Merge remote-tracking branch 'origin/master' into TOB-24

Stephen-Thomson · Stephen-Thomson · commit e3f18a6d6fc1 · 2025-12-11T08:48:05.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file. The format
 ## Table of Contents
 
 - [Unreleased](#unreleased)
+- [1.9.26 - 2025-12-10](#1926---2025-12-10)
 - [1.9.25 - 2025-12-09](#1925---2025-12-09)
 - [1.9.24 - 2025-12-09](#1924---2025-12-09)
 - [1.9.23 - 2025-12-08](#1923---2025-12-08)
@@ -198,6 +199,17 @@ All notable changes to this project will be documented in this file. The format
 
 ---
 
+## [1.9.26] - 2025-12-10
+
+### Security
+- Addressed TOB-25 by adding explicit ECDSA and elliptic-curve regression tests
+  ensuring correct propagation and handling of the point at infinity during
+  scalar multiplication and signature verification.
+  These tests prevent regressions where invalid infinity points could be
+  incorrectly treated as valid curve points.
+
+---
+
 ## [1.9.25] - 2025-12-09
 
 ### Added
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.9.25",
+  "version": "1.9.26",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",
diff --git a/src/primitives/__tests/ECDSA.test.ts b/src/primitives/__tests/ECDSA.test.ts
@@ -2,6 +2,7 @@ import * as ECDSA from '../../primitives/ECDSA'
 import BigNumber from '../../primitives/BigNumber'
 import Curve from '../../primitives/Curve'
 import Signature from '../../primitives/Signature'
+import Point from '../../primitives/Point'
 
 const msg = new BigNumber('deadbeef', 16)
 const key = new BigNumber(
@@ -90,4 +91,30 @@ describe('ECDSA', () => {
       ECDSA.sign(msg, key, undefined, n)
     ).toThrow()
   })
+
+  it('k·G + (−k·G) results in point at infinity (TOB-25)', () => {
+    const k = new BigNumber('123456789abcdef', 16)
+
+    const P = curve.g.mul(k)
+    const negP = P.neg()
+    const sum = P.add(negP)
+
+    expect(sum.isInfinity()).toBe(true)
+  })
+
+  it('scalar multiplication by zero returns point at infinity (TOB-25)', () => {
+    const zero = new BigNumber(0)
+    const result = curve.g.mul(zero)
+
+    expect(result.isInfinity()).toBe(true)
+  })
+
+  it('ECDSA verify rejects point-at-infinity public key (TOB-25)', () => {
+    const signature = ECDSA.sign(msg, key)
+    const infinityPub = new Point(null, null)
+
+    expect(() =>
+      ECDSA.verify(msg, signature, infinityPub)
+    ).toThrow()
+  })
 })

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@bsv/sdk",`
`3`		`- "version": "1.9.25",`
	`3`	`+ "version": "1.9.26",`
`4`	`4`	`"type": "module",`
`5`	`5`	`"description": "BSV Blockchain Software Development Kit",`
`6`	`6`	`"main": "dist/cjs/mod.js",`