wallet.publicKey}`);
-    
-    console.log('\n💰 UTXO Info:');
-    console.log(`TXID: ${utxo.txid}`);
-    console.log(`Vout: ${utxo.vout}`);
-    console.log(`Value: ${utxo.satoshis} satoshis`);
-    console.log(`Script: ${utxo.script}`);
-    
+    const config = loadConfig()
+    const wallet = config.wallet
+    const utxo = config.utxo
+
+    console.log('🔑 Wallet Info:')
+    console.log(`Address: ${wallet.address}`)
+    console.log(`Private Key: ${wallet.privateKeyWIF}`)
+    console.log(`Public Key: ${wallet.publicKey}`)
+
+    console.log('\n💰 UTXO Info:')
+    console.log(`TXID: ${utxo.txid}`)
+    console.log(`Vout: ${utxo.vout}`)
+    console.log(`Value: ${utxo.satoshis} satoshis`)
+    console.log(`Script: ${utxo.script}`)
+
     // Parse the script
-    const script = bsv.Script.fromHex(utxo.script);
-    console.log(`Script ASM: ${script.toASM()}`);
-    
+    const script = bsv.Script.fromHex(utxo.script)
+    console.log(`Script ASM: ${script.toASM()}`)
+
     // Verify the address matches
-    const scriptAddress = script.toAddress();
-    console.log(`Script Address: ${scriptAddress}`);
-    console.log(`Wallet Address: ${wallet.address}`);
-    console.log(`Addresses match: ${scriptAddress.toString() === wallet.address ? '✅' : '❌'}`);
-    
+    const scriptAddress = script.toAddress()
+    console.log(`Script Address: ${scriptAddress}`)
+    console.log(`Wallet Address: ${wallet.address}`)
+    console.log(`Addresses match: ${scriptAddress.toString() === wallet.address ? '✅' : '❌'}`)
   } catch (error) {
-    console.error('❌ Debug error:', error.message);
+    console.error('❌ Debug error:', error.message)
   }
 }
 
 /**
  * Run all tests
  */
-function runTests() {
-  debugSignatureCreation();
-  const result = testWithMiner();
-  
+function runTests () {
+  debugSignatureCreation()
+  const result = testWithMiner()
+
   if (result && result.accepted) {
-    console.log('\n🎯 Perfect! The BSV script interpreter accepted our transaction!');
+    console.log('\n🎯 Perfect! The BSV script interpreter accepted our transaction!')
   } else {
-    console.log('\n🔧 Need to fix signature creation for script interpreter...');
+    console.log('\n🔧 Need to fix signature creation for script interpreter...')
   }
 }
 
 // Run tests if called directly
 if (require.main === module) {
-  runTests();
+  runTests()
 }
 
 module.exports = {
@@ -178,4 +176,4 @@ module.exports = {
   testWithMiner,
   debugSignatureCreation,
   runTests
-};
+}

package/SECURITY.md

@@ -1,75 +0,0 @@
-# Security Audit and Fixes
-
-## Summary
-
-This fork addresses critical elliptic curve cryptography vulnerabilities in BSV@1.5.6 while maintaining 100% API compatibility as a complete drop-in replacement.
-
-## Vulnerabilities Fixed
-
-### 1. Zero Parameter Signature Attack
-**CVE Context**: Signatures with r=0 or s=0 could bypass validation checks
-**Fix**: Enhanced `sigError()` method in `lib/crypto/ecdsa.js` to explicitly reject zero values
-**Test**: Verified in security validation suite
-
-### 2. Signature Malleability  
-**CVE Context**: High s values (s > n/2) allow multiple valid signatures for the same message
-**Fix**: Canonical signature enforcement in signature validation
-**Test**: High s values automatically converted to canonical form
-
-### 3. Range Validation
-**CVE Context**: Missing validation for parameters outside elliptic curve order
-**Fix**: Added bounds checking for r and s values against curve order n
-**Test**: Out-of-range parameters properly rejected
-
-## Implementation Details
-
-### Files Modified
-- `lib/crypto/ecdsa.js`: Enhanced signature error checking
-- `lib/crypto/signature.js`: Added security validation methods
-- `index.js`: Added SmartLedger security exports
-
-### Security Methods Added
-- `Signature.prototype.isCanonical()`: Check if s ≤ n/2
-- `Signature.prototype.validate()`: Comprehensive parameter validation
-- `Signature.prototype.toCanonical()`: Convert to canonical form
-- `SmartVerify.verifySignature()`: Enhanced strict verification
-
-### Compatibility Approach
-- Security validation only applied during cryptographic operations
-- Format validation preserved for backward compatibility
-- All original BSV tests continue to pass
-- No breaking changes to existing API
-
-## Test Results
-
-### Original BSV Test Suite
-- Signature tests: 41/41 passing
-- ECDSA tests: All core functionality verified
-- Full compatibility test: All BSV components accessible
-
-### Security Validation Tests
-- Zero r value rejection: ✅ PASS
-- Zero s value rejection: ✅ PASS  
-- High s canonicalization: ✅ PASS
-- Range validation: ✅ PASS
-- Strict mode validation: ✅ PASS
-
-## Security Validation Script
-
-Run comprehensive security tests:
-```bash
-node test_security.js
-```
-
-## Verification Steps
-
-1. **Install the package**: `npm install @smartledger/bsv`
-2. **Run compatibility tests**: `npm test`  
-3. **Run security validation**: `node test_security.js`
-4. **Verify drop-in replacement**: All existing BSV code works unchanged
-
-## Responsible Disclosure
-
-These security fixes address known vulnerabilities in elliptic curve signature validation. The fixes have been implemented with careful attention to maintaining backward compatibility while eliminating attack vectors.
-
-For security concerns or questions, please contact the SmartLedger team.

package/architecture_demo.js

@@ -1,247 +0,0 @@
-/**
- * SmartLedger-BSV Legal Token Protocol (LTP) - Primitives-Only Architecture Demo
- * 
- * This demonstrates the key architectural difference:
- * BEFORE: Library did blockchain publishing and storage
- * AFTER: Library provides preparation primitives, external systems handle publishing
- */
-
-const bsv = require('./index.js')
-
-console.log('🚀 SmartLedger-BSV LTP: Primitives-Only Architecture')
-console.log('==================================================\n')
-
-console.log('🔄 ARCHITECTURAL TRANSFORMATION DEMO')
-console.log('------------------------------------\n')
-
-// Demo keys and identities
-const issuerPrivateKey = new bsv.PrivateKey()
-const ownerDID = `did:bsv:${new bsv.PrivateKey().publicKey.toString()}`
-const obligorDID = `did:bsv:${new bsv.PrivateKey().publicKey.toString()}`
-
-console.log('📋 Participants:')
-console.log(`   Issuer DID: ${issuerPrivateKey.publicKey.toString()}`)
-console.log(`   Owner DID: ${ownerDID}`)
-console.log(`   Obligor DID: ${obligorDID}\n`)
-
-/**
- * DEMONSTRATE CLAIM VALIDATION PRIMITIVES
- */
-console.log('1️⃣ CLAIM VALIDATION - Primitives Only')
-console.log('=====================================')
-
-const propertyClaimData = {
-  type: 'PropertyTitle',
-  property: {
-    address: '123 Blockchain Street',
-    parcel_id: 'BLK-2024-001',
-    property_type: 'residential'
-  },
-  owner: ownerDID
-}
-
-// Get available schemas (unchanged utility)
-const availableSchemas = bsv.getClaimSchemaNames()
-console.log('📚 Available claim schemas:', availableSchemas.join(', '))
-
-// Create claim template (utility function)
-const claimTemplate = bsv.createClaimTemplate('PropertyTitle')
-console.log('📋 Claim template structure:')
-console.log('   Required fields:', Object.keys(claimTemplate.properties).slice(0, 3).join(', '), '...')
-
-console.log('\n🔧 PRIMITIVES-ONLY APPROACH:')
-console.log('   ✅ Library validates claim structure')
-console.log('   ✅ Library provides canonicalization')
-console.log('   ✅ Library generates claim hash')
-console.log('   ❌ Library does NOT store claims')
-console.log('   ❌ Library does NOT publish to blockchain')
-
-// Demonstrate claim processing primitives
-const claimHash = bsv.hashClaim(propertyClaimData)
-const canonicalClaim = bsv.canonicalizeClaim(propertyClaimData)
-
-console.log('📊 Claim processing results:')
-console.log(`   Claim Hash: ${claimHash}`)
-console.log(`   Canonical Form: ${canonicalClaim.length} bytes`)
-console.log('')
-
-/**
- * DEMONSTRATE RIGHT TOKEN PRIMITIVES
- */
-console.log('2️⃣ RIGHT TOKEN - Preparation Primitives')
-console.log('=======================================')
-
-console.log('🔧 PRIMITIVES-ONLY APPROACH:')
-
-// Get available right types
-const rightTypes = bsv.getRightTypes()
-console.log('⚖️ Available right types:', Object.keys(rightTypes).slice(0, 4).join(', '), '...')
-
-// Prepare right token (doesn't create, just prepares structure)
-try {
-  const rightTokenPrep = bsv.prepareRightToken(
-    'PROPERTY_OWNERSHIP',
-    `did:bsv:${issuerPrivateKey.publicKey.toString()}`,
-    ownerDID,
-    propertyClaimData,
-    issuerPrivateKey,
-    {
-      jurisdiction: 'demo_jurisdiction',
-      validUntil: '2034-01-15'
-    }
-  )
-
-  console.log('🏠 Right token prepared:')
-  console.log(`   Token ID: ${rightTokenPrep.tokenId}`)
-  console.log(`   Right Type: ${rightTokenPrep.rightType}`)
-  console.log(`   Valid Until: ${rightTokenPrep.validUntil}`)
-  console.log(`   Jurisdiction: ${rightTokenPrep.jurisdiction}`)
-
-  // Prepare verification data
-  const verificationPrep = bsv.prepareRightTokenVerification(rightTokenPrep.token)
-  console.log(`   Verification Ready: ${verificationPrep.isValid ? 'YES' : 'NO'}`)
-
-  console.log('\n   ✅ Library prepares token structure')
-  console.log('   ✅ Library validates token format')
-  console.log('   ✅ Library signs token data')
-  console.log('   ❌ Library does NOT publish to blockchain')
-  console.log('   ❌ Library does NOT store in registry')
-
-} catch (error) {
-  console.log('⚠️ Right token preparation demo skipped (module loading)')
-  console.log('   Expected: Token preparation without blockchain publishing')
-}
-
-console.log('')
-
-/**
- * DEMONSTRATE OBLIGATION PRIMITIVES
- */
-console.log('3️⃣ OBLIGATION TOKEN - Management Primitives')
-console.log('===========================================')
-
-console.log('🔧 PRIMITIVES-ONLY APPROACH:')
-
-// Get obligation types and statuses
-try {
-  const obligationTypes = bsv.getObligationTypes()
-  const obligationStatuses = bsv.getObligationStatus()
-  
-  console.log('📊 Obligation framework:')
-  console.log(`   Types available: ${Object.keys(obligationTypes).length}`)
-  console.log(`   Status options: ${Object.keys(obligationStatuses).length}`)
-  console.log(`   Priority levels: ${Object.keys(bsv.getObligationPriority()).length}`)
-
-  console.log('\n   ✅ Library prepares obligation tokens')
-  console.log('   ✅ Library validates fulfillment data')
-  console.log('   ✅ Library tracks obligation status')
-  console.log('   ❌ Library does NOT execute payments')
-  console.log('   ❌ Library does NOT enforce obligations')
-
-} catch (error) {
-  console.log('⚠️ Obligation demo skipped (module loading)')
-  console.log('   Expected: Obligation management without execution')
-}
-
-console.log('')
-
-/**
- * DEMONSTRATE REGISTRY PRIMITIVES
- */
-console.log('4️⃣ REGISTRY MANAGEMENT - Preparation Primitives')
-console.log('===============================================')
-
-console.log('🔧 PRIMITIVES-ONLY APPROACH:')
-console.log('   ✅ Library prepares registry data structures')
-console.log('   ✅ Library formats token registration data')
-console.log('   ✅ Library validates registry queries')
-console.log('   ❌ Library does NOT store registry data')
-console.log('   ❌ Library does NOT manage database connections')
-
-// Simulate registry preparation
-console.log('📝 Registry operations prepared:')
-console.log('   • Token registration data formatted')
-console.log('   • Search query structure validated')
-console.log('   • Audit log format prepared')
-console.log('   • Statistics query template ready')
-console.log('')
-
-/**
- * DEMONSTRATE BLOCKCHAIN ANCHORING PRIMITIVES
- */
-console.log('5️⃣ BLOCKCHAIN ANCHORING - Commitment Primitives')
-console.log('===============================================')
-
-console.log('🔧 PRIMITIVES-ONLY APPROACH:')
-console.log('   ✅ Library prepares commitment hashes')
-console.log('   ✅ Library creates merkle tree structures')
-console.log('   ✅ Library validates anchor proofs')
-console.log('   ❌ Library does NOT publish transactions')
-console.log('   ❌ Library does NOT manage wallet keys')
-
-// Simulate anchor preparation
-console.log('⛓️ Blockchain operations prepared:')
-console.log('   • Token commitment hash: ready for transaction')
-console.log('   • Batch merkle root: ready for efficient anchoring')
-console.log('   • Verification proof: ready for anchor validation')
-console.log('   • Revocation format: ready for token cancellation')
-console.log('')
-
-/**
- * SUMMARY OF ARCHITECTURAL BENEFITS
- */
-console.log('🎯 PRIMITIVES-ONLY ARCHITECTURE BENEFITS')
-console.log('========================================')
-console.log('')
-console.log('🏗️ SEPARATION OF CONCERNS:')
-console.log('   📚 SmartLedger-BSV: Foundation library with crypto primitives')
-console.log('   🔧 External Apps: Handle UI, storage, and blockchain publishing')
-console.log('   ⚖️ Legal Framework: Validated structure and compliance tools')
-console.log('')
-console.log('💪 DEVELOPER BENEFITS:')
-console.log('   • Maximum flexibility in implementation choices')
-console.log('   • No vendor lock-in to specific platforms or blockchains')
-console.log('   • Clean separation between crypto/legal logic and app logic')
-console.log('   • Easy integration with existing systems and workflows')
-console.log('')
-console.log('⚡ LIBRARY ADVANTAGES:')
-console.log('   • Focused on what it does best: cryptography and validation')
-console.log('   • Smaller footprint and fewer dependencies')
-console.log('   • More predictable behavior and easier testing')
-console.log('   • Clear API boundaries and responsibilities')
-console.log('')
-console.log('🔗 INTEGRATION PATTERN:')
-console.log('   1. Use SmartLedger-BSV to prepare and validate legal tokens')
-console.log('   2. Use external systems for blockchain publishing')
-console.log('   3. Use external systems for storage and registries') 
-console.log('   4. Use external systems for user interfaces and workflows')
-console.log('')
-console.log('🚀 RESULT: Complete foundation for any Legal Token Protocol')
-console.log('   application while maintaining architectural flexibility!')
-
-/**
- * SHOW EXAMPLE EXTERNAL SYSTEM INTEGRATION
- */
-console.log('')
-console.log('📋 EXAMPLE: How External Systems Would Use These Primitives')
-console.log('=========================================================')
-console.log('')
-console.log('// External Application Code Example:')
-console.log('const bsv = require("smartledger-bsv")')
-console.log('const MyBlockchainAPI = require("my-blockchain-service")')
-console.log('const MyStorage = require("my-database-service")')
-console.log('')
-console.log('// 1. Use SmartLedger-BSV to prepare legal token')
-console.log('const tokenPrep = bsv.prepareRightToken(...)')
-console.log('')
-console.log('// 2. Use external service to publish to blockchain')
-console.log('const txResult = await MyBlockchainAPI.publish(tokenPrep.commitment)')
-console.log('')
-console.log('// 3. Use external service to store token data')
-console.log('const storeResult = await MyStorage.save(tokenPrep.token)')
-console.log('')
-console.log('// 4. Use SmartLedger-BSV to verify results')
-console.log('const verification = bsv.verifyTokenAnchor(token, txResult.txid)')
-console.log('')
-console.log('This pattern gives developers complete control while ensuring')
-console.log('cryptographic and legal correctness through SmartLedger-BSV!')