github.com/ethereum/go-ethereum@v1.16.1/crypto/crypto.go (about) 1 // Copyright 2014 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 package crypto 18 19 import ( 20 "bufio" 21 "crypto/ecdsa" 22 "crypto/elliptic" 23 "crypto/rand" 24 "encoding/hex" 25 "errors" 26 "fmt" 27 "hash" 28 "io" 29 "math/big" 30 "os" 31 "sync" 32 33 "github.com/ethereum/go-ethereum/common" 34 "github.com/ethereum/go-ethereum/common/math" 35 "github.com/ethereum/go-ethereum/rlp" 36 "golang.org/x/crypto/sha3" 37 ) 38 39 // SignatureLength indicates the byte length required to carry a signature with recovery id. 40 const SignatureLength = 64 + 1 // 64 bytes ECDSA signature + 1 byte recovery id 41 42 // RecoveryIDOffset points to the byte offset within the signature that contains the recovery id. 43 const RecoveryIDOffset = 64 44 45 // DigestLength sets the signature digest exact length 46 const DigestLength = 32 47 48 var ( 49 secp256k1N = S256().Params().N 50 secp256k1halfN = new(big.Int).Div(secp256k1N, big.NewInt(2)) 51 ) 52 53 var errInvalidPubkey = errors.New("invalid secp256k1 public key") 54 55 // EllipticCurve contains curve operations. 56 type EllipticCurve interface { 57 elliptic.Curve 58 59 // Point marshaling/unmarshaing. 60 Marshal(x, y *big.Int) []byte 61 Unmarshal(data []byte) (x, y *big.Int) 62 } 63 64 // KeccakState wraps sha3.state. In addition to the usual hash methods, it also supports 65 // Read to get a variable amount of data from the hash state. Read is faster than Sum 66 // because it doesn't copy the internal state, but also modifies the internal state. 67 type KeccakState interface { 68 hash.Hash 69 Read([]byte) (int, error) 70 } 71 72 // NewKeccakState creates a new KeccakState 73 func NewKeccakState() KeccakState { 74 return sha3.NewLegacyKeccak256().(KeccakState) 75 } 76 77 var hasherPool = sync.Pool{ 78 New: func() any { 79 return sha3.NewLegacyKeccak256().(KeccakState) 80 }, 81 } 82 83 // HashData hashes the provided data using the KeccakState and returns a 32 byte hash 84 func HashData(kh KeccakState, data []byte) (h common.Hash) { 85 kh.Reset() 86 kh.Write(data) 87 kh.Read(h[:]) 88 return h 89 } 90 91 // Keccak256 calculates and returns the Keccak256 hash of the input data. 92 func Keccak256(data ...[]byte) []byte { 93 b := make([]byte, 32) 94 d := hasherPool.Get().(KeccakState) 95 d.Reset() 96 for _, b := range data { 97 d.Write(b) 98 } 99 d.Read(b) 100 hasherPool.Put(d) 101 return b 102 } 103 104 // Keccak256Hash calculates and returns the Keccak256 hash of the input data, 105 // converting it to an internal Hash data structure. 106 func Keccak256Hash(data ...[]byte) (h common.Hash) { 107 d := hasherPool.Get().(KeccakState) 108 d.Reset() 109 for _, b := range data { 110 d.Write(b) 111 } 112 d.Read(h[:]) 113 hasherPool.Put(d) 114 return h 115 } 116 117 // Keccak512 calculates and returns the Keccak512 hash of the input data. 118 func Keccak512(data ...[]byte) []byte { 119 d := sha3.NewLegacyKeccak512() 120 for _, b := range data { 121 d.Write(b) 122 } 123 return d.Sum(nil) 124 } 125 126 // CreateAddress creates an ethereum address given the bytes and the nonce 127 func CreateAddress(b common.Address, nonce uint64) common.Address { 128 data, _ := rlp.EncodeToBytes([]interface{}{b, nonce}) 129 return common.BytesToAddress(Keccak256(data)[12:]) 130 } 131 132 // CreateAddress2 creates an ethereum address given the address bytes, initial 133 // contract code hash and a salt. 134 func CreateAddress2(b common.Address, salt [32]byte, inithash []byte) common.Address { 135 return common.BytesToAddress(Keccak256([]byte{0xff}, b.Bytes(), salt[:], inithash)[12:]) 136 } 137 138 // ToECDSA creates a private key with the given D value. 139 func ToECDSA(d []byte) (*ecdsa.PrivateKey, error) { 140 return toECDSA(d, true) 141 } 142 143 // ToECDSAUnsafe blindly converts a binary blob to a private key. It should almost 144 // never be used unless you are sure the input is valid and want to avoid hitting 145 // errors due to bad origin encoding (0 prefixes cut off). 146 func ToECDSAUnsafe(d []byte) *ecdsa.PrivateKey { 147 priv, _ := toECDSA(d, false) 148 return priv 149 } 150 151 // toECDSA creates a private key with the given D value. The strict parameter 152 // controls whether the key's length should be enforced at the curve size or 153 // it can also accept legacy encodings (0 prefixes). 154 func toECDSA(d []byte, strict bool) (*ecdsa.PrivateKey, error) { 155 priv := new(ecdsa.PrivateKey) 156 priv.PublicKey.Curve = S256() 157 if strict && 8*len(d) != priv.Params().BitSize { 158 return nil, fmt.Errorf("invalid length, need %d bits", priv.Params().BitSize) 159 } 160 priv.D = new(big.Int).SetBytes(d) 161 162 // The priv.D must < N 163 if priv.D.Cmp(secp256k1N) >= 0 { 164 return nil, errors.New("invalid private key, >=N") 165 } 166 // The priv.D must not be zero or negative. 167 if priv.D.Sign() <= 0 { 168 return nil, errors.New("invalid private key, zero or negative") 169 } 170 171 priv.PublicKey.X, priv.PublicKey.Y = S256().ScalarBaseMult(d) 172 if priv.PublicKey.X == nil { 173 return nil, errors.New("invalid private key") 174 } 175 return priv, nil 176 } 177 178 // FromECDSA exports a private key into a binary dump. 179 func FromECDSA(priv *ecdsa.PrivateKey) []byte { 180 if priv == nil { 181 return nil 182 } 183 return math.PaddedBigBytes(priv.D, priv.Params().BitSize/8) 184 } 185 186 // UnmarshalPubkey converts bytes to a secp256k1 public key. 187 func UnmarshalPubkey(pub []byte) (*ecdsa.PublicKey, error) { 188 x, y := S256().Unmarshal(pub) 189 if x == nil { 190 return nil, errInvalidPubkey 191 } 192 if !S256().IsOnCurve(x, y) { 193 return nil, errInvalidPubkey 194 } 195 return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil 196 } 197 198 // FromECDSAPub converts a secp256k1 public key to bytes. 199 // Note: it does not use the curve from pub, instead it always 200 // encodes using secp256k1. 201 func FromECDSAPub(pub *ecdsa.PublicKey) []byte { 202 if pub == nil || pub.X == nil || pub.Y == nil { 203 return nil 204 } 205 return S256().Marshal(pub.X, pub.Y) 206 } 207 208 // HexToECDSA parses a secp256k1 private key. 209 func HexToECDSA(hexkey string) (*ecdsa.PrivateKey, error) { 210 b, err := hex.DecodeString(hexkey) 211 if byteErr, ok := err.(hex.InvalidByteError); ok { 212 return nil, fmt.Errorf("invalid hex character %q in private key", byte(byteErr)) 213 } else if err != nil { 214 return nil, errors.New("invalid hex data for private key") 215 } 216 return ToECDSA(b) 217 } 218 219 // LoadECDSA loads a secp256k1 private key from the given file. 220 func LoadECDSA(file string) (*ecdsa.PrivateKey, error) { 221 fd, err := os.Open(file) 222 if err != nil { 223 return nil, err 224 } 225 defer fd.Close() 226 227 r := bufio.NewReader(fd) 228 buf := make([]byte, 64) 229 n, err := readASCII(buf, r) 230 if err != nil { 231 return nil, err 232 } else if n != len(buf) { 233 return nil, errors.New("key file too short, want 64 hex characters") 234 } 235 if err := checkKeyFileEnd(r); err != nil { 236 return nil, err 237 } 238 239 return HexToECDSA(string(buf)) 240 } 241 242 // readASCII reads into 'buf', stopping when the buffer is full or 243 // when a non-printable control character is encountered. 244 func readASCII(buf []byte, r *bufio.Reader) (n int, err error) { 245 for ; n < len(buf); n++ { 246 buf[n], err = r.ReadByte() 247 switch { 248 case err == io.EOF || buf[n] < '!': 249 return n, nil 250 case err != nil: 251 return n, err 252 } 253 } 254 return n, nil 255 } 256 257 // checkKeyFileEnd skips over additional newlines at the end of a key file. 258 func checkKeyFileEnd(r *bufio.Reader) error { 259 for i := 0; ; i++ { 260 b, err := r.ReadByte() 261 switch { 262 case err == io.EOF: 263 return nil 264 case err != nil: 265 return err 266 case b != '\n' && b != '\r': 267 return fmt.Errorf("invalid character %q at end of key file", b) 268 case i >= 2: 269 return errors.New("key file too long, want 64 hex characters") 270 } 271 } 272 } 273 274 // SaveECDSA saves a secp256k1 private key to the given file with 275 // restrictive permissions. The key data is saved hex-encoded. 276 func SaveECDSA(file string, key *ecdsa.PrivateKey) error { 277 k := hex.EncodeToString(FromECDSA(key)) 278 return os.WriteFile(file, []byte(k), 0600) 279 } 280 281 // GenerateKey generates a new private key. 282 func GenerateKey() (*ecdsa.PrivateKey, error) { 283 return ecdsa.GenerateKey(S256(), rand.Reader) 284 } 285 286 // ValidateSignatureValues verifies whether the signature values are valid with 287 // the given chain rules. The v value is assumed to be either 0 or 1. 288 func ValidateSignatureValues(v byte, r, s *big.Int, homestead bool) bool { 289 if r.Cmp(common.Big1) < 0 || s.Cmp(common.Big1) < 0 { 290 return false 291 } 292 // reject upper range of s values (ECDSA malleability) 293 // see discussion in secp256k1/libsecp256k1/include/secp256k1.h 294 if homestead && s.Cmp(secp256k1halfN) > 0 { 295 return false 296 } 297 // Frontier: allow s to be in full N range 298 return r.Cmp(secp256k1N) < 0 && s.Cmp(secp256k1N) < 0 && (v == 0 || v == 1) 299 } 300 301 func PubkeyToAddress(p ecdsa.PublicKey) common.Address { 302 pubBytes := FromECDSAPub(&p) 303 return common.BytesToAddress(Keccak256(pubBytes[1:])[12:]) 304 } 305 306 func zeroBytes(bytes []byte) { 307 clear(bytes) 308 }