github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/secp256.go (about) 1 // Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be found in 3 // the LICENSE file. 4 5 //go:build !gofuzz && cgo 6 // +build !gofuzz,cgo 7 8 // Package secp256k1 wraps the bitcoin secp256k1 C library. 9 package secp256k1 10 11 /* 12 #cgo CFLAGS: -I./libsecp256k1 13 #cgo CFLAGS: -I./libsecp256k1/src/ 14 15 #ifndef NDEBUG 16 # define NDEBUG 17 #endif 18 19 #include "./libsecp256k1/src/secp256k1.c" 20 #include "./libsecp256k1/src/modules/recovery/main_impl.h" 21 #include "./libsecp256k1/src/precomputed_ecmult.c" 22 #include "./libsecp256k1/src/precomputed_ecmult_gen.c" 23 #include "ext.h" 24 25 typedef void (*callbackFunc) (const char* msg, void* data); 26 extern void secp256k1GoPanicIllegal(const char* msg, void* data); 27 extern void secp256k1GoPanicError(const char* msg, void* data); 28 */ 29 import "C" 30 31 import ( 32 "errors" 33 "math/big" 34 "unsafe" 35 ) 36 37 var context *C.secp256k1_context 38 39 func init() { 40 // around 20 ms on a modern CPU. 41 context = C.secp256k1_context_create_sign_verify() 42 C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil) 43 C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil) 44 } 45 46 var ( 47 ErrInvalidMsgLen = errors.New("invalid message length, need 32 bytes") 48 ErrInvalidSignatureLen = errors.New("invalid signature length") 49 ErrInvalidRecoveryID = errors.New("invalid signature recovery id") 50 ErrInvalidKey = errors.New("invalid private key") 51 ErrInvalidPubkey = errors.New("invalid public key") 52 ErrSignFailed = errors.New("signing failed") 53 ErrRecoverFailed = errors.New("recovery failed") 54 ) 55 56 // Sign creates a recoverable ECDSA signature. 57 // The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1. 58 // 59 // The caller is responsible for ensuring that msg cannot be chosen 60 // directly by an attacker. It is usually preferable to use a cryptographic 61 // hash function on any input before handing it to this function. 62 func Sign(msg []byte, seckey []byte) ([]byte, error) { 63 if len(msg) != 32 { 64 return nil, ErrInvalidMsgLen 65 } 66 if len(seckey) != 32 { 67 return nil, ErrInvalidKey 68 } 69 seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0])) 70 if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 { 71 return nil, ErrInvalidKey 72 } 73 74 var ( 75 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 76 noncefunc = C.secp256k1_nonce_function_rfc6979 77 sigstruct C.secp256k1_ecdsa_recoverable_signature 78 ) 79 if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 { 80 return nil, ErrSignFailed 81 } 82 83 var ( 84 sig = make([]byte, 65) 85 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 86 recid C.int 87 ) 88 C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct) 89 sig[64] = byte(recid) // add back recid to get 65 bytes sig 90 return sig, nil 91 } 92 93 // RecoverPubkey returns the public key of the signer. 94 // msg must be the 32-byte hash of the message to be signed. 95 // sig must be a 65-byte compact ECDSA signature containing the 96 // recovery id as the last element. 97 func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) { 98 if len(msg) != 32 { 99 return nil, ErrInvalidMsgLen 100 } 101 if err := checkSignature(sig); err != nil { 102 return nil, err 103 } 104 105 var ( 106 pubkey = make([]byte, 65) 107 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 108 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 109 ) 110 if C.secp256k1_ext_ecdsa_recover(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 { 111 return nil, ErrRecoverFailed 112 } 113 return pubkey, nil 114 } 115 116 // VerifySignature checks that the given pubkey created signature over message. 117 // The signature should be in [R || S] format. 118 func VerifySignature(pubkey, msg, signature []byte) bool { 119 if len(msg) != 32 || len(signature) != 64 || len(pubkey) == 0 { 120 return false 121 } 122 sigdata := (*C.uchar)(unsafe.Pointer(&signature[0])) 123 msgdata := (*C.uchar)(unsafe.Pointer(&msg[0])) 124 keydata := (*C.uchar)(unsafe.Pointer(&pubkey[0])) 125 return C.secp256k1_ext_ecdsa_verify(context, sigdata, msgdata, keydata, C.size_t(len(pubkey))) != 0 126 } 127 128 // DecompressPubkey parses a public key in the 33-byte compressed format. 129 // It returns non-nil coordinates if the public key is valid. 130 func DecompressPubkey(pubkey []byte) (x, y *big.Int) { 131 if len(pubkey) != 33 { 132 return nil, nil 133 } 134 var ( 135 pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0])) 136 pubkeylen = C.size_t(len(pubkey)) 137 out = make([]byte, 65) 138 outdata = (*C.uchar)(unsafe.Pointer(&out[0])) 139 outlen = C.size_t(len(out)) 140 ) 141 if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 { 142 return nil, nil 143 } 144 return new(big.Int).SetBytes(out[1:33]), new(big.Int).SetBytes(out[33:]) 145 } 146 147 // CompressPubkey encodes a public key to 33-byte compressed format. 148 func CompressPubkey(x, y *big.Int) []byte { 149 var ( 150 pubkey = S256().Marshal(x, y) 151 pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0])) 152 pubkeylen = C.size_t(len(pubkey)) 153 out = make([]byte, 33) 154 outdata = (*C.uchar)(unsafe.Pointer(&out[0])) 155 outlen = C.size_t(len(out)) 156 ) 157 if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 { 158 panic("libsecp256k1 error") 159 } 160 return out 161 } 162 163 func checkSignature(sig []byte) error { 164 if len(sig) != 65 { 165 return ErrInvalidSignatureLen 166 } 167 if sig[64] >= 4 { 168 return ErrInvalidRecoveryID 169 } 170 return nil 171 }