Bitcoin ABC 0.31.8
P2P Digital Currency
pubkey.cpp
Go to the documentation of this file.
1// Copyright (c) 2009-2016 The Bitcoin Core developers
2// Copyright (c) 2017 The Zcash developers
3// Distributed under the MIT software license, see the accompanying
4// file COPYING or http://www.opensource.org/licenses/mit-license.php.
5
6#include <pubkey.h>
7
8#include <secp256k1.h>
9#include <secp256k1_recovery.h>
10#include <secp256k1_schnorr.h>
11
12namespace {
13/* Global secp256k1_context object used for verification. */
14secp256k1_context *secp256k1_context_verify = nullptr;
15} // namespace
16
28int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx,
29 secp256k1_ecdsa_signature *sig,
30 const uint8_t *input, size_t inputlen) {
31 size_t rpos, rlen, spos, slen;
32 size_t pos = 0;
33 size_t lenbyte;
34 uint8_t tmpsig[64] = {0};
35 int overflow = 0;
36
37 /* Hack to initialize sig with a correctly-parsed but invalid signature. */
38 secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
39
40 /* Sequence tag byte */
41 if (pos == inputlen || input[pos] != 0x30) {
42 return 0;
43 }
44 pos++;
45
46 /* Sequence length bytes */
47 if (pos == inputlen) {
48 return 0;
49 }
50 lenbyte = input[pos++];
51 if (lenbyte & 0x80) {
52 lenbyte -= 0x80;
53 if (lenbyte > inputlen - pos) {
54 return 0;
55 }
56 pos += lenbyte;
57 }
58
59 /* Integer tag byte for R */
60 if (pos == inputlen || input[pos] != 0x02) {
61 return 0;
62 }
63 pos++;
64
65 /* Integer length for R */
66 if (pos == inputlen) {
67 return 0;
68 }
69 lenbyte = input[pos++];
70 if (lenbyte & 0x80) {
71 lenbyte -= 0x80;
72 if (lenbyte > inputlen - pos) {
73 return 0;
74 }
75 while (lenbyte > 0 && input[pos] == 0) {
76 pos++;
77 lenbyte--;
78 }
79 static_assert(sizeof(size_t) >= 4, "size_t too small");
80 if (lenbyte >= 4) {
81 return 0;
82 }
83 rlen = 0;
84 while (lenbyte > 0) {
85 rlen = (rlen << 8) + input[pos];
86 pos++;
87 lenbyte--;
88 }
89 } else {
90 rlen = lenbyte;
91 }
92 if (rlen > inputlen - pos) {
93 return 0;
94 }
95 rpos = pos;
96 pos += rlen;
97
98 /* Integer tag byte for S */
99 if (pos == inputlen || input[pos] != 0x02) {
100 return 0;
101 }
102 pos++;
103
104 /* Integer length for S */
105 if (pos == inputlen) {
106 return 0;
107 }
108 lenbyte = input[pos++];
109 if (lenbyte & 0x80) {
110 lenbyte -= 0x80;
111 if (lenbyte > inputlen - pos) {
112 return 0;
113 }
114 while (lenbyte > 0 && input[pos] == 0) {
115 pos++;
116 lenbyte--;
117 }
118 static_assert(sizeof(size_t) >= 4, "size_t too small");
119 if (lenbyte >= 4) {
120 return 0;
121 }
122 slen = 0;
123 while (lenbyte > 0) {
124 slen = (slen << 8) + input[pos];
125 pos++;
126 lenbyte--;
127 }
128 } else {
129 slen = lenbyte;
130 }
131 if (slen > inputlen - pos) {
132 return 0;
133 }
134 spos = pos;
135
136 /* Ignore leading zeroes in R */
137 while (rlen > 0 && input[rpos] == 0) {
138 rlen--;
139 rpos++;
140 }
141 /* Copy R value */
142 if (rlen > 32) {
143 overflow = 1;
144 } else {
145 memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
146 }
147
148 /* Ignore leading zeroes in S */
149 while (slen > 0 && input[spos] == 0) {
150 slen--;
151 spos++;
152 }
153 /* Copy S value */
154 if (slen > 32) {
155 overflow = 1;
156 } else {
157 memcpy(tmpsig + 64 - slen, input + spos, slen);
158 }
159
160 if (!overflow) {
161 overflow = !secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
162 }
163 if (overflow) {
164 /* Overwrite the result again with a correctly-parsed but invalid
165 signature if parsing failed. */
166 memset(tmpsig, 0, 64);
167 secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
168 }
169 return 1;
170}
171
172bool CPubKey::VerifyECDSA(const uint256 &hash,
173 const std::vector<uint8_t> &vchSig) const {
174 if (!IsValid()) {
175 return false;
176 }
177
178 secp256k1_pubkey pubkey;
179 secp256k1_ecdsa_signature sig;
180 assert(secp256k1_context_verify &&
181 "secp256k1_context_verify must be initialized to use CPubKey.");
182 if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch,
183 size())) {
184 return false;
185 }
186 if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig,
187 vchSig.data(), vchSig.size())) {
188 return false;
189 }
194 secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, &sig, &sig);
195 return secp256k1_ecdsa_verify(secp256k1_context_verify, &sig, hash.begin(),
196 &pubkey);
197}
198
199bool CPubKey::VerifySchnorr(
200 const uint256 &hash, const std::array<uint8_t, SCHNORR_SIZE> &sig) const {
201 if (!IsValid()) {
202 return false;
203 }
204
205 secp256k1_pubkey pubkey;
206 if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey,
207 &(*this)[0], size())) {
208 return false;
209 }
210
211 return secp256k1_schnorr_verify(secp256k1_context_verify, sig.data(),
212 hash.begin(), &pubkey);
213}
214
215bool CPubKey::VerifySchnorr(const uint256 &hash,
216 const std::vector<uint8_t> &vchSig) const {
217 if (vchSig.size() != SCHNORR_SIZE) {
218 return false;
219 }
220
221 std::array<uint8_t, SCHNORR_SIZE> sig;
222 std::copy(vchSig.begin(), vchSig.end(), sig.begin());
223
224 return VerifySchnorr(hash, sig);
225}
226
227bool CPubKey::RecoverCompact(const uint256 &hash,
228 const std::vector<uint8_t> &vchSig) {
229 if (vchSig.size() != COMPACT_SIGNATURE_SIZE) {
230 return false;
231 }
232
233 int recid = (vchSig[0] - 27) & 3;
234 bool fComp = ((vchSig[0] - 27) & 4) != 0;
235 secp256k1_pubkey pubkey;
236 secp256k1_ecdsa_recoverable_signature sig;
237 assert(secp256k1_context_verify &&
238 "secp256k1_context_verify must be initialized to use CPubKey.");
239 if (!secp256k1_ecdsa_recoverable_signature_parse_compact(
240 secp256k1_context_verify, &sig, &vchSig[1], recid)) {
241 return false;
242 }
243 if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig,
244 hash.begin())) {
245 return false;
246 }
247 uint8_t pub[SIZE];
248 size_t publen = SIZE;
249 secp256k1_ec_pubkey_serialize(
250 secp256k1_context_verify, pub, &publen, &pubkey,
251 fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
252 Set(pub, pub + publen);
253 return true;
254}
255
256bool CPubKey::IsFullyValid() const {
257 if (!IsValid()) {
258 return false;
259 }
260 secp256k1_pubkey pubkey;
261 assert(secp256k1_context_verify &&
262 "secp256k1_context_verify must be initialized to use CPubKey.");
263 return secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch,
264 size());
265}
266
267bool CPubKey::Decompress() {
268 if (!IsValid()) {
269 return false;
270 }
271 secp256k1_pubkey pubkey;
272 assert(secp256k1_context_verify &&
273 "secp256k1_context_verify must be initialized to use CPubKey.");
274 if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch,
275 size())) {
276 return false;
277 }
278 uint8_t pub[SIZE];
279 size_t publen = SIZE;
280 secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen,
281 &pubkey, SECP256K1_EC_UNCOMPRESSED);
282 Set(pub, pub + publen);
283 return true;
284}
285
286bool CPubKey::Derive(CPubKey &pubkeyChild, ChainCode &ccChild,
287 unsigned int nChild, const ChainCode &cc) const {
288 assert(IsValid());
289 assert((nChild >> 31) == 0);
290 assert(size() == COMPRESSED_SIZE);
291 uint8_t out[64];
292 BIP32Hash(cc, nChild, *begin(), begin() + 1, out);
293 memcpy(ccChild.begin(), out + 32, 32);
294 secp256k1_pubkey pubkey;
295 assert(secp256k1_context_verify &&
296 "secp256k1_context_verify must be initialized to use CPubKey.");
297 if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch,
298 size())) {
299 return false;
300 }
301 if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey,
302 out)) {
303 return false;
304 }
305 uint8_t pub[COMPRESSED_SIZE];
306 size_t publen = COMPRESSED_SIZE;
307 secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen,
308 &pubkey, SECP256K1_EC_COMPRESSED);
309 pubkeyChild.Set(pub, pub + publen);
310 return true;
311}
312
313void CExtPubKey::Encode(uint8_t code[BIP32_EXTKEY_SIZE]) const {
314 code[0] = nDepth;
315 memcpy(code + 1, vchFingerprint, 4);
316 code[5] = (nChild >> 24) & 0xFF;
317 code[6] = (nChild >> 16) & 0xFF;
318 code[7] = (nChild >> 8) & 0xFF;
319 code[8] = (nChild >> 0) & 0xFF;
320 memcpy(code + 9, chaincode.begin(), 32);
321 assert(pubkey.size() == CPubKey::COMPRESSED_SIZE);
322 memcpy(code + 41, pubkey.begin(), CPubKey::COMPRESSED_SIZE);
323}
324
325void CExtPubKey::Decode(const uint8_t code[BIP32_EXTKEY_SIZE]) {
326 nDepth = code[0];
327 memcpy(vchFingerprint, code + 1, 4);
328 nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8];
329 memcpy(chaincode.begin(), code + 9, 32);
330 pubkey.Set(code + 41, code + BIP32_EXTKEY_SIZE);
331}
332
333bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
334 out.nDepth = nDepth + 1;
335 CKeyID id = pubkey.GetID();
336 memcpy(out.vchFingerprint, &id, 4);
337 out.nChild = _nChild;
338 return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);
339}
340
341bool CPubKey::CheckLowS(
342 const boost::sliced_range<const std::vector<uint8_t>> &vchSig) {
343 secp256k1_ecdsa_signature sig;
344 assert(secp256k1_context_verify &&
345 "secp256k1_context_verify must be initialized to use CPubKey.");
346 if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig,
347 &vchSig.front(), vchSig.size())) {
348 return false;
349 }
350 return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify,
351 nullptr, &sig));
352}
353
354/* static */ int ECCVerifyHandle::refcount = 0;
355
356ECCVerifyHandle::ECCVerifyHandle() {
357 if (refcount == 0) {
358 assert(secp256k1_context_verify == nullptr);
359 secp256k1_context_verify =
360 secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
361 assert(secp256k1_context_verify != nullptr);
362 }
363 refcount++;
364}
365
366ECCVerifyHandle::~ECCVerifyHandle() {
367 refcount--;
368 if (refcount == 0) {
369 assert(secp256k1_context_verify != nullptr);
370 secp256k1_context_destroy(secp256k1_context_verify);
371 secp256k1_context_verify = nullptr;
372 }
373}
ctx
secp256k1_context * ctx
Definition: bench_multiset.c:12
CKeyID
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:22
CPubKey
An encapsulated public key.
Definition: pubkey.h:31
CPubKey::GetID
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:137
CPubKey::SCHNORR_SIZE
static constexpr unsigned int SCHNORR_SIZE
Definition: pubkey.h:38
CPubKey::COMPRESSED_SIZE
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:37
CPubKey::vch
uint8_t vch[SIZE]
see www.keylength.com script supports up to 75 for single byte push
Definition: pubkey.h:53
CPubKey::VerifySchnorr
bool VerifySchnorr(const uint256 &hash, const std::array< uint8_t, SCHNORR_SIZE > &sig) const
Verify a Schnorr signature (=64 bytes).
Definition: pubkey.cpp:199
CPubKey::VerifyECDSA
bool VerifyECDSA(const uint256 &hash, const std::vector< uint8_t > &vchSig) const
Verify a DER-serialized ECDSA signature (~72 bytes).
Definition: pubkey.cpp:172
CPubKey::IsValid
bool IsValid() const
Definition: pubkey.h:147
CPubKey::Decompress
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:267
CPubKey::SIZE
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:36
CPubKey::IsFullyValid
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid())
Definition: pubkey.cpp:256
CPubKey::size
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:98
CPubKey::RecoverCompact
bool RecoverCompact(const uint256 &hash, const std::vector< uint8_t > &vchSig)
Recover a public key from a compact ECDSA signature.
Definition: pubkey.cpp:227
CPubKey::begin
const uint8_t * begin() const
Definition: pubkey.h:100
CPubKey::CheckLowS
static bool CheckLowS(const boost::sliced_range< const std::vector< uint8_t > > &vchSig)
Check whether a DER-serialized ECDSA signature is normalized (lower-S).
Definition: pubkey.cpp:341
CPubKey::Derive
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:286
CPubKey::COMPACT_SIGNATURE_SIZE
static constexpr unsigned int COMPACT_SIGNATURE_SIZE
Definition: pubkey.h:40
CPubKey::Set
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:78
ECCVerifyHandle::refcount
static int refcount
Definition: pubkey.h:224
base_blob::begin
uint8_t * begin()
Definition: uint256.h:85
uint256
256-bit opaque blob.
Definition: uint256.h:129
BIP32Hash
void BIP32Hash(const ChainCode &chainCode, uint32_t nChild, uint8_t header, const uint8_t data[32], uint8_t output[64])
Definition: hash.cpp:72
sig
SchnorrSig sig
Definition: processor.cpp:521
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:28
BIP32_EXTKEY_SIZE
const unsigned int BIP32_EXTKEY_SIZE
Definition: pubkey.h:19
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:385
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:296
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:278
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:179
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:431
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:690
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:180
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:173
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
secp256k1_recovery.h
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:138
secp256k1_schnorr.h
secp256k1_schnorr_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorr_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify a signature created by secp256k1_schnorr_sign.
Definition: main_impl.h:13
CExtPubKey::Encode
void Encode(uint8_t code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:313
CExtPubKey::nDepth
uint8_t nDepth
Definition: pubkey.h:194
CExtPubKey::chaincode
ChainCode chaincode
Definition: pubkey.h:197
CExtPubKey::Derive
bool Derive(CExtPubKey &out, unsigned int nChild) const
Definition: pubkey.cpp:333
CExtPubKey::vchFingerprint
uint8_t vchFingerprint[4]
Definition: pubkey.h:195
CExtPubKey::Decode
void Decode(const uint8_t code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:325
CExtPubKey::pubkey
CPubKey pubkey
Definition: pubkey.h:198
CExtPubKey::nChild
unsigned int nChild
Definition: pubkey.h:196
secp256k1_context_struct
Definition: secp256k1.c:69
secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
assert
assert(!tx.IsCoinBase())
Generated on Mon Jul 14 2025 14:14:41 for Bitcoin ABC by doxygen 1.9.4