github.com/amazechain/amc@v0.1.3/common/transaction/transaction_signing.go (about) 1 // Copyright 2022 The AmazeChain Authors 2 // This file is part of the AmazeChain library. 3 // 4 // The AmazeChain library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The AmazeChain library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the AmazeChain library. If not, see <http://www.gnu.org/licenses/>. 16 17 package transaction 18 19 import ( 20 "crypto/ecdsa" 21 "errors" 22 "fmt" 23 "github.com/amazechain/amc/common/crypto" 24 "github.com/amazechain/amc/common/hash" 25 "github.com/amazechain/amc/common/types" 26 "github.com/amazechain/amc/common/u256" 27 "github.com/amazechain/amc/params" 28 "github.com/holiman/uint256" 29 "math/big" 30 ) 31 32 var ( 33 ErrInvalidSig = errors.New("invalid transaction v, r, s values") 34 ErrTxTypeNotSupported = errors.New("transaction type not supported") 35 ErrInvalidChainId = errors.New("invalid chain id for signer") 36 ) 37 38 // sigCache is used to cache the derived sender and contains 39 // the signer used to derive it. 40 type sigCache struct { 41 signer Signer 42 from types.Address 43 } 44 45 // MakeSigner returns a Signer based on the given chain config and block number. 46 func MakeSigner(config *params.ChainConfig, blockNumber *big.Int) Signer { 47 var signer Signer 48 switch { 49 case config.IsLondon(blockNumber.Uint64()): 50 signer = NewLondonSigner(config.ChainID) 51 case config.IsBerlin(blockNumber.Uint64()): 52 signer = NewEIP2930Signer(config.ChainID) 53 case config.IsEip1559FeeCollector(blockNumber.Uint64()): 54 signer = NewEIP155Signer(config.ChainID) 55 case config.IsHomestead(blockNumber.Uint64()): 56 signer = HomesteadSigner{} 57 default: 58 signer = FrontierSigner{} 59 } 60 return signer 61 } 62 63 // LatestSignerForChainID returns the 'most permissive' Signer available. Specifically, 64 // this enables support for EIP-155 replay protection and all implemented EIP-2718 65 // transaction types if chainID is non-nil. 66 // 67 // Use this in transaction-handling code where the current block number and fork 68 // configuration are unknown. If you have a ChainConfig, use LatestSigner instead. 69 // If you have a ChainConfig and know the current block number, use MakeSigner instead. 70 func LatestSignerForChainID(chainID *big.Int) Signer { 71 if chainID == nil { 72 return HomesteadSigner{} 73 } 74 return NewLondonSigner(chainID) 75 } 76 77 // SignNewTx creates a transaction and signs it. 78 func SignNewTx(prv *ecdsa.PrivateKey, s Signer, txdata TxData) (*Transaction, error) { 79 tx := NewTx(txdata) 80 h := s.Hash(tx) 81 sig, err := crypto.Sign(h[:], prv) 82 if err != nil { 83 return nil, err 84 } 85 return tx.WithSignature(s, sig) 86 } 87 88 // SignTx signs the transaction using the given signer and private key. 89 func SignTx(tx *Transaction, s Signer, prv *ecdsa.PrivateKey) (*Transaction, error) { 90 h := s.Hash(tx) 91 sig, err := crypto.Sign(h[:], prv) 92 if err != nil { 93 return nil, err 94 } 95 return tx.WithSignature(s, sig) 96 } 97 98 // Sender returns the address derived from the signature (V, R, S) using secp256k1 99 // elliptic curve and an error if it failed deriving or upon an incorrect 100 // signature. 101 // 102 // Sender may cache the address, allowing it to be used regardless of 103 // signing method. The cache is invalidated if the cached signer does 104 // not match the signer used in the current call. 105 func Sender(signer Signer, tx *Transaction) (types.Address, error) { 106 if sc := tx.from.Load(); sc != nil { 107 sigCache := sc.(sigCache) 108 // If the signer used to derive from in a previous 109 // call is not the same as used current, invalidate 110 // the cache. 111 if sigCache.signer.Equal(signer) { 112 return sigCache.from, nil 113 } 114 } 115 116 addr, err := signer.Sender(tx) 117 if err != nil { 118 return types.Address{}, err 119 } 120 tx.from.Store(sigCache{signer: signer, from: addr}) 121 return addr, nil 122 } 123 124 // Signer encapsulates transaction signature handling. The name of this type is slightly 125 // misleading because Signers don't actually sign, they're just for validating and 126 // processing of signatures. 127 // 128 // Note that this interface is not a stable API and may change at any time to accommodate 129 // new protocol rules. 130 type Signer interface { 131 // Sender returns the sender address of the transaction. 132 Sender(tx *Transaction) (types.Address, error) 133 134 // SignatureValues returns the raw R, S, V values corresponding to the 135 // given signature. 136 SignatureValues(tx *Transaction, sig []byte) (r, s, v *big.Int, err error) 137 ChainID() *big.Int 138 139 // Hash returns 'signature hash', i.e. the transaction hash that is signed by the 140 // private key. This hash does not uniquely identify the transaction. 141 Hash(tx *Transaction) types.Hash 142 143 // Equal returns true if the given signer is the same as the receiver. 144 Equal(Signer) bool 145 } 146 147 type londonSigner struct{ eip2930Signer } 148 149 // NewLondonSigner returns a signer that accepts 150 // - EIP-1559 dynamic fee transactions 151 // - EIP-2930 access list transactions, 152 // - EIP-155 replay protected transactions, and 153 // - legacy Homestead transactions. 154 func NewLondonSigner(chainId *big.Int) Signer { 155 return londonSigner{eip2930Signer{NewEIP155Signer(chainId)}} 156 } 157 158 func (s londonSigner) Sender(tx *Transaction) (types.Address, error) { 159 if tx.Type() != DynamicFeeTxType { 160 return s.eip2930Signer.Sender(tx) 161 } 162 V, R, S := tx.RawSignatureValues() 163 // DynamicFee txs are defined to use 0 and 1 as their recovery 164 // id, add 27 to become equivalent to unprotected Homestead signatures. 165 V1 := new(big.Int).Add(V.ToBig(), big.NewInt(27)) 166 chainId, _ := uint256.FromBig(s.chainId) 167 id := tx.ChainId() 168 if id.Cmp(chainId) != 0 { 169 return types.Address{}, ErrInvalidChainId 170 } 171 return recoverPlain(s.Hash(tx), R.ToBig(), S.ToBig(), V1, true) 172 } 173 174 func (s londonSigner) Equal(s2 Signer) bool { 175 x, ok := s2.(londonSigner) 176 return ok && x.chainId.Cmp(s.chainId) == 0 177 } 178 179 func (s londonSigner) SignatureValues(tx *Transaction, sig []byte) (R, S, V *big.Int, err error) { 180 txdata, ok := tx.inner.(*DynamicFeeTx) 181 if !ok { 182 return s.eip2930Signer.SignatureValues(tx, sig) 183 } 184 // Check that chain ID of tx matches the signer. We also accept ID zero here, 185 // because it indicates that the chain ID was not specified in the tx. 186 chainId, _ := uint256.FromBig(s.chainId) 187 if txdata.ChainID.Sign() != 0 && txdata.ChainID.Cmp(chainId) != 0 { 188 return nil, nil, nil, ErrInvalidChainId 189 } 190 R, S, _ = decodeSignature(sig) 191 V = big.NewInt(int64(sig[64])) 192 return R, S, V, nil 193 } 194 195 // Hash returns the hash to be signed by the sender. 196 // It does not uniquely identify the transaction. 197 func (s londonSigner) Hash(tx *Transaction) types.Hash { 198 if tx.Type() != DynamicFeeTxType { 199 return s.eip2930Signer.Hash(tx) 200 } 201 return hash.PrefixedRlpHash( 202 tx.Type(), 203 []interface{}{ 204 s.chainId, 205 tx.Nonce(), 206 tx.GasTipCap(), 207 tx.GasFeeCap(), 208 tx.Gas(), 209 tx.To(), 210 tx.Value(), 211 tx.Data(), 212 tx.AccessList(), 213 }) 214 } 215 216 type eip2930Signer struct{ EIP155Signer } 217 218 // NewEIP2930Signer returns a signer that accepts EIP-2930 access list transactions, 219 // EIP-155 replay protected transactions, and legacy Homestead transactions. 220 func NewEIP2930Signer(chainId *big.Int) Signer { 221 return eip2930Signer{NewEIP155Signer(chainId)} 222 } 223 224 func (s eip2930Signer) ChainID() *big.Int { 225 return s.chainId 226 } 227 228 func (s eip2930Signer) Equal(s2 Signer) bool { 229 x, ok := s2.(eip2930Signer) 230 return ok && x.chainId.Cmp(s.chainId) == 0 231 } 232 233 func (s eip2930Signer) Sender(tx *Transaction) (types.Address, error) { 234 V, R, S := tx.RawSignatureValues() 235 V1 := V.ToBig() 236 switch tx.Type() { 237 case LegacyTxType: 238 if !tx.Protected() { 239 return HomesteadSigner{}.Sender(tx) 240 } 241 V1 = new(big.Int).Sub(V1, s.chainIdMul) 242 V1.Sub(V1, big8) 243 case AccessListTxType: 244 // AL txs are defined to use 0 and 1 as their recovery 245 // id, add 27 to become equivalent to unprotected Homestead signatures. 246 V1 = new(big.Int).Add(V1, big.NewInt(27)) 247 default: 248 return types.Address{}, ErrTxTypeNotSupported 249 } 250 chainId, _ := uint256.FromBig(s.chainId) 251 id := tx.ChainId() 252 if id.Cmp(chainId) != 0 { 253 return types.Address{}, ErrInvalidChainId 254 } 255 return recoverPlain(s.Hash(tx), R.ToBig(), S.ToBig(), V1, true) 256 } 257 258 func (s eip2930Signer) SignatureValues(tx *Transaction, sig []byte) (R, S, V *big.Int, err error) { 259 switch txdata := tx.inner.(type) { 260 case *LegacyTx: 261 return s.EIP155Signer.SignatureValues(tx, sig) 262 case *AccessListTx: 263 // Check that chain ID of tx matches the signer. We also accept ID zero here, 264 // because it indicates that the chain ID was not specified in the tx. 265 chainId, _ := uint256.FromBig(s.chainId) 266 if txdata.ChainID.Sign() != 0 && txdata.ChainID.Cmp(chainId) != 0 { 267 return nil, nil, nil, ErrInvalidChainId 268 } 269 R, S, _ = decodeSignature(sig) 270 V = big.NewInt(int64(sig[64])) 271 default: 272 return nil, nil, nil, ErrTxTypeNotSupported 273 } 274 return R, S, V, nil 275 } 276 277 // Hash returns the hash to be signed by the sender. 278 // It does not uniquely identify the transaction. 279 func (s eip2930Signer) Hash(tx *Transaction) types.Hash { 280 switch tx.Type() { 281 case LegacyTxType: 282 return hash.RlpHash([]interface{}{ 283 tx.Nonce(), 284 tx.GasPrice(), 285 tx.Gas(), 286 tx.To(), 287 tx.Value(), 288 tx.Data(), 289 s.chainId, uint(0), uint(0), 290 }) 291 case AccessListTxType: 292 return hash.PrefixedRlpHash( 293 tx.Type(), 294 []interface{}{ 295 s.chainId, 296 tx.Nonce(), 297 tx.GasPrice(), 298 tx.Gas(), 299 tx.To(), 300 tx.Value(), 301 tx.Data(), 302 tx.AccessList(), 303 }) 304 default: 305 // This _should_ not happen, but in case someone sends in a bad 306 // json struct via RPC, it's probably more prudent to return an 307 // empty hash instead of killing the node with a panic 308 //panic("Unsupported transaction type: %d", tx.typ) 309 return types.Hash{} 310 } 311 } 312 313 // EIP155Signer implements Signer using the EIP-155 rules. This accepts transactions which 314 // are replay-protected as well as unprotected homestead transactions. 315 type EIP155Signer struct { 316 chainId, chainIdMul *big.Int 317 } 318 319 func NewEIP155Signer(chainId *big.Int) EIP155Signer { 320 if chainId == nil { 321 chainId = new(big.Int) 322 } 323 return EIP155Signer{ 324 chainId: chainId, 325 chainIdMul: new(big.Int).Mul(chainId, big.NewInt(2)), 326 } 327 } 328 329 func (s EIP155Signer) ChainID() *big.Int { 330 return s.chainId 331 } 332 333 func (s EIP155Signer) Equal(s2 Signer) bool { 334 eip155, ok := s2.(EIP155Signer) 335 return ok && eip155.chainId.Cmp(s.chainId) == 0 336 } 337 338 var big8 = big.NewInt(8) 339 340 func (s EIP155Signer) Sender(tx *Transaction) (types.Address, error) { 341 if tx.Type() != LegacyTxType { 342 return types.Address{}, ErrTxTypeNotSupported 343 } 344 if !tx.Protected() { 345 return HomesteadSigner{}.Sender(tx) 346 } 347 chainId, _ := uint256.FromBig(s.chainId) 348 id := tx.ChainId() 349 if id.Cmp(chainId) != 0 { 350 return types.Address{}, ErrInvalidChainId 351 } 352 V, R, S := tx.RawSignatureValues() 353 V1 := V.ToBig() 354 V1 = new(big.Int).Sub(V1, s.chainIdMul) 355 V1.Sub(V1, big8) 356 return recoverPlain(s.Hash(tx), R.ToBig(), S.ToBig(), V1, true) 357 } 358 359 // SignatureValues returns signature values. This signature 360 // needs to be in the [R || S || V] format where V is 0 or 1. 361 func (s EIP155Signer) SignatureValues(tx *Transaction, sig []byte) (R, S, V *big.Int, err error) { 362 if tx.Type() != LegacyTxType { 363 return nil, nil, nil, ErrTxTypeNotSupported 364 } 365 R, S, V = decodeSignature(sig) 366 if s.chainId.Sign() != 0 { 367 V = big.NewInt(int64(sig[64] + 35)) 368 V.Add(V, s.chainIdMul) 369 } 370 return R, S, V, nil 371 } 372 373 // Hash returns the hash to be signed by the sender. 374 // It does not uniquely identify the transaction. 375 func (s EIP155Signer) Hash(tx *Transaction) types.Hash { 376 return hash.RlpHash([]interface{}{ 377 tx.Nonce(), 378 tx.GasPrice(), 379 tx.Gas(), 380 tx.To(), 381 tx.Value(), 382 tx.Data(), 383 s.chainId, uint(0), uint(0), 384 }) 385 } 386 387 // HomesteadTransaction implements TransactionInterface using the 388 // homestead rules. 389 type HomesteadSigner struct{ FrontierSigner } 390 391 func (s HomesteadSigner) ChainID() *big.Int { 392 return nil 393 } 394 395 func (s HomesteadSigner) Equal(s2 Signer) bool { 396 _, ok := s2.(HomesteadSigner) 397 return ok 398 } 399 400 // SignatureValues returns signature values. This signature 401 // needs to be in the [R || S || V] format where V is 0 or 1. 402 func (hs HomesteadSigner) SignatureValues(tx *Transaction, sig []byte) (r, s, v *big.Int, err error) { 403 return hs.FrontierSigner.SignatureValues(tx, sig) 404 } 405 406 func (hs HomesteadSigner) Sender(tx *Transaction) (types.Address, error) { 407 if tx.Type() != LegacyTxType { 408 return types.Address{}, ErrTxTypeNotSupported 409 } 410 v, r, s := tx.RawSignatureValues() 411 return recoverPlain(hs.Hash(tx), r.ToBig(), s.ToBig(), v.ToBig(), true) 412 } 413 414 type FrontierSigner struct{} 415 416 func (s FrontierSigner) ChainID() *big.Int { 417 return nil 418 } 419 420 func (s FrontierSigner) Equal(s2 Signer) bool { 421 _, ok := s2.(FrontierSigner) 422 return ok 423 } 424 425 func (fs FrontierSigner) Sender(tx *Transaction) (types.Address, error) { 426 if tx.Type() != LegacyTxType { 427 return types.Address{}, ErrTxTypeNotSupported 428 } 429 v, r, s := tx.RawSignatureValues() 430 return recoverPlain(fs.Hash(tx), r.ToBig(), s.ToBig(), v.ToBig(), false) 431 } 432 433 // SignatureValues returns signature values. This signature 434 // needs to be in the [R || S || V] format where V is 0 or 1. 435 func (fs FrontierSigner) SignatureValues(tx *Transaction, sig []byte) (r, s, v *big.Int, err error) { 436 if tx.Type() != LegacyTxType { 437 return nil, nil, nil, ErrTxTypeNotSupported 438 } 439 r, s, v = decodeSignature(sig) 440 return r, s, v, nil 441 } 442 443 // Hash returns the hash to be signed by the sender. 444 // It does not uniquely identify the transaction. 445 func (fs FrontierSigner) Hash(tx *Transaction) types.Hash { 446 return hash.RlpHash([]interface{}{ 447 tx.Nonce(), 448 tx.GasPrice(), 449 tx.Gas(), 450 tx.To(), 451 tx.Value(), 452 tx.Data(), 453 }) 454 } 455 456 func decodeSignature(sig []byte) (r, s, v *big.Int) { 457 if len(sig) != crypto.SignatureLength { 458 panic(fmt.Sprintf("wrong size for signature: got %d, want %d", len(sig), crypto.SignatureLength)) 459 } 460 r = new(big.Int).SetBytes(sig[:32]) 461 s = new(big.Int).SetBytes(sig[32:64]) 462 v = new(big.Int).SetBytes([]byte{sig[64] + 27}) 463 return r, s, v 464 } 465 466 func recoverPlain(sighash types.Hash, R, S, Vb *big.Int, homestead bool) (types.Address, error) { 467 if Vb.BitLen() > 8 { 468 return types.Address{}, ErrInvalidSig 469 } 470 V := byte(Vb.Uint64() - 27) 471 lr, _ := uint256.FromBig(R) 472 ls, _ := uint256.FromBig(S) 473 if !crypto.ValidateSignatureValues(V, lr, ls, homestead) { 474 return types.Address{}, ErrInvalidSig 475 } 476 // encode the signature in uncompressed format 477 r, s := R.Bytes(), S.Bytes() 478 sig := make([]byte, crypto.SignatureLength) 479 copy(sig[32-len(r):32], r) 480 copy(sig[64-len(s):64], s) 481 sig[64] = V 482 // recover the public key from the signature 483 pub, err := crypto.Ecrecover(sighash[:], sig) 484 if err != nil { 485 return types.Address{}, err 486 } 487 if len(pub) == 0 || pub[0] != 4 { 488 return types.Address{}, errors.New("invalid public key") 489 } 490 var addr types.Address 491 copy(addr[:], crypto.Keccak256(pub[1:])[12:]) 492 return addr, nil 493 } 494 495 // deriveChainID derives the chain id from the given v parameter 496 func DeriveChainId(v *uint256.Int) *uint256.Int { 497 if v.IsUint64() { 498 v := v.Uint64() 499 if v == 27 || v == 28 { 500 return new(uint256.Int) 501 } 502 return new(uint256.Int).SetUint64((v - 35) / 2) 503 } 504 r := new(uint256.Int).Sub(v, u256.Num35) 505 return r.Div(r, u256.Num2) 506 }