Cryptography

Returns the address that signed a hashed message (hash) with signature or an error. This will not return address(0) without also returning an error description. Errors are documented using an enum (error type) and a bytes32 providing additional information about the error.

If no error is returned, then the address can be used for verification purposes.

The ecrecover EVM precompile allows for malleable (non-unique) signatures: this function rejects them by requiring the s value to be in the lower half order, and the v value to be either 27 or 28.

NOTE: This function only supports 65-byte signatures. ERC-2098 short signatures are rejected. This restriction is DEPRECATED and will be removed in v6.0. Developers SHOULD NOT use signatures as unique identifiers; use hash invalidation or nonces for replay protection.

verification to be secure: it is possible to craft signatures that recover to arbitrary addresses for non-hashed data. A safe way to ensure this is by receiving a hash of the original message (which may otherwise be too long), and then calling MessageHashUtils.toEthSignedMessageHash on it.

Documentation for signature generation:

• with Web3.js
• with ethers

Variant of ECDSA.tryRecover that takes a signature in calldata

Returns the address that signed a hashed message (hash) with signature. This address can then be used for verification purposes.

The ecrecover EVM precompile allows for malleable (non-unique) signatures: this function rejects them by requiring the s value to be in the lower half order, and the v value to be either 27 or 28.

NOTE: This function only supports 65-byte signatures. ERC-2098 short signatures are rejected. This restriction is DEPRECATED and will be removed in v6.0. Developers SHOULD NOT use signatures as unique identifiers; use hash invalidation or nonces for replay protection.

verification to be secure: it is possible to craft signatures that recover to arbitrary addresses for non-hashed data. A safe way to ensure this is by receiving a hash of the original message (which may otherwise be too long), and then calling MessageHashUtils.toEthSignedMessageHash on it.

Variant of ECDSA.recover that takes a signature in calldata

Overload of ECDSA.tryRecover that receives the r and vs short-signature fields separately.

See ERC-2098 short signatures

Overload of ECDSA.recover that receives the r and vs` short-signature fields separately.

Overload of ECDSA.tryRecover that receives the v, r and s signature fields separately.

Overload of ECDSA.recover that receives the v, r and s signature fields separately.

Parse a signature into its v, r and s components. Supports 65-byte and 64-byte (ERC-2098) formats. Returns (0,0,0) for invalid signatures. Consider skipping ECDSA.tryRecover or ECDSA.recover if so.

Variant of CAIP10.parse that takes a signature in calldata

The signature derives the address(0).

The signature has an invalid length.

The signature has an S value that is in the upper half order.

Initializes the domain separator and parameter caches.

The meaning of name and version is specified in EIP-712:

• name: the user readable name of the signing domain, i.e. the name of the DApp or the protocol.
• version: the current major version of the signing domain.

NOTE: These parameters cannot be changed except through a xref:learn::upgrading-smart-contracts[smart contract upgrade].

Returns the domain separator for the current chain.

Given an already hashed struct, this function returns the hash of the fully encoded EIP712 message for this domain.

This hash can be used together with ECDSA.recover to obtain the signer of a message. For example:

bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
    keccak256("Mail(address to,string contents)"),
    mailTo,
    keccak256(bytes(mailContents))
)));
address signer = ECDSA.recover(digest, signature);

returns the fields and values that describe the domain separator used by this contract for EIP-712 signature.

The name parameter for the EIP712 domain.

NOTE: By default this function reads _name which is an immutable value. It only reads from storage if necessary (in case the value is too large to fit in a ShortString).

The version parameter for the EIP712 domain.

NOTE: By default this function reads _version which is an immutable value. It only reads from storage if necessary (in case the value is too large to fit in a ShortString).

Commutative Keccak256 hash of a sorted pair of bytes32. Frequently used when working with merkle proofs.

NOTE: Equivalent to the standardNodeHash in our JavaScript library.

Implementation of keccak256(abi.encode(a, b)) that doesn't allocate or expand memory.

Returns true if a leaf can be proved to be a part of a Merkle tree defined by root. For this, a proof must be provided, containing sibling hashes on the branch from the leaf to the root of the tree. Each pair of leaves and each pair of pre-images are assumed to be sorted.

This version handles proofs in memory with the default hashing function.

Returns the rebuilt hash obtained by traversing a Merkle tree up from leaf using proof. A proof is valid if and only if the rebuilt hash matches the root of the tree. When processing the proof, the pairs of leaves & pre-images are assumed to be sorted.

This version handles proofs in memory with the default hashing function.

Returns true if a leaf can be proved to be a part of a Merkle tree defined by root. For this, a proof must be provided, containing sibling hashes on the branch from the leaf to the root of the tree. Each pair of leaves and each pair of pre-images are assumed to be sorted.

This version handles proofs in memory with a custom hashing function.

Returns the rebuilt hash obtained by traversing a Merkle tree up from leaf using proof. A proof is valid if and only if the rebuilt hash matches the root of the tree. When processing the proof, the pairs of leaves & pre-images are assumed to be sorted.

This version handles proofs in memory with a custom hashing function.

Returns true if a leaf can be proved to be a part of a Merkle tree defined by root. For this, a proof must be provided, containing sibling hashes on the branch from the leaf to the root of the tree. Each pair of leaves and each pair of pre-images are assumed to be sorted.

This version handles proofs in calldata with the default hashing function.

Returns the rebuilt hash obtained by traversing a Merkle tree up from leaf using proof. A proof is valid if and only if the rebuilt hash matches the root of the tree. When processing the proof, the pairs of leaves & pre-images are assumed to be sorted.

This version handles proofs in calldata with the default hashing function.

Returns true if a leaf can be proved to be a part of a Merkle tree defined by root. For this, a proof must be provided, containing sibling hashes on the branch from the leaf to the root of the tree. Each pair of leaves and each pair of pre-images are assumed to be sorted.

This version handles proofs in calldata with a custom hashing function.

Returns the rebuilt hash obtained by traversing a Merkle tree up from leaf using proof. A proof is valid if and only if the rebuilt hash matches the root of the tree. When processing the proof, the pairs of leaves & pre-images are assumed to be sorted.

This version handles proofs in calldata with a custom hashing function.

Returns true if the leaves can be simultaneously proven to be a part of a Merkle tree defined by root, according to proof and proofFlags as described in MerkleProof.processMultiProof.

This version handles multiproofs in memory with the default hashing function.

CAUTION: Not all Merkle trees admit multiproofs. See MerkleProof.processMultiProof for details.

NOTE: Consider the case where root == proof[0] && leaves.length == 0 as it will return true. The leaves must be validated independently. See MerkleProof.processMultiProof.

Returns the root of a tree reconstructed from leaves and sibling nodes in proof. The reconstruction proceeds by incrementally reconstructing all inner nodes by combining a leaf/inner node with either another leaf/inner node or a proof sibling node, depending on whether each proofFlags item is true or false respectively.

This version handles multiproofs in memory with the default hashing function.

CAUTION: Not all Merkle trees admit multiproofs. To use multiproofs, it is sufficient to ensure that: 1) the tree is complete (but not necessarily perfect), 2) the leaves to be proven are in the opposite order they are in the tree (i.e., as seen from right to left starting at the deepest layer and continuing at the next layer).

NOTE: The empty set (i.e. the case where proof.length == 1 && leaves.length == 0) is considered a no-op, and therefore a valid multiproof (i.e. it returns proof[0]). Consider disallowing this case if you're not validating the leaves elsewhere.

Returns true if the leaves can be simultaneously proven to be a part of a Merkle tree defined by root, according to proof and proofFlags as described in MerkleProof.processMultiProof.

This version handles multiproofs in memory with a custom hashing function.

CAUTION: Not all Merkle trees admit multiproofs. See MerkleProof.processMultiProof for details.

NOTE: Consider the case where root == proof[0] && leaves.length == 0 as it will return true. The leaves must be validated independently. See MerkleProof.processMultiProof.

Returns the root of a tree reconstructed from leaves and sibling nodes in proof. The reconstruction proceeds by incrementally reconstructing all inner nodes by combining a leaf/inner node with either another leaf/inner node or a proof sibling node, depending on whether each proofFlags item is true or false respectively.

This version handles multiproofs in memory with a custom hashing function.

CAUTION: Not all Merkle trees admit multiproofs. To use multiproofs, it is sufficient to ensure that: 1) the tree is complete (but not necessarily perfect), 2) the leaves to be proven are in the opposite order they are in the tree (i.e., as seen from right to left starting at the deepest layer and continuing at the next layer).

NOTE: The empty set (i.e. the case where proof.length == 1 && leaves.length == 0) is considered a no-op, and therefore a valid multiproof (i.e. it returns proof[0]). Consider disallowing this case if you're not validating the leaves elsewhere.

Returns true if the leaves can be simultaneously proven to be a part of a Merkle tree defined by root, according to proof and proofFlags as described in MerkleProof.processMultiProof.

This version handles multiproofs in calldata with the default hashing function.

CAUTION: Not all Merkle trees admit multiproofs. See MerkleProof.processMultiProof for details.

NOTE: Consider the case where root == proof[0] && leaves.length == 0 as it will return true. The leaves must be validated independently. See MerkleProof.processMultiProofCalldata.

Returns the root of a tree reconstructed from leaves and sibling nodes in proof. The reconstruction proceeds by incrementally reconstructing all inner nodes by combining a leaf/inner node with either another leaf/inner node or a proof sibling node, depending on whether each proofFlags item is true or false respectively.

This version handles multiproofs in calldata with the default hashing function.

CAUTION: Not all Merkle trees admit multiproofs. To use multiproofs, it is sufficient to ensure that: 1) the tree is complete (but not necessarily perfect), 2) the leaves to be proven are in the opposite order they are in the tree (i.e., as seen from right to left starting at the deepest layer and continuing at the next layer).

NOTE: The empty set (i.e. the case where proof.length == 1 && leaves.length == 0) is considered a no-op, and therefore a valid multiproof (i.e. it returns proof[0]). Consider disallowing this case if you're not validating the leaves elsewhere.

Returns true if the leaves can be simultaneously proven to be a part of a Merkle tree defined by root, according to proof and proofFlags as described in MerkleProof.processMultiProof.

This version handles multiproofs in calldata with a custom hashing function.

CAUTION: Not all Merkle trees admit multiproofs. See MerkleProof.processMultiProof for details.

NOTE: Consider the case where root == proof[0] && leaves.length == 0 as it will return true. The leaves must be validated independently. See MerkleProof.processMultiProofCalldata.

Returns the root of a tree reconstructed from leaves and sibling nodes in proof. The reconstruction proceeds by incrementally reconstructing all inner nodes by combining a leaf/inner node with either another leaf/inner node or a proof sibling node, depending on whether each proofFlags item is true or false respectively.

This version handles multiproofs in calldata with a custom hashing function.

CAUTION: Not all Merkle trees admit multiproofs. To use multiproofs, it is sufficient to ensure that: 1) the tree is complete (but not necessarily perfect), 2) the leaves to be proven are in the opposite order they are in the tree (i.e., as seen from right to left starting at the deepest layer and continuing at the next layer).

NOTE: The empty set (i.e. the case where proof.length == 1 && leaves.length == 0) is considered a no-op, and therefore a valid multiproof (i.e. it returns proof[0]). Consider disallowing this case if you're not validating the leaves elsewhere.

The multiproof provided is not valid.

Returns the keccak256 digest of an ERC-191 signed data with version 0x45 (personal_sign messages).

The digest is calculated by prefixing a bytes32 messageHash with "\x19Ethereum Signed Message:\n32" and hashing the result. It corresponds with the hash signed when using the eth_sign JSON-RPC method.

NOTE: The messageHash parameter is intended to be the result of hashing a raw message with keccak256, although any bytes32 value can be safely used because the final digest will be re-hashed.

See ECDSA.recover.

Returns the keccak256 digest of an ERC-191 signed data with version 0x45 (personal_sign messages).

The digest is calculated by prefixing an arbitrary message with "\x19Ethereum Signed Message:\n" + len(message) and hashing the result. It corresponds with the hash signed when using the eth_sign JSON-RPC method.

See ECDSA.recover.

Returns the keccak256 digest of an ERC-191 signed data with version 0x00 (data with intended validator).

The digest is calculated by prefixing an arbitrary data with "\x19\x00" and the intended validator address. Then hashing the result.

See ECDSA.recover.

Variant of #MessageHashUtils-toDataWithIntendedValidatorHash-address-bytes- optimized for cases where data is a bytes32.

Returns the keccak256 digest of an EIP-712 typed data (ERC-191 version 0x01).

The digest is calculated from a domainSeparator and a structHash, by prefixing them with \x19\x01 and hashing the result. It corresponds to the hash signed by the eth_signTypedData JSON-RPC method as part of EIP-712.

See ECDSA.recover.

Verifies a secp256r1 signature using the RIP-7212 precompile and falls back to the Solidity implementation if the precompile is not available. This version should work on all chains, but requires the deployment of more bytecode.

Same as IERC7913SignatureVerifier.verify, but it will revert if the required precompile is not available.

Make sure any logic (code or precompile) deployed at that address is the expected one, otherwise the returned value may be misinterpreted as a positive boolean.

Same as IERC7913SignatureVerifier.verify, but only the Solidity implementation is used.

Public key recovery

Checks if (x, y) are valid coordinates of a point on the curve. In particular this function checks that x < P and y < P.

Same as RSA.pkcs1Sha256 but using SHA256 to calculate the digest of data.

Verifies a PKCSv1.5 signature given a digest according to the verification method described in section 8.2.2 of RFC8017 with support for explicit or implicit NULL parameters in the DigestInfo (no other optional parameters are supported).

2048 bits. If you use a smaller key, consider replacing it with a larger, more secure, one.

digest, public key and (valid signature), it will return true every time. Consider including an onchain nonce or unique identifier in the message to prevent replay attacks.

That is the default value many libraries use, such as OpenSSL. Developers may choose to reject public keys using a low exponent out of security concerns.

Checks if a signature is valid for a given signer and data hash. If the signer has code, the signature is validated against it using ERC-1271, otherwise it's validated using ECDSA.recover.

NOTE: Unlike ECDSA signatures, contract signatures are revocable, and the outcome of this function can thus change through time. It could return true at block N and false at block N+1 (or the opposite).

NOTE: For an extended version of this function that supports ERC-7913 signatures, see #SignatureChecker-isValidSignatureNow-bytes-bytes32-bytes-.

Variant of SignatureChecker.isValidSignatureNow that takes a signature in calldata

Checks if a signature is valid for a given signer and data hash. The signature is validated against the signer smart contract using ERC-1271.

NOTE: Unlike ECDSA signatures, contract signatures are revocable, and the outcome of this function can thus change through time. It could return true at block N and false at block N+1 (or the opposite).

Verifies a signature for a given ERC-7913 signer and hash.

The signer is a bytes object that is the concatenation of an address and optionally a key: verifier || key. A signer must be at least 20 bytes long.

Verification is done as follows:

• If signer.length < 20: verification fails
• If signer.length == 20: verification is done using SignatureChecker.isValidSignatureNow
• Otherwise: verification is done using IERC7913SignatureVerifier

NOTE: Unlike ECDSA signatures, contract signatures are revocable, and the outcome of this function can thus change through time. It could return true at block N and false at block N+1 (or the opposite).

Verifies multiple ERC-7913 signatures for a given hash using a set of signers. Returns false if the number of signers and signatures is not the same.

The signers should be ordered by their keccak256 hash to ensure efficient duplication check. Unordered signers are supported, but the uniqueness check will be more expensive.

NOTE: Unlike ECDSA signatures, contract signatures are revocable, and the outcome of this function can thus change through time. It could return true at block N and false at block N+1 (or the opposite).

Performs standard verification of a WebAuthn Authentication Assertion.

Performs verification of a WebAuthn Authentication Assertion. This variants allow the caller to select whether of not to require the UV flag (step 17).

Verifies:

1. Type is "webauthn.get" (see WebAuthn._validateExpectedTypeHash)
2. Challenge matches the expected value (see WebAuthn._validateChallenge)
3. Cryptographic signature is valid for the given public key
4. confirming physical user presence during authentication
5. (if requireUV is true) confirming stronger user authentication (biometrics/PIN)
6. Backup Eligibility (BE) and Backup State (BS) bits relationship is valid

Verifies that calldata bytes (input) represents a valid WebAuthnAuth object. If encoding is valid, returns true and the calldata view at the object. Otherwise, returns false and an invalid calldata object.

NOTE: The returned auth object should not be accessed if success is false. Trying to access the data may cause revert/panic.

Nest a signature for a given EIP-712 type into a nested signature for the domain of the app.

Counterpart of ERC7739Utils.decodeTypedDataSig to extract the original signature and the nested components.

Parses a nested signature into its components.

Constructed as follows:

signature ‖ APP_DOMAIN_SEPARATOR ‖ contentsHash ‖ contentsDescr ‖ uint16(contentsDescr.length)

• signature is the signature for the (ERC-7739) nested struct hash. This signature indirectly signs over the original "contents" hash (from the app) and the account's domain separator.
• APP_DOMAIN_SEPARATOR is the EIP-712 EIP712._domainSeparatorV4 of the application smart contract that is requesting the signature verification (though ERC-1271).
• contentsHash is the hash of the underlying data structure or message.
• contentsDescr is a descriptor of the "contents" part of the the EIP-712 type of the nested signature.

NOTE: This function returns empty if the input format is invalid instead of reverting. data instead.

Nests an ERC-191 digest into a PersonalSign EIP-712 struct, and returns the corresponding struct hash. This struct hash must be combined with a domain separator, using MessageHashUtils.toTypedDataHash before being verified/recovered.

This is used to simulates the personal_sign RPC method in the context of smart contracts.

Nests an EIP-712 hash (contents) into a TypedDataSign EIP-712 struct, and returns the corresponding struct hash. This struct hash must be combined with a domain separator, using MessageHashUtils.toTypedDataHash before being verified/recovered.

Variant of #ERC7739Utils-typedDataSignStructHash-string-string-bytes32-bytes- that takes a content descriptor and decodes the contentsName and contentsType out of it.

Compute the EIP-712 typehash of the TypedDataSign structure for a given type (and typename).

Parse the type name out of the ERC-7739 contents type description. Supports both the implicit and explicit modes.

Following ERC-7739 specifications, a contentsName is considered invalid if it's empty or it contains any of the following bytes , )\x00

If the contentsType is invalid, this returns an empty string. Otherwise, the return string has non-zero length.

Signature validation algorithm.

cryptographic verification. It is important to review and test thoroughly before deployment. Consider using one of the signature verification libraries (xref:api:utils/cryptography#ECDSA[ECDSA], xref:api:utils/cryptography#P256[P256] or xref:api:utils/cryptography#RSA[RSA]).

Returns a slice of the set of authorized signers.

Using start = 0 and end = type(uint64).max will return the entire set of signers.

can be expensive. This is designed for view accessors queried without gas fees. Using it in state-changing functions may become uncallable if the slice grows too large.

Returns the number of authorized signers

Returns whether the signer is an authorized signer.

Returns the minimum number of signers required to approve a multisignature operation.

Adds the newSigners to those allowed to sign on behalf of this contract. Internal version without access control.

Requirements:

• Each of newSigners must be at least 20 bytes long. Reverts with MultiSignerERC7913.MultiSignerERC7913InvalidSigner if not.
• Each of newSigners must not be authorized. See MultiSignerERC7913.isSigner. Reverts with MultiSignerERC7913.MultiSignerERC7913AlreadyExists if so.

Removes the oldSigners from the authorized signers. Internal version without access control.

Requirements:

• Each of oldSigners must be authorized. See MultiSignerERC7913.isSigner. Otherwise MultiSignerERC7913.MultiSignerERC7913NonexistentSigner is thrown.
• See MultiSignerERC7913._validateReachableThreshold for the threshold validation.

Sets the signatures threshold required to approve a multisignature operation. Internal version without access control.

Requirements:

• See MultiSignerERC7913._validateReachableThreshold for the threshold validation.

Validates the current threshold is reachable.

Requirements:

• The MultiSignerERC7913.getSignerCount must be greater or equal than to the MultiSignerERC7913.threshold. Throws MultiSignerERC7913.MultiSignerERC7913UnreachableThreshold if not.

Decodes, validates the signature and checks the signers are authorized. See MultiSignerERC7913._validateSignatures and MultiSignerERC7913._validateThreshold for more details.

Example of signature encoding:

// Encode signers (verifier || key)
bytes memory signer1 = abi.encodePacked(verifier1, key1);
bytes memory signer2 = abi.encodePacked(verifier2, key2);

// Order signers by their id
if (keccak256(signer1) > keccak256(signer2)) {
    (signer1, signer2) = (signer2, signer1);
    (signature1, signature2) = (signature2, signature1);
}

// Assign ordered signers and signatures
bytes[] memory signers = new bytes[](2);
bytes[] memory signatures = new bytes[](2);
signers[0] = signer1;
signatures[0] = signature1;
signers[1] = signer2;
signatures[1] = signature2;

// Encode the multi signature
bytes memory signature = abi.encode(signers, signatures);

Requirements:

• The signature must be encoded as abi.encode(signers, signatures).

Validates the signatures using the signers and their corresponding signatures. Returns whether the signers are authorized and the signatures are valid for the given hash.

See SignatureChecker.areValidSignaturesNow for more details.

Requirements:

• The signatures and signers arrays must be equal in length. Returns false otherwise.

Validates that the number of signers meets the MultiSignerERC7913.threshold requirement. Assumes the signers were already validated. See MultiSignerERC7913._validateSignatures for more details.

Emitted when a signer is added.

Emitted when a signers is removed.

Emitted when the threshold is updated.

The signer already exists.

The signer does not exist.

The signer is less than 20 bytes long.

The threshold is zero.

The threshold is unreachable given the number of signers.

Gets the weight of a signer. Returns 0 if the signer is not authorized.

Gets the total weight of all signers.

Sets weights for multiple signers at once. Internal version without access control.

Requirements:

• signers and weights arrays must have the same length. Reverts with MultiSignerERC7913Weighted.MultiSignerERC7913WeightedMismatchedLength on mismatch.
• Each signer must exist in the set of authorized signers. Otherwise reverts with MultiSignerERC7913.MultiSignerERC7913NonexistentSigner
• Each weight must be greater than 0. Otherwise reverts with MultiSignerERC7913Weighted.MultiSignerERC7913WeightedInvalidWeight
• See MultiSignerERC7913._validateReachableThreshold for the threshold validation.

Emits MultiSignerERC7913Weighted.ERC7913SignerWeightChanged for each signer.

See MultiSignerERC7913._addSigners.

In cases where MultiSignerERC7913Weighted.totalWeight is almost type(uint64).max (due to a large _totalExtraWeight), adding new signers could cause the MultiSignerERC7913Weighted.totalWeight computation to overflow. Adding a MultiSignerERC7913Weighted.totalWeight calls after the new signers are added ensures no such overflow happens.

See MultiSignerERC7913._removeSigners.

Just like MultiSignerERC7913._addSigners, this function does not emit MultiSignerERC7913Weighted.ERC7913SignerWeightChanged events. The MultiSignerERC7913.ERC7913SignerRemoved event emitted by MultiSignerERC7913._removeSigners is enough to track weights here.

Sets the threshold for the multisignature operation. Internal version without access control.

Requirements:

• The MultiSignerERC7913Weighted.totalWeight must be >= the MultiSignerERC7913.threshold. Otherwise reverts with MultiSignerERC7913.MultiSignerERC7913UnreachableThreshold

NOTE: This function intentionally does not call super._validateReachableThreshold because the base implementation assumes each signer has a weight of 1, which is a subset of this weighted implementation. Consider that multiple implementations of this function may exist in the contract, so important side effects may be missed depending on the linearization order.

Validates that the total weight of signers meets the threshold requirement.

NOTE: This function intentionally does not call super._validateThreshold because the base implementation assumes each signer has a weight of 1, which is a subset of this weighted implementation. Consider that multiple implementations of this function may exist in the contract, so important side effects may be missed depending on the linearization order.

Emitted when a signer's weight is changed.

NOTE: Not emitted in MultiSignerERC7913._addSigners or MultiSignerERC7913._removeSigners. Indexers must rely on MultiSignerERC7913.ERC7913SignerAdded and MultiSignerERC7913.ERC7913SignerRemoved to index a default weight of 1. See MultiSignerERC7913Weighted.signerWeight.

Thrown when a signer's weight is invalid.

Thrown when the arrays lengths don't match. See MultiSignerERC7913Weighted._setSignerWeights.

Sets the signer with the address of the native signer. This function should be called during construction or through an initializer.

Return the signer's address.

Signature validation algorithm.

cryptographic verification. It is important to review and test thoroughly before deployment. Consider using one of the signature verification libraries (xref:api:utils/cryptography#ECDSA[ECDSA], xref:api:utils/cryptography#P256[P256] or xref:api:utils/cryptography#RSA[RSA]).

Validates the signature using the EOA's address (i.e. address(this)).

Return the ERC-7913 signer (i.e. verifier || key).

Sets the signer (i.e. verifier || key) with an ERC-7913 formatted signer.

Verifies a signature using #SignatureChecker-isValidSignatureNow-bytes-bytes32-bytes- with SignerECDSA.signer, hash and signature.

Sets the signer with a P256 public key. This function should be called during construction or through an initializer.

Return the signer's P256 public key.

Signature validation algorithm.

cryptographic verification. It is important to review and test thoroughly before deployment. Consider using one of the signature verification libraries (xref:api:utils/cryptography#ECDSA[ECDSA], xref:api:utils/cryptography#P256[P256] or xref:api:utils/cryptography#RSA[RSA]).

Sets the signer with a RSA public key. This function should be called during construction or through an initializer.

Return the signer's RSA public key.

See AbstractSigner._rawSignatureValidation. Verifies a PKCSv1.5 signature by calling xref:api:utils/cryptography#RSA-pkcs1Sha256-bytes-bytes-bytes-bytes-[RSA.pkcs1Sha256].

provided hash is used as the M (message) and rehashed using SHA256 according to EMSA-PKCS1-v1_5 encoding as per section 9.2 (step 1) of the RFC.

Validates a raw signature using the WebAuthn authentication assertion.

In case the signature can't be validated, it falls back to the SignerP256._rawSignatureValidation method for raw P256 signature validation by passing the raw r and s values from the signature.

Attempts validating the signature in a nested EIP-712 type.

A nested EIP-712 type might be presented in 2 different ways:

• As a nested EIP-712 typed data
• As a personal signature (an EIP-712 mimic of the eth_personalSign for a smart contract)

Verifies signature as a valid signature of hash by key.

MUST return the bytes4 magic value IERC7913SignatureVerifier.verify.selector if the signature is valid. SHOULD return 0xffffffff or revert if the signature is not valid. SHOULD return 0xffffffff or revert if the key is empty

Verifies signature as a valid signature of hash by key.

MUST return the bytes4 magic value IERC7913SignatureVerifier.verify.selector if the signature is valid. SHOULD return 0xffffffff or revert if the signature is not valid. SHOULD return 0xffffffff or revert if the key is empty

Verifies signature as a valid signature of hash by key.

MUST return the bytes4 magic value IERC7913SignatureVerifier.verify.selector if the signature is valid. SHOULD return 0xffffffff or revert if the signature is not valid. SHOULD return 0xffffffff or revert if the key is empty