Hi @wshbair, thank you for publishing this, your code has helped me a lot implementing AWS KMS based Ethereum signing. I really appreciate it.
After days of messing with the ASN1 encoding and identifying the right r,s,v values to get on the "good" side of the curve, it's finally working.
Question for you, don't you need to sign the final Tx Object?
On line 52 of your script, you're signing the EthAddress of your account.
```js
encoded_msg = EthAddr
var msgHash = util.keccak(encoded_msg) // msg to be signed is the generated ethereum address
```
On lines 106 and 107, you're not signing the transaction object itself. You're still using the `r` and `s` values from the original signature that was generated by signing the eth address.
```js
const txParams = {
  nonce: '0x0',
  gasPrice: '0x09184e72a00',
  gasLimit: '0x27100',
  to: '0x4D8519890C77217A352d3cC978B0b74165154421',
  value: '0x00',
  chainId: 4
};

const tx = new EthereumTx(txParams, {'chain':'rinkeby'})
tx.r=rs.r
tx.s=rs.s
tx.v=v
const serializedTx = tx.serialize().toString('hex')
```
I'm doing the same thing in my script but the transaction won't go through if I'm not signing the actual transaction object again, i.e. if I'm using the initial values of `r` and `s` the transaction will fail. That's why I'm signing the actual transaction object again (see code below, you can see 2 signatures being generated).
```ts
let ethAddrHash = ethutil.keccak(Buffer.from(ethAddr));
// signing the 1st time
// we're signing the hash of our ethereum address
let sig = await findEthereumSig(ethAddrHash);
let recoveredPubAddr = findRightKey(ethAddrHash, sig.r, sig.s, ethAddr);
const txParams: TxData = {
  nonce: await web3.eth.getTransactionCount(ethAddr),
  gasPrice: '0x0918400000',
  gasLimit: 160000,
  to: '0x0000000000000000000000000000000000000000',
  value: '0x00',
  data: '0x00',
  r: sig.r.toBuffer(), // using r from the first signature
  s: sig.s.toBuffer(), // using s from the first signature
  v: recoveredPubAddr.v
}
console.log(txParams);
const tx = new Transaction(txParams, {
  chain: 'kovan',
});
// signing the 2nd time
// this time we're signing the hash of the actual transaction
let txHash = tx.hash(false);
sig = await findEthereumSig(txHash);
recoveredPubAddr = findRightKey(txHash, sig.r, sig.s, ethAddr);
tx.r = sig.r.toBuffer(); // replacing r based on 2nd sig
tx.s = sig.s.toBuffer(); // replacing s based on 2nd sig
tx.v = new BN(recoveredPubAddr.v).toBuffer();
console.log(tx.getSenderAddress().toString('hex'));
// Send signed tx to ethereum network
const serializedTx = tx.serialize().toString('hex');
web3.eth.sendSignedTransaction('0x' + serializedTx)
```
I was wondering if you have found a way to avoid the second signature. Since building the sig is a tedious process, I'd like to run it only once.
One more thing, if you want to avoid the `while` loop, you can use the inverted value of `s` to be on the good side of the curve. (I used BN instead of BigNumber) Code:
```js
let secp256k1N = new BN("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16); // order n of the secp256k1 curve
let secp256k1halfN = secp256k1N.div(new BN(2)); // half of the curve order
// Because of EIP-2 not all elliptic curve signatures are accepted
// the value of s must not be greater than half of the curve order
// i.e. we need to flip s if it's greater than half of the curve order
if (s.gt(secp256k1halfN)) {
  console.log("s is on the wrong side of the curve... flipping - tempsig: " + tempsig + " length: " + tempsig.length);
  // According to EIP2 https://github.com/ethereum/EIPs/blob/master/EIPS/eip-2.md
  // if s > half the curve order we need to invert it
  // s = curve.n - s
  s = secp256k1N.sub(s);
  console.log("new s: " + s.toString(10));
  return { r, s }
}
// if s is not greater than half of the curve order, we're on the "good" side of the curve, we can just return
return { r, s }
```
Thanks again for your code. It was fun implementing this based on your flow.
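
The ASN.1 decoding and EIP-2 `s` flip discussed in the comment above, as an added example that is not part of the original comment or the gist's code: a dependency-free parser for the DER `SEQUENCE { INTEGER r, INTEGER s }` that AWS KMS returns for ECDSA signatures, with strict structure checks and low-`s` normalization. The function names and the sample bytes are constructed for illustration.

```javascript
// secp256k1 group order n and n/2, the EIP-2 upper bound for s
const SECP256K1_N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
const SECP256K1_HALF_N = SECP256K1_N / 2n;

// Read one DER INTEGER starting at `offset`; return its value and the next offset.
function readDerInteger(der, offset) {
  if (der[offset] !== 0x02) throw new Error('expected INTEGER tag at offset ' + offset);
  const len = der[offset + 1];
  // 32 value bytes plus at most one 0x00 sign-padding byte
  if (!(len >= 1 && len <= 33)) throw new Error('unexpected INTEGER length');
  const start = offset + 2;
  const end = start + len;
  if (end > der.length) throw new Error('INTEGER overruns the buffer');
  if (der[start] & 0x80) throw new Error('negative INTEGER');
  let value = 0n;
  for (let i = start; i < end; i++) value = (value << 8n) | BigInt(der[i]);
  return { value, next: end };
}

// Parse SEQUENCE { INTEGER r, INTEGER s } and return r with s in low-s form.
function parseDerSignature(der) {
  if (der[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  // a secp256k1 signature is at most 72 bytes, so the length is always short-form
  if (der[1] & 0x80) throw new Error('long-form length not expected');
  if (der[1] !== der.length - 2) throw new Error('SEQUENCE length mismatch');
  const r = readDerInteger(der, 2);
  const s = readDerInteger(der, r.next);
  if (s.next !== der.length) throw new Error('trailing bytes after s');
  for (const x of [r.value, s.value]) {
    if (x <= 0n || x >= SECP256K1_N) throw new Error('r or s out of range');
  }
  const flipped = s.value > SECP256K1_HALF_N; // EIP-2: reject/normalize high s
  return { r: r.value, s: flipped ? SECP256K1_N - s.value : s.value, flipped };
}

// Constructed sample (not a real signature): r = 5, s = n - 1, so s needs flipping.
// s has its top bit set, so DER prefixes it with 0x00 (33 bytes, length 0x21).
const sBytes = (SECP256K1_N - 1n).toString(16).match(/../g).map((h) => parseInt(h, 16));
const SAMPLE_HIGH_S_DER = Uint8Array.from(
  [0x30, 0x26, 0x02, 0x01, 0x05, 0x02, 0x21, 0x00, ...sBytes]);

const sample = parseDerSignature(SAMPLE_HIGH_S_DER);
console.log('r =', sample.r.toString(16), 's =', sample.s.toString(16), 'flipped =', sample.flipped);
```

Flipping `s` also flips the recovery parity, so `v` has to be determined against the normalized `s`, which is what recovering the address from the final `r` and `s` achieves.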