steem-js icon indicating copy to clipboard operation
steem-js copied to clipboard

Published 20 hours ago verified publisher icon steemit

BUG on `steem.auth.isWif()`

Open raphaelsoul opened this issue 7 years ago • 2 comments

isWif() has a bug due to native javascript runtime.

Expected behavior

const fakePrivKey = '5Kcj7dncqhFKHFUH8MMrk5BvAvjnLTZRYZchk2Lhx4HdqVqq9J6';
const validPrivKey = '5Kcj7dncqhFKHFUH8MMrk5BvAvjnLTZRYZchk2Lhx4HdqVqq9J5';

The validPrivKey is generate by a scripts calls steem-js API. and edit last code to '6' we got an invalid privkey which should not pass checksum validation.

steem.auth.isWif('5Kcj7dncqhFKHFUH8MMrk5BvAvjnLTZRYZchk2Lhx4HdqVqq9J6'); // true
steem.auth.wifIsValid('5Kcj7dncqhFKHFUH8MMrk5BvAvjnLTZRYZchk2Lhx4HdqVqq9J6'); // false

Exept both to false.

Actual behavior

isWif return true to an modified privkey with broken checksum.

Environment information

can be reproduced both in browser and node.js

https://github.com/steemit/steem-js/blob/master/src/auth/ecc/src/key_private.js#L65 the bug occurs in this line

// <Buffer e3 2a 54 ff>
// <Buffer e3 2a 54 fe>
const sum = new Buffer([0xe3, 0x2a, 0x54, 0xff]);
const sum2 = new Buffer([0xe3, 0x2a, 0x54, 0xfe]);
console.log(sum, sum2, sum.toString() === sum.toString()); // expect false, but return true!

raphaelsoul avatar Jun 29 '18 02:06 raphaelsoul

A workround example

const checkPrivKey = (privKey) => {
  return PrivateKey.fromWif(privKey).toString() === privKey;
}

raphaelsoul avatar Jun 29 '18 03:06 raphaelsoul

have simply fixed here. Could I send a PR? https://github.com/steemit/steem-js/commit/acff06b039d5883e4e2395d10014a67ba8130d77?diff=split

raphaelsoul avatar Jun 29 '18 03:06 raphaelsoul