-
Notifications
You must be signed in to change notification settings - Fork 2.1k
/
crypto.js
161 lines (125 loc) · 5.23 KB
/
crypto.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
/* global describe, it */
var assert = require('assert')
var async = require('async')
var bigi = require('bigi')
var bitcoin = require('../../')
var mainnet = require('./_mainnet')
var crypto = require('crypto')
var ecurve = require('ecurve')
var secp256k1 = ecurve.getCurveByName('secp256k1')
describe('bitcoinjs-lib (crypto)', function () {
it('can recover a private key from duplicate R values', function (done) {
this.timeout(30000)
var inputs = [
{
txId: 'f4c16475f2a6e9c602e4a287f9db3040e319eb9ece74761a4b84bc820fbeef50',
vout: 0
},
{
txId: 'f4c16475f2a6e9c602e4a287f9db3040e319eb9ece74761a4b84bc820fbeef50',
vout: 1
}
]
var txIds = inputs.map(function (x) { return x.txId })
// first retrieve the relevant transactions
mainnet.transactions.get(txIds, function (err, results) {
assert.ifError(err)
var transactions = {}
results.forEach(function (tx) {
transactions[tx.txId] = bitcoin.Transaction.fromHex(tx.txHex)
})
var tasks = []
// now we need to collect/transform a bit of data from the selected inputs
inputs.forEach(function (input) {
var transaction = transactions[input.txId]
var script = transaction.ins[input.vout].script
var scriptChunks = bitcoin.script.decompile(script)
assert(bitcoin.script.pubKeyHash.input.check(scriptChunks), 'Expected pubKeyHash script')
var prevOutTxId = Buffer.from(transaction.ins[input.vout].hash).reverse().toString('hex')
var prevVout = transaction.ins[input.vout].index
tasks.push(function (callback) {
mainnet.transactions.get(prevOutTxId, function (err, result) {
if (err) return callback(err)
var prevOut = bitcoin.Transaction.fromHex(result.txHex)
var prevOutScript = prevOut.outs[prevVout].script
var scriptSignature = bitcoin.ECSignature.parseScriptSignature(scriptChunks[0])
var publicKey = bitcoin.ECPair.fromPublicKeyBuffer(scriptChunks[1])
var m = transaction.hashForSignature(input.vout, prevOutScript, scriptSignature.hashType)
assert(publicKey.verify(m, scriptSignature.signature), 'Invalid m')
// store the required information
input.signature = scriptSignature.signature
input.z = bigi.fromBuffer(m)
return callback()
})
})
})
// finally, run the tasks, then on to the math
async.parallel(tasks, function (err) {
if (err) throw err
var n = secp256k1.n
for (var i = 0; i < inputs.length; ++i) {
for (var j = i + 1; j < inputs.length; ++j) {
var inputA = inputs[i]
var inputB = inputs[j]
// enforce matching r values
assert.strictEqual(inputA.signature.r.toString(), inputB.signature.r.toString())
var r = inputA.signature.r
var rInv = r.modInverse(n)
var s1 = inputA.signature.s
var s2 = inputB.signature.s
var z1 = inputA.z
var z2 = inputB.z
var zz = z1.subtract(z2).mod(n)
var ss = s1.subtract(s2).mod(n)
// k = (z1 - z2) / (s1 - s2)
// d1 = (s1 * k - z1) / r
// d2 = (s2 * k - z2) / r
var k = zz.multiply(ss.modInverse(n)).mod(n)
var d1 = ((s1.multiply(k).mod(n)).subtract(z1).mod(n)).multiply(rInv).mod(n)
var d2 = ((s2.multiply(k).mod(n)).subtract(z2).mod(n)).multiply(rInv).mod(n)
// enforce matching private keys
assert.strictEqual(d1.toString(), d2.toString())
}
}
done()
})
})
})
it('can recover a BIP32 parent private key from the parent public key, and a derived, non-hardened child private key', function () {
function recoverParent (master, child) {
assert(!master.keyPair.d, 'You already have the parent private key')
assert(child.keyPair.d, 'Missing child private key')
var curve = secp256k1
var QP = master.keyPair.Q
var serQP = master.keyPair.getPublicKeyBuffer()
var d1 = child.keyPair.d
var d2
var data = Buffer.alloc(37)
serQP.copy(data, 0)
// search index space until we find it
for (var i = 0; i < bitcoin.HDNode.HIGHEST_BIT; ++i) {
data.writeUInt32BE(i, 33)
// calculate I
var I = crypto.createHmac('sha512', master.chainCode).update(data).digest()
var IL = I.slice(0, 32)
var pIL = bigi.fromBuffer(IL)
// See hdnode.js:273 to understand
d2 = d1.subtract(pIL).mod(curve.n)
var Qp = new bitcoin.ECPair(d2).Q
if (Qp.equals(QP)) break
}
var node = new bitcoin.HDNode(new bitcoin.ECPair(d2), master.chainCode, master.network)
node.depth = master.depth
node.index = master.index
node.masterFingerprint = master.masterFingerprint
return node
}
var seed = crypto.randomBytes(32)
var master = bitcoin.HDNode.fromSeedBuffer(seed)
var child = master.derive(6) // m/6
// now for the recovery
var neuteredMaster = master.neutered()
var recovered = recoverParent(neuteredMaster, child)
assert.strictEqual(recovered.toBase58(), master.toBase58())
})
})