github.com/googgoog/go-ethereum@v1.9.7/crypto/secp256k1/secp256.go (about)

     1  // Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved.
     2  // Use of this source code is governed by a BSD-style license that can be found in
     3  // the LICENSE file.
     4  
     5  // Package secp256k1 wraps the bitcoin secp256k1 C library.
     6  package secp256k1
     7  
     8  /*
     9  #cgo CFLAGS: -I./libsecp256k1
    10  #cgo CFLAGS: -I./libsecp256k1/src/
    11  #define USE_NUM_NONE
    12  #define USE_FIELD_10X26
    13  #define USE_FIELD_INV_BUILTIN
    14  #define USE_SCALAR_8X32
    15  #define USE_SCALAR_INV_BUILTIN
    16  #define NDEBUG
    17  #include "./libsecp256k1/src/secp256k1.c"
    18  #include "./libsecp256k1/src/modules/recovery/main_impl.h"
    19  #include "ext.h"
    20  
    21  typedef void (*callbackFunc) (const char* msg, void* data);
    22  extern void secp256k1GoPanicIllegal(const char* msg, void* data);
    23  extern void secp256k1GoPanicError(const char* msg, void* data);
    24  */
    25  import "C"
    26  
    27  import (
    28  	"errors"
    29  	"math/big"
    30  	"unsafe"
    31  )
    32  
    33  var context *C.secp256k1_context
    34  
    35  func init() {
    36  	// around 20 ms on a modern CPU.
    37  	context = C.secp256k1_context_create_sign_verify()
    38  	C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)
    39  	C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil)
    40  }
    41  
    42  var (
    43  	ErrInvalidMsgLen       = errors.New("invalid message length, need 32 bytes")
    44  	ErrInvalidSignatureLen = errors.New("invalid signature length")
    45  	ErrInvalidRecoveryID   = errors.New("invalid signature recovery id")
    46  	ErrInvalidKey          = errors.New("invalid private key")
    47  	ErrInvalidPubkey       = errors.New("invalid public key")
    48  	ErrSignFailed          = errors.New("signing failed")
    49  	ErrRecoverFailed       = errors.New("recovery failed")
    50  )
    51  
    52  // Sign creates a recoverable ECDSA signature.
    53  // The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1.
    54  //
    55  // The caller is responsible for ensuring that msg cannot be chosen
    56  // directly by an attacker. It is usually preferable to use a cryptographic
    57  // hash function on any input before handing it to this function.
    58  func Sign(msg []byte, seckey []byte) ([]byte, error) {
    59  	if len(msg) != 32 {
    60  		return nil, ErrInvalidMsgLen
    61  	}
    62  	if len(seckey) != 32 {
    63  		return nil, ErrInvalidKey
    64  	}
    65  	seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0]))
    66  	if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 {
    67  		return nil, ErrInvalidKey
    68  	}
    69  
    70  	var (
    71  		msgdata   = (*C.uchar)(unsafe.Pointer(&msg[0]))
    72  		noncefunc = C.secp256k1_nonce_function_rfc6979
    73  		sigstruct C.secp256k1_ecdsa_recoverable_signature
    74  	)
    75  	if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 {
    76  		return nil, ErrSignFailed
    77  	}
    78  
    79  	var (
    80  		sig     = make([]byte, 65)
    81  		sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
    82  		recid   C.int
    83  	)
    84  	C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct)
    85  	sig[64] = byte(recid) // add back recid to get 65 bytes sig
    86  	return sig, nil
    87  }
    88  
    89  // RecoverPubkey returns the public key of the signer.
    90  // msg must be the 32-byte hash of the message to be signed.
    91  // sig must be a 65-byte compact ECDSA signature containing the
    92  // recovery id as the last element.
    93  func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) {
    94  	if len(msg) != 32 {
    95  		return nil, ErrInvalidMsgLen
    96  	}
    97  	if err := checkSignature(sig); err != nil {
    98  		return nil, err
    99  	}
   100  
   101  	var (
   102  		pubkey  = make([]byte, 65)
   103  		sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
   104  		msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))
   105  	)
   106  	if C.secp256k1_ext_ecdsa_recover(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 {
   107  		return nil, ErrRecoverFailed
   108  	}
   109  	return pubkey, nil
   110  }
   111  
   112  // VerifySignature checks that the given pubkey created signature over message.
   113  // The signature should be in [R || S] format.
   114  func VerifySignature(pubkey, msg, signature []byte) bool {
   115  	if len(msg) != 32 || len(signature) != 64 || len(pubkey) == 0 {
   116  		return false
   117  	}
   118  	sigdata := (*C.uchar)(unsafe.Pointer(&signature[0]))
   119  	msgdata := (*C.uchar)(unsafe.Pointer(&msg[0]))
   120  	keydata := (*C.uchar)(unsafe.Pointer(&pubkey[0]))
   121  	return C.secp256k1_ext_ecdsa_verify(context, sigdata, msgdata, keydata, C.size_t(len(pubkey))) != 0
   122  }
   123  
   124  // DecompressPubkey parses a public key in the 33-byte compressed format.
   125  // It returns non-nil coordinates if the public key is valid.
   126  func DecompressPubkey(pubkey []byte) (x, y *big.Int) {
   127  	if len(pubkey) != 33 {
   128  		return nil, nil
   129  	}
   130  	var (
   131  		pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0]))
   132  		pubkeylen  = C.size_t(len(pubkey))
   133  		out        = make([]byte, 65)
   134  		outdata    = (*C.uchar)(unsafe.Pointer(&out[0]))
   135  		outlen     = C.size_t(len(out))
   136  	)
   137  	if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 {
   138  		return nil, nil
   139  	}
   140  	return new(big.Int).SetBytes(out[1:33]), new(big.Int).SetBytes(out[33:])
   141  }
   142  
   143  // CompressPubkey encodes a public key to 33-byte compressed format.
   144  func CompressPubkey(x, y *big.Int) []byte {
   145  	var (
   146  		pubkey     = S256().Marshal(x, y)
   147  		pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0]))
   148  		pubkeylen  = C.size_t(len(pubkey))
   149  		out        = make([]byte, 33)
   150  		outdata    = (*C.uchar)(unsafe.Pointer(&out[0]))
   151  		outlen     = C.size_t(len(out))
   152  	)
   153  	if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 {
   154  		panic("libsecp256k1 error")
   155  	}
   156  	return out
   157  }
   158  
   159  func checkSignature(sig []byte) error {
   160  	if len(sig) != 65 {
   161  		return ErrInvalidSignatureLen
   162  	}
   163  	if sig[64] >= 4 {
   164  		return ErrInvalidRecoveryID
   165  	}
   166  	return nil
   167  }