feat(secp256k1): add recoverable ECDSA signature support (#13)

Author: ARitz-Cracker

src/lib/bin/secp256k1/secp256k1.base64.ts

@@ -1,4 +1,4 @@
-// tslint:disable:no-expression-statement no-magic-numbers
+// tslint:disable:no-expression-statement no-magic-numbers no-bitwise
 import { ExecutionContext, test } from 'ava';
 import { randomBytes } from 'crypto';
 import { readFileSync } from 'fs';
@@ -215,6 +215,78 @@ const testSecp256k1Wasm = (
     ),
     1
   );
+
+  // recovery signature
+  const rawRSigPtr = secp256k1Wasm.malloc(65);
+  t.not(rawRSigPtr, 0);
+  t.is(
+    secp256k1Wasm.signRecoverable(
+      contextPtr,
+      rawRSigPtr,
+      sigHashPtr,
+      privkeyPtr
+    ),
+    1
+  );
+
+  // the r and s portions of the signature should match that of a non-recoverable signature
+  const rIDPtr = secp256k1Wasm.malloc(4);
+  const compactRSigPtr = secp256k1Wasm.malloc(64);
+  t.not(compactRSigPtr, 0);
+  secp256k1Wasm.recoverableSignatureSerialize(
+    contextPtr,
+    compactRSigPtr,
+    rIDPtr,
+    rawRSigPtr
+  );
+  const compactRSig = secp256k1Wasm.readHeapU8(compactRSigPtr, 64);
+  const rID = secp256k1Wasm.heapU32[rIDPtr >> 2];
+
+  t.deepEqual(compactRSig, sigCompact);
+  t.is(rID, 1);
+
+  // re-parsing the signature should produce the same internal format.
+  const rawRSig2Ptr = secp256k1Wasm.malloc(65);
+  t.is(
+    secp256k1Wasm.recoverableSignatureParse(
+      contextPtr,
+      rawRSig2Ptr,
+      compactRSigPtr,
+      rID
+    ),
+    1
+  );
+  t.deepEqual(
+    secp256k1Wasm.readHeapU8(rawRSigPtr, 65),
+    secp256k1Wasm.readHeapU8(rawRSig2Ptr, 65)
+  );
+
+  // the recovered public key should match the derived public key
+  const recoveredPublicKeyPtr = secp256k1Wasm.malloc(65);
+  const recoveredPublicKeyCompressedPtr = secp256k1Wasm.malloc(33);
+  const recoveredPublicKeyCompressedLengthPtr = secp256k1Wasm.mallocSizeT(33);
+
+  t.is(
+    secp256k1Wasm.recover(
+      contextPtr,
+      recoveredPublicKeyPtr,
+      rawRSigPtr,
+      sigHashPtr
+    ),
+    1
+  );
+
+  secp256k1Wasm.pubkeySerialize(
+    contextPtr,
+    recoveredPublicKeyCompressedPtr,
+    recoveredPublicKeyCompressedLengthPtr,
+    recoveredPublicKeyPtr,
+    CompressionFlag.COMPRESSED
+  );
+  t.deepEqual(
+    pubkeyCompressed,
+    secp256k1Wasm.readHeapU8(recoveredPublicKeyCompressedPtr, 33)
+  );
 };
 
 const binary = getEmbeddedSecp256k1Binary();

src/lib/bin/secp256k1/secp256k1.wasm

@@ -222,6 +222,70 @@ export interface Secp256k1Wasm {
    */
   readonly readSizeT: (pointer: number) => number;
 
+  /**
+   * Compute the public key given a recoverable signature and message hash.
+   *
+   * Returns 1 if the signature was valid and public key stored, otherwise 0.
+   *
+   * @param contextPtr pointer to a context object, initialized for signing
+   * @param publicKeyPtr pointer to the created public key (note, this is an
+   * internal representation, and must be serialized for outside use)
+   * @param rSigPtr pointer to a recoverable signature (internal format)
+   * @param msg32Ptr pointer to the 32-byte message hash the signed by this
+   * signature
+   */
+  readonly recover: (
+    contextPtr: number,
+    publicKeyPtr: number,
+    rSigPtr: number,
+    msg32Ptr: number
+  ) => 1 | 0;
+
+  /**
+   * Parse an ECDSA signature in compact (64 bytes) format with a recovery
+   * number. Returns 1 when the signature could be parsed, 0 otherwise.
+   *
+   * The signature must consist of a 32-byte big endian R value, followed by a
+   * 32-byte big endian S value. If R or S fall outside of [0..order-1], the
+   * encoding is invalid. R and S with value 0 are allowed in the encoding.
+   *
+   * After the call, sig will always be initialized. If parsing failed or R or
+   * S are zero, the resulting sig value is guaranteed to fail validation for
+   * any message and public key.
+   *
+   * @param contextPtr pointer to a context object
+   * @param outputRSigPtr a pointer to a 65 byte space where the parsed signature
+   * will be written. (internal format)
+   * @param inputSigPtr pointer to a serialized signature in compact format
+   * @param rid the recovery number, as an int. (Not a pointer)
+   */
+  readonly recoverableSignatureParse: (
+    contextPtr: number,
+    outputRSigPtr: number,
+    inputSigPtr: number,
+    rid: number
+  ) => 1 | 0;
+
+  /**
+   * Serialize a recoverable ECDSA signature in compact (64 byte) format along
+   * with the recovery number. Always returns 1.
+   *
+   * See `recoverableSignatureParse` for details about the encoding.
+   *
+   * @param contextPtr pointer to a context object
+   * @param sigOutPtr pointer to a 64-byte space to store the compact
+   * serialization
+   * @param recIDOutPtr pointer to an int which will store the recovery number
+   * @param rSigPtr pointer to the 65-byte signature to be serialized
+   * (Secp256k1 internal format)
+   */
+  readonly recoverableSignatureSerialize: (
+    contextPtr: number,
+    sigOutPtr: number,
+    recIDOutPtr: number,
+    rSigPtr: number
+  ) => 1;
+
   /**
    * Verify an ECDSA secret key.
    *
@@ -416,6 +480,31 @@ export interface Secp256k1Wasm {
     inputSigPtr: number
   ) => 1 | 0;
 
+  /**
+   * Create a recoverable ECDSA signature. The created signature is always in
+   * lower-S form.
+   *
+   * Returns 1 if the signature was created, 0 if the nonce generation function
+   * failed, or the private key was invalid.
+   *
+   * Note, this WebAssembly Secp256k1 implementation does not currently support
+   * the final two arguments from the C library, `noncefp` and `ndata`. The
+   * default nonce generation function, `secp256k1_nonce_function_default`, is
+   * always used.
+   *
+   * @param contextPtr pointer to a context object, initialized for signing
+   * @param outputRSigPtr pointer to a 65 byte space where the signature will be
+   * written (internal format)
+   * @param msg32Ptr pointer to the 32-byte message hash being signed
+   * @param secretKeyPtr pointer to a 32-byte secret key
+   */
+  readonly signRecoverable: (
+    contextPtr: number,
+    outputRSigPtr: number,
+    msg32Ptr: number,
+    secretKeyPtr: number
+  ) => 1 | 0;
+
   /**
    * Verify an ECDSA signature.
    *
@@ -514,6 +603,32 @@ const wrapSecp256k1Wasm = (
     const pointerView32 = pointer >> 2;
     return heapU32[pointerView32];
   },
+  recover: (contextPtr, outputPubkeyPointer, rSigPtr, msg32Ptr) =>
+    instance.exports._secp256k1_ecdsa_recover(
+      contextPtr,
+      outputPubkeyPointer,
+      rSigPtr,
+      msg32Ptr
+    ),
+  recoverableSignatureParse: (contextPtr, outputRSigPtr, inputSigPtr, rid) =>
+    instance.exports._secp256k1_ecdsa_recoverable_signature_parse_compact(
+      contextPtr,
+      outputRSigPtr,
+      inputSigPtr,
+      rid
+    ),
+  recoverableSignatureSerialize: (
+    contextPtr,
+    sigOutPtr,
+    recIDOutPtr,
+    rSigPtr
+  ) =>
+    instance.exports._secp256k1_ecdsa_recoverable_signature_serialize_compact(
+      contextPtr,
+      sigOutPtr,
+      recIDOutPtr,
+      rSigPtr
+    ),
   seckeyVerify: (contextPtr, secretKeyPtr) =>
     instance.exports._secp256k1_ec_seckey_verify(contextPtr, secretKeyPtr),
   sign: (contextPtr, outputSigPtr, msg32Ptr, secretKeyPtr) =>
@@ -523,6 +638,13 @@ const wrapSecp256k1Wasm = (
       msg32Ptr,
       secretKeyPtr
     ),
+  signRecoverable: (contextPtr, outputRSigPtr, msg32Ptr, secretKeyPtr) =>
+    instance.exports._secp256k1_ecdsa_sign_recoverable(
+      contextPtr,
+      outputRSigPtr,
+      msg32Ptr,
+      secretKeyPtr
+    ),
   signatureMalleate: (contextPtr, outputSigPtr, inputSigPtr) =>
     instance.exports._secp256k1_ecdsa_signature_malleate(
       contextPtr,

src/lib/bin/secp256k1/secp256k1Wasm.spec.ts

@@ -40,6 +40,8 @@ const sigCompact = new Uint8Array([0xab, 0x4c, 0x6d, 0x9b, 0xa5, 0x1d, 0xa8, 0x3
 // prettier-ignore
 const sigCompactHighS = new Uint8Array([0xab, 0x4c, 0x6d, 0x9b, 0xa5, 0x1d, 0xa8, 0x30, 0x72, 0x61, 0x5c, 0x33, 0xa9, 0x88, 0x7b, 0x75, 0x64, 0x78, 0xe6, 0xf9, 0xde, 0x38, 0x10, 0x85, 0xf5, 0x18, 0x3c, 0x97, 0x60, 0x3f, 0xc6, 0xff, 0xd6, 0x8d, 0xde, 0x77, 0x42, 0x6c, 0x80, 0xab, 0x37, 0x9e, 0xa7, 0xd3, 0x59, 0x03, 0x97, 0xa3, 0x2d, 0x0c, 0x28, 0xd9, 0xa9, 0x58, 0x35, 0x05, 0x3c, 0x5d, 0x8b, 0x2e, 0x85, 0x43, 0x89, 0xdd]);
 
+const sigRecovery = 1;
+
 // bitcoin-ts setup
 const secp256k1Promise = instantiateSecp256k1();
 const binary = getEmbeddedSecp256k1Binary();
@@ -356,6 +358,90 @@ test('secp256k1.normalizeSignatureDER', async t => {
   t.notThrows(() => fc.assert(equivalentToSecp256k1Node));
 });
 
+test('secp256k1.recoverPublicKeyCompressed', async t => {
+  const secp256k1 = await secp256k1Promise;
+  t.deepEqual(
+    secp256k1.recoverPublicKeyCompressed(sigCompact, sigRecovery, messageHash),
+    pubkeyCompressed
+  );
+
+  const equivalentToSecp256k1Node = fc.property(
+    fcValidPrivateKey(secp256k1),
+    fcUint8Array32(),
+    (privateKey, hash) => {
+      const recoverableStuff = secp256k1.signMessageHashRecoverableCompact(
+        privateKey,
+        hash
+      );
+      t.deepEqual(
+        secp256k1.recoverPublicKeyCompressed(
+          recoverableStuff.signature,
+          recoverableStuff.recovery,
+          hash
+        ),
+        new Uint8Array(
+          secp256k1Node.recover(
+            Buffer.from(hash),
+            Buffer.from(recoverableStuff.signature),
+            recoverableStuff.recovery,
+            true
+          )
+        )
+      );
+    }
+  );
+  t.notThrows(() => fc.assert(equivalentToSecp256k1Node));
+  // TODO: equivalentToElliptic test for recoverable signatures.
+  /*
+  const equivalentToElliptic = fc.property();
+  t.notThrows(() => fc.assert(equivalentToElliptic));
+  */
+});
+
+test('secp256k1.recoverPublicKeyUncompressed', async t => {
+  const secp256k1 = await secp256k1Promise;
+  t.deepEqual(
+    secp256k1.recoverPublicKeyUncompressed(
+      sigCompact,
+      sigRecovery,
+      messageHash
+    ),
+    pubkeyUncompressed
+  );
+
+  const equivalentToSecp256k1Node = fc.property(
+    fcValidPrivateKey(secp256k1),
+    fcUint8Array32(),
+    (privateKey, hash) => {
+      const recoverableStuff = secp256k1.signMessageHashRecoverableCompact(
+        privateKey,
+        hash
+      );
+      t.deepEqual(
+        secp256k1.recoverPublicKeyUncompressed(
+          recoverableStuff.signature,
+          recoverableStuff.recovery,
+          hash
+        ),
+        new Uint8Array(
+          secp256k1Node.recover(
+            Buffer.from(hash),
+            Buffer.from(recoverableStuff.signature),
+            recoverableStuff.recovery,
+            false
+          )
+        )
+      );
+    }
+  );
+  t.notThrows(() => fc.assert(equivalentToSecp256k1Node));
+  // TODO: equivalentToElliptic test for recoverable signatures.
+  /*
+  const equivalentToElliptic = fc.property();
+  t.notThrows(() => fc.assert(equivalentToElliptic));
+  */
+});
+
 test('secp256k1.signMessageHashCompact', async t => {
   const secp256k1 = await secp256k1Promise;
   t.deepEqual(
@@ -431,6 +517,44 @@ test('secp256k1.signMessageHashDER', async t => {
   t.notThrows(() => fc.assert(equivalentToElliptic));
 });
 
+test('secp256k1.signMessageHashRecoverableCompact', async t => {
+  const secp256k1 = await secp256k1Promise;
+  const recoverableStuff = secp256k1.signMessageHashRecoverableCompact(
+    privkey,
+    messageHash
+  );
+  t.is(recoverableStuff.recovery, sigRecovery);
+  t.deepEqual(recoverableStuff.signature, sigCompact);
+  t.throws(() =>
+    secp256k1.signMessageHashRecoverableCompact(secp256k1OrderN, messageHash)
+  );
+  const equivalentToSecp256k1Node = fc.property(
+    fcValidPrivateKey(secp256k1),
+    fcUint8Array32(),
+    (privateKey, hash) => {
+      const nodeRecoverableStuff = secp256k1Node.sign(
+        Buffer.from(hash),
+        Buffer.from(privateKey)
+      );
+      //tslint:disable-next-line:no-object-mutation
+      nodeRecoverableStuff.signature = new Uint8Array(
+        nodeRecoverableStuff.signature
+      );
+      t.deepEqual(
+        secp256k1.signMessageHashRecoverableCompact(privateKey, hash),
+        nodeRecoverableStuff
+      );
+    }
+  );
+  t.notThrows(() => fc.assert(equivalentToSecp256k1Node));
+
+  // TODO: equivalentToElliptic test for recoverable signatures.
+  /*
+  const equivalentToElliptic = fc.property();
+  t.notThrows(() => fc.assert(equivalentToElliptic));
+  */
+});
+
 test('secp256k1.signatureCompactToDER', async t => {
   const secp256k1 = await secp256k1Promise;
   t.deepEqual(secp256k1.signatureCompactToDER(sigCompact), sigDER);