github.1485827954.workers.dev/ethereum/go-ethereum@v1.14.3/crypto/signature_nocgo.go (about)

     1  // Copyright 2017 The go-ethereum Authors
     2  // This file is part of the go-ethereum library.
     3  //
     4  // The go-ethereum library is free software: you can redistribute it and/or modify
     5  // it under the terms of the GNU Lesser General Public License as published by
     6  // the Free Software Foundation, either version 3 of the License, or
     7  // (at your option) any later version.
     8  //
     9  // The go-ethereum library is distributed in the hope that it will be useful,
    10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    12  // GNU Lesser General Public License for more details.
    13  //
    14  // You should have received a copy of the GNU Lesser General Public License
    15  // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
    16  
    17  //go:build nacl || js || !cgo || gofuzz
    18  // +build nacl js !cgo gofuzz
    19  
    20  package crypto
    21  
    22  import (
    23  	"crypto/ecdsa"
    24  	"errors"
    25  	"fmt"
    26  	"math/big"
    27  
    28  	"github.com/btcsuite/btcd/btcec/v2"
    29  	btc_ecdsa "github.com/btcsuite/btcd/btcec/v2/ecdsa"
    30  )
    31  
    32  // Ecrecover returns the uncompressed public key that created the given signature.
    33  func Ecrecover(hash, sig []byte) ([]byte, error) {
    34  	pub, err := sigToPub(hash, sig)
    35  	if err != nil {
    36  		return nil, err
    37  	}
    38  	bytes := pub.SerializeUncompressed()
    39  	return bytes, err
    40  }
    41  
    42  func sigToPub(hash, sig []byte) (*btcec.PublicKey, error) {
    43  	if len(sig) != SignatureLength {
    44  		return nil, errors.New("invalid signature")
    45  	}
    46  	// Convert to btcec input format with 'recovery id' v at the beginning.
    47  	btcsig := make([]byte, SignatureLength)
    48  	btcsig[0] = sig[RecoveryIDOffset] + 27
    49  	copy(btcsig[1:], sig)
    50  
    51  	pub, _, err := btc_ecdsa.RecoverCompact(btcsig, hash)
    52  	return pub, err
    53  }
    54  
    55  // SigToPub returns the public key that created the given signature.
    56  func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) {
    57  	pub, err := sigToPub(hash, sig)
    58  	if err != nil {
    59  		return nil, err
    60  	}
    61  	// We need to explicitly set the curve here, because we're wrapping
    62  	// the original curve to add (un-)marshalling
    63  	return &ecdsa.PublicKey{
    64  		Curve: S256(),
    65  		X:     pub.X(),
    66  		Y:     pub.Y(),
    67  	}, nil
    68  }
    69  
    70  // Sign calculates an ECDSA signature.
    71  //
    72  // This function is susceptible to chosen plaintext attacks that can leak
    73  // information about the private key that is used for signing. Callers must
    74  // be aware that the given hash cannot be chosen by an adversary. Common
    75  // solution is to hash any input before calculating the signature.
    76  //
    77  // The produced signature is in the [R || S || V] format where V is 0 or 1.
    78  func Sign(hash []byte, prv *ecdsa.PrivateKey) ([]byte, error) {
    79  	if len(hash) != 32 {
    80  		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash))
    81  	}
    82  	if prv.Curve != S256() {
    83  		return nil, errors.New("private key curve is not secp256k1")
    84  	}
    85  	// ecdsa.PrivateKey -> btcec.PrivateKey
    86  	var priv btcec.PrivateKey
    87  	if overflow := priv.Key.SetByteSlice(prv.D.Bytes()); overflow || priv.Key.IsZero() {
    88  		return nil, errors.New("invalid private key")
    89  	}
    90  	defer priv.Zero()
    91  	sig, err := btc_ecdsa.SignCompact(&priv, hash, false) // ref uncompressed pubkey
    92  	if err != nil {
    93  		return nil, err
    94  	}
    95  	// Convert to Ethereum signature format with 'recovery id' v at the end.
    96  	v := sig[0] - 27
    97  	copy(sig, sig[1:])
    98  	sig[RecoveryIDOffset] = v
    99  	return sig, nil
   100  }
   101  
   102  // VerifySignature checks that the given public key created signature over hash.
   103  // The public key should be in compressed (33 bytes) or uncompressed (65 bytes) format.
   104  // The signature should have the 64 byte [R || S] format.
   105  func VerifySignature(pubkey, hash, signature []byte) bool {
   106  	if len(signature) != 64 {
   107  		return false
   108  	}
   109  	var r, s btcec.ModNScalar
   110  	if r.SetByteSlice(signature[:32]) {
   111  		return false // overflow
   112  	}
   113  	if s.SetByteSlice(signature[32:]) {
   114  		return false
   115  	}
   116  	sig := btc_ecdsa.NewSignature(&r, &s)
   117  	key, err := btcec.ParsePubKey(pubkey)
   118  	if err != nil {
   119  		return false
   120  	}
   121  	// Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.
   122  	if s.IsOverHalfOrder() {
   123  		return false
   124  	}
   125  	return sig.Verify(hash, key)
   126  }
   127  
   128  // DecompressPubkey parses a public key in the 33-byte compressed format.
   129  func DecompressPubkey(pubkey []byte) (*ecdsa.PublicKey, error) {
   130  	if len(pubkey) != 33 {
   131  		return nil, errors.New("invalid compressed public key length")
   132  	}
   133  	key, err := btcec.ParsePubKey(pubkey)
   134  	if err != nil {
   135  		return nil, err
   136  	}
   137  	// We need to explicitly set the curve here, because we're wrapping
   138  	// the original curve to add (un-)marshalling
   139  	return &ecdsa.PublicKey{
   140  		Curve: S256(),
   141  		X:     key.X(),
   142  		Y:     key.Y(),
   143  	}, nil
   144  }
   145  
   146  // CompressPubkey encodes a public key to the 33-byte compressed format. The
   147  // provided PublicKey must be valid. Namely, the coordinates must not be larger
   148  // than 32 bytes each, they must be less than the field prime, and it must be a
   149  // point on the secp256k1 curve. This is the case for a PublicKey constructed by
   150  // elliptic.Unmarshal (see UnmarshalPubkey), or by ToECDSA and ecdsa.GenerateKey
   151  // when constructing a PrivateKey.
   152  func CompressPubkey(pubkey *ecdsa.PublicKey) []byte {
   153  	// NOTE: the coordinates may be validated with
   154  	// btcec.ParsePubKey(FromECDSAPub(pubkey))
   155  	var x, y btcec.FieldVal
   156  	x.SetByteSlice(pubkey.X.Bytes())
   157  	y.SetByteSlice(pubkey.Y.Bytes())
   158  	return btcec.NewPublicKey(&x, &y).SerializeCompressed()
   159  }
   160  
   161  // S256 returns an instance of the secp256k1 curve.
   162  func S256() EllipticCurve {
   163  	return btCurve{btcec.S256()}
   164  }
   165  
   166  type btCurve struct {
   167  	*btcec.KoblitzCurve
   168  }
   169  
   170  // Marshal converts a point given as (x, y) into a byte slice.
   171  func (curve btCurve) Marshal(x, y *big.Int) []byte {
   172  	byteLen := (curve.Params().BitSize + 7) / 8
   173  
   174  	ret := make([]byte, 1+2*byteLen)
   175  	ret[0] = 4 // uncompressed point
   176  
   177  	x.FillBytes(ret[1 : 1+byteLen])
   178  	y.FillBytes(ret[1+byteLen : 1+2*byteLen])
   179  
   180  	return ret
   181  }
   182  
   183  // Unmarshal converts a point, serialised by Marshal, into an x, y pair. On
   184  // error, x = nil.
   185  func (curve btCurve) Unmarshal(data []byte) (x, y *big.Int) {
   186  	byteLen := (curve.Params().BitSize + 7) / 8
   187  	if len(data) != 1+2*byteLen {
   188  		return nil, nil
   189  	}
   190  	if data[0] != 4 { // uncompressed form
   191  		return nil, nil
   192  	}
   193  	x = new(big.Int).SetBytes(data[1 : 1+byteLen])
   194  	y = new(big.Int).SetBytes(data[1+byteLen:])
   195  	return
   196  }