Comments (6)
Makes sense. You're welcome to submit a PR too :)
from web3j.
Ok I will.
from web3j.
I ran into the same thing yesterday (though I was trying to use signMessage
). I put up a simple PR to make SignatureData public: #65
from web3j.
I am making one with a function that takes signature as byte[]
, which means you don't really need access to any of the internal classes, and a convenience method signedMessageToAddress
with the same parameters, but it returns the Ethereum address instead of the public key (so really the same as ecrecover). Going to add the tests today, or maybe tomorrow, and submit.
Did this in Solidity btw. so I'm used to Ethereum crypto (https://github.com/androlo/standard-contracts#crypto).
from web3j.
Seems the implementation is missing some fundamentals. For example, signatures are not properly validated before doing recovery. The only check i find is at the start of the recovery function (https://github.com/web3j/web3j/blob/master/src/main/java/org/web3j/crypto/Sign.java#L97), in which both r
and s
are (explicitly) allowed to lie outside of their respective ranges.
Here is an example of an invalid signature passing recovery without exceptions, running from within the Sign test file:
@Test
public void testInvalidSignature() throws SignatureException {
BigInteger signedMessageToKey = Sign.signedMessageToKey(TEST_MESSAGE, new SignatureData((byte) 27, new byte[]{1}, new byte[]{0})); // s=0
System.out.println(signedMessageToKey.toString(16)); // 60ce6c46097eb1d137670db055e7d8af842e368f265e2eabe572f89e704b58083893f06452e0cc9b8ee13f7677a8d00eef8ff8a28363fadb400c77f308980b60
}
I use signature recovery in bank software (and there are deadlines etc) so will go with an alternative, for now, though I could maybe help with some work later, if needed.
Didn't go over the signing but I think recovery will automatically work if the signature is created by the library itself, since those signatures looks like they're always well-formed. I would not recommend supporting user-provided signatures though, until this has been addressed.
Will leave open since the comment about the other PR is in here.
from web3j.
So you'd like to see explicit bounds checked on e, v, r, and s, as per the yellow paper?
ECDSARECOVER(e ∈ B32, v ∈ B1, r ∈ B32, s ∈ B32)
Was there anything else?
from web3j.
Related Issues (20)
- Incorrect address returned from `signedPrefixedMessageToKey` when invalid data passed in
- NoSuchMethodError: 'okhttp3.RequestBody okhttp3.RequestBody.create(java.lang.String, okhttp3.MediaType)' HOT 7
- No AccessList field in EIP1559 transaction HOT 1
- log filter not work, case: on reinstallFilter() called, if getInitialFilterLogs() throw Exception, schedule is Cancelled on reinstallFilter.
- Generated Contract Error: Cannot cast from List to byte[]
- Wrapper Generation with Array of Structs Parameter still an issue in 4.10.3
- Could you please help release the package? This bug has affected normal use: https://github.com/web3j/web3j/pull/1962 HOT 1
- Filter Exception, Invalid request: filter not found
- Generated wrapper around struct containing a `address[]` member can't be instantiated
- FastRawTransactionManager's resetNonce() will bring its nonce field out of sync
- Allow the use of a struct without having a corresponding Java class
- Update BouncyCastle in org.web3j:core:4.8.7-android HOT 3
- Build fails due to dependency jc-kzg-4844 since version 4.11.0 HOT 7
- Create / demonstrate in tests method for recovering address from signTypedData
- CVE-2023-33201 transitive vulnerable dependency
- Solidity multidimensional array as return
- Quick Start command not working HOT 1
- Error: Stack too deep. HOT 2
- Could not set unknown property 'outputDir' for Main Solidity Sources of type org.gradle.api.internal.file.DefaultSourceDirectorySet. HOT 4
- Fail to install web3j cli on Linux HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from web3j.