2020-08-18 06:53:40 -07:00
|
|
|
|
package secp256k1
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"crypto/sha256"
|
|
|
|
|
"crypto/subtle"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io"
|
|
|
|
|
"math/big"
|
|
|
|
|
|
|
|
|
|
secp256k1 "github.com/btcsuite/btcd/btcec"
|
2020-10-28 03:24:41 -07:00
|
|
|
|
"github.com/tendermint/tendermint/crypto"
|
2020-09-23 10:04:26 -07:00
|
|
|
|
"golang.org/x/crypto/ripemd160" // nolint: staticcheck // necessary for Bitcoin address format
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
"github.com/cosmos/cosmos-sdk/codec"
|
|
|
|
|
cryptotypes "github.com/cosmos/cosmos-sdk/crypto/types"
|
2020-09-25 01:41:16 -07:00
|
|
|
|
"github.com/cosmos/cosmos-sdk/types/errors"
|
2020-08-18 06:53:40 -07:00
|
|
|
|
)
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
var _ cryptotypes.PrivKey = &PrivKey{}
|
|
|
|
|
var _ codec.AminoMarshaler = &PrivKey{}
|
2020-08-18 06:53:40 -07:00
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
PrivKeySize = 32
|
|
|
|
|
keyType = "secp256k1"
|
2020-08-28 09:02:38 -07:00
|
|
|
|
PrivKeyName = "tendermint/PrivKeySecp256k1"
|
|
|
|
|
PubKeyName = "tendermint/PubKeySecp256k1"
|
2020-08-18 06:53:40 -07:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Bytes returns the byte representation of the Private Key.
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func (privKey *PrivKey) Bytes() []byte {
|
|
|
|
|
return privKey.Key
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// PubKey performs the point-scalar multiplication from the privKey on the
|
|
|
|
|
// generator point to get the pubkey.
|
2020-11-09 08:01:43 -08:00
|
|
|
|
func (privKey *PrivKey) PubKey() cryptotypes.PubKey {
|
2020-09-16 04:08:55 -07:00
|
|
|
|
_, pubkeyObject := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey.Key)
|
|
|
|
|
pk := pubkeyObject.SerializeCompressed()
|
|
|
|
|
return &PubKey{Key: pk}
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Equals - you probably don't need to use this.
|
2020-09-16 04:08:55 -07:00
|
|
|
|
// Runs in constant time based on length of the
|
2020-11-09 08:01:43 -08:00
|
|
|
|
func (privKey *PrivKey) Equals(other cryptotypes.LedgerPrivKey) bool {
|
2020-09-16 04:08:55 -07:00
|
|
|
|
return privKey.Type() == other.Type() && subtle.ConstantTimeCompare(privKey.Bytes(), other.Bytes()) == 1
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func (privKey *PrivKey) Type() string {
|
2020-08-18 06:53:40 -07:00
|
|
|
|
return keyType
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
// MarshalAmino overrides Amino binary marshalling.
|
|
|
|
|
func (privKey PrivKey) MarshalAmino() ([]byte, error) {
|
|
|
|
|
return privKey.Key, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// UnmarshalAmino overrides Amino binary marshalling.
|
|
|
|
|
func (privKey *PrivKey) UnmarshalAmino(bz []byte) error {
|
2020-09-25 01:41:16 -07:00
|
|
|
|
if len(bz) != PrivKeySize {
|
|
|
|
|
return fmt.Errorf("invalid privkey size")
|
2020-09-16 04:08:55 -07:00
|
|
|
|
}
|
2020-09-25 01:41:16 -07:00
|
|
|
|
privKey.Key = bz
|
2020-09-16 04:08:55 -07:00
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MarshalAminoJSON overrides Amino JSON marshalling.
|
|
|
|
|
func (privKey PrivKey) MarshalAminoJSON() ([]byte, error) {
|
|
|
|
|
// When we marshal to Amino JSON, we don't marshal the "key" field itself,
|
|
|
|
|
// just its contents (i.e. the key bytes).
|
|
|
|
|
return privKey.MarshalAmino()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// UnmarshalAminoJSON overrides Amino JSON marshalling.
|
|
|
|
|
func (privKey *PrivKey) UnmarshalAminoJSON(bz []byte) error {
|
|
|
|
|
return privKey.UnmarshalAmino(bz)
|
|
|
|
|
}
|
|
|
|
|
|
2020-08-18 06:53:40 -07:00
|
|
|
|
// GenPrivKey generates a new ECDSA private key on curve secp256k1 private key.
|
|
|
|
|
// It uses OS randomness to generate the private key.
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func GenPrivKey() *PrivKey {
|
|
|
|
|
return &PrivKey{Key: genPrivKey(crypto.CReader())}
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// genPrivKey generates a new secp256k1 private key using the provided reader.
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func genPrivKey(rand io.Reader) []byte {
|
2020-08-18 06:53:40 -07:00
|
|
|
|
var privKeyBytes [PrivKeySize]byte
|
|
|
|
|
d := new(big.Int)
|
|
|
|
|
for {
|
|
|
|
|
privKeyBytes = [PrivKeySize]byte{}
|
|
|
|
|
_, err := io.ReadFull(rand, privKeyBytes[:])
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d.SetBytes(privKeyBytes[:])
|
|
|
|
|
// break if we found a valid point (i.e. > 0 and < N == curverOrder)
|
|
|
|
|
isValidFieldElement := 0 < d.Sign() && d.Cmp(secp256k1.S256().N) < 0
|
|
|
|
|
if isValidFieldElement {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
return privKeyBytes[:]
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var one = new(big.Int).SetInt64(1)
|
|
|
|
|
|
|
|
|
|
// GenPrivKeyFromSecret hashes the secret with SHA2, and uses
|
|
|
|
|
// that 32 byte output to create the private key.
|
|
|
|
|
//
|
|
|
|
|
// It makes sure the private key is a valid field element by setting:
|
|
|
|
|
//
|
|
|
|
|
// c = sha256(secret)
|
|
|
|
|
// k = (c mod (n − 1)) + 1, where n = curve order.
|
|
|
|
|
//
|
|
|
|
|
// NOTE: secret should be the output of a KDF like bcrypt,
|
|
|
|
|
// if it's derived from user input.
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func GenPrivKeyFromSecret(secret []byte) *PrivKey {
|
2020-08-18 06:53:40 -07:00
|
|
|
|
secHash := sha256.Sum256(secret)
|
|
|
|
|
// to guarantee that we have a valid field element, we use the approach of:
|
|
|
|
|
// "Suite B Implementer’s Guide to FIPS 186-3", A.2.1
|
|
|
|
|
// https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/suite-b-implementers-guide-to-fips-186-3-ecdsa.cfm
|
|
|
|
|
// see also https://github.com/golang/go/blob/0380c9ad38843d523d9c9804fe300cb7edd7cd3c/src/crypto/ecdsa/ecdsa.go#L89-L101
|
|
|
|
|
fe := new(big.Int).SetBytes(secHash[:])
|
|
|
|
|
n := new(big.Int).Sub(secp256k1.S256().N, one)
|
|
|
|
|
fe.Mod(fe, n)
|
|
|
|
|
fe.Add(fe, one)
|
|
|
|
|
|
|
|
|
|
feB := fe.Bytes()
|
|
|
|
|
privKey32 := make([]byte, PrivKeySize)
|
|
|
|
|
// copy feB over to fixed 32 byte privKey32 and pad (if necessary)
|
|
|
|
|
copy(privKey32[32-len(feB):32], feB)
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
return &PrivKey{Key: privKey32}
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//-------------------------------------
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
var _ cryptotypes.PubKey = &PubKey{}
|
|
|
|
|
var _ codec.AminoMarshaler = &PubKey{}
|
2020-08-18 06:53:40 -07:00
|
|
|
|
|
|
|
|
|
// PubKeySize is comprised of 32 bytes for one field element
|
|
|
|
|
// (the x-coordinate), plus one byte for the parity of the y-coordinate.
|
|
|
|
|
const PubKeySize = 33
|
|
|
|
|
|
|
|
|
|
// Address returns a Bitcoin style addresses: RIPEMD160(SHA256(pubkey))
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func (pubKey *PubKey) Address() crypto.Address {
|
|
|
|
|
if len(pubKey.Key) != PubKeySize {
|
2020-08-18 06:53:40 -07:00
|
|
|
|
panic("length of pubkey is incorrect")
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-15 07:32:51 -08:00
|
|
|
|
sha := sha256.Sum256(pubKey.Key)
|
2020-08-18 06:53:40 -07:00
|
|
|
|
hasherRIPEMD160 := ripemd160.New()
|
2021-02-15 07:32:51 -08:00
|
|
|
|
hasherRIPEMD160.Write(sha[:]) // does not error
|
2020-08-18 06:53:40 -07:00
|
|
|
|
return crypto.Address(hasherRIPEMD160.Sum(nil))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Bytes returns the pubkey byte format.
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func (pubKey *PubKey) Bytes() []byte {
|
|
|
|
|
return pubKey.Key
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func (pubKey *PubKey) String() string {
|
|
|
|
|
return fmt.Sprintf("PubKeySecp256k1{%X}", pubKey.Key)
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
|
|
|
|
|
2020-09-16 04:08:55 -07:00
|
|
|
|
func (pubKey *PubKey) Type() string {
|
2020-08-18 06:53:40 -07:00
|
|
|
|
return keyType
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 08:01:43 -08:00
|
|
|
|
func (pubKey *PubKey) Equals(other cryptotypes.PubKey) bool {
|
2020-09-16 04:08:55 -07:00
|
|
|
|
return pubKey.Type() == other.Type() && bytes.Equal(pubKey.Bytes(), other.Bytes())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MarshalAmino overrides Amino binary marshalling.
|
|
|
|
|
func (pubKey PubKey) MarshalAmino() ([]byte, error) {
|
|
|
|
|
return pubKey.Key, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// UnmarshalAmino overrides Amino binary marshalling.
|
|
|
|
|
func (pubKey *PubKey) UnmarshalAmino(bz []byte) error {
|
2020-09-25 01:41:16 -07:00
|
|
|
|
if len(bz) != PubKeySize {
|
|
|
|
|
return errors.Wrap(errors.ErrInvalidPubKey, "invalid pubkey size")
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|
2020-09-25 01:41:16 -07:00
|
|
|
|
pubKey.Key = bz
|
2020-09-16 04:08:55 -07:00
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MarshalAminoJSON overrides Amino JSON marshalling.
|
|
|
|
|
func (pubKey PubKey) MarshalAminoJSON() ([]byte, error) {
|
|
|
|
|
// When we marshal to Amino JSON, we don't marshal the "key" field itself,
|
|
|
|
|
// just its contents (i.e. the key bytes).
|
|
|
|
|
return pubKey.MarshalAmino()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// UnmarshalAminoJSON overrides Amino JSON marshalling.
|
|
|
|
|
func (pubKey *PubKey) UnmarshalAminoJSON(bz []byte) error {
|
|
|
|
|
return pubKey.UnmarshalAmino(bz)
|
2020-08-18 06:53:40 -07:00
|
|
|
|
}
|