github.com/theQRL/go-zond@v0.1.1/crypto/signature_nocgo.go (about)

     1  // Copyright 2017 The go-ethereum Authors
     2  // This file is part of the go-ethereum library.
     3  //
     4  // The go-ethereum library is free software: you can redistribute it and/or modify
     5  // it under the terms of the GNU Lesser General Public License as published by
     6  // the Free Software Foundation, either version 3 of the License, or
     7  // (at your option) any later version.
     8  //
     9  // The go-ethereum library is distributed in the hope that it will be useful,
    10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    12  // GNU Lesser General Public License for more details.
    13  //
    14  // You should have received a copy of the GNU Lesser General Public License
    15  // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
    16  
    17  //go:build nacl || js || !cgo || gofuzz
    18  // +build nacl js !cgo gofuzz
    19  
    20  package crypto
    21  
    22  import (
    23  	"crypto/ecdsa"
    24  	"crypto/elliptic"
    25  	"errors"
    26  	"fmt"
    27  
    28  	"github.com/btcsuite/btcd/btcec/v2"
    29  	btc_ecdsa "github.com/btcsuite/btcd/btcec/v2/ecdsa"
    30  )
    31  
    32  // Ecrecover returns the uncompressed public key that created the given signature.
    33  func Ecrecover(hash, sig []byte) ([]byte, error) {
    34  	pub, err := sigToPub(hash, sig)
    35  	if err != nil {
    36  		return nil, err
    37  	}
    38  	bytes := pub.SerializeUncompressed()
    39  	return bytes, err
    40  }
    41  
    42  func sigToPub(hash, sig []byte) (*btcec.PublicKey, error) {
    43  	if len(sig) != SignatureLength {
    44  		return nil, errors.New("invalid signature")
    45  	}
    46  	// Convert to btcec input format with 'recovery id' v at the beginning.
    47  	btcsig := make([]byte, SignatureLength)
    48  	btcsig[0] = sig[RecoveryIDOffset] + 27
    49  	copy(btcsig[1:], sig)
    50  
    51  	pub, _, err := btc_ecdsa.RecoverCompact(btcsig, hash)
    52  	return pub, err
    53  }
    54  
    55  // SigToPub returns the public key that created the given signature.
    56  func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) {
    57  	pub, err := sigToPub(hash, sig)
    58  	if err != nil {
    59  		return nil, err
    60  	}
    61  	return pub.ToECDSA(), nil
    62  }
    63  
    64  // Sign calculates an ECDSA signature.
    65  //
    66  // This function is susceptible to chosen plaintext attacks that can leak
    67  // information about the private key that is used for signing. Callers must
    68  // be aware that the given hash cannot be chosen by an adversary. Common
    69  // solution is to hash any input before calculating the signature.
    70  //
    71  // The produced signature is in the [R || S || V] format where V is 0 or 1.
    72  func Sign(hash []byte, prv *ecdsa.PrivateKey) ([]byte, error) {
    73  	if len(hash) != 32 {
    74  		return nil, fmt.Errorf("hash is required to be exactly 32 bytes (%d)", len(hash))
    75  	}
    76  	if prv.Curve != btcec.S256() {
    77  		return nil, errors.New("private key curve is not secp256k1")
    78  	}
    79  	// ecdsa.PrivateKey -> btcec.PrivateKey
    80  	var priv btcec.PrivateKey
    81  	if overflow := priv.Key.SetByteSlice(prv.D.Bytes()); overflow || priv.Key.IsZero() {
    82  		return nil, errors.New("invalid private key")
    83  	}
    84  	defer priv.Zero()
    85  	sig, err := btc_ecdsa.SignCompact(&priv, hash, false) // ref uncompressed pubkey
    86  	if err != nil {
    87  		return nil, err
    88  	}
    89  	// Convert to Ethereum signature format with 'recovery id' v at the end.
    90  	v := sig[0] - 27
    91  	copy(sig, sig[1:])
    92  	sig[RecoveryIDOffset] = v
    93  	return sig, nil
    94  }
    95  
    96  // VerifySignature checks that the given public key created signature over hash.
    97  // The public key should be in compressed (33 bytes) or uncompressed (65 bytes) format.
    98  // The signature should have the 64 byte [R || S] format.
    99  func VerifySignature(pubkey, hash, signature []byte) bool {
   100  	if len(signature) != 64 {
   101  		return false
   102  	}
   103  	var r, s btcec.ModNScalar
   104  	if r.SetByteSlice(signature[:32]) {
   105  		return false // overflow
   106  	}
   107  	if s.SetByteSlice(signature[32:]) {
   108  		return false
   109  	}
   110  	sig := btc_ecdsa.NewSignature(&r, &s)
   111  	key, err := btcec.ParsePubKey(pubkey)
   112  	if err != nil {
   113  		return false
   114  	}
   115  	// Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.
   116  	if s.IsOverHalfOrder() {
   117  		return false
   118  	}
   119  	return sig.Verify(hash, key)
   120  }
   121  
   122  // DecompressPubkey parses a public key in the 33-byte compressed format.
   123  func DecompressPubkey(pubkey []byte) (*ecdsa.PublicKey, error) {
   124  	if len(pubkey) != 33 {
   125  		return nil, errors.New("invalid compressed public key length")
   126  	}
   127  	key, err := btcec.ParsePubKey(pubkey)
   128  	if err != nil {
   129  		return nil, err
   130  	}
   131  	return key.ToECDSA(), nil
   132  }
   133  
   134  // CompressPubkey encodes a public key to the 33-byte compressed format. The
   135  // provided PublicKey must be valid. Namely, the coordinates must not be larger
   136  // than 32 bytes each, they must be less than the field prime, and it must be a
   137  // point on the secp256k1 curve. This is the case for a PublicKey constructed by
   138  // elliptic.Unmarshal (see UnmarshalPubkey), or by ToECDSA and ecdsa.GenerateKey
   139  // when constructing a PrivateKey.
   140  func CompressPubkey(pubkey *ecdsa.PublicKey) []byte {
   141  	// NOTE: the coordinates may be validated with
   142  	// btcec.ParsePubKey(FromECDSAPub(pubkey))
   143  	var x, y btcec.FieldVal
   144  	x.SetByteSlice(pubkey.X.Bytes())
   145  	y.SetByteSlice(pubkey.Y.Bytes())
   146  	return btcec.NewPublicKey(&x, &y).SerializeCompressed()
   147  }
   148  
   149  // S256 returns an instance of the secp256k1 curve.
   150  func S256() elliptic.Curve {
   151  	return btcec.S256()
   152  }