176 lines
6.2 KiB
C++
176 lines
6.2 KiB
C++
// Copyright (c) 2009-2014 The Bitcoin Core developers
|
|
// Copyright (c) 2017-2022 The Zcash developers
|
|
// Distributed under the MIT software license, see the accompanying
|
|
// file COPYING or https://www.opensource.org/licenses/mit-license.php .
|
|
|
|
#include "pubkey.h"
|
|
|
|
#include <secp256k1.h>
|
|
#include <secp256k1_recovery.h>
|
|
|
|
namespace
|
|
{
|
|
/* Global secp256k1_context object used for verification. */
|
|
secp256k1_context* secp256k1_context_verify = NULL;
|
|
}
|
|
|
|
|
|
bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
|
|
if (!IsValid())
|
|
return false;
|
|
secp256k1_pubkey pubkey;
|
|
secp256k1_ecdsa_signature sig;
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
|
|
return false;
|
|
}
|
|
if (vchSig.size() == 0) {
|
|
return false;
|
|
}
|
|
/* Zcash, unlike Bitcoin, has always enforced strict DER signatures. */
|
|
if (!secp256k1_ecdsa_signature_parse_der(secp256k1_context_verify, &sig, &vchSig[0], vchSig.size())) {
|
|
return false;
|
|
}
|
|
/* libsecp256k1's ECDSA verification requires lower-S signatures, which have
|
|
* not historically been enforced in Bitcoin or Zcash, so normalize them first. */
|
|
secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, &sig, &sig);
|
|
return secp256k1_ecdsa_verify(secp256k1_context_verify, &sig, hash.begin(), &pubkey);
|
|
}
|
|
|
|
bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
|
|
if (vchSig.size() != COMPACT_SIGNATURE_SIZE)
|
|
return false;
|
|
int recid = (vchSig[0] - 27) & 3;
|
|
bool fComp = ((vchSig[0] - 27) & 4) != 0;
|
|
secp256k1_pubkey pubkey;
|
|
secp256k1_ecdsa_recoverable_signature sig;
|
|
if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_verify, &sig, &vchSig[1], recid)) {
|
|
return false;
|
|
}
|
|
if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig, hash.begin())) {
|
|
return false;
|
|
}
|
|
unsigned char pub[PUBLIC_KEY_SIZE];
|
|
size_t publen = PUBLIC_KEY_SIZE;
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
|
|
Set(pub, pub + publen);
|
|
return true;
|
|
}
|
|
|
|
bool CPubKey::IsFullyValid() const {
|
|
if (!IsValid())
|
|
return false;
|
|
secp256k1_pubkey pubkey;
|
|
return secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size());
|
|
}
|
|
|
|
bool CPubKey::Decompress() {
|
|
if (!IsValid())
|
|
return false;
|
|
secp256k1_pubkey pubkey;
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
|
|
return false;
|
|
}
|
|
unsigned char pub[PUBLIC_KEY_SIZE];
|
|
size_t publen = PUBLIC_KEY_SIZE;
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
|
|
Set(pub, pub + publen);
|
|
return true;
|
|
}
|
|
|
|
bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
|
|
assert(IsValid());
|
|
assert((nChild >> 31) == 0);
|
|
assert(size() == COMPRESSED_PUBLIC_KEY_SIZE);
|
|
unsigned char out[64];
|
|
BIP32Hash(cc, nChild, *begin(), begin()+1, out);
|
|
memcpy(ccChild.begin(), out+32, 32);
|
|
secp256k1_pubkey pubkey;
|
|
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
|
|
return false;
|
|
}
|
|
if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey, out)) {
|
|
return false;
|
|
}
|
|
unsigned char pub[COMPRESSED_PUBLIC_KEY_SIZE];
|
|
size_t publen = COMPRESSED_PUBLIC_KEY_SIZE;
|
|
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
|
|
pubkeyChild.Set(pub, pub + publen);
|
|
return true;
|
|
}
|
|
|
|
std::optional<CChainablePubKey> CChainablePubKey::Derive(unsigned int nChild) const {
|
|
CPubKey pubkeyChild;
|
|
ChainCode ccChild;
|
|
if (pubkey.Derive(pubkeyChild, ccChild, nChild, chaincode)) {
|
|
return CChainablePubKey::FromParts(ccChild, pubkeyChild);
|
|
} else {
|
|
return std::nullopt;
|
|
}
|
|
}
|
|
|
|
void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
|
|
code[0] = nDepth;
|
|
memcpy(code+1, vchFingerprint, 4);
|
|
code[5] = (nChild >> 24) & 0xFF; code[6] = (nChild >> 16) & 0xFF;
|
|
code[7] = (nChild >> 8) & 0xFF; code[8] = (nChild >> 0) & 0xFF;
|
|
memcpy(code+9, chaincode.begin(), 32);
|
|
assert(pubkey.size() == CPubKey::COMPRESSED_PUBLIC_KEY_SIZE);
|
|
memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_PUBLIC_KEY_SIZE);
|
|
}
|
|
|
|
void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
|
|
nDepth = code[0];
|
|
memcpy(vchFingerprint, code+1, 4);
|
|
nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8];
|
|
memcpy(chaincode.begin(), code+9, 32);
|
|
pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE);
|
|
}
|
|
|
|
bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
|
|
out.nDepth = nDepth + 1;
|
|
CKeyID id = pubkey.GetID();
|
|
memcpy(&out.vchFingerprint[0], &id, 4);
|
|
out.nChild = _nChild;
|
|
return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);
|
|
}
|
|
|
|
/* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
|
|
secp256k1_ecdsa_signature sig;
|
|
|
|
/* Zcash, unlike Bitcoin, has always enforced strict DER signatures. */
|
|
if (!secp256k1_ecdsa_signature_parse_der(secp256k1_context_verify, &sig, &vchSig[0], vchSig.size())) {
|
|
return false;
|
|
}
|
|
return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, NULL, &sig));
|
|
}
|
|
|
|
/* static */ std::optional<CChainablePubKey> CChainablePubKey::FromParts(ChainCode chaincode, CPubKey pubkey) {
|
|
if (pubkey.IsCompressed()) {
|
|
return CChainablePubKey(chaincode, pubkey);
|
|
} else {
|
|
return std::nullopt;
|
|
}
|
|
}
|
|
|
|
/* static */ int ECCVerifyHandle::refcount = 0;
|
|
|
|
ECCVerifyHandle::ECCVerifyHandle()
|
|
{
|
|
if (refcount == 0) {
|
|
assert(secp256k1_context_verify == NULL);
|
|
secp256k1_context_verify = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
|
|
assert(secp256k1_context_verify != NULL);
|
|
}
|
|
refcount++;
|
|
}
|
|
|
|
ECCVerifyHandle::~ECCVerifyHandle()
|
|
{
|
|
refcount--;
|
|
if (refcount == 0) {
|
|
assert(secp256k1_context_verify != NULL);
|
|
secp256k1_context_destroy(secp256k1_context_verify);
|
|
secp256k1_context_verify = NULL;
|
|
}
|
|
}
|