Sign.signedMessageToKey() can't be called because the Sign.SignatureData class is not public. #64
Comments
Makes sense. You're welcome to submit a PR too :)
Ok I will.
I ran into the same thing yesterday (though I was trying to use
I am making one with a function that takes signature as Did this in Solidity btw. so I'm used to Ethereum crypto (https://github.com/androlo/standard-contracts#crypto).
Seems the implementation is missing some fundamentals. For example, signatures are not properly validated before doing recovery. The only check I find is at the start of the recovery function (https://github.com/web3j/web3j/blob/master/src/main/java/org/web3j/crypto/Sign.java#L97), in which both
Here is an example of an invalid signature passing recovery without exceptions, running from within the Sign test file:
I use signature recovery in bank software (and there are deadlines etc) so will go with an alternative, for now, though I could maybe help with some work later, if needed. Didn't go over the signing but I think recovery will automatically work if the signature is created by the library itself, since those signatures look like they're always well-formed. I would not recommend supporting user-provided signatures though, until this has been addressed. Will leave open since the comment about the other PR is in here.
So you'd like to see explicit bounds checked on e, v, r, and s, as per the yellow paper?
ECDSARECOVER(e ∈ B32, v ∈ B1, r ∈ B32, s ∈ B32)
Was there anything else?
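The bounds checks discussed in the comments above, written out as an added example (not code from web3j or from any commenter). The class `SignatureChecks`, its methods and the sample values are hypothetical; the v ∈ {27, 28} convention, the range 0 < r, s < n for the secp256k1 order n, and the optional low-s rule are assumptions that go beyond the byte-length bounds quoted in the thread.

```java
import java.math.BigInteger;

// Added example: hypothetical helper, not part of web3j.
public final class SignatureChecks {
    // Order n of the secp256k1 group.
    static final BigInteger N = new BigInteger(
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16);
    static final BigInteger HALF_N = N.shiftRight(1);

    /** Returns null when the components are well-formed, otherwise the reason for rejection. */
    static String check(byte[] e, int v, byte[] r, byte[] s, boolean requireLowS) {
        // Length bounds: e, r and s are 32 bytes each; v is a single value.
        if (e == null || e.length != 32) return "e must be 32 bytes";
        if (r == null || r.length != 32) return "r must be 32 bytes";
        if (s == null || s.length != 32) return "s must be 32 bytes";
        if (v != 27 && v != 28) return "v must be 27 or 28";
        // signum 1 makes BigInteger read the bytes as an unsigned magnitude.
        BigInteger rInt = new BigInteger(1, r);
        BigInteger sInt = new BigInteger(1, s);
        if (rInt.signum() == 0 || rInt.compareTo(N) >= 0) return "r must satisfy 0 < r < n";
        if (sInt.signum() == 0 || sInt.compareTo(N) >= 0) return "s must satisfy 0 < s < n";
        // Optional stricter rule (assumption): reject the malleable high-s twin.
        if (requireLowS && sInt.compareTo(HALF_N) > 0) return "s must be at most n/2";
        return null;
    }

    /** Left-pads (or strips the sign byte of) a non-negative value to exactly 32 bytes. */
    static byte[] to32(BigInteger x) {
        byte[] raw = x.toByteArray();
        byte[] out = new byte[32];
        int len = Math.min(raw.length, 32);
        System.arraycopy(raw, raw.length - len, out, 32 - len, len);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real signatures.
        byte[] e = new byte[32];
        byte[] one = to32(BigInteger.ONE);
        byte[] nMinusOne = to32(N.subtract(BigInteger.ONE));
        System.out.println(check(e, 27, one, one, true));          // well-formed shape
        System.out.println(check(e, 27, new byte[32], one, true)); // r = 0
        System.out.println(check(e, 28, one, to32(N), true));      // s = n
        System.out.println(check(e, 5, one, one, true));           // bad v
        System.out.println(check(e, 27, one, nMinusOne, true));    // high s, strict mode
        System.out.println(check(e, 27, one, nMinusOne, false));   // high s, lenient mode
    }
}
```

A check like this belongs in front of any recovery call that accepts signatures from outside the library, so that malformed components are rejected before any curve arithmetic runs.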
…r/web3j#64. 2. Created Assertions utility class.
I looked around but couldn't find any way to create instances of SignatureData - could have missed it though.

Use case:

I like to use crypto utilities but I always do Ethereum signatures through RPC/IPC calls to the client (eth_sign); that way the private keys never have to leave the client's secure boundaries. To utilize signedMessageToKey I have to be able to create instances of SignatureData though.

There is no RPC binding for doing ecrecover through the client. Being able to call this function, either by creating a SignatureData object manually or if there is an overloaded version which takes a string, would be great.