github.com/googgoog/go-ethereum@v1.9.7/crypto/secp256k1/secp256.go (about) 1 // Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be found in 3 // the LICENSE file. 4 5 // Package secp256k1 wraps the bitcoin secp256k1 C library. 6 package secp256k1 7 8 /* 9 #cgo CFLAGS: -I./libsecp256k1 10 #cgo CFLAGS: -I./libsecp256k1/src/ 11 #define USE_NUM_NONE 12 #define USE_FIELD_10X26 13 #define USE_FIELD_INV_BUILTIN 14 #define USE_SCALAR_8X32 15 #define USE_SCALAR_INV_BUILTIN 16 #define NDEBUG 17 #include "./libsecp256k1/src/secp256k1.c" 18 #include "./libsecp256k1/src/modules/recovery/main_impl.h" 19 #include "ext.h" 20 21 typedef void (*callbackFunc) (const char* msg, void* data); 22 extern void secp256k1GoPanicIllegal(const char* msg, void* data); 23 extern void secp256k1GoPanicError(const char* msg, void* data); 24 */ 25 import "C" 26 27 import ( 28 "errors" 29 "math/big" 30 "unsafe" 31 ) 32 33 var context *C.secp256k1_context 34 35 func init() { 36 // around 20 ms on a modern CPU. 37 context = C.secp256k1_context_create_sign_verify() 38 C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil) 39 C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil) 40 } 41 42 var ( 43 ErrInvalidMsgLen = errors.New("invalid message length, need 32 bytes") 44 ErrInvalidSignatureLen = errors.New("invalid signature length") 45 ErrInvalidRecoveryID = errors.New("invalid signature recovery id") 46 ErrInvalidKey = errors.New("invalid private key") 47 ErrInvalidPubkey = errors.New("invalid public key") 48 ErrSignFailed = errors.New("signing failed") 49 ErrRecoverFailed = errors.New("recovery failed") 50 ) 51 52 // Sign creates a recoverable ECDSA signature. 53 // The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1. 54 // 55 // The caller is responsible for ensuring that msg cannot be chosen 56 // directly by an attacker. It is usually preferable to use a cryptographic 57 // hash function on any input before handing it to this function. 58 func Sign(msg []byte, seckey []byte) ([]byte, error) { 59 if len(msg) != 32 { 60 return nil, ErrInvalidMsgLen 61 } 62 if len(seckey) != 32 { 63 return nil, ErrInvalidKey 64 } 65 seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0])) 66 if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 { 67 return nil, ErrInvalidKey 68 } 69 70 var ( 71 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 72 noncefunc = C.secp256k1_nonce_function_rfc6979 73 sigstruct C.secp256k1_ecdsa_recoverable_signature 74 ) 75 if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 { 76 return nil, ErrSignFailed 77 } 78 79 var ( 80 sig = make([]byte, 65) 81 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 82 recid C.int 83 ) 84 C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct) 85 sig[64] = byte(recid) // add back recid to get 65 bytes sig 86 return sig, nil 87 } 88 89 // RecoverPubkey returns the public key of the signer. 90 // msg must be the 32-byte hash of the message to be signed. 91 // sig must be a 65-byte compact ECDSA signature containing the 92 // recovery id as the last element. 93 func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) { 94 if len(msg) != 32 { 95 return nil, ErrInvalidMsgLen 96 } 97 if err := checkSignature(sig); err != nil { 98 return nil, err 99 } 100 101 var ( 102 pubkey = make([]byte, 65) 103 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 104 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 105 ) 106 if C.secp256k1_ext_ecdsa_recover(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 { 107 return nil, ErrRecoverFailed 108 } 109 return pubkey, nil 110 } 111 112 // VerifySignature checks that the given pubkey created signature over message. 113 // The signature should be in [R || S] format. 114 func VerifySignature(pubkey, msg, signature []byte) bool { 115 if len(msg) != 32 || len(signature) != 64 || len(pubkey) == 0 { 116 return false 117 } 118 sigdata := (*C.uchar)(unsafe.Pointer(&signature[0])) 119 msgdata := (*C.uchar)(unsafe.Pointer(&msg[0])) 120 keydata := (*C.uchar)(unsafe.Pointer(&pubkey[0])) 121 return C.secp256k1_ext_ecdsa_verify(context, sigdata, msgdata, keydata, C.size_t(len(pubkey))) != 0 122 } 123 124 // DecompressPubkey parses a public key in the 33-byte compressed format. 125 // It returns non-nil coordinates if the public key is valid. 126 func DecompressPubkey(pubkey []byte) (x, y *big.Int) { 127 if len(pubkey) != 33 { 128 return nil, nil 129 } 130 var ( 131 pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0])) 132 pubkeylen = C.size_t(len(pubkey)) 133 out = make([]byte, 65) 134 outdata = (*C.uchar)(unsafe.Pointer(&out[0])) 135 outlen = C.size_t(len(out)) 136 ) 137 if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 { 138 return nil, nil 139 } 140 return new(big.Int).SetBytes(out[1:33]), new(big.Int).SetBytes(out[33:]) 141 } 142 143 // CompressPubkey encodes a public key to 33-byte compressed format. 144 func CompressPubkey(x, y *big.Int) []byte { 145 var ( 146 pubkey = S256().Marshal(x, y) 147 pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0])) 148 pubkeylen = C.size_t(len(pubkey)) 149 out = make([]byte, 33) 150 outdata = (*C.uchar)(unsafe.Pointer(&out[0])) 151 outlen = C.size_t(len(out)) 152 ) 153 if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 { 154 panic("libsecp256k1 error") 155 } 156 return out 157 } 158 159 func checkSignature(sig []byte) error { 160 if len(sig) != 65 { 161 return ErrInvalidSignatureLen 162 } 163 if sig[64] >= 4 { 164 return ErrInvalidRecoveryID 165 } 166 return nil 167 }