// Copyright (c) 2009-2010 Satoshi Nakamoto // Copyright (c) 2009-2019 The Bitcoin Core developers // Copyright (c) 2017 The Zcash developers // Distributed under the MIT software license, see the accompanying // file COPYING or http://www.opensource.org/licenses/mit-license.php. #ifndef BITCOIN_KEY_H #define BITCOIN_KEY_H #include #include #include #include #include #include /** * CPrivKey is a serialized private key, with all parameters included * (SIZE bytes) */ typedef std::vector > CPrivKey; /** Size of ECDH shared secrets. */ constexpr static size_t ECDH_SECRET_SIZE = CSHA256::OUTPUT_SIZE; // Used to represent ECDH shared secret (ECDH_SECRET_SIZE bytes) using ECDHSecret = std::array; /** An encapsulated private key. */ class CKey { public: /** * secp256k1: */ static const unsigned int SIZE = 279; static const unsigned int COMPRESSED_SIZE = 214; /** * see www.keylength.com * script supports up to 75 for single byte push */ static_assert( SIZE >= COMPRESSED_SIZE, "COMPRESSED_SIZE is larger than SIZE"); private: //! Whether this private key is valid. We check for correctness when modifying the key //! data, so fValid should always correspond to the actual state. bool fValid; //! Whether the public key corresponding to this private key is (to be) compressed. bool fCompressed; //! The actual byte data std::vector > keydata; //! Check whether the 32-byte array pointed to by vch is valid keydata. bool static Check(const unsigned char* vch); public: //! Construct an invalid private key. CKey() : fValid(false), fCompressed(false) { // Important: vch must be 32 bytes in length to not break serialization keydata.resize(32); } friend bool operator==(const CKey& a, const CKey& b) { return a.fCompressed == b.fCompressed && a.size() == b.size() && memcmp(a.keydata.data(), b.keydata.data(), a.size()) == 0; } //! Initialize using begin and end iterators to byte data. template void Set(const T pbegin, const T pend, bool fCompressedIn) { if (size_t(pend - pbegin) != keydata.size()) { fValid = false; } else if (Check(&pbegin[0])) { memcpy(keydata.data(), (unsigned char*)&pbegin[0], keydata.size()); fValid = true; fCompressed = fCompressedIn; } else { fValid = false; } } //! Simple read-only vector-like interface. unsigned int size() const { return (fValid ? keydata.size() : 0); } const unsigned char* data() const { return keydata.data(); } const unsigned char* begin() const { return keydata.data(); } const unsigned char* end() const { return keydata.data() + size(); } //! Check whether this private key is valid. bool IsValid() const { return fValid; } //! Check whether the public key corresponding to this private key is (to be) compressed. bool IsCompressed() const { return fCompressed; } //! Generate a new private key using a cryptographic PRNG. void MakeNewKey(bool fCompressed); //! Negate private key bool Negate(); /** * Convert the private key to a CPrivKey (serialized OpenSSL private key data). * This is expensive. */ CPrivKey GetPrivKey() const; /** * Compute the public key from a private key. * This is expensive. */ CPubKey GetPubKey() const; /** * Create a DER-serialized signature. * The test_case parameter tweaks the deterministic nonce. */ bool Sign(const uint256& hash, std::vector& vchSig, bool grind = true, uint32_t test_case = 0) const; /** * Create a compact signature (65 bytes), which allows reconstructing the used public key. * The format is one header byte, followed by two times 32 bytes for the serialized r and s values. * The header byte: 0x1B = first key with even y, 0x1C = first key with odd y, * 0x1D = second key with even y, 0x1E = second key with odd y, * add 0x04 for compressed keys. */ bool SignCompact(const uint256& hash, std::vector& vchSig) const; //! Derive BIP32 child key. bool Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const; /** * Verify thoroughly whether a private key and a public key match. * This is done using a different mechanism than just regenerating it. */ bool VerifyPubKey(const CPubKey& vchPubKey) const; //! Load private key and check that public key matches. bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck); /** Create an ellswift-encoded public key for this key, with specified entropy. * * entropy must be a 32-byte span with additional entropy to use in the encoding. Every * public key has ~2^256 different encodings, and this function will deterministically pick * one of them, based on entropy. Note that even without truly random entropy, the * resulting encoding will be indistinguishable from uniform to any adversary who does not * know the private key (because the private key itself is always used as entropy as well). */ EllSwiftPubKey EllSwiftCreate(Span entropy) const; /** Compute a BIP324-style ECDH shared secret. * * - their_ellswift: EllSwiftPubKey that was received from the other side. * - our_ellswift: EllSwiftPubKey that was sent to the other side (must have been generated * from *this using EllSwiftCreate()). * - initiating: whether we are the initiating party (true) or responding party (false). */ ECDHSecret ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift, const EllSwiftPubKey& our_ellswift, bool initiating) const; }; struct CExtKey { unsigned char nDepth; unsigned char vchFingerprint[4]; unsigned int nChild; ChainCode chaincode; CKey key; friend bool operator==(const CExtKey& a, const CExtKey& b) { return a.nDepth == b.nDepth && memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 && a.nChild == b.nChild && a.chaincode == b.chaincode && a.key == b.key; } void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const; void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]); bool Derive(CExtKey& out, unsigned int nChild) const; CExtPubKey Neuter() const; void SetSeed(Span seed); }; /** Initialize the elliptic curve support. May not be called twice without calling ECC_Stop first. */ void ECC_Start(); /** Deinitialize the elliptic curve support. No-op if ECC_Start wasn't called first. */ void ECC_Stop(); /** Check that required EC support is available at runtime. */ bool ECC_InitSanityCheck(); #endif // BITCOIN_KEY_H