This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

release/21.0.x: missing sign and verify methods #650

Closed
cc32d9 opened this issue Jan 17, 2020 · 4 comments

Comments


cc32d9 commented Jan 17, 2020

As release 21 eliminates the eosjs-ecc library, two important functions are missing: signing and verifying an arbitrary piece of data.

Using eosio-ecc, I could take a serialized private key and sign a blob of data, and export the signature in text or binary form. Also, I could load the signature from a 65-byte binary array and verify it against a public key and the data blob.

Now if I do the same, I need to replicate the conversion from serialized form into an elliptic object, and call its sign or verify methods. This creates code duplication and risk of incompatibility.

The eosjs library needs to export simple methods for signing and verifying an arbitrary blob of data. At the moment the Signature Provider object does it for transaction data directly, so there's no abstraction interface.

Author

cc32d9 commented Jan 21, 2020

Also, the old library provided a sha256 method, and the new one does not. eosjs-webauthn-sig.ts depends on SubtleCrypto, which is not available in nodejs.

@tbfleming
Contributor

nodejs doesn't have webauthn; it's a browser standard

Author

cc32d9 commented Jan 22, 2020

Yes, my point is that the old library provided methods for basic cryptography operations, compatible with both browser and nodejs, while the new one does not. Sha256 is not a big deal; changing to sha.js is easy. But ECC primitives need a convenience wrapper in order to avoid code duplication and hidden bugs. This, for example, should not be left to others to duplicate if you need to use an EOSIO key:

    const publicKey = PublicKey.fromString(key);
    const privKey = this.keys.get(convertLegacyPublicKey(key));
    let tries = 0;
    let sig: Signature;
    // Canonical test on the 65-byte signature: bytes 1-32 hold r, bytes 33-64 hold s
    const isCanonical = (sigData: Uint8Array) =>
        !(sigData[1] & 0x80) && !(sigData[1] === 0 && !(sigData[2] & 0x80))
        && !(sigData[33] & 0x80) && !(sigData[33] === 0 && !(sigData[34] & 0x80));

    // Re-sign with a different `pers` value until the signature is canonical
    do {
        const ellipticSig = privKey.sign(digest, { canonical: true, pers: [++tries] });
        sig = Signature.fromElliptic(ellipticSig, publicKey.getType());
    } while (!isCanonical(sig.toBinary()));

    signatures.push(sig.toString());
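
A sketch of the kind of sign/verify wrapper the comment above asks for, as an added example that is not part of the original thread or of eosjs. It assumes Node's built-in `crypto` module in place of `elliptic`; `signBlob` and `verifyBlob` are hypothetical names, the header byte is a placeholder, and the retry relies on Node's random ECDSA nonce instead of the `pers` option.

```javascript
// Added example: sign/verify an arbitrary blob on secp256k1 with Node's crypto.
const crypto = require('node:crypto');

// Same test as the isCanonical() quoted above, over the 65-byte layout
// [header | r (32 bytes) | s (32 bytes)].
function isCanonical(sigData) {
    return !(sigData[1] & 0x80) && !(sigData[1] === 0 && !(sigData[2] & 0x80))
        && !(sigData[33] & 0x80) && !(sigData[33] === 0 && !(sigData[34] & 0x80));
}

// Hypothetical wrapper: sign `data`, retrying until r and s pass isCanonical().
// Node's ECDSA nonce is random, so each retry yields a different signature;
// this stands in for the `pers: [++tries]` retry in the elliptic-based code.
function signBlob(privateKey, data, maxTries = 256) {
    for (let tries = 1; tries <= maxTries; tries++) {
        const rs = crypto.sign('sha256', data, { key: privateKey, dsaEncoding: 'ieee-p1363' });
        const sig = Buffer.concat([Buffer.from([0]), rs]); // header byte 0 is a placeholder
        if (isCanonical(sig)) return { sig, tries };
    }
    throw new Error('no canonical signature after ' + maxTries + ' tries');
}

// Hypothetical wrapper: reject malformed or non-canonical input, then verify r||s.
function verifyBlob(publicKey, data, sig) {
    if (sig.length !== 65 || !isCanonical(sig)) return false;
    return crypto.verify('sha256', data,
        { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig.subarray(1));
}

// Runs the round trip on a freshly generated key and a constructed sample blob.
function demo() {
    const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
    const blob = Buffer.from('constructed sample blob');
    const { sig } = signBlob(privateKey, blob);
    const tampered = Buffer.from(sig);
    tampered[1] |= 0x80; // force the high bit of r: no longer canonical
    return {
        length: sig.length,
        valid: verifyBlob(publicKey, blob, sig),
        wrongData: verifyBlob(publicKey, Buffer.from('other blob'), sig),
        nonCanonical: verifyBlob(publicKey, blob, tampered),
    };
}
```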

@bradlhart
Contributor

We've added a few methods to the current edge release and they will be included on the v21 release.

See #653
