mirror of
https://github.com/ethereum/go-ethereum.git
synced 2026-07-03 19:51:15 +00:00
225 lines
7.3 KiB
Go
225 lines
7.3 KiB
Go
// Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be found in
|
|
// the LICENSE file.
|
|
|
|
//go:build !gofuzz && cgo
|
|
// +build !gofuzz,cgo
|
|
|
|
// Package secp256k1 wraps the bitcoin secp256k1 C library.
|
|
package secp256k1
|
|
|
|
/*
|
|
#cgo CFLAGS: -I./libsecp256k1
|
|
#cgo CFLAGS: -I./libsecp256k1/src/
|
|
|
|
#ifndef NDEBUG
|
|
# define NDEBUG
|
|
#endif
|
|
|
|
#include "./libsecp256k1/src/secp256k1.c"
|
|
#include "./libsecp256k1/src/modules/recovery/main_impl.h"
|
|
#include "./libsecp256k1/src/precomputed_ecmult.c"
|
|
#include "./libsecp256k1/src/precomputed_ecmult_gen.c"
|
|
#include "ext.h"
|
|
|
|
typedef void (*callbackFunc) (const char* msg, void* data);
|
|
extern void secp256k1GoPanicIllegal(const char* msg, void* data);
|
|
extern void secp256k1GoPanicError(const char* msg, void* data);
|
|
|
|
static int secp256k1GoNonceFunctionRfc6979Offset(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
|
|
unsigned int start = 0;
|
|
if (data != NULL) {
|
|
start = *((unsigned int*)data);
|
|
}
|
|
return secp256k1_nonce_function_rfc6979(nonce32, msg32, key32, algo16, NULL, counter + start);
|
|
}
|
|
|
|
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979_offset = secp256k1GoNonceFunctionRfc6979Offset;
|
|
*/
|
|
import "C"
|
|
|
|
import (
|
|
"errors"
|
|
"math/big"
|
|
"unsafe"
|
|
)
|
|
|
|
var context *C.secp256k1_context
|
|
|
|
func init() {
|
|
// around 20 ms on a modern CPU.
|
|
context = C.secp256k1_context_create_sign_verify()
|
|
C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)
|
|
C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil)
|
|
}
|
|
|
|
var (
|
|
ErrInvalidMsgLen = errors.New("invalid message length, need 32 bytes")
|
|
ErrInvalidSignatureLen = errors.New("invalid signature length")
|
|
ErrInvalidRecoveryID = errors.New("invalid signature recovery id")
|
|
ErrInvalidKey = errors.New("invalid private key")
|
|
ErrInvalidPubkey = errors.New("invalid public key")
|
|
ErrSignFailed = errors.New("signing failed")
|
|
ErrRecoverFailed = errors.New("recovery failed")
|
|
)
|
|
|
|
// Sign creates a recoverable ECDSA signature.
|
|
// The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1.
|
|
//
|
|
// The caller is responsible for ensuring that msg cannot be chosen
|
|
// directly by an attacker. It is usually preferable to use a cryptographic
|
|
// hash function on any input before handing it to this function.
|
|
func Sign(msg []byte, seckey []byte) ([]byte, error) {
|
|
if len(msg) != 32 {
|
|
return nil, ErrInvalidMsgLen
|
|
}
|
|
if len(seckey) != 32 {
|
|
return nil, ErrInvalidKey
|
|
}
|
|
seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0]))
|
|
if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 {
|
|
return nil, ErrInvalidKey
|
|
}
|
|
|
|
var (
|
|
msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))
|
|
noncefunc = C.secp256k1_nonce_function_rfc6979
|
|
sigstruct C.secp256k1_ecdsa_recoverable_signature
|
|
)
|
|
if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 {
|
|
return nil, ErrSignFailed
|
|
}
|
|
|
|
var (
|
|
sig = make([]byte, 65)
|
|
sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
|
|
recid C.int
|
|
)
|
|
C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct)
|
|
sig[64] = byte(recid) // add back recid to get 65 bytes sig
|
|
return sig, nil
|
|
}
|
|
|
|
// SignUnsafe creates a recoverable ECDSA signature, using the given RFC6979 counter
|
|
// as the starting point for nonce generation.
|
|
//
|
|
// The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1.
|
|
//
|
|
// This function is susceptible to chosen plaintext attacks that can leak
|
|
// information about the private key that is used for signing. Callers must
|
|
// be aware that the given msg cannot be chosen by an adversary. Common
|
|
// solution is to hash any input before calculating the signature.
|
|
func SignUnsafe(msg []byte, seckey []byte, counter uint) ([]byte, error) {
|
|
if counter > uint(^uint32(0)) {
|
|
return nil, errors.New("invalid counter")
|
|
}
|
|
if len(msg) != 32 {
|
|
return nil, ErrInvalidMsgLen
|
|
}
|
|
if len(seckey) != 32 {
|
|
return nil, ErrInvalidKey
|
|
}
|
|
seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0]))
|
|
if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 {
|
|
return nil, ErrInvalidKey
|
|
}
|
|
|
|
start := C.uint(counter)
|
|
var (
|
|
msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))
|
|
noncefunc = C.secp256k1_nonce_function_rfc6979_offset
|
|
sigstruct C.secp256k1_ecdsa_recoverable_signature
|
|
)
|
|
if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, unsafe.Pointer(&start)) == 0 {
|
|
return nil, ErrSignFailed
|
|
}
|
|
|
|
var (
|
|
sig = make([]byte, 65)
|
|
sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
|
|
recid C.int
|
|
)
|
|
C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct)
|
|
sig[64] = byte(recid) // add back recid to get 65 bytes sig
|
|
return sig, nil
|
|
}
|
|
|
|
// RecoverPubkey returns the public key of the signer.
|
|
// msg must be the 32-byte hash of the message to be signed.
|
|
// sig must be a 65-byte compact ECDSA signature containing the
|
|
// recovery id as the last element.
|
|
func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) {
|
|
if len(msg) != 32 {
|
|
return nil, ErrInvalidMsgLen
|
|
}
|
|
if err := checkSignature(sig); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var (
|
|
pubkey = make([]byte, 65)
|
|
sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
|
|
msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))
|
|
)
|
|
if C.secp256k1_ext_ecdsa_recover(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 {
|
|
return nil, ErrRecoverFailed
|
|
}
|
|
return pubkey, nil
|
|
}
|
|
|
|
// VerifySignature checks that the given pubkey created signature over message.
|
|
// The signature should be in [R || S] format.
|
|
func VerifySignature(pubkey, msg, signature []byte) bool {
|
|
if len(msg) != 32 || len(signature) != 64 || len(pubkey) == 0 {
|
|
return false
|
|
}
|
|
sigdata := (*C.uchar)(unsafe.Pointer(&signature[0]))
|
|
msgdata := (*C.uchar)(unsafe.Pointer(&msg[0]))
|
|
keydata := (*C.uchar)(unsafe.Pointer(&pubkey[0]))
|
|
return C.secp256k1_ext_ecdsa_verify(context, sigdata, msgdata, keydata, C.size_t(len(pubkey))) != 0
|
|
}
|
|
|
|
// DecompressPubkey parses a public key in the 33-byte compressed format.
|
|
// It returns non-nil coordinates if the public key is valid.
|
|
func DecompressPubkey(pubkey []byte) (x, y *big.Int) {
|
|
if len(pubkey) != 33 {
|
|
return nil, nil
|
|
}
|
|
var (
|
|
pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0]))
|
|
pubkeylen = C.size_t(len(pubkey))
|
|
out = make([]byte, 65)
|
|
outdata = (*C.uchar)(unsafe.Pointer(&out[0]))
|
|
outlen = C.size_t(len(out))
|
|
)
|
|
if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 {
|
|
return nil, nil
|
|
}
|
|
return new(big.Int).SetBytes(out[1:33]), new(big.Int).SetBytes(out[33:])
|
|
}
|
|
|
|
// CompressPubkey encodes a public key to 33-byte compressed format.
|
|
func CompressPubkey(x, y *big.Int) []byte {
|
|
var (
|
|
pubkey = S256().Marshal(x, y)
|
|
pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0]))
|
|
pubkeylen = C.size_t(len(pubkey))
|
|
out = make([]byte, 33)
|
|
outdata = (*C.uchar)(unsafe.Pointer(&out[0]))
|
|
outlen = C.size_t(len(out))
|
|
)
|
|
if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 {
|
|
panic("libsecp256k1 error")
|
|
}
|
|
return out
|
|
}
|
|
|
|
func checkSignature(sig []byte) error {
|
|
if len(sig) != 65 {
|
|
return ErrInvalidSignatureLen
|
|
}
|
|
if sig[64] >= 4 {
|
|
return ErrInvalidRecoveryID
|
|
}
|
|
return nil
|
|
}
|