2017-11-09 19:34:51 +01:00
|
|
|
/*
|
|
|
|
|
* This file is part of the Flowee project
|
|
|
|
|
* Copyright (c) 2009-2015 The Bitcoin Core developers
|
2025-10-14 22:38:54 +02:00
|
|
|
* Copyright (C) 2019-2025 Tom Zander <tom@flowee.org>
|
2017-11-09 19:34:51 +01:00
|
|
|
*
|
|
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
2014-10-28 17:47:18 -04:00
|
|
|
|
2023-11-24 18:01:36 +01:00
|
|
|
#include "PublicKey.h"
|
2021-01-05 22:05:25 +01:00
|
|
|
#include <hash.h>
|
2014-10-28 17:47:18 -04:00
|
|
|
|
2015-07-28 20:11:20 +02:00
|
|
|
#include <secp256k1.h>
|
|
|
|
|
#include <secp256k1_recovery.h>
|
2019-04-17 23:21:14 +02:00
|
|
|
#include <secp256k1_schnorr.h>
|
2014-10-28 17:47:18 -04:00
|
|
|
|
2015-07-28 20:11:20 +02:00
|
|
|
namespace
|
|
|
|
|
{
|
|
|
|
|
/* Global secp256k1_context object used for verification. */
|
2019-11-13 15:11:39 +01:00
|
|
|
secp256k1_context* secp256k1_context_verify = nullptr;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** This function is taken from the libsecp256k1 distribution and implements
|
|
|
|
|
* DER parsing for ECDSA signatures, while supporting an arbitrary subset of
|
|
|
|
|
* format violations.
|
|
|
|
|
*
|
|
|
|
|
* Supported violations include negative integers, excessive padding, garbage
|
|
|
|
|
* at the end, and overly long length descriptors. This is safe to use in
|
|
|
|
|
* Bitcoin because since the activation of BIP66, signatures are verified to be
|
|
|
|
|
* strict DER before being passed to this module, and we know it supports all
|
|
|
|
|
* violations present in the blockchain before that point.
|
|
|
|
|
*/
|
|
|
|
|
static int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
|
|
|
|
|
size_t rpos, rlen, spos, slen;
|
|
|
|
|
size_t pos = 0;
|
|
|
|
|
size_t lenbyte;
|
|
|
|
|
unsigned char tmpsig[64] = {0};
|
|
|
|
|
int overflow = 0;
|
|
|
|
|
|
|
|
|
|
/* Hack to initialize sig with a correctly-parsed but invalid signature. */
|
|
|
|
|
secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
|
|
|
|
|
|
|
|
|
|
/* Sequence tag byte */
|
|
|
|
|
if (pos == inputlen || input[pos] != 0x30) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
pos++;
|
|
|
|
|
|
|
|
|
|
/* Sequence length bytes */
|
|
|
|
|
if (pos == inputlen) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
lenbyte = input[pos++];
|
|
|
|
|
if (lenbyte & 0x80) {
|
|
|
|
|
lenbyte -= 0x80;
|
|
|
|
|
if (pos + lenbyte > inputlen) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
pos += lenbyte;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Integer tag byte for R */
|
|
|
|
|
if (pos == inputlen || input[pos] != 0x02) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
pos++;
|
|
|
|
|
|
|
|
|
|
/* Integer length for R */
|
|
|
|
|
if (pos == inputlen) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
lenbyte = input[pos++];
|
|
|
|
|
if (lenbyte & 0x80) {
|
|
|
|
|
lenbyte -= 0x80;
|
|
|
|
|
if (pos + lenbyte > inputlen) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
while (lenbyte > 0 && input[pos] == 0) {
|
|
|
|
|
pos++;
|
|
|
|
|
lenbyte--;
|
|
|
|
|
}
|
|
|
|
|
if (lenbyte >= sizeof(size_t)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
rlen = 0;
|
|
|
|
|
while (lenbyte > 0) {
|
|
|
|
|
rlen = (rlen << 8) + input[pos];
|
|
|
|
|
pos++;
|
|
|
|
|
lenbyte--;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
rlen = lenbyte;
|
|
|
|
|
}
|
|
|
|
|
if (rlen > inputlen - pos) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
rpos = pos;
|
|
|
|
|
pos += rlen;
|
|
|
|
|
|
|
|
|
|
/* Integer tag byte for S */
|
|
|
|
|
if (pos == inputlen || input[pos] != 0x02) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
pos++;
|
|
|
|
|
|
|
|
|
|
/* Integer length for S */
|
|
|
|
|
if (pos == inputlen) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
lenbyte = input[pos++];
|
|
|
|
|
if (lenbyte & 0x80) {
|
|
|
|
|
lenbyte -= 0x80;
|
|
|
|
|
if (pos + lenbyte > inputlen) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
while (lenbyte > 0 && input[pos] == 0) {
|
|
|
|
|
pos++;
|
|
|
|
|
lenbyte--;
|
|
|
|
|
}
|
|
|
|
|
if (lenbyte >= sizeof(size_t)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
slen = 0;
|
|
|
|
|
while (lenbyte > 0) {
|
|
|
|
|
slen = (slen << 8) + input[pos];
|
|
|
|
|
pos++;
|
|
|
|
|
lenbyte--;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
slen = lenbyte;
|
|
|
|
|
}
|
|
|
|
|
if (slen > inputlen - pos) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
spos = pos;
|
|
|
|
|
pos += slen;
|
|
|
|
|
|
|
|
|
|
/* Ignore leading zeroes in R */
|
|
|
|
|
while (rlen > 0 && input[rpos] == 0) {
|
|
|
|
|
rlen--;
|
|
|
|
|
rpos++;
|
|
|
|
|
}
|
|
|
|
|
/* Copy R value */
|
|
|
|
|
if (rlen > 32) {
|
|
|
|
|
overflow = 1;
|
|
|
|
|
} else {
|
|
|
|
|
memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Ignore leading zeroes in S */
|
|
|
|
|
while (slen > 0 && input[spos] == 0) {
|
|
|
|
|
slen--;
|
|
|
|
|
spos++;
|
|
|
|
|
}
|
|
|
|
|
/* Copy S value */
|
|
|
|
|
if (slen > 32) {
|
|
|
|
|
overflow = 1;
|
|
|
|
|
} else {
|
|
|
|
|
memcpy(tmpsig + 64 - slen, input + spos, slen);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!overflow) {
|
|
|
|
|
overflow = !secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
|
|
|
|
|
}
|
|
|
|
|
if (overflow) {
|
|
|
|
|
/* Overwrite the result again with a correctly-parsed but invalid
|
|
|
|
|
signature if parsing failed. */
|
|
|
|
|
memset(tmpsig, 0, 64);
|
|
|
|
|
secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2014-10-28 17:47:18 -04:00
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::verifyECDSA(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
|
2021-04-19 11:58:00 +02:00
|
|
|
if (!isValid())
|
2014-10-28 17:47:18 -04:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
|
secp256k1_ecdsa_signature sig;
|
|
|
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
|
2014-10-28 17:47:18 -04:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
|
if (vchSig.size() == 0) {
|
2014-10-28 17:47:18 -04:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
|
if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, &vchSig[0], vchSig.size())) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
/* libsecp256k1's ECDSA verification requires lower-S signatures, which have
|
|
|
|
|
* not historically been enforced in Bitcoin, so normalize them first. */
|
|
|
|
|
secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, &sig, &sig);
|
2025-10-14 22:38:54 +02:00
|
|
|
return secp256k1_ecdsa_verify(secp256k1_context_verify, &sig, hash.begin(), &pubkey) == 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool PublicKey::verifyCompact(const uint256 &hash, const std::vector<unsigned char> &vchSig) const
|
|
|
|
|
{
|
|
|
|
|
if (!isValid() || vchSig.size() != 65)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
secp256k1_ecdsa_recoverable_signature sig;
|
|
|
|
|
const int recid = (vchSig[0] - 27) & 3;
|
|
|
|
|
if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_verify, &sig, &vchSig[1], recid)) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
secp256k1_ecdsa_signature convertedSig;
|
|
|
|
|
if (!secp256k1_ecdsa_recoverable_signature_convert(secp256k1_context_verify, &convertedSig, &sig))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size()))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return secp256k1_ecdsa_verify(secp256k1_context_verify, &convertedSig, hash.begin(), &pubkey) == 1;
|
2019-04-17 23:21:14 +02:00
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::verifySchnorr(const uint256 &hash, const std::vector<uint8_t> &vchSig) const
|
2019-04-17 23:21:14 +02:00
|
|
|
{
|
2021-04-19 11:58:00 +02:00
|
|
|
if (!isValid())
|
2019-04-17 23:21:14 +02:00
|
|
|
return false;
|
|
|
|
|
if (vchSig.size() != 64)
|
|
|
|
|
return false;
|
|
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size()))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return secp256k1_schnorr_verify(secp256k1_context_verify, &vchSig[0], hash.begin(), &pubkey);
|
2014-10-28 17:47:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::recoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
|
2014-10-28 17:47:18 -04:00
|
|
|
if (vchSig.size() != 65)
|
|
|
|
|
return false;
|
|
|
|
|
int recid = (vchSig[0] - 27) & 3;
|
|
|
|
|
bool fComp = ((vchSig[0] - 27) & 4) != 0;
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
|
secp256k1_ecdsa_recoverable_signature sig;
|
|
|
|
|
if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_verify, &sig, &vchSig[1], recid)) {
|
2014-10-28 17:47:18 -04:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
|
if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig, hash.begin())) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
unsigned char pub[65];
|
|
|
|
|
size_t publen = 65;
|
|
|
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
|
2021-04-19 11:58:00 +02:00
|
|
|
setData(pub, pub + publen);
|
2014-10-28 17:47:18 -04:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::isFullyValid() const {
|
2021-04-19 11:58:00 +02:00
|
|
|
if (!isValid())
|
2014-10-28 17:47:18 -04:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
|
return secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size());
|
2014-10-28 17:47:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::isCompressed() const
|
2019-11-13 15:11:39 +01:00
|
|
|
{
|
|
|
|
|
return size() == 33;
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::decompress() {
|
2021-04-19 11:58:00 +02:00
|
|
|
if (!isValid())
|
2014-10-28 17:47:18 -04:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
|
2014-10-28 17:47:18 -04:00
|
|
|
return false;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
|
unsigned char pub[65];
|
|
|
|
|
size_t publen = 65;
|
|
|
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
|
2021-04-19 11:58:00 +02:00
|
|
|
setData(pub, pub + publen);
|
2014-10-28 17:47:18 -04:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::derive(PublicKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
|
2021-04-19 11:58:00 +02:00
|
|
|
assert(isValid());
|
2014-10-28 17:47:18 -04:00
|
|
|
assert((nChild >> 31) == 0);
|
|
|
|
|
assert(begin() + 33 == end());
|
|
|
|
|
unsigned char out[64];
|
|
|
|
|
BIP32Hash(cc, nChild, *begin(), begin()+1, out);
|
2015-04-21 18:09:37 -04:00
|
|
|
memcpy(ccChild.begin(), out+32, 32);
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_pubkey pubkey;
|
|
|
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey, out)) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
unsigned char pub[33];
|
|
|
|
|
size_t publen = 33;
|
|
|
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
|
2021-04-19 11:58:00 +02:00
|
|
|
pubkeyChild.setData(pub, pub + publen);
|
2015-07-28 20:11:20 +02:00
|
|
|
return true;
|
2014-10-28 17:47:18 -04:00
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
KeyId PublicKey::getKeyId() const
|
2019-11-13 15:11:39 +01:00
|
|
|
{
|
2022-07-06 21:52:47 +02:00
|
|
|
return KeyId(Hash160(vch, vch + size()));
|
2019-11-13 15:11:39 +01:00
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
uint256 PublicKey::createHash() const
|
2019-11-13 15:11:39 +01:00
|
|
|
{
|
|
|
|
|
return Hash(vch, vch + size());
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::isValid() const
|
2019-11-13 15:11:39 +01:00
|
|
|
{
|
|
|
|
|
return size() > 0;
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-06 21:56:34 +02:00
|
|
|
bool PublicKey::checkLowS(const std::vector<unsigned char>& vchSig) {
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_ecdsa_signature sig;
|
|
|
|
|
if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, &vchSig[0], vchSig.size())) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2019-11-13 15:11:39 +01:00
|
|
|
return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, nullptr, &sig));
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* static */ int ECCVerifyHandle::refcount = 0;
|
|
|
|
|
|
|
|
|
|
ECCVerifyHandle::ECCVerifyHandle()
|
|
|
|
|
{
|
|
|
|
|
if (refcount == 0) {
|
2019-11-13 15:11:39 +01:00
|
|
|
assert(secp256k1_context_verify == nullptr);
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_context_verify = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
|
2019-11-13 15:11:39 +01:00
|
|
|
assert(secp256k1_context_verify != nullptr);
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
|
refcount++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ECCVerifyHandle::~ECCVerifyHandle()
|
|
|
|
|
{
|
|
|
|
|
refcount--;
|
|
|
|
|
if (refcount == 0) {
|
2019-11-13 15:11:39 +01:00
|
|
|
assert(secp256k1_context_verify != nullptr);
|
2015-07-28 20:11:20 +02:00
|
|
|
secp256k1_context_destroy(secp256k1_context_verify);
|
2019-11-13 15:11:39 +01:00
|
|
|
secp256k1_context_verify = nullptr;
|
2015-07-28 20:11:20 +02:00
|
|
|
}
|
|
|
|
|
}
|
