Fix point at infinity verification in signature and public key

massaru-stark · massaru-stark · commit 8ccb522cb025 · 2021-11-09T14:32:10.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,8 @@ Given a version number MAJOR.MINOR.PATCH, increment:
 
 
 ## [Unreleased]
+### Fixed
+- point at infinity verification in signature and public key
 
 ## [1.1.3] - 2021-11-04
 ### Fixed
diff --git a/ellipticcurve/curve.js b/ellipticcurve/curve.js
@@ -19,14 +19,23 @@ class CurveFp {
         this.name = name;
         this.nistName = nistName;
         this._oid = oid;
+    };
 
-        this.contains = function (p) {
-            return modulo(((p.y.pow(2)).minus((p.x.pow(3)).add(this.A.multiply(p.x)).add(this.B))), this.P).equals(0);
-        };
+    contains(p) {
+        if (p.x < 0 || p.x > this.P.minus(1)) {
+            return false;
+        }
+        if (p.y < 0 || p.y > this.P.minus(1)) {
+            return false;
+        }
+        if (!modulo(((p.y.pow(2)).minus((p.x.pow(3)).add(this.A.multiply(p.x)).add(this.B))), this.P).equals(0)) {
+            return false;
+        }
+        return true;
+    };
 
-        this.length = function () {
-            return Math.floor((1 + this.N.toString(16).length) / 2);
-        };
+    length() {
+        return Math.floor((1 + this.N.toString(16).length) / 2);
     };
 
     get oid() {
diff --git a/ellipticcurve/ecdsa.js b/ellipticcurve/ecdsa.js
@@ -43,6 +43,9 @@ exports.verify = function (message, signature, publicKey, hashfunc=sha256) {
     let inv = EcdsaMath.inv(sigS, curve.N);
     let u1 = EcdsaMath.multiply(curve.G, modulo((numberMessage.multiply(inv)), curve.N), curve.N, curve.A, curve.P);
     let u2 = EcdsaMath.multiply(publicKey.point, modulo((sigR.multiply(inv)), curve.N), curve.N, curve.A, curve.P);
-    let add = EcdsaMath.add(u1, u2, curve.A, curve.P);
-    return sigR.eq(add.x);
+    let v = EcdsaMath.add(u1, u2, curve.A, curve.P);
+    if (v.isAtInfinity()) {
+        return false;
+    }
+    return v.x.mod(curve.N).eq(sigR);
 };
diff --git a/ellipticcurve/math.js b/ellipticcurve/math.js
@@ -100,7 +100,7 @@ var jacobianDouble = function (p, A, P) {
     // :param A: Coefficient of the first-order term of the equation Y^2 = X^3 + A*X + B (mod p)
     // :return: Point that represents the sum of First and Second Point
 
-    if (!p.y.value) {
+    if (p.y == 0) {
         return new Point(BigInt(0), BigInt(0), BigInt(0));
     };
     let ysq = modulo((p.y.pow(2)), P);
@@ -123,10 +123,10 @@ var jacobianAdd = function (p, q, A, P) {
     // :param A: Coefficient of the first-order term of the equation Y^2 = X^3 + A*X + B (mod p)
     // :return: Point that represents the sum of First and Second Point
 
-    if (!p.y.value) {
+    if (p.y == 0) {
         return q;
     };
-    if (!q.y.value) {
+    if (q.y == 0) {
         return p;
     };
 
diff --git a/ellipticcurve/point.js b/ellipticcurve/point.js
@@ -7,6 +7,10 @@ class Point {
         this.y = y;
         this.z = z;
     }
+
+    isAtInfinity() {
+        return this.y == 0;
+    }
 }
 
 
diff --git a/ellipticcurve/publicKey.js b/ellipticcurve/publicKey.js
@@ -2,6 +2,7 @@ const BinaryAscii = require("./utils/binary");
 const EcdsaCurve = require("./curve");
 const Point = require("./point").Point;
 const der = require("./utils/der");
+const Math = require("./math");
 
 
 class PublicKey {
@@ -86,11 +87,20 @@ class PublicKey {
 
         let p = new Point(BinaryAscii.numberFromString(xs), BinaryAscii.numberFromString(ys));
 
-        if (validatePoint & !curve.contains(p)) {
+        let publicKey = new PublicKey(p, curve);
+        if (!validatePoint) {
+            return publicKey;
+        }
+        if (p.isAtInfinity()) {
+            throw new Error("Public Key point is at infinity");
+        }
+        if (!curve.contains(p)) {
             throw new Error("point (" + p.x + "," + p.y + ") is not valid for curve " + curve.name);
         }
-
-        return new PublicKey(p, curve);
+        if (!Math.multiply(p, curve.N, curve.N, curve.A, curve.P).isAtInfinity()) {
+            throw new Error("Point (" + p.x + "," + p.y + " * " + curve.name + ".N is not at infinity");
+        }
+        return publicKey
     };
 };
 
diff --git a/test/test.js b/test/test.js
@@ -30,6 +30,15 @@ describe("ECDSA test", function() {
             assert.equal(Ecdsa.verify(message2, signature, publicKey), false);
         });
     });
+    describe("#testZeroSignature()", function() {
+        it("should deny authenticity", function() {
+            let privateKey = new PrivateKey();
+            let publicKey = privateKey.publicKey();
+            let message = "This is the right message";
+
+            assert.equal(Ecdsa.verify(message, new Signature(0, 0), publicKey), false);
+        });
+    });
 });
 describe("openSSL test", function() {
     describe("#testAssign()", function() {

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,10 @@ class Point {`
`7`	`7`	`this.y = y;`
`8`	`8`	`this.z = z;`
`9`	`9`	`}`
	`10`	`+`
	`11`	`+ isAtInfinity() {`
	`12`	`+ return this.y == 0;`
	`13`	`+ }`
`10`	`14`	`}`
`11`	`15`
`12`	`16`