Bitcoin ABC  0.26.3
P2P Digital Currency
pubkey.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-2016 The Bitcoin Core developers
2 // Copyright (c) 2017 The Zcash developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 
6 #include <pubkey.h>
7 
8 #include <secp256k1.h>
9 #include <secp256k1_recovery.h>
10 #include <secp256k1_schnorr.h>
11 
12 namespace {
13 /* Global secp256k1_context object used for verification. */
14 secp256k1_context *secp256k1_context_verify = nullptr;
15 } // namespace
16 
30  const uint8_t *input, size_t inputlen) {
31  size_t rpos, rlen, spos, slen;
32  size_t pos = 0;
33  size_t lenbyte;
34  uint8_t tmpsig[64] = {0};
35  int overflow = 0;
36 
37  /* Hack to initialize sig with a correctly-parsed but invalid signature. */
39 
40  /* Sequence tag byte */
41  if (pos == inputlen || input[pos] != 0x30) {
42  return 0;
43  }
44  pos++;
45 
46  /* Sequence length bytes */
47  if (pos == inputlen) {
48  return 0;
49  }
50  lenbyte = input[pos++];
51  if (lenbyte & 0x80) {
52  lenbyte -= 0x80;
53  if (lenbyte > inputlen - pos) {
54  return 0;
55  }
56  pos += lenbyte;
57  }
58 
59  /* Integer tag byte for R */
60  if (pos == inputlen || input[pos] != 0x02) {
61  return 0;
62  }
63  pos++;
64 
65  /* Integer length for R */
66  if (pos == inputlen) {
67  return 0;
68  }
69  lenbyte = input[pos++];
70  if (lenbyte & 0x80) {
71  lenbyte -= 0x80;
72  if (lenbyte > inputlen - pos) {
73  return 0;
74  }
75  while (lenbyte > 0 && input[pos] == 0) {
76  pos++;
77  lenbyte--;
78  }
79  static_assert(sizeof(size_t) >= 4, "size_t too small");
80  if (lenbyte >= 4) {
81  return 0;
82  }
83  rlen = 0;
84  while (lenbyte > 0) {
85  rlen = (rlen << 8) + input[pos];
86  pos++;
87  lenbyte--;
88  }
89  } else {
90  rlen = lenbyte;
91  }
92  if (rlen > inputlen - pos) {
93  return 0;
94  }
95  rpos = pos;
96  pos += rlen;
97 
98  /* Integer tag byte for S */
99  if (pos == inputlen || input[pos] != 0x02) {
100  return 0;
101  }
102  pos++;
103 
104  /* Integer length for S */
105  if (pos == inputlen) {
106  return 0;
107  }
108  lenbyte = input[pos++];
109  if (lenbyte & 0x80) {
110  lenbyte -= 0x80;
111  if (lenbyte > inputlen - pos) {
112  return 0;
113  }
114  while (lenbyte > 0 && input[pos] == 0) {
115  pos++;
116  lenbyte--;
117  }
118  static_assert(sizeof(size_t) >= 4, "size_t too small");
119  if (lenbyte >= 4) {
120  return 0;
121  }
122  slen = 0;
123  while (lenbyte > 0) {
124  slen = (slen << 8) + input[pos];
125  pos++;
126  lenbyte--;
127  }
128  } else {
129  slen = lenbyte;
130  }
131  if (slen > inputlen - pos) {
132  return 0;
133  }
134  spos = pos;
135 
136  /* Ignore leading zeroes in R */
137  while (rlen > 0 && input[rpos] == 0) {
138  rlen--;
139  rpos++;
140  }
141  /* Copy R value */
142  if (rlen > 32) {
143  overflow = 1;
144  } else {
145  memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
146  }
147 
148  /* Ignore leading zeroes in S */
149  while (slen > 0 && input[spos] == 0) {
150  slen--;
151  spos++;
152  }
153  /* Copy S value */
154  if (slen > 32) {
155  overflow = 1;
156  } else {
157  memcpy(tmpsig + 64 - slen, input + spos, slen);
158  }
159 
160  if (!overflow) {
161  overflow = !secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
162  }
163  if (overflow) {
164  /* Overwrite the result again with a correctly-parsed but invalid
165  signature if parsing failed. */
166  memset(tmpsig, 0, 64);
168  }
169  return 1;
170 }
171 
172 bool CPubKey::VerifyECDSA(const uint256 &hash,
173  const std::vector<uint8_t> &vchSig) const {
174  if (!IsValid()) {
175  return false;
176  }
177 
178  secp256k1_pubkey pubkey;
180  assert(secp256k1_context_verify &&
181  "secp256k1_context_verify must be initialized to use CPubKey.");
182  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch,
183  size())) {
184  return false;
185  }
186  if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig,
187  vchSig.data(), vchSig.size())) {
188  return false;
189  }
194  secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, &sig, &sig);
195  return secp256k1_ecdsa_verify(secp256k1_context_verify, &sig, hash.begin(),
196  &pubkey);
197 }
198 
200  const uint256 &hash, const std::array<uint8_t, SCHNORR_SIZE> &sig) const {
201  if (!IsValid()) {
202  return false;
203  }
204 
205  secp256k1_pubkey pubkey;
206  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey,
207  &(*this)[0], size())) {
208  return false;
209  }
210 
211  return secp256k1_schnorr_verify(secp256k1_context_verify, sig.data(),
212  hash.begin(), &pubkey);
213 }
214 
216  const std::vector<uint8_t> &vchSig) const {
217  if (vchSig.size() != SCHNORR_SIZE) {
218  return false;
219  }
220 
221  std::array<uint8_t, SCHNORR_SIZE> sig;
222  std::copy(vchSig.begin(), vchSig.end(), sig.begin());
223 
224  return VerifySchnorr(hash, sig);
225 }
226 
228  const std::vector<uint8_t> &vchSig) {
229  if (vchSig.size() != COMPACT_SIGNATURE_SIZE) {
230  return false;
231  }
232 
233  int recid = (vchSig[0] - 27) & 3;
234  bool fComp = ((vchSig[0] - 27) & 4) != 0;
235  secp256k1_pubkey pubkey;
237  assert(secp256k1_context_verify &&
238  "secp256k1_context_verify must be initialized to use CPubKey.");
240  secp256k1_context_verify, &sig, &vchSig[1], recid)) {
241  return false;
242  }
243  if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig,
244  hash.begin())) {
245  return false;
246  }
247  uint8_t pub[SIZE];
248  size_t publen = SIZE;
250  secp256k1_context_verify, pub, &publen, &pubkey,
252  Set(pub, pub + publen);
253  return true;
254 }
255 
256 bool CPubKey::IsFullyValid() const {
257  if (!IsValid()) {
258  return false;
259  }
260  secp256k1_pubkey pubkey;
261  assert(secp256k1_context_verify &&
262  "secp256k1_context_verify must be initialized to use CPubKey.");
263  return secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch,
264  size());
265 }
266 
268  if (!IsValid()) {
269  return false;
270  }
271  secp256k1_pubkey pubkey;
272  assert(secp256k1_context_verify &&
273  "secp256k1_context_verify must be initialized to use CPubKey.");
274  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch,
275  size())) {
276  return false;
277  }
278  uint8_t pub[SIZE];
279  size_t publen = SIZE;
280  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen,
281  &pubkey, SECP256K1_EC_UNCOMPRESSED);
282  Set(pub, pub + publen);
283  return true;
284 }
285 
286 bool CPubKey::Derive(CPubKey &pubkeyChild, ChainCode &ccChild,
287  unsigned int nChild, const ChainCode &cc) const {
288  assert(IsValid());
289  assert((nChild >> 31) == 0);
291  uint8_t out[64];
292  BIP32Hash(cc, nChild, *begin(), begin() + 1, out);
293  memcpy(ccChild.begin(), out + 32, 32);
294  secp256k1_pubkey pubkey;
295  assert(secp256k1_context_verify &&
296  "secp256k1_context_verify must be initialized to use CPubKey.");
297  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch,
298  size())) {
299  return false;
300  }
301  if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey,
302  out)) {
303  return false;
304  }
305  uint8_t pub[COMPRESSED_SIZE];
306  size_t publen = COMPRESSED_SIZE;
307  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen,
308  &pubkey, SECP256K1_EC_COMPRESSED);
309  pubkeyChild.Set(pub, pub + publen);
310  return true;
311 }
312 
313 void CExtPubKey::Encode(uint8_t code[BIP32_EXTKEY_SIZE]) const {
314  code[0] = nDepth;
315  memcpy(code + 1, vchFingerprint, 4);
316  code[5] = (nChild >> 24) & 0xFF;
317  code[6] = (nChild >> 16) & 0xFF;
318  code[7] = (nChild >> 8) & 0xFF;
319  code[8] = (nChild >> 0) & 0xFF;
320  memcpy(code + 9, chaincode.begin(), 32);
322  memcpy(code + 41, pubkey.begin(), CPubKey::COMPRESSED_SIZE);
323 }
324 
325 void CExtPubKey::Decode(const uint8_t code[BIP32_EXTKEY_SIZE]) {
326  nDepth = code[0];
327  memcpy(vchFingerprint, code + 1, 4);
328  nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8];
329  memcpy(chaincode.begin(), code + 9, 32);
330  pubkey.Set(code + 41, code + BIP32_EXTKEY_SIZE);
331 }
332 
333 bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
334  out.nDepth = nDepth + 1;
335  CKeyID id = pubkey.GetID();
336  memcpy(&out.vchFingerprint[0], &id, 4);
337  out.nChild = _nChild;
338  return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);
339 }
340 
342  const boost::sliced_range<const std::vector<uint8_t>> &vchSig) {
344  assert(secp256k1_context_verify &&
345  "secp256k1_context_verify must be initialized to use CPubKey.");
346  if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig,
347  &vchSig.front(), vchSig.size())) {
348  return false;
349  }
350  return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify,
351  nullptr, &sig));
352 }
353 
354 /* static */ int ECCVerifyHandle::refcount = 0;
355 
357  if (refcount == 0) {
358  assert(secp256k1_context_verify == nullptr);
359  secp256k1_context_verify =
361  assert(secp256k1_context_verify != nullptr);
362  }
363  refcount++;
364 }
365 
367  refcount--;
368  if (refcount == 0) {
369  assert(secp256k1_context_verify != nullptr);
370  secp256k1_context_destroy(secp256k1_context_verify);
371  secp256k1_context_verify = nullptr;
372  }
373 }
secp256k1_context * ctx
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:22
An encapsulated public key.
Definition: pubkey.h:31
const uint8_t * begin() const
Definition: pubkey.h:100
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:140
static constexpr unsigned int SCHNORR_SIZE
Definition: pubkey.h:38
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:37
uint8_t vch[SIZE]
see www.keylength.com script supports up to 75 for single byte push
Definition: pubkey.h:46
bool VerifySchnorr(const uint256 &hash, const std::array< uint8_t, SCHNORR_SIZE > &sig) const
Verify a Schnorr signature (=64 bytes).
Definition: pubkey.cpp:199
bool VerifyECDSA(const uint256 &hash, const std::vector< uint8_t > &vchSig) const
Verify a DER-serialized ECDSA signature (~72 bytes).
Definition: pubkey.cpp:172
bool IsValid() const
Definition: pubkey.h:152
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:267
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:36
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid())
Definition: pubkey.cpp:256
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:98
static bool CheckLowS(const boost::sliced_range< const std::vector< uint8_t >> &vchSig)
Check whether a DER-serialized ECDSA signature is normalized (lower-S).
Definition: pubkey.cpp:341
bool RecoverCompact(const uint256 &hash, const std::vector< uint8_t > &vchSig)
Recover a public key from a compact ECDSA signature.
Definition: pubkey.cpp:227
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:286
static constexpr unsigned int COMPACT_SIGNATURE_SIZE
Definition: pubkey.h:40
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:78
static int refcount
Definition: pubkey.h:229
uint8_t * begin()
Definition: uint256.h:83
256-bit opaque blob.
Definition: uint256.h:127
void BIP32Hash(const ChainCode &chainCode, uint32_t nChild, uint8_t header, const uint8_t data[32], uint8_t output[64])
Definition: hash.cpp:71
SchnorrSig sig
Definition: processor.cpp:423
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:28
const unsigned int BIP32_EXTKEY_SIZE
Definition: pubkey.h:19
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:359
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:296
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:278
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:176
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:424
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:405
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:664
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:177
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:170
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:138
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify a signature created by secp256k1_schnorr_sign.
Definition: main_impl.h:13
void Encode(uint8_t code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:313
uint8_t nDepth
Definition: pubkey.h:199
ChainCode chaincode
Definition: pubkey.h:202
bool Derive(CExtPubKey &out, unsigned int nChild) const
Definition: pubkey.cpp:333
uint8_t vchFingerprint[4]
Definition: pubkey.h:200
void Decode(const uint8_t code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:325
CPubKey pubkey
Definition: pubkey.h:203
unsigned int nChild
Definition: pubkey.h:201
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:80
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:67
assert(!tx.IsCoinBase())