{"ast":null,"code":"'use strict';\n\nvar BN = require('bn.js');\n\nvar HmacDRBG = require('hmac-drbg');\n\nvar utils = require('../utils');\n\nvar curves = require('../curves');\n\nvar rand = require('brorand');\n\nvar assert = utils.assert;\n\nvar KeyPair = require('./key');\n\nvar Signature = require('./signature');\n\nfunction EC(options) {\n if (!(this instanceof EC)) return new EC(options); // Shortcut `elliptic.ec(curve-name)`\n\n if (typeof options === 'string') {\n assert(Object.prototype.hasOwnProperty.call(curves, options), 'Unknown curve ' + options);\n options = curves[options];\n } // Shortcut for `elliptic.ec(elliptic.curves.curveName)`\n\n\n if (options instanceof curves.PresetCurve) options = {\n curve: options\n };\n this.curve = options.curve.curve;\n this.n = this.curve.n;\n this.nh = this.n.ushrn(1);\n this.g = this.curve.g; // Point on curve\n\n this.g = options.curve.g;\n this.g.precompute(options.curve.n.bitLength() + 1); // Hash for function for DRBG\n\n this.hash = options.hash || options.curve.hash;\n}\n\nmodule.exports = EC;\n\nEC.prototype.keyPair = function keyPair(options) {\n return new KeyPair(this, options);\n};\n\nEC.prototype.keyFromPrivate = function keyFromPrivate(priv, enc) {\n return KeyPair.fromPrivate(this, priv, enc);\n};\n\nEC.prototype.keyFromPublic = function keyFromPublic(pub, enc) {\n return KeyPair.fromPublic(this, pub, enc);\n};\n\nEC.prototype.genKeyPair = function genKeyPair(options) {\n if (!options) options = {}; // Instantiate Hmac_DRBG\n\n var drbg = new HmacDRBG({\n hash: this.hash,\n pers: options.pers,\n persEnc: options.persEnc || 'utf8',\n entropy: options.entropy || rand(this.hash.hmacStrength),\n entropyEnc: options.entropy && options.entropyEnc || 'utf8',\n nonce: this.n.toArray()\n });\n var bytes = this.n.byteLength();\n var ns2 = this.n.sub(new BN(2));\n\n for (;;) {\n var priv = new BN(drbg.generate(bytes));\n if (priv.cmp(ns2) > 0) continue;\n priv.iaddn(1);\n return this.keyFromPrivate(priv);\n 
}\n};\n\nEC.prototype._truncateToN = function _truncateToN(msg, truncOnly) {\n var delta = msg.byteLength() * 8 - this.n.bitLength();\n if (delta > 0) msg = msg.ushrn(delta);\n if (!truncOnly && msg.cmp(this.n) >= 0) return msg.sub(this.n);else return msg;\n};\n\nEC.prototype.sign = function sign(msg, key, enc, options) {\n if (typeof enc === 'object') {\n options = enc;\n enc = null;\n }\n\n if (!options) options = {};\n key = this.keyFromPrivate(key, enc);\n msg = this._truncateToN(new BN(msg, 16)); // Zero-extend key to provide enough entropy\n\n var bytes = this.n.byteLength();\n var bkey = key.getPrivate().toArray('be', bytes); // Zero-extend nonce to have the same byte size as N\n\n var nonce = msg.toArray('be', bytes); // Instantiate Hmac_DRBG\n\n var drbg = new HmacDRBG({\n hash: this.hash,\n entropy: bkey,\n nonce: nonce,\n pers: options.pers,\n persEnc: options.persEnc || 'utf8'\n }); // Number of bytes to generate\n\n var ns1 = this.n.sub(new BN(1));\n\n for (var iter = 0;; iter++) {\n var k = options.k ? options.k(iter) : new BN(drbg.generate(this.n.byteLength()));\n k = this._truncateToN(k, true);\n if (k.cmpn(1) <= 0 || k.cmp(ns1) >= 0) continue;\n var kp = this.g.mul(k);\n if (kp.isInfinity()) continue;\n var kpX = kp.getX();\n var r = kpX.umod(this.n);\n if (r.cmpn(0) === 0) continue;\n var s = k.invm(this.n).mul(r.mul(key.getPrivate()).iadd(msg));\n s = s.umod(this.n);\n if (s.cmpn(0) === 0) continue;\n var recoveryParam = (kp.getY().isOdd() ? 1 : 0) | (kpX.cmp(r) !== 0 ? 
2 : 0); // Use complement of `s`, if it is > `n / 2`\n\n if (options.canonical && s.cmp(this.nh) > 0) {\n s = this.n.sub(s);\n recoveryParam ^= 1;\n }\n\n return new Signature({\n r: r,\n s: s,\n recoveryParam: recoveryParam\n });\n }\n};\n\nEC.prototype.verify = function verify(msg, signature, key, enc) {\n msg = this._truncateToN(new BN(msg, 16));\n key = this.keyFromPublic(key, enc);\n signature = new Signature(signature, 'hex'); // Perform primitive values validation\n\n var r = signature.r;\n var s = signature.s;\n if (r.cmpn(1) < 0 || r.cmp(this.n) >= 0) return false;\n if (s.cmpn(1) < 0 || s.cmp(this.n) >= 0) return false; // Validate signature\n\n var sinv = s.invm(this.n);\n var u1 = sinv.mul(msg).umod(this.n);\n var u2 = sinv.mul(r).umod(this.n);\n var p;\n\n if (!this.curve._maxwellTrick) {\n p = this.g.mulAdd(u1, key.getPublic(), u2);\n if (p.isInfinity()) return false;\n return p.getX().umod(this.n).cmp(r) === 0;\n } // NOTE: Greg Maxwell's trick, inspired by:\n // https://git.io/vad3K\n\n\n p = this.g.jmulAdd(u1, key.getPublic(), u2);\n if (p.isInfinity()) return false; // Compare `p.x` of Jacobian point with `r`,\n // this will do `p.x == r * p.z^2` instead of multiplying `p.x` by the\n // inverse of `p.z^2`\n\n return p.eqXToP(r);\n};\n\nEC.prototype.recoverPubKey = function (msg, signature, j, enc) {\n assert((3 & j) === j, 'The recovery param is more than two bits');\n signature = new Signature(signature, enc);\n var n = this.n;\n var e = new BN(msg);\n var r = signature.r;\n var s = signature.s; // A set LSB signifies that the y-coordinate is odd\n\n var isYOdd = j & 1;\n var isSecondKey = j >> 1;\n if (r.cmp(this.curve.p.umod(this.curve.n)) >= 0 && isSecondKey) throw new Error('Unable to find sencond key candinate'); // 1.1. 
Let x = r + jn.\n\n if (isSecondKey) r = this.curve.pointFromX(r.add(this.curve.n), isYOdd);else r = this.curve.pointFromX(r, isYOdd);\n var rInv = signature.r.invm(n);\n var s1 = n.sub(e).mul(rInv).umod(n);\n var s2 = s.mul(rInv).umod(n); // 1.6.1 Compute Q = r^-1 (sR - eG)\n // Q = r^-1 (sR + -eG)\n\n return this.g.mulAdd(s1, r, s2);\n};\n\nEC.prototype.getKeyRecoveryParam = function (e, signature, Q, enc) {\n signature = new Signature(signature, enc);\n if (signature.recoveryParam !== null) return signature.recoveryParam;\n\n for (var i = 0; i < 4; i++) {\n var Qprime;\n\n try {\n Qprime = this.recoverPubKey(e, signature, i);\n } catch (e) {\n continue;\n }\n\n if (Qprime.eq(Q)) return i;\n }\n\n throw new Error('Unable to find valid recovery factor');\n};","map":{"version":3,"sources":["/Users/tylerkoenig/Code/personal/react-scss2/node_modules/elliptic/lib/elliptic/ec/index.js"],"names":["BN","require","HmacDRBG","utils","curves","rand","assert","KeyPair","Signature","EC","options","Object","prototype","hasOwnProperty","call","PresetCurve","curve","n","nh","ushrn","g","precompute","bitLength","hash","module","exports","keyPair","keyFromPrivate","priv","enc","fromPrivate","keyFromPublic","pub","fromPublic","genKeyPair","drbg","pers","persEnc","entropy","hmacStrength","entropyEnc","nonce","toArray","bytes","byteLength","ns2","sub","generate","cmp","iaddn","_truncateToN","msg","truncOnly","delta","sign","key","bkey","getPrivate","ns1","iter","k","cmpn","kp","mul","isInfinity","kpX","getX","r","umod","s","invm","iadd","recoveryParam","getY","isOdd","canonical","verify","signature","sinv","u1","u2","p","_maxwellTrick","mulAdd","getPublic","jmulAdd","eqXToP","recoverPubKey","j","e","isYOdd","isSecondKey","Error","pointFromX","add","rInv","s1","s2","getKeyRecoveryParam","Q","i","Qprime","eq"],"mappings":"AAAA;;AAEA,IAAIA,EAAE,GAAGC,OAAO,CAAC,OAAD,CAAhB;;AACA,IAAIC,QAAQ,GAAGD,OAAO,CAAC,WAAD,CAAtB;;AACA,IAAIE,KAAK,GAAGF,OAAO,CAAC,UAAD,CAAnB;;AACA,IAAIG,MAAM,GAAGH,OAAO,CA
AC,WAAD,CAApB;;AACA,IAAII,IAAI,GAAGJ,OAAO,CAAC,SAAD,CAAlB;;AACA,IAAIK,MAAM,GAAGH,KAAK,CAACG,MAAnB;;AAEA,IAAIC,OAAO,GAAGN,OAAO,CAAC,OAAD,CAArB;;AACA,IAAIO,SAAS,GAAGP,OAAO,CAAC,aAAD,CAAvB;;AAEA,SAASQ,EAAT,CAAYC,OAAZ,EAAqB;AACnB,MAAI,EAAE,gBAAgBD,EAAlB,CAAJ,EACE,OAAO,IAAIA,EAAJ,CAAOC,OAAP,CAAP,CAFiB,CAInB;;AACA,MAAI,OAAOA,OAAP,KAAmB,QAAvB,EAAiC;AAC/BJ,IAAAA,MAAM,CAACK,MAAM,CAACC,SAAP,CAAiBC,cAAjB,CAAgCC,IAAhC,CAAqCV,MAArC,EAA6CM,OAA7C,CAAD,EACJ,mBAAmBA,OADf,CAAN;AAGAA,IAAAA,OAAO,GAAGN,MAAM,CAACM,OAAD,CAAhB;AACD,GAVkB,CAYnB;;;AACA,MAAIA,OAAO,YAAYN,MAAM,CAACW,WAA9B,EACEL,OAAO,GAAG;AAAEM,IAAAA,KAAK,EAAEN;AAAT,GAAV;AAEF,OAAKM,KAAL,GAAaN,OAAO,CAACM,KAAR,CAAcA,KAA3B;AACA,OAAKC,CAAL,GAAS,KAAKD,KAAL,CAAWC,CAApB;AACA,OAAKC,EAAL,GAAU,KAAKD,CAAL,CAAOE,KAAP,CAAa,CAAb,CAAV;AACA,OAAKC,CAAL,GAAS,KAAKJ,KAAL,CAAWI,CAApB,CAnBmB,CAqBnB;;AACA,OAAKA,CAAL,GAASV,OAAO,CAACM,KAAR,CAAcI,CAAvB;AACA,OAAKA,CAAL,CAAOC,UAAP,CAAkBX,OAAO,CAACM,KAAR,CAAcC,CAAd,CAAgBK,SAAhB,KAA8B,CAAhD,EAvBmB,CAyBnB;;AACA,OAAKC,IAAL,GAAYb,OAAO,CAACa,IAAR,IAAgBb,OAAO,CAACM,KAAR,CAAcO,IAA1C;AACD;;AACDC,MAAM,CAACC,OAAP,GAAiBhB,EAAjB;;AAEAA,EAAE,CAACG,SAAH,CAAac,OAAb,GAAuB,SAASA,OAAT,CAAiBhB,OAAjB,EAA0B;AAC/C,SAAO,IAAIH,OAAJ,CAAY,IAAZ,EAAkBG,OAAlB,CAAP;AACD,CAFD;;AAIAD,EAAE,CAACG,SAAH,CAAae,cAAb,GAA8B,SAASA,cAAT,CAAwBC,IAAxB,EAA8BC,GAA9B,EAAmC;AAC/D,SAAOtB,OAAO,CAACuB,WAAR,CAAoB,IAApB,EAA0BF,IAA1B,EAAgCC,GAAhC,CAAP;AACD,CAFD;;AAIApB,EAAE,CAACG,SAAH,CAAamB,aAAb,GAA6B,SAASA,aAAT,CAAuBC,GAAvB,EAA4BH,GAA5B,EAAiC;AAC5D,SAAOtB,OAAO,CAAC0B,UAAR,CAAmB,IAAnB,EAAyBD,GAAzB,EAA8BH,GAA9B,CAAP;AACD,CAFD;;AAIApB,EAAE,CAACG,SAAH,CAAasB,UAAb,GAA0B,SAASA,UAAT,CAAoBxB,OAApB,EAA6B;AACrD,MAAI,CAACA,OAAL,EACEA,OAAO,GAAG,EAAV,CAFmD,CAIrD;;AACA,MAAIyB,IAAI,GAAG,IAAIjC,QAAJ,CAAa;AACtBqB,IAAAA,IAAI,EAAE,KAAKA,IADW;AAEtBa,IAAAA,IAAI,EAAE1B,OAAO,CAAC0B,IAFQ;AAGtBC,IAAAA,OAAO,EAAE3B,OAAO,CAAC2B,OAAR,IAAmB,MAHN;AAItBC,IAAAA,OAAO,EAAE5B,OAAO,CAAC4B,OAAR,IAAmBjC,IAAI,CAAC,KAAKkB,IAAL,CAAUgB,YAAX,CAJV;AAKtBC,IAAAA,UAAU,EAAE9B,OAAO,CAAC4B,OAAR,IAAmB5B,OAAO,
CAAC8B,UAA3B,IAAyC,MAL/B;AAMtBC,IAAAA,KAAK,EAAE,KAAKxB,CAAL,CAAOyB,OAAP;AANe,GAAb,CAAX;AASA,MAAIC,KAAK,GAAG,KAAK1B,CAAL,CAAO2B,UAAP,EAAZ;AACA,MAAIC,GAAG,GAAG,KAAK5B,CAAL,CAAO6B,GAAP,CAAW,IAAI9C,EAAJ,CAAO,CAAP,CAAX,CAAV;;AACA,WAAS;AACP,QAAI4B,IAAI,GAAG,IAAI5B,EAAJ,CAAOmC,IAAI,CAACY,QAAL,CAAcJ,KAAd,CAAP,CAAX;AACA,QAAIf,IAAI,CAACoB,GAAL,CAASH,GAAT,IAAgB,CAApB,EACE;AAEFjB,IAAAA,IAAI,CAACqB,KAAL,CAAW,CAAX;AACA,WAAO,KAAKtB,cAAL,CAAoBC,IAApB,CAAP;AACD;AACF,CAxBD;;AA0BAnB,EAAE,CAACG,SAAH,CAAasC,YAAb,GAA4B,SAASA,YAAT,CAAsBC,GAAtB,EAA2BC,SAA3B,EAAsC;AAChE,MAAIC,KAAK,GAAGF,GAAG,CAACP,UAAJ,KAAmB,CAAnB,GAAuB,KAAK3B,CAAL,CAAOK,SAAP,EAAnC;AACA,MAAI+B,KAAK,GAAG,CAAZ,EACEF,GAAG,GAAGA,GAAG,CAAChC,KAAJ,CAAUkC,KAAV,CAAN;AACF,MAAI,CAACD,SAAD,IAAcD,GAAG,CAACH,GAAJ,CAAQ,KAAK/B,CAAb,KAAmB,CAArC,EACE,OAAOkC,GAAG,CAACL,GAAJ,CAAQ,KAAK7B,CAAb,CAAP,CADF,KAGE,OAAOkC,GAAP;AACH,CARD;;AAUA1C,EAAE,CAACG,SAAH,CAAa0C,IAAb,GAAoB,SAASA,IAAT,CAAcH,GAAd,EAAmBI,GAAnB,EAAwB1B,GAAxB,EAA6BnB,OAA7B,EAAsC;AACxD,MAAI,OAAOmB,GAAP,KAAe,QAAnB,EAA6B;AAC3BnB,IAAAA,OAAO,GAAGmB,GAAV;AACAA,IAAAA,GAAG,GAAG,IAAN;AACD;;AACD,MAAI,CAACnB,OAAL,EACEA,OAAO,GAAG,EAAV;AAEF6C,EAAAA,GAAG,GAAG,KAAK5B,cAAL,CAAoB4B,GAApB,EAAyB1B,GAAzB,CAAN;AACAsB,EAAAA,GAAG,GAAG,KAAKD,YAAL,CAAkB,IAAIlD,EAAJ,CAAOmD,GAAP,EAAY,EAAZ,CAAlB,CAAN,CATwD,CAWxD;;AACA,MAAIR,KAAK,GAAG,KAAK1B,CAAL,CAAO2B,UAAP,EAAZ;AACA,MAAIY,IAAI,GAAGD,GAAG,CAACE,UAAJ,GAAiBf,OAAjB,CAAyB,IAAzB,EAA+BC,KAA/B,CAAX,CAbwD,CAexD;;AACA,MAAIF,KAAK,GAAGU,GAAG,CAACT,OAAJ,CAAY,IAAZ,EAAkBC,KAAlB,CAAZ,CAhBwD,CAkBxD;;AACA,MAAIR,IAAI,GAAG,IAAIjC,QAAJ,CAAa;AACtBqB,IAAAA,IAAI,EAAE,KAAKA,IADW;AAEtBe,IAAAA,OAAO,EAAEkB,IAFa;AAGtBf,IAAAA,KAAK,EAAEA,KAHe;AAItBL,IAAAA,IAAI,EAAE1B,OAAO,CAAC0B,IAJQ;AAKtBC,IAAAA,OAAO,EAAE3B,OAAO,CAAC2B,OAAR,IAAmB;AALN,GAAb,CAAX,CAnBwD,CA2BxD;;AACA,MAAIqB,GAAG,GAAG,KAAKzC,CAAL,CAAO6B,GAAP,CAAW,IAAI9C,EAAJ,CAAO,CAAP,CAAX,CAAV;;AAEA,OAAK,IAAI2D,IAAI,GAAG,CAAhB,GAAqBA,IAAI,EAAzB,EAA6B;AAC3B,QAAIC,CAAC,GAAGlD,OAAO,CAACkD,CAAR,GACNlD,OAAO,CAACkD,CAAR,CAAUD,IAAV,CADM,GAEN,IAAI3D,E
AAJ,CAAOmC,IAAI,CAACY,QAAL,CAAc,KAAK9B,CAAL,CAAO2B,UAAP,EAAd,CAAP,CAFF;AAGAgB,IAAAA,CAAC,GAAG,KAAKV,YAAL,CAAkBU,CAAlB,EAAqB,IAArB,CAAJ;AACA,QAAIA,CAAC,CAACC,IAAF,CAAO,CAAP,KAAa,CAAb,IAAkBD,CAAC,CAACZ,GAAF,CAAMU,GAAN,KAAc,CAApC,EACE;AAEF,QAAII,EAAE,GAAG,KAAK1C,CAAL,CAAO2C,GAAP,CAAWH,CAAX,CAAT;AACA,QAAIE,EAAE,CAACE,UAAH,EAAJ,EACE;AAEF,QAAIC,GAAG,GAAGH,EAAE,CAACI,IAAH,EAAV;AACA,QAAIC,CAAC,GAAGF,GAAG,CAACG,IAAJ,CAAS,KAAKnD,CAAd,CAAR;AACA,QAAIkD,CAAC,CAACN,IAAF,CAAO,CAAP,MAAc,CAAlB,EACE;AAEF,QAAIQ,CAAC,GAAGT,CAAC,CAACU,IAAF,CAAO,KAAKrD,CAAZ,EAAe8C,GAAf,CAAmBI,CAAC,CAACJ,GAAF,CAAMR,GAAG,CAACE,UAAJ,EAAN,EAAwBc,IAAxB,CAA6BpB,GAA7B,CAAnB,CAAR;AACAkB,IAAAA,CAAC,GAAGA,CAAC,CAACD,IAAF,CAAO,KAAKnD,CAAZ,CAAJ;AACA,QAAIoD,CAAC,CAACR,IAAF,CAAO,CAAP,MAAc,CAAlB,EACE;AAEF,QAAIW,aAAa,GAAG,CAACV,EAAE,CAACW,IAAH,GAAUC,KAAV,KAAoB,CAApB,GAAwB,CAAzB,KACCT,GAAG,CAACjB,GAAJ,CAAQmB,CAAR,MAAe,CAAf,GAAmB,CAAnB,GAAuB,CADxB,CAApB,CAtB2B,CAyB3B;;AACA,QAAIzD,OAAO,CAACiE,SAAR,IAAqBN,CAAC,CAACrB,GAAF,CAAM,KAAK9B,EAAX,IAAiB,CAA1C,EAA6C;AAC3CmD,MAAAA,CAAC,GAAG,KAAKpD,CAAL,CAAO6B,GAAP,CAAWuB,CAAX,CAAJ;AACAG,MAAAA,aAAa,IAAI,CAAjB;AACD;;AAED,WAAO,IAAIhE,SAAJ,CAAc;AAAE2D,MAAAA,CAAC,EAAEA,CAAL;AAAQE,MAAAA,CAAC,EAAEA,CAAX;AAAcG,MAAAA,aAAa,EAAEA;AAA7B,KAAd,CAAP;AACD;AACF,CA/DD;;AAiEA/D,EAAE,CAACG,SAAH,CAAagE,MAAb,GAAsB,SAASA,MAAT,CAAgBzB,GAAhB,EAAqB0B,SAArB,EAAgCtB,GAAhC,EAAqC1B,GAArC,EAA0C;AAC9DsB,EAAAA,GAAG,GAAG,KAAKD,YAAL,CAAkB,IAAIlD,EAAJ,CAAOmD,GAAP,EAAY,EAAZ,CAAlB,CAAN;AACAI,EAAAA,GAAG,GAAG,KAAKxB,aAAL,CAAmBwB,GAAnB,EAAwB1B,GAAxB,CAAN;AACAgD,EAAAA,SAAS,GAAG,IAAIrE,SAAJ,CAAcqE,SAAd,EAAyB,KAAzB,CAAZ,CAH8D,CAK9D;;AACA,MAAIV,CAAC,GAAGU,SAAS,CAACV,CAAlB;AACA,MAAIE,CAAC,GAAGQ,SAAS,CAACR,CAAlB;AACA,MAAIF,CAAC,CAACN,IAAF,CAAO,CAAP,IAAY,CAAZ,IAAiBM,CAAC,CAACnB,GAAF,CAAM,KAAK/B,CAAX,KAAiB,CAAtC,EACE,OAAO,KAAP;AACF,MAAIoD,CAAC,CAACR,IAAF,CAAO,CAAP,IAAY,CAAZ,IAAiBQ,CAAC,CAACrB,GAAF,CAAM,KAAK/B,CAAX,KAAiB,CAAtC,EACE,OAAO,KAAP,CAX4D,CAa9D;;AACA,MAAI6D,IAAI,GAAGT,CAAC,CAACC,IAAF,CAAO,KAAKrD,CAAZ,CAAX;AACA,MAAI8D,EAAE,GA
AGD,IAAI,CAACf,GAAL,CAASZ,GAAT,EAAciB,IAAd,CAAmB,KAAKnD,CAAxB,CAAT;AACA,MAAI+D,EAAE,GAAGF,IAAI,CAACf,GAAL,CAASI,CAAT,EAAYC,IAAZ,CAAiB,KAAKnD,CAAtB,CAAT;AACA,MAAIgE,CAAJ;;AAEA,MAAI,CAAC,KAAKjE,KAAL,CAAWkE,aAAhB,EAA+B;AAC7BD,IAAAA,CAAC,GAAG,KAAK7D,CAAL,CAAO+D,MAAP,CAAcJ,EAAd,EAAkBxB,GAAG,CAAC6B,SAAJ,EAAlB,EAAmCJ,EAAnC,CAAJ;AACA,QAAIC,CAAC,CAACjB,UAAF,EAAJ,EACE,OAAO,KAAP;AAEF,WAAOiB,CAAC,CAACf,IAAF,GAASE,IAAT,CAAc,KAAKnD,CAAnB,EAAsB+B,GAAtB,CAA0BmB,CAA1B,MAAiC,CAAxC;AACD,GAzB6D,CA2B9D;AACA;;;AAEAc,EAAAA,CAAC,GAAG,KAAK7D,CAAL,CAAOiE,OAAP,CAAeN,EAAf,EAAmBxB,GAAG,CAAC6B,SAAJ,EAAnB,EAAoCJ,EAApC,CAAJ;AACA,MAAIC,CAAC,CAACjB,UAAF,EAAJ,EACE,OAAO,KAAP,CAhC4D,CAkC9D;AACA;AACA;;AACA,SAAOiB,CAAC,CAACK,MAAF,CAASnB,CAAT,CAAP;AACD,CAtCD;;AAwCA1D,EAAE,CAACG,SAAH,CAAa2E,aAAb,GAA6B,UAASpC,GAAT,EAAc0B,SAAd,EAAyBW,CAAzB,EAA4B3D,GAA5B,EAAiC;AAC5DvB,EAAAA,MAAM,CAAC,CAAC,IAAIkF,CAAL,MAAYA,CAAb,EAAgB,0CAAhB,CAAN;AACAX,EAAAA,SAAS,GAAG,IAAIrE,SAAJ,CAAcqE,SAAd,EAAyBhD,GAAzB,CAAZ;AAEA,MAAIZ,CAAC,GAAG,KAAKA,CAAb;AACA,MAAIwE,CAAC,GAAG,IAAIzF,EAAJ,CAAOmD,GAAP,CAAR;AACA,MAAIgB,CAAC,GAAGU,SAAS,CAACV,CAAlB;AACA,MAAIE,CAAC,GAAGQ,SAAS,CAACR,CAAlB,CAP4D,CAS5D;;AACA,MAAIqB,MAAM,GAAGF,CAAC,GAAG,CAAjB;AACA,MAAIG,WAAW,GAAGH,CAAC,IAAI,CAAvB;AACA,MAAIrB,CAAC,CAACnB,GAAF,CAAM,KAAKhC,KAAL,CAAWiE,CAAX,CAAab,IAAb,CAAkB,KAAKpD,KAAL,CAAWC,CAA7B,CAAN,KAA0C,CAA1C,IAA+C0E,WAAnD,EACE,MAAM,IAAIC,KAAJ,CAAU,sCAAV,CAAN,CAb0D,CAe5D;;AACA,MAAID,WAAJ,EACExB,CAAC,GAAG,KAAKnD,KAAL,CAAW6E,UAAX,CAAsB1B,CAAC,CAAC2B,GAAF,CAAM,KAAK9E,KAAL,CAAWC,CAAjB,CAAtB,EAA2CyE,MAA3C,CAAJ,CADF,KAGEvB,CAAC,GAAG,KAAKnD,KAAL,CAAW6E,UAAX,CAAsB1B,CAAtB,EAAyBuB,MAAzB,CAAJ;AAEF,MAAIK,IAAI,GAAGlB,SAAS,CAACV,CAAV,CAAYG,IAAZ,CAAiBrD,CAAjB,CAAX;AACA,MAAI+E,EAAE,GAAG/E,CAAC,CAAC6B,GAAF,CAAM2C,CAAN,EAAS1B,GAAT,CAAagC,IAAb,EAAmB3B,IAAnB,CAAwBnD,CAAxB,CAAT;AACA,MAAIgF,EAAE,GAAG5B,CAAC,CAACN,GAAF,CAAMgC,IAAN,EAAY3B,IAAZ,CAAiBnD,CAAjB,CAAT,CAvB4D,CAyB5D;AACA;;AACA,SAAO,KAAKG,CAAL,CAAO+D,MAAP,CAAca,EAAd,EAAkB7B,CAAlB,EAAqB8B,EAArB,CAAP;AACD,CA5BD;;AA8BAxF,EAAE,CAACG
,SAAH,CAAasF,mBAAb,GAAmC,UAAST,CAAT,EAAYZ,SAAZ,EAAuBsB,CAAvB,EAA0BtE,GAA1B,EAA+B;AAChEgD,EAAAA,SAAS,GAAG,IAAIrE,SAAJ,CAAcqE,SAAd,EAAyBhD,GAAzB,CAAZ;AACA,MAAIgD,SAAS,CAACL,aAAV,KAA4B,IAAhC,EACE,OAAOK,SAAS,CAACL,aAAjB;;AAEF,OAAK,IAAI4B,CAAC,GAAG,CAAb,EAAgBA,CAAC,GAAG,CAApB,EAAuBA,CAAC,EAAxB,EAA4B;AAC1B,QAAIC,MAAJ;;AACA,QAAI;AACFA,MAAAA,MAAM,GAAG,KAAKd,aAAL,CAAmBE,CAAnB,EAAsBZ,SAAtB,EAAiCuB,CAAjC,CAAT;AACD,KAFD,CAEE,OAAOX,CAAP,EAAU;AACV;AACD;;AAED,QAAIY,MAAM,CAACC,EAAP,CAAUH,CAAV,CAAJ,EACE,OAAOC,CAAP;AACH;;AACD,QAAM,IAAIR,KAAJ,CAAU,sCAAV,CAAN;AACD,CAjBD","sourcesContent":["'use strict';\n\nvar BN = require('bn.js');\nvar HmacDRBG = require('hmac-drbg');\nvar utils = require('../utils');\nvar curves = require('../curves');\nvar rand = require('brorand');\nvar assert = utils.assert;\n\nvar KeyPair = require('./key');\nvar Signature = require('./signature');\n\nfunction EC(options) {\n if (!(this instanceof EC))\n return new EC(options);\n\n // Shortcut `elliptic.ec(curve-name)`\n if (typeof options === 'string') {\n assert(Object.prototype.hasOwnProperty.call(curves, options),\n 'Unknown curve ' + options);\n\n options = curves[options];\n }\n\n // Shortcut for `elliptic.ec(elliptic.curves.curveName)`\n if (options instanceof curves.PresetCurve)\n options = { curve: options };\n\n this.curve = options.curve.curve;\n this.n = this.curve.n;\n this.nh = this.n.ushrn(1);\n this.g = this.curve.g;\n\n // Point on curve\n this.g = options.curve.g;\n this.g.precompute(options.curve.n.bitLength() + 1);\n\n // Hash for function for DRBG\n this.hash = options.hash || options.curve.hash;\n}\nmodule.exports = EC;\n\nEC.prototype.keyPair = function keyPair(options) {\n return new KeyPair(this, options);\n};\n\nEC.prototype.keyFromPrivate = function keyFromPrivate(priv, enc) {\n return KeyPair.fromPrivate(this, priv, enc);\n};\n\nEC.prototype.keyFromPublic = function keyFromPublic(pub, enc) {\n return KeyPair.fromPublic(this, pub, enc);\n};\n\nEC.prototype.genKeyPair = function 
genKeyPair(options) {\n if (!options)\n options = {};\n\n // Instantiate Hmac_DRBG\n var drbg = new HmacDRBG({\n hash: this.hash,\n pers: options.pers,\n persEnc: options.persEnc || 'utf8',\n entropy: options.entropy || rand(this.hash.hmacStrength),\n entropyEnc: options.entropy && options.entropyEnc || 'utf8',\n nonce: this.n.toArray(),\n });\n\n var bytes = this.n.byteLength();\n var ns2 = this.n.sub(new BN(2));\n for (;;) {\n var priv = new BN(drbg.generate(bytes));\n if (priv.cmp(ns2) > 0)\n continue;\n\n priv.iaddn(1);\n return this.keyFromPrivate(priv);\n }\n};\n\nEC.prototype._truncateToN = function _truncateToN(msg, truncOnly) {\n var delta = msg.byteLength() * 8 - this.n.bitLength();\n if (delta > 0)\n msg = msg.ushrn(delta);\n if (!truncOnly && msg.cmp(this.n) >= 0)\n return msg.sub(this.n);\n else\n return msg;\n};\n\nEC.prototype.sign = function sign(msg, key, enc, options) {\n if (typeof enc === 'object') {\n options = enc;\n enc = null;\n }\n if (!options)\n options = {};\n\n key = this.keyFromPrivate(key, enc);\n msg = this._truncateToN(new BN(msg, 16));\n\n // Zero-extend key to provide enough entropy\n var bytes = this.n.byteLength();\n var bkey = key.getPrivate().toArray('be', bytes);\n\n // Zero-extend nonce to have the same byte size as N\n var nonce = msg.toArray('be', bytes);\n\n // Instantiate Hmac_DRBG\n var drbg = new HmacDRBG({\n hash: this.hash,\n entropy: bkey,\n nonce: nonce,\n pers: options.pers,\n persEnc: options.persEnc || 'utf8',\n });\n\n // Number of bytes to generate\n var ns1 = this.n.sub(new BN(1));\n\n for (var iter = 0; ; iter++) {\n var k = options.k ?\n options.k(iter) :\n new BN(drbg.generate(this.n.byteLength()));\n k = this._truncateToN(k, true);\n if (k.cmpn(1) <= 0 || k.cmp(ns1) >= 0)\n continue;\n\n var kp = this.g.mul(k);\n if (kp.isInfinity())\n continue;\n\n var kpX = kp.getX();\n var r = kpX.umod(this.n);\n if (r.cmpn(0) === 0)\n continue;\n\n var s = k.invm(this.n).mul(r.mul(key.getPrivate()).iadd(msg));\n s = 
s.umod(this.n);\n if (s.cmpn(0) === 0)\n continue;\n\n var recoveryParam = (kp.getY().isOdd() ? 1 : 0) |\n (kpX.cmp(r) !== 0 ? 2 : 0);\n\n // Use complement of `s`, if it is > `n / 2`\n if (options.canonical && s.cmp(this.nh) > 0) {\n s = this.n.sub(s);\n recoveryParam ^= 1;\n }\n\n return new Signature({ r: r, s: s, recoveryParam: recoveryParam });\n }\n};\n\nEC.prototype.verify = function verify(msg, signature, key, enc) {\n msg = this._truncateToN(new BN(msg, 16));\n key = this.keyFromPublic(key, enc);\n signature = new Signature(signature, 'hex');\n\n // Perform primitive values validation\n var r = signature.r;\n var s = signature.s;\n if (r.cmpn(1) < 0 || r.cmp(this.n) >= 0)\n return false;\n if (s.cmpn(1) < 0 || s.cmp(this.n) >= 0)\n return false;\n\n // Validate signature\n var sinv = s.invm(this.n);\n var u1 = sinv.mul(msg).umod(this.n);\n var u2 = sinv.mul(r).umod(this.n);\n var p;\n\n if (!this.curve._maxwellTrick) {\n p = this.g.mulAdd(u1, key.getPublic(), u2);\n if (p.isInfinity())\n return false;\n\n return p.getX().umod(this.n).cmp(r) === 0;\n }\n\n // NOTE: Greg Maxwell's trick, inspired by:\n // https://git.io/vad3K\n\n p = this.g.jmulAdd(u1, key.getPublic(), u2);\n if (p.isInfinity())\n return false;\n\n // Compare `p.x` of Jacobian point with `r`,\n // this will do `p.x == r * p.z^2` instead of multiplying `p.x` by the\n // inverse of `p.z^2`\n return p.eqXToP(r);\n};\n\nEC.prototype.recoverPubKey = function(msg, signature, j, enc) {\n assert((3 & j) === j, 'The recovery param is more than two bits');\n signature = new Signature(signature, enc);\n\n var n = this.n;\n var e = new BN(msg);\n var r = signature.r;\n var s = signature.s;\n\n // A set LSB signifies that the y-coordinate is odd\n var isYOdd = j & 1;\n var isSecondKey = j >> 1;\n if (r.cmp(this.curve.p.umod(this.curve.n)) >= 0 && isSecondKey)\n throw new Error('Unable to find sencond key candinate');\n\n // 1.1. 
Let x = r + jn.\n if (isSecondKey)\n r = this.curve.pointFromX(r.add(this.curve.n), isYOdd);\n else\n r = this.curve.pointFromX(r, isYOdd);\n\n var rInv = signature.r.invm(n);\n var s1 = n.sub(e).mul(rInv).umod(n);\n var s2 = s.mul(rInv).umod(n);\n\n // 1.6.1 Compute Q = r^-1 (sR - eG)\n // Q = r^-1 (sR + -eG)\n return this.g.mulAdd(s1, r, s2);\n};\n\nEC.prototype.getKeyRecoveryParam = function(e, signature, Q, enc) {\n signature = new Signature(signature, enc);\n if (signature.recoveryParam !== null)\n return signature.recoveryParam;\n\n for (var i = 0; i < 4; i++) {\n var Qprime;\n try {\n Qprime = this.recoverPubKey(e, signature, i);\n } catch (e) {\n continue;\n }\n\n if (Qprime.eq(Q))\n return i;\n }\n throw new Error('Unable to find valid recovery factor');\n};\n"]},"metadata":{},"sourceType":"script"} |