// Copyright 2014 The go-ethereum Authors // This file is part of the go-ethereum library. // // The go-ethereum library is free software: you can redistribute it and/or modify // it under the terms of the GNU Lesser General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // The go-ethereum library is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public License // along with the go-ethereum library. If not, see . package crypto import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/sha256" "fmt" "io" "io/ioutil" "math/big" "os" "encoding/hex" "errors" "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/crypto/ecies" "github.com/ethereum/go-ethereum/crypto/secp256k1" "github.com/ethereum/go-ethereum/crypto/sha3" "github.com/ethereum/go-ethereum/rlp" "golang.org/x/crypto/ripemd160" ) func Keccak256(data ...[]byte) []byte { d := sha3.NewKeccak256() for _, b := range data { d.Write(b) } return d.Sum(nil) } func Keccak256Hash(data ...[]byte) (h common.Hash) { d := sha3.NewKeccak256() for _, b := range data { d.Write(b) } d.Sum(h[:0]) return h } // Deprecated: For backward compatibility as other packages depend on these func Sha3(data ...[]byte) []byte { return Keccak256(data...) } func Sha3Hash(data ...[]byte) common.Hash { return Keccak256Hash(data...) } // Creates an ethereum address given the bytes and the nonce func CreateAddress(b common.Address, nonce uint64) common.Address { data, _ := rlp.EncodeToBytes([]interface{}{b, nonce}) return common.BytesToAddress(Keccak256(data)[12:]) } func Sha256(data []byte) []byte { hash := sha256.Sum256(data) return hash[:] } func Ripemd160(data []byte) []byte { ripemd := ripemd160.New() ripemd.Write(data) return ripemd.Sum(nil) } // Ecrecover returns the public key for the private key that was used to // calculate the signature. // // Note: secp256k1 expects the recover id to be either 0, 1. Ethereum // signatures have a recover id with an offset of 27. Callers must take // this into account and if "recovering" from an Ethereum signature adjust. func Ecrecover(hash, sig []byte) ([]byte, error) { return secp256k1.RecoverPubkey(hash, sig) } // New methods using proper ecdsa keys from the stdlib func ToECDSA(prv []byte) *ecdsa.PrivateKey { if len(prv) == 0 { return nil } priv := new(ecdsa.PrivateKey) priv.PublicKey.Curve = secp256k1.S256() priv.D = common.BigD(prv) priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(prv) return priv } func FromECDSA(prv *ecdsa.PrivateKey) []byte { if prv == nil { return nil } return prv.D.Bytes() } func ToECDSAPub(pub []byte) *ecdsa.PublicKey { if len(pub) == 0 { return nil } x, y := elliptic.Unmarshal(secp256k1.S256(), pub) return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y} } func FromECDSAPub(pub *ecdsa.PublicKey) []byte { if pub == nil || pub.X == nil || pub.Y == nil { return nil } return elliptic.Marshal(secp256k1.S256(), pub.X, pub.Y) } // HexToECDSA parses a secp256k1 private key. func HexToECDSA(hexkey string) (*ecdsa.PrivateKey, error) { b, err := hex.DecodeString(hexkey) if err != nil { return nil, errors.New("invalid hex string") } if len(b) != 32 { return nil, errors.New("invalid length, need 256 bits") } return ToECDSA(b), nil } // LoadECDSA loads a secp256k1 private key from the given file. // The key data is expected to be hex-encoded. func LoadECDSA(file string) (*ecdsa.PrivateKey, error) { buf := make([]byte, 64) fd, err := os.Open(file) if err != nil { return nil, err } defer fd.Close() if _, err := io.ReadFull(fd, buf); err != nil { return nil, err } key, err := hex.DecodeString(string(buf)) if err != nil { return nil, err } return ToECDSA(key), nil } // SaveECDSA saves a secp256k1 private key to the given file with // restrictive permissions. The key data is saved hex-encoded. func SaveECDSA(file string, key *ecdsa.PrivateKey) error { k := hex.EncodeToString(FromECDSA(key)) return ioutil.WriteFile(file, []byte(k), 0600) } func GenerateKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(secp256k1.S256(), rand.Reader) } func ValidateSignatureValues(v byte, r, s *big.Int, homestead bool) bool { if r.Cmp(common.Big1) < 0 || s.Cmp(common.Big1) < 0 { return false } vint := uint32(v) // reject upper range of s values (ECDSA malleability) // see discussion in secp256k1/libsecp256k1/include/secp256k1.h if homestead && s.Cmp(secp256k1.HalfN) > 0 { return false } // Frontier: allow s to be in full N range if s.Cmp(secp256k1.N) >= 0 { return false } if r.Cmp(secp256k1.N) < 0 && (vint == 27 || vint == 28) { return true } else { return false } } func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) { s, err := Ecrecover(hash, sig) if err != nil { return nil, err } x, y := elliptic.Unmarshal(secp256k1.S256(), s) return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y}, nil } // Sign calculates an ECDSA signature. // This function is susceptible to choosen plaintext attacks that can leak // information about the private key that is used for signing. Callers must // be aware that the given hash cannot be choosen by an adversery. Common // solution is to hash any input before calculating the signature. // // Note: the calculated signature is not Ethereum compliant. The yellow paper // dictates Ethereum singature to have a V value with and offset of 27 v in [27,28]. // Use SignEthereum to get an Ethereum compliant signature. func Sign(data []byte, prv *ecdsa.PrivateKey) (sig []byte, err error) { if len(data) != 32 { return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(data)) } seckey := common.LeftPadBytes(prv.D.Bytes(), prv.Params().BitSize/8) defer zeroBytes(seckey) sig, err = secp256k1.Sign(data, seckey) return } // SignEthereum calculates an Ethereum ECDSA signature. // This function is susceptible to choosen plaintext attacks that can leak // information about the private key that is used for signing. Callers must // be aware that the given hash cannot be freely choosen by an adversery. // Common solution is to hash the message before calculating the signature. func SignEthereum(data []byte, prv *ecdsa.PrivateKey) ([]byte, error) { sig, err := Sign(data, prv) if err != nil { return nil, err } sig[64] += 27 // as described in the yellow paper return sig, err } func Encrypt(pub *ecdsa.PublicKey, message []byte) ([]byte, error) { return ecies.Encrypt(rand.Reader, ecies.ImportECDSAPublic(pub), message, nil, nil) } func Decrypt(prv *ecdsa.PrivateKey, ct []byte) ([]byte, error) { key := ecies.ImportECDSA(prv) return key.Decrypt(rand.Reader, ct, nil, nil) } func PubkeyToAddress(p ecdsa.PublicKey) common.Address { pubBytes := FromECDSAPub(&p) return common.BytesToAddress(Keccak256(pubBytes[1:])[12:]) } func zeroBytes(bytes []byte) { for i := range bytes { bytes[i] = 0 } }