Fabcoin Core  0.16.2
P2P Digital Currency
pubkey.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-2017 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <pubkey.h>
6 
7 #include <secp256k1.h>
8 #include <secp256k1_recovery.h>
9 
10 namespace
11 {
12 /* Global secp256k1_context object used for verification. */
13 secp256k1_context* secp256k1_context_verify = nullptr;
14 } // namespace
15 
26 static int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
27  size_t rpos, rlen, spos, slen;
28  size_t pos = 0;
29  size_t lenbyte;
30  unsigned char tmpsig[64] = {0};
31  int overflow = 0;
32 
33  /* Hack to initialize sig with a correctly-parsed but invalid signature. */
35 
36  /* Sequence tag byte */
37  if (pos == inputlen || input[pos] != 0x30) {
38  return 0;
39  }
40  pos++;
41 
42  /* Sequence length bytes */
43  if (pos == inputlen) {
44  return 0;
45  }
46  lenbyte = input[pos++];
47  if (lenbyte & 0x80) {
48  lenbyte -= 0x80;
49  if (pos + lenbyte > inputlen) {
50  return 0;
51  }
52  pos += lenbyte;
53  }
54 
55  /* Integer tag byte for R */
56  if (pos == inputlen || input[pos] != 0x02) {
57  return 0;
58  }
59  pos++;
60 
61  /* Integer length for R */
62  if (pos == inputlen) {
63  return 0;
64  }
65  lenbyte = input[pos++];
66  if (lenbyte & 0x80) {
67  lenbyte -= 0x80;
68  if (pos + lenbyte > inputlen) {
69  return 0;
70  }
71  while (lenbyte > 0 && input[pos] == 0) {
72  pos++;
73  lenbyte--;
74  }
75  if (lenbyte >= sizeof(size_t)) {
76  return 0;
77  }
78  rlen = 0;
79  while (lenbyte > 0) {
80  rlen = (rlen << 8) + input[pos];
81  pos++;
82  lenbyte--;
83  }
84  } else {
85  rlen = lenbyte;
86  }
87  if (rlen > inputlen - pos) {
88  return 0;
89  }
90  rpos = pos;
91  pos += rlen;
92 
93  /* Integer tag byte for S */
94  if (pos == inputlen || input[pos] != 0x02) {
95  return 0;
96  }
97  pos++;
98 
99  /* Integer length for S */
100  if (pos == inputlen) {
101  return 0;
102  }
103  lenbyte = input[pos++];
104  if (lenbyte & 0x80) {
105  lenbyte -= 0x80;
106  if (pos + lenbyte > inputlen) {
107  return 0;
108  }
109  while (lenbyte > 0 && input[pos] == 0) {
110  pos++;
111  lenbyte--;
112  }
113  if (lenbyte >= sizeof(size_t)) {
114  return 0;
115  }
116  slen = 0;
117  while (lenbyte > 0) {
118  slen = (slen << 8) + input[pos];
119  pos++;
120  lenbyte--;
121  }
122  } else {
123  slen = lenbyte;
124  }
125  if (slen > inputlen - pos) {
126  return 0;
127  }
128  spos = pos;
129  pos += slen;
130 
131  /* Ignore leading zeroes in R */
132  while (rlen > 0 && input[rpos] == 0) {
133  rlen--;
134  rpos++;
135  }
136  /* Copy R value */
137  if (rlen > 32) {
138  overflow = 1;
139  } else {
140  memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
141  }
142 
143  /* Ignore leading zeroes in S */
144  while (slen > 0 && input[spos] == 0) {
145  slen--;
146  spos++;
147  }
148  /* Copy S value */
149  if (slen > 32) {
150  overflow = 1;
151  } else {
152  memcpy(tmpsig + 64 - slen, input + spos, slen);
153  }
154 
155  if (!overflow) {
156  overflow = !secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
157  }
158  if (overflow) {
159  /* Overwrite the result again with a correctly-parsed but invalid
160  signature if parsing failed. */
161  memset(tmpsig, 0, 64);
162  secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
163  }
164  return 1;
165 }
166 
167 bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
168  if (!IsValid())
169  return false;
170  secp256k1_pubkey pubkey;
172  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
173  return false;
174  }
175  if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, vchSig.data(), vchSig.size())) {
176  return false;
177  }
178  /* libsecp256k1's ECDSA verification requires lower-S signatures, which have
179  * not historically been enforced in Fabcoin, so normalize them first. */
180  secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, &sig, &sig);
181  return secp256k1_ecdsa_verify(secp256k1_context_verify, &sig, hash.begin(), &pubkey);
182 }
183 
184 bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
185  if (vchSig.size() != 65)
186  return false;
187  int recid = (vchSig[0] - 27) & 3;
188  bool fComp = ((vchSig[0] - 27) & 4) != 0;
189  secp256k1_pubkey pubkey;
191  if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_verify, &sig, &vchSig[1], recid)) {
192  return false;
193  }
194  if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig, hash.begin())) {
195  return false;
196  }
197  unsigned char pub[65];
198  size_t publen = 65;
199  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
200  Set(pub, pub + publen);
201  return true;
202 }
203 
204 bool CPubKey::IsFullyValid() const {
205  if (!IsValid())
206  return false;
207  secp256k1_pubkey pubkey;
208  return secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size());
209 }
210 
212  if (!IsValid())
213  return false;
214  secp256k1_pubkey pubkey;
215  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
216  return false;
217  }
218  unsigned char pub[65];
219  size_t publen = 65;
220  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
221  Set(pub, pub + publen);
222  return true;
223 }
224 
225 bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
226  assert(IsValid());
227  assert((nChild >> 31) == 0);
228  assert(begin() + 33 == end());
229  unsigned char out[64];
230  BIP32Hash(cc, nChild, *begin(), begin()+1, out);
231  memcpy(ccChild.begin(), out+32, 32);
232  secp256k1_pubkey pubkey;
233  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
234  return false;
235  }
236  if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey, out)) {
237  return false;
238  }
239  unsigned char pub[33];
240  size_t publen = 33;
241  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
242  pubkeyChild.Set(pub, pub + publen);
243  return true;
244 }
245 
246 void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
247  code[0] = nDepth;
248  memcpy(code+1, vchFingerprint, 4);
249  code[5] = (nChild >> 24) & 0xFF; code[6] = (nChild >> 16) & 0xFF;
250  code[7] = (nChild >> 8) & 0xFF; code[8] = (nChild >> 0) & 0xFF;
251  memcpy(code+9, chaincode.begin(), 32);
252  assert(pubkey.size() == 33);
253  memcpy(code+41, pubkey.begin(), 33);
254 }
255 
256 void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
257  nDepth = code[0];
258  memcpy(vchFingerprint, code+1, 4);
259  nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8];
260  memcpy(chaincode.begin(), code+9, 32);
261  pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE);
262 }
263 
264 bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
265  out.nDepth = nDepth + 1;
266  CKeyID id = pubkey.GetID();
267  memcpy(&out.vchFingerprint[0], &id, 4);
268  out.nChild = _nChild;
269  return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);
270 }
271 
272 /* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
274  if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, vchSig.data(), vchSig.size())) {
275  return false;
276  }
277  return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, nullptr, &sig));
278 }
279 
280 /* static */ int ECCVerifyHandle::refcount = 0;
281 
283 {
284  if (refcount == 0) {
285  assert(secp256k1_context_verify == nullptr);
286  secp256k1_context_verify = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
287  assert(secp256k1_context_verify != nullptr);
288  }
289  refcount++;
290 }
291 
293 {
294  refcount--;
295  if (refcount == 0) {
296  assert(secp256k1_context_verify != nullptr);
297  secp256k1_context_destroy(secp256k1_context_verify);
298  secp256k1_context_verify = nullptr;
299  }
300 }
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:477
unsigned char vchFingerprint[4]
Definition: pubkey.h:199
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:274
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:246
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
unsigned char data[64]
Definition: secp256k1.h:67
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:97
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:74
static int refcount
Definition: pubkey.h:247
unsigned char nDepth
Definition: pubkey.h:198
static bool CheckLowS(const std::vector< unsigned char > &vchSig)
Check whether a signature is normalized (lower-S).
Definition: pubkey.cpp:272
assert(len-trim+(2 *lenIndices)<=WIDTH)
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:165
ChainCode chaincode
Definition: pubkey.h:201
bytes code
Definition: SmartVM.cpp:45
unsigned char * begin()
Definition: uint256.h:65
unsigned int nChild
Definition: pubkey.h:200
bool Derive(CExtPubKey &out, unsigned int nChild) const
Definition: pubkey.cpp:264
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object.
Definition: secp256k1.c:92
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:160
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export.
Definition: secp256k1.h:159
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:256
bool RecoverCompact(const uint256 &hash, const std::vector< unsigned char > &vchSig)
Recover a public key from a compact signature.
Definition: pubkey.cpp:184
void BIP32Hash(const ChainCode &chainCode, unsigned int nChild, unsigned char header, const unsigned char data[32], unsigned char output[64])
Definition: hash.cpp:72
An encapsulated public key.
Definition: pubkey.h:39
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:150
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:66
const unsigned char * begin() const
Definition: pubkey.h:98
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create.
Definition: secp256k1.h:154
256-bit opaque blob.
Definition: uint256.h:132
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msg32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:170
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:228
void * memcpy(void *a, const void *b, size_t c)
const unsigned int BIP32_EXTKEY_SIZE
secp256k1: const unsigned int PRIVATE_KEY_SIZE = 279; const unsigned int PUBLIC_KEY_SIZE = 65; const ...
Definition: pubkey.h:26
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:29
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid()) ...
Definition: pubkey.cpp:204
bool IsValid() const
Definition: pubkey.h:162
CPubKey pubkey
Definition: pubkey.h:202
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:225
bool Verify(const uint256 &hash, const std::vector< unsigned char > &vchSig) const
Verify a DER signature (~72 bytes).
Definition: pubkey.cpp:167
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object.
Definition: secp256k1.c:58
const unsigned char * end() const
Definition: pubkey.h:99
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:211
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:53
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:293