From 86b1c847af544a953b8c26f10e024172eaf2a24a Mon Sep 17 00:00:00 2001
From: Islam Amin <islamamin@bitgo.com>
Date: Wed, 17 Apr 2024 19:42:02 -0400
Subject: [PATCH] feat(sdk-lib-mpc): add utility to verify dkls signatures

Ticket: HSM-341
---
 modules/sdk-lib-mpc/package.json              |  3 +-
 .../sdk-lib-mpc/src/tss/ecdsa-dkls/util.ts    | 35 +++++++++++++++++++
 .../test/unit/tss/ecdsa/dklsDsg.ts            | 29 ++++++---------
 3 files changed, 48 insertions(+), 19 deletions(-)

diff --git a/modules/sdk-lib-mpc/package.json b/modules/sdk-lib-mpc/package.json
index 138a3cebfd..2426626a1a 100644
--- a/modules/sdk-lib-mpc/package.json
+++ b/modules/sdk-lib-mpc/package.json
@@ -45,7 +45,8 @@
     "cbor": "^9.0.1",
     "libsodium-wrappers-sumo": "^0.7.9",
     "openpgp": "5.10.1",
-    "paillier-bigint": "3.3.0"
+    "paillier-bigint": "3.3.0",
+    "secp256k1": "5.0.0"
   },
   "devDependencies": {
     "@types/lodash": "^4.14.151",
diff --git a/modules/sdk-lib-mpc/src/tss/ecdsa-dkls/util.ts b/modules/sdk-lib-mpc/src/tss/ecdsa-dkls/util.ts
index c45ac9be4e..22da197704 100644
--- a/modules/sdk-lib-mpc/src/tss/ecdsa-dkls/util.ts
+++ b/modules/sdk-lib-mpc/src/tss/ecdsa-dkls/util.ts
@@ -3,6 +3,10 @@ import { Secp256k1Curve } from '../../curves';
 import { bigIntFromBufferBE, bigIntToBufferBE } from '../../util';
 import { DeserializedDklsSignature } from './types';
 import { decode } from 'cbor';
+import * as secp256k1 from 'secp256k1';
+import { Hash, createHash } from 'crypto';
+
+const delimeter = ':';
 
 /**
  * Combines partial signatures from parties participating in DSG.
@@ -27,3 +31,34 @@ export function combinePartialSignatures(round4MessagePayloads: Uint8Array[], rH
     S: new Uint8Array(bigIntToBufferBE(normalizedSig.s)),
   };
 }
+
+/**
+ * Verify a DKLs Signature and serialize it to recid:r:s:publickey format.
+ * @param message - message that was signed.
+ * @param dklsSignature - R and S values of the ECDSA signature.
+ * @param commonKeychain - public key appended to chaincode in hex.
+ * @param hash - optional hash function to apply on message before verifying. Default is sha256.
+ * @param shouldHash - flag to determine whether message should be hashed before verifying.
+ * @returns {string} - serialized signature in `recid:r:s:publickey` format
+ */
+export function verifyAndConvertDklsSignature(
+  message: Buffer,
+  dklsSignature: DeserializedDklsSignature,
+  commonKeychain: string,
+  hash?: Hash,
+  shouldHash = true
+): string {
+  const messageToVerify = shouldHash ? (hash || createHash('sha256')).update(message).digest() : message;
+  const pub0 = secp256k1.ecdsaRecover(Buffer.concat([dklsSignature.R, dklsSignature.S]), 0, messageToVerify, true);
+  const pub1 = secp256k1.ecdsaRecover(Buffer.concat([dklsSignature.R, dklsSignature.S]), 1, messageToVerify, true);
+  const truePub = commonKeychain.slice(0, 66);
+  let recId = 0;
+  if (truePub === Buffer.from(pub1).toString('hex')) {
+    recId = 1;
+  } else if (truePub !== Buffer.from(pub0).toString('hex')) {
+    throw Error('Invalid Signature');
+  }
+  return `${recId}${delimeter}${Buffer.from(dklsSignature.R).toString('hex')}${delimeter}${Buffer.from(
+    dklsSignature.S
+  ).toString('hex')}${delimeter}${commonKeychain.slice(0, 66)}`;
+}
diff --git a/modules/sdk-lib-mpc/test/unit/tss/ecdsa/dklsDsg.ts b/modules/sdk-lib-mpc/test/unit/tss/ecdsa/dklsDsg.ts
index 6f9200f254..e1ab00cb70 100644
--- a/modules/sdk-lib-mpc/test/unit/tss/ecdsa/dklsDsg.ts
+++ b/modules/sdk-lib-mpc/test/unit/tss/ecdsa/dklsDsg.ts
@@ -5,7 +5,7 @@ import should from 'should';
 import { Keyshare } from '@silencelaboratories/dkls-wasm-ll-node';
 import { decode } from 'cbor';
 import { Secp256k1Bip32HdTree, bigIntFromBufferBE, bigIntToBufferBE } from '../../../../src';
-import * as secp256k1 from 'secp256k1';
+import { verifyAndConvertDklsSignature } from '../../../../src/tss/ecdsa-dkls/util';
 
 describe('DKLS Dsg 2x3', function () {
   const vectors = [
@@ -112,24 +112,17 @@ describe('DKLS Dsg 2x3', function () {
       const chaincode = bigIntFromBufferBE(Buffer.from(decode(keyShare.toBytes()).root_chain_code));
       const hdTree = new Secp256k1Bip32HdTree();
       const derivedKey = hdTree.publicDerive({ pk: pk, chaincode: chaincode }, vector.derivationPath);
-      const pub1 = secp256k1.ecdsaRecover(
-        Buffer.concat([party1.signature.R, party1.signature.S]),
-        0,
-        crypto.createHash('sha256').update(Buffer.from(vector.msgToSign, 'hex')).digest(),
-        true
-      );
-      const pub2 = secp256k1.ecdsaRecover(
-        Buffer.concat([party1.signature.R, party1.signature.S]),
-        1,
-        crypto.createHash('sha256').update(Buffer.from(vector.msgToSign, 'hex')).digest(),
-        true
-      );
       const derivedPub =
-        vector.derivationPath === 'm' ? keyShare.publicKey : new Uint8Array(bigIntToBufferBE(derivedKey.pk));
-      (
-        (pub1.every((p) => derivedPub.includes(p)) && derivedPub.every((p) => pub1.includes(p))) ||
-        (pub2.every((p) => derivedPub.includes(p)) && derivedPub.every((p) => pub2.includes(p)))
-      ).should.equal(true);
+        vector.derivationPath === 'm'
+          ? Buffer.from(keyShare.publicKey).toString('hex')
+          : bigIntToBufferBE(derivedKey.pk).toString('hex');
+      const convertedSignature = verifyAndConvertDklsSignature(
+        Buffer.from(vector.msgToSign, 'hex'),
+        party1.signature,
+        derivedPub
+      );
+      should.exist(convertedSignature);
+      convertedSignature.split(':').length.should.equal(4);
     });
   });