Web3 Message Signing – Sign Message with Web3 and Verify Using OpenZeppelin-Solidity ECDSA.sol

ecrecoveropenzeppelin-contractssignatureweb3js

I'm trying to get a little example working with ECDSA.sol here: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/cryptography/ECDSA.sol

This contract:

Generate a random(ish) bytes32 (stub for a future message digest).
Morph it into an EthSignedHash with keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", hash));
Use ecrecover to work out who signed a message.

pragma solidity 0.5.8;

import "../../node_modules/openzeppelin-solidity/contracts/cryptography/ECDSA.sol";

contract Sigs {

    using ECDSA for bytes32;

    function rndHash() public view returns(bytes32) {
        return keccak256(abi.encodePacked(block.number));
    }

    function ethSignedHash(bytes32 messageHash) public pure returns(bytes32) {
        return messageHash.toEthSignedMessageHash();
    }

    function recover(bytes32 hash, bytes memory signature) public pure returns(address) {
        return hash.recover(signature);
    }
}

On the client side:

Conjure up a random(ish) message.
Make an ethHash of the message.
Sign it.
Send ethHash and the signature to ecRecover and get the signer address.

I'm not sure what I'm missing. I think the original message hash should be signed and EIP-712 does the "Ethereum Signing", so I should send the "Ethereum Hash" to ecrecover (as implemented in ECDSA.sol). In any case, no combination brings any joy.

var Sigs = artifacts.require("./Junk/Sigs");

contract("Sigs", accounts => {

  var signer;

  beforeEach(async () => {
    signer = accounts[0];
    sigs = await Sigs.new({from: signer}); 
  });

  it("should recover signer address.", async () =>  {

    console.log("SIGNER: ", signer);

    var random  = await sigs.rndHash({from: signer});
    var ethHash = await sigs.ethSignedHash(random);

    // four possible combinations tried for the next step :/
    var signature = await web3.eth.sign(random, signer);    // sign the random hash or the ethHash
    var recovered = await sigs.recover(ethHash, signature); // recover from the random hash or the ethHash

    console.log("random1: ", random);
    console.log("signature: ", signature);
    console.log("recovered: ", recovered);

    assert.strictEqual(recovered, signer, "The recovered signature does not match the signer.");

  });    
});

I'd be very grateful if someone can sort me out.

Truffle v5.0.41 (core: 5.0.41)
Solidity - 0.5.8 (solc-js)
Node v8.10.0
Web3.js v1.2.1

Thanks!

Update

For anyone else who happens across this, this is the revised, passing test.

const Sigs = artifacts.require("./Junk/Sigs");
const EthCrypto = require("eth-crypto");

contract("Sigs", accounts => {

  var signer;

  beforeEach(async () => {
    signer = accounts[0];
    sigs = await Sigs.new({from: signer}); 
  });

  it("should recover signer address.", async () =>  {

    console.log("SIGNER: ", signer);

    var message = "0x1234";
    console.log("message: ", message);
    var msgHash    = await sigs.messageHash(message);
    var ethHash = await sigs.ethSignedHash(msgHash);

    var signature = await web3.eth.sign(msgHash, signer);    // sign the mesage hash
    signature = signature.substr(0, 130) + (signature.substr(130) == "00" ? "1b" : "1c"); // v: 0,1 => 27,28
    var recovered = await sigs.recover(ethHash, signature); // recover from the ethHash

    console.log("msgHash: ", msgHash);
    console.log("ethHash: ", ethHash);
    console.log("signature: ", signature);
    console.log("recovered: ", recovered);

    assert.strictEqual(recovered, signer, "The recovered signature does not match the signer.");

  });    
});

Best Answer

The problem is that eth.sign returns a signature where v is 0 or 1 and ecrecover expect it to be 27 or 28.

A note in the documentation for web3 v0.20 is clear:

Note that if you are using ecrecover, v will be either "00" or "01". As a result, in order to use this value, you will have to parse it to an integer and then add 27. This will result in either a 27 or a 28.

You have to do something like this

var signature = await web3.eth.sign(random, signer);    // sign the random hash or the ethHash
signature = signature.substr(0, 130) + (signature.substr(130) == "00" ? "1b" : "1c");
var recovered = await sigs.recover(ethHash, signature); // recover from the random hash or the ethHash

Related Solutions

Signature – Verification of Externally-Created ECDSA Signatures in Solidity

The main issue is that you're signing "TEST" but then trying to recover the signer as though you signed a hash of "\x19Ethereum Signed Message:\n4TEST".

I'm also not confident you're emitting the public key properly, but you presumably only want the address anyway. Here's some working code:

Go:

package main

import (
    "crypto/ecdsa"
    "fmt"

    "crypto/rand"
    "encoding/hex"
    "github.com/ethereum/go-ethereum/common/math"
    "github.com/ethereum/go-ethereum/crypto"
    "github.com/ethereum/go-ethereum/crypto/secp256k1"
    "github.com/miguelmota/go-solidity-sha3"
)

func main() {
    key, err := ecdsa.GenerateKey(crypto.S256(), rand.Reader)
    if err != nil {
        panic(err)
    }

    message := "TEST"
    // Turn the message into a 32-byte hash
    hash := solsha3.SoliditySHA3(solsha3.String(message))
    // Prefix and then hash to mimic behavior of eth_sign
    prefixed := solsha3.SoliditySHA3(solsha3.String("\x19Ethereum Signed Message:\n32" + hex.EncodeToString(hash)))
    sig, err := secp256k1.Sign(prefixed, math.PaddedBigBytes(key.D, 32))
    if err != nil {
        panic(err)
    }

    fmt.Println("private key:", hex.EncodeToString(math.PaddedBigBytes(key.D, 32)))
    fmt.Println("address:", hex.EncodeToString(crypto.PubkeyToAddress(key.PublicKey).Bytes()))
    fmt.Println("message:", hex.EncodeToString(prefixed))
    fmt.Println("signature:", hex.EncodeToString(sig))
}

Solidity (values come from the Go program's output):

pragma solidity ^0.4.24;

contract Test {
    function recover(bytes32 hash, bytes sig)
        internal
        pure
        returns (address)
    {
        bytes32 r;
        bytes32 s;
        uint8 v;

        // Check the signature length
        if (sig.length != 65) {
            return (address(0));
        }

        // Divide the signature in r, s and v variables
        // ecrecover takes the signature parameters, and the only way to get them
        // currently is to use assembly.
        // solium-disable-next-line security/no-inline-assembly
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }

        // Version of signature should be 27 or 28, but 0 and 1 are also possible versions
        if (v < 27) {
            v += 27;
        }

        // If the version is correct return the signer address
        if (v != 27 && v != 28) {
            return (address(0));
        } else {
            // solium-disable-next-line arg-overflow
            return ecrecover(hash, v, r, s);
        }
    }

    function verifySignature() public pure returns (bool) {
        bytes32 message = 0x2b350a58f723b94ef3992ad0d3046f2398aef2fe117dc3a36737fb29df4a706a;
        bytes memory sig = hex"e6ca6508de09cbb639216743721076bc8beb7bb45e796e0e3422872f9f0fcd362e693be7ca40e2123dd1efaf71ebb94d38052458281ad3b69ec8977c8294928400";
        address addr = 0x8e6a1f13a9c6b9443fea4393291308ac4c965b69;

        return recover(message, sig) == addr;
    }
}

Web3 Recover Address – common issues and fix

The issue I was having was that I was using the public key to sign my message. I should have been using a private key.

Since you can't get a private key from a public key, I searched online for a private key/public key pair and hardcoded the value for my test.

Best Answer

Related Solutions

Signature – Verification of Externally-Created ECDSA Signatures in Solidity

Web3 Recover Address – common issues and fix

Related Topic