Possible Fix: Issue #60263 (Crypto cant sign/verify prehashed inputs)

[codermapuche]

Use case:

const crypto = require('crypto');

const message		 	= Buffer.from('LmM8PqCO1QIpTse0s+MQEJ7YXOSZuqyjPCJ4tIZ+OrU=', 'base64'),
			prehash 	 	= crypto.createHash('sha256').update(message).digest();

const namedCurve 	= 'secp256k1',
			keyPair 	 	= crypto.generateKeyPairSync('ec', { namedCurve }),
			signature		= crypto.sign(null, prehash, {
											key					: keyPair.privateKey,
											dsaEncoding	: 'ieee-p1363'
										});

console.log(crypto.verify(null, message, {
	key					: keyPair.publicKey,
	dsaEncoding	: 'ieee-p1363'
}, signature), ' message internal-internal (must be false)');

console.log(crypto.verify(null, prehash, {
	key					: keyPair.publicKey,
	dsaEncoding	: 'ieee-p1363'
}, signature), ' prehash internal-internal (must be true)');

// Simple unitary test:
const PUBLIC_KEY_PEM = '-----BEGIN PUBLIC KEY-----\n' +
										 	'MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE6Yvel06IICYJZ/XsuPEFTpDt0aU8dwLK\n' +
										 	'jvgxyYTeZ/vlS49/PDRIr5JDz+QNWFB9ZM9tf4i9SdT0LVtlgRj3dQ==\n' +
										 	'-----END PUBLIC KEY-----',
			publicKey 		 = crypto.createPublicKey(PUBLIC_KEY_PEM),
			signOfPreHash  = Buffer.from('Djv4wD3eWu8lHI3DrN2Dypdrirj+J1rfJD5O1B/Tw8sYy38jms77neECQ0S9LHpnWun+Jb9iOZNbYjH+CoVUnA==', 'base64');
			
console.log('== BUG HERE ==');

console.log(crypto.verify(null, message, {
	key					: publicKey,
	dsaEncoding	: 'ieee-p1363'
}, signOfPreHash), ' message external-internal (must be false)');

console.log(crypto.verify(null, prehash, {
	key					: publicKey,
	dsaEncoding	: 'ieee-p1363'
}, signOfPreHash), ' prehash external-internal (must be true)');

[nodejs-github-bot]

Review requested:

• @nodejs/crypto
• @nodejs/security-wg

[panva]

This is not a bug fix. Prehashing, external_mu, or ph variants of ed25519 are simply not supported and they would require a different approach than the one in the PR which already conflicts with ml-dsa, ed25519/448 or defaulting to sha256 for ecdsa/rsa.

[ChALkeR]

The only actual pre-hashing usecase in the wild is 'ec', { namedCurve: 'secp256k1' } likely

Perhaps this could be special-cased to allow null digest there, while not affecting all other curves/algos?
Not necessarily in this PR/approach, but generally speaking

@panva wdyt?

[panva]

@ChALkeR generally speaking if there was a sound extension proposal for the existing single-shot APIs that would deal with ml-dsa external_mu, ed25519ph, and prehashed ecdsa/rsa in a non-breaking manner - sure.

[ChALkeR]

@panva I'm thinking more of a change that would only allow prehashed secp256k1
Without any changes to anything else

That would way easier to implement/support, and will likely close the reason why people want this
(as libsecp256k1 has no prehashing, also is what #60263 uses)

I.e. it could be added on curve-by-curve basis, not blocking on a supporting everything at once (and just keep throwing on unsupported)

That will also protect against regressions when new algos are introduced

[codermapuche]

@ChALkeR that approach makes sense for targeted support. The main use case I’m addressing comes from porting Ethereum protocols to node:crypto, which has three specific requirements:

1. Support for keccak256 as the hash algorithm.
2. Access to recovery parameters (r, s, and recovery id) from the signature.
3. Signing raw, fixed-length bytes for the DevP2P handshake, without additional internal hashing (this issue/pr).

Adding prehashed secp256k1 only for these cases would satisfy this use case, while avoiding regressions and keeping other algorithms unchanged.

Adding "raw" as a keyword for the algorithm parameter could handle this cleanly without breaking existing behavior. It would allow signing prehashed or fixed-length data directly, covering the use case while keeping all other algorithms unchanged and consistent.

[ChALkeR]

@codermapuche Do you want to propose that as a PR?

It also should check input and reject everything that is not 32-byte (for secp256k1), as truncation on those is unobvious to consumers / might be a source of bugs

[ChALkeR]

@codermapuche Also note that you won't be to plug this in as libsecp256k1 replacement directly without more steps/checks. There are more things differing this from libsecp256k1

1. Extra entropy is always present when signing. That should not be turned off.
2. Signatures are non-normalized, you likely have to parse and normalize them if you want normalized ones.
   I don't think Node.js should be the place for that. But it's not compute-intensive and could be done very fast in JS.
3. Verify accepts non-normalized signatures.
4. No schnorr.

[ChALkeR]

I'm also unsure if signing would be even faster than https://www.npmjs.com/package/@noble/curves for your usecase.

[panva]

This would be my rough expectation.

crypto.sign(algorithm, message, {
  key,
  messageType: crypto.constants.MESSAGE_TYPE_RAW // RAW is current behaviour & default, other options crypto.constants.MESSAGE_TYPE_DIGEST (covers RSA, ECDSA, Ed25519ph, Ed448ph), crypto.constants.MESSAGE_TYPE_EXTERNAL_MU
})

crypto.verify(algorithm, message, {
	key,
  messageType: crypto.constants.MESSAGE_TYPE_RAW // RAW is current behaviour & default, other options crypto.constants.MESSAGE_TYPE_DIGEST (covers RSA, ECDSA, Ed25519ph, Ed448ph), crypto.constants.MESSAGE_TYPE_EXTERNAL_MU
}, signature)

I'm not supportive of singling out secp256k1 ECDSA.