search

GetScatter / scatter-js

Importable JavaScript library that allows web applications to directly interface with Scatter Desktop, Classic and Mobile.
MIT License
262 stars 149 forks source link

signing arbitrary data #155

Open robertkowalski opened 4 years ago

robertkowalski commented 4 years ago

Happy friday Scatter team!

We are trying to sign arbitrary data with Scatter.

We use scatter.getArbitrarySignature. It works well for any strings that have less than 12 chars per word.

In our case, we need to sign larger JSON messages, so the limitation becomes tricky. The documentation mentions that the limitation applies to strings.

Not sure if we can pass other data types to it.

I already tried to pass in plain Node.js Buffers and Uint8 Arrays created with eos.Serialize.SerialBuffer, but no luck so far.

Why is the limitation of 12 chars there? Any ideas how to solve this issue?

Example:

const publicKey = 'PUBLIC_KEY'

const data = '{"foo":"bar","type":"candy","price":"100000000","amount": "1.00000000000000"}'
const sig = await scatter.getArbitrarySignature(publicKey, data)
console.log(data, sig, publicKey)

Example with Uint8 Binary data

const publicKey = 'PUBLIC_KEY'

const { TextDecoder, TextEncoder } = require('util')
const { Serialize } = require('eosjs')

const sb = new Serialize.SerialBuffer({
  textEncoder: new TextEncoder(),
  textDecoder: new TextDecoder()
})

const data = '{"foo":"bar","type":"candy","price":"100000000","amount": "1.00000000000000"}'
sb.pushString(data)

const array = sb.asUint8Array()
const sig = await scatter.getArbitrarySignature(publicKey, array)
console.log(array, sig, publicKey)
nsjames commented 4 years ago

That 12 character limit is imposed as a defense mechanism since hashes could be passed into that method which are actually packed transactions, and then signed by the user without their knowledge of the parameters of the transaction they are signing (since arbitrary sigs only show the data being signed, and doesn't unpack it).

The alternative is using a pseudo-chain call to trick Scatter into using an on-chain contract for parsing, and passing in the string to be signed as a parameter. The transaction isn't actually sent to chain, just using the ABIs. Example: https://github.com/GetScatter/scatter-js/blob/master/mock-sites/eosjs/index.html#L245 This also allows hardware wallets to work with arbitrary signatures.