github.com/digdeepmining/go-atheios@v1.5.13-0.20180902133602-d5687a2e6f43/crypto/secp256k1/secp256.go (about) 1 // Copyright 2015 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 // Package secp256k1 wraps the bitcoin secp256k1 C library. 18 package secp256k1 19 20 /* 21 #cgo CFLAGS: -I./libsecp256k1 22 #cgo CFLAGS: -I./libsecp256k1/src/ 23 #define USE_NUM_NONE 24 #define USE_FIELD_10X26 25 #define USE_FIELD_INV_BUILTIN 26 #define USE_SCALAR_8X32 27 #define USE_SCALAR_INV_BUILTIN 28 #define NDEBUG 29 #include "./libsecp256k1/src/secp256k1.c" 30 #include "./libsecp256k1/src/modules/recovery/main_impl.h" 31 #include "ext.h" 32 33 typedef void (*callbackFunc) (const char* msg, void* data); 34 extern void secp256k1GoPanicIllegal(const char* msg, void* data); 35 extern void secp256k1GoPanicError(const char* msg, void* data); 36 */ 37 import "C" 38 39 import ( 40 "errors" 41 "math/big" 42 "unsafe" 43 ) 44 45 var ( 46 context *C.secp256k1_context 47 N *big.Int 48 HalfN *big.Int 49 ) 50 51 func init() { 52 N, _ = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16) 53 // N / 2 == 57896044618658097711785492504343953926418782139537452191302581570759080747168 54 HalfN, _ = new(big.Int).SetString("7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0", 16) 55 56 // around 20 ms on a modern CPU. 57 context = C.secp256k1_context_create_sign_verify() 58 C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil) 59 C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil) 60 } 61 62 var ( 63 ErrInvalidMsgLen = errors.New("invalid message length, need 32 bytes") 64 ErrInvalidSignatureLen = errors.New("invalid signature length") 65 ErrInvalidRecoveryID = errors.New("invalid signature recovery id") 66 ErrInvalidKey = errors.New("invalid private key") 67 ErrSignFailed = errors.New("signing failed") 68 ErrRecoverFailed = errors.New("recovery failed") 69 ) 70 71 // Sign creates a recoverable ECDSA signature. 72 // The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1. 73 // 74 // The caller is responsible for ensuring that msg cannot be chosen 75 // directly by an attacker. It is usually preferable to use a cryptographic 76 // hash function on any input before handing it to this function. 77 func Sign(msg []byte, seckey []byte) ([]byte, error) { 78 if len(msg) != 32 { 79 return nil, ErrInvalidMsgLen 80 } 81 if len(seckey) != 32 { 82 return nil, ErrInvalidKey 83 } 84 seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0])) 85 if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 { 86 return nil, ErrInvalidKey 87 } 88 89 var ( 90 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 91 noncefunc = C.secp256k1_nonce_function_rfc6979 92 sigstruct C.secp256k1_ecdsa_recoverable_signature 93 ) 94 if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 { 95 return nil, ErrSignFailed 96 } 97 98 var ( 99 sig = make([]byte, 65) 100 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 101 recid C.int 102 ) 103 C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct) 104 sig[64] = byte(recid) // add back recid to get 65 bytes sig 105 return sig, nil 106 } 107 108 // RecoverPubkey returns the the public key of the signer. 109 // msg must be the 32-byte hash of the message to be signed. 110 // sig must be a 65-byte compact ECDSA signature containing the 111 // recovery id as the last element. 112 func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) { 113 if len(msg) != 32 { 114 return nil, ErrInvalidMsgLen 115 } 116 if err := checkSignature(sig); err != nil { 117 return nil, err 118 } 119 120 var ( 121 pubkey = make([]byte, 65) 122 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 123 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 124 ) 125 if C.secp256k1_ecdsa_recover_pubkey(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 { 126 return nil, ErrRecoverFailed 127 } 128 return pubkey, nil 129 } 130 131 func checkSignature(sig []byte) error { 132 if len(sig) != 65 { 133 return ErrInvalidSignatureLen 134 } 135 if sig[64] >= 4 { 136 return ErrInvalidRecoveryID 137 } 138 return nil 139 } 140 141 // reads num into buf as big-endian bytes. 142 func readBits(buf []byte, num *big.Int) { 143 const wordLen = int(unsafe.Sizeof(big.Word(0))) 144 i := len(buf) 145 for _, d := range num.Bits() { 146 for j := 0; j < wordLen && i > 0; j++ { 147 i-- 148 buf[i] = byte(d) 149 d >>= 8 150 } 151 } 152 }