github.com/neatlab/neatio@v1.7.3-0.20220425043230-d903e92fcc75/utilities/crypto/secp256k1/secp256.go (about)

     1  // Copyright 2015 The go-ethereum Authors
     2  // This file is part of the go-ethereum library.
     3  //
     4  // The go-ethereum library is free software: you can redistribute it and/or modify
     5  // it under the terms of the GNU Lesser General Public License as published by
     6  // the Free Software Foundation, either version 3 of the License, or
     7  // (at your option) any later version.
     8  //
     9  // The go-ethereum library is distributed in the hope that it will be useful,
    10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    12  // GNU Lesser General Public License for more details.
    13  //
    14  // You should have received a copy of the GNU Lesser General Public License
    15  // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
    16  
    17  // Package secp256k1 wraps the bitcoin secp256k1 C library.
    18  package secp256k1
    19  
    20  /*
    21  #cgo CFLAGS: -I./libsecp256k1
    22  #cgo CFLAGS: -I./libsecp256k1/src/
    23  #define USE_NUM_NONE
    24  #define USE_FIELD_10X26
    25  #define USE_FIELD_INV_BUILTIN
    26  #define USE_SCALAR_8X32
    27  #define USE_SCALAR_INV_BUILTIN
    28  #define NDEBUG
    29  #include "./libsecp256k1/src/secp256k1.c"
    30  #include "./libsecp256k1/src/modules/recovery/main_impl.h"
    31  #include "ext.h"
    32  
    33  typedef void (*callbackFunc) (const char* msg, void* data);
    34  extern void secp256k1GoPanicIllegal(const char* msg, void* data);
    35  extern void secp256k1GoPanicError(const char* msg, void* data);
    36  */
    37  import "C"
    38  
    39  import (
    40  	"errors"
    41  	"math/big"
    42  	"unsafe"
    43  )
    44  
    45  var context *C.secp256k1_context
    46  
    47  func init() {
    48  	// around 20 ms on a modern CPU.
    49  	context = C.secp256k1_context_create_sign_verify()
    50  	C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)
    51  	C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil)
    52  }
    53  
    54  var (
    55  	ErrInvalidMsgLen       = errors.New("invalid message length, need 32 bytes")
    56  	ErrInvalidSignatureLen = errors.New("invalid signature length")
    57  	ErrInvalidRecoveryID   = errors.New("invalid signature recovery id")
    58  	ErrInvalidKey          = errors.New("invalid private key")
    59  	ErrInvalidPubkey       = errors.New("invalid public key")
    60  	ErrSignFailed          = errors.New("signing failed")
    61  	ErrRecoverFailed       = errors.New("recovery failed")
    62  )
    63  
    64  // Sign creates a recoverable ECDSA signature.
    65  // The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1.
    66  //
    67  // The caller is responsible for ensuring that msg cannot be chosen
    68  // directly by an attacker. It is usually preferable to use a cryptographic
    69  // hash function on any input before handing it to this function.
    70  func Sign(msg []byte, seckey []byte) ([]byte, error) {
    71  	if len(msg) != 32 {
    72  		return nil, ErrInvalidMsgLen
    73  	}
    74  	if len(seckey) != 32 {
    75  		return nil, ErrInvalidKey
    76  	}
    77  	seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0]))
    78  	if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 {
    79  		return nil, ErrInvalidKey
    80  	}
    81  
    82  	var (
    83  		msgdata   = (*C.uchar)(unsafe.Pointer(&msg[0]))
    84  		noncefunc = C.secp256k1_nonce_function_rfc6979
    85  		sigstruct C.secp256k1_ecdsa_recoverable_signature
    86  	)
    87  	if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 {
    88  		return nil, ErrSignFailed
    89  	}
    90  
    91  	var (
    92  		sig     = make([]byte, 65)
    93  		sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
    94  		recid   C.int
    95  	)
    96  	C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct)
    97  	sig[64] = byte(recid) // add back recid to get 65 bytes sig
    98  	return sig, nil
    99  }
   100  
   101  // RecoverPubkey returns the the public key of the signer.
   102  // msg must be the 32-byte hash of the message to be signed.
   103  // sig must be a 65-byte compact ECDSA signature containing the
   104  // recovery id as the last element.
   105  func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) {
   106  	if len(msg) != 32 {
   107  		return nil, ErrInvalidMsgLen
   108  	}
   109  	if err := checkSignature(sig); err != nil {
   110  		return nil, err
   111  	}
   112  
   113  	var (
   114  		pubkey  = make([]byte, 65)
   115  		sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
   116  		msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))
   117  	)
   118  	if C.secp256k1_ext_ecdsa_recover(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 {
   119  		return nil, ErrRecoverFailed
   120  	}
   121  	return pubkey, nil
   122  }
   123  
   124  // VerifySignature checks that the given pubkey created signature over message.
   125  // The signature should be in [R || S] format.
   126  func VerifySignature(pubkey, msg, signature []byte) bool {
   127  	if len(msg) != 32 || len(signature) != 64 || len(pubkey) == 0 {
   128  		return false
   129  	}
   130  	sigdata := (*C.uchar)(unsafe.Pointer(&signature[0]))
   131  	msgdata := (*C.uchar)(unsafe.Pointer(&msg[0]))
   132  	keydata := (*C.uchar)(unsafe.Pointer(&pubkey[0]))
   133  	return C.secp256k1_ext_ecdsa_verify(context, sigdata, msgdata, keydata, C.size_t(len(pubkey))) != 0
   134  }
   135  
   136  // DecompressPubkey parses a public key in the 33-byte compressed format.
   137  // It returns non-nil coordinates if the public key is valid.
   138  func DecompressPubkey(pubkey []byte) (x, y *big.Int) {
   139  	if len(pubkey) != 33 {
   140  		return nil, nil
   141  	}
   142  	var (
   143  		pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0]))
   144  		pubkeylen  = C.size_t(len(pubkey))
   145  		out        = make([]byte, 65)
   146  		outdata    = (*C.uchar)(unsafe.Pointer(&out[0]))
   147  		outlen     = C.size_t(len(out))
   148  	)
   149  	if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 {
   150  		return nil, nil
   151  	}
   152  	return new(big.Int).SetBytes(out[1:33]), new(big.Int).SetBytes(out[33:])
   153  }
   154  
   155  // CompressPubkey encodes a public key to 33-byte compressed format.
   156  func CompressPubkey(x, y *big.Int) []byte {
   157  	var (
   158  		pubkey     = S256().Marshal(x, y)
   159  		pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0]))
   160  		pubkeylen  = C.size_t(len(pubkey))
   161  		out        = make([]byte, 33)
   162  		outdata    = (*C.uchar)(unsafe.Pointer(&out[0]))
   163  		outlen     = C.size_t(len(out))
   164  	)
   165  	if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 {
   166  		panic("libsecp256k1 error")
   167  	}
   168  	return out
   169  }
   170  
   171  func checkSignature(sig []byte) error {
   172  	if len(sig) != 65 {
   173  		return ErrInvalidSignatureLen
   174  	}
   175  	if sig[64] >= 4 {
   176  		return ErrInvalidRecoveryID
   177  	}
   178  	return nil
   179  }