Skip to content

Commit 4e96883

Browse files
authored
Merge pull request #1003 from mikeslee/fix/security-deps
fix(deps): drop secp256k1 package to clear consumer npm-audit alerts
2 parents c5aa993 + a6a2014 commit 4e96883

10 files changed

Lines changed: 42 additions & 46 deletions

File tree

dist/es/public-key.js

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,17 @@
1-
import { publicKeyConvert } from 'secp256k1';
1+
import { secp256k1 } from 'ethereum-cryptography/secp256k1';
22
import { pubToAddress, toChecksumAddress, hexToBytes, bytesToHex } from '@ethereumjs/util';
33
import { hexToUnit8Array, uint8ArrayToHex, addLeading0x } from './util';
44
export function compress(startsWith04) {
55
// add trailing 04 if not done before
66
var testBuffer = Buffer.from(startsWith04, 'hex');
77
if (testBuffer.length === 64) startsWith04 = '04' + startsWith04;
8-
return uint8ArrayToHex(publicKeyConvert(hexToUnit8Array(startsWith04), true));
8+
return uint8ArrayToHex(secp256k1.ProjectivePoint.fromHex(hexToUnit8Array(startsWith04)).toRawBytes(true));
99
}
1010
export function decompress(startsWith02Or03) {
1111
// if already decompressed an not has trailing 04
1212
var testBuffer = Buffer.from(startsWith02Or03, 'hex');
1313
if (testBuffer.length === 64) startsWith02Or03 = '04' + startsWith02Or03;
14-
var decompressed = uint8ArrayToHex(publicKeyConvert(hexToUnit8Array(startsWith02Or03), false));
14+
var decompressed = uint8ArrayToHex(secp256k1.ProjectivePoint.fromHex(hexToUnit8Array(startsWith02Or03)).toRawBytes(false));
1515

1616
// remove trailing 04
1717
decompressed = decompressed.substring(2);

dist/es/recover-public-key.js

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
import { ecdsaRecover } from 'secp256k1';
1+
import { secp256k1 } from 'ethereum-cryptography/secp256k1';
22
import { removeLeading0x, hexToUnit8Array, uint8ArrayToHex } from './util';
33

44
/**
@@ -15,7 +15,8 @@ export function recoverPublicKey(signature, hash) {
1515
var vValue = signature.slice(-2); // last 2 chars
1616

1717
var recoveryNumber = vValue === '1c' ? 1 : 0;
18-
var pubKey = uint8ArrayToHex(ecdsaRecover(hexToUnit8Array(sigOnly), recoveryNumber, hexToUnit8Array(removeLeading0x(hash)), false));
18+
var point = secp256k1.Signature.fromCompact(hexToUnit8Array(sigOnly)).addRecoveryBit(recoveryNumber).recoverPublicKey(hexToUnit8Array(removeLeading0x(hash)));
19+
var pubKey = uint8ArrayToHex(point.toRawBytes(false));
1920

2021
// remove trailing '04'
2122
pubKey = pubKey.slice(2);

dist/es/sign.js

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,17 @@
1-
import { ecdsaSign as secp256k1_sign } from 'secp256k1';
1+
import { secp256k1 } from 'ethereum-cryptography/secp256k1';
22
import { addLeading0x, removeLeading0x } from './util';
33

44
/**
55
* signs the given message
6-
* we do not use sign from eth-lib because the pure secp256k1-version is 90% faster
76
* @param {string} privateKey
87
* @param {string} hash
98
* @return {string} hexString
109
*/
1110
export function sign(privateKey, hash) {
1211
hash = addLeading0x(hash);
1312
if (hash.length !== 66) throw new Error('EthCrypto.sign(): Can only sign hashes, given: ' + hash);
14-
var sigObj = secp256k1_sign(new Uint8Array(Buffer.from(removeLeading0x(hash), 'hex')), new Uint8Array(Buffer.from(removeLeading0x(privateKey), 'hex')));
15-
var recoveryId = sigObj.recid === 1 ? '1c' : '1b';
16-
var newSignature = '0x' + Buffer.from(sigObj.signature).toString('hex') + recoveryId;
13+
var sig = secp256k1.sign(new Uint8Array(Buffer.from(removeLeading0x(hash), 'hex')), new Uint8Array(Buffer.from(removeLeading0x(privateKey), 'hex')));
14+
var recoveryId = sig.recovery === 1 ? '1c' : '1b';
15+
var newSignature = '0x' + Buffer.from(sig.toCompactRawBytes()).toString('hex') + recoveryId;
1716
return newSignature;
1817
}

dist/lib/public-key.js

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,20 +6,20 @@ Object.defineProperty(exports, "__esModule", {
66
exports.compress = compress;
77
exports.decompress = decompress;
88
exports.toAddress = toAddress;
9-
var _secp256k = require("secp256k1");
9+
var _secp256k = require("ethereum-cryptography/secp256k1");
1010
var _util = require("@ethereumjs/util");
1111
var _util2 = require("./util");
1212
function compress(startsWith04) {
1313
// add trailing 04 if not done before
1414
var testBuffer = Buffer.from(startsWith04, 'hex');
1515
if (testBuffer.length === 64) startsWith04 = '04' + startsWith04;
16-
return (0, _util2.uint8ArrayToHex)((0, _secp256k.publicKeyConvert)((0, _util2.hexToUnit8Array)(startsWith04), true));
16+
return (0, _util2.uint8ArrayToHex)(_secp256k.secp256k1.ProjectivePoint.fromHex((0, _util2.hexToUnit8Array)(startsWith04)).toRawBytes(true));
1717
}
1818
function decompress(startsWith02Or03) {
1919
// if already decompressed an not has trailing 04
2020
var testBuffer = Buffer.from(startsWith02Or03, 'hex');
2121
if (testBuffer.length === 64) startsWith02Or03 = '04' + startsWith02Or03;
22-
var decompressed = (0, _util2.uint8ArrayToHex)((0, _secp256k.publicKeyConvert)((0, _util2.hexToUnit8Array)(startsWith02Or03), false));
22+
var decompressed = (0, _util2.uint8ArrayToHex)(_secp256k.secp256k1.ProjectivePoint.fromHex((0, _util2.hexToUnit8Array)(startsWith02Or03)).toRawBytes(false));
2323

2424
// remove trailing 04
2525
decompressed = decompressed.substring(2);

dist/lib/recover-public-key.js

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ Object.defineProperty(exports, "__esModule", {
44
value: true
55
});
66
exports.recoverPublicKey = recoverPublicKey;
7-
var _secp256k = require("secp256k1");
7+
var _secp256k = require("ethereum-cryptography/secp256k1");
88
var _util = require("./util");
99
/**
1010
* returns the publicKey for the privateKey with which the messageHash was signed
@@ -20,7 +20,8 @@ function recoverPublicKey(signature, hash) {
2020
var vValue = signature.slice(-2); // last 2 chars
2121

2222
var recoveryNumber = vValue === '1c' ? 1 : 0;
23-
var pubKey = (0, _util.uint8ArrayToHex)((0, _secp256k.ecdsaRecover)((0, _util.hexToUnit8Array)(sigOnly), recoveryNumber, (0, _util.hexToUnit8Array)((0, _util.removeLeading0x)(hash)), false));
23+
var point = _secp256k.secp256k1.Signature.fromCompact((0, _util.hexToUnit8Array)(sigOnly)).addRecoveryBit(recoveryNumber).recoverPublicKey((0, _util.hexToUnit8Array)((0, _util.removeLeading0x)(hash)));
24+
var pubKey = (0, _util.uint8ArrayToHex)(point.toRawBytes(false));
2425

2526
// remove trailing '04'
2627
pubKey = pubKey.slice(2);

dist/lib/sign.js

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,20 +4,19 @@ Object.defineProperty(exports, "__esModule", {
44
value: true
55
});
66
exports.sign = sign;
7-
var _secp256k = require("secp256k1");
7+
var _secp256k = require("ethereum-cryptography/secp256k1");
88
var _util = require("./util");
99
/**
1010
* signs the given message
11-
* we do not use sign from eth-lib because the pure secp256k1-version is 90% faster
1211
* @param {string} privateKey
1312
* @param {string} hash
1413
* @return {string} hexString
1514
*/
1615
function sign(privateKey, hash) {
1716
hash = (0, _util.addLeading0x)(hash);
1817
if (hash.length !== 66) throw new Error('EthCrypto.sign(): Can only sign hashes, given: ' + hash);
19-
var sigObj = (0, _secp256k.ecdsaSign)(new Uint8Array(Buffer.from((0, _util.removeLeading0x)(hash), 'hex')), new Uint8Array(Buffer.from((0, _util.removeLeading0x)(privateKey), 'hex')));
20-
var recoveryId = sigObj.recid === 1 ? '1c' : '1b';
21-
var newSignature = '0x' + Buffer.from(sigObj.signature).toString('hex') + recoveryId;
18+
var sig = _secp256k.secp256k1.sign(new Uint8Array(Buffer.from((0, _util.removeLeading0x)(hash), 'hex')), new Uint8Array(Buffer.from((0, _util.removeLeading0x)(privateKey), 'hex')));
19+
var recoveryId = sig.recovery === 1 ? '1c' : '1b';
20+
var newSignature = '0x' + Buffer.from(sig.toCompactRawBytes()).toString('hex') + recoveryId;
2221
return newSignature;
2322
}

package.json

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -107,8 +107,7 @@
107107
"@types/bn.js": "5.2.0",
108108
"@noble/hashes": "2.2.0",
109109
"ethereum-cryptography": "3.2.0",
110-
"ethers": "6.16.0",
111-
"secp256k1": "5.0.1"
110+
"ethers": "6.16.0"
112111
},
113112
"overrides": {
114113
"acorn": "^8"

src/public-key.js

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
import {
2-
publicKeyConvert
3-
} from 'secp256k1';
2+
secp256k1
3+
} from 'ethereum-cryptography/secp256k1';
44
import {
55
pubToAddress,
66
toChecksumAddress,
@@ -20,10 +20,9 @@ export function compress(startsWith04) {
2020
if (testBuffer.length === 64) startsWith04 = '04' + startsWith04;
2121

2222

23-
return uint8ArrayToHex(publicKeyConvert(
24-
hexToUnit8Array(startsWith04),
25-
true
26-
));
23+
return uint8ArrayToHex(
24+
secp256k1.ProjectivePoint.fromHex(hexToUnit8Array(startsWith04)).toRawBytes(true)
25+
);
2726
}
2827

2928
export function decompress(startsWith02Or03) {
@@ -32,10 +31,9 @@ export function decompress(startsWith02Or03) {
3231
const testBuffer = Buffer.from(startsWith02Or03, 'hex');
3332
if (testBuffer.length === 64) startsWith02Or03 = '04' + startsWith02Or03;
3433

35-
let decompressed = uint8ArrayToHex(publicKeyConvert(
36-
hexToUnit8Array(startsWith02Or03),
37-
false
38-
));
34+
let decompressed = uint8ArrayToHex(
35+
secp256k1.ProjectivePoint.fromHex(hexToUnit8Array(startsWith02Or03)).toRawBytes(false)
36+
);
3937

4038
// remove trailing 04
4139
decompressed = decompressed.substring(2);

src/recover-public-key.js

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
import {
2-
ecdsaRecover
3-
} from 'secp256k1';
2+
secp256k1
3+
} from 'ethereum-cryptography/secp256k1';
44
import {
55
removeLeading0x,
66
hexToUnit8Array,
@@ -23,12 +23,12 @@ export function recoverPublicKey(signature, hash) {
2323

2424
const recoveryNumber = vValue === '1c' ? 1 : 0;
2525

26-
let pubKey = uint8ArrayToHex(ecdsaRecover(
27-
hexToUnit8Array(sigOnly),
28-
recoveryNumber,
29-
hexToUnit8Array(removeLeading0x(hash)),
30-
false
31-
));
26+
const point = secp256k1.Signature
27+
.fromCompact(hexToUnit8Array(sigOnly))
28+
.addRecoveryBit(recoveryNumber)
29+
.recoverPublicKey(hexToUnit8Array(removeLeading0x(hash)));
30+
31+
let pubKey = uint8ArrayToHex(point.toRawBytes(false));
3232

3333
// remove trailing '04'
3434
pubKey = pubKey.slice(2);

src/sign.js

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,13 @@
11
import {
2-
ecdsaSign as secp256k1_sign
3-
} from 'secp256k1';
2+
secp256k1
3+
} from 'ethereum-cryptography/secp256k1';
44
import {
55
addLeading0x,
66
removeLeading0x
77
} from './util';
88

99
/**
1010
* signs the given message
11-
* we do not use sign from eth-lib because the pure secp256k1-version is 90% faster
1211
* @param {string} privateKey
1312
* @param {string} hash
1413
* @return {string} hexString
@@ -18,13 +17,13 @@ export function sign(privateKey, hash) {
1817
if (hash.length !== 66)
1918
throw new Error('EthCrypto.sign(): Can only sign hashes, given: ' + hash);
2019

21-
const sigObj = secp256k1_sign(
20+
const sig = secp256k1.sign(
2221
new Uint8Array(Buffer.from(removeLeading0x(hash), 'hex')),
2322
new Uint8Array(Buffer.from(removeLeading0x(privateKey), 'hex'))
2423
);
2524

26-
const recoveryId = sigObj.recid === 1 ? '1c' : '1b';
25+
const recoveryId = sig.recovery === 1 ? '1c' : '1b';
2726

28-
const newSignature = '0x' + Buffer.from(sigObj.signature).toString('hex') + recoveryId;
27+
const newSignature = '0x' + Buffer.from(sig.toCompactRawBytes()).toString('hex') + recoveryId;
2928
return newSignature;
3029
}

0 commit comments

Comments
 (0)