secp256k1_ecdsa sign/verify issue

[cfsbhawkins]

First off thanks for the great library. I am looking to use it to verify test messages and license file for my Dart app. In my testing, I can't get the verify to return true. I have started with your basic sample but even in the simplest of tests it always returns false.

Code Snippet:

final licenseHex = Utilities.hexToBytes(hex.encode(jsonEncode(licenseRequest).codeUnits)); final signature = _privateKey.sign(licenseHex);

final publicKey = _privateKey.getPublicKey(); final verified = publicKey.verify(signature, licenseHex);

verified always fails even with the same hex. This is basically from your sample only change is that I convert my json string into hex using the convert library.

For testing I used this site to create the private keys: https://kjur.github.io/jsrsasign/sample/sample-ecdsa.html

Any help would be greatly appreciated. I know this is a different use case than blockchain but I am looking to use it like PGP message verification from the signer to the apps.

[leonardocustodio]

@justkawal can you take a look in here? thanks

[leonardocustodio]

Hello @cfsbhawkins , can you get me the JSON you are signing so I can check? Note: I am not sure you are aware of this, but the Polkadot signature uses Blake2 to hash the message.

[cfsbhawkins]

Ok let me use Blake2 then to hex the message and I will give it a shot. the hex.encode comes from dart convert.

[leonardocustodio]

Idk if you got at least the step to generate the same public key from a private key. There are a few nuances from what we use in the blockchain. This is how you would do it to get the same public key from a private key as the website:

  final privateKey = PrivateKey.fromHex(
      "81bd2487faa5e7e52ed238a0fddb3f4feb311f6651748c391ee46008ce391d59");
  final publicKey = privateKey.getPublicKey(false);
  print(Utilities.bytesToHex(publicKey.bytes));

The false basically means to not use a compact public key which we use in the blockchain.

[leonardocustodio]

And here is how polkadot implements the sign/verify: https://github.com/polkadot-js/common/blob/master/packages/util-crypto/src/signature/verify.ts https://github.com/polkadot-js/common/blob/37fa211fdb141d4f6eb32e8f377a4651ed2d9068/packages/util-crypto/src/secp256k1/verify.ts#L15-L31

To make it easier to figure out what the exact input you need to sign I suggest looking at their testcases here: https://github.com/polkadot-js/common/blob/master/packages/util-crypto/src/secp256k1/verify.spec.ts

[cfsbhawkins]

@leonardocustodio thanks for the help using _blake2bDigest allowed me to sign and verify, I followed the test cases here https://github.com/leonardocustodio/polkadart/blob/2b3416c3d88eeb6f5874bc0d158931bd832c8eff/packages/polkadart_keyring/test/keypair_ecdsa_test.dart#L95

[leonardocustodio]

Glad to hear :+1:

[justkawal]

@justkawal can you take a look in here? thanks

Sorry, I wasn't available at that time, but I did looked into it, even though you smartly resolved it already and also everything seems to be fine but I did found some optimisations that could be made and will open up a PR for secp256k1...

[leonardocustodio]

Sorry, I wasn't available at that time, but I did looked into it, even though you smartly resolved it already and also everything seems to be fine but I did found some optimisations that could be made and will open up a PR for secp256k1...

Can we add an option to sign/verify without hashing as blake2? For ethereum signatures for example it uses keccak as hasher and for people who will use the pkg for other stuff that not blockchain they may use it without hashing