github.com/jimmyx0x/go-ethereum@v1.10.28/crypto/secp256k1/secp256.go (about) 1 // Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be found in 3 // the LICENSE file. 4 5 //go:build !gofuzz && cgo 6 // +build !gofuzz,cgo 7 8 // Package secp256k1 wraps the bitcoin secp256k1 C library. 9 package secp256k1 10 11 /* 12 #cgo CFLAGS: -I./libsecp256k1 13 #cgo CFLAGS: -I./libsecp256k1/src/ 14 15 #ifdef __SIZEOF_INT128__ 16 # define HAVE___INT128 17 # define USE_FIELD_5X52 18 # define USE_SCALAR_4X64 19 #else 20 # define USE_FIELD_10X26 21 # define USE_SCALAR_8X32 22 #endif 23 24 #define USE_ENDOMORPHISM 25 #define USE_NUM_NONE 26 #define USE_FIELD_INV_BUILTIN 27 #define USE_SCALAR_INV_BUILTIN 28 #define NDEBUG 29 #include "./libsecp256k1/src/secp256k1.c" 30 #include "./libsecp256k1/src/modules/recovery/main_impl.h" 31 #include "ext.h" 32 33 typedef void (*callbackFunc) (const char* msg, void* data); 34 extern void secp256k1GoPanicIllegal(const char* msg, void* data); 35 extern void secp256k1GoPanicError(const char* msg, void* data); 36 */ 37 import "C" 38 39 import ( 40 "errors" 41 "math/big" 42 "unsafe" 43 ) 44 45 var context *C.secp256k1_context 46 47 func init() { 48 // around 20 ms on a modern CPU. 49 context = C.secp256k1_context_create_sign_verify() 50 C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil) 51 C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil) 52 } 53 54 var ( 55 ErrInvalidMsgLen = errors.New("invalid message length, need 32 bytes") 56 ErrInvalidSignatureLen = errors.New("invalid signature length") 57 ErrInvalidRecoveryID = errors.New("invalid signature recovery id") 58 ErrInvalidKey = errors.New("invalid private key") 59 ErrInvalidPubkey = errors.New("invalid public key") 60 ErrSignFailed = errors.New("signing failed") 61 ErrRecoverFailed = errors.New("recovery failed") 62 ) 63 64 // Sign creates a recoverable ECDSA signature. 65 // The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1. 66 // 67 // The caller is responsible for ensuring that msg cannot be chosen 68 // directly by an attacker. It is usually preferable to use a cryptographic 69 // hash function on any input before handing it to this function. 70 func Sign(msg []byte, seckey []byte) ([]byte, error) { 71 if len(msg) != 32 { 72 return nil, ErrInvalidMsgLen 73 } 74 if len(seckey) != 32 { 75 return nil, ErrInvalidKey 76 } 77 seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0])) 78 if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 { 79 return nil, ErrInvalidKey 80 } 81 82 var ( 83 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 84 noncefunc = C.secp256k1_nonce_function_rfc6979 85 sigstruct C.secp256k1_ecdsa_recoverable_signature 86 ) 87 if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 { 88 return nil, ErrSignFailed 89 } 90 91 var ( 92 sig = make([]byte, 65) 93 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 94 recid C.int 95 ) 96 C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct) 97 sig[64] = byte(recid) // add back recid to get 65 bytes sig 98 return sig, nil 99 } 100 101 // RecoverPubkey returns the public key of the signer. 102 // msg must be the 32-byte hash of the message to be signed. 103 // sig must be a 65-byte compact ECDSA signature containing the 104 // recovery id as the last element. 105 func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) { 106 if len(msg) != 32 { 107 return nil, ErrInvalidMsgLen 108 } 109 if err := checkSignature(sig); err != nil { 110 return nil, err 111 } 112 113 var ( 114 pubkey = make([]byte, 65) 115 sigdata = (*C.uchar)(unsafe.Pointer(&sig[0])) 116 msgdata = (*C.uchar)(unsafe.Pointer(&msg[0])) 117 ) 118 if C.secp256k1_ext_ecdsa_recover(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 { 119 return nil, ErrRecoverFailed 120 } 121 return pubkey, nil 122 } 123 124 // VerifySignature checks that the given pubkey created signature over message. 125 // The signature should be in [R || S] format. 126 func VerifySignature(pubkey, msg, signature []byte) bool { 127 if len(msg) != 32 || len(signature) != 64 || len(pubkey) == 0 { 128 return false 129 } 130 sigdata := (*C.uchar)(unsafe.Pointer(&signature[0])) 131 msgdata := (*C.uchar)(unsafe.Pointer(&msg[0])) 132 keydata := (*C.uchar)(unsafe.Pointer(&pubkey[0])) 133 return C.secp256k1_ext_ecdsa_verify(context, sigdata, msgdata, keydata, C.size_t(len(pubkey))) != 0 134 } 135 136 // DecompressPubkey parses a public key in the 33-byte compressed format. 137 // It returns non-nil coordinates if the public key is valid. 138 func DecompressPubkey(pubkey []byte) (x, y *big.Int) { 139 if len(pubkey) != 33 { 140 return nil, nil 141 } 142 var ( 143 pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0])) 144 pubkeylen = C.size_t(len(pubkey)) 145 out = make([]byte, 65) 146 outdata = (*C.uchar)(unsafe.Pointer(&out[0])) 147 outlen = C.size_t(len(out)) 148 ) 149 if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 { 150 return nil, nil 151 } 152 return new(big.Int).SetBytes(out[1:33]), new(big.Int).SetBytes(out[33:]) 153 } 154 155 // CompressPubkey encodes a public key to 33-byte compressed format. 156 func CompressPubkey(x, y *big.Int) []byte { 157 var ( 158 pubkey = S256().Marshal(x, y) 159 pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0])) 160 pubkeylen = C.size_t(len(pubkey)) 161 out = make([]byte, 33) 162 outdata = (*C.uchar)(unsafe.Pointer(&out[0])) 163 outlen = C.size_t(len(out)) 164 ) 165 if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 { 166 panic("libsecp256k1 error") 167 } 168 return out 169 } 170 171 func checkSignature(sig []byte) error { 172 if len(sig) != 65 { 173 return ErrInvalidSignatureLen 174 } 175 if sig[64] >= 4 { 176 return ErrInvalidRecoveryID 177 } 178 return nil 179 }