search

near / near-api-js

JavaScript library to interact with NEAR Protocol via RPC API
https://near.github.io/near-api-js
MIT License
390 stars 244 forks source link

Ed25519 signature verification inconsistent with nearcore #343

Open abacabadabacaba opened 4 years ago

abacabadabacaba commented 4 years ago

This is nearprotocol/nearcore#2700 for near-api-js. See that issue for a long description. The Ed25519 verification function in near-api-js may produce results different from other implementations that we use (in particular, the one we use in nearcore).

vgrichina commented 4 years ago

In near-api-js, we use tweetnacl library. This library doesn't check that the value s is canonically encoded, so it may accept invalid signatures. However, it looks like no one uses near-api-js to verify signatures.

@abacabadabacaba how to fix this? Do we need to verify some stuff in signature before sending it to tweetnacl? Can you give pseudocode?

volovyks commented 3 years ago

@abacabadabacaba is this issue still relevant?

abacabadabacaba commented 3 years ago

Yes, nothing has changed so far. As I posted before, this issue is not urgent because we don't depend much on signature verification in near-api-js. In the future, we may want to move away from tweetnacl (for example, to have the code for near/near-wallet#1372 in near-api-js), in which case we can fix this. Or we can add an extra check on top of tweetnacl.

vikinatora commented 8 months ago

@gtsonevv we should check if this is still the case with noble-curves