r1 1

Author: ty-everett

src/primitives/Secp256r1.ts

@@ -0,0 +1,270 @@
+import crypto from 'crypto'
+
+export type P256Point = { x: bigint, y: bigint } | null
+
+type ByteSource = string | Uint8Array | ArrayBufferView
+
+const HEX_REGEX = /^[0-9a-fA-F]+$/
+
+const P = BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff')
+const N = BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551')
+const A = P - 3n // a = -3 mod p
+const B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b')
+const GX = BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296')
+const GY = BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5')
+const G: P256Point = { x: GX, y: GY }
+const HALF_N = N >> 1n
+
+const COMPRESSED_EVEN = '02'
+const COMPRESSED_ODD = '03'
+const UNCOMPRESSED = '04'
+
+export default class Secp256r1 {
+  readonly p = P
+  readonly n = N
+  readonly a = A
+  readonly b = B
+  readonly g = G
+
+  private mod (x: bigint, m: bigint = this.p): bigint {
+    const v = x % m
+    return v >= 0n ? v : v + m
+  }
+
+  private modInv (x: bigint, m: bigint): bigint {
+    if (x === 0n || m <= 0n) throw new Error('Invalid mod inverse input')
+    let [a, b] = [this.mod(x, m), m]
+    let [u, v] = [1n, 0n]
+    while (b !== 0n) {
+      const q = a / b
+      ;[a, b] = [b, a - q * b]
+      ;[u, v] = [v, u - q * v]
+    }
+    if (a !== 1n) throw new Error('Inverse does not exist')
+    return this.mod(u, m)
+  }
+
+  private modPow (base: bigint, exponent: bigint, modulus: bigint): bigint {
+    if (modulus === 1n) return 0n
+    let result = 1n
+    let b = this.mod(base, modulus)
+    let e = exponent
+    while (e > 0n) {
+      if (e & 1n) result = this.mod(result * b, modulus)
+      e >>= 1n
+      b = this.mod(b * b, modulus)
+    }
+    return result
+  }
+
+  private isInfinity (p: P256Point): p is null {
+    return p === null
+  }
+
+  private assertOnCurve (p: P256Point): void {
+    if (this.isInfinity(p)) return
+    const { x, y } = p
+    const left = this.mod(y * y)
+    const right = this.mod(this.mod(x * x * x + this.a * x) + this.b)
+    if (left !== right) {
+      throw new Error('Point is not on secp256r1')
+    }
+  }
+
+  pointFromAffine (x: bigint, y: bigint): P256Point {
+    const point: P256Point = { x: this.mod(x), y: this.mod(y) }
+    this.assertOnCurve(point)
+    return point
+  }
+
+  pointFromHex (hex: string): P256Point {
+    if (hex.startsWith(UNCOMPRESSED)) {
+      const x = BigInt('0x' + hex.slice(2, 66))
+      const y = BigInt('0x' + hex.slice(66))
+      return this.pointFromAffine(x, y)
+    }
+    if (hex.startsWith(COMPRESSED_EVEN) || hex.startsWith(COMPRESSED_ODD)) {
+      const x = BigInt('0x' + hex.slice(2))
+      const ySq = this.mod(this.mod(x * x * x + this.a * x) + this.b)
+      const y = this.modPow(ySq, (this.p + 1n) >> 2n, this.p)
+      const isOdd = (y & 1n) === 1n
+      const shouldBeOdd = hex.startsWith(COMPRESSED_ODD)
+      const yFinal = (isOdd === shouldBeOdd) ? y : this.p - y
+      return this.pointFromAffine(x, yFinal)
+    }
+    throw new Error('Invalid point encoding')
+  }
+
+  pointToHex (p: P256Point, compressed = false): string {
+    if (this.isInfinity(p)) return '00'
+    const xHex = this.to32BytesHex(p.x)
+    const yHex = this.to32BytesHex(p.y)
+    if (!compressed) return UNCOMPRESSED + xHex + yHex
+    const prefix = (p.y & 1n) === 0n ? COMPRESSED_EVEN : COMPRESSED_ODD
+    return prefix + xHex
+  }
+
+  private addPoints (p1: P256Point, p2: P256Point): P256Point {
+    if (this.isInfinity(p1)) return p2
+    if (this.isInfinity(p2)) return p1
+
+    const { x: x1, y: y1 } = p1
+    const { x: x2, y: y2 } = p2
+
+    if (x1 === x2) {
+      if (y1 === y2) {
+        return this.doublePoint(p1)
+      }
+      return null
+    }
+
+    const m = this.mod((y2 - y1) * this.modInv(x2 - x1, this.p))
+    const x3 = this.mod(m * m - x1 - x2)
+    const y3 = this.mod(m * (x1 - x3) - y1)
+    return { x: x3, y: y3 }
+  }
+
+  private doublePoint (p: P256Point): P256Point {
+    if (this.isInfinity(p)) return p
+    if (p.y === 0n) return null
+    const m = this.mod((3n * p.x * p.x + this.a) * this.modInv(2n * p.y, this.p))
+    const x3 = this.mod(m * m - 2n * p.x)
+    const y3 = this.mod(m * (p.x - x3) - p.y)
+    return { x: x3, y: y3 }
+  }
+
+  add (p1: P256Point, p2: P256Point): P256Point {
+    return this.addPoints(p1, p2)
+  }
+
+  multiply (point: P256Point, scalar: bigint): P256Point {
+    if (scalar === 0n || this.isInfinity(point)) return null
+    let k = this.mod(scalar, this.n)
+    let result: P256Point = null
+    let addend: P256Point = point
+    while (k > 0n) {
+      if (k & 1n) {
+        result = this.addPoints(result, addend)
+      }
+      addend = this.doublePoint(addend)
+      k >>= 1n
+    }
+    return result
+  }
+
+  multiplyBase (scalar: bigint): P256Point {
+    return this.multiply(this.g, scalar)
+  }
+
+  isOnCurve (p: P256Point): boolean {
+    try {
+      this.assertOnCurve(p)
+      return true
+    } catch (err) {
+      return false
+    }
+  }
+
+  generatePrivateKeyHex (): string {
+    return this.to32BytesHex(this.randomScalar())
+  }
+
+  private randomScalar (): bigint {
+    while (true) {
+      const bytes = crypto.randomBytes(32)
+      const k = BigInt('0x' + bytes.toString('hex'))
+      if (k > 0n && k < this.n) return k
+    }
+  }
+
+  private normalizePrivateKey (d: bigint): bigint {
+    const key = this.mod(d, this.n)
+    if (key === 0n) throw new Error('Invalid private key')
+    return key
+  }
+
+  private toScalar (input: string | bigint): bigint {
+    if (typeof input === 'bigint') return this.normalizePrivateKey(input)
+    const hex = input.startsWith('0x') ? input.slice(2) : input
+    if (!HEX_REGEX.test(hex) || hex.length === 0 || hex.length > 64) {
+      throw new Error('Private key must be a hex string <= 32 bytes')
+    }
+    const value = BigInt('0x' + hex.padStart(64, '0'))
+    return this.normalizePrivateKey(value)
+  }
+
+  publicKeyFromPrivate (privateKey: string | bigint): P256Point {
+    const d = this.toScalar(privateKey)
+    return this.multiplyBase(d)
+  }
+
+  sign (message: ByteSource, privateKey: string | bigint, opts: { prehashed?: boolean, nonce?: bigint } = {}): { r: string, s: string } {
+    const { prehashed = false, nonce } = opts
+    const d = this.toScalar(privateKey)
+    const z = this.messageToBigInt(message, prehashed)
+    let k = nonce ?? this.randomScalar()
+
+    while (true) {
+      const p = this.multiplyBase(k)
+      if (this.isInfinity(p)) {
+        k = nonce ?? this.randomScalar()
+        continue
+      }
+      const r = this.mod(p.x, this.n)
+      if (r === 0n) {
+        k = nonce ?? this.randomScalar()
+        continue
+      }
+      const kinv = this.modInv(k, this.n)
+      let s = this.mod(kinv * (z + r * d), this.n)
+      if (s === 0n) {
+        k = nonce ?? this.randomScalar()
+        continue
+      }
+      if (s > HALF_N) s = this.n - s // enforce low-s
+      return { r: this.to32BytesHex(r), s: this.to32BytesHex(s) }
+    }
+  }
+
+  verify (message: ByteSource, signature: { r: string | bigint, s: string | bigint }, publicKey: P256Point | string, opts: { prehashed?: boolean } = {}): boolean {
+    const { prehashed = false } = opts
+    const q = typeof publicKey === 'string' ? this.pointFromHex(publicKey) : publicKey
+    if (!q || !this.isOnCurve(q)) return false
+
+    const r = typeof signature.r === 'bigint' ? signature.r : BigInt('0x' + signature.r)
+    const s = typeof signature.s === 'bigint' ? signature.s : BigInt('0x' + signature.s)
+    if (r <= 0n || r >= this.n || s <= 0n || s >= this.n) return false
+
+    const z = this.messageToBigInt(message, prehashed)
+    const w = this.modInv(s, this.n)
+    const u1 = this.mod(z * w, this.n)
+    const u2 = this.mod(r * w, this.n)
+    const p = this.addPoints(this.multiplyBase(u1), this.multiply(q, u2))
+    if (this.isInfinity(p)) return false
+    const v = this.mod(p.x, this.n)
+    return v === r
+  }
+
+  private messageToBigInt (message: ByteSource, prehashed: boolean): bigint {
+    const bytes = this.toBuffer(message)
+    const digest = prehashed ? bytes : crypto.createHash('sha256').update(bytes).digest()
+    const hex = digest.toString('hex')
+    return BigInt('0x' + hex) % this.n
+  }
+
+  private toBuffer (data: ByteSource): Buffer {
+    if (typeof data === 'string') {
+      if (HEX_REGEX.test(data) && data.length % 2 === 0) {
+        return Buffer.from(data, 'hex')
+      }
+      return Buffer.from(data, 'utf8')
+    }
+    if (data instanceof Uint8Array) return Buffer.from(data)
+    if (ArrayBuffer.isView(data)) return Buffer.from(data.buffer, data.byteOffset, data.byteLength)
+    throw new Error('Unsupported message format')
+  }
+
+  private to32BytesHex (num: bigint): string {
+    return num.toString(16).padStart(64, '0')
+  }
+}

src/primitives/__tests/Secp256r1.test.ts

@@ -0,0 +1,60 @@
+import crypto from 'crypto'
+import Secp256r1 from '../Secp256r1.js'
+
+const curve = new Secp256r1()
+
+const TWO_G =
+  '047cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc4766997807775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1'
+const THREE_G =
+  '045ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032'
+
+const toBase64Url = (hex: string): string => Buffer.from(hex, 'hex').toString('base64url')
+
+describe('Secp256r1', () => {
+  test('base point multiplication matches known coordinates', () => {
+    const twoG = curve.multiplyBase(2n)
+    const threeG = curve.multiplyBase(3n)
+    expect(curve.pointToHex(twoG)).toBe(TWO_G)
+    expect(curve.pointToHex(threeG)).toBe(THREE_G)
+    expect(curve.multiplyBase(curve.n)).toBeNull()
+  })
+
+  test('public key generation stays on-curve and supports compression', () => {
+    const priv = curve.generatePrivateKeyHex()
+    const pub = curve.publicKeyFromPrivate(priv)
+    expect(curve.isOnCurve(pub)).toBe(true)
+    const compressed = curve.pointToHex(pub, true)
+    const roundTrip = curve.pointFromHex(compressed)
+    expect(roundTrip).toEqual(pub)
+  })
+
+  test('ECDSA sign and verify round-trip', () => {
+    const priv = '1'.repeat(64)
+    const pub = curve.publicKeyFromPrivate(priv)
+    const message = Buffer.from('p256 check')
+    const signature = curve.sign(message, priv)
+    expect(curve.verify(message, signature, pub)).toBe(true)
+    expect(curve.verify(Buffer.from('different'), signature, pub)).toBe(false)
+    const tampered = { r: signature.r, s: signature.s.slice(0, 62) + '00' }
+    expect(curve.verify(message, tampered, pub)).toBe(false)
+  })
+
+  test('signatures interoperate with Node crypto (ieee-p1363 encoding)', () => {
+    const priv = '3'.repeat(64)
+    const pub = curve.publicKeyFromPrivate(priv)
+    const message = Buffer.from('interop check')
+    const signature = curve.sign(message, priv)
+    const sigBuf = Buffer.concat([Buffer.from(signature.r, 'hex'), Buffer.from(signature.s, 'hex')])
+
+    const pubHex = curve.pointToHex(pub)
+    const jwk = {
+      kty: 'EC',
+      crv: 'P-256',
+      x: toBase64Url(pubHex.slice(2, 66)),
+      y: toBase64Url(pubHex.slice(66))
+    }
+
+    const ok = crypto.verify('sha256', message, { key: jwk, format: 'jwk', dsaEncoding: 'ieee-p1363' }, sigBuf)
+    expect(ok).toBe(true)
+  })
+})