Nodejs elliptic verification wrong

Question

I have created some data to encrypt to make sure that the data can't be modified. Using elliptic I created the data then sign it. Then I modify the data. When I verify the data integrity using the generated signature, it returns true.

Am I confused about the use of elliptic?

Here is the code:

const EC = require("elliptic").ec

const ec = new EC("secp256k1")

class Wallet {
    constructor(data, pubKey) {
        this.keyPair = ec.genKeyPair();

        if (typeof (pubKey) !== "undefined")
            this.publicKey = pubKey
        else
            this.publicKey = this.keyPair.getPublic().encode("hex")

        this.data = data

        this.creationDate = Date.now()
    }

    toString() {
        console.log("public key: " + this.publicKey)
    }

    sign() {
        let raw = this.publicKey + this.data + this.creationDate;
        console.log("signing data: " + raw)
        return this.keyPair.sign(raw)
    }

    static verify(wallet, signature) {
        let raw = wallet.publicKey + wallet.data + wallet.creationDate;
        console.log("verifying data: " + raw)
        return ec.keyFromPublic(wallet.publicKey, "hex").verify(raw, signature)
    }
}

module.exports = Wallet

The index file:

const Wallet = require("./Wallet")

let wallet = new Wallet("hello");
wallet.toString()

let signature = wallet.sign()

console.log("\n\nSignature: "+JSON.stringify(signature)+"\n\n")

wallet.data = "world"

console.log("wallet data: "+ wallet.data)

console.log("Verify: "+ (Wallet.verify(wallet, signature)))

console.log("\n\n---------------Another wallet hacking-------------\n\n")

let wallet2 = new Wallet("bar", wallet.publicKey);
wallet2.toString()

let signature2 = wallet2.sign()

console.log("\n\nSignature: "+JSON.stringify(signature)+"\n\n")

console.log("wallet data: "+ wallet2.data)

console.log("Verify: "+ (Wallet.verify(wallet2, signature)))

The output:

public key: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fc
signing data: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fchello1604430087928


Signature: {"r":"9ed97af6f4f3becdfa910c91d4865b9c8d9a317ac47b4b7edbd5d4873ca3b3c3","s":"46e76b801de77ee596a7726b08b1db0cdbd9a6b0404bee7c49be0fccee85e99f","recoveryParam":0}


wallet data: world
verifying data: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fcworld1604430087928
Verify: true


---------------Another wallet hacking-------------


public key: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fc
signing data: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fcbar1604430087974


Signature: {"r":"9ed97af6f4f3becdfa910c91d4865b9c8d9a317ac47b4b7edbd5d4873ca3b3c3","s":"46e76b801de77ee596a7726b08b1db0cdbd9a6b0404bee7c49be0fccee85e99f","recoveryParam":0}


wallet data: bar
verifying data: 045f349291f48e979d5895dedd523ceadf5f60b8b7e87706565f45d73561b1ba4e836ff6d7f27283cb0fece3a7b08abf37db995eae49666314f5b01954e21958fcbar1604430087974
Verify: true

Answer 1

Thanks to the @Topaco answer. I understand elliptic does not sign any kind of content. I also cast the string to an array and elliptic still sign and verify the content wrongly.

It considered

["0","4","3","7","d","0","6","2","d","a","a","7","a","9","5","3","f","a","5","6","5","9","3","2","3","d","d","d","0","7","6","4","e","b","8","a","2","e","9","1","9","6","b","4","d","1","f","6","c","1","8","5","0","9","3","5","a","6","0","b","9","a","6","1","5","6","4","d","1","8","a","5","9","c","b","d","e","2","8","f","6","1","9","5","7","1","0","1","c","4","2","f","b","1","2","b","b","4","2","4","1","3","a","4","3","e","e","4","3","6","8","8","f","1","9","d","a","3","6","f","c","9","1","c","6","1","9","9","6","7","h","e","l","l","o","1","6","0","4","4","4","7","6","8","8","9","2","8"]

the same as

["0","4","3","7","d","0","6","2","d","a","a","7","a","9","5","3","f","a","5","6","5","9","3","2","3","d","d","d","0","7","6","4","e","b","8","a","2","e","9","1","9","6","b","4","d","1","f","6","c","1","8","5","0","9","3","5","a","6","0","b","9","a","6","1","5","6","4","d","1","8","a","5","9","c","b","d","e","2","8","f","6","1","9","5","7","1","0","1","c","4","2","f","b","1","2","b","b","4","2","4","1","3","a","4","3","e","e","4","3","6","8","8","f","1","9","d","a","3","6","f","c","9","1","c","6","1","9","9","6","7","w","o","r","l","d","1","6","0","4","4","4","7","6","8","8","9","2","8"]

The first one contains hello and the second one contains world.

I fixed it by passing a sha256 encoded string to sign and to verify.

I installed the package crypto-js then I encode the string:

const Sha256 = require("crypto-js/sha256")

// Signing
const encContent = Sha256(raw).toString()
this.keyPair.sign(encContent )

// Verifying
const encContent = Sha256(raw).toString()
ec.keyFromPublic(wallet.publicKey, "hex").verify(encContent , signature)