RanchiMall/bscwallet
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
bscwallet/scripts/tap_combined.js
sairaj mote 1eeed5c2ff Added UI and updated meta mask integration
2023-11-04 17:45:48 +05:30

8429 lines
358 KiB
JavaScript
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/******
*
START OF BASE SECTION
*
*
******/
/*! scure-base - MIT License (c) 2022 Paul Miller (paulmillr.com) */
var base = {};
var taproot = {};
var secp = {};
var hashmini = {};
(function () {
base.bytes = base.stringToBytes = base.str = base.bytesToString = base.hex = base.utf8 = base.bech32m = base.bech32 = base.base58check = base.base58xmr = base.base58xrp = base.base58flickr = base.base58 = base.base64url = base.base64 = base.base32crockford = base.base32hex = base.base32 = base.base16 = base.utils = base.assertNumber = void 0;
// Utilities
function assertNumber(n) {
if (!Number.isSafeInteger(n))
throw new Error("Wrong integer: ".concat(n));
}
base.assertNumber = assertNumber;
function chain() {
var args = [];
for (var _i = 0; _i < arguments.length; _i++) {
args[_i] = arguments[_i];
}
// Wrap call in closure so JIT can inline calls
var wrap = function (a, b) { return function (c) { return a(b(c)); }; };
// Construct chain of args[-1].encode(args[-2].encode([...]))
var encode = Array.from(args)
.reverse()
.reduce(function (acc, i) { return (acc ? wrap(acc, i.encode) : i.encode); }, undefined);
// Construct chain of args[0].decode(args[1].decode(...))
var decode = args.reduce(function (acc, i) { return (acc ? wrap(acc, i.decode) : i.decode); }, undefined);
return { encode: encode, decode: decode };
}
// Encodes integer radix representation to array of strings using alphabet and back
function alphabet(alphabet) {
return {
encode: function (digits) {
if (!Array.isArray(digits) || (digits.length && typeof digits[0] !== 'number'))
throw new Error('alphabet.encode input should be an array of numbers');
return digits.map(function (i) {
assertNumber(i);
if (i < 0 || i >= alphabet.length)
throw new Error("Digit index outside alphabet: ".concat(i, " (alphabet: ").concat(alphabet.length, ")"));
return alphabet[i];
});
},
decode: function (input) {
if (!Array.isArray(input) || (input.length && typeof input[0] !== 'string'))
throw new Error('alphabet.decode input should be array of strings');
return input.map(function (letter) {
if (typeof letter !== 'string')
throw new Error("alphabet.decode: not string element=".concat(letter));
var index = alphabet.indexOf(letter);
if (index === -1)
throw new Error("Unknown letter: \"".concat(letter, "\". Allowed: ").concat(alphabet));
return index;
});
},
};
}
function join(separator) {
if (separator === void 0) { separator = ''; }
if (typeof separator !== 'string')
throw new Error('join separator should be string');
return {
encode: function (from) {
if (!Array.isArray(from) || (from.length && typeof from[0] !== 'string'))
throw new Error('join.encode input should be array of strings');
for (var _i = 0, from_1 = from; _i < from_1.length; _i++) {
var i = from_1[_i];
if (typeof i !== 'string')
throw new Error("join.encode: non-string input=".concat(i));
}
return from.join(separator);
},
decode: function (to) {
if (typeof to !== 'string')
throw new Error('join.decode input should be string');
return to.split(separator);
},
};
}
// Pad strings array so it has integer number of bits
function padding(bits, chr) {
if (chr === void 0) { chr = '='; }
assertNumber(bits);
if (typeof chr !== 'string')
throw new Error('padding chr should be string');
return {
encode: function (data) {
if (!Array.isArray(data) || (data.length && typeof data[0] !== 'string'))
throw new Error('padding.encode input should be array of strings');
for (var _i = 0, data_1 = data; _i < data_1.length; _i++) {
var i = data_1[_i];
if (typeof i !== 'string')
throw new Error("padding.encode: non-string input=".concat(i));
}
while ((data.length * bits) % 8)
data.push(chr);
return data;
},
decode: function (input) {
if (!Array.isArray(input) || (input.length && typeof input[0] !== 'string'))
throw new Error('padding.encode input should be array of strings');
for (var _i = 0, input_1 = input; _i < input_1.length; _i++) {
var i = input_1[_i];
if (typeof i !== 'string')
throw new Error("padding.decode: non-string input=".concat(i));
}
var end = input.length;
if ((end * bits) % 8)
throw new Error('Invalid padding: string should have whole number of bytes');
for (; end > 0 && input[end - 1] === chr; end--) {
if (!(((end - 1) * bits) % 8))
throw new Error('Invalid padding: string has too much padding');
}
return input.slice(0, end);
},
};
}
function normalize(fn) {
if (typeof fn !== 'function')
throw new Error('normalize fn should be function');
return { encode: function (from) { return from; }, decode: function (to) { return fn(to); } };
}
// NOTE: it has quadratic time complexity
function convertRadix(data, from, to) {
// base 1 is impossible
if (from < 2)
throw new Error("convertRadix: wrong from=".concat(from, ", base cannot be less than 2"));
if (to < 2)
throw new Error("convertRadix: wrong to=".concat(to, ", base cannot be less than 2"));
if (!Array.isArray(data))
throw new Error('convertRadix: data should be array');
if (!data.length)
return [];
var pos = 0;
var res = [];
var digits = Array.from(data);
digits.forEach(function (d) {
assertNumber(d);
if (d < 0 || d >= from)
throw new Error("Wrong integer: ".concat(d));
});
while (true) {
var carry = 0;
var done = true;
for (var i = pos; i < digits.length; i++) {
var digit = digits[i];
var digitBase = from * carry + digit;
if (!Number.isSafeInteger(digitBase) ||
(from * carry) / from !== carry ||
digitBase - digit !== from * carry) {
throw new Error('convertRadix: carry overflow');
}
carry = digitBase % to;
digits[i] = Math.floor(digitBase / to);
if (!Number.isSafeInteger(digits[i]) || digits[i] * to + carry !== digitBase)
throw new Error('convertRadix: carry overflow');
if (!done)
continue;
else if (!digits[i])
pos = i;
else
done = false;
}
res.push(carry);
if (done)
break;
}
for (var i = 0; i < data.length - 1 && data[i] === 0; i++)
res.push(0);
return res.reverse();
}
var gcd = function (a, b) { return (!b ? a : gcd(b, a % b)); };
var radix2carry = function (from, to) { return from + (to - gcd(from, to)); };
// BigInt is 5x slower
function convertRadix2(data, from, to, padding) {
if (!Array.isArray(data))
throw new Error('convertRadix2: data should be array');
if (from <= 0 || from > 32)
throw new Error("convertRadix2: wrong from=".concat(from));
if (to <= 0 || to > 32)
throw new Error("convertRadix2: wrong to=".concat(to));
if (radix2carry(from, to) > 32) {
throw new Error("convertRadix2: carry overflow from=".concat(from, " to=").concat(to, " carryBits=").concat(radix2carry(from, to)));
}
var carry = 0;
var pos = 0; // bitwise position in current element
var mask = Math.pow(2, to) - 1;
var res = [];
for (var _i = 0, data_2 = data; _i < data_2.length; _i++) {
var n = data_2[_i];
assertNumber(n);
if (n >= Math.pow(2, from))
throw new Error("convertRadix2: invalid data word=".concat(n, " from=").concat(from));
carry = (carry << from) | n;
if (pos + from > 32)
throw new Error("convertRadix2: carry overflow pos=".concat(pos, " from=").concat(from));
pos += from;
for (; pos >= to; pos -= to)
res.push(((carry >> (pos - to)) & mask) >>> 0);
carry &= Math.pow(2, pos) - 1; // clean carry, otherwise it will cause overflow
}
carry = (carry << (to - pos)) & mask;
if (!padding && pos >= from)
throw new Error('Excess padding');
if (!padding && carry)
throw new Error("Non-zero padding: ".concat(carry));
if (padding && pos > 0)
res.push(carry >>> 0);
return res;
}
function radix(num) {
assertNumber(num);
return {
encode: function (bytes) {
if (!(bytes instanceof Uint8Array))
throw new Error('radix.encode input should be Uint8Array');
return convertRadix(Array.from(bytes), Math.pow(2, 8), num);
},
decode: function (digits) {
if (!Array.isArray(digits) || (digits.length && typeof digits[0] !== 'number'))
throw new Error('radix.decode input should be array of strings');
return Uint8Array.from(convertRadix(digits, num, Math.pow(2, 8)));
},
};
}
// If both bases are power of same number (like `2**8 <-> 2**64`),
// there is a linear algorithm. For now we have implementation for power-of-two bases only
function radix2(bits, revPadding) {
if (revPadding === void 0) { revPadding = false; }
assertNumber(bits);
if (bits <= 0 || bits > 32)
throw new Error('radix2: bits should be in (0..32]');
if (radix2carry(8, bits) > 32 || radix2carry(bits, 8) > 32)
throw new Error('radix2: carry overflow');
return {
encode: function (bytes) {
if (!(bytes instanceof Uint8Array))
throw new Error('radix2.encode input should be Uint8Array');
return convertRadix2(Array.from(bytes), 8, bits, !revPadding);
},
decode: function (digits) {
if (!Array.isArray(digits) || (digits.length && typeof digits[0] !== 'number'))
throw new Error('radix2.decode input should be array of strings');
return Uint8Array.from(convertRadix2(digits, bits, 8, revPadding));
},
};
}
function unsafeWrapper(fn) {
if (typeof fn !== 'function')
throw new Error('unsafeWrapper fn should be function');
return function () {
var args = [];
for (var _i = 0; _i < arguments.length; _i++) {
args[_i] = arguments[_i];
}
try {
return fn.apply(null, args);
}
catch (e) { }
};
}
function checksum(len, fn) {
assertNumber(len);
if (typeof fn !== 'function')
throw new Error('checksum fn should be function');
return {
encode: function (data) {
if (!(data instanceof Uint8Array))
throw new Error('checksum.encode: input should be Uint8Array');
var checksum = fn(data).slice(0, len);
var res = new Uint8Array(data.length + len);
res.set(data);
res.set(checksum, data.length);
return res;
},
decode: function (data) {
if (!(data instanceof Uint8Array))
throw new Error('checksum.decode: input should be Uint8Array');
var payload = data.slice(0, -len);
var newChecksum = fn(payload).slice(0, len);
var oldChecksum = data.slice(-len);
for (var i = 0; i < len; i++)
if (newChecksum[i] !== oldChecksum[i])
throw new Error('Invalid checksum');
return payload;
},
};
}
base.utils = { alphabet: alphabet, chain: chain, checksum: checksum, radix: radix, radix2: radix2, join: join, padding: padding };
// RFC 4648 aka RFC 3548
// ---------------------
base.base16 = chain(radix2(4), alphabet('0123456789ABCDEF'), join(''));
base.base32 = chain(radix2(5), alphabet('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'), padding(5), join(''));
base.base32hex = chain(radix2(5), alphabet('0123456789ABCDEFGHIJKLMNOPQRSTUV'), padding(5), join(''));
base.base32crockford = chain(radix2(5), alphabet('0123456789ABCDEFGHJKMNPQRSTVWXYZ'), join(''), normalize(function (s) { return s.toUpperCase().replace(/O/g, '0').replace(/[IL]/g, '1'); }));
base.base64 = chain(radix2(6), alphabet('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'), padding(6), join(''));
base.base64url = chain(radix2(6), alphabet('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'), padding(6), join(''));
// base58 code
// -----------
var genBase58 = function (abc) { return chain(radix(58), alphabet(abc), join('')); };
base.base58 = genBase58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz');
base.base58flickr = genBase58('123456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ');
base.base58xrp = genBase58('rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz');
// xmr ver is done in 8-byte blocks (which equals 11 chars in decoding). Last (non-full) block padded with '1' to size in XMR_BLOCK_LEN.
// Block encoding significantly reduces quadratic complexity of base58.
// Data len (index) -> encoded block len
var XMR_BLOCK_LEN = [0, 2, 3, 5, 6, 7, 9, 10, 11];
base.base58xmr = {
encode: function (data) {
var res = '';
for (var i = 0; i < data.length; i += 8) {
var block = data.subarray(i, i + 8);
res += base.base58.encode(block).padStart(XMR_BLOCK_LEN[block.length], '1');
}
return res;
},
decode: function (str) {
var res = [];
for (var i = 0; i < str.length; i += 11) {
var slice = str.slice(i, i + 11);
var blockLen = XMR_BLOCK_LEN.indexOf(slice.length);
var block = base.base58.decode(slice);
for (var j = 0; j < block.length - blockLen; j++) {
if (block[j] !== 0)
throw new Error('base58xmr: wrong padding');
}
res = res.concat(Array.from(block.slice(block.length - blockLen)));
}
return Uint8Array.from(res);
},
};
var base58check = function (sha256) {
return chain(checksum(4, function (data) { return sha256(sha256(data)); }), base.base58);
};
base.base58check = base58check;
var BECH_ALPHABET = chain(alphabet('qpzry9x8gf2tvdw0s3jn54khce6mua7l'), join(''));
var POLYMOD_GENERATORS = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
function bech32Polymod(pre) {
var b = pre >> 25;
var chk = (pre & 0x1ffffff) << 5;
for (var i = 0; i < POLYMOD_GENERATORS.length; i++) {
if (((b >> i) & 1) === 1)
chk ^= POLYMOD_GENERATORS[i];
}
return chk;
}
function bechChecksum(prefix, words, encodingConst) {
if (encodingConst === void 0) { encodingConst = 1; }
var len = prefix.length;
var chk = 1;
for (var i = 0; i < len; i++) {
var c = prefix.charCodeAt(i);
if (c < 33 || c > 126)
throw new Error("Invalid prefix (".concat(prefix, ")"));
chk = bech32Polymod(chk) ^ (c >> 5);
}
chk = bech32Polymod(chk);
for (var i = 0; i < len; i++)
chk = bech32Polymod(chk) ^ (prefix.charCodeAt(i) & 0x1f);
for (var _i = 0, words_1 = words; _i < words_1.length; _i++) {
var v = words_1[_i];
chk = bech32Polymod(chk) ^ v;
}
for (var i = 0; i < 6; i++)
chk = bech32Polymod(chk);
chk ^= encodingConst;
return BECH_ALPHABET.encode(convertRadix2([chk % Math.pow(2, 30)], 30, 5, false));
}
function genBech32(encoding) {
var ENCODING_CONST = encoding === 'bech32' ? 1 : 0x2bc830a3;
var _words = radix2(5);
var fromWords = _words.decode;
var toWords = _words.encode;
var fromWordsUnsafe = unsafeWrapper(fromWords);
function encode(prefix, words, limit) {
if (limit === void 0) { limit = 90; }
if (typeof prefix !== 'string')
throw new Error("bech32.encode prefix should be string, not ".concat(typeof prefix));
if (!Array.isArray(words) || (words.length && typeof words[0] !== 'number'))
throw new Error("bech32.encode words should be array of numbers, not ".concat(typeof words));
var actualLength = prefix.length + 7 + words.length;
if (limit !== false && actualLength > limit)
throw new TypeError("Length ".concat(actualLength, " exceeds limit ").concat(limit));
prefix = prefix.toLowerCase();
return "".concat(prefix, "1").concat(BECH_ALPHABET.encode(words)).concat(bechChecksum(prefix, words, ENCODING_CONST));
}
function decode(str, limit) {
if (limit === void 0) { limit = 90; }
if (typeof str !== 'string')
throw new Error("bech32.decode input should be string, not ".concat(typeof str));
if (str.length < 8 || (limit !== false && str.length > limit))
throw new TypeError("Wrong string length: ".concat(str.length, " (").concat(str, "). Expected (8..").concat(limit, ")"));
// don't allow mixed case
var lowered = str.toLowerCase();
if (str !== lowered && str !== str.toUpperCase())
throw new Error("String must be lowercase or uppercase");
str = lowered;
var sepIndex = str.lastIndexOf('1');
if (sepIndex === 0 || sepIndex === -1)
throw new Error("Letter \"1\" must be present between prefix and data only");
var prefix = str.slice(0, sepIndex);
var _words = str.slice(sepIndex + 1);
if (_words.length < 6)
throw new Error('Data must be at least 6 characters long');
var words = BECH_ALPHABET.decode(_words).slice(0, -6);
var sum = bechChecksum(prefix, words, ENCODING_CONST);
if (!_words.endsWith(sum))
throw new Error("Invalid checksum in ".concat(str, ": expected \"").concat(sum, "\""));
return { prefix: prefix, words: words };
}
var decodeUnsafe = unsafeWrapper(decode);
function decodeToBytes(str) {
var _a = decode(str, false), prefix = _a.prefix, words = _a.words;
return { prefix: prefix, words: words, bytes: fromWords(words) };
}
return { encode: encode, decode: decode, decodeToBytes: decodeToBytes, decodeUnsafe: decodeUnsafe, fromWords: fromWords, fromWordsUnsafe: fromWordsUnsafe, toWords: toWords };
}
base.bech32 = genBech32('bech32');
base.bech32m = genBech32('bech32m');
base.utf8 = {
encode: function (data) { return new TextDecoder().decode(data); },
decode: function (str) { return new TextEncoder().encode(str); },
};
base.hex = chain(radix2(4), alphabet('0123456789abcdef'), join(''), normalize(function (s) {
if (typeof s !== 'string' || s.length % 2)
throw new TypeError("hex.decode: expected string, got ".concat(typeof s, " with length ").concat(s.length));
return s.toLowerCase();
}));
// prettier-ignore
var CODERS = {
utf8: base.utf8,
hex: base.hex,
base16: base.base16,
base32: base.base32,
base64: base.base64,
base64url: base.base64url,
base58: base.base58,
base58xmr: base.base58xmr
};
var coderTypeError = "Invalid encoding type. Available types: ".concat(Object.keys(CODERS).join(', '));
var bytesToString = function (type, bytes) {
if (typeof type !== 'string' || !CODERS.hasOwnProperty(type))
throw new TypeError(coderTypeError);
if (!(bytes instanceof Uint8Array))
throw new TypeError('bytesToString() expects Uint8Array');
return CODERS[type].encode(bytes);
};
base.bytesToString = bytesToString;
base.str = base.bytesToString; // as in python, but for bytes only
var stringToBytes = function (type, str) {
if (!CODERS.hasOwnProperty(type))
throw new TypeError(coderTypeError);
if (typeof str !== 'string')
throw new TypeError('stringToBytes() expects string');
return CODERS[type].decode(str);
};
base.stringToBytes = stringToBytes;
base.bytes = base.stringToBytes;
/****
*
*
START OF SECP AND SCHNORR SECTION
*
*
*****/
const _nodeResolve_empty = {};
const nodeCrypto = /*#__PURE__*/Object.freeze({
__proto__: null,
'default': _nodeResolve_empty
});
/*! noble-secp256k1 - MIT License (c) 2019 Paul Miller (paulmillr.com) */
var _0n = BigInt(0);
var _1n = BigInt(1);
var _2n = BigInt(2);
var _3n = BigInt(3);
var _8n = BigInt(8);
const CURVE = Object.freeze({
a: _0n,
b: BigInt(7),
P: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
n: BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'),
h: _1n,
Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
});
function weistrass(x) {
const { a, b } = CURVE;
const x2 = mod(x * x);
const x3 = mod(x2 * x);
return mod(x3 + a * x + b);
}
const USE_ENDOMORPHISM = CURVE.a === _0n;
class ShaError extends Error {
constructor(message) {
super(message);
}
}
class JacobianPoint {
constructor(x, y, z) {
this.x = x;
this.y = y;
this.z = z;
}
static fromAffine(p) {
if (!(p instanceof Point)) {
throw new TypeError('JacobianPoint#fromAffine: expected Point');
}
return new JacobianPoint(p.x, p.y, _1n);
}
static toAffineBatch(points) {
const toInv = invertBatch(points.map((p) => p.z));
return points.map((p, i) => p.toAffine(toInv[i]));
}
static normalizeZ(points) {
return JacobianPoint.toAffineBatch(points).map(JacobianPoint.fromAffine);
}
equals(other) {
if (!(other instanceof JacobianPoint))
throw new TypeError('JacobianPoint expected');
const { x: X1, y: Y1, z: Z1 } = this;
const { x: X2, y: Y2, z: Z2 } = other;
const Z1Z1 = mod(Z1 * Z1);
const Z2Z2 = mod(Z2 * Z2);
const U1 = mod(X1 * Z2Z2);
const U2 = mod(X2 * Z1Z1);
const S1 = mod(mod(Y1 * Z2) * Z2Z2);
const S2 = mod(mod(Y2 * Z1) * Z1Z1);
return U1 === U2 && S1 === S2;
}
negate() {
return new JacobianPoint(this.x, mod(-this.y), this.z);
}
double() {
const { x: X1, y: Y1, z: Z1 } = this;
const A = mod(X1 * X1);
const B = mod(Y1 * Y1);
const C = mod(B * B);
const x1b = X1 + B;
const D = mod(_2n * (mod(x1b * x1b) - A - C));
const E = mod(_3n * A);
const F = mod(E * E);
const X3 = mod(F - _2n * D);
const Y3 = mod(E * (D - X3) - _8n * C);
const Z3 = mod(_2n * Y1 * Z1);
return new JacobianPoint(X3, Y3, Z3);
}
add(other) {
if (!(other instanceof JacobianPoint))
throw new TypeError('JacobianPoint expected');
const { x: X1, y: Y1, z: Z1 } = this;
const { x: X2, y: Y2, z: Z2 } = other;
if (X2 === _0n || Y2 === _0n)
return this;
if (X1 === _0n || Y1 === _0n)
return other;
const Z1Z1 = mod(Z1 * Z1);
const Z2Z2 = mod(Z2 * Z2);
const U1 = mod(X1 * Z2Z2);
const U2 = mod(X2 * Z1Z1);
const S1 = mod(mod(Y1 * Z2) * Z2Z2);
const S2 = mod(mod(Y2 * Z1) * Z1Z1);
const H = mod(U2 - U1);
const r = mod(S2 - S1);
if (H === _0n) {
if (r === _0n) {
return this.double();
}
else {
return JacobianPoint.ZERO;
}
}
const HH = mod(H * H);
const HHH = mod(H * HH);
const V = mod(U1 * HH);
const X3 = mod(r * r - HHH - _2n * V);
const Y3 = mod(r * (V - X3) - S1 * HHH);
const Z3 = mod(Z1 * Z2 * H);
return new JacobianPoint(X3, Y3, Z3);
}
subtract(other) {
return this.add(other.negate());
}
multiplyUnsafe(scalar) {
const P0 = JacobianPoint.ZERO;
if (typeof scalar === 'bigint' && scalar === _0n)
return P0;
let n = normalizeScalar(scalar);
if (n === _1n)
return this;
if (!USE_ENDOMORPHISM) {
let p = P0;
let d = this;
while (n > _0n) {
if (n & _1n)
p = p.add(d);
d = d.double();
n >>= _1n;
}
return p;
}
let { k1neg, k1, k2neg, k2 } = splitScalarEndo(n);
let k1p = P0;
let k2p = P0;
let d = this;
while (k1 > _0n || k2 > _0n) {
if (k1 & _1n)
k1p = k1p.add(d);
if (k2 & _1n)
k2p = k2p.add(d);
d = d.double();
k1 >>= _1n;
k2 >>= _1n;
}
if (k1neg)
k1p = k1p.negate();
if (k2neg)
k2p = k2p.negate();
k2p = new JacobianPoint(mod(k2p.x * CURVE.beta), k2p.y, k2p.z);
return k1p.add(k2p);
}
precomputeWindow(W) {
const windows = USE_ENDOMORPHISM ? 128 / W + 1 : 256 / W + 1;
const points = [];
let p = this;
let base = p;
for (let window = 0; window < windows; window++) {
base = p;
points.push(base);
for (let i = 1; i < 2 ** (W - 1); i++) {
base = base.add(p);
points.push(base);
}
p = base.double();
}
return points;
}
wNAF(n, affinePoint) {
if (!affinePoint && this.equals(JacobianPoint.BASE))
affinePoint = Point.BASE;
const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
if (256 % W) {
throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
}
let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
if (!precomputes) {
precomputes = this.precomputeWindow(W);
if (affinePoint && W !== 1) {
precomputes = JacobianPoint.normalizeZ(precomputes);
pointPrecomputes.set(affinePoint, precomputes);
}
}
let p = JacobianPoint.ZERO;
let f = JacobianPoint.ZERO;
const windows = 1 + (USE_ENDOMORPHISM ? 128 / W : 256 / W);
const windowSize = 2 ** (W - 1);
const mask = BigInt(2 ** W - 1);
const maxNumber = 2 ** W;
const shiftBy = BigInt(W);
for (let window = 0; window < windows; window++) {
const offset = window * windowSize;
let wbits = Number(n & mask);
n >>= shiftBy;
if (wbits > windowSize) {
wbits -= maxNumber;
n += _1n;
}
if (wbits === 0) {
let pr = precomputes[offset];
if (window % 2)
pr = pr.negate();
f = f.add(pr);
}
else {
let cached = precomputes[offset + Math.abs(wbits) - 1];
if (wbits < 0)
cached = cached.negate();
p = p.add(cached);
}
}
return { p, f };
}
multiply(scalar, affinePoint) {
let n = normalizeScalar(scalar);
let point;
let fake;
if (USE_ENDOMORPHISM) {
const { k1neg, k1, k2neg, k2 } = splitScalarEndo(n);
let { p: k1p, f: f1p } = this.wNAF(k1, affinePoint);
let { p: k2p, f: f2p } = this.wNAF(k2, affinePoint);
if (k1neg)
k1p = k1p.negate();
if (k2neg)
k2p = k2p.negate();
k2p = new JacobianPoint(mod(k2p.x * CURVE.beta), k2p.y, k2p.z);
point = k1p.add(k2p);
fake = f1p.add(f2p);
}
else {
const { p, f } = this.wNAF(n, affinePoint);
point = p;
fake = f;
}
return JacobianPoint.normalizeZ([point, fake])[0];
}
toAffine(invZ = invert(this.z)) {
const { x, y, z } = this;
const iz1 = invZ;
const iz2 = mod(iz1 * iz1);
const iz3 = mod(iz2 * iz1);
const ax = mod(x * iz2);
const ay = mod(y * iz3);
const zz = mod(z * iz1);
if (zz !== _1n)
throw new Error('invZ was invalid');
return new Point(ax, ay);
}
}
JacobianPoint.BASE = new JacobianPoint(CURVE.Gx, CURVE.Gy, _1n);
JacobianPoint.ZERO = new JacobianPoint(_0n, _1n, _0n);
const pointPrecomputes = new WeakMap();
class Point {
constructor(x, y) {
this.x = x;
this.y = y;
}
_setWindowSize(windowSize) {
this._WINDOW_SIZE = windowSize;
pointPrecomputes.delete(this);
}
hasEvenY() {
return this.y % _2n === _0n;
}
static fromCompressedHex(bytes) {
const isShort = bytes.length === 32;
const x = bytesToNumber(isShort ? bytes : bytes.subarray(1));
if (!isValidFieldElement(x))
throw new Error('Point is not on curve');
const y2 = weistrass(x);
let y = sqrtMod(y2);
const isYOdd = (y & _1n) === _1n;
if (isShort) {
if (isYOdd)
y = mod(-y);
}
else {
const isFirstByteOdd = (bytes[0] & 1) === 1;
if (isFirstByteOdd !== isYOdd)
y = mod(-y);
}
const point = new Point(x, y);
point.assertValidity();
return point;
}
static fromUncompressedHex(bytes) {
const x = bytesToNumber(bytes.subarray(1, 33));
const y = bytesToNumber(bytes.subarray(33, 65));
const point = new Point(x, y);
point.assertValidity();
return point;
}
static fromHex(hex) {
const bytes = ensureBytes(hex);
const len = bytes.length;
const header = bytes[0];
if (len === 32 || (len === 33 && (header === 0x02 || header === 0x03))) {
return this.fromCompressedHex(bytes);
}
if (len === 65 && header === 0x04)
return this.fromUncompressedHex(bytes);
throw new Error(`Point.fromHex: received invalid point. Expected 32-33 compressed bytes or 65 uncompressed bytes, not ${len}`);
}
static fromPrivateKey(privateKey) {
return Point.BASE.multiply(normalizePrivateKey(privateKey));
}
static fromSignature(msgHash, signature, recovery) {
msgHash = ensureBytes(msgHash);
const h = truncateHash(msgHash);
const { r, s } = normalizeSignature(signature);
if (recovery !== 0 && recovery !== 1) {
throw new Error('Cannot recover signature: invalid recovery bit');
}
const prefix = recovery & 1 ? '03' : '02';
const R = Point.fromHex(prefix + numTo32bStr(r));
const { n } = CURVE;
const rinv = invert(r, n);
const u1 = mod(-h * rinv, n);
const u2 = mod(s * rinv, n);
const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2);
if (!Q)
throw new Error('Cannot recover signature: point at infinify');
Q.assertValidity();
return Q;
}
toRawBytes(isCompressed = false) {
return hexToBytes(this.toHex(isCompressed));
}
toHex(isCompressed = false) {
const x = numTo32bStr(this.x);
if (isCompressed) {
const prefix = this.hasEvenY() ? '02' : '03';
return `${prefix}${x}`;
}
else {
return `04${x}${numTo32bStr(this.y)}`;
}
}
toHexX() {
return this.toHex(true).slice(2);
}
toRawX() {
return this.toRawBytes(true).slice(1);
}
assertValidity() {
const msg = 'Point is not on elliptic curve';
const { x, y } = this;
if (!isValidFieldElement(x) || !isValidFieldElement(y))
throw new Error(msg);
const left = mod(y * y);
const right = weistrass(x);
if (mod(left - right) !== _0n)
throw new Error(msg);
}
equals(other) {
return this.x === other.x && this.y === other.y;
}
negate() {
return new Point(this.x, mod(-this.y));
}
double() {
return JacobianPoint.fromAffine(this).double().toAffine();
}
add(other) {
return JacobianPoint.fromAffine(this).add(JacobianPoint.fromAffine(other)).toAffine();
}
subtract(other) {
return this.add(other.negate());
}
multiply(scalar) {
return JacobianPoint.fromAffine(this).multiply(scalar, this).toAffine();
}
multiplyAndAddUnsafe(Q, a, b) {
const P = JacobianPoint.fromAffine(this);
const aP = a === _0n || a === _1n || this !== Point.BASE ? P.multiplyUnsafe(a) : P.multiply(a);
const bQ = JacobianPoint.fromAffine(Q).multiplyUnsafe(b);
const sum = aP.add(bQ);
return sum.equals(JacobianPoint.ZERO) ? undefined : sum.toAffine();
}
}
Point.BASE = new Point(CURVE.Gx, CURVE.Gy);
Point.ZERO = new Point(_0n, _0n);
function sliceDER(s) {
return Number.parseInt(s[0], 16) >= 8 ? '00' + s : s;
}
function parseDERInt(data) {
if (data.length < 2 || data[0] !== 0x02) {
throw new Error(`Invalid signature integer tag: ${bytesToHex(data)}`);
}
const len = data[1];
const res = data.subarray(2, len + 2);
if (!len || res.length !== len) {
throw new Error(`Invalid signature integer: wrong length`);
}
if (res[0] === 0x00 && res[1] <= 0x7f) {
throw new Error('Invalid signature integer: trailing length');
}
return { data: bytesToNumber(res), left: data.subarray(len + 2) };
}
function parseDERSignature(data) {
if (data.length < 2 || data[0] != 0x30) {
throw new Error(`Invalid signature tag: ${bytesToHex(data)}`);
}
if (data[1] !== data.length - 2) {
throw new Error('Invalid signature: incorrect length');
}
const { data: r, left: sBytes } = parseDERInt(data.subarray(2));
const { data: s, left: rBytesLeft } = parseDERInt(sBytes);
if (rBytesLeft.length) {
throw new Error(`Invalid signature: left bytes after parsing: ${bytesToHex(rBytesLeft)}`);
}
return { r, s };
}
class Signature {
constructor(r, s) {
this.r = r;
this.s = s;
this.assertValidity();
}
static fromCompact(hex) {
const arr = hex instanceof Uint8Array;
const name = 'Signature.fromCompact';
if (typeof hex !== 'string' && !arr)
throw new TypeError(`${name}: Expected string or Uint8Array`);
const str = arr ? bytesToHex(hex) : hex;
if (str.length !== 128)
throw new Error(`${name}: Expected 64-byte hex`);
return new Signature(hexToNumber(str.slice(0, 64)), hexToNumber(str.slice(64, 128)));
}
static fromDER(hex) {
const arr = hex instanceof Uint8Array;
if (typeof hex !== 'string' && !arr)
throw new TypeError(`Signature.fromDER: Expected string or Uint8Array`);
const { r, s } = parseDERSignature(arr ? hex : hexToBytes(hex));
return new Signature(r, s);
}
static fromHex(hex) {
return this.fromDER(hex);
}
assertValidity() {
const { r, s } = this;
if (!isWithinCurveOrder(r))
throw new Error('Invalid Signature: r must be 0 < r < n');
if (!isWithinCurveOrder(s))
throw new Error('Invalid Signature: s must be 0 < s < n');
}
hasHighS() {
const HALF = CURVE.n >> _1n;
return this.s > HALF;
}
normalizeS() {
return this.hasHighS() ? new Signature(this.r, CURVE.n - this.s) : this;
}
toDERRawBytes(isCompressed = false) {
return hexToBytes(this.toDERHex(isCompressed));
}
toDERHex(isCompressed = false) {
const sHex = sliceDER(numberToHexUnpadded(this.s));
if (isCompressed)
return sHex;
const rHex = sliceDER(numberToHexUnpadded(this.r));
const rLen = numberToHexUnpadded(rHex.length / 2);
const sLen = numberToHexUnpadded(sHex.length / 2);
const length = numberToHexUnpadded(rHex.length / 2 + sHex.length / 2 + 4);
return `30${length}02${rLen}${rHex}02${sLen}${sHex}`;
}
toRawBytes() {
return this.toDERRawBytes();
}
toHex() {
return this.toDERHex();
}
toCompactRawBytes() {
return hexToBytes(this.toCompactHex());
}
toCompactHex() {
return numTo32bStr(this.r) + numTo32bStr(this.s);
}
}
function concatBytes(...arrays) {
if (!arrays.every((b) => b instanceof Uint8Array))
throw new Error('Uint8Array list expected');
if (arrays.length === 1)
return arrays[0];
const length = arrays.reduce((a, arr) => a + arr.length, 0);
const result = new Uint8Array(length);
for (let i = 0, pad = 0; i < arrays.length; i++) {
const arr = arrays[i];
result.set(arr, pad);
pad += arr.length;
}
return result;
}
var hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
function bytesToHex(uint8a) {
if (!(uint8a instanceof Uint8Array))
throw new Error('Expected Uint8Array');
let hex = '';
for (let i = 0; i < uint8a.length; i++) {
hex += hexes[uint8a[i]];
}
return hex;
}
secp.bytesToHex = bytesToHex
const POW_2_256 = BigInt('0x10000000000000000000000000000000000000000000000000000000000000000');
function numTo32bStr(num) {
if (typeof num !== 'bigint')
throw new Error('Expected bigint');
if (!(_0n <= num && num < POW_2_256))
throw new Error('Expected number < 2^256');
return num.toString(16).padStart(64, '0');
}
function numTo32b(num) {
const b = hexToBytes(numTo32bStr(num));
if (b.length !== 32)
throw new Error('Error: expected 32 bytes');
return b;
}
function numberToHexUnpadded(num) {
const hex = num.toString(16);
return hex.length & 1 ? `0${hex}` : hex;
}
function hexToNumber(hex) {
if (typeof hex !== 'string') {
throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
}
return BigInt(`0x${hex}`);
}
secp.hexToNumber = hexToNumber;
function hexToBytes(hex) {
if (typeof hex !== 'string') {
throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
}
if (hex.length % 2)
throw new Error('hexToBytes: received invalid unpadded hex' + hex.length);
const array = new Uint8Array(hex.length / 2);
for (let i = 0; i < array.length; i++) {
const j = i * 2;
const hexByte = hex.slice(j, j + 2);
const byte = Number.parseInt(hexByte, 16);
if (Number.isNaN(byte) || byte < 0)
throw new Error('Invalid byte sequence');
array[i] = byte;
}
return array;
}
secp.hexToBytes = hexToBytes;
function bytesToNumber(bytes) {
return hexToNumber(bytesToHex(bytes));
}
secp.bytesToNumber = bytesToNumber;
function ensureBytes(hex) {
return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes(hex);
}
function normalizeScalar(num) {
if (typeof num === 'number' && Number.isSafeInteger(num) && num > 0)
return BigInt(num);
if (typeof num === 'bigint' && isWithinCurveOrder(num))
return num;
throw new TypeError('Expected valid private scalar: 0 < scalar < curve.n');
}
function mod(a, b = CURVE.P) {
const result = a % b;
return result >= _0n ? result : b + result;
}
function pow2(x, power) {
const { P } = CURVE;
let res = x;
while (power-- > _0n) {
res *= res;
res %= P;
}
return res;
}
function sqrtMod(x) {
const { P } = CURVE;
const _6n = BigInt(6);
const _11n = BigInt(11);
const _22n = BigInt(22);
const _23n = BigInt(23);
const _44n = BigInt(44);
const _88n = BigInt(88);
const b2 = (x * x * x) % P;
const b3 = (b2 * b2 * x) % P;
const b6 = (pow2(b3, _3n) * b3) % P;
const b9 = (pow2(b6, _3n) * b3) % P;
const b11 = (pow2(b9, _2n) * b2) % P;
const b22 = (pow2(b11, _11n) * b11) % P;
const b44 = (pow2(b22, _22n) * b22) % P;
const b88 = (pow2(b44, _44n) * b44) % P;
const b176 = (pow2(b88, _88n) * b88) % P;
const b220 = (pow2(b176, _44n) * b44) % P;
const b223 = (pow2(b220, _3n) * b3) % P;
const t1 = (pow2(b223, _23n) * b22) % P;
const t2 = (pow2(t1, _6n) * b2) % P;
return pow2(t2, _2n);
}
function invert(number, modulo = CURVE.P) {
if (number === _0n || modulo <= _0n) {
throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
}
let a = mod(number, modulo);
let b = modulo;
let x = _0n, u = _1n;
while (a !== _0n) {
const q = b / a;
const r = b % a;
const m = x - u * q;
b = a, a = r, x = u, u = m;
}
const gcd = b;
if (gcd !== _1n)
throw new Error('invert: does not exist');
return mod(x, modulo);
}
function invertBatch(nums, p = CURVE.P) {
const scratch = new Array(nums.length);
const lastMultiplied = nums.reduce((acc, num, i) => {
if (num === _0n)
return acc;
scratch[i] = acc;
return mod(acc * num, p);
}, _1n);
const inverted = invert(lastMultiplied, p);
nums.reduceRight((acc, num, i) => {
if (num === _0n)
return acc;
scratch[i] = mod(acc * scratch[i], p);
return mod(acc * num, p);
}, inverted);
return scratch;
}
const divNearest = (a, b) => (a + b / _2n) / b;
const ENDO = {
a1: BigInt('0x3086d221a7d46bcde86c90e49284eb15'),
b1: -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3'),
a2: BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8'),
b2: BigInt('0x3086d221a7d46bcde86c90e49284eb15'),
POW_2_128: BigInt('0x100000000000000000000000000000000'),
};
function splitScalarEndo(k) {
const { n } = CURVE;
const { a1, b1, a2, b2, POW_2_128 } = ENDO;
const c1 = divNearest(b2 * k, n);
const c2 = divNearest(-b1 * k, n);
let k1 = mod(k - c1 * a1 - c2 * a2, n);
let k2 = mod(-c1 * b1 - c2 * b2, n);
const k1neg = k1 > POW_2_128;
const k2neg = k2 > POW_2_128;
if (k1neg)
k1 = n - k1;
if (k2neg)
k2 = n - k2;
if (k1 > POW_2_128 || k2 > POW_2_128) {
throw new Error('splitScalarEndo: Endomorphism failed, k=' + k);
}
return { k1neg, k1, k2neg, k2 };
}
function truncateHash(hash) {
const { n } = CURVE;
const byteLength = hash.length;
const delta = byteLength * 8 - 256;
let h = bytesToNumber(hash);
if (delta > 0)
h = h >> BigInt(delta);
if (h >= n)
h -= n;
return h;
}
let _sha256Sync;
let _hmacSha256Sync;
class HmacDrbg {
constructor() {
this.v = new Uint8Array(32).fill(1);
this.k = new Uint8Array(32).fill(0);
this.counter = 0;
}
hmac(...values) {
return utils.hmacSha256(this.k, ...values);
}
hmacSync(...values) {
return _hmacSha256Sync(this.k, ...values);
}
checkSync() {
if (typeof _hmacSha256Sync !== 'function')
throw new ShaError('hmacSha256Sync needs to be set');
}
incr() {
if (this.counter >= 1000)
throw new Error('Tried 1,000 k values for sign(), all were invalid');
this.counter += 1;
}
async reseed(seed = new Uint8Array()) {
this.k = await this.hmac(this.v, Uint8Array.from([0x00]), seed);
this.v = await this.hmac(this.v);
if (seed.length === 0)
return;
this.k = await this.hmac(this.v, Uint8Array.from([0x01]), seed);
this.v = await this.hmac(this.v);
}
reseedSync(seed = new Uint8Array()) {
this.checkSync();
this.k = this.hmacSync(this.v, Uint8Array.from([0x00]), seed);
this.v = this.hmacSync(this.v);
if (seed.length === 0)
return;
this.k = this.hmacSync(this.v, Uint8Array.from([0x01]), seed);
this.v = this.hmacSync(this.v);
}
async generate() {
this.incr();
this.v = await this.hmac(this.v);
return this.v;
}
generateSync() {
this.checkSync();
this.incr();
this.v = this.hmacSync(this.v);
return this.v;
}
}
function isWithinCurveOrder(num) {
return _0n < num && num < CURVE.n;
}
function isValidFieldElement(num) {
return _0n < num && num < CURVE.P;
}
function kmdToSig(kBytes, m, d) {
const k = bytesToNumber(kBytes);
if (!isWithinCurveOrder(k))
return;
const { n } = CURVE;
const q = Point.BASE.multiply(k);
const r = mod(q.x, n);
if (r === _0n)
return;
const s = mod(invert(k, n) * mod(m + d * r, n), n);
if (s === _0n)
return;
const sig = new Signature(r, s);
const recovery = (q.x === sig.r ? 0 : 2) | Number(q.y & _1n);
return { sig, recovery };
}
function normalizePrivateKey(key) {
let num;
if (typeof key === 'bigint') {
num = key;
}
else if (typeof key === 'number' && Number.isSafeInteger(key) && key > 0) {
num = BigInt(key);
}
else if (typeof key === 'string') {
if (key.length !== 64)
throw new Error('Expected 32 bytes of private key');
num = hexToNumber(key);
}
else if (key instanceof Uint8Array) {
if (key.length !== 32)
throw new Error('Expected 32 bytes of private key');
num = bytesToNumber(key);
}
else {
throw new TypeError('Expected valid private key');
}
if (!isWithinCurveOrder(num))
throw new Error('Expected private key: 0 < key < n');
return num;
}
function normalizePublicKey(publicKey) {
if (publicKey instanceof Point) {
publicKey.assertValidity();
return publicKey;
}
else {
return Point.fromHex(publicKey);
}
}
function normalizeSignature(signature) {
if (signature instanceof Signature) {
signature.assertValidity();
return signature;
}
try {
return Signature.fromDER(signature);
}
catch (error) {
return Signature.fromCompact(signature);
}
}
function getPublicKey(privateKey, isCompressed = false) {
return Point.fromPrivateKey(privateKey).toRawBytes(isCompressed);
}
function recoverPublicKey(msgHash, signature, recovery, isCompressed = false) {
return Point.fromSignature(msgHash, signature, recovery).toRawBytes(isCompressed);
}
function isProbPub(item) {
const arr = item instanceof Uint8Array;
const str = typeof item === 'string';
const len = (arr || str) && item.length;
if (arr)
return len === 33 || len === 65;
if (str)
return len === 66 || len === 130;
if (item instanceof Point)
return true;
return false;
}
function getSharedSecret(privateA, publicB, isCompressed = false) {
if (isProbPub(privateA))
throw new TypeError('getSharedSecret: first arg must be private key');
if (!isProbPub(publicB))
throw new TypeError('getSharedSecret: second arg must be public key');
const b = normalizePublicKey(publicB);
b.assertValidity();
return b.multiply(normalizePrivateKey(privateA)).toRawBytes(isCompressed);
}
function bits2int(bytes) {
const slice = bytes.length > 32 ? bytes.slice(0, 32) : bytes;
return bytesToNumber(slice);
}
function bits2octets(bytes) {
const z1 = bits2int(bytes);
const z2 = mod(z1, CURVE.n);
return int2octets(z2 < _0n ? z1 : z2);
}
function int2octets(num) {
return numTo32b(num);
}
function initSigArgs(msgHash, privateKey, extraEntropy) {
if (msgHash == null)
throw new Error(`sign: expected valid message hash, not "${msgHash}"`);
const h1 = ensureBytes(msgHash);
const d = normalizePrivateKey(privateKey);
const seedArgs = [int2octets(d), bits2octets(h1)];
if (extraEntropy != null) {
if (extraEntropy === true)
extraEntropy = utils.randomBytes(32);
const e = ensureBytes(extraEntropy);
if (e.length !== 32)
throw new Error('sign: Expected 32 bytes of extra data');
seedArgs.push(e);
}
const seed = concatBytes(...seedArgs);
const m = bits2int(h1);
return { seed, m, d };
}
function finalizeSig(recSig, opts) {
let { sig, recovery } = recSig;
const { canonical, der, recovered } = Object.assign({ canonical: true, der: true }, opts);
if (canonical && sig.hasHighS()) {
sig = sig.normalizeS();
recovery ^= 1;
}
const hashed = der ? sig.toDERRawBytes() : sig.toCompactRawBytes();
return recovered ? [hashed, recovery] : hashed;
}
async function sign(msgHash, privKey, opts = {}) {
const { seed, m, d } = initSigArgs(msgHash, privKey, opts.extraEntropy);
let sig;
const drbg = new HmacDrbg();
await drbg.reseed(seed);
while (!(sig = kmdToSig(await drbg.generate(), m, d)))
await drbg.reseed();
return finalizeSig(sig, opts);
}
function signSync(msgHash, privKey, opts = {}) {
const { seed, m, d } = initSigArgs(msgHash, privKey, opts.extraEntropy);
let sig;
const drbg = new HmacDrbg();
drbg.reseedSync(seed);
while (!(sig = kmdToSig(drbg.generateSync(), m, d)))
drbg.reseedSync();
return finalizeSig(sig, opts);
}
const vopts = { strict: true };
function verify(signature, msgHash, publicKey, opts = vopts) {
let sig;
try {
sig = normalizeSignature(signature);
msgHash = ensureBytes(msgHash);
}
catch (error) {
return false;
}
const { r, s } = sig;
if (opts.strict && sig.hasHighS())
return false;
const h = truncateHash(msgHash);
let P;
try {
P = normalizePublicKey(publicKey);
}
catch (error) {
return false;
}
const { n } = CURVE;
const sinv = invert(s, n);
const u1 = mod(h * sinv, n);
const u2 = mod(r * sinv, n);
const R = Point.BASE.multiplyAndAddUnsafe(P, u1, u2);
if (!R)
return false;
const v = mod(R.x, n);
return v === r;
}
function schnorrChallengeFinalize(ch) {
return mod(bytesToNumber(ch), CURVE.n);
}
class SchnorrSignature {
constructor(r, s) {
this.r = r;
this.s = s;
this.assertValidity();
}
static fromHex(hex) {
const bytes = ensureBytes(hex);
if (bytes.length !== 64)
throw new TypeError(`SchnorrSignature.fromHex: expected 64 bytes, not ${bytes.length}`);
const r = bytesToNumber(bytes.subarray(0, 32));
const s = bytesToNumber(bytes.subarray(32, 64));
return new SchnorrSignature(r, s);
}
assertValidity() {
const { r, s } = this;
if (!isValidFieldElement(r) || !isWithinCurveOrder(s))
throw new Error('Invalid signature');
}
toHex() {
return numTo32bStr(this.r) + numTo32bStr(this.s);
}
toRawBytes() {
return hexToBytes(this.toHex());
}
}
function schnorrGetPublicKey(privateKey) {
return Point.fromPrivateKey(privateKey).toRawX();
}
class InternalSchnorrSignature {
constructor(message, privateKey, auxRand = utils.randomBytes()) {
if (message == null)
throw new TypeError(`sign: Expected valid message, not "${message}"`);
this.m = ensureBytes(message);
const { x, scalar } = this.getScalar(normalizePrivateKey(privateKey));
this.px = x;
this.d = scalar;
this.rand = ensureBytes(auxRand);
if (this.rand.length !== 32)
throw new TypeError('sign: Expected 32 bytes of aux randomness');
}
getScalar(priv) {
const point = Point.fromPrivateKey(priv);
const scalar = point.hasEvenY() ? priv : CURVE.n - priv;
return { point, scalar, x: point.toRawX() };
}
initNonce(d, t0h) {
return numTo32b(d ^ bytesToNumber(t0h));
}
finalizeNonce(k0h) {
const k0 = mod(bytesToNumber(k0h), CURVE.n);
if (k0 === _0n)
throw new Error('sign: Creation of signature failed. k is zero');
const { point: R, x: rx, scalar: k } = this.getScalar(k0);
return { R, rx, k };
}
finalizeSig(R, k, e, d) {
return new SchnorrSignature(R.x, mod(k + e * d, CURVE.n)).toRawBytes();
}
error() {
throw new Error('sign: Invalid signature produced');
}
async calc() {
const { m, d, px, rand } = this;
const tag = utils.taggedHash;
const t = this.initNonce(d, await tag(TAGS.aux, rand));
const { R, rx, k } = this.finalizeNonce(await tag(TAGS.nonce, t, px, m));
const e = schnorrChallengeFinalize(await tag(TAGS.challenge, rx, px, m));
const sig = this.finalizeSig(R, k, e, d);
if (!(await schnorrVerify(sig, m, px)))
this.error();
return sig;
}
calcSync() {
const { m, d, px, rand } = this;
const tag = utils.taggedHashSync;
const t = this.initNonce(d, tag(TAGS.aux, rand));
const { R, rx, k } = this.finalizeNonce(tag(TAGS.nonce, t, px, m));
const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
const sig = this.finalizeSig(R, k, e, d);
if (!schnorrVerifySync(sig, m, px))
this.error();
return sig;
}
}
async function schnorrSign(msg, privKey, auxRand) {
return new InternalSchnorrSignature(msg, privKey, auxRand).calc();
}
function schnorrSignSync(msg, privKey, auxRand) {
return new InternalSchnorrSignature(msg, privKey, auxRand).calcSync();
}
function initSchnorrVerify(signature, message, publicKey) {
const raw = signature instanceof SchnorrSignature;
const sig = raw ? signature : SchnorrSignature.fromHex(signature);
if (raw)
sig.assertValidity();
return {
...sig,
m: ensureBytes(message),
P: normalizePublicKey(publicKey),
};
}
function finalizeSchnorrVerify(r, P, s, e) {
const R = Point.BASE.multiplyAndAddUnsafe(P, normalizePrivateKey(s), mod(-e, CURVE.n));
if (!R || !R.hasEvenY() || R.x !== r)
return false;
return true;
}
async function schnorrVerify(signature, message, publicKey) {
try {
const { r, s, m, P } = initSchnorrVerify(signature, message, publicKey);
const e = schnorrChallengeFinalize(await utils.taggedHash(TAGS.challenge, numTo32b(r), P.toRawX(), m));
return finalizeSchnorrVerify(r, P, s, e);
}
catch (error) {
return false;
}
}
function schnorrVerifySync(signature, message, publicKey) {
try {
const { r, s, m, P } = initSchnorrVerify(signature, message, publicKey);
const e = schnorrChallengeFinalize(utils.taggedHashSync(TAGS.challenge, numTo32b(r), P.toRawX(), m));
return finalizeSchnorrVerify(r, P, s, e);
}
catch (error) {
if (error instanceof ShaError)
throw error;
return false;
}
}
const schnorr = {
Signature: SchnorrSignature,
getPublicKey: schnorrGetPublicKey,
sign: schnorrSign,
verify: schnorrVerify,
signSync: schnorrSignSync,
verifySync: schnorrVerifySync,
};
Point.BASE._setWindowSize(8);
const crypto = {
node: nodeCrypto,
web: typeof self === 'object' && 'crypto' in self ? self.crypto : undefined,
};
const TAGS = {
challenge: 'BIP0340/challenge',
aux: 'BIP0340/aux',
nonce: 'BIP0340/nonce',
};
const TAGGED_HASH_PREFIXES = {};
var utils = {
bytesToHex,
hexToBytes,
randomBytes,
concatBytes,
mod,
invert,
isValidPrivateKey(privateKey) {
try {
normalizePrivateKey(privateKey);
return true;
}
catch (error) {
return false;
}
},
_bigintTo32Bytes: numTo32b,
_normalizePrivateKey: normalizePrivateKey,
hashToPrivateKey: (hash) => {
hash = ensureBytes(hash);
if (hash.length < 40 || hash.length > 1024)
throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
const num = mod(bytesToNumber(hash), CURVE.n - _1n) + _1n;
return numTo32b(num);
},
randomBytes: (bytesLength = 32) => {
if (crypto.web) {
return crypto.web.getRandomValues(new Uint8Array(bytesLength));
}
else if (crypto.node) {
const { randomBytes } = crypto.node;
return Uint8Array.from(randomBytes(bytesLength));
}
else {
throw new Error("The environment doesn't have randomBytes function");
}
},
randomPrivateKey: () => {
return utils.hashToPrivateKey(utils.randomBytes(40));
},
sha256: async (...messages) => {
if (crypto.web) {
const buffer = await crypto.web.subtle.digest('SHA-256', concatBytes(...messages));
return new Uint8Array(buffer);
}
else if (crypto.node) {
const { createHash } = crypto.node;
const hash = createHash('sha256');
messages.forEach((m) => hash.update(m));
return Uint8Array.from(hash.digest());
}
else {
throw new Error("The environment doesn't have sha256 function");
}
},
hmacSha256: async (key, ...messages) => {
if (crypto.web) {
const ckey = await crypto.web.subtle.importKey('raw', key, { name: 'HMAC', hash: { name: 'SHA-256' } }, false, ['sign']);
const message = concatBytes(...messages);
const buffer = await crypto.web.subtle.sign('HMAC', ckey, message);
return new Uint8Array(buffer);
}
else if (crypto.node) {
const { createHmac } = crypto.node;
const hash = createHmac('sha256', key);
messages.forEach((m) => hash.update(m));
return Uint8Array.from(hash.digest());
}
else {
throw new Error("The environment doesn't have hmac-sha256 function");
}
},
sha256Sync: undefined,
hmacSha256Sync: undefined,
taggedHash: async (tag, ...messages) => {
let tagP = TAGGED_HASH_PREFIXES[tag];
if (tagP === undefined) {
const tagH = await utils.sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
tagP = concatBytes(tagH, tagH);
TAGGED_HASH_PREFIXES[tag] = tagP;
}
return utils.sha256(tagP, ...messages);
},
taggedHashSync: (tag, ...messages) => {
if (typeof _sha256Sync !== 'function')
throw new ShaError('sha256Sync is undefined, you need to set it');
let tagP = TAGGED_HASH_PREFIXES[tag];
if (tagP === undefined) {
const tagH = _sha256Sync(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
tagP = concatBytes(tagH, tagH);
TAGGED_HASH_PREFIXES[tag] = tagP;
}
return _sha256Sync(tagP, ...messages);
},
precompute(windowSize = 8, point = Point.BASE) {
const cached = point === Point.BASE ? point : new Point(point.x, point.y);
cached._setWindowSize(windowSize);
cached.multiply(_3n);
return cached;
},
};
Object.defineProperties(utils, {
sha256Sync: {
configurable: false,
get() {
return _sha256Sync;
},
set(val) {
if (!_sha256Sync)
_sha256Sync = val;
},
},
hmacSha256Sync: {
configurable: false,
get() {
return _hmacSha256Sync;
},
set(val) {
if (!_hmacSha256Sync)
_hmacSha256Sync = val;
},
},
});
//var secp = {};
secp.CURVE = CURVE;
secp.Point = Point;
secp.Signature = Signature;
secp.getPublicKey = getPublicKey;
secp.getSharedSecret = getSharedSecret;
secp.recoverPublicKey = recoverPublicKey;
secp.schnorr = schnorr;
secp.sign = sign;
secp.signSync = signSync;
secp.utils = utils;
secp.verify = verify;
/******
*
START OF HASH SECTION
*
*
******/
//hashmini = {};
/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
// Cast array to different type
const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);
const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
// Cast array to view
const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
// The rotate right (circular right shift) operation for uint32
const rotr = (word, shift) => (word << (32 - shift)) | (word >>> shift);
const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44;
// There is almost no big endian hardware, but js typed arrays uses platform specific endianness.
// So, just to be sure not to corrupt anything.
if (!isLE)
throw new Error('Non little-endian hardware is not supported');
var hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
/**
* @example bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]))
*/
function bytesToHex(uint8a) {
// pre-caching improves the speed 6x
if (!(uint8a instanceof Uint8Array))
throw new Error('Uint8Array expected');
let hex = '';
for (let i = 0; i < uint8a.length; i++) {
hex += hexes[uint8a[i]];
}
return hex;
}
/**
* @example hexToBytes('deadbeef')
*/
function hexToBytes(hex) {
if (typeof hex !== 'string') {
throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
}
if (hex.length % 2)
throw new Error('hexToBytes: received invalid unpadded hex');
const array = new Uint8Array(hex.length / 2);
for (let i = 0; i < array.length; i++) {
const j = i * 2;
const hexByte = hex.slice(j, j + 2);
const byte = Number.parseInt(hexByte, 16);
if (Number.isNaN(byte) || byte < 0)
throw new Error('Invalid byte sequence');
array[i] = byte;
}
return array;
}
// There is no setImmediate in browser and setTimeout is slow. However, call to async function will return Promise
// which will be fullfiled only on next scheduler queue processing step and this is exactly what we need.
const nextTick = async () => { };
// Returns control to thread each 'tick' ms to avoid blocking
async function asyncLoop(iters, tick, cb) {
let ts = Date.now();
for (let i = 0; i < iters; i++) {
cb(i);
// Date.now() is not monotonic, so in case if clock goes backwards we return return control too
const diff = Date.now() - ts;
if (diff >= 0 && diff < tick)
continue;
await nextTick();
ts += diff;
}
}
function utf8ToBytes(str) {
if (typeof str !== 'string') {
throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
}
return new TextEncoder().encode(str);
}
function toBytes(data) {
if (typeof data === 'string')
data = utf8ToBytes(data);
if (!(data instanceof Uint8Array))
throw new TypeError(`Expected input type is Uint8Array (got ${typeof data})`);
return data;
}
// For runtime check if class implements interface
class Hash {
// Safe version that clones internal state
clone() {
return this._cloneInto();
}
}
// Check if object doens't have custom constructor (like Uint8Array/Array)
var isPlainObject = (obj) => Object.prototype.toString.call(obj) === '[object Object]' && obj.constructor === Object;
function checkOpts(defaults, opts) {
if (opts !== undefined && (typeof opts !== 'object' || !isPlainObject(opts)))
throw new TypeError('Options should be object or undefined');
const merged = Object.assign(defaults, opts);
return merged;
}
function wrapConstructor(hashConstructor) {
const hashC = (message) => hashConstructor().update(toBytes(message)).digest();
const tmp = hashConstructor();
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = () => hashConstructor();
return hashC;
}
function wrapConstructorWithOpts(hashCons) {
const hashC = (msg, opts) => hashCons(opts).update(toBytes(msg)).digest();
const tmp = hashCons({});
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (opts) => hashCons(opts);
return hashC;
}
/**
* Secure PRNG
*/
function randomBytes(bytesLength = 32) {
if (crypto.crypto.web) {
return crypto.crypto.web.getRandomValues(new Uint8Array(bytesLength));
}
else if (crypto.crypto.node) {
return new Uint8Array(crypto.crypto.node.randomBytes(bytesLength).buffer);
}
else {
throw new Error("The environment doesn't have randomBytes function");
}
}
function number(n) {
if (!Number.isSafeInteger(n) || n < 0)
throw new Error(`Wrong positive integer: ${n}`);
}
function bool(b) {
if (typeof b !== 'boolean')
throw new Error(`Expected boolean, not ${b}`);
}
function bytes(b, ...lengths) {
if (!(b instanceof Uint8Array))
throw new TypeError('Expected Uint8Array');
if (lengths.length > 0 && !lengths.includes(b.length))
throw new TypeError(`Expected Uint8Array of length ${lengths}, not of length=${b.length}`);
}
function isNumber(inputValue) {
return !isNaN(parseFloat(inputValue)) && isFinite(inputValue);
}
function hash(hash) {
if (typeof hash !== 'function' || typeof hash.create !== 'function')
throw new Error('Hash should be wrapped by utils.wrapConstructor');
//ROHIT I put it inTry catch block because it was crashing the Transaction Signature
try {
isNumber(hash.outputLen);
isNumber(hash.blockLen);
} catch (error) {
return;
}
}
/* //ORIGINAL FUNCTION
function hash(hash) {
if (typeof hash !== 'function' || typeof hash.create !== 'function')
throw new Error('Hash should be wrapped by utils.wrapConstructor');
number(hash.outputLen);
number(hash.blockLen);
}*/
function exists(instance, checkFinished = true) {
if (instance.destroyed)
throw new Error('Hash instance has been destroyed');
if (checkFinished && instance.finished)
throw new Error('Hash#digest() has already been called');
}
function output(out, instance) {
bytes(out);
const min = instance.outputLen;
if (out.length < min) {
throw new Error(`digestInto() expects output buffer of length at least ${min}`);
}
}
const assert = {
number,
bool,
bytes,
hash,
exists,
output,
};
// prettier-ignore
const SIGMA$1 = new Uint8Array([
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3,
11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4,
7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8,
9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13,
2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9,
12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11,
13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10,
6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5,
10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0,
// For BLAKE2b, the two extra permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1].
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3,
]);
class BLAKE2 extends Hash {
constructor(blockLen, outputLen, opts = {}, keyLen, saltLen, persLen) {
super();
this.blockLen = blockLen;
this.outputLen = outputLen;
this.length = 0;
this.pos = 0;
this.finished = false;
this.destroyed = false;
assert.number(blockLen);
assert.number(outputLen);
assert.number(keyLen);
if (outputLen < 0 || outputLen > keyLen)
throw new Error('Blake2: outputLen bigger than keyLen');
if (opts.key !== undefined && (opts.key.length < 1 || opts.key.length > keyLen))
throw new Error(`Key should be up 1..${keyLen} byte long or undefined`);
if (opts.salt !== undefined && opts.salt.length !== saltLen)
throw new Error(`Salt should be ${saltLen} byte long or undefined`);
if (opts.personalization !== undefined && opts.personalization.length !== persLen)
throw new Error(`Personalization should be ${persLen} byte long or undefined`);
this.buffer32 = u32((this.buffer = new Uint8Array(blockLen)));
}
update(data) {
assert.exists(this);
// Main difference with other hashes: there is flag for last block,
// so we cannot process current block before we know that there
// is the next one. This significantly complicates logic and reduces ability
// to do zero-copy processing
const { blockLen, buffer, buffer32 } = this;
data = toBytes(data);
const len = data.length;
for (let pos = 0; pos < len;) {
// If buffer is full and we still have input (don't process last block, same as blake2s)
if (this.pos === blockLen) {
this.compress(buffer32, 0, false);
this.pos = 0;
}
const take = Math.min(blockLen - this.pos, len - pos);
const dataOffset = data.byteOffset + pos;
// full block && aligned to 4 bytes && not last in input
if (take === blockLen && !(dataOffset % 4) && pos + take < len) {
const data32 = new Uint32Array(data.buffer, dataOffset, Math.floor((len - pos) / 4));
for (let pos32 = 0; pos + blockLen < len; pos32 += buffer32.length, pos += blockLen) {
this.length += blockLen;
this.compress(data32, pos32, false);
}
continue;
}
buffer.set(data.subarray(pos, pos + take), this.pos);
this.pos += take;
this.length += take;
pos += take;
}
return this;
}
digestInto(out) {
assert.exists(this);
assert.output(out, this);
const { pos, buffer32 } = this;
this.finished = true;
// Padding
this.buffer.subarray(pos).fill(0);
this.compress(buffer32, 0, true);
const out32 = u32(out);
this.get().forEach((v, i) => (out32[i] = v));
}
digest() {
const { buffer, outputLen } = this;
this.digestInto(buffer);
const res = buffer.slice(0, outputLen);
this.destroy();
return res;
}
_cloneInto(to) {
const { buffer, length, finished, destroyed, outputLen, pos } = this;
to || (to = new this.constructor({ dkLen: outputLen }));
to.set(...this.get());
to.length = length;
to.finished = finished;
to.destroyed = destroyed;
to.outputLen = outputLen;
to.buffer.set(buffer);
to.pos = pos;
return to;
}
}
const U32_MASK64 = BigInt(2 ** 32 - 1);
const _32n = BigInt(32);
// We are not using BigUint64Array, because they are extremely slow as per 2022
function fromBig(n, le = false) {
if (le)
return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
}
function split(lst, le = false) {
let Ah = new Uint32Array(lst.length);
let Al = new Uint32Array(lst.length);
for (let i = 0; i < lst.length; i++) {
const { h, l } = fromBig(lst[i], le);
[Ah[i], Al[i]] = [h, l];
}
return [Ah, Al];
}
const toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);
// for Shift in [0, 32)
const shrSH = (h, l, s) => h >>> s;
const shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
// Right rotate for Shift in [1, 32)
const rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
const rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
// Right rotate for Shift in (32, 64), NOTE: 32 is special case.
const rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
const rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
// Right rotate for shift===32 (just swaps l&h)
const rotr32H = (h, l) => l;
const rotr32L = (h, l) => h;
// Left rotate for Shift in [1, 32)
const rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));
const rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));
// Left rotate for Shift in (32, 64), NOTE: 32 is special case.
const rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));
const rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));
// JS uses 32-bit signed integers for bitwise operations which means we cannot
// simple take carry out of low bit sum by shift, we need to use division.
// Removing "export" has 5% perf penalty -_-
function add(Ah, Al, Bh, Bl) {
const l = (Al >>> 0) + (Bl >>> 0);
return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
}
// Addition with more than 2 elements
const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
const add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
const add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
const add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
// prettier-ignore
const u64 = {
fromBig, split, toBig,
shrSH, shrSL,
rotrSH, rotrSL, rotrBH, rotrBL,
rotr32H, rotr32L,
rotlSH, rotlSL, rotlBH, rotlBL,
add, add3L, add3H, add4L, add4H, add5H, add5L,
};
// Same as SHA-512 but LE
// prettier-ignore
const IV$2 = new Uint32Array([
0xf3bcc908, 0x6a09e667, 0x84caa73b, 0xbb67ae85, 0xfe94f82b, 0x3c6ef372, 0x5f1d36f1, 0xa54ff53a,
0xade682d1, 0x510e527f, 0x2b3e6c1f, 0x9b05688c, 0xfb41bd6b, 0x1f83d9ab, 0x137e2179, 0x5be0cd19
]);
// Temporary buffer
const BUF$1 = new Uint32Array(32);
// Mixing function G splitted in two halfs
function G1$1(a, b, c, d, msg, x) {
// NOTE: V is LE here
const Xl = msg[x], Xh = msg[x + 1]; // prettier-ignore
let Al = BUF$1[2 * a], Ah = BUF$1[2 * a + 1]; // prettier-ignore
let Bl = BUF$1[2 * b], Bh = BUF$1[2 * b + 1]; // prettier-ignore
let Cl = BUF$1[2 * c], Ch = BUF$1[2 * c + 1]; // prettier-ignore
let Dl = BUF$1[2 * d], Dh = BUF$1[2 * d + 1]; // prettier-ignore
// v[a] = (v[a] + v[b] + x) | 0;
let ll = u64.add3L(Al, Bl, Xl);
Ah = u64.add3H(ll, Ah, Bh, Xh);
Al = ll | 0;
// v[d] = rotr(v[d] ^ v[a], 32)
({ Dh, Dl } = { Dh: Dh ^ Ah, Dl: Dl ^ Al });
({ Dh, Dl } = { Dh: u64.rotr32H(Dh, Dl), Dl: u64.rotr32L(Dh, Dl) });
// v[c] = (v[c] + v[d]) | 0;
({ h: Ch, l: Cl } = u64.add(Ch, Cl, Dh, Dl));
// v[b] = rotr(v[b] ^ v[c], 24)
({ Bh, Bl } = { Bh: Bh ^ Ch, Bl: Bl ^ Cl });
({ Bh, Bl } = { Bh: u64.rotrSH(Bh, Bl, 24), Bl: u64.rotrSL(Bh, Bl, 24) });
(BUF$1[2 * a] = Al), (BUF$1[2 * a + 1] = Ah);
(BUF$1[2 * b] = Bl), (BUF$1[2 * b + 1] = Bh);
(BUF$1[2 * c] = Cl), (BUF$1[2 * c + 1] = Ch);
(BUF$1[2 * d] = Dl), (BUF$1[2 * d + 1] = Dh);
}
function G2$1(a, b, c, d, msg, x) {
// NOTE: V is LE here
const Xl = msg[x], Xh = msg[x + 1]; // prettier-ignore
let Al = BUF$1[2 * a], Ah = BUF$1[2 * a + 1]; // prettier-ignore
let Bl = BUF$1[2 * b], Bh = BUF$1[2 * b + 1]; // prettier-ignore
let Cl = BUF$1[2 * c], Ch = BUF$1[2 * c + 1]; // prettier-ignore
let Dl = BUF$1[2 * d], Dh = BUF$1[2 * d + 1]; // prettier-ignore
// v[a] = (v[a] + v[b] + x) | 0;
let ll = u64.add3L(Al, Bl, Xl);
Ah = u64.add3H(ll, Ah, Bh, Xh);
Al = ll | 0;
// v[d] = rotr(v[d] ^ v[a], 16)
({ Dh, Dl } = { Dh: Dh ^ Ah, Dl: Dl ^ Al });
({ Dh, Dl } = { Dh: u64.rotrSH(Dh, Dl, 16), Dl: u64.rotrSL(Dh, Dl, 16) });
// v[c] = (v[c] + v[d]) | 0;
({ h: Ch, l: Cl } = u64.add(Ch, Cl, Dh, Dl));
// v[b] = rotr(v[b] ^ v[c], 63)
({ Bh, Bl } = { Bh: Bh ^ Ch, Bl: Bl ^ Cl });
({ Bh, Bl } = { Bh: u64.rotrBH(Bh, Bl, 63), Bl: u64.rotrBL(Bh, Bl, 63) });
(BUF$1[2 * a] = Al), (BUF$1[2 * a + 1] = Ah);
(BUF$1[2 * b] = Bl), (BUF$1[2 * b + 1] = Bh);
(BUF$1[2 * c] = Cl), (BUF$1[2 * c + 1] = Ch);
(BUF$1[2 * d] = Dl), (BUF$1[2 * d + 1] = Dh);
}
class BLAKE2b extends BLAKE2 {
constructor(opts = {}) {
super(128, opts.dkLen === undefined ? 64 : opts.dkLen, opts, 64, 16, 16);
// Same as SHA-512, but LE
this.v0l = IV$2[0] | 0;
this.v0h = IV$2[1] | 0;
this.v1l = IV$2[2] | 0;
this.v1h = IV$2[3] | 0;
this.v2l = IV$2[4] | 0;
this.v2h = IV$2[5] | 0;
this.v3l = IV$2[6] | 0;
this.v3h = IV$2[7] | 0;
this.v4l = IV$2[8] | 0;
this.v4h = IV$2[9] | 0;
this.v5l = IV$2[10] | 0;
this.v5h = IV$2[11] | 0;
this.v6l = IV$2[12] | 0;
this.v6h = IV$2[13] | 0;
this.v7l = IV$2[14] | 0;
this.v7h = IV$2[15] | 0;
const keyLength = opts.key ? opts.key.length : 0;
this.v0l ^= this.outputLen | (keyLength << 8) | (0x01 << 16) | (0x01 << 24);
if (opts.salt) {
const salt = u32(toBytes(opts.salt));
this.v4l ^= salt[0];
this.v4h ^= salt[1];
this.v5l ^= salt[2];
this.v5h ^= salt[3];
}
if (opts.personalization) {
const pers = u32(toBytes(opts.personalization));
this.v6l ^= pers[0];
this.v6h ^= pers[1];
this.v7l ^= pers[2];
this.v7h ^= pers[3];
}
if (opts.key) {
// Pad to blockLen and update
const tmp = new Uint8Array(this.blockLen);
tmp.set(toBytes(opts.key));
this.update(tmp);
}
}
// prettier-ignore
get() {
let { v0l, v0h, v1l, v1h, v2l, v2h, v3l, v3h, v4l, v4h, v5l, v5h, v6l, v6h, v7l, v7h } = this;
return [v0l, v0h, v1l, v1h, v2l, v2h, v3l, v3h, v4l, v4h, v5l, v5h, v6l, v6h, v7l, v7h];
}
// prettier-ignore
set(v0l, v0h, v1l, v1h, v2l, v2h, v3l, v3h, v4l, v4h, v5l, v5h, v6l, v6h, v7l, v7h) {
this.v0l = v0l | 0;
this.v0h = v0h | 0;
this.v1l = v1l | 0;
this.v1h = v1h | 0;
this.v2l = v2l | 0;
this.v2h = v2h | 0;
this.v3l = v3l | 0;
this.v3h = v3h | 0;
this.v4l = v4l | 0;
this.v4h = v4h | 0;
this.v5l = v5l | 0;
this.v5h = v5h | 0;
this.v6l = v6l | 0;
this.v6h = v6h | 0;
this.v7l = v7l | 0;
this.v7h = v7h | 0;
}
compress(msg, offset, isLast) {
this.get().forEach((v, i) => (BUF$1[i] = v)); // First half from state.
BUF$1.set(IV$2, 16); // Second half from IV.
let { h, l } = u64.fromBig(BigInt(this.length));
BUF$1[24] = IV$2[8] ^ l; // Low word of the offset.
BUF$1[25] = IV$2[9] ^ h; // High word.
// Invert all bits for last block
if (isLast) {
BUF$1[28] = ~BUF$1[28];
BUF$1[29] = ~BUF$1[29];
}
let j = 0;
const s = SIGMA$1;
for (let i = 0; i < 12; i++) {
G1$1(0, 4, 8, 12, msg, offset + 2 * s[j++]);
G2$1(0, 4, 8, 12, msg, offset + 2 * s[j++]);
G1$1(1, 5, 9, 13, msg, offset + 2 * s[j++]);
G2$1(1, 5, 9, 13, msg, offset + 2 * s[j++]);
G1$1(2, 6, 10, 14, msg, offset + 2 * s[j++]);
G2$1(2, 6, 10, 14, msg, offset + 2 * s[j++]);
G1$1(3, 7, 11, 15, msg, offset + 2 * s[j++]);
G2$1(3, 7, 11, 15, msg, offset + 2 * s[j++]);
G1$1(0, 5, 10, 15, msg, offset + 2 * s[j++]);
G2$1(0, 5, 10, 15, msg, offset + 2 * s[j++]);
G1$1(1, 6, 11, 12, msg, offset + 2 * s[j++]);
G2$1(1, 6, 11, 12, msg, offset + 2 * s[j++]);
G1$1(2, 7, 8, 13, msg, offset + 2 * s[j++]);
G2$1(2, 7, 8, 13, msg, offset + 2 * s[j++]);
G1$1(3, 4, 9, 14, msg, offset + 2 * s[j++]);
G2$1(3, 4, 9, 14, msg, offset + 2 * s[j++]);
}
this.v0l ^= BUF$1[0] ^ BUF$1[16];
this.v0h ^= BUF$1[1] ^ BUF$1[17];
this.v1l ^= BUF$1[2] ^ BUF$1[18];
this.v1h ^= BUF$1[3] ^ BUF$1[19];
this.v2l ^= BUF$1[4] ^ BUF$1[20];
this.v2h ^= BUF$1[5] ^ BUF$1[21];
this.v3l ^= BUF$1[6] ^ BUF$1[22];
this.v3h ^= BUF$1[7] ^ BUF$1[23];
this.v4l ^= BUF$1[8] ^ BUF$1[24];
this.v4h ^= BUF$1[9] ^ BUF$1[25];
this.v5l ^= BUF$1[10] ^ BUF$1[26];
this.v5h ^= BUF$1[11] ^ BUF$1[27];
this.v6l ^= BUF$1[12] ^ BUF$1[28];
this.v6h ^= BUF$1[13] ^ BUF$1[29];
this.v7l ^= BUF$1[14] ^ BUF$1[30];
this.v7h ^= BUF$1[15] ^ BUF$1[31];
BUF$1.fill(0);
}
destroy() {
this.destroyed = true;
this.buffer32.fill(0);
this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
}
}
/**
* BLAKE2b - optimized for 64-bit platforms. JS doesn't have uint64, so it's slower than BLAKE2s.
* @param msg - message that would be hashed
* @param opts - dkLen, key, salt, personalization
*/
const blake2b = wrapConstructorWithOpts((opts) => new BLAKE2b(opts));
// Initial state:
// first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19)
// same as SHA-256
// prettier-ignore
const IV$1 = new Uint32Array([
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
]);
// Mixing function G splitted in two halfs
function G1(a, b, c, d, x) {
a = (a + b + x) | 0;
d = rotr(d ^ a, 16);
c = (c + d) | 0;
b = rotr(b ^ c, 12);
return { a, b, c, d };
}
function G2(a, b, c, d, x) {
a = (a + b + x) | 0;
d = rotr(d ^ a, 8);
c = (c + d) | 0;
b = rotr(b ^ c, 7);
return { a, b, c, d };
}
// prettier-ignore
function compress(s, offset, msg, rounds, v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13, v14, v15) {
let j = 0;
for (let i = 0; i < rounds; i++) {
({ a: v0, b: v4, c: v8, d: v12 } = G1(v0, v4, v8, v12, msg[offset + s[j++]]));
({ a: v0, b: v4, c: v8, d: v12 } = G2(v0, v4, v8, v12, msg[offset + s[j++]]));
({ a: v1, b: v5, c: v9, d: v13 } = G1(v1, v5, v9, v13, msg[offset + s[j++]]));
({ a: v1, b: v5, c: v9, d: v13 } = G2(v1, v5, v9, v13, msg[offset + s[j++]]));
({ a: v2, b: v6, c: v10, d: v14 } = G1(v2, v6, v10, v14, msg[offset + s[j++]]));
({ a: v2, b: v6, c: v10, d: v14 } = G2(v2, v6, v10, v14, msg[offset + s[j++]]));
({ a: v3, b: v7, c: v11, d: v15 } = G1(v3, v7, v11, v15, msg[offset + s[j++]]));
({ a: v3, b: v7, c: v11, d: v15 } = G2(v3, v7, v11, v15, msg[offset + s[j++]]));
({ a: v0, b: v5, c: v10, d: v15 } = G1(v0, v5, v10, v15, msg[offset + s[j++]]));
({ a: v0, b: v5, c: v10, d: v15 } = G2(v0, v5, v10, v15, msg[offset + s[j++]]));
({ a: v1, b: v6, c: v11, d: v12 } = G1(v1, v6, v11, v12, msg[offset + s[j++]]));
({ a: v1, b: v6, c: v11, d: v12 } = G2(v1, v6, v11, v12, msg[offset + s[j++]]));
({ a: v2, b: v7, c: v8, d: v13 } = G1(v2, v7, v8, v13, msg[offset + s[j++]]));
({ a: v2, b: v7, c: v8, d: v13 } = G2(v2, v7, v8, v13, msg[offset + s[j++]]));
({ a: v3, b: v4, c: v9, d: v14 } = G1(v3, v4, v9, v14, msg[offset + s[j++]]));
({ a: v3, b: v4, c: v9, d: v14 } = G2(v3, v4, v9, v14, msg[offset + s[j++]]));
}
return { v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13, v14, v15 };
}
class BLAKE2s extends BLAKE2 {
constructor(opts = {}) {
super(64, opts.dkLen === undefined ? 32 : opts.dkLen, opts, 32, 8, 8);
// Internal state, same as SHA-256
this.v0 = IV$1[0] | 0;
this.v1 = IV$1[1] | 0;
this.v2 = IV$1[2] | 0;
this.v3 = IV$1[3] | 0;
this.v4 = IV$1[4] | 0;
this.v5 = IV$1[5] | 0;
this.v6 = IV$1[6] | 0;
this.v7 = IV$1[7] | 0;
const keyLength = opts.key ? opts.key.length : 0;
this.v0 ^= this.outputLen | (keyLength << 8) | (0x01 << 16) | (0x01 << 24);
if (opts.salt) {
const salt = u32(toBytes(opts.salt));
this.v4 ^= salt[0];
this.v5 ^= salt[1];
}
if (opts.personalization) {
const pers = u32(toBytes(opts.personalization));
this.v6 ^= pers[0];
this.v7 ^= pers[1];
}
if (opts.key) {
// Pad to blockLen and update
const tmp = new Uint8Array(this.blockLen);
tmp.set(toBytes(opts.key));
this.update(tmp);
}
}
get() {
const { v0, v1, v2, v3, v4, v5, v6, v7 } = this;
return [v0, v1, v2, v3, v4, v5, v6, v7];
}
// prettier-ignore
set(v0, v1, v2, v3, v4, v5, v6, v7) {
this.v0 = v0 | 0;
this.v1 = v1 | 0;
this.v2 = v2 | 0;
this.v3 = v3 | 0;
this.v4 = v4 | 0;
this.v5 = v5 | 0;
this.v6 = v6 | 0;
this.v7 = v7 | 0;
}
compress(msg, offset, isLast) {
const { h, l } = u64.fromBig(BigInt(this.length));
// prettier-ignore
const { v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13, v14, v15 } = compress(SIGMA$1, offset, msg, 10, this.v0, this.v1, this.v2, this.v3, this.v4, this.v5, this.v6, this.v7, IV$1[0], IV$1[1], IV$1[2], IV$1[3], l ^ IV$1[4], h ^ IV$1[5], isLast ? ~IV$1[6] : IV$1[6], IV$1[7]);
this.v0 ^= v0 ^ v8;
this.v1 ^= v1 ^ v9;
this.v2 ^= v2 ^ v10;
this.v3 ^= v3 ^ v11;
this.v4 ^= v4 ^ v12;
this.v5 ^= v5 ^ v13;
this.v6 ^= v6 ^ v14;
this.v7 ^= v7 ^ v15;
}
destroy() {
this.destroyed = true;
this.buffer32.fill(0);
this.set(0, 0, 0, 0, 0, 0, 0, 0);
}
}
/**
* BLAKE2s - optimized for 32-bit platforms. JS doesn't have uint64, so it's faster than BLAKE2b.
* @param msg - message that would be hashed
* @param opts - dkLen, key, salt, personalization
*/
const blake2s = wrapConstructorWithOpts((opts) => new BLAKE2s(opts));
// Flag bitset
var Flags;
(function (Flags) {
Flags[Flags["CHUNK_START"] = 1] = "CHUNK_START";
Flags[Flags["CHUNK_END"] = 2] = "CHUNK_END";
Flags[Flags["PARENT"] = 4] = "PARENT";
Flags[Flags["ROOT"] = 8] = "ROOT";
Flags[Flags["KEYED_HASH"] = 16] = "KEYED_HASH";
Flags[Flags["DERIVE_KEY_CONTEXT"] = 32] = "DERIVE_KEY_CONTEXT";
Flags[Flags["DERIVE_KEY_MATERIAL"] = 64] = "DERIVE_KEY_MATERIAL";
})(Flags || (Flags = {}));
const SIGMA = (() => {
const Id = Array.from({ length: 16 }, (_, i) => i);
const permute = (arr) => [2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8].map((i) => arr[i]);
const res = [];
for (let i = 0, v = Id; i < 7; i++, v = permute(v))
res.push(...v);
return Uint8Array.from(res);
})();
// Why is this so slow? It should be 6x faster than blake2b.
// - There is only 30% reduction in number of rounds from blake2s
// - This function uses tree mode to achive parallelisation via SIMD and threading,
// however in JS we don't have threads and SIMD, so we get only overhead from tree structure
// - It is possible to speed it up via Web Workers, hovewer it will make code singnificantly more
// complicated, which we are trying to avoid, since this library is intended to be used
// for cryptographic purposes. Also, parallelization happens only on chunk level (1024 bytes),
// which won't really benefit small inputs.
class BLAKE3 extends BLAKE2 {
constructor(opts = {}, flags = 0) {
super(64, opts.dkLen === undefined ? 32 : opts.dkLen, {}, Number.MAX_SAFE_INTEGER, 0, 0);
this.flags = 0 | 0;
this.chunkPos = 0; // Position of current block in chunk
this.chunksDone = 0; // How many chunks we already have
this.stack = [];
// Output
this.posOut = 0;
this.bufferOut32 = new Uint32Array(16);
this.chunkOut = 0; // index of output chunk
this.enableXOF = true;
this.outputLen = opts.dkLen === undefined ? 32 : opts.dkLen;
assert.number(this.outputLen);
if (opts.key !== undefined && opts.context !== undefined)
throw new Error('Blake3: only key or context can be specified at same time');
else if (opts.key !== undefined) {
const key = toBytes(opts.key);
if (key.length !== 32)
throw new Error('Blake3: key should be 32 byte');
this.IV = u32(key);
this.flags = flags | Flags.KEYED_HASH;
}
else if (opts.context !== undefined) {
const context_key = new BLAKE3({ dkLen: 32 }, Flags.DERIVE_KEY_CONTEXT)
.update(opts.context)
.digest();
this.IV = u32(context_key);
this.flags = flags | Flags.DERIVE_KEY_MATERIAL;
}
else {
this.IV = IV$1.slice();
this.flags = flags;
}
this.state = this.IV.slice();
this.bufferOut = u8(this.bufferOut32);
}
// Unused
get() {
return [];
}
set() { }
b2Compress(counter, flags, buf, bufPos = 0) {
const { state: s, pos } = this;
const { h, l } = u64.fromBig(BigInt(counter), true);
// prettier-ignore
const { v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13, v14, v15 } = compress(SIGMA, bufPos, buf, 7, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7], IV$1[0], IV$1[1], IV$1[2], IV$1[3], h, l, pos, flags);
s[0] = v0 ^ v8;
s[1] = v1 ^ v9;
s[2] = v2 ^ v10;
s[3] = v3 ^ v11;
s[4] = v4 ^ v12;
s[5] = v5 ^ v13;
s[6] = v6 ^ v14;
s[7] = v7 ^ v15;
}
compress(buf, bufPos = 0, isLast = false) {
// Compress last block
let flags = this.flags;
if (!this.chunkPos)
flags |= Flags.CHUNK_START;
if (this.chunkPos === 15 || isLast)
flags |= Flags.CHUNK_END;
if (!isLast)
this.pos = this.blockLen;
this.b2Compress(this.chunksDone, flags, buf, bufPos);
this.chunkPos += 1;
// If current block is last in chunk (16 blocks), then compress chunks
if (this.chunkPos === 16 || isLast) {
let chunk = this.state;
this.state = this.IV.slice();
// If not the last one, compress only when there are trailing zeros in chunk counter
// chunks used as binary tree where current stack is path. Zero means current leaf is finished and can be compressed.
// 1 (001) - leaf not finished (just push current chunk to stack)
// 2 (010) - leaf finished at depth=1 (merge with last elm on stack and push back)
// 3 (011) - last leaf not finished
// 4 (100) - leafs finished at depth=1 and depth=2
for (let last, chunks = this.chunksDone + 1; isLast || !(chunks & 1); chunks >>= 1) {
if (!(last = this.stack.pop()))
break;
this.buffer32.set(last, 0);
this.buffer32.set(chunk, 8);
this.pos = this.blockLen;
this.b2Compress(0, this.flags | Flags.PARENT, this.buffer32, 0);
chunk = this.state;
this.state = this.IV.slice();
}
this.chunksDone++;
this.chunkPos = 0;
this.stack.push(chunk);
}
this.pos = 0;
}
_cloneInto(to) {
to = super._cloneInto(to);
const { IV, flags, state, chunkPos, posOut, chunkOut, stack, chunksDone } = this;
to.state.set(state.slice());
to.stack = stack.map((i) => Uint32Array.from(i));
to.IV.set(IV);
to.flags = flags;
to.chunkPos = chunkPos;
to.chunksDone = chunksDone;
to.posOut = posOut;
to.chunkOut = chunkOut;
to.enableXOF = this.enableXOF;
to.bufferOut32.set(this.bufferOut32);
return to;
}
destroy() {
this.destroyed = true;
this.state.fill(0);
this.buffer32.fill(0);
this.IV.fill(0);
this.bufferOut32.fill(0);
for (let i of this.stack)
i.fill(0);
}
// Same as b2Compress, but doesn't modify state and returns 16 u32 array (instead of 8)
b2CompressOut() {
const { state: s, pos, flags, buffer32, bufferOut32: out32 } = this;
const { h, l } = u64.fromBig(BigInt(this.chunkOut++));
// prettier-ignore
const { v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13, v14, v15 } = compress(SIGMA, 0, buffer32, 7, s[0], s[1], s[2], s[3], s[4], s[5], s[6], s[7], IV$1[0], IV$1[1], IV$1[2], IV$1[3], l, h, pos, flags);
out32[0] = v0 ^ v8;
out32[1] = v1 ^ v9;
out32[2] = v2 ^ v10;
out32[3] = v3 ^ v11;
out32[4] = v4 ^ v12;
out32[5] = v5 ^ v13;
out32[6] = v6 ^ v14;
out32[7] = v7 ^ v15;
out32[8] = s[0] ^ v8;
out32[9] = s[1] ^ v9;
out32[10] = s[2] ^ v10;
out32[11] = s[3] ^ v11;
out32[12] = s[4] ^ v12;
out32[13] = s[5] ^ v13;
out32[14] = s[6] ^ v14;
out32[15] = s[7] ^ v15;
this.posOut = 0;
}
finish() {
if (this.finished)
return;
this.finished = true;
// Padding
this.buffer.fill(0, this.pos);
// Process last chunk
let flags = this.flags | Flags.ROOT;
if (this.stack.length) {
flags |= Flags.PARENT;
this.compress(this.buffer32, 0, true);
this.chunksDone = 0;
this.pos = this.blockLen;
}
else {
flags |= (!this.chunkPos ? Flags.CHUNK_START : 0) | Flags.CHUNK_END;
}
this.flags = flags;
this.b2CompressOut();
}
writeInto(out) {
assert.exists(this, false);
assert.bytes(out);
this.finish();
const { blockLen, bufferOut } = this;
for (let pos = 0, len = out.length; pos < len;) {
if (this.posOut >= blockLen)
this.b2CompressOut();
const take = Math.min(blockLen - this.posOut, len - pos);
out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
this.posOut += take;
pos += take;
}
return out;
}
xofInto(out) {
if (!this.enableXOF)
throw new Error('XOF is not possible after digest call');
return this.writeInto(out);
}
xof(bytes) {
assert.number(bytes);
return this.xofInto(new Uint8Array(bytes));
}
digestInto(out) {
assert.output(out, this);
if (this.finished)
throw new Error('digest() was already called');
this.enableXOF = false;
this.writeInto(out);
this.destroy();
return out;
}
digest() {
return this.digestInto(new Uint8Array(this.outputLen));
}
}
/**
* BLAKE3 hash function.
* @param msg - message that would be hashed
* @param opts - dkLen, key, context
*/
const blake3 = wrapConstructorWithOpts((opts) => new BLAKE3(opts));
// HMAC (RFC 2104)
class HMAC extends Hash {
constructor(hash, _key) {
super();
this.finished = false;
this.destroyed = false;
assert.hash(hash);
const key = toBytes(_key);
this.iHash = hash.create();
if (typeof this.iHash.update !== 'function')
throw new TypeError('Expected instance of class which extends utils.Hash');
this.blockLen = this.iHash.blockLen;
this.outputLen = this.iHash.outputLen;
const blockLen = this.blockLen;
const pad = new Uint8Array(blockLen);
// blockLen can be bigger than outputLen
pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
for (let i = 0; i < pad.length; i++)
pad[i] ^= 0x36;
this.iHash.update(pad);
// By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
this.oHash = hash.create();
// Undo internal XOR && apply outer XOR
for (let i = 0; i < pad.length; i++)
pad[i] ^= 0x36 ^ 0x5c;
this.oHash.update(pad);
pad.fill(0);
}
update(buf) {
assert.exists(this);
this.iHash.update(buf);
return this;
}
digestInto(out) {
assert.exists(this);
assert.bytes(out, this.outputLen);
this.finished = true;
this.iHash.digestInto(out);
this.oHash.update(out);
this.oHash.digestInto(out);
this.destroy();
}
digest() {
const out = new Uint8Array(this.oHash.outputLen);
this.digestInto(out);
return out;
}
_cloneInto(to) {
// Create new instance without calling constructor since key already in state and we don't know it.
to || (to = Object.create(Object.getPrototypeOf(this), {}));
const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
to = to;
to.finished = finished;
to.destroyed = destroyed;
to.blockLen = blockLen;
to.outputLen = outputLen;
to.oHash = oHash._cloneInto(to.oHash);
to.iHash = iHash._cloneInto(to.iHash);
return to;
}
destroy() {
this.destroyed = true;
this.oHash.destroy();
this.iHash.destroy();
}
}
/**
* HMAC: RFC2104 message authentication code.
* @param hash - function that would be used e.g. sha256
* @param key - message key
* @param message - message data
*/
const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
hmac.create = (hash, key) => new HMAC(hash, key);
// HKDF (RFC 5869)
// https://soatok.blog/2021/11/17/understanding-hkdf/
/**
* HKDF-Extract(IKM, salt) -> PRK
* Arguments position differs from spec (IKM is first one, since it is not optional)
* @param hash
* @param ikm
* @param salt
* @returns
*/
function extract(hash, ikm, salt) {
assert.hash(hash);
// NOTE: some libraries treat zero-length array as 'not provided';
// we don't, since we have undefined as 'not provided'
// https://github.com/RustCrypto/KDFs/issues/15
if (salt === undefined)
salt = new Uint8Array(hash.outputLen); // if not provided, it is set to a string of HashLen zeros
return hmac(hash, toBytes(salt), toBytes(ikm));
}
// HKDF-Expand(PRK, info, L) -> OKM
const HKDF_COUNTER = new Uint8Array([0]);
const EMPTY_BUFFER = new Uint8Array();
/**
* HKDF-expand from the spec.
* @param prk - a pseudorandom key of at least HashLen octets (usually, the output from the extract step)
* @param info - optional context and application specific information (can be a zero-length string)
* @param length - length of output keying material in octets
*/
function expand(hash, prk, info, length = 32) {
assert.hash(hash);
assert.number(length);
if (length > 255 * hash.outputLen)
throw new Error('Length should be <= 255*HashLen');
const blocks = Math.ceil(length / hash.outputLen);
if (info === undefined)
info = EMPTY_BUFFER;
// first L(ength) octets of T
const okm = new Uint8Array(blocks * hash.outputLen);
// Re-use HMAC instance between blocks
const HMAC = hmac.create(hash, prk);
const HMACTmp = HMAC._cloneInto();
const T = new Uint8Array(HMAC.outputLen);
for (let counter = 0; counter < blocks; counter++) {
HKDF_COUNTER[0] = counter + 1;
// T(0) = empty string (zero length)
// T(N) = HMAC-Hash(PRK, T(N-1) | info | N)
HMACTmp.update(counter === 0 ? EMPTY_BUFFER : T)
.update(info)
.update(HKDF_COUNTER)
.digestInto(T);
okm.set(T, hash.outputLen * counter);
HMAC._cloneInto(HMACTmp);
}
HMAC.destroy();
HMACTmp.destroy();
T.fill(0);
HKDF_COUNTER.fill(0);
return okm.slice(0, length);
}
/**
* HKDF (RFC 5869): extract + expand in one step.
* @param hash - hash function that would be used (e.g. sha256)
* @param ikm - input keying material, the initial key
* @param salt - optional salt value (a non-secret random value)
* @param info - optional context and application specific information
* @param length - length of output keying material in octets
*/
const hkdf = (hash, ikm, salt, info, length) => expand(hash, extract(hash, ikm, salt), info, length);
// Common prologue and epilogue for sync/async functions
function pbkdf2Init(hash, _password, _salt, _opts) {
assert.hash(hash);
const opts = checkOpts({ dkLen: 32, asyncTick: 10 }, _opts);
const { c, dkLen, asyncTick } = opts;
assert.number(c);
assert.number(dkLen);
assert.number(asyncTick);
if (c < 1)
throw new Error('PBKDF2: iterations (c) should be >= 1');
const password = toBytes(_password);
const salt = toBytes(_salt);
// DK = PBKDF2(PRF, Password, Salt, c, dkLen);
const DK = new Uint8Array(dkLen);
// U1 = PRF(Password, Salt + INT_32_BE(i))
const PRF = hmac.create(hash, password);
const PRFSalt = PRF._cloneInto().update(salt);
return { c, dkLen, asyncTick, DK, PRF, PRFSalt };
}
function pbkdf2Output(PRF, PRFSalt, DK, prfW, u) {
PRF.destroy();
PRFSalt.destroy();
if (prfW)
prfW.destroy();
u.fill(0);
return DK;
}
/**
* PBKDF2-HMAC: RFC 2898 key derivation function
* @param hash - hash function that would be used e.g. sha256
* @param password - password from which a derived key is generated
* @param salt - cryptographic salt
* @param opts - {c, dkLen} where c is work factor and dkLen is output message size
*/
function pbkdf2$1(hash, password, salt, opts) {
const { c, dkLen, DK, PRF, PRFSalt } = pbkdf2Init(hash, password, salt, opts);
let prfW; // Working copy
const arr = new Uint8Array(4);
const view = createView(arr);
const u = new Uint8Array(PRF.outputLen);
// DK = T1 + T2 + ⋯ + Tdklen/hlen
for (let ti = 1, pos = 0; pos < dkLen; ti++, pos += PRF.outputLen) {
// Ti = F(Password, Salt, c, i)
const Ti = DK.subarray(pos, pos + PRF.outputLen);
view.setInt32(0, ti, false);
// F(Password, Salt, c, i) = U1 ^ U2 ^ ⋯ ^ Uc
// U1 = PRF(Password, Salt + INT_32_BE(i))
(prfW = PRFSalt._cloneInto(prfW)).update(arr).digestInto(u);
Ti.set(u.subarray(0, Ti.length));
for (let ui = 1; ui < c; ui++) {
// Uc = PRF(Password, Uc1)
PRF._cloneInto(prfW).update(u).digestInto(u);
for (let i = 0; i < Ti.length; i++)
Ti[i] ^= u[i];
}
}
return pbkdf2Output(PRF, PRFSalt, DK, prfW, u);
}
async function pbkdf2Async(hash, password, salt, opts) {
const { c, dkLen, asyncTick, DK, PRF, PRFSalt } = pbkdf2Init(hash, password, salt, opts);
let prfW; // Working copy
const arr = new Uint8Array(4);
const view = createView(arr);
const u = new Uint8Array(PRF.outputLen);
// DK = T1 + T2 + ⋯ + Tdklen/hlen
for (let ti = 1, pos = 0; pos < dkLen; ti++, pos += PRF.outputLen) {
// Ti = F(Password, Salt, c, i)
const Ti = DK.subarray(pos, pos + PRF.outputLen);
view.setInt32(0, ti, false);
// F(Password, Salt, c, i) = U1 ^ U2 ^ ⋯ ^ Uc
// U1 = PRF(Password, Salt + INT_32_BE(i))
(prfW = PRFSalt._cloneInto(prfW)).update(arr).digestInto(u);
Ti.set(u.subarray(0, Ti.length));
await asyncLoop(c - 1, asyncTick, (i) => {
// Uc = PRF(Password, Uc1)
PRF._cloneInto(prfW).update(u).digestInto(u);
for (let i = 0; i < Ti.length; i++)
Ti[i] ^= u[i];
});
}
return pbkdf2Output(PRF, PRFSalt, DK, prfW, u);
}
// Polyfill for Safari 14
function setBigUint64(view, byteOffset, value, isLE) {
if (typeof view.setBigUint64 === 'function')
return view.setBigUint64(byteOffset, value, isLE);
const _32n = BigInt(32);
const _u32_max = BigInt(0xffffffff);
const wh = Number((value >> _32n) & _u32_max);
const wl = Number(value & _u32_max);
const h = isLE ? 4 : 0;
const l = isLE ? 0 : 4;
view.setUint32(byteOffset + h, wh, isLE);
view.setUint32(byteOffset + l, wl, isLE);
}
// Base SHA2 class (RFC 6234)
class SHA2 extends Hash {
constructor(blockLen, outputLen, padOffset, isLE) {
super();
this.blockLen = blockLen;
this.outputLen = outputLen;
this.padOffset = padOffset;
this.isLE = isLE;
this.finished = false;
this.length = 0;
this.pos = 0;
this.destroyed = false;
this.buffer = new Uint8Array(blockLen);
this.view = createView(this.buffer);
}
update(data) {
assert.exists(this);
const { view, buffer, blockLen } = this;
data = toBytes(data);
const len = data.length;
for (let pos = 0; pos < len;) {
const take = Math.min(blockLen - this.pos, len - pos);
// Fast path: we have at least one block in input, cast it to view and process
if (take === blockLen) {
const dataView = createView(data);
for (; blockLen <= len - pos; pos += blockLen)
this.process(dataView, pos);
continue;
}
buffer.set(data.subarray(pos, pos + take), this.pos);
this.pos += take;
pos += take;
if (this.pos === blockLen) {
this.process(view, 0);
this.pos = 0;
}
}
this.length += data.length;
this.roundClean();
return this;
}
digestInto(out) {
assert.exists(this);
assert.output(out, this);
this.finished = true;
// Padding
// We can avoid allocation of buffer for padding completely if it
// was previously not allocated here. But it won't change performance.
const { buffer, view, blockLen, isLE } = this;
let { pos } = this;
// append the bit '1' to the message
buffer[pos++] = 0b10000000;
this.buffer.subarray(pos).fill(0);
// we have less than padOffset left in buffer, so we cannot put length in current block, need process it and pad again
if (this.padOffset > blockLen - pos) {
this.process(view, 0);
pos = 0;
}
// Pad until full block byte with zeros
for (let i = pos; i < blockLen; i++)
buffer[i] = 0;
// Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
// You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
// So we just write lowest 64 bits of that value.
setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE);
this.process(view, 0);
const oview = createView(out);
this.get().forEach((v, i) => oview.setUint32(4 * i, v, isLE));
}
digest() {
const { buffer, outputLen } = this;
this.digestInto(buffer);
const res = buffer.slice(0, outputLen);
this.destroy();
return res;
}
_cloneInto(to) {
to || (to = new this.constructor());
to.set(...this.get());
const { blockLen, buffer, length, finished, destroyed, pos } = this;
to.length = length;
to.pos = pos;
to.finished = finished;
to.destroyed = destroyed;
if (length % blockLen)
to.buffer.set(buffer);
return to;
}
}
// https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
// https://homes.esat.kuleuven.be/~bosselae/ripemd160/pdf/AB-9601/AB-9601.pdf
const Rho = new Uint8Array([7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8]);
const Id = Uint8Array.from({ length: 16 }, (_, i) => i);
const Pi = Id.map((i) => (9 * i + 5) % 16);
let idxL = [Id];
let idxR = [Pi];
for (let i = 0; i < 4; i++)
for (let j of [idxL, idxR])
j.push(j[i].map((k) => Rho[k]));
const shifts = [
[11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8],
[12, 13, 11, 15, 6, 9, 9, 7, 12, 15, 11, 13, 7, 8, 7, 7],
[13, 15, 14, 11, 7, 7, 6, 8, 13, 14, 13, 12, 5, 5, 6, 9],
[14, 11, 12, 14, 8, 6, 5, 5, 15, 12, 15, 14, 9, 9, 8, 6],
[15, 12, 13, 13, 9, 5, 8, 6, 14, 11, 12, 11, 8, 6, 5, 5],
].map((i) => new Uint8Array(i));
const shiftsL = idxL.map((idx, i) => idx.map((j) => shifts[i][j]));
const shiftsR = idxR.map((idx, i) => idx.map((j) => shifts[i][j]));
const Kl = new Uint32Array([0x00000000, 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xa953fd4e]);
const Kr = new Uint32Array([0x50a28be6, 0x5c4dd124, 0x6d703ef3, 0x7a6d76e9, 0x00000000]);
// The rotate left (circular left shift) operation for uint32
const rotl$1 = (word, shift) => (word << shift) | (word >>> (32 - shift));
// It's called f() in spec.
function f(group, x, y, z) {
if (group === 0)
return x ^ y ^ z;
else if (group === 1)
return (x & y) | (~x & z);
else if (group === 2)
return (x | ~y) ^ z;
else if (group === 3)
return (x & z) | (y & ~z);
else
return x ^ (y | ~z);
}
// Temporary buffer, not used to store anything between runs
const BUF = new Uint32Array(16);
class RIPEMD160 extends SHA2 {
constructor() {
super(64, 20, 8, true);
this.h0 = 0x67452301 | 0;
this.h1 = 0xefcdab89 | 0;
this.h2 = 0x98badcfe | 0;
this.h3 = 0x10325476 | 0;
this.h4 = 0xc3d2e1f0 | 0;
}
get() {
const { h0, h1, h2, h3, h4 } = this;
return [h0, h1, h2, h3, h4];
}
set(h0, h1, h2, h3, h4) {
this.h0 = h0 | 0;
this.h1 = h1 | 0;
this.h2 = h2 | 0;
this.h3 = h3 | 0;
this.h4 = h4 | 0;
}
process(view, offset) {
for (let i = 0; i < 16; i++, offset += 4)
BUF[i] = view.getUint32(offset, true);
// prettier-ignore
let al = this.h0 | 0, ar = al, bl = this.h1 | 0, br = bl, cl = this.h2 | 0, cr = cl, dl = this.h3 | 0, dr = dl, el = this.h4 | 0, er = el;
// Instead of iterating 0 to 80, we split it into 5 groups
// And use the groups in constants, functions, etc. Much simpler
for (let group = 0; group < 5; group++) {
const rGroup = 4 - group;
const hbl = Kl[group], hbr = Kr[group]; // prettier-ignore
const rl = idxL[group], rr = idxR[group]; // prettier-ignore
const sl = shiftsL[group], sr = shiftsR[group]; // prettier-ignore
for (let i = 0; i < 16; i++) {
const tl = (rotl$1(al + f(group, bl, cl, dl) + BUF[rl[i]] + hbl, sl[i]) + el) | 0;
al = el, el = dl, dl = rotl$1(cl, 10) | 0, cl = bl, bl = tl; // prettier-ignore
}
// 2 loops are 10% faster
for (let i = 0; i < 16; i++) {
const tr = (rotl$1(ar + f(rGroup, br, cr, dr) + BUF[rr[i]] + hbr, sr[i]) + er) | 0;
ar = er, er = dr, dr = rotl$1(cr, 10) | 0, cr = br, br = tr; // prettier-ignore
}
}
// Add the compressed chunk to the current hash value
this.set((this.h1 + cl + dr) | 0, (this.h2 + dl + er) | 0, (this.h3 + el + ar) | 0, (this.h4 + al + br) | 0, (this.h0 + bl + cr) | 0);
}
roundClean() {
BUF.fill(0);
}
destroy() {
this.destroyed = true;
this.buffer.fill(0);
this.set(0, 0, 0, 0, 0);
}
}
/**
* RIPEMD-160 - a hash function from 1990s.
* @param message - msg that would be hashed
*/
const ripemd160 = wrapConstructor(() => new RIPEMD160());
// Choice: a ? b : c
const Chi = (a, b, c) => (a & b) ^ (~a & c);
// Majority function, true if any two inpust is true
const Maj = (a, b, c) => (a & b) ^ (a & c) ^ (b & c);
// Round constants:
// first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311)
// prettier-ignore
const SHA256_K = new Uint32Array([
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
]);
// Initial state (first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19):
// prettier-ignore
const IV = new Uint32Array([
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
]);
// Temporary buffer, not used to store anything between runs
// Named this way because it matches specification.
const SHA256_W = new Uint32Array(64);
class SHA256 extends SHA2 {
constructor() {
super(64, 32, 8, false);
// We cannot use array here since array allows indexing by variable
// which means optimizer/compiler cannot use registers.
this.A = IV[0] | 0;
this.B = IV[1] | 0;
this.C = IV[2] | 0;
this.D = IV[3] | 0;
this.E = IV[4] | 0;
this.F = IV[5] | 0;
this.G = IV[6] | 0;
this.H = IV[7] | 0;
}
get() {
const { A, B, C, D, E, F, G, H } = this;
return [A, B, C, D, E, F, G, H];
}
// prettier-ignore
set(A, B, C, D, E, F, G, H) {
this.A = A | 0;
this.B = B | 0;
this.C = C | 0;
this.D = D | 0;
this.E = E | 0;
this.F = F | 0;
this.G = G | 0;
this.H = H | 0;
}
process(view, offset) {
// Extend the first 16 words into the remaining 48 words w[16..63] of the message schedule array
for (let i = 0; i < 16; i++, offset += 4)
SHA256_W[i] = view.getUint32(offset, false);
for (let i = 16; i < 64; i++) {
const W15 = SHA256_W[i - 15];
const W2 = SHA256_W[i - 2];
const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3);
const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10);
SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0;
}
// Compression function main loop, 64 rounds
let { A, B, C, D, E, F, G, H } = this;
for (let i = 0; i < 64; i++) {
const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
const T2 = (sigma0 + Maj(A, B, C)) | 0;
H = G;
G = F;
F = E;
E = (D + T1) | 0;
D = C;
C = B;
B = A;
A = (T1 + T2) | 0;
}
// Add the compressed chunk to the current hash value
A = (A + this.A) | 0;
B = (B + this.B) | 0;
C = (C + this.C) | 0;
D = (D + this.D) | 0;
E = (E + this.E) | 0;
F = (F + this.F) | 0;
G = (G + this.G) | 0;
H = (H + this.H) | 0;
this.set(A, B, C, D, E, F, G, H);
}
roundClean() {
SHA256_W.fill(0);
}
destroy() {
this.set(0, 0, 0, 0, 0, 0, 0, 0);
this.buffer.fill(0);
}
}
/**
* SHA2-256 hash function
* @param message - data that would be hashed
*/
const sha256 = wrapConstructor(() => new SHA256());
// RFC 7914 Scrypt KDF
// Left rotate for uint32
const rotl = (a, b) => (a << b) | (a >>> (32 - b));
// The main Scrypt loop: uses Salsa extensively.
// Six versions of the function were tried, this is the fastest one.
// prettier-ignore
function XorAndSalsa(prev, pi, input, ii, out, oi) {
// Based on https://cr.yp.to/salsa20.html
// Xor blocks
let y00 = prev[pi++] ^ input[ii++], y01 = prev[pi++] ^ input[ii++];
let y02 = prev[pi++] ^ input[ii++], y03 = prev[pi++] ^ input[ii++];
let y04 = prev[pi++] ^ input[ii++], y05 = prev[pi++] ^ input[ii++];
let y06 = prev[pi++] ^ input[ii++], y07 = prev[pi++] ^ input[ii++];
let y08 = prev[pi++] ^ input[ii++], y09 = prev[pi++] ^ input[ii++];
let y10 = prev[pi++] ^ input[ii++], y11 = prev[pi++] ^ input[ii++];
let y12 = prev[pi++] ^ input[ii++], y13 = prev[pi++] ^ input[ii++];
let y14 = prev[pi++] ^ input[ii++], y15 = prev[pi++] ^ input[ii++];
// Save state to temporary variables (salsa)
let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
// Main loop (salsa)
for (let i = 0; i < 8; i += 2) {
x04 ^= rotl(x00 + x12 | 0, 7);
x08 ^= rotl(x04 + x00 | 0, 9);
x12 ^= rotl(x08 + x04 | 0, 13);
x00 ^= rotl(x12 + x08 | 0, 18);
x09 ^= rotl(x05 + x01 | 0, 7);
x13 ^= rotl(x09 + x05 | 0, 9);
x01 ^= rotl(x13 + x09 | 0, 13);
x05 ^= rotl(x01 + x13 | 0, 18);
x14 ^= rotl(x10 + x06 | 0, 7);
x02 ^= rotl(x14 + x10 | 0, 9);
x06 ^= rotl(x02 + x14 | 0, 13);
x10 ^= rotl(x06 + x02 | 0, 18);
x03 ^= rotl(x15 + x11 | 0, 7);
x07 ^= rotl(x03 + x15 | 0, 9);
x11 ^= rotl(x07 + x03 | 0, 13);
x15 ^= rotl(x11 + x07 | 0, 18);
x01 ^= rotl(x00 + x03 | 0, 7);
x02 ^= rotl(x01 + x00 | 0, 9);
x03 ^= rotl(x02 + x01 | 0, 13);
x00 ^= rotl(x03 + x02 | 0, 18);
x06 ^= rotl(x05 + x04 | 0, 7);
x07 ^= rotl(x06 + x05 | 0, 9);
x04 ^= rotl(x07 + x06 | 0, 13);
x05 ^= rotl(x04 + x07 | 0, 18);
x11 ^= rotl(x10 + x09 | 0, 7);
x08 ^= rotl(x11 + x10 | 0, 9);
x09 ^= rotl(x08 + x11 | 0, 13);
x10 ^= rotl(x09 + x08 | 0, 18);
x12 ^= rotl(x15 + x14 | 0, 7);
x13 ^= rotl(x12 + x15 | 0, 9);
x14 ^= rotl(x13 + x12 | 0, 13);
x15 ^= rotl(x14 + x13 | 0, 18);
}
// Write output (salsa)
out[oi++] = (y00 + x00) | 0;
out[oi++] = (y01 + x01) | 0;
out[oi++] = (y02 + x02) | 0;
out[oi++] = (y03 + x03) | 0;
out[oi++] = (y04 + x04) | 0;
out[oi++] = (y05 + x05) | 0;
out[oi++] = (y06 + x06) | 0;
out[oi++] = (y07 + x07) | 0;
out[oi++] = (y08 + x08) | 0;
out[oi++] = (y09 + x09) | 0;
out[oi++] = (y10 + x10) | 0;
out[oi++] = (y11 + x11) | 0;
out[oi++] = (y12 + x12) | 0;
out[oi++] = (y13 + x13) | 0;
out[oi++] = (y14 + x14) | 0;
out[oi++] = (y15 + x15) | 0;
}
function BlockMix(input, ii, out, oi, r) {
// The block B is r 128-byte chunks (which is equivalent of 2r 64-byte chunks)
let head = oi + 0;
let tail = oi + 16 * r;
for (let i = 0; i < 16; i++)
out[tail + i] = input[ii + (2 * r - 1) * 16 + i]; // X ← B[2r1]
for (let i = 0; i < r; i++, head += 16, ii += 16) {
// We write odd & even Yi at same time. Even: 0bXXXXX0 Odd: 0bXXXXX1
XorAndSalsa(out, tail, input, ii, out, head); // head[i] = Salsa(blockIn[2*i] ^ tail[i-1])
if (i > 0)
tail += 16; // First iteration overwrites tmp value in tail
XorAndSalsa(out, head, input, (ii += 16), out, tail); // tail[i] = Salsa(blockIn[2*i+1] ^ head[i])
}
}
// Common prologue and epilogue for sync/async functions
function scryptInit(password, salt, _opts) {
// Maxmem - 1GB+1KB by default
const opts = checkOpts({
dkLen: 32,
asyncTick: 10,
maxmem: 1024 ** 3 + 1024,
}, _opts);
const { N, r, p, dkLen, asyncTick, maxmem, onProgress } = opts;
assert.number(N);
assert.number(r);
assert.number(p);
assert.number(dkLen);
assert.number(asyncTick);
assert.number(maxmem);
if (onProgress !== undefined && typeof onProgress !== 'function')
throw new Error('progressCb should be function');
const blockSize = 128 * r;
const blockSize32 = blockSize / 4;
if (N <= 1 || (N & (N - 1)) !== 0 || N >= 2 ** (blockSize / 8) || N > 2 ** 32) {
// NOTE: we limit N to be less than 2**32 because of 32 bit variant of Integrify function
// There is no JS engines that allows alocate more than 4GB per single Uint8Array for now, but can change in future.
throw new Error('Scrypt: N must be larger than 1, a power of 2, less than 2^(128 * r / 8) and less than 2^32');
}
if (p < 0 || p > ((2 ** 32 - 1) * 32) / blockSize) {
throw new Error('Scrypt: p must be a positive integer less than or equal to ((2^32 - 1) * 32) / (128 * r)');
}
if (dkLen < 0 || dkLen > (2 ** 32 - 1) * 32) {
throw new Error('Scrypt: dkLen should be positive integer less than or equal to (2^32 - 1) * 32');
}
const memUsed = blockSize * (N + p);
if (memUsed > maxmem) {
throw new Error(`Scrypt: parameters too large, ${memUsed} (128 * r * (N + p)) > ${maxmem} (maxmem)`);
}
// [B0...Bp1] ← PBKDF2HMAC-SHA256(Passphrase, Salt, 1, blockSize*ParallelizationFactor)
// Since it has only one iteration there is no reason to use async variant
const B = pbkdf2$1(sha256, password, salt, { c: 1, dkLen: blockSize * p });
const B32 = u32(B);
// Re-used between parallel iterations. Array(iterations) of B
const V = u32(new Uint8Array(blockSize * N));
const tmp = u32(new Uint8Array(blockSize));
let blockMixCb = () => { };
if (onProgress) {
const totalBlockMix = 2 * N * p;
// Invoke callback if progress changes from 10.01 to 10.02
// Allows to draw smooth progress bar on up to 8K screen
const callbackPer = Math.max(Math.floor(totalBlockMix / 10000), 1);
let blockMixCnt = 0;
blockMixCb = () => {
blockMixCnt++;
if (onProgress && (!(blockMixCnt % callbackPer) || blockMixCnt === totalBlockMix))
onProgress(blockMixCnt / totalBlockMix);
};
}
return { N, r, p, dkLen, blockSize32, V, B32, B, tmp, blockMixCb, asyncTick };
}
function scryptOutput(password, dkLen, B, V, tmp) {
const res = pbkdf2$1(sha256, password, B, { c: 1, dkLen });
B.fill(0);
V.fill(0);
tmp.fill(0);
return res;
}
/**
* Scrypt KDF from RFC 7914.
* @param password - pass
* @param salt - salt
* @param opts - parameters
* - `N` is cpu/mem work factor (power of 2 e.g. 2**18)
* - `r` is block size (8 is common), fine-tunes sequential memory read size and performance
* - `p` is parallelization factor (1 is common)
* - `dkLen` is output key length in bytes e.g. 32.
* - `asyncTick` - (default: 10) max time in ms for which async function can block execution
* - `maxmem` - (default: `1024 ** 3 + 1024` aka 1GB+1KB). A limit that the app could use for scrypt
* - `onProgress` - callback function that would be executed for progress report
* @returns Derived key
*/
function scrypt$1(password, salt, opts) {
const { N, r, p, dkLen, blockSize32, V, B32, B, tmp, blockMixCb } = scryptInit(password, salt, opts);
for (let pi = 0; pi < p; pi++) {
const Pi = blockSize32 * pi;
for (let i = 0; i < blockSize32; i++)
V[i] = B32[Pi + i]; // V[0] = B[i]
for (let i = 0, pos = 0; i < N - 1; i++) {
BlockMix(V, pos, V, (pos += blockSize32), r); // V[i] = BlockMix(V[i-1]);
blockMixCb();
}
BlockMix(V, (N - 1) * blockSize32, B32, Pi, r); // Process last element
blockMixCb();
for (let i = 0; i < N; i++) {
// First u32 of the last 64-byte block (u32 is LE)
const j = B32[Pi + blockSize32 - 16] % N; // j = Integrify(X) % iterations
for (let k = 0; k < blockSize32; k++)
tmp[k] = B32[Pi + k] ^ V[j * blockSize32 + k]; // tmp = B ^ V[j]
BlockMix(tmp, 0, B32, Pi, r); // B = BlockMix(B ^ V[j])
blockMixCb();
}
}
return scryptOutput(password, dkLen, B, V, tmp);
}
/**
* Scrypt KDF from RFC 7914.
*/
async function scryptAsync(password, salt, opts) {
const { N, r, p, dkLen, blockSize32, V, B32, B, tmp, blockMixCb, asyncTick } = scryptInit(password, salt, opts);
for (let pi = 0; pi < p; pi++) {
const Pi = blockSize32 * pi;
for (let i = 0; i < blockSize32; i++)
V[i] = B32[Pi + i]; // V[0] = B[i]
let pos = 0;
await asyncLoop(N - 1, asyncTick, (i) => {
BlockMix(V, pos, V, (pos += blockSize32), r); // V[i] = BlockMix(V[i-1]);
blockMixCb();
});
BlockMix(V, (N - 1) * blockSize32, B32, Pi, r); // Process last element
blockMixCb();
await asyncLoop(N, asyncTick, (i) => {
// First u32 of the last 64-byte block (u32 is LE)
const j = B32[Pi + blockSize32 - 16] % N; // j = Integrify(X) % iterations
for (let k = 0; k < blockSize32; k++)
tmp[k] = B32[Pi + k] ^ V[j * blockSize32 + k]; // tmp = B ^ V[j]
BlockMix(tmp, 0, B32, Pi, r); // B = BlockMix(B ^ V[j])
blockMixCb();
});
}
return scryptOutput(password, dkLen, B, V, tmp);
}
// Round contants (first 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409):
// prettier-ignore
const [SHA512_Kh, SHA512_Kl] = u64.split([
'0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58189dbbc',
'0x3956c25bf348b538', '0x59f111f1b605d019', '0x923f82a4af194f9b', '0xab1c5ed5da6d8118',
'0xd807aa98a3030242', '0x12835b0145706fbe', '0x243185be4ee4b28c', '0x550c7dc3d5ffb4e2',
'0x72be5d74f27b896f', '0x80deb1fe3b1696b1', '0x9bdc06a725c71235', '0xc19bf174cf692694',
'0xe49b69c19ef14ad2', '0xefbe4786384f25e3', '0x0fc19dc68b8cd5b5', '0x240ca1cc77ac9c65',
'0x2de92c6f592b0275', '0x4a7484aa6ea6e483', '0x5cb0a9dcbd41fbd4', '0x76f988da831153b5',
'0x983e5152ee66dfab', '0xa831c66d2db43210', '0xb00327c898fb213f', '0xbf597fc7beef0ee4',
'0xc6e00bf33da88fc2', '0xd5a79147930aa725', '0x06ca6351e003826f', '0x142929670a0e6e70',
'0x27b70a8546d22ffc', '0x2e1b21385c26c926', '0x4d2c6dfc5ac42aed', '0x53380d139d95b3df',
'0x650a73548baf63de', '0x766a0abb3c77b2a8', '0x81c2c92e47edaee6', '0x92722c851482353b',
'0xa2bfe8a14cf10364', '0xa81a664bbc423001', '0xc24b8b70d0f89791', '0xc76c51a30654be30',
'0xd192e819d6ef5218', '0xd69906245565a910', '0xf40e35855771202a', '0x106aa07032bbd1b8',
'0x19a4c116b8d2d0c8', '0x1e376c085141ab53', '0x2748774cdf8eeb99', '0x34b0bcb5e19b48a8',
'0x391c0cb3c5c95a63', '0x4ed8aa4ae3418acb', '0x5b9cca4f7763e373', '0x682e6ff3d6b2b8a3',
'0x748f82ee5defb2fc', '0x78a5636f43172f60', '0x84c87814a1f0ab72', '0x8cc702081a6439ec',
'0x90befffa23631e28', '0xa4506cebde82bde9', '0xbef9a3f7b2c67915', '0xc67178f2e372532b',
'0xca273eceea26619c', '0xd186b8c721c0c207', '0xeada7dd6cde0eb1e', '0xf57d4f7fee6ed178',
'0x06f067aa72176fba', '0x0a637dc5a2c898a6', '0x113f9804bef90dae', '0x1b710b35131c471b',
'0x28db77f523047d84', '0x32caab7b40c72493', '0x3c9ebe0a15c9bebc', '0x431d67c49c100d4c',
'0x4cc5d4becb3e42b6', '0x597f299cfc657e2a', '0x5fcb6fab3ad6faec', '0x6c44198c4a475817'
].map(n => BigInt(n)));
// Temporary buffer, not used to store anything between runs
const SHA512_W_H = new Uint32Array(80);
const SHA512_W_L = new Uint32Array(80);
class SHA512 extends SHA2 {
constructor() {
super(128, 64, 16, false);
// We cannot use array here since array allows indexing by variable which means optimizer/compiler cannot use registers.
// Also looks cleaner and easier to verify with spec.
// Initial state (first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19):
// h -- high 32 bits, l -- low 32 bits
this.Ah = 0x6a09e667 | 0;
this.Al = 0xf3bcc908 | 0;
this.Bh = 0xbb67ae85 | 0;
this.Bl = 0x84caa73b | 0;
this.Ch = 0x3c6ef372 | 0;
this.Cl = 0xfe94f82b | 0;
this.Dh = 0xa54ff53a | 0;
this.Dl = 0x5f1d36f1 | 0;
this.Eh = 0x510e527f | 0;
this.El = 0xade682d1 | 0;
this.Fh = 0x9b05688c | 0;
this.Fl = 0x2b3e6c1f | 0;
this.Gh = 0x1f83d9ab | 0;
this.Gl = 0xfb41bd6b | 0;
this.Hh = 0x5be0cd19 | 0;
this.Hl = 0x137e2179 | 0;
}
// prettier-ignore
get() {
const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
}
// prettier-ignore
set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
this.Ah = Ah | 0;
this.Al = Al | 0;
this.Bh = Bh | 0;
this.Bl = Bl | 0;
this.Ch = Ch | 0;
this.Cl = Cl | 0;
this.Dh = Dh | 0;
this.Dl = Dl | 0;
this.Eh = Eh | 0;
this.El = El | 0;
this.Fh = Fh | 0;
this.Fl = Fl | 0;
this.Gh = Gh | 0;
this.Gl = Gl | 0;
this.Hh = Hh | 0;
this.Hl = Hl | 0;
}
process(view, offset) {
// Extend the first 16 words into the remaining 64 words w[16..79] of the message schedule array
for (let i = 0; i < 16; i++, offset += 4) {
SHA512_W_H[i] = view.getUint32(offset);
SHA512_W_L[i] = view.getUint32((offset += 4));
}
for (let i = 16; i < 80; i++) {
// s0 := (w[i-15] rightrotate 1) xor (w[i-15] rightrotate 8) xor (w[i-15] rightshift 7)
const W15h = SHA512_W_H[i - 15] | 0;
const W15l = SHA512_W_L[i - 15] | 0;
const s0h = u64.rotrSH(W15h, W15l, 1) ^ u64.rotrSH(W15h, W15l, 8) ^ u64.shrSH(W15h, W15l, 7);
const s0l = u64.rotrSL(W15h, W15l, 1) ^ u64.rotrSL(W15h, W15l, 8) ^ u64.shrSL(W15h, W15l, 7);
// s1 := (w[i-2] rightrotate 19) xor (w[i-2] rightrotate 61) xor (w[i-2] rightshift 6)
const W2h = SHA512_W_H[i - 2] | 0;
const W2l = SHA512_W_L[i - 2] | 0;
const s1h = u64.rotrSH(W2h, W2l, 19) ^ u64.rotrBH(W2h, W2l, 61) ^ u64.shrSH(W2h, W2l, 6);
const s1l = u64.rotrSL(W2h, W2l, 19) ^ u64.rotrBL(W2h, W2l, 61) ^ u64.shrSL(W2h, W2l, 6);
// SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];
const SUMl = u64.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
const SUMh = u64.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);
SHA512_W_H[i] = SUMh | 0;
SHA512_W_L[i] = SUMl | 0;
}
let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
// Compression function main loop, 80 rounds
for (let i = 0; i < 80; i++) {
// S1 := (e rightrotate 14) xor (e rightrotate 18) xor (e rightrotate 41)
const sigma1h = u64.rotrSH(Eh, El, 14) ^ u64.rotrSH(Eh, El, 18) ^ u64.rotrBH(Eh, El, 41);
const sigma1l = u64.rotrSL(Eh, El, 14) ^ u64.rotrSL(Eh, El, 18) ^ u64.rotrBL(Eh, El, 41);
//const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
const CHIh = (Eh & Fh) ^ (~Eh & Gh);
const CHIl = (El & Fl) ^ (~El & Gl);
// T1 = H + sigma1 + Chi(E, F, G) + SHA512_K[i] + SHA512_W[i]
// prettier-ignore
const T1ll = u64.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);
const T1h = u64.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);
const T1l = T1ll | 0;
// S0 := (a rightrotate 28) xor (a rightrotate 34) xor (a rightrotate 39)
const sigma0h = u64.rotrSH(Ah, Al, 28) ^ u64.rotrBH(Ah, Al, 34) ^ u64.rotrBH(Ah, Al, 39);
const sigma0l = u64.rotrSL(Ah, Al, 28) ^ u64.rotrBL(Ah, Al, 34) ^ u64.rotrBL(Ah, Al, 39);
const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);
const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);
Hh = Gh | 0;
Hl = Gl | 0;
Gh = Fh | 0;
Gl = Fl | 0;
Fh = Eh | 0;
Fl = El | 0;
({ h: Eh, l: El } = u64.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
Dh = Ch | 0;
Dl = Cl | 0;
Ch = Bh | 0;
Cl = Bl | 0;
Bh = Ah | 0;
Bl = Al | 0;
const All = u64.add3L(T1l, sigma0l, MAJl);
Ah = u64.add3H(All, T1h, sigma0h, MAJh);
Al = All | 0;
}
// Add the compressed chunk to the current hash value
({ h: Ah, l: Al } = u64.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
({ h: Bh, l: Bl } = u64.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
({ h: Ch, l: Cl } = u64.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
({ h: Dh, l: Dl } = u64.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
({ h: Eh, l: El } = u64.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
({ h: Fh, l: Fl } = u64.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
({ h: Gh, l: Gl } = u64.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
({ h: Hh, l: Hl } = u64.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
}
roundClean() {
SHA512_W_H.fill(0);
SHA512_W_L.fill(0);
}
destroy() {
this.buffer.fill(0);
this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
}
}
class SHA512_256 extends SHA512 {
constructor() {
super();
// h -- high 32 bits, l -- low 32 bits
this.Ah = 0x22312194 | 0;
this.Al = 0xfc2bf72c | 0;
this.Bh = 0x9f555fa3 | 0;
this.Bl = 0xc84c64c2 | 0;
this.Ch = 0x2393b86b | 0;
this.Cl = 0x6f53b151 | 0;
this.Dh = 0x96387719 | 0;
this.Dl = 0x5940eabd | 0;
this.Eh = 0x96283ee2 | 0;
this.El = 0xa88effe3 | 0;
this.Fh = 0xbe5e1e25 | 0;
this.Fl = 0x53863992 | 0;
this.Gh = 0x2b0199fc | 0;
this.Gl = 0x2c85b8aa | 0;
this.Hh = 0x0eb72ddc | 0;
this.Hl = 0x81c52ca2 | 0;
this.outputLen = 32;
}
}
class SHA384 extends SHA512 {
constructor() {
super();
// h -- high 32 bits, l -- low 32 bits
this.Ah = 0xcbbb9d5d | 0;
this.Al = 0xc1059ed8 | 0;
this.Bh = 0x629a292a | 0;
this.Bl = 0x367cd507 | 0;
this.Ch = 0x9159015a | 0;
this.Cl = 0x3070dd17 | 0;
this.Dh = 0x152fecd8 | 0;
this.Dl = 0xf70e5939 | 0;
this.Eh = 0x67332667 | 0;
this.El = 0xffc00b31 | 0;
this.Fh = 0x8eb44a87 | 0;
this.Fl = 0x68581511 | 0;
this.Gh = 0xdb0c2e0d | 0;
this.Gl = 0x64f98fa7 | 0;
this.Hh = 0x47b5481d | 0;
this.Hl = 0xbefa4fa4 | 0;
this.outputLen = 48;
}
}
const sha512 = wrapConstructor(() => new SHA512());
wrapConstructor(() => new SHA512_256());
wrapConstructor(() => new SHA384());
// Various per round constants calculations
const [SHA3_PI, SHA3_ROTL, _SHA3_IOTA] = [[], [], []];
var _0n = BigInt(0);
var _1n = BigInt(1);
var _2n = BigInt(2);
var _7n = BigInt(7);
const _256n = BigInt(256);
const _0x71n = BigInt(0x71);
for (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {
// Pi
[x, y] = [y, (2 * x + 3 * y) % 5];
SHA3_PI.push(2 * (5 * y + x));
// Rotational
SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);
// Iota
let t = _0n;
for (let j = 0; j < 7; j++) {
R = ((R << _1n) ^ ((R >> _7n) * _0x71n)) % _256n;
if (R & _2n)
t ^= _1n << ((_1n << BigInt(j)) - _1n);
}
_SHA3_IOTA.push(t);
}
const [SHA3_IOTA_H, SHA3_IOTA_L] = u64.split(_SHA3_IOTA, true);
// Left rotation (without 0, 32, 64)
const rotlH = (h, l, s) => s > 32 ? u64.rotlBH(h, l, s) : u64.rotlSH(h, l, s);
const rotlL = (h, l, s) => s > 32 ? u64.rotlBL(h, l, s) : u64.rotlSL(h, l, s);
// Same as keccakf1600, but allows to skip some rounds
function keccakP(s, rounds = 24) {
const B = new Uint32Array(5 * 2);
// NOTE: all indices are x2 since we store state as u32 instead of u64 (bigints to slow in js)
for (let round = 24 - rounds; round < 24; round++) {
// Theta θ
for (let x = 0; x < 10; x++)
B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
for (let x = 0; x < 10; x += 2) {
const idx1 = (x + 8) % 10;
const idx0 = (x + 2) % 10;
const B0 = B[idx0];
const B1 = B[idx0 + 1];
const Th = rotlH(B0, B1, 1) ^ B[idx1];
const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
for (let y = 0; y < 50; y += 10) {
s[x + y] ^= Th;
s[x + y + 1] ^= Tl;
}
}
// Rho (ρ) and Pi (π)
let curH = s[2];
let curL = s[3];
for (let t = 0; t < 24; t++) {
const shift = SHA3_ROTL[t];
const Th = rotlH(curH, curL, shift);
const Tl = rotlL(curH, curL, shift);
const PI = SHA3_PI[t];
curH = s[PI];
curL = s[PI + 1];
s[PI] = Th;
s[PI + 1] = Tl;
}
// Chi (χ)
for (let y = 0; y < 50; y += 10) {
for (let x = 0; x < 10; x++)
B[x] = s[y + x];
for (let x = 0; x < 10; x++)
s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
}
// Iota (ι)
s[0] ^= SHA3_IOTA_H[round];
s[1] ^= SHA3_IOTA_L[round];
}
B.fill(0);
}
class Keccak extends Hash {
// NOTE: we accept arguments in bytes instead of bits here.
constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
super();
this.blockLen = blockLen;
this.suffix = suffix;
this.outputLen = outputLen;
this.enableXOF = enableXOF;
this.rounds = rounds;
this.pos = 0;
this.posOut = 0;
this.finished = false;
this.destroyed = false;
// Can be passed from user as dkLen
assert.number(outputLen);
// 1600 = 5x5 matrix of 64bit. 1600 bits === 200 bytes
if (0 >= this.blockLen || this.blockLen >= 200)
throw new Error('Sha3 supports only keccak-f1600 function');
this.state = new Uint8Array(200);
this.state32 = u32(this.state);
}
keccak() {
keccakP(this.state32, this.rounds);
this.posOut = 0;
this.pos = 0;
}
update(data) {
assert.exists(this);
const { blockLen, state } = this;
data = toBytes(data);
const len = data.length;
for (let pos = 0; pos < len;) {
const take = Math.min(blockLen - this.pos, len - pos);
for (let i = 0; i < take; i++)
state[this.pos++] ^= data[pos++];
if (this.pos === blockLen)
this.keccak();
}
return this;
}
finish() {
if (this.finished)
return;
this.finished = true;
const { state, suffix, pos, blockLen } = this;
// Do the padding
state[pos] ^= suffix;
if ((suffix & 0x80) !== 0 && pos === blockLen - 1)
this.keccak();
state[blockLen - 1] ^= 0x80;
this.keccak();
}
writeInto(out) {
assert.exists(this, false);
assert.bytes(out);
this.finish();
const bufferOut = this.state;
const { blockLen } = this;
for (let pos = 0, len = out.length; pos < len;) {
if (this.posOut >= blockLen)
this.keccak();
const take = Math.min(blockLen - this.posOut, len - pos);
out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
this.posOut += take;
pos += take;
}
return out;
}
xofInto(out) {
// Sha3/Keccak usage with XOF is probably mistake, only SHAKE instances can do XOF
if (!this.enableXOF)
throw new Error('XOF is not possible for this instance');
return this.writeInto(out);
}
xof(bytes) {
assert.number(bytes);
return this.xofInto(new Uint8Array(bytes));
}
digestInto(out) {
assert.output(out, this);
if (this.finished)
throw new Error('digest() was already called');
this.writeInto(out);
this.destroy();
return out;
}
digest() {
return this.digestInto(new Uint8Array(this.outputLen));
}
destroy() {
this.destroyed = true;
this.state.fill(0);
}
_cloneInto(to) {
const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
to || (to = new Keccak(blockLen, suffix, outputLen, enableXOF, rounds));
to.state32.set(this.state32);
to.pos = this.pos;
to.posOut = this.posOut;
to.finished = this.finished;
to.rounds = rounds;
// Suffix can change in cSHAKE
to.suffix = suffix;
to.outputLen = outputLen;
to.enableXOF = enableXOF;
to.destroyed = this.destroyed;
return to;
}
}
const gen = (suffix, blockLen, outputLen) => wrapConstructor(() => new Keccak(blockLen, suffix, outputLen));
const sha3_224 = gen(0x06, 144, 224 / 8);
/**
* SHA3-256 hash function
* @param message - that would be hashed
*/
const sha3_256 = gen(0x06, 136, 256 / 8);
const sha3_384 = gen(0x06, 104, 384 / 8);
const sha3_512 = gen(0x06, 72, 512 / 8);
const keccak_224 = gen(0x01, 144, 224 / 8);
/**
* keccak-256 hash function. Different from SHA3-256.
* @param message - that would be hashed
*/
const keccak_256 = gen(0x01, 136, 256 / 8);
const keccak_384 = gen(0x01, 104, 384 / 8);
const keccak_512 = gen(0x01, 72, 512 / 8);
const genShake = (suffix, blockLen, outputLen) => wrapConstructorWithOpts((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === undefined ? outputLen : opts.dkLen, true));
genShake(0x1f, 168, 128 / 8);
genShake(0x1f, 136, 256 / 8);
// cSHAKE && KMAC (NIST SP800-185)
function leftEncode(n) {
const res = [n & 0xff];
n >>= 8;
for (; n > 0; n >>= 8)
res.unshift(n & 0xff);
res.unshift(res.length);
return new Uint8Array(res);
}
function rightEncode(n) {
const res = [n & 0xff];
n >>= 8;
for (; n > 0; n >>= 8)
res.unshift(n & 0xff);
res.push(res.length);
return new Uint8Array(res);
}
function chooseLen(opts, outputLen) {
return opts.dkLen === undefined ? outputLen : opts.dkLen;
}
const toBytesOptional = (buf) => (buf !== undefined ? toBytes(buf) : new Uint8Array([]));
// NOTE: second modulo is necessary since we don't need to add padding if current element takes whole block
const getPadding = (len, block) => new Uint8Array((block - (len % block)) % block);
// Personalization
function cshakePers(hash, opts = {}) {
if (!opts || (!opts.personalization && !opts.NISTfn))
return hash;
// Encode and pad inplace to avoid unneccesary memory copies/slices (so we don't need to zero them later)
// bytepad(encode_string(N) || encode_string(S), 168)
const blockLenBytes = leftEncode(hash.blockLen);
const fn = toBytesOptional(opts.NISTfn);
const fnLen = leftEncode(8 * fn.length); // length in bits
const pers = toBytesOptional(opts.personalization);
const persLen = leftEncode(8 * pers.length); // length in bits
if (!fn.length && !pers.length)
return hash;
hash.suffix = 0x04;
hash.update(blockLenBytes).update(fnLen).update(fn).update(persLen).update(pers);
let totalLen = blockLenBytes.length + fnLen.length + fn.length + persLen.length + pers.length;
hash.update(getPadding(totalLen, hash.blockLen));
return hash;
}
const gencShake = (suffix, blockLen, outputLen) => wrapConstructorWithOpts((opts = {}) => cshakePers(new Keccak(blockLen, suffix, chooseLen(opts, outputLen), true), opts));
const cshake128 = gencShake(0x1f, 168, 128 / 8);
const cshake256 = gencShake(0x1f, 136, 256 / 8);
class KMAC extends Keccak {
constructor(blockLen, outputLen, enableXOF, key, opts = {}) {
super(blockLen, 0x1f, outputLen, enableXOF);
cshakePers(this, { NISTfn: 'KMAC', personalization: opts.personalization });
key = toBytes(key);
// 1. newX = bytepad(encode_string(K), 168) || X || right_encode(L).
const blockLenBytes = leftEncode(this.blockLen);
const keyLen = leftEncode(8 * key.length);
this.update(blockLenBytes).update(keyLen).update(key);
const totalLen = blockLenBytes.length + keyLen.length + key.length;
this.update(getPadding(totalLen, this.blockLen));
}
finish() {
if (!this.finished)
this.update(rightEncode(this.enableXOF ? 0 : this.outputLen * 8)); // outputLen in bits
super.finish();
}
_cloneInto(to) {
// Create new instance without calling constructor since key already in state and we don't know it.
// Force "to" to be instance of KMAC instead of Sha3.
if (!to) {
to = Object.create(Object.getPrototypeOf(this), {});
to.state = this.state.slice();
to.blockLen = this.blockLen;
to.state32 = u32(to.state);
}
return super._cloneInto(to);
}
clone() {
return this._cloneInto();
}
}
function genKmac(blockLen, outputLen, xof = false) {
const kmac = (key, message, opts) => kmac.create(key, opts).update(message).digest();
kmac.create = (key, opts = {}) => new KMAC(blockLen, chooseLen(opts, outputLen), xof, key, opts);
return kmac;
}
const kmac128 = genKmac(168, 128 / 8);
const kmac256 = genKmac(136, 256 / 8);
genKmac(168, 128 / 8, true);
genKmac(136, 256 / 8, true);
// Kangaroo
// Same as NIST rightEncode, but returns [0] for zero string
function rightEncodeK12(n) {
const res = [];
for (; n > 0; n >>= 8)
res.unshift(n & 0xff);
res.push(res.length);
return new Uint8Array(res);
}
const EMPTY = new Uint8Array([]);
class KangarooTwelve extends Keccak {
constructor(blockLen, leafLen, outputLen, rounds, opts) {
super(blockLen, 0x07, outputLen, true, rounds);
this.leafLen = leafLen;
this.chunkLen = 8192;
this.chunkPos = 0; // Position of current block in chunk
this.chunksDone = 0; // How many chunks we already have
const { personalization } = opts;
this.personalization = toBytesOptional(personalization);
}
update(data) {
data = toBytes(data);
const { chunkLen, blockLen, leafLen, rounds } = this;
for (let pos = 0, len = data.length; pos < len;) {
if (this.chunkPos == chunkLen) {
if (this.leafHash)
super.update(this.leafHash.digest());
else {
this.suffix = 0x06; // Its safe to change suffix here since its used only in digest()
super.update(new Uint8Array([3, 0, 0, 0, 0, 0, 0, 0]));
}
this.leafHash = new Keccak(blockLen, 0x0b, leafLen, false, rounds);
this.chunksDone++;
this.chunkPos = 0;
}
const take = Math.min(chunkLen - this.chunkPos, len - pos);
const chunk = data.subarray(pos, pos + take);
if (this.leafHash)
this.leafHash.update(chunk);
else
super.update(chunk);
this.chunkPos += take;
pos += take;
}
return this;
}
finish() {
if (this.finished)
return;
const { personalization } = this;
this.update(personalization).update(rightEncodeK12(personalization.length));
// Leaf hash
if (this.leafHash) {
super.update(this.leafHash.digest());
super.update(rightEncodeK12(this.chunksDone));
super.update(new Uint8Array([0xff, 0xff]));
}
super.finish.call(this);
}
destroy() {
super.destroy.call(this);
if (this.leafHash)
this.leafHash.destroy();
// We cannot zero personalization buffer since it is user provided and we don't want to mutate user input
this.personalization = EMPTY;
}
_cloneInto(to) {
const { blockLen, leafLen, leafHash, outputLen, rounds } = this;
to || (to = new KangarooTwelve(blockLen, leafLen, outputLen, rounds, {}));
super._cloneInto(to);
if (leafHash)
to.leafHash = leafHash._cloneInto(to.leafHash);
to.personalization.set(this.personalization);
to.leafLen = this.leafLen;
to.chunkPos = this.chunkPos;
to.chunksDone = this.chunksDone;
return to;
}
clone() {
return this._cloneInto();
}
}
// Default to 32 bytes, so it can be used without opts
const k12 = wrapConstructorWithOpts((opts = {}) => new KangarooTwelve(168, 32, chooseLen(opts, 32), 12, opts));
// MarsupilamiFourteen
const m14 = wrapConstructorWithOpts((opts = {}) => new KangarooTwelve(136, 64, chooseLen(opts, 64), 14, opts));
// A tiny KDF for various applications like AES key-gen
const SCRYPT_FACTOR = 2 ** 19;
const PBKDF2_FACTOR = 2 ** 17;
// Scrypt KDF
function scrypt(password, salt) {
return scrypt$1(password, salt, { N: SCRYPT_FACTOR, r: 8, p: 1, dkLen: 32 });
}
// PBKDF2-HMAC-SHA256
function pbkdf2(password, salt) {
return pbkdf2$1(sha256, password, salt, { c: PBKDF2_FACTOR, dkLen: 32 });
}
// Combines two 32-byte byte arrays
function xor32(a, b) {
bytes(a, 32);
bytes(b, 32);
const arr = new Uint8Array(32);
for (let i = 0; i < 32; i++) {
arr[i] = a[i] ^ b[i];
}
return arr;
}
function strHasLength(str, min, max) {
return typeof str === 'string' && str.length >= min && str.length <= max;
}
/**
* Derives main seed. Takes a lot of time. Prefer `eskdf` method instead.
*/
function deriveMainSeed(username, password) {
if (!strHasLength(username, 8, 255))
throw new Error('invalid username');
if (!strHasLength(password, 8, 255))
throw new Error('invalid password');
const scr = scrypt(password + '\u{1}', username + '\u{1}');
const pbk = pbkdf2(password + '\u{2}', username + '\u{2}');
const res = xor32(scr, pbk);
scr.fill(0);
pbk.fill(0);
return res;
}
/**
* Converts protocol & accountId pair to HKDF salt & info params.
*/
function getSaltInfo(protocol, accountId = 0) {
// Note that length here also repeats two lines below
// We do an additional length check here to reduce the scope of DoS attacks
if (!(strHasLength(protocol, 3, 15) && /^[a-z0-9]{3,15}$/.test(protocol))) {
throw new Error('invalid protocol');
}
// Allow string account ids for some protocols
const allowsStr = /^password\d{0,3}|ssh|tor|file$/.test(protocol);
let salt; // Extract salt. Default is undefined.
if (typeof accountId === 'string') {
if (!allowsStr)
throw new Error('accountId must be a number');
if (!strHasLength(accountId, 1, 255))
throw new Error('accountId must be valid string');
salt = toBytes(accountId);
}
else if (Number.isSafeInteger(accountId)) {
if (accountId < 0 || accountId > 2 ** 32 - 1)
throw new Error('invalid accountId');
// Convert to Big Endian Uint32
salt = new Uint8Array(4);
createView(salt).setUint32(0, accountId, false);
}
else {
throw new Error(`accountId must be a number${allowsStr ? ' or string' : ''}`);
}
const info = toBytes(protocol);
return { salt, info };
}
function countBytes(num) {
if (typeof num !== 'bigint' || num <= BigInt(128))
throw new Error('invalid number');
return Math.ceil(num.toString(2).length / 8);
}
/**
* Parses keyLength and modulus options to extract length of result key.
* If modulus is used, adds 64 bits to it as per FIPS 186 B.4.1 to combat modulo bias.
*/
function getKeyLength(options) {
if (!options || typeof options !== 'object')
return 32;
const hasLen = 'keyLength' in options;
const hasMod = 'modulus' in options;
if (hasLen && hasMod)
throw new Error('cannot combine keyLength and modulus options');
if (!hasLen && !hasMod)
throw new Error('must have either keyLength or modulus option');
// FIPS 186 B.4.1 requires at least 64 more bits
const l = hasMod ? countBytes(options.modulus) + 8 : options.keyLength;
if (!(typeof l === 'number' && l >= 16 && l <= 8192))
throw new Error('invalid keyLength');
return l;
}
/**
* Converts key to bigint and divides it by modulus. Big Endian.
* Implements FIPS 186 B.4.1, which removes 0 and modulo bias from output.
*/
function modReduceKey(key, modulus) {
const _1 = BigInt(1);
const num = BigInt('0x' + bytesToHex(key)); // check for ui8a, then bytesToNumber()
const res = (num % (modulus - _1)) + _1; // Remove 0 from output
if (res < _1)
throw new Error('expected positive number'); // Guard against bad values
const len = key.length - 8; // FIPS requires 64 more bits = 8 bytes
const hex = res.toString(16).padStart(len * 2, '0'); // numberToHex()
const bytes = hexToBytes(hex);
if (bytes.length !== len)
throw new Error('invalid length of result key');
return bytes;
}
/**
* ESKDF
* @param username - username, email, or identifier, min: 8 characters, should have enough entropy
* @param password - password, min: 8 characters, should have enough entropy
* @example
* const kdf = await eskdf('example-university', 'beginning-new-example');
* const key = kdf.deriveChildKey('aes', 0);
* console.log(kdf.fingerprint);
* kdf.expire();
*/
async function eskdf(username, password) {
// We are using closure + object instead of class because
// we want to make `seed` non-accessible for any external function.
let seed = deriveMainSeed(username, password);
function deriveCK(protocol, accountId = 0, options) {
bytes(seed, 32);
// Validates protocol & accountId
const { salt, info } = getSaltInfo(protocol, accountId);
// Validates options
const keyLength = getKeyLength(options);
const key = hkdf(sha256, seed, salt, info, keyLength);
// Modulus has already been validated
return options && 'modulus' in options ? modReduceKey(key, options.modulus) : key;
}
function expire() {
if (seed)
seed.fill(1);
seed = undefined;
}
// prettier-ignore
const fingerprint = Array.from(deriveCK('fingerprint', 0))
.slice(0, 6)
.map((char) => char.toString(16).padStart(2, '0').toUpperCase())
.join(':');
return Object.freeze({ deriveChildKey: deriveCK, expire, fingerprint });
}
// var utils = { bytesToHex, randomBytes }; CHECK THIS
var sha256_1 = {};//require("@noble/hashes/sha256");
sha256_1.sha256 = sha256;
var hmac_1 = {}; // require("@noble/hashes/hmac");
hmac_1.hmac = hmac;
var ripemd160_1 = {}; // require("@noble/hashes/ripemd160");
ripemd160_1.ripemd160 = ripemd160;
hashmini.blake2b = blake2b;
hashmini.blake2s = blake2s;
hashmini.blake3 = blake3;
hashmini.cshake128 = cshake128;
hashmini.cshake256 = cshake256;
hashmini.eskdf = eskdf;
hashmini.hkdf = hkdf;
hashmini.hmac = hmac;
hashmini.k12 = k12;
hashmini.keccak_224 = keccak_224;
hashmini.keccak_256 = keccak_256;
hashmini.keccak_384 = keccak_384;
hashmini.keccak_512 = keccak_512;
hashmini.kmac128 = kmac128;
hashmini.kmac256 = kmac256;
hashmini.m14 = m14;
hashmini.pbkdf2 = pbkdf2$1;
hashmini.pbkdf2Async = pbkdf2Async;
hashmini.ripemd160 = ripemd160;
hashmini.scrypt = scrypt$1;
hashmini.scryptAsync = scryptAsync;
hashmini.sha256 = sha256;
hashmini.sha3_224 = sha3_224;
hashmini.sha3_256 = sha3_256;
hashmini.sha3_384 = sha3_384;
hashmini.sha3_512 = sha3_512;
hashmini.sha512 = sha512;
hashmini.utils = utils;
Object.defineProperty(hashmini, '__esModule', { value: true });
/******
*
START OF MICRO PACKED SECTION
*
*
******/
var P = {};
/* //ROHIT THIS FUNCTION IS CREATING PROBLEMS
var __assign = (this && this.__assign) || function () {
__assign = Object.assign || function(t) {
for (var s, i = 1, n = arguments.length; i < n; i++) {
s = arguments[i];
for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
t[p] = s[p];
}
return t;
};
return __assign.apply(this, arguments);
};*/
//Alternative implementation through ChatGPT
var __assign = (this && this.__assign) || function () {
return Object.assign.apply(Object, arguments);
};
Object.defineProperty(P, "__esModule", { value: true });
P.magicBytes = P.magic = P.optional = P.flagged = P.flag = P.bytesFormatted = P.lazy = P.validate = P.apply = P.hex = P.cstring = P.string = P.bytes = P.bool = P.I8 = P.U8 = P.I16BE = P.I16LE = P.U16BE = P.U16LE = P.I32BE = P.I32LE = P.U32BE = P.U32LE = P.int = P.I64BE = P.I64LE = P.U64BE = P.U64LE = P.I128BE = P.I128LE = P.U128BE = P.U128LE = P.I256BE = P.I256LE = P.U256BE = P.U256LE = P.bigint = P.bits = P.coders = P.isCoder = P.wrap = P.checkBounds = P.Writer = P.Reader = P.isBytes = P.concatBytes = P.equalBytes = P.NULL = P.EMPTY = void 0;
P.debug = P.nothing = P.base64armor = P.pointer = P.padRight = P.padLeft = P.ZeroPad = P.bitset = P.mappedTag = P.tag = P.map = P.array = P.prefix = P.tuple = P.struct = P.constant = void 0;
//NOT NEEDED AFTTER INTEGRATION var base = require("@scure/base");
/**
* TODO:
* - Holes, simplify pointers. Hole is some sized element which is skipped at encoding,
* but later other elements can write to it by path
* - Composite / tuple keys for dict
* - Web UI for easier debugging. We can wrap every coder to something that would write
* start & end positions to; and we can colorize specific bytes used by specific coder
*/
// Useful default values
P.EMPTY = new Uint8Array(); // Empty bytes array
P.NULL = new Uint8Array([0]); // NULL
function equalBytes(a, b) {
if (a.length !== b.length)
return false;
for (var i = 0; i < a.length; i++)
if (a[i] !== b[i])
return false;
return true;
}
P.equalBytes = equalBytes;
function concatBytes() {
var arrays = [];
for (var _i = 0; _i < arguments.length; _i++) {
arrays[_i] = arguments[_i];
}
if (arrays.length === 1)
return arrays[0];
var length = arrays.reduce(function (a, arr) { return a + arr.length; }, 0);
var result = new Uint8Array(length);
for (var i = 0, pad = 0; i < arrays.length; i++) {
var arr = arrays[i];
result.set(arr, pad);
pad += arr.length;
}
return result;
}
P.concatBytes = concatBytes;
var isBytes = function (b) { return b instanceof Uint8Array; };
P.isBytes = isBytes;
// Utils
var Reader = /** @class */ (function () {
function Reader(data, path, fieldPath) {
if (path === void 0) { path = []; }
if (fieldPath === void 0) { fieldPath = []; }
this.data = data;
this.path = path;
this.fieldPath = fieldPath;
this.pos = 0;
this.hasPtr = false;
this.bitBuf = 0;
this.bitPos = 0;
}
Reader.prototype.err = function (msg) {
return new Error("Reader(".concat(this.fieldPath.join('/'), "): ").concat(msg));
};
// read bytes by absolute offset
Reader.prototype.absBytes = function (n) {
if (n > this.data.length)
throw new Error('absBytes: Unexpected end of buffer');
return this.data.subarray(n);
};
Reader.prototype.bytes = function (n, peek) {
if (peek === void 0) { peek = false; }
if (this.bitPos)
throw this.err('readBytes: bitPos not empty');
if (!Number.isFinite(n))
throw this.err("readBytes: wrong length=".concat(n));
if (this.pos + n > this.data.length)
throw this.err('readBytes: Unexpected end of buffer');
var slice = this.data.subarray(this.pos, this.pos + n);
if (!peek)
this.pos += n;
return slice;
};
Reader.prototype.byte = function (peek) {
if (peek === void 0) { peek = false; }
if (this.bitPos)
throw this.err('readByte: bitPos not empty');
return this.data[peek ? this.pos : this.pos++];
};
Object.defineProperty(Reader.prototype, "leftBytes", {
get: function () {
return this.data.length - this.pos;
},
enumerable: false,
configurable: true
});
Reader.prototype.isEnd = function () {
return this.pos >= this.data.length && !this.bitPos;
};
Reader.prototype.length = function (len) {
var byteLen;
if (isCoder(len))
byteLen = Number(len.decodeStream(this));
else if (typeof len === 'number')
byteLen = len;
else if (typeof len === 'string')
byteLen = getPath(this.path, len.split('/'));
if (typeof byteLen === 'bigint')
byteLen = Number(byteLen);
if (typeof byteLen !== 'number')
throw this.err("Wrong length: ".concat(byteLen));
return byteLen;
};
// Note: bits reads in BE (left to right) mode: (0b1000_0000).readBits(1) == 1
Reader.prototype.bits = function (bits) {
if (bits > 32)
throw this.err('BitReader: cannot read more than 32 bits in single call');
var out = 0;
while (bits) {
if (!this.bitPos) {
this.bitBuf = this.data[this.pos++];
this.bitPos = 8;
}
var take = Math.min(bits, this.bitPos);
this.bitPos -= take;
// out = (out << take) | ((this.bitBuf >> this.bitPos) & (Math.pow(2, take) - 1));
out = (out << take) | ((this.bitBuf >> this.bitPos) & (BigInt(2) ** BigInt(take) - 1));
// this.bitBuf &= Math.pow(2, this.bitPos) - 1;
this.bitBuf &= BigInt(2) ** BigInt(this.bitPos) - 1;
bits -= take;
}
// Fix signed integers
return out >>> 0;
};
Reader.prototype.find = function (needle, pos) {
if (pos === void 0) { pos = this.pos; }
if (!(0, P.isBytes)(needle))
throw this.err("find: needle is not bytes! ".concat(needle));
if (this.bitPos)
throw this.err('findByte: bitPos not empty');
if (!needle.length)
throw this.err("find: needle is empty");
// indexOf should be faster than full equalBytes check
for (var idx = pos; (idx = this.data.indexOf(needle[0], idx)) !== -1; idx++) {
if (idx === -1)
return;
var leftBytes = this.data.length - idx;
if (leftBytes < needle.length)
return;
if (equalBytes(needle, this.data.subarray(idx, idx + needle.length)))
return idx;
}
};
Reader.prototype.finish = function () {
if (this.isEnd() || this.hasPtr)
return;
throw this.err("".concat(this.leftBytes, " bytes ").concat(this.bitPos, " bits left after unpack: ").concat(base.hex.encode(this.data.slice(this.pos))));
};
Reader.prototype.fieldPathPush = function (s) {
this.fieldPath.push(s);
};
Reader.prototype.fieldPathPop = function () {
this.fieldPath.pop();
};
return Reader;
}());
P.Reader = Reader;
var Writer = /** @class */ (function () {
function Writer(path, fieldPath) {
if (path === void 0) { path = []; }
if (fieldPath === void 0) { fieldPath = []; }
this.path = path;
this.fieldPath = fieldPath;
this.buffers = [];
this.pos = 0;
this.ptrs = [];
this.bitBuf = 0;
this.bitPos = 0;
}
Writer.prototype.err = function (msg) {
return new Error("Writer(".concat(this.fieldPath.join('/'), "): ").concat(msg));
};
Writer.prototype.bytes = function (b) {
if (this.bitPos)
throw this.err('writeBytes: ends with non-empty bit buffer');
this.buffers.push(b);
this.pos += b.length;
};
Writer.prototype.byte = function (b) {
if (this.bitPos)
throw this.err('writeByte: ends with non-empty bit buffer');
this.buffers.push(new Uint8Array([b]));
this.pos++;
};
Object.defineProperty(Writer.prototype, "buffer", {
get: function () {
if (this.bitPos)
throw this.err('buffer: ends with non-empty bit buffer');
var buf = concatBytes.apply(void 0, this.buffers);
for (var _i = 0, _a = this.ptrs; _i < _a.length; _i++) {
var ptr = _a[_i];
var pos = buf.length;
buf = concatBytes(buf, ptr.buffer);
var val = ptr.ptr.encode(pos);
for (var i = 0; i < val.length; i++)
buf[ptr.pos + i] = val[i];
}
return buf;
},
enumerable: false,
configurable: true
});
Writer.prototype.length = function (len, value) {
if (len === null)
return;
if (isCoder(len))
return len.encodeStream(this, value);
var byteLen;
if (typeof len === 'number')
byteLen = len;
else if (typeof len === 'string')
byteLen = getPath(this.path, len.split('/'));
if (typeof byteLen === 'bigint')
byteLen = Number(byteLen);
if (byteLen === undefined || byteLen !== value)
throw this.err("Wrong length: ".concat(byteLen, " len=").concat(len, " exp=").concat(value));
};
Writer.prototype.bits = function (value, bits) {
if (bits > 32)
throw this.err('writeBits: cannot write more than 32 bits in single call');
// if (value >= Math.pow(2, bits))
if (value >= BigInt(2) ** BigInt(bits))
throw this.err("writeBits: value (".concat(value, ") >= 2**bits (").concat(bits, ")"));
while (bits) {
var take = Math.min(bits, 8 - this.bitPos);
this.bitBuf = (this.bitBuf << take) | (value >> (bits - take));
this.bitPos += take;
bits -= take;
// value &= Math.pow(2, bits) - 1;
value &= BigInt(2) ** BigInt(bits) - 1;
if (this.bitPos === 8) {
this.bitPos = 0;
this.buffers.push(new Uint8Array([this.bitBuf]));
this.pos++;
}
}
};
Writer.prototype.fieldPathPush = function (s) {
this.fieldPath.push(s);
};
Writer.prototype.fieldPathPop = function () {
this.fieldPath.pop();
};
return Writer;
}());
P.Writer = Writer;
// Immutable LE<->BE
var swap = function (b) { return Uint8Array.from(b).reverse(); };
function checkBounds(p, value, bits, signed) {
if (signed) {
// [-(2**(32-1)), 2**(32-1)-1]
// var signBit = Math.pow(2n, (bits - 1n));
var signBit = BigInt(2n) ** BigInt((bits - 1n));
if (value < -signBit || value >= signBit)
throw p.err('sInt: value out of bounds');
}
else {
// [0, 2**32-1]
// if (0n > value || value >= Math.pow(2n, bits))
if (0n > value || value >= BigInt(2n) ** BigInt(bits))//Math.pow(2n, bits))
throw p.err('uInt: value out of bounds');
}
}
P.checkBounds = checkBounds;
// Wrap stream encoder into generic encoder
function wrap(inner) {
return __assign(__assign({}, inner), {
encode: function (value) {
var w = new Writer();
inner.encodeStream(w, value);
return w.buffer;
}, decode: function (data) {
var r = new Reader(data);
var res = inner.decodeStream(r);
r.finish();
return res;
}
});
}
P.wrap = wrap;
function getPath(objPath, path) {
objPath = Array.from(objPath);
var i = 0;
for (; i < path.length; i++) {
if (path[i] === '..')
objPath.pop();
else
break;
}
var cur = objPath.pop();
for (; i < path.length; i++) {
if (!cur || cur[path[i]] === undefined)
return undefined;
cur = cur[path[i]];
}
return cur;
}
function isCoder(elm) {
return (typeof elm.encode === 'function' &&
typeof elm.encodeStream === 'function' &&
typeof elm.decode === 'function' &&
typeof elm.decodeStream === 'function');
}
P.isCoder = isCoder;
// Coders (like in @scure/base) for common operations
// TODO:
// - move to base? very generic converters, not releated to base and packed
// - encode/decode -> from/to? coder->convert?
function dict() {
return {
encode: function (from) {
var to = {};
for (var _i = 0, from_1 = from; _i < from_1.length; _i++) {
var _a = from_1[_i], name = _a[0], value = _a[1];
if (to[name] !== undefined)
throw new Error("coders.dict: same key(".concat(name, ") appears twice in struct"));
to[name] = value;
}
return to;
},
decode: function (to) { return Object.entries(to); },
};
}
// Safely converts bigint to number
// Sometimes pointers / tags use u64 or other big numbers which cannot be represented by number,
// but we still can use them since real value will be smaller than u32
var number = {
encode: function (from) {
if (from > BigInt(Number.MAX_SAFE_INTEGER))
throw new Error("coders.number: element bigger than MAX_SAFE_INTEGER=".concat(from));
return Number(from);
},
decode: function (to) { return BigInt(to); },
// decode: function (to) {if (!isNaN(to)) { return BigInt(to);} else { return to;} },
};
function tsEnum(e) {
return {
encode: function (from) { return e[from]; },
decode: function (to) { return e[to]; },
};
}
function decimal(precision) {
//var decimalMask = Math.pow(10n, BigInt(precision)); //CHECK THIS
var decimalMask = BitInt(10n) ** BigInt(precision);
return {
encode: function (from) {
var s = (from < 0n ? -from : from).toString(10);
var sep = s.length - precision;
if (sep < 0) {
s = s.padStart(s.length - sep, '0');
sep = 0;
}
var i = s.length - 1;
for (; i >= sep && s[i] === '0'; i--)
;
var _a = [s.slice(0, sep), s.slice(sep, i + 1)], int = _a[0], frac = _a[1];
if (!int)
int = '0';
if (from < 0n)
int = '-' + int;
if (!frac)
return int;
return "".concat(int, ".").concat(frac);
},
decode: function (to) {
var neg = false;
if (to.startsWith('-')) {
neg = true;
to = to.slice(1);
}
var sep = to.indexOf('.');
sep = sep === -1 ? to.length : sep;
var _a = [to.slice(0, sep), to.slice(sep + 1)], intS = _a[0], fracS = _a[1];
var int = BigInt(intS) * decimalMask;
var fracLen = Math.min(fracS.length, precision);
// var frac = BigInt(fracS.slice(0, fracLen)) * Math.pow(10n, BigInt(precision - fracLen));
var frac = BigInt(fracS.slice(0, fracLen)) * (BigInt(10n) ** BigInt(precision - fracLen));
var value = int + frac;
return neg ? -value : value;
},
};
}
/**
* Allows to split big conditional coders into a small one; also sort of parser combinator:
*
* `encode = [Ae, Be]; decode = [Ad, Bd]`
* ->
* `match([{encode: Ae, decode: Ad}, {encode: Be; decode: Bd}])`
*
* 1. It is easier to reason: encode/decode of specific part are closer to each other
* 2. Allows composable coders and ability to add conditions on runtime
* @param lst
* @returns
*/
function match(lst) {
return {
encode: function (from) {
for (var _i = 0, lst_1 = lst; _i < lst_1.length; _i++) {
var c = lst_1[_i];
var elm = c.encode(from);
if (elm !== undefined)
return elm;
}
throw new Error("match/encode: cannot find match in ".concat(from));
},
decode: function (to) {
for (var _i = 0, lst_2 = lst; _i < lst_2.length; _i++) {
var c = lst_2[_i];
var elm = c.decode(to);
if (elm !== undefined)
return elm;
}
throw new Error("match/decode: cannot find match in ".concat(to));
},
};
}
P.coders = { dict: dict, number: number, tsEnum: tsEnum, decimal: decimal, match: match };
// PackedCoders
var bits = function (len) {
return wrap({
encodeStream: function (w, value) { return w.bits(value, len); },
decodeStream: function (r) { return r.bits(len); },
});
};
P.bits = bits;
var bigint = function (size, le, signed) {
if (le === void 0) { le = false; }
if (signed === void 0) { signed = false; }
return wrap({
size: size,
encodeStream: function (w, value) {
if (typeof value !== 'number' && typeof value !== 'bigint')
throw w.err("bigint: invalid value: ".concat(value));
var _value = BigInt(value);
var bLen = BigInt(size);
checkBounds(w, _value, 8n * bLen, !!signed);
// var signBit = Math.pow(2n, (8n * bLen - 1n));
var signBit = BigInt(2n) ** BigInt(8n * bLen - 1n);
if (signed && _value < 0)
_value = _value | signBit;
var b = [];
for (var i = 0; i < size; i++) {
b.push(Number(_value & 255n));
_value >>= 8n;
}
var res = new Uint8Array(b).reverse();
w.bytes(le ? res.reverse() : res);
},
decodeStream: function (r) {
var bLen = BigInt(size);
var value = r.bytes(size);
if (le)
value = swap(value);
var b = swap(value);
//var signBit = Math.pow(2n, (8n * bLen - 1n));
var signBit = BigInt(2n) ** BigInt(8n * bLen - 1n);
var res = 0n;
for (var i = 0; i < b.length; i++)
res |= BigInt(b[i]) << (8n * BigInt(i));
if (signed && res & signBit)
res = (res ^ signBit) - signBit;
checkBounds(r, res, 8n * bLen, !!signed);
return res;
},
});
};
P.bigint = bigint;
P.U256LE = (0, P.bigint)(32, true);
P.U256BE = (0, P.bigint)(32, false);
P.I256LE = (0, P.bigint)(32, true, true);
P.I256BE = (0, P.bigint)(32, false, true);
P.U128LE = (0, P.bigint)(16, true);
P.U128BE = (0, P.bigint)(16, false);
P.I128LE = (0, P.bigint)(16, true, true);
P.I128BE = (0, P.bigint)(16, false, true);
P.U64LE = (0, P.bigint)(8, true);
P.U64BE = (0, P.bigint)(8, false);
P.I64LE = (0, P.bigint)(8, true, true);
P.I64BE = (0, P.bigint)(8, false, true);
var int = function (size, le, signed) {
if (le === void 0) { le = false; }
if (signed === void 0) { signed = false; }
if (size > 6)
throw new Error('int supports size up to 6 bytes (48 bits), for other use bigint');
return apply((0, P.bigint)(size, le, signed), P.coders.number);
};
P.int = int;
P.U32LE = (0, P.int)(4, true);
P.U32BE = (0, P.int)(4, false);
P.I32LE = (0, P.int)(4, true, true);
P.I32BE = (0, P.int)(4, false, true);
P.U16LE = (0, P.int)(2, true);
P.U16BE = (0, P.int)(2, false);
P.I16LE = (0, P.int)(2, true, true);
P.I16BE = (0, P.int)(2, false, true);
P.U8 = (0, P.int)(1, false);
P.I8 = (0, P.int)(1, false, true);
P.bool = wrap({
size: 1,
encodeStream: function (w, value) { return w.byte(value ? 1 : 0); },
decodeStream: function (r) {
var value = r.byte();
if (value !== 0 && value !== 1)
throw r.err("bool: invalid value ".concat(value));
return value === 1;
},
});
// Can be done w array, but specific implementation should be
// faster: no need to create js array of numbers.
var bytes = function (len, le) {
if (le === void 0) { le = false; }
return wrap({
size: typeof len === 'number' ? len : undefined,
encodeStream: function (w, value) {
if (!(0, P.isBytes)(value))
throw w.err("bytes: invalid value ".concat(value));
if (!(0, P.isBytes)(len))
w.length(len, value.length);
w.bytes(le ? swap(value) : value);
if ((0, P.isBytes)(len))
w.bytes(len);
},
decodeStream: function (r) {
var bytes;
if ((0, P.isBytes)(len)) {
var tPos = r.find(len);
if (!tPos)
throw r.err("bytes: cannot find terminator");
bytes = r.bytes(tPos - r.pos);
r.bytes(len.length);
}
else
bytes = r.bytes(len === null ? r.leftBytes : r.length(len));
return le ? swap(bytes) : bytes;
},
});
};
P.bytes = bytes;
var string = function (len, le) {
if (le === void 0) { le = false; }
var inner = (0, P.bytes)(len, le);
return wrap({
size: inner.size,
encodeStream: function (w, value) { return inner.encodeStream(w, base.utf8.decode(value)); },
decodeStream: function (r) { return base.utf8.encode(inner.decodeStream(r)); },
});
};
P.string = string;
P.cstring = (0, P.string)(P.NULL);
var hex = function (len, le, withZero) {
if (le === void 0) { le = false; }
if (withZero === void 0) { withZero = false; }
var inner = (0, P.bytes)(len, le);
return wrap({
size: inner.size,
encodeStream: function (w, value) {
if (withZero && !value.startsWith('0x'))
throw new Error('hex(withZero=true).encode input should start with 0x');
var bytes = base.hex.decode(withZero ? value.slice(2) : value);
return inner.encodeStream(w, bytes);
},
decodeStream: function (r) {
return (withZero ? '0x' : '') + base.hex.encode(inner.decodeStream(r));
},
});
};
P.hex = hex;
// Interoperability with base
function apply(inner, b) {
if (!isCoder(inner))
throw new Error("apply: invalid inner value ".concat(inner));
return wrap({
size: inner.size,
encodeStream: function (w, value) {
var innerValue;
try {
innerValue = b.decode(value);
}
catch (e) {
throw w.err('' + e);
}
return inner.encodeStream(w, innerValue);
},
decodeStream: function (r) {
var innerValue = inner.decodeStream(r);
try {
return b.encode(innerValue);
}
catch (e) {
throw r.err('' + e);
}
},
});
}
P.apply = apply;
// Additional check of values both on encode and decode steps.
// E.g. to force uint32 to be 1..10
function validate(inner, fn) {
if (!isCoder(inner))
throw new Error("validate: invalid inner value ".concat(inner));
return wrap({
size: inner.size,
encodeStream: function (w, value) { return inner.encodeStream(w, fn(value)); },
decodeStream: function (r) { return fn(inner.decodeStream(r)); },
});
}
P.validate = validate;
function lazy(fn) {
return wrap({
encodeStream: function (w, value) { return fn().encodeStream(w, value); },
decodeStream: function (r) { return fn().decodeStream(r); },
});
}
P.lazy = lazy;
var bytesFormatted = function (len, fmt, le) {
if (le === void 0) { le = false; }
var inner = (0, P.bytes)(len, le);
return wrap({
size: inner.size,
encodeStream: function (w, value) { return inner.encodeStream(w, base.bytes(fmt, value)); },
decodeStream: function (r) { return base.str(fmt, inner.decodeStream(r)); },
});
};
P.bytesFormatted = bytesFormatted;
// Returns true if some marker exists, otherwise false. Xor argument flips behaviour
var flag = function (flagValue, xor) {
if (xor === void 0) { xor = false; }
return wrap({
size: flagValue.length,
encodeStream: function (w, value) {
if (!!value !== xor)
w.bytes(flagValue);
},
decodeStream: function (r) {
var hasFlag = r.leftBytes >= flagValue.length;
if (hasFlag) {
hasFlag = equalBytes(r.bytes(flagValue.length, true), flagValue);
// Found flag, advance cursor position
if (hasFlag)
r.bytes(flagValue.length);
}
// hasFlag ^ xor
return hasFlag !== xor;
},
});
};
P.flag = flag;
// Decode/encode only if flag found
function flagged(path, inner, def) {
if (!isCoder(inner))
throw new Error("flagged: invalid inner value ".concat(inner));
return wrap({
encodeStream: function (w, value) {
if (typeof path === 'string') {
if (getPath(w.path, path.split('/')))
inner.encodeStream(w, value);
else if (def)
inner.encodeStream(w, def);
}
else {
path.encodeStream(w, !!value);
if (!!value)
inner.encodeStream(w, value);
else if (def)
inner.encodeStream(w, def);
}
},
decodeStream: function (r) {
var hasFlag = false;
if (typeof path === 'string')
hasFlag = getPath(r.path, path.split('/'));
else
hasFlag = path.decodeStream(r);
// If there is a flag -- decode and return value
if (hasFlag)
return inner.decodeStream(r);
else if (def)
inner.decodeStream(r);
},
});
}
P.flagged = flagged;
function optional(flag, inner, def) {
if (!isCoder(flag) || !isCoder(inner))
throw new Error("optional: invalid flag or inner value flag=".concat(flag, " inner=").concat(inner));
return wrap({
size: def !== undefined && flag.size && inner.size ? flag.size + inner.size : undefined,
encodeStream: function (w, value) {
flag.encodeStream(w, !!value);
if (value)
inner.encodeStream(w, value);
else if (def !== undefined)
inner.encodeStream(w, def);
},
decodeStream: function (r) {
if (flag.decodeStream(r))
return inner.decodeStream(r);
else if (def !== undefined)
inner.decodeStream(r);
},
});
}
P.optional = optional;
function magic(inner, constant, check) {
if (check === void 0) { check = true; }
if (!isCoder(inner))
throw new Error("flagged: invalid inner value ".concat(inner));
return wrap({
size: inner.size,
encodeStream: function (w, value) { return inner.encodeStream(w, constant); },
decodeStream: function (r) {
var value = inner.decodeStream(r);
if ((check && typeof value !== 'object' && value !== constant) ||
((0, P.isBytes)(constant) && !equalBytes(constant, value))) {
throw r.err("magic: invalid value: ".concat(value, " !== ").concat(constant));
}
return;
},
});
}
P.magic = magic;
var magicBytes = function (constant) {
var c = typeof constant === 'string' ? base.utf8.decode(constant) : constant;
return magic((0, P.bytes)(c.length), c);
};
P.magicBytes = magicBytes;
function constant(c) {
return wrap({
encodeStream: function (w, value) {
if (value !== c)
throw new Error("constant: invalid value ".concat(value, " (exp: ").concat(c, ")"));
},
decodeStream: function (r) { return c; },
});
}
P.constant = constant;
function sizeof(fields) {
var size = 0;
for (var _i = 0, fields_1 = fields; _i < fields_1.length; _i++) {
var f = fields_1[_i];
if (!f.size)
return;
size += f.size;
}
return size;
}
function struct(fields) {
if (Array.isArray(fields))
throw new Error('Packed.Struct: got array instead of object');
return wrap({
size: sizeof(Object.values(fields)),
encodeStream: function (w, value) {
if (typeof value !== 'object' || value === null)
throw w.err("struct: invalid value ".concat(value));
w.path.push(value);
for (var name in fields) {
w.fieldPathPush(name);
var field = fields[name];
field.encodeStream(w, value[name]);
w.fieldPathPop();
}
w.path.pop();
},
decodeStream: function (r) {
var res = {};
r.path.push(res);
for (var name in fields) {
r.fieldPathPush(name);
res[name] = fields[name].decodeStream(r);
r.fieldPathPop();
}
r.path.pop();
return res;
},
});
}
P.struct = struct;
function tuple(fields) {
if (!Array.isArray(fields))
throw new Error("Packed.Tuple: got ".concat(typeof fields, " instead of array"));
return wrap({
size: sizeof(fields),
encodeStream: function (w, value) {
if (!Array.isArray(value))
throw w.err("tuple: invalid value ".concat(value));
w.path.push(value);
for (var i = 0; i < fields.length; i++) {
w.fieldPathPush('' + i);
fields[i].encodeStream(w, value[i]);
w.fieldPathPop();
}
w.path.pop();
},
decodeStream: function (r) {
var res = [];
r.path.push(res);
for (var i = 0; i < fields.length; i++) {
r.fieldPathPush('' + i);
res.push(fields[i].decodeStream(r));
r.fieldPathPop();
}
r.path.pop();
return res;
},
});
}
P.tuple = tuple;
function prefix(len, inner) {
if (!isCoder(inner))
throw new Error("prefix: invalid inner value ".concat(inner));
if ((0, P.isBytes)(len))
throw new Error("prefix: len cannot be Uint8Array");
var b = (0, P.bytes)(len);
return wrap({
size: typeof len === 'number' ? len : undefined,
encodeStream: function (w, value) {
var wChild = new Writer(w.path, w.fieldPath);
inner.encodeStream(wChild, value);
b.encodeStream(w, wChild.buffer);
},
decodeStream: function (r) {
var data = b.decodeStream(r);
return inner.decodeStream(new Reader(data, r.path, r.fieldPath));
},
});
}
P.prefix = prefix;
function array(len, inner) {
if (!isCoder(inner))
throw new Error("array: invalid inner value ".concat(inner));
return wrap({
size: typeof len === 'number' && inner.size ? len * inner.size : undefined,
encodeStream: function (w, value) {
if (!Array.isArray(value))
throw w.err("array: invalid value ".concat(value));
if (!(0, P.isBytes)(len))
w.length(len, value.length);
w.path.push(value);
for (var i = 0; i < value.length; i++) {
w.fieldPathPush('' + i);
var elm = value[i];
var startPos = w.pos;
inner.encodeStream(w, elm);
if ((0, P.isBytes)(len)) {
// Terminator is bigger than elm size, so skip
if (len.length > w.pos - startPos)
continue;
var data = w.buffer.subarray(startPos, w.pos);
// There is still possible case when multiple elements create terminator,
// but it is hard to catch here, will be very slow
if (equalBytes(data.subarray(0, len.length), len))
throw w.err("array: inner element encoding same as separator. elm=".concat(elm, " data=").concat(data));
}
w.fieldPathPop();
}
w.path.pop();
if ((0, P.isBytes)(len))
w.bytes(len);
},
decodeStream: function (r) {
var res = [];
if (len === null) {
var i = 0;
r.path.push(res);
while (!r.isEnd()) {
r.fieldPathPush('' + i++);
res.push(inner.decodeStream(r));
r.fieldPathPop();
if (inner.size && r.leftBytes < inner.size)
break;
}
r.path.pop();
}
else if ((0, P.isBytes)(len)) {
var i = 0;
r.path.push(res);
while (true) {
if (equalBytes(r.bytes(len.length, true), len)) {
// Advance cursor position if terminator found
r.bytes(len.length);
break;
}
r.fieldPathPush('' + i++);
res.push(inner.decodeStream(r));
r.fieldPathPop();
}
r.path.pop();
}
else {
r.fieldPathPush('arrayLen');
var length = r.length(len);
r.fieldPathPop();
r.path.push(res);
for (var i = 0; i < length; i++) {
r.fieldPathPush('' + i);
res.push(inner.decodeStream(r));
r.fieldPathPop();
}
r.path.pop();
}
return res;
},
});
}
P.array = array;
function map(inner, variants) {
if (!isCoder(inner))
throw new Error("map: invalid inner value ".concat(inner));
var variantNames = new Map();
for (var k in variants)
variantNames.set(variants[k], k);
return wrap({
size: inner.size,
encodeStream: function (w, value) {
if (typeof value !== 'string')
throw w.err("map: invalid value ".concat(value));
if (!(value in variants))
throw w.err("Map: unknown variant: ".concat(value));
inner.encodeStream(w, variants[value]);
},
decodeStream: function (r) {
var variant = inner.decodeStream(r);
var name = variantNames.get(variant);
if (name === undefined)
throw r.err("Enum: unknown value: ".concat(variant, " ").concat(Array.from(variantNames.keys())));
return name;
},
});
}
P.map = map;
function tag(tag, variants) {
if (!isCoder(tag))
throw new Error("tag: invalid tag value ".concat(tag));
return wrap({
size: tag.size,
encodeStream: function (w, value) {
var TAG = value.TAG, data = value.data;
var dataType = variants[TAG];
if (!dataType)
throw w.err("Tag: invalid tag ".concat(TAG.toString()));
tag.encodeStream(w, TAG);
dataType.encodeStream(w, data);
},
decodeStream: function (r) {
var TAG = tag.decodeStream(r);
var dataType = variants[TAG];
if (!dataType)
throw r.err("Tag: invalid tag ".concat(TAG));
return { TAG: TAG, data: dataType.decodeStream(r) };
},
});
}
P.tag = tag;
// Takes {name: [value, coder]}
function mappedTag(tagCoder, variants) {
if (!isCoder(tagCoder))
throw new Error("mappedTag: invalid tag value ".concat(tag));
var mapValue = {};
var tagValue = {};
for (var key in variants) {
mapValue[key] = variants[key][0];
tagValue[key] = variants[key][1];
}
return tag(map(tagCoder, mapValue), tagValue);
}
P.mappedTag = mappedTag;
function bitset(names, pad) {
if (pad === void 0) { pad = false; }
return wrap({
encodeStream: function (w, value) {
if (typeof value !== 'object' || value === null)
throw w.err("bitset: invalid value ".concat(value));
for (var i = 0; i < names.length; i++)
w.bits(+value[names[i]], 1);
if (pad && names.length % 8)
w.bits(0, 8 - (names.length % 8));
},
decodeStream: function (r) {
var out = {};
for (var i = 0; i < names.length; i++)
out[names[i]] = !!r.bits(1);
if (pad && names.length % 8)
r.bits(8 - (names.length % 8));
return out;
},
});
}
P.bitset = bitset;
var ZeroPad = function (_) { return 0; };
P.ZeroPad = ZeroPad;
function padLength(blockSize, len) {
if (len % blockSize === 0)
return 0;
return blockSize - (len % blockSize);
}
function padLeft(blockSize, inner, padFn) {
if (!isCoder(inner))
throw new Error("padLeft: invalid inner value ".concat(inner));
var _padFn = padFn || P.ZeroPad;
if (!inner.size)
throw new Error('padLeft with dynamic size argument is impossible');
return wrap({
size: inner.size + padLength(blockSize, inner.size),
encodeStream: function (w, value) {
var padBytes = padLength(blockSize, inner.size);
for (var i = 0; i < padBytes; i++)
w.byte(_padFn(i));
inner.encodeStream(w, value);
},
decodeStream: function (r) {
r.bytes(padLength(blockSize, inner.size));
return inner.decodeStream(r);
},
});
}
P.padLeft = padLeft;
function padRight(blockSize, inner, padFn) {
if (!isCoder(inner))
throw new Error("padRight: invalid inner value ".concat(inner));
var _padFn = padFn || P.ZeroPad;
return wrap({
size: inner.size ? inner.size + padLength(blockSize, inner.size) : undefined,
encodeStream: function (w, value) {
var pos = w.pos;
inner.encodeStream(w, value);
var padBytes = padLength(blockSize, w.pos - pos);
for (var i = 0; i < padBytes; i++)
w.byte(_padFn(i));
},
decodeStream: function (r) {
var start = r.pos;
var res = inner.decodeStream(r);
r.bytes(padLength(blockSize, r.pos - start));
return res;
},
});
}
P.padRight = padRight;
function pointer(ptr, inner, sized) {
if (sized === void 0) { sized = false; }
if (!isCoder(ptr))
throw new Error("pointer: invalid ptr value ".concat(ptr));
if (!isCoder(inner))
throw new Error("pointer: invalid inner value ".concat(inner));
if (!ptr.size)
throw new Error('Pointer: unsized ptr');
return wrap({
size: sized ? ptr.size : undefined,
encodeStream: function (w, value) {
var start = w.pos;
ptr.encodeStream(w, 0);
w.ptrs.push({ pos: start, ptr: ptr, buffer: inner.encode(value) });
},
decodeStream: function (r) {
var ptrVal = ptr.decodeStream(r);
// This check enforces termination of parser, if there is backwards pointers,
// then it is possible to create loop and cause DoS.
if (ptrVal < r.pos)
throw new Error('pointer.decodeStream pointer less than position');
r.hasPtr = true;
var rChild = new Reader(r.absBytes(ptrVal), r.path, r.fieldPath);
return inner.decodeStream(rChild);
},
});
}
P.pointer = pointer;
// lineLen: gpg=64, ssh=70
function base64armor(name, lineLen, inner, checksum) {
var markBegin = "-----BEGIN ".concat(name.toUpperCase(), "-----");
var markEnd = "-----END ".concat(name.toUpperCase(), "-----");
return {
encode: function (value) {
var data = inner.encode(value);
var encoded = base.base64.encode(data);
var lines = [];
for (var i = 0; i < encoded.length; i += lineLen) {
var s = encoded.slice(i, i + lineLen);
if (s.length)
lines.push("".concat(encoded.slice(i, i + lineLen), "\n"));
}
var body = lines.join('');
if (checksum)
body += "=".concat(base.base64.encode(checksum(data)), "\n");
return "".concat(markBegin, "\n\n").concat(body).concat(markEnd, "\n");
},
decode: function (s) {
var lines = s.replace(markBegin, '').replace(markEnd, '').trim().split('\n');
lines = lines.map(function (l) { return l.replace('\r', '').trim(); });
if (checksum && lines[lines.length - 1].startsWith('=')) {
var body = base.base64.decode(lines.slice(0, -1).join(''));
var cs = lines[lines.length - 1].slice(1);
var realCS = base.base64.encode(checksum(body));
if (realCS !== cs)
throw new Error("Base64Armor: invalid checksum ".concat(cs, " instead of ").concat(realCS));
return inner.decode(body);
}
return inner.decode(base.base64.decode(lines.join('')));
},
};
}
P.base64armor = base64armor;
// Does nothing at all
P.nothing = magic((0, P.bytes)(0), P.EMPTY);
function debug(inner) {
if (!isCoder(inner))
throw new Error("debug: invalid inner value ".concat(inner));
var log = function (name, rw, value) {
console.log("DEBUG/".concat(name, "(").concat(rw.fieldPath.join('/'), "):"), { type: typeof value, value: value });
return value;
};
return wrap({
size: inner.size,
encodeStream: function (w, value) { return inner.encodeStream(w, log('encode', w, value)); },
decodeStream: function (r) { return log('decode', r, inner.decodeStream(r)); },
});
}
P.debug = debug;
/******
*
START OF TAPROOT SECTION
*
*
******/
var __assign = (this && this.__assign) || function () {
__assign = Object.assign || function (t) {
for (var s, i = 1, n = arguments.length; i < n; i++) {
s = arguments[i];
for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
t[p] = s[p];
}
return t;
};
return __assign.apply(this, arguments);
};
var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
if (ar || !(i in from)) {
if (!ar) ar = Array.prototype.slice.call(from, 0, i);
ar[i] = from[i];
}
}
return to.concat(ar || Array.prototype.slice.call(from));
};
//var taproot = {};
Object.defineProperty(taproot, "__esModule", { value: true });
taproot.Transaction = taproot.tapLeafHash = taproot.TAP_LEAF_VERSION = taproot._sortPubkeys = taproot.SigHashCoder = taproot.SignatureHash = taproot.Address = taproot.WIF = taproot.parseWitnessProgram = taproot.programToWitness = taproot.OutScript = taproot.p2tr_ms = taproot.p2tr_pk = taproot.p2tr_ns = taproot.combinations = taproot.p2tr = taproot.TAPROOT_UNSPENDABLE_KEY = taproot.taprootListToTree = taproot.p2ms = taproot.p2wpkh = taproot.p2wsh = taproot.p2sh = taproot.p2pkh = taproot.p2pk = taproot.RawPSBTV2 = taproot.RawPSBTV0 = taproot._DebugPSBT = taproot._RawPSBTV2 = taproot._RawPSBTV0 = taproot.TaprootControlBlock = taproot.RawTx = taproot.RawWitness = taproot.RawOutput = taproot.RawInput = taproot.VarBytes = taproot.BTCArray = taproot.CompactSize = taproot.Script = taproot.OPNum = taproot.OP = taproot.cmp = taproot.decimal = taproot.DEFAULT_SEQUENCE = taproot.DEFAULT_LOCKTIME = taproot.DEFAULT_VERSION = taproot.PRECISION = taproot.NETWORK = taproot.taprootTweakPubkey = taproot.taprootTweakPrivKey = taproot.base58check = void 0;
taproot.PSBTCombine = taproot.bip32Path = taproot.sortedMultisig = taproot.multisig = taproot.getAddress = void 0;
/*! micro-btc-signer - MIT License (c) 2022 Paul Miller (paulmillr.com) */
/*****
// ALL OF THESE ARE INTEGRATED ABOVE
var secp = require("@noble/secp256k1");
var base = require("@scure/base");
var sha256_1 = require("@noble/hashes/sha256");
var hmac_1 = require("@noble/hashes/hmac");
var ripemd160_1 = require("@noble/hashes/ripemd160");
var P = require("micro-packed");
*****/
var hash160 = function (msg) { return (0, ripemd160_1.ripemd160)((0, sha256_1.sha256)(msg)); };
var sha256x2 = function () {
var msgs = [];
for (var _i = 0; _i < arguments.length; _i++) {
msgs[_i] = arguments[_i];
}
return (0, sha256_1.sha256)((0, sha256_1.sha256)(concat.apply(void 0, msgs)));
};
var concat = P.concatBytes;
// Make base58check work
taproot.base58check = base.base58check(sha256_1.sha256);
// Enable sync API for noble-secp256k1
secp.utils.hmacSha256Sync = function (key) {
var msgs = [];
for (var _i = 1; _i < arguments.length; _i++) {
msgs[_i - 1] = arguments[_i];
}
return (0, hmac_1.hmac)(sha256_1.sha256, key, concat.apply(void 0, msgs));
};
secp.utils.sha256Sync = function () {
var msgs = [];
for (var _i = 0; _i < arguments.length; _i++) {
msgs[_i] = arguments[_i];
}
return (0, sha256_1.sha256)(concat.apply(void 0, msgs));
};
var taggedHash = secp.utils.taggedHashSync;
var PubT;
(function (PubT) {
PubT[PubT["ecdsa"] = 0] = "ecdsa";
PubT[PubT["schnorr"] = 1] = "schnorr";
})(PubT || (PubT = {}));
var validatePubkey = function (pub, type) {
var len = pub.length;
if (type === PubT.ecdsa) {
if (len === 32)
throw new Error('Expected non-Schnorr key');
}
else if (type === PubT.schnorr) {
if (len !== 32)
throw new Error('Expected 32-byte Schnorr key');
}
else {
throw new Error('Unknown key type');
}
secp.Point.fromHex(pub); // does assertValidity
return pub;
};
function isValidPubkey(pub, type) {
try {
return !!validatePubkey(pub, type);
}
catch (e) {
return false;
}
}
// Not best way, but closest to bitcoin implementation (easier to check)
var hasLowR = function (sig) { return secp.Signature.fromHex(sig).toCompactRawBytes()[0] < 0x80; };
// TODO: move to @noble/secp256k1?
function signECDSA(hash, privateKey, lowR) {
if (lowR === void 0) { lowR = false; }
var sig = secp.signSync(hash, privateKey, { canonical: true });
if (lowR && !hasLowR(sig)) {
var extraEntropy = new Uint8Array(32);
for (var cnt = 0; cnt < Number.MAX_SAFE_INTEGER; cnt++) {
extraEntropy.set(P.U32LE.encode(cnt));
sig = secp.signSync(hash, privateKey, { canonical: true, extraEntropy: extraEntropy });
if (hasLowR(sig))
break;
}
}
return sig;
}
function taprootTweakPrivKey(privKey, merkleRoot) {
if (merkleRoot === void 0) { merkleRoot = new Uint8Array(); }
var n = secp.CURVE.n;
var priv = secp.utils._normalizePrivateKey(privKey);
var point = secp.Point.fromPrivateKey(priv);
var tweak = taggedHash('TapTweak', point.toRawX(), merkleRoot);
var privWithProperY = point.hasEvenY() ? priv : n - priv;
var tweaked = secp.utils.mod(privWithProperY + secp.utils._normalizePrivateKey(tweak), n);
return secp.utils._bigintTo32Bytes(tweaked);
}
taproot.taprootTweakPrivKey = taprootTweakPrivKey;
function taprootTweakPubkey(pubKey, h) {
var tweak = taggedHash('TapTweak', pubKey, h);
var tweaked = secp.Point.fromHex(pubKey).add(secp.Point.fromPrivateKey(tweak));
return [tweaked.toRawX(), !tweaked.hasEvenY()];
}
taproot.taprootTweakPubkey = taprootTweakPubkey;
// Can be 33 or 64 bytes
var PubKeyECDSA = P.validate(P.bytes(null), function (pub) { return validatePubkey(pub, PubT.ecdsa); });
var PubKeySchnorr = P.validate(P.bytes(32), function (pub) { return validatePubkey(pub, PubT.schnorr); });
var SignatureSchnorr = P.validate(P.bytes(null), function (sig) {
if (sig.length !== 64 && sig.length !== 65)
throw new Error('Schnorr signature should be 64 or 65 bytes long');
return sig;
});
function uniqPubkey(pubkeys) {
var map = {};
for (var _i = 0, pubkeys_1 = pubkeys; _i < pubkeys_1.length; _i++) {
var pub = pubkeys_1[_i];
var key = base.hex.encode(pub);
if (map[key])
throw new Error("Multisig: non-uniq pubkey: ".concat(pubkeys.map(base.hex.encode)));
map[key] = true;
}
}
taproot.NETWORK = {
bech32: 'bc',
pubKeyHash: 0x00,
scriptHash: 0x05,
wif: 0x80,
};
taproot.PRECISION = 8;
taproot.DEFAULT_VERSION = 2;
taproot.DEFAULT_LOCKTIME = 0;
taproot.DEFAULT_SEQUENCE = 4294967293;
var EMPTY32 = new Uint8Array(32);
// Utils
//ROHIT taproot.Decimal = 8;
//taproot.Decimal = P.coders.decimal(taproot.PRECISION);//CHECK THIS
var decimal = {};
decimal.decode = function (numberAsString) { return parseInt(numberAsString * 100000000) };
taproot.decimal = decimal;
class Decimal {
static decode(bitcoinAmount) {
const bitcoinInSatoshis = BigInt(Math.floor(parseFloat(bitcoinAmount) * 100000000));
return bitcoinInSatoshis;
}
static encode(satoshis) {
const bitcoinAmount = (Number(satoshis) / 100000000).toFixed(8);
return bitcoinAmount;
}
}
taproot.Decimal = Decimal;
function cmp(a, b) {
if (a instanceof Uint8Array && b instanceof Uint8Array) {
// -1 -> a<b, 0 -> a==b, 1 -> a>b
var len = Math.min(a.length, b.length);
for (var i = 0; i < len; i++)
if (a[i] != b[i])
return Math.sign(a[i] - b[i]);
return Math.sign(a.length - b.length);
}
else if (a instanceof Uint8Array || b instanceof Uint8Array)
throw new Error("cmp: wrong values a=".concat(a, " b=").concat(b));
if ((typeof a === 'bigint' && typeof b === 'number') ||
(typeof a === 'number' && typeof b === 'bigint')) {
a = BigInt(a);
b = BigInt(b);
}
if (a === undefined || b === undefined)
throw new Error("cmp: wrong values a=".concat(a, " b=").concat(b));
// Default js comparasion
return Number(a > b) - Number(a < b);
}
taproot.cmp = cmp;
// Coders
// prettier-ignore
var OP;
(function (OP) {
OP[OP["OP_0"] = 0] = "OP_0";
OP[OP["PUSHDATA1"] = 76] = "PUSHDATA1";
OP[OP["PUSHDATA2"] = 77] = "PUSHDATA2";
OP[OP["PUSHDATA4"] = 78] = "PUSHDATA4";
OP[OP["1NEGATE"] = 79] = "1NEGATE";
OP[OP["RESERVED"] = 80] = "RESERVED";
OP[OP["OP_1"] = 81] = "OP_1";
OP[OP["OP_2"] = 82] = "OP_2";
OP[OP["OP_3"] = 83] = "OP_3";
OP[OP["OP_4"] = 84] = "OP_4";
OP[OP["OP_5"] = 85] = "OP_5";
OP[OP["OP_6"] = 86] = "OP_6";
OP[OP["OP_7"] = 87] = "OP_7";
OP[OP["OP_8"] = 88] = "OP_8";
OP[OP["OP_9"] = 89] = "OP_9";
OP[OP["OP_10"] = 90] = "OP_10";
OP[OP["OP_11"] = 91] = "OP_11";
OP[OP["OP_12"] = 92] = "OP_12";
OP[OP["OP_13"] = 93] = "OP_13";
OP[OP["OP_14"] = 94] = "OP_14";
OP[OP["OP_15"] = 95] = "OP_15";
OP[OP["OP_16"] = 96] = "OP_16";
// Control
OP[OP["NOP"] = 97] = "NOP";
OP[OP["VER"] = 98] = "VER";
OP[OP["IF"] = 99] = "IF";
OP[OP["NOTIF"] = 100] = "NOTIF";
OP[OP["VERIF"] = 101] = "VERIF";
OP[OP["VERNOTIF"] = 102] = "VERNOTIF";
OP[OP["ELSE"] = 103] = "ELSE";
OP[OP["ENDIF"] = 104] = "ENDIF";
OP[OP["VERIFY"] = 105] = "VERIFY";
OP[OP["RETURN"] = 106] = "RETURN";
// Stack
OP[OP["TOALTSTACK"] = 107] = "TOALTSTACK";
OP[OP["FROMALTSTACK"] = 108] = "FROMALTSTACK";
OP[OP["2DROP"] = 109] = "2DROP";
OP[OP["2DUP"] = 110] = "2DUP";
OP[OP["3DUP"] = 111] = "3DUP";
OP[OP["2OVER"] = 112] = "2OVER";
OP[OP["2ROT"] = 113] = "2ROT";
OP[OP["2SWAP"] = 114] = "2SWAP";
OP[OP["IFDUP"] = 115] = "IFDUP";
OP[OP["DEPTH"] = 116] = "DEPTH";
OP[OP["DROP"] = 117] = "DROP";
OP[OP["DUP"] = 118] = "DUP";
OP[OP["NIP"] = 119] = "NIP";
OP[OP["OVER"] = 120] = "OVER";
OP[OP["PICK"] = 121] = "PICK";
OP[OP["ROLL"] = 122] = "ROLL";
OP[OP["ROT"] = 123] = "ROT";
OP[OP["SWAP"] = 124] = "SWAP";
OP[OP["TUCK"] = 125] = "TUCK";
// Splice
OP[OP["CAT"] = 126] = "CAT";
OP[OP["SUBSTR"] = 127] = "SUBSTR";
OP[OP["LEFT"] = 128] = "LEFT";
OP[OP["RIGHT"] = 129] = "RIGHT";
OP[OP["SIZE"] = 130] = "SIZE";
// Boolean logic
OP[OP["INVERT"] = 131] = "INVERT";
OP[OP["AND"] = 132] = "AND";
OP[OP["OR"] = 133] = "OR";
OP[OP["XOR"] = 134] = "XOR";
OP[OP["EQUAL"] = 135] = "EQUAL";
OP[OP["EQUALVERIFY"] = 136] = "EQUALVERIFY";
OP[OP["RESERVED1"] = 137] = "RESERVED1";
OP[OP["RESERVED2"] = 138] = "RESERVED2";
// Numbers
OP[OP["1ADD"] = 139] = "1ADD";
OP[OP["1SUB"] = 140] = "1SUB";
OP[OP["2MUL"] = 141] = "2MUL";
OP[OP["2DIV"] = 142] = "2DIV";
OP[OP["NEGATE"] = 143] = "NEGATE";
OP[OP["ABS"] = 144] = "ABS";
OP[OP["NOT"] = 145] = "NOT";
OP[OP["0NOTEQUAL"] = 146] = "0NOTEQUAL";
OP[OP["ADD"] = 147] = "ADD";
OP[OP["SUB"] = 148] = "SUB";
OP[OP["MUL"] = 149] = "MUL";
OP[OP["DIV"] = 150] = "DIV";
OP[OP["MOD"] = 151] = "MOD";
OP[OP["LSHIFT"] = 152] = "LSHIFT";
OP[OP["RSHIFT"] = 153] = "RSHIFT";
OP[OP["BOOLAND"] = 154] = "BOOLAND";
OP[OP["BOOLOR"] = 155] = "BOOLOR";
OP[OP["NUMEQUAL"] = 156] = "NUMEQUAL";
OP[OP["NUMEQUALVERIFY"] = 157] = "NUMEQUALVERIFY";
OP[OP["NUMNOTEQUAL"] = 158] = "NUMNOTEQUAL";
OP[OP["LESSTHAN"] = 159] = "LESSTHAN";
OP[OP["GREATERTHAN"] = 160] = "GREATERTHAN";
OP[OP["LESSTHANOREQUAL"] = 161] = "LESSTHANOREQUAL";
OP[OP["GREATERTHANOREQUAL"] = 162] = "GREATERTHANOREQUAL";
OP[OP["MIN"] = 163] = "MIN";
OP[OP["MAX"] = 164] = "MAX";
OP[OP["WITHIN"] = 165] = "WITHIN";
// Crypto
OP[OP["RIPEMD160"] = 166] = "RIPEMD160";
OP[OP["SHA1"] = 167] = "SHA1";
OP[OP["SHA256"] = 168] = "SHA256";
OP[OP["HASH160"] = 169] = "HASH160";
OP[OP["HASH256"] = 170] = "HASH256";
OP[OP["CODESEPARATOR"] = 171] = "CODESEPARATOR";
OP[OP["CHECKSIG"] = 172] = "CHECKSIG";
OP[OP["CHECKSIGVERIFY"] = 173] = "CHECKSIGVERIFY";
OP[OP["CHECKMULTISIG"] = 174] = "CHECKMULTISIG";
OP[OP["CHECKMULTISIGVERIFY"] = 175] = "CHECKMULTISIGVERIFY";
// Expansion
OP[OP["NOP1"] = 176] = "NOP1";
OP[OP["CHECKLOCKTIMEVERIFY"] = 177] = "CHECKLOCKTIMEVERIFY";
OP[OP["CHECKSEQUENCEVERIFY"] = 178] = "CHECKSEQUENCEVERIFY";
OP[OP["NOP4"] = 179] = "NOP4";
OP[OP["NOP5"] = 180] = "NOP5";
OP[OP["NOP6"] = 181] = "NOP6";
OP[OP["NOP7"] = 182] = "NOP7";
OP[OP["NOP8"] = 183] = "NOP8";
OP[OP["NOP9"] = 184] = "NOP9";
OP[OP["NOP10"] = 185] = "NOP10";
// BIP 342
OP[OP["CHECKSIGADD"] = 186] = "CHECKSIGADD";
// Invalid
OP[OP["INVALID"] = 255] = "INVALID";
})(OP = taproot.OP || (taproot.OP = {}));
// OP_\n to numeric value
// TODO: maybe add numbers to script parser for this case?
// prettier-ignore
var OPNum;
(function (OPNum) {
OPNum[OPNum["OP_0"] = 0] = "OP_0";
OPNum[OPNum["OP_1"] = 1] = "OP_1";
OPNum[OPNum["OP_2"] = 2] = "OP_2";
OPNum[OPNum["OP_3"] = 3] = "OP_3";
OPNum[OPNum["OP_4"] = 4] = "OP_4";
OPNum[OPNum["OP_5"] = 5] = "OP_5";
OPNum[OPNum["OP_6"] = 6] = "OP_6";
OPNum[OPNum["OP_7"] = 7] = "OP_7";
OPNum[OPNum["OP_8"] = 8] = "OP_8";
OPNum[OPNum["OP_9"] = 9] = "OP_9";
OPNum[OPNum["OP_10"] = 10] = "OP_10";
OPNum[OPNum["OP_11"] = 11] = "OP_11";
OPNum[OPNum["OP_12"] = 12] = "OP_12";
OPNum[OPNum["OP_13"] = 13] = "OP_13";
OPNum[OPNum["OP_14"] = 14] = "OP_14";
OPNum[OPNum["OP_15"] = 15] = "OP_15";
OPNum[OPNum["OP_16"] = 16] = "OP_16";
})(OPNum = taproot.OPNum || (taproot.OPNum = {}));
function OPtoNumber(op) {
if (typeof op === 'string' && OP[op] !== undefined && OPNum[op] !== undefined)
return OPNum[op];
}
// Converts script bytes to parsed script
// 5221030000000000000000000000000000000000000000000000000000000000000001210300000000000000000000000000000000000000000000000000000000000000022103000000000000000000000000000000000000000000000000000000000000000353ae
// =>
// OP_2
// 030000000000000000000000000000000000000000000000000000000000000001
// 030000000000000000000000000000000000000000000000000000000000000002
// 030000000000000000000000000000000000000000000000000000000000000003
// OP_3
// CHECKMULTISIG
// TODO: simplify like CompactSize?
taproot.Script = P.wrap({
encodeStream: function (w, value) {
for (var _i = 0, value_1 = value; _i < value_1.length; _i++) {
var o = value_1[_i];
if (typeof o === 'string') {
if (OP[o] === undefined)
throw new Error("Unknown opcode=".concat(o));
w.byte(OP[o]);
continue;
}
var len = o.length;
if (len < OP.PUSHDATA1)
w.byte(len);
else if (len <= 0xff) {
w.byte(OP.PUSHDATA1);
w.byte(len);
}
else if (len <= 0xffff) {
w.byte(OP.PUSHDATA2);
w.bytes(P.U16LE.encode(len));
}
else {
w.byte(OP.PUSHDATA4);
w.bytes(P.U32LE.encode(len));
}
w.bytes(o);
}
},
decodeStream: function (r) {
var out = [];
while (!r.isEnd()) {
var cur = r.byte();
// if 0 < cur < 78
if (OP.OP_0 < cur && cur <= OP.PUSHDATA4) {
var len = void 0;
if (cur < OP.PUSHDATA1)
len = cur;
else if (cur === OP.PUSHDATA1)
len = P.U8.decodeStream(r);
else if (cur === OP.PUSHDATA2)
len = P.U16LE.decodeStream(r);
else if (cur === OP.PUSHDATA4)
len = P.U32LE.decodeStream(r);
else
throw new Error('Should be not possible');
out.push(r.bytes(len));
}
else {
var op = OP[cur];
if (op === undefined)
throw new Error("Unknown opcode=".concat(cur.toString(16)));
out.push(op);
}
}
return out;
},
});
// BTC specific variable length integer encoding
// https://en.bitcoin.it/wiki/Protocol_documentation#Variable_length_integer
var CSLimits = {
0xfd: [0xfd, 2, 253n, 65535n],
0xfe: [0xfe, 4, 65536n, 4294967295n],
0xff: [0xff, 8, 4294967296n, 18446744073709551615n],
};
taproot.CompactSize = P.wrap({
encodeStream: function (w, value) {
if (typeof value === 'number')
value = BigInt(value);
if (0n <= value && value <= 252n)
return w.byte(Number(value));
for (var _i = 0, _a = Object.values(CSLimits); _i < _a.length; _i++) {
var _b = _a[_i], flag = _b[0], bytes = _b[1], start = _b[2], stop = _b[3];
if (start > value || value > stop)
continue;
w.byte(flag);
for (var i = 0; i < bytes; i++)
w.byte(Number((value >> (8n * BigInt(i))) & 0xffn));
return;
}
throw w.err("VarInt too big: ".concat(value));
},
decodeStream: function (r) {
var b0 = r.byte();
if (b0 <= 0xfc)
return BigInt(b0);
var _a = CSLimits[b0], _ = _a[0], bytes = _a[1], start = _a[2];
var num = 0n;
for (var i = 0; i < bytes; i++)
num |= BigInt(r.byte()) << (8n * BigInt(i));
if (num < start)
throw r.err("Wrong CompactSize(".concat(8 * bytes, ")"));
return num;
},
});
// Same thing, but in number instead of bigint. Checks for safe integer inside
var CompactSizeLen = P.apply(taproot.CompactSize, P.coders.number);
// Array of size <CompactSize>
var BTCArray = function (t) { return P.array(taproot.CompactSize, t); };
taproot.BTCArray = BTCArray;
// ui8a of size <CompactSize>
taproot.VarBytes = P.bytes(taproot.CompactSize);
taproot.RawInput = P.struct({
hash: P.bytes(32, true),
index: P.U32LE,
finalScriptSig: taproot.VarBytes,
sequence: P.U32LE, // ?
});
taproot.RawOutput = P.struct({ amount: P.U64LE, script: taproot.VarBytes });
var EMPTY_OUTPUT = {
amount: 0xffffffffffffffffn,
script: P.EMPTY,
};
// SegWit v0 stack of witness buffers
taproot.RawWitness = P.array(CompactSizeLen, taproot.VarBytes);
// https://en.bitcoin.it/wiki/Protocol_documentation#tx
// TODO: more tests. Unsigned tx has version=2 for some reason,
// probably we're exporting broken unsigned tx
// Related: https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki
var _RawTx = P.struct({
version: P.I32LE,
segwitFlag: P.flag(new Uint8Array([0x00, 0x01])),
inputs: (0, taproot.BTCArray)(taproot.RawInput),
outputs: (0, taproot.BTCArray)(taproot.RawOutput),
witnesses: P.flagged('segwitFlag', P.array('inputs/length', taproot.RawWitness)),
// Need to handle that?
// < 500000000 Block number at which this transaction is unlocked
// >= 500000000 UNIX timestamp at which this transaction is unlocked
lockTime: P.U32LE,
});
function validateRawTx(tx) {
if (tx.segwitFlag && tx.witnesses && !tx.witnesses.length)
throw new Error('Segwit flag with empty witnesses array');
return tx;
}
taproot.RawTx = P.validate(_RawTx, validateRawTx);
var BIP32Der = P.struct({
fingerprint: P.U32BE,
path: P.array(null, P.U32LE),
});
// <control byte with leaf version and parity bit> <internal key p> <C> <E> <AB>
var _TaprootControlBlock = P.struct({
version: P.U8,
internalKey: P.bytes(32),
merklePath: P.array(null, P.bytes(32)),
});
taproot.TaprootControlBlock = P.validate(_TaprootControlBlock, function (cb) {
if (cb.merklePath.length > 128)
throw new Error('TaprootControlBlock: merklePath should be of length 0..128 (inclusive)');
return cb;
});
var TaprootBIP32Der = P.struct({
hashes: P.array(CompactSizeLen, P.bytes(32)),
der: BIP32Der,
});
// {name: [tag, keyCoder, valueCoder]}
var PSBTGlobal = {
// TODO: RAW TX here
unsignedTx: [0x00, false, taproot.RawTx, [0], [2], [0]],
// The 78 byte serialized extended public key as defined by BIP 32.
xpub: [0x01, P.bytes(78), BIP32Der, [], [], [0, 2]],
txVersion: [0x02, false, P.U32LE, [2], [0], [2]],
fallbackLocktime: [0x03, false, P.U32LE, [], [0], [2]],
inputCount: [0x04, false, CompactSizeLen, [2], [0], [2]],
outputCount: [0x05, false, CompactSizeLen, [2], [0], [2]],
// bitfield
txModifiable: [0x06, false, P.U8, [], [0], [2]],
version: [0xfb, false, P.U32LE, [], [], [0, 2]],
// key = <identifierlen> <identifier> <subtype> <subkeydata>
propietary: [0xfc, P.bytes(null), P.bytes(null), [], [], [0, 2]],
};
var PSBTInput = {
nonWitnessUtxo: [0x00, false, taproot.RawTx, [], [], [0, 2]],
witnessUtxo: [0x01, false, taproot.RawOutput, [], [], [0, 2]],
partialSig: [0x02, PubKeyECDSA, P.bytes(null), [], [], [0, 2]],
sighashType: [0x03, false, P.U32LE, [], [], [0, 2]],
redeemScript: [0x04, false, P.bytes(null), [], [], [0, 2]],
witnessScript: [0x05, false, P.bytes(null), [], [], [0, 2]],
bip32Derivation: [0x06, PubKeyECDSA, BIP32Der, [], [], [0, 2]],
finalScriptSig: [0x07, false, P.bytes(null), [], [], [0, 2]],
finalScriptWitness: [0x08, false, taproot.RawWitness, [], [], [0, 2]],
porCommitment: [0x09, false, P.bytes(null), [], [], [0, 2]],
ripemd160: [0x0a, P.bytes(20), P.bytes(null), [], [], [0, 2]],
sha256: [0x0b, P.bytes(32), P.bytes(null), [], [], [0, 2]],
hash160: [0x0c, P.bytes(20), P.bytes(null), [], [], [0, 2]],
hash256: [0x0d, P.bytes(32), P.bytes(null), [], [], [0, 2]],
hash: [0x0e, false, P.bytes(32), [2], [0], [2]],
index: [0x0f, false, P.U32LE, [2], [0], [2]],
sequence: [0x10, false, P.U32LE, [], [0], [2]],
requiredTimeLocktime: [0x11, false, P.U32LE, [], [0], [2]],
requiredHeightLocktime: [0x12, false, P.U32LE, [], [0], [2]],
tapKeySig: [0x13, false, SignatureSchnorr, [], [], [0, 2]],
tapScriptSig: [
0x14,
P.struct({ pubKey: PubKeySchnorr, leafHash: P.bytes(32) }),
SignatureSchnorr,
[],
[],
[0, 2],
],
// value = <bytes script> <8-bit uint leaf version>
tapLeafScript: [0x15, taproot.TaprootControlBlock, P.bytes(null), [], [], [0, 2]],
tapBip32Derivation: [0x16, P.bytes(32), TaprootBIP32Der, [], [], [0, 2]],
tapInternalKey: [0x17, false, PubKeySchnorr, [], [], [0, 2]],
tapMerkleRoot: [0x18, false, P.bytes(32), [], [], [0, 2]],
propietary: [0xfc, P.bytes(null), P.bytes(null), [], [], [0, 2]],
};
// All other keys removed when finalizing
var PSBTInputFinalKeys = [
'hash',
'sequence',
'index',
'witnessUtxo',
'nonWitnessUtxo',
'finalScriptSig',
'finalScriptWitness',
'unknown',
];
// Can be modified even on signed input
var PSBTInputUnsignedKeys = [
'partialSig',
'finalScriptSig',
'finalScriptWitness',
'tapKeySig',
'tapScriptSig',
];
var PSBTOutput = {
redeemScript: [0x00, false, P.bytes(null), [], [], [0, 2]],
witnessScript: [0x01, false, P.bytes(null), [], [], [0, 2]],
bip32Derivation: [0x02, PubKeyECDSA, BIP32Der, [], [], [0, 2]],
amount: [0x03, false, P.I64LE, [2], [0], [2]],
script: [0x04, false, P.bytes(null), [2], [0], [2]],
tapInternalKey: [0x05, false, PubKeySchnorr, [], [], [0, 2]],
/*
{<8-bit uint depth> <8-bit uint leaf version> <compact size uint scriptlen> <bytes script>}*
*/
tapTree: [
0x06,
false,
P.array(null, P.struct({
depth: P.U8,
version: P.U8,
script: taproot.VarBytes,
})),
[],
[],
[0, 2],
],
tapBip32Derivation: [0x07, PubKeySchnorr, TaprootBIP32Der, [], [], [0, 2]],
propietary: [0xfc, P.bytes(null), P.bytes(null), [], [], [0, 2]],
};
// Can be modified even on signed input
var PSBTOutputUnsignedKeys = [];
var PSBTKeyPair = P.array(P.NULL, P.struct({
// <key> := <keylen> <keytype> <keydata> WHERE keylen = len(keytype)+len(keydata)
key: P.prefix(CompactSizeLen, P.struct({ type: CompactSizeLen, key: P.bytes(null) })),
// <value> := <valuelen> <valuedata>
value: P.bytes(CompactSizeLen),
}));
var PSBTUnknownKey = P.struct({ type: CompactSizeLen, key: P.bytes(null) });
// Key cannot be 'unknown', value coder cannot be array for elements with empty key
function PSBTKeyMap(psbtEnum) {
// -> Record<type, [keyName, ...coders]>
var byType = {};
for (var k in psbtEnum) {
var _a = psbtEnum[k], num = _a[0], kc = _a[1], vc = _a[2];
byType[num] = [k, kc, vc];
}
return P.wrap({
encodeStream: function (w, value) {
var out = [];
var _loop_1 = function (name) {
var val = value[name];
if (val === undefined)
return "continue";
var _c = psbtEnum[name], type_1 = _c[0], kc = _c[1], vc = _c[2];
if (!kc)
out.push({ key: { type: type_1, key: P.EMPTY }, value: vc.encode(val) });
else {
// TODO: check here if there is duplicate keys
var kv = val.map(function (_a) {
var k = _a[0], v = _a[1];
return [
kc.encode(k),
vc.encode(v),
];
});
// sort by keys
kv.sort(function (a, b) { return cmp(a[0], b[0]); });
for (var _d = 0, kv_1 = kv; _d < kv_1.length; _d++) {
var _e = kv_1[_d], key = _e[0], value_2 = _e[1];
out.push({ key: { key: key, type: type_1 }, value: value_2 });
}
}
};
// Because we use order of psbtEnum, keymap is sorted here
for (var name in psbtEnum) {
_loop_1(name);
}
if (value.unknown) {
value.unknown.sort(function (a, b) { return cmp(a[0], b[0]); });
for (var _i = 0, _a = value.unknown; _i < _a.length; _i++) {
var _b = _a[_i], k = _b[0], v = _b[1];
out.push({ key: PSBTUnknownKey.decode(k), value: v });
}
}
PSBTKeyPair.encodeStream(w, out);
},
decodeStream: function (r) {
var raw = PSBTKeyPair.decodeStream(r);
var out = {};
var noKey = {};
for (var _i = 0, raw_1 = raw; _i < raw_1.length; _i++) {
var elm = raw_1[_i];
var name = 'unknown';
var key = elm.key.key;
var value = elm.value;
if (byType[elm.key.type]) {
var _a = byType[elm.key.type], _name = _a[0], kc = _a[1], vc = _a[2];
name = _name;
if (!kc && key.length) {
throw new Error("PSBT: Non-empty key for ".concat(name, " (key=").concat(base.hex.encode(key), " value=").concat(base.hex.encode(value)));
}
key = kc ? kc.decode(key) : undefined;
value = vc.decode(value);
if (!kc) {
if (out[name])
throw new Error("PSBT: Same keys: ".concat(name, " (key=").concat(key, " value=").concat(value, ")"));
out[name] = value;
noKey[name] = true;
continue;
}
}
else {
// For unknown: add key type inside key
key = PSBTUnknownKey.encode({ type: elm.key.type, key: elm.key.key });
}
// Only keyed elements at this point
if (noKey[name])
throw new Error("PSBT: Key type with empty key and no key=".concat(name, " val=").concat(value));
if (!out[name])
out[name] = [];
out[name].push([key, value]);
}
return out;
},
});
}
// Basic sanity check for scripts
function checkWSH(s, witnessScript) {
if (!P.equalBytes(s.hash, (0, sha256_1.sha256)(witnessScript)))
throw new Error('checkScript: wsh wrong witnessScript hash');
var w = taproot.OutScript.decode(witnessScript);
if (w.type === 'tr' || w.type === 'tr_ns' || w.type === 'tr_ms')
throw new Error("checkScript: P2".concat(w.type, " cannot be wrapped in P2SH"));
if (w.type === 'wpkh' || w.type === 'sh')
throw new Error("checkScript: P2".concat(w.type, " cannot be wrapped in P2WSH"));
}
function checkScript(script, redeemScript, witnessScript) {
// TODO: revalidate
if (script) {
var s = taproot.OutScript.decode(script);
// TODO: ms||pk maybe work, but there will be no address
if (s.type === 'tr_ns' || s.type === 'tr_ms' || s.type === 'ms' || s.type == 'pk')
throw new Error("checkScript: non-wrapped ".concat(s.type));
if (s.type === 'sh' && redeemScript) {
if (!P.equalBytes(s.hash, hash160(redeemScript)))
throw new Error('checkScript: sh wrong redeemScript hash');
var r = taproot.OutScript.decode(redeemScript);
if (r.type === 'tr' || r.type === 'tr_ns' || r.type === 'tr_ms')
throw new Error("checkScript: P2".concat(r.type, " cannot be wrapped in P2SH"));
// Not sure if this unspendable, but we cannot represent this via PSBT
if (r.type === 'sh')
throw new Error('checkScript: P2SH cannot be wrapped in P2SH');
}
if (s.type === 'wsh' && witnessScript)
checkWSH(s, witnessScript);
}
if (redeemScript) {
var r = taproot.OutScript.decode(redeemScript);
if (r.type === 'wsh' && witnessScript)
checkWSH(r, witnessScript);
}
}
var PSBTInputCoder = P.validate(PSBTKeyMap(PSBTInput), function (i) {
if (i.finalScriptWitness && !i.finalScriptWitness.length)
throw new Error('validateInput: wmpty finalScriptWitness');
//if (i.finalScriptSig && !i.finalScriptSig.length) throw new Error('validateInput: empty finalScriptSig');
if (i.partialSig && !i.partialSig.length)
throw new Error('Empty partialSig');
if (i.partialSig)
for (var _i = 0, _a = i.partialSig; _i < _a.length; _i++) {
var _b = _a[_i], k = _b[0], v = _b[1];
validatePubkey(k, PubT.ecdsa);
}
if (i.bip32Derivation)
for (var _c = 0, _d = i.bip32Derivation; _c < _d.length; _c++) {
var _e = _d[_c], k = _e[0], v = _e[1];
validatePubkey(k, PubT.ecdsa);
}
// Locktime = unsigned little endian integer greater than or equal to 500000000 representing
if (i.requiredTimeLocktime !== undefined && i.requiredTimeLocktime < 500000000)
throw new Error("validateInput: wrong timeLocktime=".concat(i.requiredTimeLocktime));
// unsigned little endian integer greater than 0 and less than 500000000
if (i.requiredHeightLocktime !== undefined &&
(i.requiredHeightLocktime <= 0 || i.requiredHeightLocktime >= 500000000))
throw new Error("validateInput: wrong heighLocktime=".concat(i.requiredHeightLocktime));
if (i.nonWitnessUtxo && i.index !== undefined) {
var last = i.nonWitnessUtxo.outputs.length - 1;
if (i.index > last)
throw new Error("validateInput: index(".concat(i.index, ") not in nonWitnessUtxo"));
var prevOut = i.nonWitnessUtxo.outputs[i.index];
if (i.witnessUtxo &&
(!P.equalBytes(i.witnessUtxo.script, prevOut.script) ||
i.witnessUtxo.amount !== prevOut.amount))
throw new Error('validateInput: witnessUtxo different from nonWitnessUtxo');
}
if (i.tapLeafScript) {
// tap leaf version appears here twice: in control block and at the end of script
for (var _f = 0, _g = i.tapLeafScript; _f < _g.length; _f++) {
var _h = _g[_f], k = _h[0], v = _h[1];
if ((k.version & 254) !== v[v.length - 1])
throw new Error('validateInput: tapLeafScript version mimatch');
if (v[v.length - 1] & 1)
throw new Error('validateInput: tapLeafScript version has parity bit!');
}
}
return i;
});
var PSBTOutputCoder = P.validate(PSBTKeyMap(PSBTOutput), function (o) {
if (o.bip32Derivation)
for (var _i = 0, _a = o.bip32Derivation; _i < _a.length; _i++) {
var _b = _a[_i], k = _b[0], v = _b[1];
validatePubkey(k, PubT.ecdsa);
}
return o;
});
var PSBTGlobalCoder = P.validate(PSBTKeyMap(PSBTGlobal), function (g) {
var version = g.version || 0;
if (version === 0) {
if (!g.unsignedTx)
throw new Error('PSBTv0: missing unsignedTx');
if (g.unsignedTx.segwitFlag || g.unsignedTx.witnesses)
throw new Error('PSBTv0: witness in unsingedTx');
for (var _i = 0, _a = g.unsignedTx.inputs; _i < _a.length; _i++) {
var inp = _a[_i];
if (inp.finalScriptSig && inp.finalScriptSig.length)
throw new Error('PSBTv0: input scriptSig found in unsignedTx');
}
}
return g;
});
taproot._RawPSBTV0 = P.struct({
magic: P.magic(P.string(new Uint8Array([0xff])), 'psbt'),
global: PSBTGlobalCoder,
inputs: P.array('global/unsignedTx/inputs/length', PSBTInputCoder),
outputs: P.array(null, PSBTOutputCoder),
});
taproot._RawPSBTV2 = P.struct({
magic: P.magic(P.string(new Uint8Array([0xff])), 'psbt'),
global: PSBTGlobalCoder,
inputs: P.array('global/inputCount', PSBTInputCoder),
outputs: P.array('global/outputCount', PSBTOutputCoder),
});
taproot._DebugPSBT = P.struct({
magic: P.magic(P.string(new Uint8Array([0xff])), 'psbt'),
items: P.array(null, P.apply(P.array(P.NULL, P.tuple([P.hex(CompactSizeLen), P.bytes(taproot.CompactSize)])), P.coders.dict())),
});
function validatePSBTFields(version, info, lst) {
for (var k in lst) {
if (k === 'unknown')
continue;
if (!info[k])
continue;
var _a = info[k].slice(-3), reqInc = _a[0], reqExc = _a[1], allowInc = _a[2];
if (reqExc.includes(version) || !allowInc.includes(version))
throw new Error("PSBTv".concat(version, ": field ").concat(k, " is not allowed"));
}
for (var k in info) {
var _b = info[k].slice(-3), reqInc = _b[0], reqExc = _b[1], allowInc = _b[2];
if (reqInc.includes(version) && lst[k] === undefined)
throw new Error("PSBTv".concat(version, ": missing required field ").concat(k));
}
}
function cleanPSBTFields(version, info, lst) {
var out = {};
for (var k in lst) {
if (k !== 'unknown') {
if (!info[k])
continue;
var _a = info[k].slice(-3), reqInc = _a[0], reqExc = _a[1], allowInc = _a[2];
if (reqExc.includes(version) || !allowInc.includes(version))
continue;
}
out[k] = lst[k];
}
return out;
}
function validatePSBT(tx) {
var version = (tx && tx.global && tx.global.version) || 0;
validatePSBTFields(version, PSBTGlobal, tx.global);
for (var _i = 0, _a = tx.inputs; _i < _a.length; _i++) {
var i = _a[_i];
validatePSBTFields(version, PSBTInput, i);
}
for (var _b = 0, _c = tx.outputs; _b < _c.length; _b++) {
var o = _c[_b];
validatePSBTFields(version, PSBTOutput, o);
}
// We allow only one empty element at the end of map (compat with bitcoinjs-lib bug)
var inputCount = !version ? tx.global.unsignedTx.inputs.length : tx.global.inputCount;
if (tx.inputs.length < inputCount)
throw new Error('Not enough inputs');
var inputsLeft = tx.inputs.slice(inputCount);
if (inputsLeft.length > 1 || (inputsLeft.length && Object.keys(inputsLeft[0]).length))
throw new Error("Unexpected inputs left in tx=".concat(inputsLeft));
// Same for inputs
var outputCount = !version ? tx.global.unsignedTx.outputs.length : tx.global.outputCount;
if (tx.outputs.length < outputCount)
throw new Error('Not outputs inputs');
var outputsLeft = tx.outputs.slice(outputCount);
if (outputsLeft.length > 1 || (outputsLeft.length && Object.keys(outputsLeft[0]).length))
throw new Error("Unexpected outputs left in tx=".concat(outputsLeft));
return tx;
}
// Check if object doens't have custom constructor (like Uint8Array/Array)
var isPlainObject = function (obj) {
return Object.prototype.toString.call(obj) === '[object Object]' && obj.constructor === Object;
};
function type(v) {
if (v instanceof Uint8Array)
return 'bytes';
if (Array.isArray(v))
return 'array';
if (['number', 'string', 'bigint', 'boolean', 'undefined'].includes(typeof v))
return typeof v;
if (v === null)
return 'null'; // typeof null=object
if (isPlainObject(v))
return 'object';
throw new Error("Unknown type=".concat(v));
}
// Basic structure merge: object = {...old, ...new}, arrays = old.concat(new). other -> replace
// function merge<T extends PSBTKeyMap>(
// psbtEnum: T,
// val: PSBTKeyMapKeys<T>,
// cur?: PSBTKeyMapKeys<T>
// ): PSBTKeyMapKeys<T> {
// }
function mergeKeyMap(psbtEnum, val, cur, allowedFields) {
var res = __assign(__assign({}, cur), val);
var _loop_2 = function (k) {
var key = k;
var _a = psbtEnum[key], _ = _a[0], kC = _a[1], vC = _a[2];
var cannotChange = allowedFields && !allowedFields.includes(k);
if (val[k] === undefined && k in val) {
if (cannotChange)
throw new Error("Cannot remove signed field=".concat(k));
delete res[k];
}
else if (kC) {
var oldKV = (cur && cur[k] ? cur[k] : []);
var newKV = val[key];
if (newKV) {
if (!Array.isArray(newKV))
throw new Error("keyMap(".concat(k, "): KV pairs should be [k, v][]"));
// Decode hex in k-v
newKV = newKV.map(function (val) {
if (val.length !== 2)
throw new Error("keyMap(".concat(k, "): KV pairs should be [k, v][]"));
return [
typeof val[0] === 'string' ? kC.decode(base.hex.decode(val[0])) : val[0],
typeof val[1] === 'string' ? vC.decode(base.hex.decode(val[1])) : val[1],
];
});
var map_1 = {};
var add = function (kStr, k, v) {
if (map_1[kStr] === undefined) {
map_1[kStr] = [k, v];
return;
}
var oldVal = base.hex.encode(vC.encode(map_1[kStr][1]));
var newVal = base.hex.encode(vC.encode(v));
if (oldVal !== newVal)
throw new Error("keyMap(".concat(key, "): same key=").concat(kStr, " oldVal=").concat(oldVal, " newVal=").concat(newVal));
};
for (var _i = 0, oldKV_1 = oldKV; _i < oldKV_1.length; _i++) {
var _b = oldKV_1[_i], k_1 = _b[0], v = _b[1];
var kStr = base.hex.encode(kC.encode(k_1));
add(kStr, k_1, v);
}
for (var _c = 0, newKV_1 = newKV; _c < newKV_1.length; _c++) {
var _d = newKV_1[_c], k_2 = _d[0], v = _d[1];
var kStr = base.hex.encode(kC.encode(k_2));
// undefined removes previous value
if (v === undefined)
delete map_1[kStr];
else
add(kStr, k_2, v);
}
res[key] = Object.values(map_1);
}
}
else if (typeof res[k] === 'string') {
res[k] = vC.decode(base.hex.decode(res[k]));
}
};
// All arguments can be provided as hex
for (var k in psbtEnum) {
_loop_2(k);
}
// Remove unknown keys
for (var k in res)
if (!psbtEnum[k])
delete res[k];
return res;
}
taproot.RawPSBTV0 = P.validate(taproot._RawPSBTV0, validatePSBT);
taproot.RawPSBTV2 = P.validate(taproot._RawPSBTV2, validatePSBT);
// (TxHash, Idx)
var TxHashIdx = P.struct({ hash: P.bytes(32, true), index: P.U32LE });
// /Coders
var isBytes = function (b) { return b instanceof Uint8Array; };
var OutPK = {
encode: function (from) {
if (from.length !== 2 ||
!P.isBytes(from[0]) ||
!isValidPubkey(from[0], PubT.ecdsa) ||
from[1] !== 'CHECKSIG')
return;
return { type: 'pk', pubkey: from[0] };
},
decode: function (to) { return (to.type === 'pk' ? [to.pubkey, 'CHECKSIG'] : undefined); },
};
var p2pk = function (pubkey, network) {
if (network === void 0) { network = taproot.NETWORK; }
if (!isValidPubkey(pubkey, PubT.ecdsa))
throw new Error('P2PK: invalid publicKey');
return {
type: 'pk',
script: taproot.OutScript.encode({ type: 'pk', pubkey: pubkey }),
};
};
taproot.p2pk = p2pk;
var OutPKH = {
encode: function (from) {
if (from.length !== 5 || from[0] !== 'DUP' || from[1] !== 'HASH160' || !isBytes(from[2]))
return;
if (from[3] !== 'EQUALVERIFY' || from[4] !== 'CHECKSIG')
return;
return { type: 'pkh', hash: from[2] };
},
decode: function (to) {
return to.type === 'pkh' ? ['DUP', 'HASH160', to.hash, 'EQUALVERIFY', 'CHECKSIG'] : undefined;
},
};
var p2pkh = function (publicKey, network) {
if (network === void 0) { network = taproot.NETWORK; }
if (!isValidPubkey(publicKey, PubT.ecdsa))
throw new Error('P2PKH: invalid publicKey');
var hash = hash160(publicKey);
return {
type: 'pkh',
script: taproot.OutScript.encode({ type: 'pkh', hash: hash }),
address: Address(network).encode({ type: 'pkh', hash: hash }),
};
};
taproot.p2pkh = p2pkh;
var OutSH = {
encode: function (from) {
if (from.length !== 3 || from[0] !== 'HASH160' || !isBytes(from[1]) || from[2] !== 'EQUAL')
return;
return { type: 'sh', hash: from[1] };
},
decode: function (to) {
return to.type === 'sh' ? ['HASH160', to.hash, 'EQUAL'] : undefined;
},
};
var p2sh = function (child, network) {
if (network === void 0) { network = taproot.NETWORK; }
var hash = hash160(child.script);
var script = taproot.OutScript.encode({ type: 'sh', hash: hash });
checkScript(script, child.script, child.witnessScript);
var res = {
type: 'sh',
redeemScript: child.script,
script: taproot.OutScript.encode({ type: 'sh', hash: hash }),
address: Address(network).encode({ type: 'sh', hash: hash }),
};
if (child.witnessScript)
res.witnessScript = child.witnessScript;
return res;
};
taproot.p2sh = p2sh;
var OutWSH = {
encode: function (from) {
if (from.length !== 2 || from[0] !== 'OP_0' || !isBytes(from[1]))
return;
if (from[1].length !== 32)
return;
return { type: 'wsh', hash: from[1] };
},
decode: function (to) { return (to.type === 'wsh' ? ['OP_0', to.hash] : undefined); },
};
var p2wsh = function (child, network) {
if (network === void 0) { network = taproot.NETWORK; }
var hash = (0, sha256_1.sha256)(child.script);
var script = taproot.OutScript.encode({ type: 'wsh', hash: hash });
checkScript(script, undefined, child.script);
return {
type: 'wsh',
witnessScript: child.script,
script: taproot.OutScript.encode({ type: 'wsh', hash: hash }),
address: Address(network).encode({ type: 'wsh', hash: hash }),
};
};
taproot.p2wsh = p2wsh;
var OutWPKH = {
encode: function (from) {
if (from.length !== 2 || from[0] !== 'OP_0' || !isBytes(from[1]))
return;
if (from[1].length !== 20)
return;
return { type: 'wpkh', hash: from[1] };
},
decode: function (to) { return (to.type === 'wpkh' ? ['OP_0', to.hash] : undefined); },
};
var p2wpkh = function (publicKey, network) {
if (network === void 0) { network = taproot.NETWORK; }
if (!isValidPubkey(publicKey, PubT.ecdsa))
throw new Error('P2WPKH: invalid publicKey');
if (publicKey.length === 65)
throw new Error('P2WPKH: uncompressed public key');
var hash = hash160(publicKey);
return {
type: 'wpkh',
script: taproot.OutScript.encode({ type: 'wpkh', hash: hash }),
address: Address(network).encode({ type: 'wpkh', hash: hash }),
};
};
taproot.p2wpkh = p2wpkh;
var OutMS = {
encode: function (from) {
var last = from.length - 1;
if (from[last] !== 'CHECKMULTISIG')
return;
var m = OPtoNumber(from[0]);
var n = OPtoNumber(from[last - 1]);
if (m === undefined || n === undefined)
throw new Error('OutScript.encode/multisig wrong params');
var pubkeys = from.slice(1, -2); // Any is ok, check in for later
if (n !== pubkeys.length)
throw new Error('OutScript.encode/multisig: wrong length');
return { type: 'ms', m: m, pubkeys: pubkeys }; // we don't need n, since it is the same as pubkeys
},
// checkmultisig(n, ..pubkeys, m)
decode: function (to) {
return to.type === 'ms'
? __spreadArray(__spreadArray(["OP_".concat(to.m)], to.pubkeys, true), ["OP_".concat(to.pubkeys.length), 'CHECKMULTISIG'], false) : undefined;
},
};
var p2ms = function (m, pubkeys, allowSamePubkeys) {
if (allowSamePubkeys === void 0) { allowSamePubkeys = false; }
if (!allowSamePubkeys)
uniqPubkey(pubkeys);
return { type: 'ms', script: taproot.OutScript.encode({ type: 'ms', pubkeys: pubkeys, m: m }) };
};
taproot.p2ms = p2ms;
var OutTR = {
encode: function (from) {
if (from.length !== 2 || from[0] !== 'OP_1' || !isBytes(from[1]))
return;
return { type: 'tr', pubkey: from[1] };
},
decode: function (to) { return (to.type === 'tr' ? ['OP_1', to.pubkey] : undefined); },
};
// Helper for generating binary tree from list, with weights
function taprootListToTree(taprootList) {
// Clone input in order to not corrupt it
var lst = Array.from(taprootList);
// We have at least 2 elements => can create branch
while (lst.length >= 2) {
// Sort: elements with smallest weight are in the end of queue
lst.sort(function (a, b) { return (b.weight || 1) - (a.weight || 1); });
var b = lst.pop();
var a = lst.pop();
var weight = ((a === null || a === void 0 ? void 0 : a.weight) || 1) + ((b === null || b === void 0 ? void 0 : b.weight) || 1);
lst.push({
weight: weight,
// Unwrap children array
childs: [a.childs || a, b.childs || b],
});
}
// At this point there is always 1 element in lst
var last = lst[0];
return (last.childs || last);
}
taproot.taprootListToTree = taprootListToTree;
function checkTaprootScript(script, allowUnknowOutput) {
if (allowUnknowOutput === void 0) { allowUnknowOutput = false; }
var out = taproot.OutScript.decode(script);
if (out.type === 'unknown' && allowUnknowOutput)
return;
if (!['tr_ns', 'tr_ms'].includes(out.type))
throw new Error("P2TR: invalid leaf script=".concat(out.type));
}
//Contructs a binary tree from a list of scripts
function taprootHashTree(tree, allowUnknowOutput) {
var _a;
if (allowUnknowOutput === void 0) { allowUnknowOutput = false; }
if (!tree)
throw new Error('taprootHashTree: empty tree');
if (Array.isArray(tree) && tree.length === 1)
tree = tree[0];
// Terminal node (leaf)
if (!Array.isArray(tree)) {
var version = tree.leafVersion, leafScript = tree.script, tapInternalKey = tree.tapInternalKey;
// Earliest tree walk where we can validate tapScripts
if (tree.tapLeafScript || (tree.tapMerkleRoot && !P.equalBytes(tree.tapMerkleRoot, P.EMPTY)))
throw new Error('P2TR: tapRoot leafScript cannot have tree');
// Just to be sure that it is spendable
if (tapInternalKey && P.equalBytes(tapInternalKey, taproot.TAPROOT_UNSPENDABLE_KEY))
throw new Error('P2TR: tapRoot leafScript cannot have unspendble key');
var script = typeof leafScript === 'string' ? base.hex.decode(leafScript) : leafScript;
checkTaprootScript(script, allowUnknowOutput);
return {
type: 'leaf',
tapInternalKey: tapInternalKey,
version: version,
script: script,
hash: (0, taproot.tapLeafHash)(script, version),
};
}
// If tree / branch is not binary tree, convert it
if (tree.length !== 2)
tree = taprootListToTree(tree);
if (tree.length !== 2)
throw new Error('hashTree: non binary tree!');
// branch
// NOTE: both nodes should exist
var left = taprootHashTree(tree[0], allowUnknowOutput);
var right = taprootHashTree(tree[1], allowUnknowOutput);
// We cannot swap left/right here, since it will change structure of tree
var _b = [left.hash, right.hash], lH = _b[0], rH = _b[1];
if (cmp(rH, lH) === -1)
_a = [rH, lH], lH = _a[0], rH = _a[1];
return { type: 'branch', left: left, right: right, hash: taggedHash('TapBranch', lH, rH) };
}
taproot.taprootHashTree = taprootHashTree;
//Adds a path element to a binary tree
function taprootAddPath(tree, path) {
if (path === void 0) { path = []; }
if (!tree)
throw new Error("taprootAddPath: empty tree");
if (tree.type === 'leaf')
return __assign(__assign({}, tree), { path: path });
if (tree.type !== 'branch')
throw new Error("taprootAddPath: wrong type=".concat(tree));
return __assign(__assign({}, tree), {
path: path,
// Left element has right hash in path and otherwise
left: taprootAddPath(tree.left, __spreadArray([tree.right.hash], path, true)), right: taprootAddPath(tree.right, __spreadArray([tree.left.hash], path, true))
});
}
taproot.taprootAddPath = taprootAddPath;
//Flattens the tree
function taprootWalkTree(tree) {
if (!tree)
throw new Error("taprootAddPath: empty tree");
if (tree.type === 'leaf')
return [tree];
if (tree.type !== 'branch')
throw new Error("taprootWalkTree: wrong type=".concat(tree));
return __spreadArray(__spreadArray([], taprootWalkTree(tree.left), true), taprootWalkTree(tree.right), true);
}
taproot.taprootWalkTree = taprootWalkTree;
// Another stupid decision, where lack of standard affects security.
// Multisig needs to be generated with some key.
// We are using approach from BIP 341/bitcoinjs-lib: SHA256(uncompressedDER(SECP256K1_GENERATOR_POINT))
// It is possible to switch SECP256K1_GENERATOR_POINT with some random point;
// but it's too complex to prove.
// Also used by bitcoin-core and bitcoinjs-lib
taproot.TAPROOT_UNSPENDABLE_KEY = (0, sha256_1.sha256)(secp.Point.BASE.toRawBytes(false));
// Works as key OR tree.
// If we only have tree, need to add unspendable key, otherwise
// complex multisig wallet can be spent by owner of key only. See TAPROOT_UNSPENDABLE_KEY
function p2tr(internalPubKey, tree, network, allowUnknowOutput) {
if (network === void 0) { network = taproot.NETWORK; }
if (allowUnknowOutput === void 0) { allowUnknowOutput = false; }
// Unspendable
if (!internalPubKey && !tree)
throw new Error('p2tr: should have pubKey or scriptTree (or both)');
var pubKey = typeof internalPubKey === 'string'
? base.hex.decode(internalPubKey)
: internalPubKey || taproot.TAPROOT_UNSPENDABLE_KEY;
if (!isValidPubkey(pubKey, PubT.schnorr))
throw new Error('p2tr: non-schnorr pubkey');
var hashedTree = tree ? taprootAddPath(taprootHashTree(tree, allowUnknowOutput)) : undefined;
var tapMerkleRoot = hashedTree ? hashedTree.hash : undefined;
var _a = taprootTweakPubkey(pubKey, tapMerkleRoot || P.EMPTY), tweakedPubkey = _a[0], parity = _a[1];
var leaves;
if (hashedTree) {
leaves = taprootWalkTree(hashedTree).map(function (l) {
return (__assign(__assign({}, l), {
controlBlock: taproot.TaprootControlBlock.encode({
version: (l.version || taproot.TAP_LEAF_VERSION) + +parity,
internalKey: l.tapInternalKey || pubKey,
merklePath: l.path,
})
}));
});
}
var tapLeafScript;
if (leaves) {
tapLeafScript = leaves.map(function (l) {
return [
taproot.TaprootControlBlock.decode(l.controlBlock),
concat(l.script, new Uint8Array([l.version || taproot.TAP_LEAF_VERSION])),
];
});
}
var res = {
type: 'tr',
script: taproot.OutScript.encode({ type: 'tr', pubkey: tweakedPubkey }),
address: Address(network).encode({ type: 'tr', pubkey: tweakedPubkey }),
// For tests
tweakedPubkey: tweakedPubkey,
// PSBT stuff
tapInternalKey: pubKey,
};
// Just in case someone would want to select a specific script
if (leaves)
res.leaves = leaves;
if (tapLeafScript)
res.tapLeafScript = tapLeafScript;
if (tapMerkleRoot)
res.tapMerkleRoot = tapMerkleRoot;
return res;
}
taproot.p2tr = p2tr;
var OutTRNS = {
encode: function (from) {
var last = from.length - 1;
if (from[last] !== 'CHECKSIG')
return;
var pubkeys = [];
for (var i = 0; i < last; i++) {
var elm = from[i];
if (i & 1) {
if (elm !== 'CHECKSIGVERIFY')
// ROHIT Removing throw, and replacing with return to let the process continue
//throw new Error('OutScript.encode/tr_ns: wrong element');
return;
if (i === last - 1)
// ROHIT Removing throw, and replacing with return to let the process continue
//throw new Error('OutScript.encode/tr_ns: wrong element');
return;
continue;
}
if (!isBytes(elm))
//ROHIT TO SOLVE CHEKKSIG ERROR
//throw new Error('OutScript.encode/tr_ns: wrong element');
return;
pubkeys.push(elm);
}
return { type: 'tr_ns', pubkeys: pubkeys };
},
decode: function (to) {
if (to.type !== 'tr_ns')
return;
var out = [];
for (var i = 0; i < to.pubkeys.length - 1; i++)
out.push(to.pubkeys[i], 'CHECKSIGVERIFY');
out.push(to.pubkeys[to.pubkeys.length - 1], 'CHECKSIG');
return out;
},
};
// Returns all combinations of size M from lst
function combinations(m, list) {
var res = [];
if (!Array.isArray(list))
throw new Error('combinations: lst arg should be array');
var n = list.length;
if (m > n)
throw new Error('combinations: m > lst.length, no combinations possible');
/*
Basically works as M nested loops like:
for (;idx[0]<lst.length;idx[0]++) for (idx[1]=idx[0]+1;idx[1]<lst.length;idx[1]++)
but since we cannot create nested loops dynamically, we unroll it to a single loop
*/
var idx = Array.from({ length: m }, function (_, i) { return i; });
var last = idx.length - 1;
main: for (; ;) {
res.push(idx.map(function (i) { return list[i]; }));
idx[last] += 1;
var i = last;
// Propagate increment
// NOTE: idx[i] cannot be bigger than n-m+i, otherwise last elements in right part will overflow
for (; i >= 0 && idx[i] > n - m + i; i--) {
idx[i] = 0;
// Overflow in idx[0], break
if (i === 0)
break main;
idx[i - 1] += 1;
}
// Propagate: idx[i+1] = idx[idx]+1
for (i += 1; i < idx.length; i++)
idx[i] = idx[i - 1] + 1;
}
return res;
}
taproot.combinations = combinations;
/**
* M-of-N multi-leaf wallet via p2tr_ns. If m == n, single script is emitted.
* Takes O(n^2) if m != n. 99-of-100 is ok, 5-of-100 is not.
* `2-of-[A,B,C] => [A,B] | [A,C] | [B,C]`
*/
var p2tr_ns = function (m, pubkeys, allowSamePubkeys) {
if (allowSamePubkeys === void 0) { allowSamePubkeys = false; }
if (!allowSamePubkeys)
uniqPubkey(pubkeys);
return combinations(m, pubkeys).map(function (i) {
return ({
type: 'tr_ns',
script: taproot.OutScript.encode({ type: 'tr_ns', pubkeys: i }),
});
});
};
taproot.p2tr_ns = p2tr_ns;
// Taproot public key (case of p2tr_ns)
var p2tr_pk = function (pubkey) { return (0, taproot.p2tr_ns)(1, [pubkey], undefined)[0]; };
taproot.p2tr_pk = p2tr_pk;
var OutTRMS = {
encode: function (from) {
var last = from.length - 1;
if (from[last] !== 'NUMEQUAL' || from[1] !== 'CHECKSIG')
return;
var pubkeys = [];
var m = OPtoNumber(from[last - 1]);
if (m === undefined)
return;
for (var i = 0; i < last - 1; i++) {
var elm = from[i];
if (i & 1) {
if (elm !== (i === 1 ? 'CHECKSIG' : 'CHECKSIGADD'))
throw new Error('OutScript.encode/tr_ms: wrong element');
continue;
}
if (!isBytes(elm))
throw new Error('OutScript.encode/tr_ms: wrong key element');
pubkeys.push(elm);
}
return { type: 'tr_ms', pubkeys: pubkeys, m: m };
},
decode: function (to) {
if (to.type !== 'tr_ms')
return;
var out = [to.pubkeys[0], 'CHECKSIG'];
for (var i = 1; i < to.pubkeys.length; i++)
out.push(to.pubkeys[i], 'CHECKSIGADD');
out.push("OP_".concat(to.m), 'NUMEQUAL');
return out;
},
};
function p2tr_ms(m, pubkeys, allowSamePubkeys) {
if (allowSamePubkeys === void 0) { allowSamePubkeys = false; }
if (!allowSamePubkeys)
uniqPubkey(pubkeys);
return {
type: 'tr_ms',
script: taproot.OutScript.encode({ type: 'tr_ms', pubkeys: pubkeys, m: m }),
};
}
taproot.p2tr_ms = p2tr_ms;
var OutUnknown = {
encode: function (from) {
return { type: 'unknown', script: taproot.Script.encode(from) };
},
decode: function (to) {
return to.type === 'unknown' ? taproot.Script.decode(to.script) : undefined;
},
};
// /Payments
var OutScripts = [
OutPK,
OutPKH,
OutSH,
OutWSH,
OutWPKH,
OutMS,
OutTR,
OutTRNS,
OutTRMS,
OutUnknown,
];
// TODO: we can support user supplied output scripts now
// - addOutScript
// - removeOutScript
// - We can do that as log we modify array in-place
var _OutScript = P.apply(taproot.Script, P.coders.match(OutScripts));
// We can validate this once, because of packed & coders
taproot.OutScript = P.validate(_OutScript, function (i) {
if (i.type === 'pk' && !isValidPubkey(i.pubkey, PubT.ecdsa))
throw new Error('OutScript/pk: wrong key');
if ((i.type === 'pkh' || i.type === 'sh' || i.type === 'wpkh') &&
(!isBytes(i.hash) || i.hash.length !== 20))
throw new Error("OutScript/".concat(i.type, ": wrong hash"));
if (i.type === 'wsh' && (!isBytes(i.hash) || i.hash.length !== 32))
throw new Error("OutScript/wsh: wrong hash");
if (i.type === 'tr' && (!isBytes(i.pubkey) || !isValidPubkey(i.pubkey, PubT.schnorr)))
throw new Error('OutScript/tr: wrong taproot public key');
if (i.type === 'ms' || i.type === 'tr_ns' || i.type === 'tr_ms')
if (!Array.isArray(i.pubkeys))
throw new Error('OutScript/multisig: wrong pubkeys array');
if (i.type === 'ms') {
var n = i.pubkeys.length;
for (var _i = 0, _a = i.pubkeys; _i < _a.length; _i++) {
var p = _a[_i];
if (!isValidPubkey(p, PubT.ecdsa))
throw new Error('OutScript/multisig: wrong pubkey');
}
if (i.m <= 0 || n > 16 || i.m > n)
throw new Error('OutScript/multisig: invalid params');
}
if (i.type === 'tr_ns' || i.type === 'tr_ms') {
for (var _b = 0, _c = i.pubkeys; _b < _c.length; _b++) {
var p = _c[_b];
if (!isValidPubkey(p, PubT.schnorr))
throw new Error("OutScript/".concat(i.type, ": wrong pubkey"));
}
}
if (i.type === 'tr_ms') {
var n = i.pubkeys.length;
if (i.m <= 0 || n > 16 || i.m > n)
throw new Error('OutScript/tr_ms: invalid params');
}
return i;
});
// Address
// TODO: clean-up
function validateWitness(version, data) {
if (data.length < 2 || data.length > 40)
throw new Error('Witness: invalid length');
if (version > 16)
throw new Error('Witness: invalid version');
if (version === 0 && !(data.length === 20 || data.length === 32))
throw new Error('Witness: invalid length for version');
}
taproot.validateWitness = validateWitness;
function programToWitness(version, data, network) {
if (network === void 0) { network = taproot.NETWORK; }
validateWitness(version, data);
var coder = version === 0 ? base.bech32 : base.bech32m;
return coder.encode(network.bech32, [version].concat(coder.toWords(data)));
}
taproot.programToWitness = programToWitness;
// TODO: remove?
function parseWitnessProgram(version, data) {
validateWitness(version, data);
var encodedVersion = version > 0 ? version + 0x50 : version;
return concat(new Uint8Array([encodedVersion]), taproot.VarBytes.encode(Uint8Array.from(data)));
}
taproot.parseWitnessProgram = parseWitnessProgram;
function formatKey(hashed, prefix) {
return taproot.base58check.encode(concat(Uint8Array.from(prefix), hashed));
}
function WIF(network) {
if (network === void 0) { network = taproot.NETWORK; }
return {
encode: function (privKey) {
var compressed = concat(privKey, new Uint8Array([0x01]));
return formatKey(compressed.subarray(0, 33), [network.wif]);
},
decode: function (wif) {
var parsed = taproot.base58check.decode(wif);
if (parsed[0] !== network.wif)
throw new Error('Wrong WIF prefix');
parsed = parsed.subarray(1);
// Check what it is. Compressed flag?
if (parsed.length !== 33)
throw new Error('Wrong WIF length');
if (parsed[32] !== 0x01)
throw new Error('Wrong WIF postfix');
return parsed.subarray(0, -1);
},
};
}
taproot.WIF = WIF;
// Returns OutType, which can be used to create outscript
function Address(network) {
if (network === void 0) { network = taproot.NETWORK; }
return {
encode: function (from) {
var type = from.type;
if (type === 'wpkh')
return programToWitness(0, from.hash, network);
else if (type === 'wsh')
return programToWitness(0, from.hash, network);
else if (type === 'tr')
return programToWitness(1, from.pubkey, network);
else if (type === 'pkh')
return formatKey(from.hash, [network.pubKeyHash]);
else if (type === 'sh')
return formatKey(from.hash, [network.scriptHash]);
return 1;
},
decode: function (address) {
if (address.length < 14 || address.length > 74)
throw new Error('Invalid address length');
// Bech32
if (network.bech32 && address.toLowerCase().startsWith(network.bech32)) {
var res = void 0;
try {
res = base.bech32.decode(address);
if (res.words[0] !== 0)
throw new Error("bech32: wrong version=".concat(res.words[0]));
}
catch (_) {
// Starting from version 1 it is decoded as bech32m
res = base.bech32m.decode(address);
if (res.words[0] === 0)
throw new Error("bech32m: wrong version=".concat(res.words[0]));
}
if (res.prefix !== network.bech32)
throw new Error("wrong bech32 prefix=".concat(res.prefix));
var _a = res.words, version = _a[0], program = _a.slice(1);
var data_1 = base.bech32.fromWords(program);
validateWitness(version, data_1);
if (version === 0 && data_1.length === 32)
return { type: 'wsh', hash: data_1 };
else if (version === 0 && data_1.length === 20)
return { type: 'wpkh', hash: data_1 };
else if (version === 1 && data_1.length === 32)
return { type: 'tr', pubkey: data_1 };
else
throw new Error('Unkown witness program');
}
var data = base.base58.decode(address);
if (data.length !== 25)
throw new Error('Invalid base58 address');
// Pay To Public Key Hash
if (data[0] === network.pubKeyHash) {
var bytes = base.base58.decode(address);
return { type: 'pkh', hash: bytes.slice(1, bytes.length - 4) };
}
else if (data[0] === network.scriptHash) {
var bytes = base.base58.decode(address);
return {
type: 'sh',
hash: base.base58.decode(address).slice(1, bytes.length - 4),
};
}
throw new Error("Invalid address prefix=".concat(data[0]));
},
};
}
taproot.Address = Address;
// /Address
var SignatureHash;
(function (SignatureHash) {
SignatureHash[SignatureHash["DEFAULT"] = 0] = "DEFAULT";
SignatureHash[SignatureHash["ALL"] = 1] = "ALL";
SignatureHash[SignatureHash["NONE"] = 2] = "NONE";
SignatureHash[SignatureHash["SINGLE"] = 3] = "SINGLE";
SignatureHash[SignatureHash["ANYONECANPAY"] = 128] = "ANYONECANPAY";
SignatureHash[SignatureHash["ALL_SIGHASH_ANYONECANPAY"] = 129] = "ALL_SIGHASH_ANYONECANPAY";
SignatureHash[SignatureHash["NONE_SIGHASH_ANYONECANPAY"] = 130] = "NONE_SIGHASH_ANYONECANPAY";
SignatureHash[SignatureHash["SINGLE_SIGHASH_ANYONECANPAY"] = 131] = "SINGLE_SIGHASH_ANYONECANPAY";
})(SignatureHash = taproot.SignatureHash || (taproot.SignatureHash = {}));
taproot.SigHashCoder = P.apply(P.U32LE, P.coders.tsEnum(SignatureHash));
function sum(arr) {
return arr.map(function (n) { return BigInt(n); }).reduce(function (a, b) { return a + b; });
}
// TODO: encoder maybe?
function unpackSighash(hashType) {
var masked = hashType & 31;
return {
isAny: !!(hashType & 128),
isNone: masked === 2,
isSingle: masked === 3,
};
}
var _sortPubkeys = function (pubkeys) { return Array.from(pubkeys).sort(cmp); };
taproot._sortPubkeys = _sortPubkeys;
var def = {
sequence: function (n) { return (n === undefined ? taproot.DEFAULT_SEQUENCE : n); },
lockTime: function (n) { return (n === undefined ? taproot.DEFAULT_LOCKTIME : n); },
};
taproot.TAP_LEAF_VERSION = 0xc0;
var tapLeafHash = function (script, version) {
if (version === void 0) { version = taproot.TAP_LEAF_VERSION; }
return taggedHash('TapLeaf', new Uint8Array([version]), taproot.VarBytes.encode(script));
};
taproot.tapLeafHash = tapLeafHash;
function getTaprootKeys(privKey, pubKey, internalKey, merkleRoot) {
if (merkleRoot === void 0) { merkleRoot = P.EMPTY; }
if (P.equalBytes(internalKey, pubKey)) {
privKey = taprootTweakPrivKey(privKey, merkleRoot);
pubKey = secp.schnorr.getPublicKey(privKey);
}
return { privKey: privKey, pubKey: pubKey };
}
taproot.getTaprootKeys = getTaprootKeys;
var Transaction = /** @class */ (function () {
// function Transaction(version, lockTime, PSBTVersion,opts) { //Changed the position of opts so that it can test examples work
function Transaction(opts, version, lockTime, PSBTVersion) {
if (version === void 0) { version = taproot.DEFAULT_VERSION; }
if (lockTime === void 0) { lockTime = 0; }
if (PSBTVersion === void 0) { PSBTVersion = 0; }
if (opts === void 0) { opts = {}; }
this.PSBTVersion = PSBTVersion;
this.opts = opts;
this.global = {};
this.inputs = [];
this.outputs = [];
if (lockTime !== taproot.DEFAULT_LOCKTIME)
this.global.fallbackLocktime = lockTime;
this.global.txVersion = version;
}
// Import
Transaction.fromRaw = function (raw, opts) {
if (opts === void 0) { opts = {}; }
var parsed = taproot.RawTx.decode(raw);
var tx = new Transaction(parsed.version, parsed.lockTime, undefined, opts);
for (var _i = 0, _a = parsed.outputs; _i < _a.length; _i++) {
var o = _a[_i];
tx.addOutput(o);
}
tx.outputs = parsed.outputs;
tx.inputs = parsed.inputs;
if (parsed.witnesses) {
for (var i = 0; i < parsed.witnesses.length; i++)
tx.inputs[i].finalScriptWitness = parsed.witnesses[i];
}
return tx;
};
// PSBT
Transaction.fromPSBT = function (psbt, opts) {
if (opts === void 0) { opts = {}; }
var parsed;
try {
parsed = taproot.RawPSBTV0.decode(psbt);
}
catch (e0) {
try {
parsed = taproot.RawPSBTV2.decode(psbt);
}
catch (e2) {
// Throw error for v0 parsing, since it popular, otherwise it would be shadowed by v2 error
throw e0;
}
}
var version = parsed.global.version || 0;
var unsigned = parsed.global.unsignedTx;
var txVersion = !version ? unsigned === null || unsigned === void 0 ? void 0 : unsigned.version : parsed.global.txVersion;
var lockTime = !version ? unsigned === null || unsigned === void 0 ? void 0 : unsigned.lockTime : parsed.global.fallbackLocktime;
var tx = new Transaction(txVersion, lockTime, version, opts);
// We need slice here, because otherwise
var inputCount = !version ? unsigned === null || unsigned === void 0 ? void 0 : unsigned.inputs.length : parsed.global.inputCount;
tx.inputs = parsed.inputs.slice(0, inputCount).map(function (i, j) {
var _a;
return (__assign(__assign({ finalScriptSig: P.EMPTY }, (_a = parsed.global.unsignedTx) === null || _a === void 0 ? void 0 : _a.inputs[j]), i));
});
var outputCount = !version ? unsigned === null || unsigned === void 0 ? void 0 : unsigned.outputs.length : parsed.global.outputCount;
tx.outputs = parsed.outputs.slice(0, outputCount).map(function (i, j) {
var _a;
return (__assign(__assign({}, i), (_a = parsed.global.unsignedTx) === null || _a === void 0 ? void 0 : _a.outputs[j]));
});
tx.global = __assign(__assign({}, parsed.global), { txVersion: txVersion }); // just in case propietary/unknown fields
if (lockTime !== taproot.DEFAULT_LOCKTIME)
tx.global.fallbackLocktime = lockTime;
return tx;
};
Transaction.prototype.toPSBT = function (ver) {
if (ver === void 0) { ver = this.PSBTVersion; }
var inputs = this.inputs.map(function (i) { return cleanPSBTFields(ver, PSBTInput, i); });
for (var _i = 0, inputs_1 = inputs; _i < inputs_1.length; _i++) {
var inp = inputs_1[_i];
// Don't serialize empty fields
if (inp.partialSig && !inp.partialSig.length)
delete inp.partialSig;
if (inp.finalScriptSig && !inp.finalScriptSig.length)
delete inp.finalScriptSig;
if (inp.finalScriptWitness && !inp.finalScriptWitness.length)
delete inp.finalScriptWitness;
}
var outputs = this.outputs.map(function (i) { return cleanPSBTFields(ver, PSBTOutput, i); });
if (ver && ver !== 2)
throw new Error("Wrong PSBT version=".concat(ver));
var global = __assign({}, this.global);
if (!ver) {
global.unsignedTx = taproot.RawTx.decode(this.unsignedTx);
delete global.fallbackLocktime;
delete global.txVersion;
}
else {
global.version = ver;
global.txVersion = this.version;
global.inputCount = this.inputs.length;
global.outputCount = this.outputs.length;
if (global.fallbackLocktime && global.fallbackLocktime === taproot.DEFAULT_LOCKTIME)
delete global.fallbackLocktime;
}
if (this.opts.bip174jsCompat) {
if (!inputs.length)
inputs.push({});
if (!outputs.length)
outputs.push({});
}
return (ver === 2 ? taproot.RawPSBTV2 : taproot.RawPSBTV0).encode({
global: global,
inputs: inputs,
outputs: outputs,
});
};
Object.defineProperty(Transaction.prototype, "lockTime", {
// BIP370 lockTime (https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki#determining-lock-time)
get: function () {
var height = taproot.DEFAULT_LOCKTIME;
var heightCnt = 0;
var time = taproot.DEFAULT_LOCKTIME;
var timeCnt = 0;
for (var _i = 0, _a = this.inputs; _i < _a.length; _i++) {
var i = _a[_i];
if (i.requiredHeightLocktime) {
height = Math.max(height, i.requiredHeightLocktime);
heightCnt++;
}
if (i.requiredTimeLocktime) {
time = Math.max(time, i.requiredTimeLocktime);
timeCnt++;
}
}
if (heightCnt && heightCnt >= timeCnt)
return height;
if (time !== taproot.DEFAULT_LOCKTIME)
return time;
return this.global.fallbackLocktime || taproot.DEFAULT_LOCKTIME;
},
enumerable: false,
configurable: true
});
Object.defineProperty(Transaction.prototype, "version", {
get: function () {
// Should be not possible
if (this.global.txVersion === undefined)
throw new Error('No global.txVersion');
return this.global.txVersion;
},
enumerable: false,
configurable: true
});
Transaction.prototype.inputStatus = function (idx) {
this.checkInputIdx(idx);
var input = this.inputs[idx];
// Finalized
if (input.finalScriptSig && input.finalScriptSig.length)
return 'finalized';
if (input.finalScriptWitness && input.finalScriptWitness.length)
return 'finalized';
// Signed taproot
if (input.tapKeySig)
return 'signed';
if (input.tapScriptSig && input.tapScriptSig.length)
return 'signed';
// Signed
if (input.partialSig && input.partialSig.length)
return 'signed';
return 'unsigned';
};
// TODO: re-use in preimages
Transaction.prototype.inputSighash = function (idx) {
this.checkInputIdx(idx);
var sighash = this.inputType(this.inputs[idx]).sighash;
// ALL or DEFAULT -- everything signed
// NONE -- all inputs + no outputs
// SINGLE -- all inputs + output with same index
// ALL + ANYONE -- specific input + all outputs
// NONE + ANYONE -- specific input + no outputs
// SINGLE -- specific inputs + output with same index
var sigOutputs = sighash === SignatureHash.DEFAULT ? SignatureHash.ALL : sighash & 3;
var sigInputs = sighash & SignatureHash.ANYONECANPAY;
return { sigInputs: sigInputs, sigOutputs: sigOutputs };
};
Transaction.prototype.signStatus = function () {
// if addInput or addOutput is not possible, then all inputs or outputs are signed
var addInput = true, addOutput = true;
var inputs = [], outputs = [];
for (var idx = 0; idx < this.inputs.length; idx++) {
var status = this.inputStatus(idx);
// Unsigned input doesn't affect anything
if (status === 'unsigned')
continue;
var _a = this.inputSighash(idx), sigInputs = _a.sigInputs, sigOutputs = _a.sigOutputs;
// Input type
if (sigInputs === SignatureHash.ANYONECANPAY)
inputs.push(idx);
else
addInput = false;
// Output type
if (sigOutputs === SignatureHash.ALL)
addOutput = false;
else if (sigOutputs === SignatureHash.SINGLE)
outputs.push(idx);
else if (sigOutputs === SignatureHash.NONE) {
// Doesn't affect any outputs at all
}
else
throw new Error("Wrong signature hash output type: ".concat(sigOutputs));
}
return { addInput: addInput, addOutput: addOutput, inputs: inputs, outputs: outputs };
};
Object.defineProperty(Transaction.prototype, "isFinal", {
get: function () {
for (var idx = 0; idx < this.inputs.length; idx++)
if (this.inputStatus(idx) !== 'finalized')
return false;
return true;
},
enumerable: false,
configurable: true
});
Object.defineProperty(Transaction.prototype, "hasWitnesses", {
// Info utils
get: function () {
var out = false;
for (var _i = 0, _a = this.inputs; _i < _a.length; _i++) {
var i = _a[_i];
if (i.finalScriptWitness && i.finalScriptWitness.length)
out = true;
}
return out;
},
enumerable: false,
configurable: true
});
Object.defineProperty(Transaction.prototype, "weight", {
// https://en.bitcoin.it/wiki/Weight_units
get: function () {
if (!this.isFinal)
throw new Error('Transaction is not finalized');
// TODO: Can we find out how much witnesses/script will be used before signing?
var out = 32;
if (this.hasWitnesses)
out += 2;
out += 4 * CompactSizeLen.encode(this.inputs.length).length;
out += 4 * CompactSizeLen.encode(this.outputs.length).length;
for (var _i = 0, _a = this.inputs; _i < _a.length; _i++) {
var i = _a[_i];
out += 160 + 4 * taproot.VarBytes.encode(i.finalScriptSig).length;
}
for (var _b = 0, _c = this.outputs; _b < _c.length; _b++) {
var o = _c[_b];
out += 32 + 4 * taproot.VarBytes.encode(o.script).length;
}
if (this.hasWitnesses) {
for (var _d = 0, _e = this.inputs; _d < _e.length; _d++) {
var i = _e[_d];
if (i.finalScriptWitness)
out += taproot.RawWitness.encode(i.finalScriptWitness).length;
}
}
return out;
},
enumerable: false,
configurable: true
});
Object.defineProperty(Transaction.prototype, "vsize", {
get: function () {
return Math.ceil(this.weight / 4);
},
enumerable: false,
configurable: true
});
Transaction.prototype.toBytes = function (withScriptSig, withWitness) {
if (withScriptSig === void 0) { withScriptSig = false; }
if (withWitness === void 0) { withWitness = false; }
return taproot.RawTx.encode({
version: this.version,
lockTime: this.lockTime,
inputs: this.inputs.map(function (i) { return (__assign(__assign({}, i), { finalScriptSig: (withScriptSig && i.finalScriptSig) || P.EMPTY })); }),
outputs: this.outputs,
witnesses: this.inputs.map(function (i) { return i.finalScriptWitness || []; }),
segwitFlag: withWitness && this.hasWitnesses,
});
};
Object.defineProperty(Transaction.prototype, "unsignedTx", {
get: function () {
return this.toBytes(false, false);
},
enumerable: false,
configurable: true
});
Object.defineProperty(Transaction.prototype, "hex", {
get: function () {
return base.hex.encode(this.toBytes(true, this.hasWitnesses));
},
enumerable: false,
configurable: true
});
Object.defineProperty(Transaction.prototype, "hash", {
// TODO: hash requires non-empty script in inputs, why?
get: function () {
if (!this.isFinal)
throw new Error('Transaction is not finalized');
return base.hex.encode(sha256x2(this.toBytes(true)));
},
enumerable: false,
configurable: true
});
Object.defineProperty(Transaction.prototype, "id", {
get: function () {
if (!this.isFinal)
throw new Error('Transaction is not finalized');
return base.hex.encode(sha256x2(this.toBytes(true)).reverse());
},
enumerable: false,
configurable: true
});
// Input stuff
Transaction.prototype.checkInputIdx = function (idx) {
if (!Number.isSafeInteger(idx) || 0 > idx || idx >= this.inputs.length)
throw new Error("Wrong input index=".concat(idx));
};
// Modification
Transaction.prototype.normalizeInput = function (i, cur, allowedFields) {
var res = __assign(__assign({}, cur), i);
if (res.sequence === undefined)
res.sequence = taproot.DEFAULT_SEQUENCE;
if (res.hash === undefined && typeof res.txid === 'string')
res.hash = base.hex.decode(res.txid);
if (res.hash === undefined && typeof res.txid === 'object')
res.hash = res.txid;
if (typeof res.hash === 'string')
res.hash = base.hex.decode(res.hash).reverse();
if (res.tapMerkleRoot === null)
delete res.tapMerkleRoot;
if (res.hash === undefined || res.index === undefined)
throw new Error('Transaction/input: hash and index required');
res = mergeKeyMap(PSBTInput, res, cur, allowedFields);
PSBTInputCoder.encode(res);
// Cannot move in PSBTInputCoder, since it requires opts for parsing
if (res.nonWitnessUtxo) {
var outputs = res.nonWitnessUtxo.outputs;
if (outputs.length - 1 < res.index)
throw new Error('nonWitnessUtxo: incorect output index');
var tx = Transaction.fromRaw(taproot.RawTx.encode(res.nonWitnessUtxo), this.opts);
var hash = base.hex.encode(res.hash);
if (tx.id !== hash)
//ROHIT UNDONE var txid = base.hex.encode(res.txid);
//ROHIT UNDONE if (tx.id !== txid)
throw new Error("nonWitnessUtxo: wrong hash, exp=".concat(txid, " got=").concat(tx.id));
}
// TODO: use this.prevout?
var prevOut;
if (res.nonWitnessUtxo && i.index !== undefined)
prevOut = res.nonWitnessUtxo.outputs[res.index];
else if (res.witnessUtxo)
prevOut = res.witnessUtxo;
if (!this.opts.disableScriptCheck)
checkScript(prevOut && prevOut.script, res.redeemScript, res.witnessScript);
return res;
};
Transaction.prototype.addInput = function (input) {
if (!this.signStatus().addInput)
throw new Error('Tx has signed inputs, cannot add new one');
this.inputs.push(this.normalizeInput(input));
//ROHIT ATTEMPT UNDONE this.inputs.push(this.normalizeInput(this.inputs,input));
return this.inputs.length - 1;
};
Transaction.prototype.updateInput = function (idx, input) {
this.checkInputIdx(idx);
var allowedFields = undefined;
var status = this.signStatus();
if (!status.addInput || status.inputs.includes(idx))
allowedFields = PSBTInputUnsignedKeys;
this.inputs[idx] = this.normalizeInput(input, this.inputs[idx], allowedFields);
};
// Output stuff
Transaction.prototype.checkOutputIdx = function (idx) {
if (!Number.isSafeInteger(idx) || 0 > idx || idx >= this.outputs.length)
throw new Error("Wrong output index=".concat(idx));
};
Transaction.prototype.normalizeOutput = function (o, cur, allowedFields) {
var res = __assign(__assign({}, cur), o);
if (res.amount !== undefined)
res.amount = typeof res.amount === 'string' ? taproot.decimal.decode(res.amount) : res.amount;
res = mergeKeyMap(PSBTOutput, res, cur, allowedFields);
PSBTOutputCoder.encode(res);
if (res.script === undefined || res.amount === undefined)
throw new Error('Transaction/output: script and amount required');
if (!this.opts.allowUnknowOutput && taproot.OutScript.decode(res.script).type === 'unknown') {
throw new Error('Transaction/output: unknown output script type, there is a chance that input is unspendable. Pass allowUnkownScript=true, if you sure');
}
if (!this.opts.disableScriptCheck)
checkScript(res.script, res.redeemScript, res.witnessScript);
return res;
};
Transaction.prototype.addOutput = function (o) {
if (!this.signStatus().addOutput)
throw new Error('Tx has signed outputs, cannot add new one');
this.outputs.push(this.normalizeOutput(o));
return this.outputs.length - 1;
};
Transaction.prototype.updateOutput = function (idx, output) {
this.checkOutputIdx(idx);
var allowedFields = undefined;
var status = this.signStatus();
if (!status.addOutput || status.outputs.includes(idx))
allowedFields = PSBTOutputUnsignedKeys;
this.outputs[idx] = this.normalizeOutput(output, this.outputs[idx], allowedFields);
};
Transaction.prototype.addOutputAddress = function (address, amount, network) {
if (network === void 0) { network = taproot.NETWORK; }
return this.addOutput({
script: taproot.OutScript.encode(Address(network).decode(address)),
amount: typeof amount === 'string' ? taproot.decimal.decode(amount) : amount,
});
};
Object.defineProperty(Transaction.prototype, "fee", {
// Utils
get: function () {
var res = 0n;
for (var _i = 0, _a = this.inputs; _i < _a.length; _i++) {
var i = _a[_i];
var prevOut = this.prevOut(i);
if (!prevOut)
throw new Error('Empty input amount');
res += prevOut.amount;
}
for (var _b = 0, _c = this.outputs; _b < _c.length; _b++) {
var i = _c[_b];
res -= i.amount;
}
return res;
},
enumerable: false,
configurable: true
});
// Signing
// Based on https://github.com/bitcoin/bitcoin/blob/5871b5b5ab57a0caf9b7514eb162c491c83281d5/test/functional/test_framework/script.py#L624
// There is optimization opportunity to re-use hashes for multiple inputs for witness v0/v1,
// but we are trying to be less complicated for audit purpose for now.
Transaction.prototype.preimageLegacy = function (idx, prevOutScript, hashType) {
var _a = unpackSighash(hashType), isAny = _a.isAny, isNone = _a.isNone, isSingle = _a.isSingle;
if (idx < 0 || !Number.isSafeInteger(idx))
throw new Error("Invalid input idx=".concat(idx));
if ((isSingle && idx >= this.outputs.length) || idx >= this.inputs.length)
return P.U256BE.encode(1n);
prevOutScript = taproot.Script.encode(taproot.Script.decode(prevOutScript).filter(function (i) { return i !== 'CODESEPARATOR'; }));
var inputs = this.inputs.map(function (input, inputIdx) { return (__assign(__assign({}, input), { finalScriptSig: inputIdx === idx ? prevOutScript : P.EMPTY })); });
if (isAny)
inputs = [inputs[idx]];
else if (isNone || isSingle) {
inputs = inputs.map(function (input, inputIdx) { return (__assign(__assign({}, input), { sequence: inputIdx === idx ? def.sequence(input.sequence) : 0 })); });
}
var outputs = this.outputs;
if (isNone)
outputs = [];
else if (isSingle) {
outputs = this.outputs.slice(0, idx).fill(EMPTY_OUTPUT).concat([outputs[idx]]);
}
var tmpTx = taproot.RawTx.encode({
lockTime: this.lockTime,
version: this.version,
segwitFlag: false,
inputs: inputs,
outputs: outputs,
});
return sha256x2(tmpTx, P.I32LE.encode(hashType));
};
Transaction.prototype.preimageWitnessV0 = function (idx, prevOutScript, hashType, amount) {
var _a = unpackSighash(hashType), isAny = _a.isAny, isNone = _a.isNone, isSingle = _a.isSingle;
var inputHash = EMPTY32;
var sequenceHash = EMPTY32;
var outputHash = EMPTY32;
var inputs = this.inputs;
if (!isAny)
inputHash = sha256x2.apply(void 0, inputs.map(TxHashIdx.encode));
if (!isAny && !isSingle && !isNone)
sequenceHash = sha256x2.apply(void 0, inputs.map(function (i) { return P.U32LE.encode(def.sequence(i.sequence)); }));
if (!isSingle && !isNone) {
outputHash = sha256x2.apply(void 0, this.outputs.map(taproot.RawOutput.encode));
}
else if (isSingle && idx < this.outputs.length)
outputHash = sha256x2(taproot.RawOutput.encode(this.outputs[idx]));
var input = inputs[idx];
return sha256x2(P.I32LE.encode(this.version), inputHash, sequenceHash, P.bytes(32, true).encode(input.hash), P.U32LE.encode(input.index), taproot.VarBytes.encode(prevOutScript), P.U64LE.encode(amount), P.U32LE.encode(def.sequence(input.sequence)), outputHash, P.U32LE.encode(this.lockTime), P.U32LE.encode(hashType));
};
Transaction.prototype.preimageWitnessV1 = function (idx, prevOutScript, hashType, amount, codeSeparator, leafScript, leafVer, annex) {
if (codeSeparator === void 0) { codeSeparator = -1; }
if (leafVer === void 0) { leafVer = 0xc0; }
if (!Array.isArray(amount) || this.inputs.length !== amount.length)
throw new Error("Invalid amounts array=".concat(amount));
if (!Array.isArray(prevOutScript) || this.inputs.length !== prevOutScript.length)
throw new Error("Invalid prevOutScript array=".concat(prevOutScript));
var out = [
P.U8.encode(0),
P.U8.encode(hashType),
P.I32LE.encode(this.version),
P.U32LE.encode(this.lockTime),
];
var outType = hashType === SignatureHash.DEFAULT ? SignatureHash.ALL : hashType & 3;
var inType = hashType & SignatureHash.ANYONECANPAY;
if (inType !== SignatureHash.ANYONECANPAY) {
out.push.apply(out, [
this.inputs.map(TxHashIdx.encode),
amount.map(P.U64LE.encode),
prevOutScript.map(taproot.VarBytes.encode),
this.inputs.map(function (i) { return P.U32LE.encode(def.sequence(i.sequence)); }),
].map(function (i) { return (0, sha256_1.sha256)(concat.apply(void 0, i)); }));
}
if (outType === SignatureHash.ALL) {
out.push((0, sha256_1.sha256)(concat.apply(void 0, this.outputs.map(taproot.RawOutput.encode))));
}
var spendType = (annex ? 1 : 0) | (leafScript ? 2 : 0);
out.push(new Uint8Array([spendType]));
if (inType === SignatureHash.ANYONECANPAY) {
var inp = this.inputs[idx];
out.push(TxHashIdx.encode(inp), P.U64LE.encode(amount[idx]), taproot.VarBytes.encode(prevOutScript[idx]), P.U32LE.encode(def.sequence(inp.sequence)));
}
else
out.push(P.U32LE.encode(idx));
if (spendType & 1)
out.push((0, sha256_1.sha256)(taproot.VarBytes.encode(annex)));
if (outType === SignatureHash.SINGLE)
out.push(idx < this.outputs.length ? (0, sha256_1.sha256)(taproot.RawOutput.encode(this.outputs[idx])) : EMPTY32);
if (leafScript)
out.push((0, taproot.tapLeafHash)(leafScript, leafVer), P.U8.encode(0), P.I32LE.encode(codeSeparator));
return taggedHash.apply(void 0, __spreadArray(['TapSighash'], out, false));
};
// Utils for sign/finalize
// Used pretty often, should be fast
Transaction.prototype.prevOut = function (input) {
if (input.nonWitnessUtxo)
return input.nonWitnessUtxo.outputs[input.index];
else if (input.witnessUtxo)
return input.witnessUtxo;
else
throw new Error('Cannot find previous output info.');
};
Transaction.prototype.inputType = function (input) {
// TODO: check here if non-segwit tx + no nonWitnessUtxo
var txType = 'legacy';
var defaultSighash = SignatureHash.ALL;
var prevOut = this.prevOut(input);
var first = taproot.OutScript.decode(prevOut.script);
var type = first.type;
var cur = first;
var stack = [first];
if (first.type === 'tr') {
defaultSighash = SignatureHash.DEFAULT;
return {
txType: 'taproot',
type: 'tr',
last: first,
lastScript: prevOut.script,
defaultSighash: defaultSighash,
sighash: input.sighashType || defaultSighash,
};
}
else {
if (first.type === 'wpkh' || first.type === 'wsh')
txType = 'segwit';
if (first.type === 'sh') {
if (!input.redeemScript)
throw new Error('inputType: sh without redeemScript');
var child = taproot.OutScript.decode(input.redeemScript);
if (child.type === 'wpkh' || child.type === 'wsh')
txType = 'segwit';
stack.push(child);
cur = child;
type += "-".concat(child.type);
}
// wsh can be inside sh
if (cur.type === 'wsh') {
if (!input.witnessScript)
throw new Error('inputType: wsh without witnessScript');
var child = taproot.OutScript.decode(input.witnessScript);
if (child.type === 'wsh')
txType = 'segwit';
stack.push(child);
cur = child;
type += "-".concat(child.type);
}
// TODO: check for uncompressed public keys in segwit tx
var last = stack[stack.length - 1];
if (last.type === 'sh' || last.type === 'wsh')
throw new Error('inputType: sh/wsh cannot be terminal type');
var lastScript = taproot.OutScript.encode(last);
var res = {
type: type,
txType: txType,
last: last,
lastScript: lastScript,
defaultSighash: defaultSighash,
sighash: input.sighashType || defaultSighash,
};
return res;
}
};
// TODO: signer can be privateKey OR instance of bip32 HD stuff
Transaction.prototype.signIdx = function (privateKey, idx, allowedSighash, _auxRand) {
this.checkInputIdx(idx);
var input = this.inputs[idx];
var inputType = this.inputType(input);
// Handle BIP32 HDKey
if (!(privateKey instanceof Uint8Array)) {
if (!input.bip32Derivation || !input.bip32Derivation.length)
throw new Error('bip32Derivation: empty');
var signers = input.bip32Derivation
.filter(function (i) { return i[1].fingerprint == privateKey.fingerprint; })
.map(function (_a) {
var pubKey = _a[0], path = _a[1].path;
var s = privateKey;
for (var _i = 0, path_1 = path; _i < path_1.length; _i++) {
var i = path_1[_i];
s = s.deriveChild(i);
}
if (!P.equalBytes(s.publicKey, pubKey))
throw new Error('bip32Derivation: wrong pubKey');
if (!s.privateKey)
throw new Error('bip32Derivation: no privateKey');
return s;
});
if (!signers.length)
throw new Error("bip32Derivation: no items with fingerprint=".concat(privateKey.fingerprint));
var signed = false;
for (var _i = 0, signers_1 = signers; _i < signers_1.length; _i++) {
var s = signers_1[_i];
if (this.signIdx(s.privateKey, idx))
signed = true;
}
return signed;
}
// Sighash checks
// Just for compat with bitcoinjs-lib, so users won't face unexpected behaviour.
if (!allowedSighash)
allowedSighash = [inputType.defaultSighash];
var sighash = inputType.sighash;
if (!allowedSighash.includes(sighash)) {
throw new Error("Input with not allowed sigHash=".concat(sighash, ". Allowed: ").concat(allowedSighash.join(', ')));
}
// NOTE: it is possible to sign these inputs for legacy/segwit v0 (but no taproot!),
// however this was because of bug in bitcoin-core, which remains here because of consensus.
// If this is absolutely neccessary for you workflow, please open issue. For now it is disable to
// avoid complicated workflow where SINGLE will block adding new outputs
var _a = this.inputSighash(idx), sigInputs = _a.sigInputs, sigOutputs = _a.sigOutputs;
if (sigOutputs === SignatureHash.SINGLE && idx >= this.outputs.length) {
throw new Error("Input with sighash SINGLE, but there is no output with corresponding index=".concat(idx));
}
// Actual signing
// Taproot
var prevOut = this.prevOut(input);
if (inputType.txType === 'taproot') {
if (input.tapBip32Derivation)
throw new Error('tapBip32Derivation unsupported');
var prevOuts = this.inputs.map(this.prevOut);
var prevOutScript = prevOuts.map(function (i) { return i.script; });
var amount = prevOuts.map(function (i) { return i.amount; });
var signed = false;
var schnorrPub = secp.schnorr.getPublicKey(privateKey);
var merkleRoot = input.tapMerkleRoot || P.EMPTY;
if (input.tapInternalKey) {
// internal + tweak = tweaked key
// if internal key == current public key, we need to tweak private key,
// otherwise sign as is. bitcoinjs implementation always wants tweaked
// priv key to be provided
var _b = getTaprootKeys(privateKey, schnorrPub, input.tapInternalKey, merkleRoot), pubKey = _b.pubKey, privKey = _b.privKey;
var _c = taprootTweakPubkey(input.tapInternalKey, merkleRoot), taprootPubKey = _c[0], parity = _c[1];
if (P.equalBytes(taprootPubKey, pubKey)) {
var hash = this.preimageWitnessV1(idx, prevOutScript, sighash, amount);
var sig = concat(secp.schnorr.signSync(hash, privKey, _auxRand), sighash !== SignatureHash.DEFAULT ? new Uint8Array([sighash]) : P.EMPTY);
this.updateInput(idx, { tapKeySig: sig });
signed = true;
}
}
if (input.tapLeafScript) {
input.tapScriptSig = input.tapScriptSig || [];
var _loop_3 = function (cb, _script) {
var script = _script.subarray(0, -1);
var scriptDecoded = taproot.Script.decode(script);
var ver = _script[_script.length - 1];
var hash = (0, taproot.tapLeafHash)(script, ver);
var _j = getTaprootKeys(privateKey, schnorrPub, cb.internalKey, P.EMPTY // Because we cannot have nested taproot tree
), pubKey = _j.pubKey, privKey = _j.privKey;
var pos = scriptDecoded.findIndex(function (i) { return i instanceof Uint8Array && P.equalBytes(i, pubKey); });
// Skip if there is no public key in tapLeafScript
if (pos === -1)
return "continue";
var msg = this_1.preimageWitnessV1(idx, prevOutScript, sighash, amount, undefined, script, ver);
var sig = concat(secp.schnorr.signSync(msg, privKey, _auxRand), sighash !== SignatureHash.DEFAULT ? new Uint8Array([sighash]) : P.EMPTY);
this_1.updateInput(idx, { tapScriptSig: [[{ pubKey: pubKey, leafHash: hash }, sig]] });
signed = true;
};
var this_1 = this;
for (var _d = 0, _e = input.tapLeafScript; _d < _e.length; _d++) {
var _f = _e[_d], cb = _f[0], _script = _f[1];
_loop_3(cb, _script);
}
}
if (!signed)
throw new Error('No taproot scripts signed');
return true;
}
else {
// only compressed keys are supported for now
var pubKey = secp.getPublicKey(privateKey, true);
// TODO: replace with explicit checks
// Check if script has public key or its has inside
var hasPubkey = false;
var pubKeyHash = hash160(pubKey);
for (var _g = 0, _h = taproot.Script.decode(inputType.lastScript); _g < _h.length; _g++) {
var i = _h[_g];
if (i instanceof Uint8Array && (P.equalBytes(i, pubKey) || P.equalBytes(i, pubKeyHash)))
hasPubkey = true;
}
if (!hasPubkey)
throw new Error("Input script doesn't have pubKey: ".concat(inputType.lastScript));
var hash = void 0;
if (inputType.txType === 'legacy') {
if (!this.opts.allowLegacyWitnessUtxo && !input.nonWitnessUtxo) {
throw new Error("Transaction/sign: legacy input without nonWitnessUtxo, can result in attack that forces paying higher fees. Pass allowLegacyWitnessUtxo=true, if you sure");
}
hash = this.preimageLegacy(idx, inputType.lastScript, sighash);
}
else if (inputType.txType === 'segwit') {
var script = inputType.lastScript;
// If wpkh OR sh-wpkh, wsh-wpkh is impossible, so looks ok
// TODO: re-check
if (inputType.last.type === 'wpkh')
script = taproot.OutScript.encode({ type: 'pkh', hash: inputType.last.hash });
hash = this.preimageWitnessV0(idx, script, sighash, prevOut.amount);
}
else
throw new Error("Transaction/sign: unknown tx type: ".concat(inputType.txType));
var sig = signECDSA(hash, privateKey, this.opts.lowR);
this.updateInput(idx, {
partialSig: [[pubKey, concat(sig, new Uint8Array([sighash]))]],
});
}
return true;
};
// TODO: this is bad API. Will work if user creates and signs tx, but if
// there is some complex workflow with exchanging PSBT and signing them,
// then it is better to validate which output user signs. How could a better API look like?
// Example: user adds input, sends to another party, then signs received input (mixer etc),
// another user can add different input for same key and user will sign it.
// Even worse: another user can add bip32 derivation, and spend money from different address.
Transaction.prototype.sign = function (privateKey, allowedSighash, _auxRand) {
//debugger; //ROHIT
var num = 0;
for (var i = 0; i < this.inputs.length; i++) {
try {
if (this.signIdx(privateKey, i, allowedSighash, _auxRand))
num++;
}
catch (e) { }
}
if (!num)
throw new Error('No inputs signed');
return num;
};
Transaction.prototype.finalizeIdx = function (idx) {
this.checkInputIdx(idx);
if (this.fee < 0n)
throw new Error('Outputs spends more than inputs amount');
var input = this.inputs[idx];
var inputType = this.inputType(input);
// Taproot finalize
if (inputType.txType === 'taproot') {
if (input.tapKeySig)
input.finalScriptWitness = [input.tapKeySig];
else if (input.tapLeafScript && input.tapScriptSig) {
// TODO: this works the same as bitcoinjs lib fork, however it is not secure,
// since we add signatures to script which we don't understand.
// Maybe it is better to disable it?
// Proper way will be to create check for known scripts, however MuSig, p2tr_ns and other
// scripts are still not standard; and it will take significant amount of work for them.
// Sort leafs by control block length. TODO: maybe need to check script length too?
var leafs = input.tapLeafScript.sort(function (a, b) {
return taproot.TaprootControlBlock.encode(a[0]).length - taproot.TaprootControlBlock.encode(b[0]).length;
});
var _loop_4 = function (cb, _script) {
// Last byte is version
var script = _script.slice(0, -1);
var ver = _script[_script.length - 1];
var outScript_1 = taproot.OutScript.decode(script);
var hash = (0, taproot.tapLeafHash)(script, ver);
var scriptSig = input.tapScriptSig.filter(function (i) { return P.equalBytes(i[0].leafHash, hash); });
var signatures = [];
if (outScript_1.type === 'tr_ms') {
var m = outScript_1.m;
var pubkeys = outScript_1.pubkeys;
var added = 0;
var _loop_6 = function (pub) {
var sigIdx = scriptSig.findIndex(function (i) { return P.equalBytes(i[0].pubKey, pub); });
// Should have exact amount of signatures (more -- will fail)
if (added === m || sigIdx === -1) {
signatures.push(P.EMPTY);
return "continue";
}
signatures.push(scriptSig[sigIdx][1]);
added++;
};
for (var _c = 0, pubkeys_3 = pubkeys; _c < pubkeys_3.length; _c++) {
var pub = pubkeys_3[_c];
_loop_6(pub);
}
// Should be exact same as m
if (added !== m)
return "continue";
}
else if (outScript_1.type === 'tr_ns') {
var _loop_7 = function (pub) {
var sigIdx = scriptSig.findIndex(function (i) { return P.equalBytes(i[0].pubKey, pub); });
if (sigIdx === -1)
return "continue";
signatures.push(scriptSig[sigIdx][1]);
};
for (var _d = 0, _e = outScript_1.pubkeys; _d < _e.length; _d++) {
var pub = _e[_d];
_loop_7(pub);
}
if (signatures.length !== outScript_1.pubkeys.length)
return "continue";
}
else if (outScript_1.type === 'unknown' && this_2.opts.allowUnknowInput) {
// Trying our best to sign what we can
var scriptDecoded_1 = taproot.Script.decode(script);
signatures = scriptSig
.map(function (_a) {
var pubKey = _a[0].pubKey, signature = _a[1];
var pos = scriptDecoded_1.findIndex(function (i) { return i instanceof Uint8Array && P.equalBytes(i, pubKey); });
if (pos === -1)
throw new Error('finalize/taproot: cannot find position of pubkey in script');
return { signature: signature, pos: pos };
})
// Reverse order (because witness is stack and we take last element first from it)
.sort(function (a, b) { return a.pos - b.pos; })
.map(function (i) { return i.signature; });
if (!signatures.length)
return "continue";
}
else
throw new Error('Finalize: Unknown tapLeafScript');
// Witness is stack, so last element will be used first
input.finalScriptWitness = signatures
.reverse()
.concat([script, taproot.TaprootControlBlock.encode(cb)]);
return "break";
};
var this_2 = this;
for (var _i = 0, leafs_1 = leafs; _i < leafs_1.length; _i++) {
var _a = leafs_1[_i], cb = _a[0], _script = _a[1];
var state_1 = _loop_4(cb, _script);
if (state_1 === "break")
break;
}
if (!input.finalScriptWitness)
throw new Error('finalize/taproot: empty witness');
}
else
throw new Error('finalize/taproot: unknown input');
// Clean input
for (var k in input)
if (!PSBTInputFinalKeys.includes(k))
delete input[k];
return;
}
var outScript = inputType.lastScript;
var isSegwit = inputType.txType === 'segwit';
if (!input.partialSig || !input.partialSig.length)
throw new Error('Not enough partial sign');
// TODO: this is completely broken, fix.
var inputScript;
var witness = [];
// TODO: move input scripts closer to payments/output scripts
// Multisig
if (inputType.last.type === 'ms') {
var m = inputType.last.m;
var pubkeys = inputType.last.pubkeys;
var signatures = [];
var _loop_5 = function (pub) {
var sign = input.partialSig.find(function (s) { return P.equalBytes(pub, s[0]); });
if (!sign)
return "continue";
signatures.push(sign[1]);
};
// partial: [pubkey, sign]
for (var _b = 0, pubkeys_2 = pubkeys; _b < pubkeys_2.length; _b++) {
var pub = pubkeys_2[_b];
_loop_5(pub);
}
signatures = signatures.slice(0, m);
if (signatures.length !== m) {
throw new Error("Multisig: wrong signatures count, m=".concat(m, " n=").concat(pubkeys.length, " signatures=").concat(signatures.length));
}
inputScript = taproot.Script.encode(__spreadArray(['OP_0'], signatures, true));
}
else if (inputType.last.type === 'pk') {
inputScript = taproot.Script.encode([input.partialSig[0][1]]);
}
else if (inputType.last.type === 'pkh') {
// check if output is correct here
inputScript = taproot.Script.encode([input.partialSig[0][1], input.partialSig[0][0]]);
}
else if (inputType.last.type === 'wpkh') {
// check if output is correct here
inputScript = P.EMPTY;
witness = [input.partialSig[0][1], input.partialSig[0][0]];
}
else if (inputType.last.type === 'unknown' && !this.opts.allowUnknowInput)
throw new Error('Unknown inputs not allowed');
var finalScriptSig, finalScriptWitness;
if (input.witnessScript) {
// P2WSH
if (inputScript && inputScript.length > 0 && outScript && outScript.length > 0) {
witness = taproot.Script.decode(inputScript).map(function (i) {
if (i === 'OP_0')
return P.EMPTY;
if (i instanceof Uint8Array)
return i;
throw new Error("Wrong witness op=".concat(i));
});
}
if (witness && outScript)
witness = witness.concat(outScript);
outScript = taproot.Script.encode(['OP_0', (0, sha256_1.sha256)(outScript)]);
inputScript = P.EMPTY;
}
if (isSegwit)
finalScriptWitness = witness;
if (input.redeemScript) {
// P2SH
finalScriptSig = taproot.Script.encode(__spreadArray(__spreadArray([], taproot.Script.decode(inputScript), true), [outScript], false));
}
else if (!isSegwit)
finalScriptSig = inputScript;
if (!finalScriptSig && !finalScriptWitness)
throw new Error('Unknown error finalizing input');
if (finalScriptSig)
input.finalScriptSig = finalScriptSig;
if (finalScriptWitness)
input.finalScriptWitness = finalScriptWitness;
// Clean input
for (var k in input)
if (!PSBTInputFinalKeys.includes(k))
delete input[k];
};
Transaction.prototype.finalize = function () {
for (var i = 0; i < this.inputs.length; i++)
this.finalizeIdx(i);
};
Transaction.prototype.extract = function () {
if (!this.isFinal)
throw new Error('Transaction has unfinalized inputs');
if (!this.outputs.length)
throw new Error('Transaction has no outputs');
// TODO: Check if inputs.amount >= outputs.amount
return this.toBytes(true, true);
};
Transaction.prototype.combine = function (other) {
for (var _i = 0, _a = ['PSBTVersion', 'version', 'lockTime']; _i < _a.length; _i++) {
var k = _a[_i];
if (this[k] !== other[k])
throw new Error("Transaction/combine: different ".concat(k, " this=").concat(this[k], " other=").concat(other[k]));
}
for (var _b = 0, _c = ['inputs', 'outputs']; _b < _c.length; _b++) {
var k = _c[_b];
if (this[k].length !== other[k].length) {
throw new Error("Transaction/combine: different ".concat(k, " length this=").concat(this[k].length, " other=").concat(other[k].length));
}
}
var thisUnsigned = this.global.unsignedTx ? taproot.RawTx.encode(this.global.unsignedTx) : P.EMPTY;
var otherUnsigned = other.global.unsignedTx ? taproot.RawTx.encode(other.global.unsignedTx) : P.EMPTY;
if (!P.equalBytes(thisUnsigned, otherUnsigned))
throw new Error("Transaction/combine: different unsigned tx");
this.global = mergeKeyMap(PSBTGlobal, this.global, other.global);
for (var i = 0; i < this.inputs.length; i++)
this.updateInput(i, other.inputs[i]);
for (var i = 0; i < this.outputs.length; i++)
this.updateOutput(i, other.outputs[i]);
return this;
};
return Transaction;
}());
taproot.Transaction = Transaction;
// User facing API?
// Simple pubkey address, without complex scripts
function getAddress(type, privKey, network) {
if (network === void 0) { network = taproot.NETWORK; }
if (type === 'tr') {
return p2tr(secp.schnorr.getPublicKey(privKey), undefined, network).address;
}
var pubKey = secp.getPublicKey(privKey, true);
if (type === 'pkh')
return (0, taproot.p2pkh)(pubKey, network).address;
if (type === 'wpkh')
return (0, taproot.p2wpkh)(pubKey, network).address;
throw new Error("getAddress: unknown type=".concat(type));
}
taproot.getAddress = getAddress;
// TODO: rewrite
function multisig(m, pubkeys, sorted, witness) {
if (sorted === void 0) { sorted = false; }
if (witness === void 0) { witness = false; }
var ms = (0, taproot.p2ms)(m, sorted ? (0, taproot._sortPubkeys)(pubkeys) : pubkeys);
return witness ? (0, taproot.p2wsh)(ms) : (0, taproot.p2sh)(ms);
}
taproot.multisig = multisig;
function sortedMultisig(m, pubkeys, witness) {
if (witness === void 0) { witness = false; }
return multisig(m, pubkeys, true, witness);
}
taproot.sortedMultisig = sortedMultisig;
// Copy-pase from bip32 derive, maybe do something like 'bip32.parsePath'?
var HARDENED_OFFSET = 0x80000000;
function bip32Path(path) {
var out = [];
if (!/^[mM]'?/.test(path))
throw new Error('Path must start with "m" or "M"');
if (/^[mM]'?$/.test(path))
return out;
var parts = path.replace(/^[mM]'?\//, '').split('/');
for (var _i = 0, parts_1 = parts; _i < parts_1.length; _i++) {
var c = parts_1[_i];
var m = /^(\d+)('?)$/.exec(c);
if (!m || m.length !== 3)
throw new Error("Invalid child index: ".concat(c));
var idx = +m[1];
if (!Number.isSafeInteger(idx) || idx >= HARDENED_OFFSET)
throw new Error('Invalid index');
// hardened key
if (m[2] === "'")
idx += HARDENED_OFFSET;
out.push(idx);
}
return out;
}
taproot.bip32Path = bip32Path;
function PSBTCombine(psbts) {
if (!psbts || !Array.isArray(psbts) || !psbts.length)
throw new Error('PSBTCombine: wrong PSBT list');
var tx = Transaction.fromPSBT(psbts[0]);
for (var i = 1; i < psbts.length; i++)
tx.combine(Transaction.fromPSBT(psbts[i]));
return tx.toPSBT();
}
taproot.PSBTCombine = PSBTCombine;
function numberToScriptArray(number) {
array = coinjs.numToBytes(number);
let lastIndex = array.length - 1;
while (lastIndex >= 0 && array[lastIndex] === 0) {
lastIndex--;
}
array.splice(lastIndex + 1);
return array;
}
taproot.numberToScriptArray = numberToScriptArray;
})();
//Inserting these two lines so that Paul Miller Github tests can work.
var hex = base.hex;
var btc = taproot;
var Transaction = taproot.Transaction;
var secp256k1_schnorr = secp.schnorr;
var secp256k1 = secp;
var schnorr = secp.schnorr;
//ChatGPT replaced code for deeStrictEqual and should
function deepStrictEqual(actual, expected) {
if (typeof actual !== 'object' || typeof expected !== 'object') {
const result = actual === expected;
console.log(`deepStrictEqual: ${result ? 'Success' : 'Failure'} - Actual: ${actual}, Expected: ${expected}`);
return result;
}
const actualKeys = Object.keys(actual);
const expectedKeys = Object.keys(expected);
if (actualKeys.length !== expectedKeys.length) {
console.log(`deepStrictEqual: Failure - Different number of keys`);
return false;
}
for (const key of actualKeys) {
if (!deepStrictEqual(actual[key], expected[key])) {
console.log(`deepStrictEqual: Failure - Property '${key}' mismatch`);
return false;
}
}
console.log(`deepStrictEqual: Success`);
return true;
}
// Test suite function (replaced with should)
function should(suiteDescription, tests) {
console.log(`Running test suite: ${suiteDescription}`);
tests();
}
// Test runner function
function test(testDescription, testFunction) {
try {
testFunction();
} catch (error) {
logResult(false, `${testDescription} - ${error}`);
}
}
// Log test result
function logResult(result, message) {
if (result) {
console.log(`YESSS ${message}`);
} else {
console.error(`NO!!! ${message}`);
}
}
function throws(func) {
try {
func();
console.log(`throws: Failure - No exception was thrown`);
return false;
} catch (error) {
console.log(`throws: Success - Exception was thrown: ${error}`);
return true;
}
}
// End of ChatGPT test functions
function demonstrateNestedArray(nestedArray) {
console.log("Original nestedArray:");
console.log(nestedArray);
console.log("\nAccessing elements:");
console.log("\nIterating through nestedArray:");
for (var i = 0; i < nestedArray.length; i++) {
if (Array.isArray(nestedArray[i])) {
console.log("Element at index", i, "is an array:", nestedArray[i]);
for (var j = 0; j < nestedArray[i].length; j++) {
console.log(" Element at index", j, ":", nestedArray[i][j]);
}
} else {
console.log("Element at index", i, ":", nestedArray[i]);
}
}
}
//START OF BIP32 SECTION
/*! scure-bip32 - MIT License (c) 2022 Patricio Palladino, Paul Miller (paulmillr.com) */
var bip32 = {};
(function () {
var HDKey = /** @class */ (function () {
var hmac = hashmini.hmac;
var ripemd160 = hashmini.ripemd160;
var sha256 = hashmini.sha256;
var sha512 = hashmini.sha512;
//var _assert_1 = require("@noble/hashes/_assert");
var utils_1 = hashmini.utils;
var modular_1 = secp.utils;
//var base_1 = base;
var Point = secp.Point;
var base58check = (0, base.base58check)(sha256);
function _assert_1(condition, message = "Assertion failed") {
if (!condition) {
throw new Error(message);
}
}
function _assert_1(value, length, message = "Value is not a Uint8Array or does not have the expected length") {
if (!(value instanceof Uint8Array)) {
throw new Error(message);
}
}
const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
var __assign = (this && this.__assign) || function () {
return Object.assign.apply(Object, arguments);
};
function utf8ToBytes(str) {
if (typeof str !== 'string') {
throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
}
return new TextEncoder().encode(str);
}
function bytesToNumber(bytes) {
return BigInt("0x".concat((0, utils_1.bytesToHex)(bytes)));
}
function numberToBytes(num) {
return (0, utils_1.hexToBytes)(num.toString(16).padStart(64, '0'));
}
var MASTER_SECRET = (0, utf8ToBytes)('Bitcoin seed');
// Bitcoin hardcoded by default
var BITCOIN_VERSIONS = { private: 0x0488ade4, public: 0x0488b21e };
var HARDENED_OFFSET = 0x80000000;
var hash160 = function (data) { return (0, ripemd160)((0, sha256)(data)); };
var fromU32 = function (data) { return (0, createView)(data).getUint32(0, false); };
var toU32 = function (n) {
if (!Number.isSafeInteger(n) || n < 0 || n > Math.pow(2, 32) - 1) {
throw new Error("Invalid number=".concat(n, ". Should be from 0 to 2 ** 32 - 1"));
}
var buf = new Uint8Array(4);
(0, createView)(buf).setUint32(0, n, false);
return buf;
};
function HDKey(opt) {
this.depth = 0;
this.index = 0;
this.chainCode = null;
this.parentFingerprint = 0;
if (!opt || typeof opt !== 'object') {
throw new Error('HDKey.constructor must not be called directly');
}
this.versions = opt.versions || BITCOIN_VERSIONS;
this.depth = opt.depth || 0;
this.chainCode = opt.chainCode;
this.index = opt.index || 0;
this.parentFingerprint = opt.parentFingerprint || 0;
if (!this.depth) {
if (this.parentFingerprint || this.index) {
throw new Error('HDKey: zero depth with non-zero index/parent fingerprint');
}
}
if (opt.publicKey && opt.privateKey) {
throw new Error('HDKey: publicKey and privateKey at same time.');
}
if (opt.privateKey) {
if (!secp.utils.isValidPrivateKey(opt.privateKey)) {
throw new Error('Invalid private key');
}
this.privKey =
typeof opt.privateKey === 'bigint' ? opt.privateKey : bytesToNumber(opt.privateKey);
this.privKeyBytes = numberToBytes(this.privKey);
this.pubKey = secp.getPublicKey(opt.privateKey, true);
}
else if (opt.publicKey) {
this.pubKey = Point.fromHex(opt.publicKey).toRawBytes(true); // force compressed point
}
else {
throw new Error('HDKey: no public or private key provided');
}
this.pubHash = hash160(this.pubKey);
}
Object.defineProperty(HDKey.prototype, "fingerprint", {
get: function () {
if (!this.pubHash) {
throw new Error('No publicKey set!');
}
return fromU32(this.pubHash);
},
enumerable: false,
configurable: true
});
Object.defineProperty(HDKey.prototype, "identifier", {
get: function () {
return this.pubHash;
},
enumerable: false,
configurable: true
});
Object.defineProperty(HDKey.prototype, "pubKeyHash", {
get: function () {
return this.pubHash;
},
enumerable: false,
configurable: true
});
Object.defineProperty(HDKey.prototype, "privateKey", {
get: function () {
return this.privKeyBytes || null;
},
enumerable: false,
configurable: true
});
Object.defineProperty(HDKey.prototype, "publicKey", {
get: function () {
return this.pubKey || null;
},
enumerable: false,
configurable: true
});
Object.defineProperty(HDKey.prototype, "privateExtendedKey", {
get: function () {
var priv = this.privateKey;
if (!priv) {
throw new Error('No private key');
}
return base58check.encode(this.serialize(this.versions.private, (0, utils_1.concatBytes)(new Uint8Array([0]), priv)));
},
enumerable: false,
configurable: true
});
Object.defineProperty(HDKey.prototype, "publicExtendedKey", {
get: function () {
if (!this.pubKey) {
throw new Error('No public key');
}
return base58check.encode(this.serialize(this.versions.public, this.pubKey));
},
enumerable: false,
configurable: true
});
HDKey.fromMasterSeed = function (seed, versions) {
if (versions === void 0) { versions = BITCOIN_VERSIONS; }
(0, _assert_1)(seed);
if (8 * seed.length < 128 || 8 * seed.length > 512) {
throw new Error("HDKey: wrong seed length=".concat(seed.length, ". Should be between 128 and 512 bits; 256 bits is advised)"));
}
var I = (0, hmac)(sha512, MASTER_SECRET, seed);
return new HDKey({
versions: versions,
chainCode: I.slice(32),
privateKey: I.slice(0, 32),
});
};
HDKey.fromExtendedKey = function (base58key, versions) {
if (versions === void 0) { versions = BITCOIN_VERSIONS; }
// => version(4) || depth(1) || fingerprint(4) || index(4) || chain(32) || key(33)
var keyBuffer = base58check.decode(base58key);
var keyView = (0, createView)(keyBuffer);
var version = keyView.getUint32(0, false);
var opt = {
versions: versions,
depth: keyBuffer[4],
parentFingerprint: keyView.getUint32(5, false),
index: keyView.getUint32(9, false),
chainCode: keyBuffer.slice(13, 45),
};
var key = keyBuffer.slice(45);
var isPriv = key[0] === 0;
if (version !== versions[isPriv ? 'private' : 'public']) {
throw new Error('Version mismatch');
}
if (isPriv) {
return new HDKey(__assign(__assign({}, opt), { privateKey: key.slice(1) }));
}
else {
return new HDKey(__assign(__assign({}, opt), { publicKey: key }));
}
};
HDKey.fromJSON = function (json) {
return HDKey.fromExtendedKey(json.xpriv);
};
HDKey.prototype.derive = function (path) {
if (!/^[mM]'?/.test(path)) {
throw new Error('Path must start with "m" or "M"');
}
if (/^[mM]'?$/.test(path)) {
return this;
}
var parts = path.replace(/^[mM]'?\//, '').split('/');
// tslint:disable-next-line
var child = this;
for (var _i = 0, parts_1 = parts; _i < parts_1.length; _i++) {
var c = parts_1[_i];
var m = /^(\d+)('?)$/.exec(c);
var m1 = m && m[1];
if (!m || m.length !== 3 || typeof m1 !== 'string') {
throw new Error("Invalid child index: ".concat(c));
}
var idx = +m1;
if (!Number.isSafeInteger(idx) || idx >= HARDENED_OFFSET) {
throw new Error('Invalid index');
}
// hardened key
if (m[2] === "'") {
idx += HARDENED_OFFSET;
}
child = child.deriveChild(idx);
}
return child;
};
HDKey.prototype.deriveChild = function (index) {
if (!this.pubKey || !this.chainCode) {
throw new Error('No publicKey or chainCode set');
}
var data = toU32(index);
if (index >= HARDENED_OFFSET) {
// Hardened
var priv = this.privateKey;
if (!priv) {
throw new Error('Could not derive hardened child key');
}
// Hardened child: 0x00 || ser256(kpar) || ser32(index)
data = (0, utils_1.concatBytes)(new Uint8Array([0]), priv, data);
}
else {
// Normal child: serP(point(kpar)) || ser32(index)
data = (0, utils_1.concatBytes)(this.pubKey, data);
}
var I = (0, hmac)(sha512, this.chainCode, data);
var childTweak = bytesToNumber(I.slice(0, 32));
var chainCode = I.slice(32);
if (!secp.utils.isValidPrivateKey(childTweak)) {
throw new Error('Tweak bigger than curve order');
}
var opt = {
versions: this.versions,
chainCode: chainCode,
depth: this.depth + 1,
parentFingerprint: this.fingerprint,
index: index,
};
try {
// Private parent key -> private child key
if (this.privateKey) {
var added = (0, modular_1.mod)(this.privKey + childTweak, secp.CURVE.n);
if (!secp.utils.isValidPrivateKey(added)) {
throw new Error('The tweak was out of range or the resulted private key is invalid');
}
opt.privateKey = added;
}
else {
var added = Point.fromHex(this.pubKey).add(Point.fromPrivateKey(childTweak));
// Cryptographically impossible: hmac-sha512 preimage would need to be found
if (added.equals(Point.ZERO)) {
throw new Error('The tweak was equal to negative P, which made the result key invalid');
}
opt.publicKey = added.toRawBytes(true);
}
return new HDKey(opt);
}
catch (err) {
return this.deriveChild(index + 1);
}
};
HDKey.prototype.sign = function (hash) {
if (!this.privateKey) {
throw new Error('No privateKey set!');
}
(0, _assert_1)(hash, 32);
return secp.sign(hash, this.privKey).toCompactRawBytes();
};
HDKey.prototype.verify = function (hash, signature) {
(0, _assert_1)(hash, 32);
(0, _assert_1)(signature, 64);
if (!this.publicKey) {
throw new Error('No publicKey set!');
}
var sig;
try {
sig = secp.Signature.fromCompact(signature);
}
catch (error) {
return false;
}
return secp.verify(sig, hash, this.publicKey);
};
HDKey.prototype.wipePrivateData = function () {
this.privKey = undefined;
if (this.privKeyBytes) {
this.privKeyBytes.fill(0);
this.privKeyBytes = undefined;
}
return this;
};
HDKey.prototype.toJSON = function () {
return {
xpriv: this.privateExtendedKey,
xpub: this.publicExtendedKey,
};
};
HDKey.prototype.serialize = function (version, key) {
if (!this.chainCode) {
throw new Error('No chainCode set');
}
(0, _assert_1)(key, 33);
// version(4) || depth(1) || fingerprint(4) || index(4) || chain(32) || key(33)
return (0, utils_1.concatBytes)(toU32(version), new Uint8Array([this.depth]), toU32(this.parentFingerprint), toU32(this.index), this.chainCode, key);
};
return HDKey;
}());
bip32.HDKey = HDKey
})();
var HDKey = bip32.HDKey;
Reference in New Issue View Git Blame Copy Permalink