2019-12-31 18:35:41 +01:00
|
|
|
// Copyright (c) 2009-2019 The Bitcoin Core developers
|
2017-12-20 17:22:56 +01:00
|
|
|
// Copyright (c) 2017 The Zcash developers
|
2014-11-04 14:34:04 +01:00
|
|
|
// Distributed under the MIT software license, see the accompanying
|
2014-10-28 22:47:18 +01:00
|
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
|
|
|
2020-03-19 23:46:56 +01:00
|
|
|
#include <pubkey.h>
|
2014-10-28 22:47:18 +01:00
|
|
|
|
2015-07-28 20:11:20 +02:00
|
|
|
#include <secp256k1.h>
|
2023-06-26 22:50:21 +02:00
|
|
|
#include <secp256k1_ellswift.h>
|
2015-07-28 20:11:20 +02:00
|
|
|
#include <secp256k1_recovery.h>
|
2014-10-28 22:47:18 +01:00
|
|
|
|
2023-09-08 09:57:53 +02:00
|
|
|
namespace {
|
|
|
|
|
|
|
|
struct Secp256k1SelfTester
|
2015-07-28 20:11:20 +02:00
|
|
|
{
|
2023-09-08 09:57:53 +02:00
|
|
|
Secp256k1SelfTester() {
|
|
|
|
/* Run libsecp256k1 self-test before using the secp256k1_context_static. */
|
|
|
|
secp256k1_selftest();
|
|
|
|
}
|
|
|
|
} SECP256K1_SELFTESTER;
|
|
|
|
|
2017-06-26 13:37:42 +02:00
|
|
|
} // namespace
|
2015-07-28 20:11:20 +02:00
|
|
|
|
|
|
|
/** This function is taken from the libsecp256k1 distribution and implements
|
|
|
|
* DER parsing for ECDSA signatures, while supporting an arbitrary subset of
|
|
|
|
* format violations.
|
|
|
|
*
|
|
|
|
* Supported violations include negative integers, excessive padding, garbage
|
|
|
|
* at the end, and overly long length descriptors. This is safe to use in
|
|
|
|
* Bitcoin because since the activation of BIP66, signatures are verified to be
|
|
|
|
* strict DER before being passed to this module, and we know it supports all
|
|
|
|
* violations present in the blockchain before that point.
|
|
|
|
*/
|
2023-09-08 09:57:53 +02:00
|
|
|
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
|
2015-07-28 20:11:20 +02:00
|
|
|
size_t rpos, rlen, spos, slen;
|
|
|
|
size_t pos = 0;
|
|
|
|
size_t lenbyte;
|
|
|
|
unsigned char tmpsig[64] = {0};
|
|
|
|
int overflow = 0;
|
|
|
|
|
|
|
|
/* Hack to initialize sig with a correctly-parsed but invalid signature. */
|
2023-09-08 09:57:53 +02:00
|
|
|
secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
|
2015-07-28 20:11:20 +02:00
|
|
|
|
|
|
|
/* Sequence tag byte */
|
|
|
|
if (pos == inputlen || input[pos] != 0x30) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
pos++;
|
|
|
|
|
|
|
|
/* Sequence length bytes */
|
|
|
|
if (pos == inputlen) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
lenbyte = input[pos++];
|
|
|
|
if (lenbyte & 0x80) {
|
|
|
|
lenbyte -= 0x80;
|
2017-12-20 17:22:56 +01:00
|
|
|
if (lenbyte > inputlen - pos) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
pos += lenbyte;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Integer tag byte for R */
|
|
|
|
if (pos == inputlen || input[pos] != 0x02) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
pos++;
|
|
|
|
|
|
|
|
/* Integer length for R */
|
|
|
|
if (pos == inputlen) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
lenbyte = input[pos++];
|
|
|
|
if (lenbyte & 0x80) {
|
|
|
|
lenbyte -= 0x80;
|
2017-12-20 17:22:56 +01:00
|
|
|
if (lenbyte > inputlen - pos) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
while (lenbyte > 0 && input[pos] == 0) {
|
|
|
|
pos++;
|
|
|
|
lenbyte--;
|
|
|
|
}
|
2017-12-20 17:22:56 +01:00
|
|
|
static_assert(sizeof(size_t) >= 4, "size_t too small");
|
|
|
|
if (lenbyte >= 4) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
rlen = 0;
|
|
|
|
while (lenbyte > 0) {
|
|
|
|
rlen = (rlen << 8) + input[pos];
|
|
|
|
pos++;
|
|
|
|
lenbyte--;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
rlen = lenbyte;
|
|
|
|
}
|
|
|
|
if (rlen > inputlen - pos) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
rpos = pos;
|
|
|
|
pos += rlen;
|
|
|
|
|
|
|
|
/* Integer tag byte for S */
|
|
|
|
if (pos == inputlen || input[pos] != 0x02) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
pos++;
|
|
|
|
|
|
|
|
/* Integer length for S */
|
|
|
|
if (pos == inputlen) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
lenbyte = input[pos++];
|
|
|
|
if (lenbyte & 0x80) {
|
|
|
|
lenbyte -= 0x80;
|
2017-12-20 17:22:56 +01:00
|
|
|
if (lenbyte > inputlen - pos) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
while (lenbyte > 0 && input[pos] == 0) {
|
|
|
|
pos++;
|
|
|
|
lenbyte--;
|
|
|
|
}
|
2017-12-20 17:22:56 +01:00
|
|
|
static_assert(sizeof(size_t) >= 4, "size_t too small");
|
|
|
|
if (lenbyte >= 4) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
slen = 0;
|
|
|
|
while (lenbyte > 0) {
|
|
|
|
slen = (slen << 8) + input[pos];
|
|
|
|
pos++;
|
|
|
|
lenbyte--;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
slen = lenbyte;
|
|
|
|
}
|
|
|
|
if (slen > inputlen - pos) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
spos = pos;
|
|
|
|
|
|
|
|
/* Ignore leading zeroes in R */
|
|
|
|
while (rlen > 0 && input[rpos] == 0) {
|
|
|
|
rlen--;
|
|
|
|
rpos++;
|
|
|
|
}
|
|
|
|
/* Copy R value */
|
|
|
|
if (rlen > 32) {
|
|
|
|
overflow = 1;
|
|
|
|
} else {
|
|
|
|
memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Ignore leading zeroes in S */
|
|
|
|
while (slen > 0 && input[spos] == 0) {
|
|
|
|
slen--;
|
|
|
|
spos++;
|
|
|
|
}
|
|
|
|
/* Copy S value */
|
|
|
|
if (slen > 32) {
|
|
|
|
overflow = 1;
|
|
|
|
} else {
|
|
|
|
memcpy(tmpsig + 64 - slen, input + spos, slen);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!overflow) {
|
2023-09-08 09:57:53 +02:00
|
|
|
overflow = !secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
if (overflow) {
|
|
|
|
/* Overwrite the result again with a correctly-parsed but invalid
|
|
|
|
signature if parsing failed. */
|
|
|
|
memset(tmpsig, 0, 64);
|
2023-09-08 09:57:53 +02:00
|
|
|
secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
2014-10-28 22:47:18 +01:00
|
|
|
|
|
|
|
bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
|
|
|
|
if (!IsValid())
|
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
secp256k1_ecdsa_signature sig;
|
2023-09-08 09:57:53 +02:00
|
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
|
2014-10-28 22:47:18 +01:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
2023-09-08 09:57:53 +02:00
|
|
|
if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
/* libsecp256k1's ECDSA verification requires lower-S signatures, which have
|
|
|
|
* not historically been enforced in Bitcoin, so normalize them first. */
|
2023-09-08 09:57:53 +02:00
|
|
|
secp256k1_ecdsa_signature_normalize(secp256k1_context_static, &sig, &sig);
|
|
|
|
return secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pubkey);
|
2014-10-28 22:47:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
|
2017-12-20 17:22:56 +01:00
|
|
|
if (vchSig.size() != COMPACT_SIGNATURE_SIZE)
|
2014-10-28 22:47:18 +01:00
|
|
|
return false;
|
|
|
|
int recid = (vchSig[0] - 27) & 3;
|
|
|
|
bool fComp = ((vchSig[0] - 27) & 4) != 0;
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
secp256k1_ecdsa_recoverable_signature sig;
|
2023-09-08 09:57:53 +02:00
|
|
|
if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_static, &sig, &vchSig[1], recid)) {
|
2014-10-28 22:47:18 +01:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
2023-09-08 09:57:53 +02:00
|
|
|
if (!secp256k1_ecdsa_recover(secp256k1_context_static, &pubkey, &sig, hash.begin())) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return false;
|
|
|
|
}
|
2021-08-09 01:26:00 +02:00
|
|
|
unsigned char pub[SIZE];
|
|
|
|
size_t publen = SIZE;
|
2023-09-08 09:57:53 +02:00
|
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
|
2015-07-28 20:11:20 +02:00
|
|
|
Set(pub, pub + publen);
|
2014-10-28 22:47:18 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool CPubKey::IsFullyValid() const {
|
|
|
|
if (!IsValid())
|
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
2023-09-08 09:57:53 +02:00
|
|
|
return secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size());
|
2014-10-28 22:47:18 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
bool CPubKey::Decompress() {
|
|
|
|
if (!IsValid())
|
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
2023-09-08 09:57:53 +02:00
|
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
|
2014-10-28 22:47:18 +01:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
2021-08-09 01:26:00 +02:00
|
|
|
unsigned char pub[SIZE];
|
|
|
|
size_t publen = SIZE;
|
2023-09-08 09:57:53 +02:00
|
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
|
2015-07-28 20:11:20 +02:00
|
|
|
Set(pub, pub + publen);
|
2014-10-28 22:47:18 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2015-04-22 00:09:37 +02:00
|
|
|
bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
|
2014-10-28 22:47:18 +01:00
|
|
|
assert(IsValid());
|
|
|
|
assert((nChild >> 31) == 0);
|
2021-08-09 01:26:00 +02:00
|
|
|
assert(size() == COMPRESSED_SIZE);
|
2014-10-28 22:47:18 +01:00
|
|
|
unsigned char out[64];
|
|
|
|
BIP32Hash(cc, nChild, *begin(), begin()+1, out);
|
2015-04-22 00:09:37 +02:00
|
|
|
memcpy(ccChild.begin(), out+32, 32);
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
2023-09-08 09:57:53 +02:00
|
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return false;
|
|
|
|
}
|
2023-09-08 09:57:53 +02:00
|
|
|
if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_static, &pubkey, out)) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return false;
|
|
|
|
}
|
2021-08-09 01:26:00 +02:00
|
|
|
unsigned char pub[COMPRESSED_SIZE];
|
|
|
|
size_t publen = COMPRESSED_SIZE;
|
2023-09-08 09:57:53 +02:00
|
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
|
2015-07-28 20:11:20 +02:00
|
|
|
pubkeyChild.Set(pub, pub + publen);
|
|
|
|
return true;
|
2014-10-28 22:47:18 +01:00
|
|
|
}
|
|
|
|
|
2023-06-26 22:50:21 +02:00
|
|
|
CPubKey EllSwiftPubKey::Decode() const
|
|
|
|
{
|
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
secp256k1_ellswift_decode(secp256k1_context_static, &pubkey, UCharCast(m_pubkey.data()));
|
|
|
|
|
|
|
|
size_t sz = CPubKey::COMPRESSED_SIZE;
|
|
|
|
std::array<uint8_t, CPubKey::COMPRESSED_SIZE> vch_bytes;
|
|
|
|
|
|
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_static, vch_bytes.data(), &sz, &pubkey, SECP256K1_EC_COMPRESSED);
|
|
|
|
assert(sz == vch_bytes.size());
|
|
|
|
|
|
|
|
return CPubKey{vch_bytes.begin(), vch_bytes.end()};
|
|
|
|
}
|
|
|
|
|
2017-09-15 13:35:55 +02:00
|
|
|
void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
|
2014-10-28 22:47:18 +01:00
|
|
|
code[0] = nDepth;
|
|
|
|
memcpy(code+1, vchFingerprint, 4);
|
2021-10-11 03:32:06 +02:00
|
|
|
WriteBE32(code+5, nChild);
|
2015-04-22 00:09:37 +02:00
|
|
|
memcpy(code+9, chaincode.begin(), 32);
|
2021-08-09 01:26:00 +02:00
|
|
|
assert(pubkey.size() == CPubKey::COMPRESSED_SIZE);
|
|
|
|
memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_SIZE);
|
2014-10-28 22:47:18 +01:00
|
|
|
}
|
|
|
|
|
2017-09-15 13:35:55 +02:00
|
|
|
void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
|
2014-10-28 22:47:18 +01:00
|
|
|
nDepth = code[0];
|
|
|
|
memcpy(vchFingerprint, code+1, 4);
|
2021-10-11 03:32:06 +02:00
|
|
|
nChild = ReadBE32(code+5);
|
2015-04-22 00:09:37 +02:00
|
|
|
memcpy(chaincode.begin(), code+9, 32);
|
2017-09-15 13:35:55 +02:00
|
|
|
pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE);
|
2021-09-02 04:18:59 +02:00
|
|
|
if ((nDepth == 0 && (nChild != 0 || ReadLE32(vchFingerprint) != 0)) || !pubkey.IsFullyValid()) pubkey = CPubKey();
|
2014-10-28 22:47:18 +01:00
|
|
|
}
|
|
|
|
|
2016-09-27 13:25:42 +02:00
|
|
|
bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
|
2014-10-28 22:47:18 +01:00
|
|
|
out.nDepth = nDepth + 1;
|
|
|
|
CKeyID id = pubkey.GetID();
|
2021-04-26 22:08:35 +02:00
|
|
|
memcpy(out.vchFingerprint, &id, 4);
|
2016-09-27 13:25:42 +02:00
|
|
|
out.nChild = _nChild;
|
|
|
|
return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);
|
2014-10-28 22:47:18 +01:00
|
|
|
}
|
2015-07-28 20:11:20 +02:00
|
|
|
|
|
|
|
/* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
|
|
|
|
secp256k1_ecdsa_signature sig;
|
2023-09-08 09:57:53 +02:00
|
|
|
if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {
|
2015-07-28 20:11:20 +02:00
|
|
|
return false;
|
|
|
|
}
|
2023-09-08 09:57:53 +02:00
|
|
|
return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_static, nullptr, &sig));
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|