github.com/tickstep/library-go@v0.1.1/crypto/secp256k1/secp256k1.go (about) 1 package secp256k1 2 3 import ( 4 "bytes" 5 "crypto/sha256" 6 "crypto/subtle" 7 "fmt" 8 "github.com/tickstep/library-go/crypto" 9 "io" 10 "math/big" 11 12 secp256k1 "github.com/btcsuite/btcd/btcec" 13 14 // necessary for Bitcoin address format 15 "golang.org/x/crypto/ripemd160" // nolint 16 ) 17 18 //------------------------------------- 19 const ( 20 KeyType = "secp256k1" 21 PrivKeySize = 32 22 ) 23 24 func init() { 25 } 26 27 var _ crypto.PrivKey = PrivKey{} 28 29 // PrivKey implements PrivKey. 30 type PrivKey []byte 31 32 // Bytes marshalls the private key using amino encoding. 33 func (privKey PrivKey) Bytes() []byte { 34 return []byte(privKey) 35 } 36 37 // PubKey performs the point-scalar multiplication from the privKey on the 38 // generator point to get the pubkey. 39 func (privKey PrivKey) PubKey() crypto.PubKey { 40 _, pubkeyObject := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey) 41 42 pk := pubkeyObject.SerializeCompressed() 43 44 return PubKey(pk) 45 } 46 47 // Equals - you probably don't need to use this. 48 // Runs in constant time based on length of the keys. 49 func (privKey PrivKey) Equals(other crypto.PrivKey) bool { 50 if otherSecp, ok := other.(PrivKey); ok { 51 return subtle.ConstantTimeCompare(privKey[:], otherSecp[:]) == 1 52 } 53 return false 54 } 55 56 func (privKey PrivKey) Type() string { 57 return KeyType 58 } 59 60 // GenPrivKey generates a new ECDSA private key on curve secp256k1 private key. 61 // It uses OS randomness to generate the private key. 62 func GenPrivKey() PrivKey { 63 return genPrivKey(crypto.CReader()) 64 } 65 66 // genPrivKey generates a new secp256k1 private key using the provided reader. 67 func genPrivKey(rand io.Reader) PrivKey { 68 var privKeyBytes [PrivKeySize]byte 69 d := new(big.Int) 70 71 for { 72 privKeyBytes = [PrivKeySize]byte{} 73 _, err := io.ReadFull(rand, privKeyBytes[:]) 74 if err != nil { 75 panic(err) 76 } 77 78 d.SetBytes(privKeyBytes[:]) 79 // break if we found a valid point (i.e. > 0 and < N == curverOrder) 80 isValidFieldElement := 0 < d.Sign() && d.Cmp(secp256k1.S256().N) < 0 81 if isValidFieldElement { 82 break 83 } 84 } 85 86 return PrivKey(privKeyBytes[:]) 87 } 88 89 var one = new(big.Int).SetInt64(1) 90 91 // GenPrivKeySecp256k1 hashes the secret with SHA2, and uses 92 // that 32 byte output to create the private key. 93 // 94 // It makes sure the private key is a valid field element by setting: 95 // 96 // c = sha256(secret) 97 // k = (c mod (n − 1)) + 1, where n = curve order. 98 // 99 // NOTE: secret should be the output of a KDF like bcrypt, 100 // if it's derived from user input. 101 func GenPrivKeySecp256k1(secret []byte) PrivKey { 102 secHash := sha256.Sum256(secret) 103 // to guarantee that we have a valid field element, we use the approach of: 104 // "Suite B Implementer’s Guide to FIPS 186-3", A.2.1 105 // https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/suite-b-implementers-guide-to-fips-186-3-ecdsa.cfm 106 // see also https://github.com/golang/go/blob/0380c9ad38843d523d9c9804fe300cb7edd7cd3c/src/crypto/ecdsa/ecdsa.go#L89-L101 107 fe := new(big.Int).SetBytes(secHash[:]) 108 n := new(big.Int).Sub(secp256k1.S256().N, one) 109 fe.Mod(fe, n) 110 fe.Add(fe, one) 111 112 feB := fe.Bytes() 113 privKey32 := make([]byte, PrivKeySize) 114 // copy feB over to fixed 32 byte privKey32 and pad (if necessary) 115 copy(privKey32[32-len(feB):32], feB) 116 117 return PrivKey(privKey32) 118 } 119 120 //------------------------------------- 121 122 var _ crypto.PubKey = PubKey{} 123 124 // PubKeySize is comprised of 32 bytes for one field element 125 // (the x-coordinate), plus one byte for the parity of the y-coordinate. 126 const PubKeySize = 33 127 128 // PubKey implements crypto.PubKey. 129 // It is the compressed form of the pubkey. The first byte depends is a 0x02 byte 130 // if the y-coordinate is the lexicographically largest of the two associated with 131 // the x-coordinate. Otherwise the first byte is a 0x03. 132 // This prefix is followed with the x-coordinate. 133 type PubKey []byte 134 135 // Address returns a Bitcoin style addresses: RIPEMD160(SHA256(pubkey)) 136 func (pubKey PubKey) Address() crypto.Address { 137 if len(pubKey) != PubKeySize { 138 panic("length of pubkey is incorrect") 139 } 140 hasherSHA256 := sha256.New() 141 _, _ = hasherSHA256.Write(pubKey) // does not error 142 sha := hasherSHA256.Sum(nil) 143 144 hasherRIPEMD160 := ripemd160.New() 145 _, _ = hasherRIPEMD160.Write(sha) // does not error 146 147 return crypto.Address(hasherRIPEMD160.Sum(nil)) 148 } 149 150 // Bytes returns the pubkey marshaled with amino encoding. 151 func (pubKey PubKey) Bytes() []byte { 152 return []byte(pubKey) 153 } 154 155 func (pubKey PubKey) String() string { 156 return fmt.Sprintf("PubKeySecp256k1{%X}", []byte(pubKey)) 157 } 158 159 func (pubKey PubKey) Equals(other crypto.PubKey) bool { 160 if otherSecp, ok := other.(PubKey); ok { 161 return bytes.Equal(pubKey[:], otherSecp[:]) 162 } 163 return false 164 } 165 166 func (pubKey PubKey) Type() string { 167 return KeyType 168 } 169 170 // used to reject malleable signatures 171 // see: 172 // - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93 173 // - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/crypto.go#L39 174 var secp256k1halfN = new(big.Int).Rsh(secp256k1.S256().N, 1) 175 176 // Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg. 177 // The returned signature will be of the form R || S (in lower-S form). 178 func (privKey PrivKey) Sign(msg []byte) ([]byte, error) { 179 priv, _ := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey) 180 181 sig, err := priv.Sign(crypto.Sha256(msg)) 182 if err != nil { 183 return nil, err 184 } 185 186 sigBytes := serializeSig(sig) 187 return sigBytes, nil 188 } 189 190 // VerifySignature verifies a signature of the form R || S. 191 // It rejects signatures which are not in lower-S form. 192 func (pubKey PubKey) VerifySignature(msg []byte, sigStr []byte) bool { 193 if len(sigStr) != 64 { 194 return false 195 } 196 197 pub, err := secp256k1.ParsePubKey(pubKey, secp256k1.S256()) 198 if err != nil { 199 return false 200 } 201 202 // parse the signature: 203 signature := signatureFromBytes(sigStr) 204 // Reject malleable signatures. libsecp256k1 does this check but btcec doesn't. 205 // see: https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93 206 if signature.S.Cmp(secp256k1halfN) > 0 { 207 return false 208 } 209 210 return signature.Verify(crypto.Sha256(msg), pub) 211 } 212 213 // Read Signature struct from R || S. Caller needs to ensure 214 // that len(sigStr) == 64. 215 func signatureFromBytes(sigStr []byte) *secp256k1.Signature { 216 return &secp256k1.Signature{ 217 R: new(big.Int).SetBytes(sigStr[:32]), 218 S: new(big.Int).SetBytes(sigStr[32:64]), 219 } 220 } 221 222 // Serialize signature to R || S. 223 // R, S are padded to 32 bytes respectively. 224 func serializeSig(sig *secp256k1.Signature) []byte { 225 rBytes := sig.R.Bytes() 226 sBytes := sig.S.Bytes() 227 sigBytes := make([]byte, 64) 228 // 0 pad the byte arrays from the left if they aren't big enough. 229 copy(sigBytes[32-len(rBytes):32], rBytes) 230 copy(sigBytes[64-len(sBytes):64], sBytes) 231 return sigBytes 232 }