github.com/chain5j/chain5j-pkg@v1.0.7/crypto/signature/secp256k1/btcecv1/pubkey.go (about) 1 // Copyright (c) 2013-2014 The btcsuite developers 2 // Use of this source code is governed by an ISC 3 // license that can be found in the LICENSE file. 4 5 package btcecv1 6 7 import ( 8 "crypto/ecdsa" 9 "errors" 10 "fmt" 11 "math/big" 12 ) 13 14 // These constants define the lengths of serialized public keys. 15 const ( 16 PubKeyBytesLenCompressed = 33 17 PubKeyBytesLenUncompressed = 65 18 PubKeyBytesLenHybrid = 65 19 ) 20 21 func isOdd(a *big.Int) bool { 22 return a.Bit(0) == 1 23 } 24 25 // decompressPoint decompresses a point on the secp256k1 curve given the X point and 26 // the solution to use. 27 func decompressPoint(curve *KoblitzCurve, bigX *big.Int, ybit bool) (*big.Int, error) { 28 var x fieldVal 29 x.SetByteSlice(bigX.Bytes()) 30 31 // Compute x^3 + B mod p. 32 var x3 fieldVal 33 x3.SquareVal(&x).Mul(&x) 34 x3.Add(curve.fieldB).Normalize() 35 36 // Now calculate sqrt mod p of x^3 + B 37 // This code used to do a full sqrt based on tonelli/shanks, 38 // but this was replaced by the algorithms referenced in 39 // https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294 40 var y fieldVal 41 y.SqrtVal(&x3).Normalize() 42 if ybit != y.IsOdd() { 43 y.Negate(1).Normalize() 44 } 45 46 // Check that y is a square root of x^3 + B. 47 var y2 fieldVal 48 y2.SquareVal(&y).Normalize() 49 if !y2.Equals(&x3) { 50 return nil, fmt.Errorf("invalid square root") 51 } 52 53 // Verify that y-coord has expected parity. 54 if ybit != y.IsOdd() { 55 return nil, fmt.Errorf("ybit doesn't match oddness") 56 } 57 58 return new(big.Int).SetBytes(y.Bytes()[:]), nil 59 } 60 61 const ( 62 pubkeyCompressed byte = 0x2 // y_bit + x coord 63 pubkeyUncompressed byte = 0x4 // x coord + y coord 64 pubkeyHybrid byte = 0x6 // y_bit + x coord + y coord 65 ) 66 67 // IsCompressedPubKey returns true the the passed serialized public key has 68 // been encoded in compressed format, and false otherwise. 69 func IsCompressedPubKey(pubKey []byte) bool { 70 // The public key is only compressed if it is the correct length and 71 // the format (first byte) is one of the compressed pubkey values. 72 return len(pubKey) == PubKeyBytesLenCompressed && 73 (pubKey[0]&^byte(0x1) == pubkeyCompressed) 74 } 75 76 // ParsePubKey parses a public key for a koblitz curve from a bytestring into a 77 // ecdsa.Publickey, verifying that it is valid. It supports compressed, 78 // uncompressed and hybrid signature formats. 79 func ParsePubKey(pubKeyStr []byte, curve *KoblitzCurve) (key *PublicKey, err error) { 80 pubkey := PublicKey{} 81 pubkey.Curve = curve 82 83 if len(pubKeyStr) == 0 { 84 return nil, errors.New("pubkey string is empty") 85 } 86 87 format := pubKeyStr[0] 88 ybit := (format & 0x1) == 0x1 89 format &= ^byte(0x1) 90 91 switch len(pubKeyStr) { 92 case PubKeyBytesLenUncompressed: 93 if format != pubkeyUncompressed && format != pubkeyHybrid { 94 return nil, fmt.Errorf("invalid magic in pubkey str: "+ 95 "%d", pubKeyStr[0]) 96 } 97 98 pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33]) 99 pubkey.Y = new(big.Int).SetBytes(pubKeyStr[33:]) 100 // hybrid keys have extra information, make use of it. 101 if format == pubkeyHybrid && ybit != isOdd(pubkey.Y) { 102 return nil, fmt.Errorf("ybit doesn't match oddness") 103 } 104 105 if pubkey.X.Cmp(pubkey.Curve.Params().P) >= 0 { 106 return nil, fmt.Errorf("pubkey X parameter is >= to P") 107 } 108 if pubkey.Y.Cmp(pubkey.Curve.Params().P) >= 0 { 109 return nil, fmt.Errorf("pubkey Y parameter is >= to P") 110 } 111 if !pubkey.Curve.IsOnCurve(pubkey.X, pubkey.Y) { 112 return nil, fmt.Errorf("pubkey isn't on secp256k1 curve") 113 } 114 115 case PubKeyBytesLenCompressed: 116 // format is 0x2 | solution, <X coordinate> 117 // solution determines which solution of the curve we use. 118 // / y^2 = x^3 + Curve.B 119 if format != pubkeyCompressed { 120 return nil, fmt.Errorf("invalid magic in compressed "+ 121 "pubkey string: %d", pubKeyStr[0]) 122 } 123 pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33]) 124 pubkey.Y, err = decompressPoint(curve, pubkey.X, ybit) 125 if err != nil { 126 return nil, err 127 } 128 129 default: // wrong! 130 return nil, fmt.Errorf("invalid pub key length %d", 131 len(pubKeyStr)) 132 } 133 134 return &pubkey, nil 135 } 136 137 // PublicKey is an ecdsa.PublicKey with additional functions to 138 // serialize in uncompressed, compressed, and hybrid formats. 139 type PublicKey ecdsa.PublicKey 140 141 // ToECDSA returns the public key as a *ecdsa.PublicKey. 142 func (p *PublicKey) ToECDSA() *ecdsa.PublicKey { 143 return (*ecdsa.PublicKey)(p) 144 } 145 146 // SerializeUncompressed serializes a public key in a 65-byte uncompressed 147 // format. 148 func (p *PublicKey) SerializeUncompressed() []byte { 149 b := make([]byte, 0, PubKeyBytesLenUncompressed) 150 b = append(b, pubkeyUncompressed) 151 b = paddedAppend(32, b, p.X.Bytes()) 152 return paddedAppend(32, b, p.Y.Bytes()) 153 } 154 155 // SerializeCompressed serializes a public key in a 33-byte compressed format. 156 func (p *PublicKey) SerializeCompressed() []byte { 157 b := make([]byte, 0, PubKeyBytesLenCompressed) 158 format := pubkeyCompressed 159 if isOdd(p.Y) { 160 format |= 0x1 161 } 162 b = append(b, format) 163 return paddedAppend(32, b, p.X.Bytes()) 164 } 165 166 // SerializeHybrid serializes a public key in a 65-byte hybrid format. 167 func (p *PublicKey) SerializeHybrid() []byte { 168 b := make([]byte, 0, PubKeyBytesLenHybrid) 169 format := pubkeyHybrid 170 if isOdd(p.Y) { 171 format |= 0x1 172 } 173 b = append(b, format) 174 b = paddedAppend(32, b, p.X.Bytes()) 175 return paddedAppend(32, b, p.Y.Bytes()) 176 } 177 178 // IsEqual compares this PublicKey instance to the one passed, returning true if 179 // both PublicKeys are equivalent. A PublicKey is equivalent to another, if they 180 // both have the same X and Y coordinate. 181 func (p *PublicKey) IsEqual(otherPubKey *PublicKey) bool { 182 return p.X.Cmp(otherPubKey.X) == 0 && 183 p.Y.Cmp(otherPubKey.Y) == 0 184 } 185 186 // paddedAppend appends the src byte slice to dst, returning the new slice. 187 // If the length of the source is smaller than the passed size, leading zero 188 // bytes are appended to the dst slice before appending src. 189 func paddedAppend(size uint, dst, src []byte) []byte { 190 for i := 0; i < int(size)-len(src); i++ { 191 dst = append(dst, 0) 192 } 193 return append(dst, src...) 194 }