more tests and deterministic nonce

Author: ty-everett

src/primitives/Secp256r1.ts

@@ -1,5 +1,5 @@
 import Random from './Random.js'
-import { sha256 } from './Hash.js'
+import { sha256, sha256hmac } from './Hash.js'
 import { toArray, toHex } from './utils.js'
 
 export type P256Point = { x: bigint, y: bigint } | null
@@ -237,24 +237,25 @@ export default class Secp256r1 {
   sign (message: ByteSource, privateKey: string | bigint, opts: { prehashed?: boolean, nonce?: bigint } = {}): { r: string, s: string } {
     const { prehashed = false, nonce } = opts
     const d = this.toScalar(privateKey)
-    const z = this.messageToBigInt(message, prehashed)
-    let k = nonce ?? this.randomScalar()
+    const digest = this.normalizeMessage(message, prehashed)
+    const z = this.bytesToScalar(digest)
+    let k = nonce ?? this.deterministicNonce(d, digest)
 
     while (true) {
       const p = this.multiplyBase(k)
       if (this.isInfinity(p)) {
-        k = nonce ?? this.randomScalar()
+        k = nonce ?? this.deterministicNonce(d, digest)
         continue
       }
       const r = this.mod(p.x, this.n)
       if (r === 0n) {
-        k = nonce ?? this.randomScalar()
+        k = nonce ?? this.deterministicNonce(d, digest)
         continue
       }
       const kinv = this.modInv(k, this.n)
       let s = this.mod(kinv * (z + r * d), this.n)
       if (s === 0n) {
-        k = nonce ?? this.randomScalar()
+        k = nonce ?? this.deterministicNonce(d, digest)
         continue
       }
       if (s > HALF_N) s = this.n - s // enforce low-s
@@ -267,14 +268,19 @@ export default class Secp256r1 {
    */
   verify (message: ByteSource, signature: { r: string | bigint, s: string | bigint }, publicKey: P256Point | string, opts: { prehashed?: boolean } = {}): boolean {
     const { prehashed = false } = opts
-    const q = typeof publicKey === 'string' ? this.pointFromHex(publicKey) : publicKey
+    let q: P256Point
+    try {
+      q = typeof publicKey === 'string' ? this.pointFromHex(publicKey) : publicKey
+    } catch {
+      return false
+    }
     if ((q == null) || !this.isOnCurve(q)) return false
 
     const r = typeof signature.r === 'bigint' ? signature.r : BigInt('0x' + signature.r)
     const s = typeof signature.s === 'bigint' ? signature.s : BigInt('0x' + signature.s)
     if (r <= 0n || r >= this.n || s <= 0n || s >= this.n) return false
 
-    const z = this.messageToBigInt(message, prehashed)
+    const z = this.bytesToScalar(this.normalizeMessage(message, prehashed))
     const w = this.modInv(s, this.n)
     const u1 = this.mod(z * w, this.n)
     const u2 = this.mod(r * w, this.n)
@@ -284,13 +290,32 @@ export default class Secp256r1 {
     return v === r
   }
 
-  private messageToBigInt (message: ByteSource, prehashed: boolean): bigint {
+  private normalizeMessage (message: ByteSource, prehashed: boolean): Uint8Array {
     const bytes = this.toBytes(message)
-    const digest = prehashed ? bytes : new Uint8Array(sha256(bytes))
-    const hex = toHex(Array.from(digest))
+    if (prehashed) return bytes
+    return new Uint8Array(sha256(bytes))
+  }
+
+  private bytesToScalar (bytes: Uint8Array): bigint {
+    const hex = toHex(Array.from(bytes))
     return BigInt('0x' + hex) % this.n
   }
 
+  private deterministicNonce (priv: bigint, msgDigest: Uint8Array): bigint {
+    const keyBytes = toArray(this.to32BytesHex(priv), 'hex')
+    let counter = 0
+    while (counter < 1024) { // safety bound
+      const data = counter === 0
+        ? Array.from(msgDigest)
+        : Array.from(msgDigest).concat([counter & 0xff])
+      const hmac = sha256hmac(keyBytes, data)
+      const k = BigInt('0x' + toHex(hmac)) % this.n
+      if (k > 0n) return k
+      counter++
+    }
+    throw new Error('Failed to derive deterministic nonce')
+  }
+
   private toBytes (data: ByteSource): Uint8Array {
     if (typeof data === 'string') {
       const isHex = HEX_REGEX.test(data) && data.length % 2 === 0

src/primitives/__tests/Secp256r1.test.ts

@@ -1,5 +1,6 @@
 import crypto from 'crypto'
 import Secp256r1 from '../Secp256r1.js'
+import { sha256 } from '../Hash.js'
 
 const curve = new Secp256r1()
 
@@ -11,32 +12,72 @@ const THREE_G =
 const toBase64Url = (hex: string): string => Buffer.from(hex, 'hex').toString('base64url')
 
 describe('Secp256r1', () => {
-  test('base point multiplication matches known coordinates', () => {
+  test('base point multiplication matches known coordinates and handles infinity', () => {
     const twoG = curve.multiplyBase(2n)
     const threeG = curve.multiplyBase(3n)
     expect(curve.pointToHex(twoG)).toBe(TWO_G)
     expect(curve.pointToHex(threeG)).toBe(THREE_G)
     expect(curve.multiplyBase(curve.n)).toBeNull()
+    expect(curve.multiply(null, 5n)).toBeNull()
   })
 
-  test('public key generation stays on-curve and supports compression', () => {
+  test('public key generation stays on-curve, supports compression, and rejects bad encodings', () => {
     const priv = curve.generatePrivateKeyHex()
     const pub = curve.publicKeyFromPrivate(priv)
     expect(curve.isOnCurve(pub)).toBe(true)
     const compressed = curve.pointToHex(pub, true)
     const roundTrip = curve.pointFromHex(compressed)
     expect(roundTrip).toEqual(pub)
+    expect(() => curve.pointFromHex('05abcdef')).toThrow()
+    expect(() => curve.pointFromHex('')).toThrow()
   })
 
-  test('ECDSA sign and verify round-trip', () => {
+  test('adding inverse points yields infinity', () => {
+    const p = curve.multiplyBase(9n)
+    const neg = { x: p!.x, y: curve.p - p!.y }
+    expect(curve.add(p, neg)).toBeNull()
+    expect(curve.add(null, p)).toEqual(p)
+  })
+
+  test('ECDSA sign and verify round-trip, low-s enforced, rejects malformed inputs', () => {
     const priv = '1'.repeat(64)
     const pub = curve.publicKeyFromPrivate(priv)
     const message = Buffer.from('p256 check')
     const signature = curve.sign(message, priv)
+    const sVal = BigInt('0x' + signature.s)
+    expect(sVal <= curve.n / 2n).toBe(true)
     expect(curve.verify(message, signature, pub)).toBe(true)
     expect(curve.verify(Buffer.from('different'), signature, pub)).toBe(false)
     const tampered = { r: signature.r, s: signature.s.slice(0, 62) + '00' }
     expect(curve.verify(message, tampered, pub)).toBe(false)
+    const zeroR = { r: '0'.repeat(64), s: signature.s }
+    expect(curve.verify(message, zeroR, pub)).toBe(false)
+    const zeroS = { r: signature.r, s: '0'.repeat(64) }
+    expect(curve.verify(message, zeroS, pub)).toBe(false)
+    expect(curve.verify(message, signature, '02deadbeef')).toBe(false)
+  })
+
+  test('deterministic nonce is stable across calls and message changes', () => {
+    const priv = '2'.repeat(64)
+    const pub = curve.publicKeyFromPrivate(priv)
+    const message = Buffer.from('deterministic nonce')
+    const sig1 = curve.sign(message, priv)
+    const sig2 = curve.sign(message, priv)
+    expect(sig1).toEqual(sig2)
+    const sig3 = curve.sign(Buffer.from('deterministic nonce v2'), priv)
+    expect(sig3).not.toEqual(sig1)
+    expect(curve.verify(message, sig1, pub)).toBe(true)
+  })
+
+  test('prehashed signing path matches explicit hashing input', () => {
+    const priv = '4'.repeat(64)
+    const pub = curve.publicKeyFromPrivate(priv)
+    const message = Buffer.from('prehashed path')
+    const digest = new Uint8Array(sha256(message))
+    const sig1 = curve.sign(message, priv)
+    const sig2 = curve.sign(digest, priv, { prehashed: true })
+    expect(sig1).toEqual(sig2)
+    expect(curve.verify(digest, sig2, pub, { prehashed: true })).toBe(true)
   })
 
   test('signatures interoperate with Node crypto (ieee-p1363 encoding)', () => {