nectargraphenebase.ecdsasig module

nectargraphenebase.ecdsasig.compressedPubkey(pk: VerifyingKey | Any) → bytes

Return the 33-byte compressed secp256k1 public key for the given public-key object.

Accepts either an ecdsa.keys.VerifyingKey or an object exposing public_numbers().x and .y (such as a cryptography EllipticCurvePublicKey). The output is 1 byte (0x02 if y is even, 0x03 if y is odd) followed by the 32-byte big-endian X coordinate.

Parameters:: pk: Public-key object (ecdsa.VerifyingKey or object with public_numbers().x and .y).
Returns:: bytes: 33-byte compressed public key (prefix + 32-byte X).

nectargraphenebase.ecdsasig.recoverPubkeyParameter(message: bytes | str | None, digest: bytes, signature: bytes, pubkey: PublicKey | EllipticCurvePublicKey) → int | None

Determine the ECDSA recovery parameter (0–3) that, when used with the given digest and 64-byte signature (R||S), reproduces the provided public key.

Attempts each recovery index i in 0..3, recovers a candidate public key, and compares its compressed form to the compressed form of the supplied pubkey. If a match is found returns the matching index; otherwise returns None.

Parameters that need clarification: - message: the original message (will be encoded as UTF-8 if not bytes) and is used when recovering a cryptography public key variant. - digest: the message hash used for recovery. - signature: 64-byte R||S signature (bytes-like). - pubkey: the expected public key to match; may be a cryptography/ec or ecdsa-like public key object.

Returns:: int: matching recovery parameter in 0..3, or None if no match is found.

nectargraphenebase.ecdsasig.recover_public_key(digest: bytes, signature: bytes, i: int, message: bytes | None = None) → VerifyingKey | EllipticCurvePublicKey | None

Recover the secp256k1 public key from an ECDSA signature and message hash.

If message is provided the function will construct a cryptography EllipticCurvePublicKey from the recovered point and verify the signature against the message; on success it returns that cryptography public key. If message is None the function returns an ecdsa.VerifyingKey built from the recovered point after verifying the signature against the provided digest. If verification fails, returns None (when message is None) or raises a verification exception (when message is provided).

Parameters:

digest (bytes): The message hash (big-endian) used when signing. signature (bytes): 64-byte signature consisting of r||s (raw concatenation). i (int): Recovery identifier (0..3) selecting which of the possible curve points to use. message (bytes or str, optional): Original message to verify against; if a str it is

encoded as UTF-8. When provided the function returns a cryptography public key and performs verification using ECDSA-SHA256.

Returns:

cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey: when message is provided and verification succeeds;
ecdsa.keys.VerifyingKey: when message is None and digest-based verification succeeds;
None: when message is None and verification fails.

Raises:

cryptography.exceptions.InvalidSignature: If message is provided and signature verification fails.

nectargraphenebase.ecdsasig.sign_message(message: str | bytes, wif: str, hashfn: Callable = <built-in function openssl_sha256>) → bytes

Sign a message using a private key in Wallet Import Format (WIF) and return a compact, canonical ECDSA signature.

Signs the provided message with secp256k1 ECDSA-SHA256 using the private key derived from the given WIF. The function repeats signing as needed until it produces a canonical 64-byte R||S signature (both R and S encoded as 32 bytes). It also computes the recovery parameter for the signature and encodes it into the first byte of the returned blob.

Parameters:: message (bytes or str): Message to sign. If a str is provided it is encoded as UTF-8 before hashing. wif (str): Private key in Wallet Import Format (WIF). hashfn (callable, optional): Hash function to apply to the message prior to recovery-parameter computation; defaults to hashlib.sha256.
Returns:: bytes: 65-byte compact signature: 1-byte recovery/version prefix (recovery parameter adjusted for compact/compressed form) followed by the 64-byte R||S sequence.

nectargraphenebase.ecdsasig.verify_message(message: str | bytes, signature: str | bytes, hashfn: Callable = <built-in function openssl_sha256>, recover_parameter: int | None = None) → bytes | None

Verify an ECDSA secp256k1 signature against a message and return the signer’s compressed public key.

Parameters:

message (bytes or str): The message to verify. If a str, it will be UTF-8 encoded. signature (bytes or str): 65-byte compact signature where the first byte encodes the recovery parameter/version and the remaining 64 bytes are R||S. If a str, it will be UTF-8 encoded. hashfn (callable): Hash function constructor used to compute the digest of the message (default: hashlib.sha256). Note: The actual verification uses SHA256 regardless of this parameter. recover_parameter (int, optional): Explicit recovery parameter (0–3). If omitted, it is extracted from the signature’s first byte.

Returns:

bytes: The 33-byte compressed public key of the recovered signer on successful verification.

Notes:

The function computes the digest of message with hashfn, recovers the public key using the recovery parameter, converts the 64-byte R||S into DER form, and verifies the signature with ECDSA-SHA256.
If the recovery parameter cannot be determined from the signature, None is returned.
Cryptographic verification errors (e.g., invalid signature) will propagate as raised exceptions.