-
Notifications
You must be signed in to change notification settings - Fork 1.5k
/
ninja.key.js
352 lines (312 loc) · 14.6 KB
/
ninja.key.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
var ninja = { wallets: {} };
ninja.privateKey = {
isPrivateKey: function (key) {
return (
Bitcoin.ECKey.isWalletImportFormat(key) ||
Bitcoin.ECKey.isCompressedWalletImportFormat(key) ||
Bitcoin.ECKey.isHexFormat(key) ||
Bitcoin.ECKey.isBase64Format(key) ||
Bitcoin.ECKey.isMiniFormat(key)
);
},
getECKeyFromAdding: function (privKey1, privKey2) {
var n = EllipticCurve.getSECCurveByName("secp256k1").getN();
var ecKey1 = new Bitcoin.ECKey(privKey1);
var ecKey2 = new Bitcoin.ECKey(privKey2);
// if both keys are the same return null
if (ecKey1.getBitcoinHexFormat() == ecKey2.getBitcoinHexFormat()) return null;
if (ecKey1 == null || ecKey2 == null) return null;
var combinedPrivateKey = new Bitcoin.ECKey(ecKey1.priv.add(ecKey2.priv).mod(n));
// compressed when both keys are compressed
if (ecKey1.compressed && ecKey2.compressed) combinedPrivateKey.setCompressed(true);
return combinedPrivateKey;
},
getECKeyFromMultiplying: function (privKey1, privKey2) {
var n = EllipticCurve.getSECCurveByName("secp256k1").getN();
var ecKey1 = new Bitcoin.ECKey(privKey1);
var ecKey2 = new Bitcoin.ECKey(privKey2);
// if both keys are the same return null
if (ecKey1.getBitcoinHexFormat() == ecKey2.getBitcoinHexFormat()) return null;
if (ecKey1 == null || ecKey2 == null) return null;
var combinedPrivateKey = new Bitcoin.ECKey(ecKey1.priv.multiply(ecKey2.priv).mod(n));
// compressed when both keys are compressed
if (ecKey1.compressed && ecKey2.compressed) combinedPrivateKey.setCompressed(true);
return combinedPrivateKey;
},
// 58 base58 characters starting with 6P
isBIP38Format: function (key) {
key = key.toString();
return (/^6P[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{56}$/.test(key));
},
BIP38EncryptedKeyToByteArrayAsync: function (base58Encrypted, passphrase, callback) {
var hex;
try {
hex = Bitcoin.Base58.decode(base58Encrypted);
} catch (e) {
callback(new Error(ninja.translator.get("detailalertnotvalidprivatekey")));
return;
}
// 43 bytes: 2 bytes prefix, 37 bytes payload, 4 bytes checksum
if (hex.length != 43) {
callback(new Error(ninja.translator.get("detailalertnotvalidprivatekey")));
return;
}
// first byte is always 0x01
else if (hex[0] != 0x01) {
callback(new Error(ninja.translator.get("detailalertnotvalidprivatekey")));
return;
}
var expChecksum = hex.slice(-4);
hex = hex.slice(0, -4);
var checksum = Bitcoin.Util.dsha256(hex);
if (checksum[0] != expChecksum[0] || checksum[1] != expChecksum[1] || checksum[2] != expChecksum[2] || checksum[3] != expChecksum[3]) {
callback(new Error(ninja.translator.get("detailalertnotvalidprivatekey")));
return;
}
var isCompPoint = false;
var isECMult = false;
var hasLotSeq = false;
// second byte for non-EC-multiplied key
if (hex[1] == 0x42) {
// key should use compression
if (hex[2] == 0xe0) {
isCompPoint = true;
}
// key should NOT use compression
else if (hex[2] != 0xc0) {
callback(new Error(ninja.translator.get("detailalertnotvalidprivatekey")));
return;
}
}
// second byte for EC-multiplied key
else if (hex[1] == 0x43) {
isECMult = true;
isCompPoint = (hex[2] & 0x20) != 0;
hasLotSeq = (hex[2] & 0x04) != 0;
if ((hex[2] & 0x24) != hex[2]) {
callback(new Error(ninja.translator.get("detailalertnotvalidprivatekey")));
return;
}
}
else {
callback(new Error(ninja.translator.get("detailalertnotvalidprivatekey")));
return;
}
var decrypted;
var AES_opts = { mode: new Crypto.mode.ECB(Crypto.pad.NoPadding), asBytes: true };
var verifyHashAndReturn = function () {
var tmpkey = new Bitcoin.ECKey(decrypted); // decrypted using closure
var base58AddrText = tmpkey.setCompressed(isCompPoint).getBitcoinAddress(); // isCompPoint using closure
checksum = Bitcoin.Util.dsha256(base58AddrText); // checksum using closure
if (checksum[0] != hex[3] || checksum[1] != hex[4] || checksum[2] != hex[5] || checksum[3] != hex[6]) {
callback(new Error(ninja.translator.get("bip38alertincorrectpassphrase"))); // callback using closure
return;
}
callback(tmpkey.getBitcoinPrivateKeyByteArray()); // callback using closure
};
if (!isECMult) {
var addresshash = hex.slice(3, 7);
Crypto_scrypt(passphrase, addresshash, 16384, 8, 8, 64, function (derivedBytes) {
var k = derivedBytes.slice(32, 32 + 32);
decrypted = Crypto.AES.decrypt(hex.slice(7, 7 + 32), k, AES_opts);
for (var x = 0; x < 32; x++) decrypted[x] ^= derivedBytes[x];
verifyHashAndReturn(); //TODO: pass in 'decrypted' as a param
});
}
else {
var ownerentropy = hex.slice(7, 7 + 8);
var ownersalt = !hasLotSeq ? ownerentropy : ownerentropy.slice(0, 4);
Crypto_scrypt(passphrase, ownersalt, 16384, 8, 8, 32, function (prefactorA) {
var passfactor;
if (!hasLotSeq) { // hasLotSeq using closure
passfactor = prefactorA;
} else {
var prefactorB = prefactorA.concat(ownerentropy); // ownerentropy using closure
passfactor = Bitcoin.Util.dsha256(prefactorB);
}
// remove this ECKey from the pool (because user does not see it)
var userKeyPool = Bitcoin.KeyPool.getArray();
var kp = new Bitcoin.ECKey(passfactor);
var passpoint = kp.setCompressed(true).getPub();
Bitcoin.KeyPool.setArray(userKeyPool);
var encryptedpart2 = hex.slice(23, 23 + 16);
var addresshashplusownerentropy = hex.slice(3, 3 + 12);
Crypto_scrypt(passpoint, addresshashplusownerentropy, 1024, 1, 1, 64, function (derived) {
var k = derived.slice(32);
var unencryptedpart2 = Crypto.AES.decrypt(encryptedpart2, k, AES_opts);
for (var i = 0; i < 16; i++) { unencryptedpart2[i] ^= derived[i + 16]; }
var encryptedpart1 = hex.slice(15, 15 + 8).concat(unencryptedpart2.slice(0, 0 + 8));
var unencryptedpart1 = Crypto.AES.decrypt(encryptedpart1, k, AES_opts);
for (var i = 0; i < 16; i++) { unencryptedpart1[i] ^= derived[i]; }
var seedb = unencryptedpart1.slice(0, 0 + 16).concat(unencryptedpart2.slice(8, 8 + 8));
var factorb = Bitcoin.Util.dsha256(seedb);
var ps = EllipticCurve.getSECCurveByName("secp256k1");
var privateKey = BigInteger.fromByteArrayUnsigned(passfactor).multiply(BigInteger.fromByteArrayUnsigned(factorb)).remainder(ps.getN());
decrypted = privateKey.toByteArrayUnsigned();
verifyHashAndReturn();
});
});
}
},
BIP38PrivateKeyToEncryptedKeyAsync: function (base58Key, passphrase, compressed, callback) {
var privKey = new Bitcoin.ECKey(base58Key);
var privKeyBytes = privKey.getBitcoinPrivateKeyByteArray();
var address = privKey.setCompressed(compressed).getBitcoinAddress();
// compute sha256(sha256(address)) and take first 4 bytes
var salt = Bitcoin.Util.dsha256(address).slice(0, 4);
// derive key using scrypt
var AES_opts = { mode: new Crypto.mode.ECB(Crypto.pad.NoPadding), asBytes: true };
Crypto_scrypt(passphrase, salt, 16384, 8, 8, 64, function (derivedBytes) {
for (var i = 0; i < 32; ++i) {
privKeyBytes[i] ^= derivedBytes[i];
}
// 0x01 0x42 + flagbyte + salt + encryptedhalf1 + encryptedhalf2
var flagByte = compressed ? 0xe0 : 0xc0;
var encryptedKey = [0x01, 0x42, flagByte].concat(salt);
encryptedKey = encryptedKey.concat(Crypto.AES.encrypt(privKeyBytes, derivedBytes.slice(32), AES_opts));
encryptedKey = encryptedKey.concat(Bitcoin.Util.dsha256(encryptedKey).slice(0, 4));
callback(Bitcoin.Base58.encode(encryptedKey));
});
},
BIP38GenerateIntermediatePointAsync: function (passphrase, lotNum, sequenceNum, callback) {
var noNumbers = lotNum === null || sequenceNum === null;
var rng = new SecureRandom();
var ownerEntropy, ownerSalt;
if (noNumbers) {
ownerSalt = ownerEntropy = new Array(8);
rng.nextBytes(ownerEntropy);
}
else {
// 1) generate 4 random bytes
ownerSalt = new Array(4);
rng.nextBytes(ownerSalt);
// 2) Encode the lot and sequence numbers as a 4 byte quantity (big-endian):
// lotnumber * 4096 + sequencenumber. Call these four bytes lotsequence.
var lotSequence = BigInteger(4096 * lotNum + sequenceNum).toByteArrayUnsigned();
// 3) Concatenate ownersalt + lotsequence and call this ownerentropy.
var ownerEntropy = ownerSalt.concat(lotSequence);
}
// 4) Derive a key from the passphrase using scrypt
Crypto_scrypt(passphrase, ownerSalt, 16384, 8, 8, 32, function (prefactor) {
// Take SHA256(SHA256(prefactor + ownerentropy)) and call this passfactor
var passfactorBytes = noNumbers ? prefactor : Bitcoin.Util.dsha256(prefactor.concat(ownerEntropy));
var passfactor = BigInteger.fromByteArrayUnsigned(passfactorBytes);
// 5) Compute the elliptic curve point G * passfactor, and convert the result to compressed notation (33 bytes)
var ellipticCurve = EllipticCurve.getSECCurveByName("secp256k1");
var passpoint = ellipticCurve.getG().multiply(passfactor).getEncoded(1);
// 6) Convey ownersalt and passpoint to the party generating the keys, along with a checksum to ensure integrity.
// magic bytes "2C E9 B3 E1 FF 39 E2 51" followed by ownerentropy, and then passpoint
var magicBytes = [0x2C, 0xE9, 0xB3, 0xE1, 0xFF, 0x39, 0xE2, 0x51];
if (noNumbers) magicBytes[7] = 0x53;
var intermediate = magicBytes.concat(ownerEntropy).concat(passpoint);
// base58check encode
intermediate = intermediate.concat(Bitcoin.Util.dsha256(intermediate).slice(0, 4));
callback(Bitcoin.Base58.encode(intermediate));
});
},
BIP38GenerateECAddressAsync: function (intermediate, compressed, callback) {
// decode IPS
var x = Bitcoin.Base58.decode(intermediate);
//if(x.slice(49, 4) !== Bitcoin.Util.dsha256(x.slice(0,49)).slice(0,4)) {
// callback({error: 'Invalid intermediate passphrase string'});
//}
var noNumbers = (x[7] === 0x53);
var ownerEntropy = x.slice(8, 8 + 8);
var passpoint = x.slice(16, 16 + 33);
// 1) Set flagbyte.
// set bit 0x20 for compressed key
// set bit 0x04 if ownerentropy contains a value for lotsequence
var flagByte = (compressed ? 0x20 : 0x00) | (noNumbers ? 0x00 : 0x04);
// 2) Generate 24 random bytes, call this seedb.
var seedB = new Array(24);
var rng = new SecureRandom();
rng.nextBytes(seedB);
// Take SHA256(SHA256(seedb)) to yield 32 bytes, call this factorb.
var factorB = Bitcoin.Util.dsha256(seedB);
// 3) ECMultiply passpoint by factorb. Use the resulting EC point as a public key and hash it into a Bitcoin
// address using either compressed or uncompressed public key methodology (specify which methodology is used
// inside flagbyte). This is the generated Bitcoin address, call it generatedaddress.
var ec = EllipticCurve.getSECCurveByName("secp256k1").getCurve();
var generatedPoint = ec.decodePointHex(ninja.publicKey.getHexFromByteArray(passpoint));
var generatedBytes = generatedPoint.multiply(BigInteger.fromByteArrayUnsigned(factorB)).getEncoded(compressed);
var generatedAddress = (new Bitcoin.Address(Bitcoin.Util.sha256ripe160(generatedBytes))).toString();
// 4) Take the first four bytes of SHA256(SHA256(generatedaddress)) and call it addresshash.
var addressHash = Bitcoin.Util.dsha256(generatedAddress).slice(0, 4);
// 5) Now we will encrypt seedb. Derive a second key from passpoint using scrypt
Crypto_scrypt(passpoint, addressHash.concat(ownerEntropy), 1024, 1, 1, 64, function (derivedBytes) {
// 6) Do AES256Encrypt(seedb[0...15]] xor derivedhalf1[0...15], derivedhalf2), call the 16-byte result encryptedpart1
for (var i = 0; i < 16; ++i) {
seedB[i] ^= derivedBytes[i];
}
var AES_opts = { mode: new Crypto.mode.ECB(Crypto.pad.NoPadding), asBytes: true };
var encryptedPart1 = Crypto.AES.encrypt(seedB.slice(0, 16), derivedBytes.slice(32), AES_opts);
// 7) Do AES256Encrypt((encryptedpart1[8...15] + seedb[16...23]) xor derivedhalf1[16...31], derivedhalf2), call the 16-byte result encryptedseedb.
var message2 = encryptedPart1.slice(8, 8 + 8).concat(seedB.slice(16, 16 + 8));
for (var i = 0; i < 16; ++i) {
message2[i] ^= derivedBytes[i + 16];
}
var encryptedSeedB = Crypto.AES.encrypt(message2, derivedBytes.slice(32), AES_opts);
// 0x01 0x43 + flagbyte + addresshash + ownerentropy + encryptedpart1[0...7] + encryptedpart2
var encryptedKey = [0x01, 0x43, flagByte].concat(addressHash).concat(ownerEntropy).concat(encryptedPart1.slice(0, 8)).concat(encryptedSeedB);
// base58check encode
encryptedKey = encryptedKey.concat(Bitcoin.Util.dsha256(encryptedKey).slice(0, 4));
callback(generatedAddress, Bitcoin.Base58.encode(encryptedKey));
});
}
};
ninja.publicKey = {
isPublicKeyHexFormat: function (key) {
key = key.toString();
return ninja.publicKey.isUncompressedPublicKeyHexFormat(key) || ninja.publicKey.isCompressedPublicKeyHexFormat(key);
},
// 130 characters [0-9A-F] starts with 04
isUncompressedPublicKeyHexFormat: function (key) {
key = key.toString();
return /^04[A-Fa-f0-9]{128}$/.test(key);
},
// 66 characters [0-9A-F] starts with 02 or 03
isCompressedPublicKeyHexFormat: function (key) {
key = key.toString();
return /^0[2-3][A-Fa-f0-9]{64}$/.test(key);
},
getBitcoinAddressFromByteArray: function (pubKeyByteArray) {
var pubKeyHash = Bitcoin.Util.sha256ripe160(pubKeyByteArray);
var addr = new Bitcoin.Address(pubKeyHash);
return addr.toString();
},
getHexFromByteArray: function (pubKeyByteArray) {
return Crypto.util.bytesToHex(pubKeyByteArray).toString().toUpperCase();
},
getByteArrayFromAdding: function (pubKeyHex1, pubKeyHex2) {
var ecparams = EllipticCurve.getSECCurveByName("secp256k1");
var curve = ecparams.getCurve();
var ecPoint1 = curve.decodePointHex(pubKeyHex1);
var ecPoint2 = curve.decodePointHex(pubKeyHex2);
// if both points are the same return null
if (ecPoint1.equals(ecPoint2)) return null;
var compressed = (ecPoint1.compressed && ecPoint2.compressed);
var pubKey = ecPoint1.add(ecPoint2).getEncoded(compressed);
return pubKey;
},
getByteArrayFromMultiplying: function (pubKeyHex, ecKey) {
var ecparams = EllipticCurve.getSECCurveByName("secp256k1");
var ecPoint = ecparams.getCurve().decodePointHex(pubKeyHex);
var compressed = (ecPoint.compressed && ecKey.compressed);
// if both points are the same return null
ecKey.setCompressed(false);
if (ecPoint.equals(ecKey.getPubPoint())) {
return null;
}
var bigInt = ecKey.priv;
var pubKey = ecPoint.multiply(bigInt).getEncoded(compressed);
return pubKey;
},
// used by unit test
getDecompressedPubKeyHex: function (pubKeyHexComp) {
var ecparams = EllipticCurve.getSECCurveByName("secp256k1");
var ecPoint = ecparams.getCurve().decodePointHex(pubKeyHexComp);
var pubByteArray = ecPoint.getEncoded(0);
var pubHexUncompressed = ninja.publicKey.getHexFromByteArray(pubByteArray);
return pubHexUncompressed;
}
};