cosmos-sdk/crypto/keys/secp256k1/secp256k1_nocgo.go

// +build !libsecp256k1

package secp256k1

import (
	"math/big"

	secp256k1 "github.com/btcsuite/btcd/btcec"

	"github.com/tendermint/tendermint/crypto"
)

// used to reject malleable signatures
// see:
//  - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93
//  - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/crypto.go#L39
var secp256k1halfN = new(big.Int).Rsh(secp256k1.S256().N, 1)

// Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg.
// The returned signature will be of the form R || S (in lower-S form).
func (privKey *PrivKey) Sign(msg []byte) ([]byte, error) {
	priv, _ := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey.Key)
	sig, err := priv.Sign(crypto.Sha256(msg))
	if err != nil {
		return nil, err
	}
	sigBytes := serializeSig(sig)
	return sigBytes, nil
}

// VerifyBytes verifies a signature of the form R || S.
// It rejects signatures which are not in lower-S form.
func (pubKey *PubKey) VerifySignature(msg []byte, sigStr []byte) bool {
	if len(sigStr) != 64 {
		return false
	}
	pub, err := secp256k1.ParsePubKey(pubKey.Key, secp256k1.S256())
	if err != nil {
		return false
	}
	// parse the signature:
	signature := signatureFromBytes(sigStr)
	// Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.
	// see: https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93
	if signature.S.Cmp(secp256k1halfN) > 0 {
		return false
	}
	return signature.Verify(crypto.Sha256(msg), pub)
}

// Read Signature struct from R || S. Caller needs to ensure
// that len(sigStr) == 64.
func signatureFromBytes(sigStr []byte) *secp256k1.Signature {
	return &secp256k1.Signature{
		R: new(big.Int).SetBytes(sigStr[:32]),
		S: new(big.Int).SetBytes(sigStr[32:64]),
	}
}

// Serialize signature to R || S.
// R, S are padded to 32 bytes respectively.
func serializeSig(sig *secp256k1.Signature) []byte {
	rBytes := sig.R.Bytes()
	sBytes := sig.S.Bytes()
	sigBytes := make([]byte, 64)
	// 0 pad the byte arrays from the left if they aren't big enough.
	copy(sigBytes[32-len(rBytes):32], rBytes)
	copy(sigBytes[64-len(sBytes):64], sBytes)
	return sigBytes
}
Migrate Tendermint PubKey types to the SDK (#7047) * Move crypto packages from tm * Revert refactor changes * Fix lint * Move to crypto/keys * Update to tm 0.34-rc3 * Update benchmark tests * Fix tests * Update to tm master Co-authored-by: Aaron Craelius <aaron@regen.network> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2020-08-18 06:53:40 -07:00			`// +build !libsecp256k1`

			`package secp256k1`

			`import (`
			`"math/big"`

			`secp256k1 "github.com/btcsuite/btcd/btcec"`

			`"github.com/tendermint/tendermint/crypto"`
			`)`

			`// used to reject malleable signatures`
			`// see:`
			`// - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93`
			`// - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/crypto.go#L39`
			`var secp256k1halfN = new(big.Int).Rsh(secp256k1.S256().N, 1)`

			`// Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg.`
			`// The returned signature will be of the form R \|\| S (in lower-S form).`
PubKey proto types (#7147) * WIP on protobuf keys * Use Type() and Bytes() in sr25519 pub key Equals * Add tests * Add few more tests * Update other pub/priv key types Equals * Fix PrivKey's Sign method * Rename variables in tests * Fix infinite recursive calls * Use tm ed25519 keys * Add Sign and VerifySignature tests * Remove ed25519 and sr25519 references * proto linting * Add proto crypto file * Implement some of the new multisig proto type methods * Add tests for MultisigThresholdPubKey * Add tests for pubkey pb/amino conversion functions * Move crypto types.go and register new proto pubkeys * Add missing pointer ref * Address review comments * panic in MultisigThresholdPubKey VerifySignature * Use internal crypto.PubKey in multisig * Add tests for MultisigThresholdPubKey VerifyMultisignature * Only keep LegacyAminoMultisigThresholdPubKey and move to proto keys to v1 * Remove conversion functions and introduce internal PubKey type * Remove old secp256k1 PubKey and PrivKey * Uncomment test case * Fix linting issues * More linting * Revert tests keys values * Add Amino overrides to proto keys * Add pubkey test * Fix tests * Use threshold isntead of K * Standardize Type * Revert standardize types commit * Add comment * Simplify proto names * Add comment about multisig codec Co-authored-by: Aaron Craelius <aaronc@users.noreply.github.com> Co-authored-by: Amaury Martiny <amaury.martiny@protonmail.com> Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2020-09-16 04:08:55 -07:00			`func (privKey *PrivKey) Sign(msg []byte) ([]byte, error) {`
			`priv, _ := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey.Key)`
Migrate Tendermint PubKey types to the SDK (#7047) * Move crypto packages from tm * Revert refactor changes * Fix lint * Move to crypto/keys * Update to tm 0.34-rc3 * Update benchmark tests * Fix tests * Update to tm master Co-authored-by: Aaron Craelius <aaron@regen.network> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2020-08-18 06:53:40 -07:00			`sig, err := priv.Sign(crypto.Sha256(msg))`
			`if err != nil {`
			`return nil, err`
			`}`
			`sigBytes := serializeSig(sig)`
			`return sigBytes, nil`
			`}`

			`// VerifyBytes verifies a signature of the form R \|\| S.`
			`// It rejects signatures which are not in lower-S form.`
PubKey proto types (#7147) * WIP on protobuf keys * Use Type() and Bytes() in sr25519 pub key Equals * Add tests * Add few more tests * Update other pub/priv key types Equals * Fix PrivKey's Sign method * Rename variables in tests * Fix infinite recursive calls * Use tm ed25519 keys * Add Sign and VerifySignature tests * Remove ed25519 and sr25519 references * proto linting * Add proto crypto file * Implement some of the new multisig proto type methods * Add tests for MultisigThresholdPubKey * Add tests for pubkey pb/amino conversion functions * Move crypto types.go and register new proto pubkeys * Add missing pointer ref * Address review comments * panic in MultisigThresholdPubKey VerifySignature * Use internal crypto.PubKey in multisig * Add tests for MultisigThresholdPubKey VerifyMultisignature * Only keep LegacyAminoMultisigThresholdPubKey and move to proto keys to v1 * Remove conversion functions and introduce internal PubKey type * Remove old secp256k1 PubKey and PrivKey * Uncomment test case * Fix linting issues * More linting * Revert tests keys values * Add Amino overrides to proto keys * Add pubkey test * Fix tests * Use threshold isntead of K * Standardize Type * Revert standardize types commit * Add comment * Simplify proto names * Add comment about multisig codec Co-authored-by: Aaron Craelius <aaronc@users.noreply.github.com> Co-authored-by: Amaury Martiny <amaury.martiny@protonmail.com> Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2020-09-16 04:08:55 -07:00			`func (pubKey *PubKey) VerifySignature(msg []byte, sigStr []byte) bool {`
Migrate Tendermint PubKey types to the SDK (#7047) * Move crypto packages from tm * Revert refactor changes * Fix lint * Move to crypto/keys * Update to tm 0.34-rc3 * Update benchmark tests * Fix tests * Update to tm master Co-authored-by: Aaron Craelius <aaron@regen.network> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2020-08-18 06:53:40 -07:00			`if len(sigStr) != 64 {`
			`return false`
			`}`
PubKey proto types (#7147) * WIP on protobuf keys * Use Type() and Bytes() in sr25519 pub key Equals * Add tests * Add few more tests * Update other pub/priv key types Equals * Fix PrivKey's Sign method * Rename variables in tests * Fix infinite recursive calls * Use tm ed25519 keys * Add Sign and VerifySignature tests * Remove ed25519 and sr25519 references * proto linting * Add proto crypto file * Implement some of the new multisig proto type methods * Add tests for MultisigThresholdPubKey * Add tests for pubkey pb/amino conversion functions * Move crypto types.go and register new proto pubkeys * Add missing pointer ref * Address review comments * panic in MultisigThresholdPubKey VerifySignature * Use internal crypto.PubKey in multisig * Add tests for MultisigThresholdPubKey VerifyMultisignature * Only keep LegacyAminoMultisigThresholdPubKey and move to proto keys to v1 * Remove conversion functions and introduce internal PubKey type * Remove old secp256k1 PubKey and PrivKey * Uncomment test case * Fix linting issues * More linting * Revert tests keys values * Add Amino overrides to proto keys * Add pubkey test * Fix tests * Use threshold isntead of K * Standardize Type * Revert standardize types commit * Add comment * Simplify proto names * Add comment about multisig codec Co-authored-by: Aaron Craelius <aaronc@users.noreply.github.com> Co-authored-by: Amaury Martiny <amaury.martiny@protonmail.com> Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2020-09-16 04:08:55 -07:00			`pub, err := secp256k1.ParsePubKey(pubKey.Key, secp256k1.S256())`
Migrate Tendermint PubKey types to the SDK (#7047) * Move crypto packages from tm * Revert refactor changes * Fix lint * Move to crypto/keys * Update to tm 0.34-rc3 * Update benchmark tests * Fix tests * Update to tm master Co-authored-by: Aaron Craelius <aaron@regen.network> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2020-08-18 06:53:40 -07:00			`if err != nil {`
			`return false`
			`}`
			`// parse the signature:`
			`signature := signatureFromBytes(sigStr)`
			`// Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.`
			`// see: https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93`
			`if signature.S.Cmp(secp256k1halfN) > 0 {`
			`return false`
			`}`
			`return signature.Verify(crypto.Sha256(msg), pub)`
			`}`

			`// Read Signature struct from R \|\| S. Caller needs to ensure`
			`// that len(sigStr) == 64.`
			`func signatureFromBytes(sigStr []byte) *secp256k1.Signature {`
			`return &secp256k1.Signature{`
			`R: new(big.Int).SetBytes(sigStr[:32]),`
			`S: new(big.Int).SetBytes(sigStr[32:64]),`
			`}`
			`}`

			`// Serialize signature to R \|\| S.`
			`// R, S are padded to 32 bytes respectively.`
			`func serializeSig(sig *secp256k1.Signature) []byte {`
			`rBytes := sig.R.Bytes()`
			`sBytes := sig.S.Bytes()`
			`sigBytes := make([]byte, 64)`
			`// 0 pad the byte arrays from the left if they aren't big enough.`
			`copy(sigBytes[32-len(rBytes):32], rBytes)`
			`copy(sigBytes[64-len(sBytes):64], sBytes)`
			`return sigBytes`
			`}`