search

stellar-expert / albedo

Security-centric, developer-friendly, easy-to-use delegated signer and keystore for Stellar Network
https://albedo.link
MIT License
64 stars 14 forks source link

Cannot verify the results of publicKey intent #24

Closed salessandri closed 4 years ago

salessandri commented 4 years ago

I'm having the following issue. I'm trying to use the publicKey intent.

I'm getting the following output:

{
  "pubkey":"GDLDAMLIQ3SCEZK4UGCMMM3B7HXRN7GIVEF4MQWLFBORNBJVA6ZHFIJH",
  "signed_message":"GDLDAMLIQ3SCEZK4UGCMMM3B7HXRN7GIVEF4MQWLFBORNBJVA6ZHFIJH:24880b3aa7de51ac253277a1d48abbe187340f69395b020e0b5aca49c34b7072",
  "signature":"47fa0aba402e8698e156882bb498f7533ec30e711438a05d06f40fdc690342137ef22e86035242ad11b2773f810bd3ec8ff5c7b86532cbe70d7c181f3c77280f"
}

I'm trying to verify the signature but it always fails. I'm doing it in Rust, but even in node.js it is failing:

stellar = require('stellar-sdk')
key = stellar.Keypair.fromPublicKey('GDLDAMLIQ3SCEZK4UGCMMM3B7HXRN7GIVEF4MQWLFBORNBJVA6ZHFIJH')
signed_message = Buffer.from('GDLDAMLIQ3SCEZK4UGCMMM3B7HXRN7GIVEF4MQWLFBORNBJVA6ZHFIJH:24880b3aa7de51ac253277a1d48abbe187340f69395b020e0b5aca49c34b7072')
message_signature = Buffer.from('47fa0aba402e8698e156882bb498f7533ec30e711438a05d06f40fdc690342137ef22e86035242ad11b2773f810bd3ec8ff5c7b86532cbe70d7c181f3c77280f', 'hex')
key.verify(signed_message, message_signature) => false

I might be doing something wrong, but couldn't figure out what it is.

orbitlens commented 4 years ago

Albedo signs not the message itself, but the SHA-256 hash of it. Here is a JS code example for the verification:

const {Keypair } = require("stellar-sdk"),
    shajs = require("sha.js") //this package comes with StellarSDK (as dependency) so you don't need to install it

const pubkey = 'GDWPMRQSLXNEHCXC7RTISZAHULB7FDDIOPR6CF5B5IUWOQXN2CUWN4LO',
    rawSignature = '049a26b40c1a30be1cef3ef7a64af8ae305e7567ee2cac57e5a494e0036860b81dc417c005e4f4dff6ad6bc52f56f0e61e9d084c2718638bc4f78130fc14d20e',
    signedMessage = 'GDWPMRQSLXNEHCXC7RTISZAHULB7FDDIOPR6CF5B5IUWOQXN2CUWN4LO:DGmk7s8gkhXMqRNsiCBanwL76Kt+5+WUzAOlWoh0nDs='

//load a keypair
const kp = Keypair.fromPublicKey(pubkey)
//get the hash of the message to sign
const message = shajs('sha256').update(signedMessage).digest()
//convert hex-encoded signature to byte array
const signature = Buffer.from(rawSignature, 'hex')
//verify the signature
const isValid =  kp.verify(message, signature)
console.log(isValid)

Sorry that we didn't describe the process of signing and verification in details. We'll definitely add this to the documentation.

salessandri commented 4 years ago

That makes a lot more sense :-) Just validated it in my Rust application!