github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/examples/ecdsa.c

github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/examples/ecdsa.c (about)

     1  /*************************************************************************
     2   * Written in 2020-2022 by Elichai Turkel                                *
     3   * To the extent possible under law, the author(s) have dedicated all    *
     4   * copyright and related and neighboring rights to the software in this  *
     5   * file to the public domain worldwide. This software is distributed     *
     6   * without any warranty. For the CC0 Public Domain Dedication, see       *
     7   * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
     8   *************************************************************************/
     9  
    10  #include <stdio.h>
    11  #include <stdlib.h>
    12  #include <assert.h>
    13  #include <string.h>
    14  
    15  #include <secp256k1.h>
    16  
    17  #include "examples_util.h"
    18  
    19  int main(void) {
    20      /* Instead of signing the message directly, we must sign a 32-byte hash.
    21       * Here the message is "Hello, world!" and the hash function was SHA-256.
    22       * An actual implementation should just call SHA-256, but this example
    23       * hardcodes the output to avoid depending on an additional library.
    24       * See https://bitcoin.stackexchange.com/questions/81115/if-someone-wanted-to-pretend-to-be-satoshi-by-posting-a-fake-signature-to-defrau/81116#81116 */
    25      unsigned char msg_hash[32] = {
    26          0x31, 0x5F, 0x5B, 0xDB, 0x76, 0xD0, 0x78, 0xC4,
    27          0x3B, 0x8A, 0xC0, 0x06, 0x4E, 0x4A, 0x01, 0x64,
    28          0x61, 0x2B, 0x1F, 0xCE, 0x77, 0xC8, 0x69, 0x34,
    29          0x5B, 0xFC, 0x94, 0xC7, 0x58, 0x94, 0xED, 0xD3,
    30      };
    31      unsigned char seckey[32];
    32      unsigned char randomize[32];
    33      unsigned char compressed_pubkey[33];
    34      unsigned char serialized_signature[64];
    35      size_t len;
    36      int is_signature_valid, is_signature_valid2;
    37      int return_val;
    38      secp256k1_pubkey pubkey;
    39      secp256k1_ecdsa_signature sig;
    40      /* Before we can call actual API functions, we need to create a "context". */
    41      secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
    42      if (!fill_random(randomize, sizeof(randomize))) {
    43          printf("Failed to generate randomness\n");
    44          return EXIT_FAILURE;
    45      }
    46      /* Randomizing the context is recommended to protect against side-channel
    47       * leakage See `secp256k1_context_randomize` in secp256k1.h for more
    48       * information about it. This should never fail. */
    49      return_val = secp256k1_context_randomize(ctx, randomize);
    50      assert(return_val);
    51  
    52      /*** Key Generation ***/
    53      if (!fill_random(seckey, sizeof(seckey))) {
    54          printf("Failed to generate randomness\n");
    55          return EXIT_FAILURE;
    56      }
    57      /* If the secret key is zero or out of range (greater than secp256k1's
    58      * order), we fail. Note that the probability of this occurring is negligible
    59      * with a properly functioning random number generator. */
    60      if (!secp256k1_ec_seckey_verify(ctx, seckey)) {
    61          printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n");
    62          return EXIT_FAILURE;
    63      }
    64  
    65      /* Public key creation using a valid context with a verified secret key should never fail */
    66      return_val = secp256k1_ec_pubkey_create(ctx, &pubkey, seckey);
    67      assert(return_val);
    68  
    69      /* Serialize the pubkey in a compressed form(33 bytes). Should always return 1. */
    70      len = sizeof(compressed_pubkey);
    71      return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey, &len, &pubkey, SECP256K1_EC_COMPRESSED);
    72      assert(return_val);
    73      /* Should be the same size as the size of the output, because we passed a 33 byte array. */
    74      assert(len == sizeof(compressed_pubkey));
    75  
    76      /*** Signing ***/
    77  
    78      /* Generate an ECDSA signature `noncefp` and `ndata` allows you to pass a
    79       * custom nonce function, passing `NULL` will use the RFC-6979 safe default.
    80       * Signing with a valid context, verified secret key
    81       * and the default nonce function should never fail. */
    82      return_val = secp256k1_ecdsa_sign(ctx, &sig, msg_hash, seckey, NULL, NULL);
    83      assert(return_val);
    84  
    85      /* Serialize the signature in a compact form. Should always return 1
    86       * according to the documentation in secp256k1.h. */
    87      return_val = secp256k1_ecdsa_signature_serialize_compact(ctx, serialized_signature, &sig);
    88      assert(return_val);
    89  
    90  
    91      /*** Verification ***/
    92  
    93      /* Deserialize the signature. This will return 0 if the signature can't be parsed correctly. */
    94      if (!secp256k1_ecdsa_signature_parse_compact(ctx, &sig, serialized_signature)) {
    95          printf("Failed parsing the signature\n");
    96          return EXIT_FAILURE;
    97      }
    98  
    99      /* Deserialize the public key. This will return 0 if the public key can't be parsed correctly. */
   100      if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, compressed_pubkey, sizeof(compressed_pubkey))) {
   101          printf("Failed parsing the public key\n");
   102          return EXIT_FAILURE;
   103      }
   104  
   105      /* Verify a signature. This will return 1 if it's valid and 0 if it's not. */
   106      is_signature_valid = secp256k1_ecdsa_verify(ctx, &sig, msg_hash, &pubkey);
   107  
   108      printf("Is the signature valid? %s\n", is_signature_valid ? "true" : "false");
   109      printf("Secret Key: ");
   110      print_hex(seckey, sizeof(seckey));
   111      printf("Public Key: ");
   112      print_hex(compressed_pubkey, sizeof(compressed_pubkey));
   113      printf("Signature: ");
   114      print_hex(serialized_signature, sizeof(serialized_signature));
   115  
   116      /* This will clear everything from the context and free the memory */
   117      secp256k1_context_destroy(ctx);
   118  
   119      /* Bonus example: if all we need is signature verification (and no key
   120         generation or signing), we don't need to use a context created via
   121         secp256k1_context_create(). We can simply use the static (i.e., global)
   122         context secp256k1_context_static. See its description in
   123         include/secp256k1.h for details. */
   124      is_signature_valid2 = secp256k1_ecdsa_verify(secp256k1_context_static,
   125                                                   &sig, msg_hash, &pubkey);
   126      assert(is_signature_valid2 == is_signature_valid);
   127  
   128      /* It's best practice to try to clear secrets from memory after using them.
   129       * This is done because some bugs can allow an attacker to leak memory, for
   130       * example through "out of bounds" array access (see Heartbleed), or the OS
   131       * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
   132       *
   133       * Here we are preventing these writes from being optimized out, as any good compiler
   134       * will remove any writes that aren't used. */
   135      secure_erase(seckey, sizeof(seckey));
   136  
   137      return EXIT_SUCCESS;
   138  }