From 54f3bedf38a2fe4c1a03e979e5f0503e0f8db367 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sat, 2 Sep 2023 17:31:39 -0500 Subject: [PATCH 1/5] verifySignature: return `false` if the id is invalid --- event.test.ts | 23 ++++++++++++++++++++++- event.ts | 8 +++++++- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/event.test.ts b/event.test.ts index 625447a..ca19e8c 100644 --- a/event.test.ts +++ b/event.test.ts @@ -278,6 +278,27 @@ describe('Event', () => { expect(isValid).toEqual(false) }) + + it('should return false for an invalid event id', () => { + const privateKey = 'd217c1ff2f8a65c3e3a1740db3b9f58b8c848bb45e26d00ed4714e4a0f4ceecf' + + const event = finishEvent( + { + kind: 1, + tags: [], + content: 'Hello, world!', + created_at: 1617932115, + }, + privateKey, + ) + + // tamper with the id + event.id = event.id.replace(/0/g, '1') + + const isValid = verifySignature(event) + + expect(isValid).toEqual(false) + }) }) describe('getSignature', () => { @@ -296,9 +317,9 @@ describe('Event', () => { const sig = getSignature(unsignedEvent, privateKey) // verify the signature - // @ts-expect-error const isValid = verifySignature({ ...unsignedEvent, + id: getEventHash(unsignedEvent), sig, }) diff --git a/event.ts b/event.ts index e0440fb..75dc650 100644 --- a/event.ts +++ b/event.ts @@ -115,8 +115,14 @@ export function validateEvent(event: T): event is T & UnsignedEvent { /** Verify the event's signature. This function mutates the event with a `verified` symbol, making it idempotent. */ export function verifySignature(event: Event): event is VerifiedEvent { if (typeof event[verifiedSymbol] === 'boolean') return event[verifiedSymbol] + + const hash = getEventHash(event) + if (hash !== event.id) { + return false + } + try { - event[verifiedSymbol] = schnorr.verify(event.sig, getEventHash(event), event.pubkey) + event[verifiedSymbol] = schnorr.verify(event.sig, hash, event.pubkey) return event[verifiedSymbol] } catch (err) { return false From 62bf592d72daaf6f12f7284923ccd3e8e5936741 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sat, 2 Sep 2023 17:36:53 -0500 Subject: [PATCH 2/5] finishEvent: return a VerifiedEvent --- event.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/event.ts b/event.ts index 75dc650..3fe6c62 100644 --- a/event.ts +++ b/event.ts @@ -71,11 +71,12 @@ export function getBlankEvent(kind: K | Kind.Blank = Kind.Blank) { } } -export function finishEvent(t: EventTemplate, privateKey: string): Event { - let event = t as Event +export function finishEvent(t: EventTemplate, privateKey: string): VerifiedEvent { + const event = t as VerifiedEvent event.pubkey = getPublicKey(privateKey) event.id = getEventHash(event) event.sig = getSignature(event, privateKey) + event[verifiedSymbol] = true return event } From 8325d4351ef76ec7892ccb442da99e646723659c Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sat, 2 Sep 2023 17:40:00 -0500 Subject: [PATCH 3/5] just format --- pool.ts | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pool.ts b/pool.ts index bda36bb..7635812 100644 --- a/pool.ts +++ b/pool.ts @@ -79,10 +79,13 @@ export class SimplePool { let eosesMissing = relays.length let eoseSent = false - let eoseTimeout = setTimeout(() => { - eoseSent = true - for (let cb of eoseListeners.values()) cb() - }, opts?.eoseSubTimeout || this.eoseSubTimeout) + let eoseTimeout = setTimeout( + () => { + eoseSent = true + for (let cb of eoseListeners.values()) cb() + }, + opts?.eoseSubTimeout || this.eoseSubTimeout, + ) relays .filter((r, i, a) => a.indexOf(r) === i) From d88761907a5bc82bea4d381b6b63d8ab3fba8e3d Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sat, 2 Sep 2023 18:08:09 -0500 Subject: [PATCH 4/5] verifySignature: set verifiedSymbol to false on failure, DRY return values --- event.test.ts | 7 ++++--- event.ts | 7 +++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/event.test.ts b/event.test.ts index ca19e8c..8e937e0 100644 --- a/event.test.ts +++ b/event.test.ts @@ -7,6 +7,7 @@ import { verifySignature, getSignature, Kind, + verifiedSymbol, } from './event.ts' import { getPublicKey } from './keys.ts' @@ -236,7 +237,7 @@ describe('Event', () => { it('should return false for an invalid event signature', () => { const privateKey = 'd217c1ff2f8a65c3e3a1740db3b9f58b8c848bb45e26d00ed4714e4a0f4ceecf' - const event = finishEvent( + const { [verifiedSymbol]: _, ...event } = finishEvent( { kind: Kind.Text, tags: [], @@ -260,7 +261,7 @@ describe('Event', () => { const privateKey2 = '5b4a34f4e4b23c63ad55a35e3f84a3b53d96dbf266edf521a8358f71d19cbf67' const publicKey2 = getPublicKey(privateKey2) - const event = finishEvent( + const { [verifiedSymbol]: _, ...event } = finishEvent( { kind: Kind.Text, tags: [], @@ -282,7 +283,7 @@ describe('Event', () => { it('should return false for an invalid event id', () => { const privateKey = 'd217c1ff2f8a65c3e3a1740db3b9f58b8c848bb45e26d00ed4714e4a0f4ceecf' - const event = finishEvent( + const { [verifiedSymbol]: _, ...event } = finishEvent( { kind: 1, tags: [], diff --git a/event.ts b/event.ts index 3fe6c62..6ddaf11 100644 --- a/event.ts +++ b/event.ts @@ -119,14 +119,13 @@ export function verifySignature(event: Event): event is Ver const hash = getEventHash(event) if (hash !== event.id) { - return false + return (event[verifiedSymbol] = false) } try { - event[verifiedSymbol] = schnorr.verify(event.sig, hash, event.pubkey) - return event[verifiedSymbol] + return (event[verifiedSymbol] = schnorr.verify(event.sig, hash, event.pubkey)) } catch (err) { - return false + return (event[verifiedSymbol] = false) } } From 41265a19f5da6e1afcba8a2afbc13677261b285e Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 3 Sep 2023 12:12:42 -0500 Subject: [PATCH 5/5] event.test: tamper with things in a more evil way --- event.test.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/event.test.ts b/event.test.ts index 8e937e0..ff91ac6 100644 --- a/event.test.ts +++ b/event.test.ts @@ -248,7 +248,7 @@ describe('Event', () => { ) // tamper with the signature - event.sig = event.sig.replace(/0/g, '1') + event.sig = event.sig.replace(/^.{3}/g, '666') const isValid = verifySignature(event) @@ -294,7 +294,7 @@ describe('Event', () => { ) // tamper with the id - event.id = event.id.replace(/0/g, '1') + event.id = event.id.replace(/^.{3}/g, '666') const isValid = verifySignature(event)