github.com/aquanetwork/aquachain@v1.7.8/crypto/secp256k1/secp256.go (about) 1 // Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be found in 3 // the LICENSE file. 4 5 // +build cgo gccgo !nocgo 6 7 // Package secp256k1 wraps the bitcoin secp256k1 C library. 8 package secp256k1 9 10 /* 11 #cgo CFLAGS: -I./libsecp256k1 12 #cgo CFLAGS: -I./libsecp256k1/src/ 13 #define USE_NUM_NONE 14 #define USE_FIELD_10X26 15 #define USE_FIELD_INV_BUILTIN 16 #define USE_SCALAR_8X32 17 #define USE_SCALAR_INV_BUILTIN 18 #define NDEBUG 19 #include "./libsecp256k1/src/secp256k1.c" 20 #include "./libsecp256k1/src/modules/recovery/main_impl.h" 21 #include "ext.h" 22 23 typedef void (*callbackFunc) (const char* msg, void* data); 24 extern void secp256k1GoPanicIllegal(const char* msg, void* data); 25 extern void secp256k1GoPanicError(const char* msg, void* data); 26 */ 27 import "C" 28 29 import ( 30 "errors" 31 "math/big" 32 "unsafe" 33 ) 34 35 var context *C.secp256k1_context 36 37 func init() { 38 // around 20 ms on a modern CPU. 39 context = C.secp256k1_context_create_sign_verify() 40 C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil) 41 C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil) 42 } 43 44 var ( 45 ErrInvalidMsgLen = errors.New("invalid message length, need 32 bytes") 46 ErrInvalidSignatureLen = errors.New("invalid signature length") 47 ErrInvalidRecoveryID = errors.New("invalid signature recovery id") 48 ErrInvalidKey = errors.New("invalid private key") 49 ErrInvalidPubkey = errors.New("invalid public key") 50 ErrSignFailed = errors.New("signing failed") 51 ErrRecoverFailed = errors.New("recovery failed") 52 ) 53 54 // Sign creates a recoverable ECDSA signature. 55 // The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1. 56 // 57 // The caller is responsible for ensuring that msg cannot be chosen 58 // directly by an attacker. It is usually preferable to use a cryptographic 59 // hash function on any input before handing it to this function. 60 func Sign(msg []byte, seckey []byte) ([]byte, error) { 61 if len(msg) != 32 { 62 return nil, ErrInvalidMsgLen 63 } 64 if len(seckey) != 32 { 65 return nil, ErrInvalidKey 66 } 67 seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0])) 68 if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 { 69 return nil, ErrInvalidKey 70 } 71 72 var ( 73 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 74 noncefunc = C.secp256k1_nonce_function_rfc6979 75 sigstruct C.secp256k1_ecdsa_recoverable_signature 76 ) 77 if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 { 78 return nil, ErrSignFailed 79 } 80 81 var ( 82 sig = make([]byte, 65) 83 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 84 recid C.int 85 ) 86 C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct) 87 sig[64] = byte(recid) // add back recid to get 65 bytes sig 88 return sig, nil 89 } 90 91 // RecoverPubkey returns the the public key of the signer. 92 // msg must be the 32-byte hash of the message to be signed. 93 // sig must be a 65-byte compact ECDSA signature containing the 94 // recovery id as the last element. 95 func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) { 96 if len(msg) != 32 { 97 return nil, ErrInvalidMsgLen 98 } 99 if err := checkSignature(sig); err != nil { 100 return nil, err 101 } 102 103 var ( 104 pubkey = make([]byte, 65) 105 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 106 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 107 ) 108 if C.secp256k1_ext_ecdsa_recover(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 { 109 return nil, ErrRecoverFailed 110 } 111 return pubkey, nil 112 } 113 114 // VerifySignature checks that the given pubkey created signature over message. 115 // The signature should be in [R || S] format. 116 func VerifySignature(pubkey, msg, signature []byte) bool { 117 if len(msg) != 32 || len(signature) != 64 || len(pubkey) == 0 { 118 return false 119 } 120 sigdata := (*C.uchar)(unsafe.Pointer(&signature[0])) 121 msgdata := (*C.uchar)(unsafe.Pointer(&msg[0])) 122 keydata := (*C.uchar)(unsafe.Pointer(&pubkey[0])) 123 return C.secp256k1_ext_ecdsa_verify(context, sigdata, msgdata, keydata, C.size_t(len(pubkey))) != 0 124 } 125 126 // DecompressPubkey parses a public key in the 33-byte compressed format. 127 // It returns non-nil coordinates if the public key is valid. 128 func DecompressPubkey(pubkey []byte) (x, y *big.Int) { 129 if len(pubkey) != 33 { 130 return nil, nil 131 } 132 var ( 133 pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0])) 134 pubkeylen = C.size_t(len(pubkey)) 135 out = make([]byte, 65) 136 outdata = (*C.uchar)(unsafe.Pointer(&out[0])) 137 outlen = C.size_t(len(out)) 138 ) 139 if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 { 140 return nil, nil 141 } 142 return new(big.Int).SetBytes(out[1:33]), new(big.Int).SetBytes(out[33:]) 143 } 144 145 // CompressPubkey encodes a public key to 33-byte compressed format. 146 func CompressPubkey(x, y *big.Int) []byte { 147 var ( 148 pubkey = S256().Marshal(x, y) 149 pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0])) 150 pubkeylen = C.size_t(len(pubkey)) 151 out = make([]byte, 33) 152 outdata = (*C.uchar)(unsafe.Pointer(&out[0])) 153 outlen = C.size_t(len(out)) 154 ) 155 if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 { 156 panic("libsecp256k1 error") 157 } 158 return out 159 } 160 161 func checkSignature(sig []byte) error { 162 if len(sig) != 65 { 163 return ErrInvalidSignatureLen 164 } 165 if sig[64] >= 4 { 166 return ErrInvalidRecoveryID 167 } 168 return nil 169 }