pubkey.cpp
1 // Copyright (c) 2009-2022 The Bitcoin Core developers 2 // Copyright (c) 2017 The Zcash developers 3 // Distributed under the MIT software license, see the accompanying 4 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 6 #include <pubkey.h> 7 8 #include <hash.h> 9 #include <secp256k1.h> 10 #include <secp256k1_ellswift.h> 11 #include <secp256k1_extrakeys.h> 12 #include <secp256k1_recovery.h> 13 #include <secp256k1_schnorrsig.h> 14 #include <span.h> 15 #include <uint256.h> 16 17 #include <algorithm> 18 #include <cassert> 19 20 namespace { 21 22 struct Secp256k1SelfTester 23 { 24 Secp256k1SelfTester() { 25 /* Run libsecp256k1 self-test before using the secp256k1_context_static. */ 26 secp256k1_selftest(); 27 } 28 } SECP256K1_SELFTESTER; 29 30 } // namespace 31 32 /** This function is taken from the libsecp256k1 distribution and implements 33 * DER parsing for ECDSA signatures, while supporting an arbitrary subset of 34 * format violations. 35 * 36 * Supported violations include negative integers, excessive padding, garbage 37 * at the end, and overly long length descriptors. This is safe to use in 38 * Bitcoin because since the activation of BIP66, signatures are verified to be 39 * strict DER before being passed to this module, and we know it supports all 40 * violations present in the blockchain before that point. 41 */ 42 int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { 43 size_t rpos, rlen, spos, slen; 44 size_t pos = 0; 45 size_t lenbyte; 46 unsigned char tmpsig[64] = {0}; 47 int overflow = 0; 48 49 /* Hack to initialize sig with a correctly-parsed but invalid signature. */ 50 secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig); 51 52 /* Sequence tag byte */ 53 if (pos == inputlen || input[pos] != 0x30) { 54 return 0; 55 } 56 pos++; 57 58 /* Sequence length bytes */ 59 if (pos == inputlen) { 60 return 0; 61 } 62 lenbyte = input[pos++]; 63 if (lenbyte & 0x80) { 64 lenbyte -= 0x80; 65 if (lenbyte > inputlen - pos) { 66 return 0; 67 } 68 pos += lenbyte; 69 } 70 71 /* Integer tag byte for R */ 72 if (pos == inputlen || input[pos] != 0x02) { 73 return 0; 74 } 75 pos++; 76 77 /* Integer length for R */ 78 if (pos == inputlen) { 79 return 0; 80 } 81 lenbyte = input[pos++]; 82 if (lenbyte & 0x80) { 83 lenbyte -= 0x80; 84 if (lenbyte > inputlen - pos) { 85 return 0; 86 } 87 while (lenbyte > 0 && input[pos] == 0) { 88 pos++; 89 lenbyte--; 90 } 91 static_assert(sizeof(size_t) >= 4, "size_t too small"); 92 if (lenbyte >= 4) { 93 return 0; 94 } 95 rlen = 0; 96 while (lenbyte > 0) { 97 rlen = (rlen << 8) + input[pos]; 98 pos++; 99 lenbyte--; 100 } 101 } else { 102 rlen = lenbyte; 103 } 104 if (rlen > inputlen - pos) { 105 return 0; 106 } 107 rpos = pos; 108 pos += rlen; 109 110 /* Integer tag byte for S */ 111 if (pos == inputlen || input[pos] != 0x02) { 112 return 0; 113 } 114 pos++; 115 116 /* Integer length for S */ 117 if (pos == inputlen) { 118 return 0; 119 } 120 lenbyte = input[pos++]; 121 if (lenbyte & 0x80) { 122 lenbyte -= 0x80; 123 if (lenbyte > inputlen - pos) { 124 return 0; 125 } 126 while (lenbyte > 0 && input[pos] == 0) { 127 pos++; 128 lenbyte--; 129 } 130 static_assert(sizeof(size_t) >= 4, "size_t too small"); 131 if (lenbyte >= 4) { 132 return 0; 133 } 134 slen = 0; 135 while (lenbyte > 0) { 136 slen = (slen << 8) + input[pos]; 137 pos++; 138 lenbyte--; 139 } 140 } else { 141 slen = lenbyte; 142 } 143 if (slen > inputlen - pos) { 144 return 0; 145 } 146 spos = pos; 147 148 /* Ignore leading zeroes in R */ 149 while (rlen > 0 && input[rpos] == 0) { 150 rlen--; 151 rpos++; 152 } 153 /* Copy R value */ 154 if (rlen > 32) { 155 overflow = 1; 156 } else { 157 memcpy(tmpsig + 32 - rlen, input + rpos, rlen); 158 } 159 160 /* Ignore leading zeroes in S */ 161 while (slen > 0 && input[spos] == 0) { 162 slen--; 163 spos++; 164 } 165 /* Copy S value */ 166 if (slen > 32) { 167 overflow = 1; 168 } else { 169 memcpy(tmpsig + 64 - slen, input + spos, slen); 170 } 171 172 if (!overflow) { 173 overflow = !secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig); 174 } 175 if (overflow) { 176 /* Overwrite the result again with a correctly-parsed but invalid 177 signature if parsing failed. */ 178 memset(tmpsig, 0, 64); 179 secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig); 180 } 181 return 1; 182 } 183 184 XOnlyPubKey::XOnlyPubKey(Span<const unsigned char> bytes) 185 { 186 assert(bytes.size() == 32); 187 std::copy(bytes.begin(), bytes.end(), m_keydata.begin()); 188 } 189 190 std::vector<CKeyID> XOnlyPubKey::GetKeyIDs() const 191 { 192 std::vector<CKeyID> out; 193 // For now, use the old full pubkey-based key derivation logic. As it is indexed by 194 // Hash160(full pubkey), we need to return both a version prefixed with 0x02, and one 195 // with 0x03. 196 unsigned char b[33] = {0x02}; 197 std::copy(m_keydata.begin(), m_keydata.end(), b + 1); 198 CPubKey fullpubkey; 199 fullpubkey.Set(b, b + 33); 200 out.push_back(fullpubkey.GetID()); 201 b[0] = 0x03; 202 fullpubkey.Set(b, b + 33); 203 out.push_back(fullpubkey.GetID()); 204 return out; 205 } 206 207 CPubKey XOnlyPubKey::GetEvenCorrespondingCPubKey() const 208 { 209 unsigned char full_key[CPubKey::COMPRESSED_SIZE] = {0x02}; 210 std::copy(begin(), end(), full_key + 1); 211 return CPubKey{full_key}; 212 } 213 214 bool XOnlyPubKey::IsFullyValid() const 215 { 216 secp256k1_xonly_pubkey pubkey; 217 return secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data()); 218 } 219 220 bool XOnlyPubKey::VerifySchnorr(const uint256& msg, Span<const unsigned char> sigbytes) const 221 { 222 assert(sigbytes.size() == 64); 223 secp256k1_xonly_pubkey pubkey; 224 if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data())) return false; 225 return secp256k1_schnorrsig_verify(secp256k1_context_static, sigbytes.data(), msg.begin(), 32, &pubkey); 226 } 227 228 static const HashWriter HASHER_TAPTWEAK{TaggedHash("TapTweak")}; 229 230 uint256 XOnlyPubKey::ComputeTapTweakHash(const uint256* merkle_root) const 231 { 232 if (merkle_root == nullptr) { 233 // We have no scripts. The actual tweak does not matter, but follow BIP341 here to 234 // allow for reproducible tweaking. 235 return (HashWriter{HASHER_TAPTWEAK} << m_keydata).GetSHA256(); 236 } else { 237 return (HashWriter{HASHER_TAPTWEAK} << m_keydata << *merkle_root).GetSHA256(); 238 } 239 } 240 241 bool XOnlyPubKey::CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const 242 { 243 secp256k1_xonly_pubkey internal_key; 244 if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &internal_key, internal.data())) return false; 245 uint256 tweak = internal.ComputeTapTweakHash(&merkle_root); 246 return secp256k1_xonly_pubkey_tweak_add_check(secp256k1_context_static, m_keydata.begin(), parity, &internal_key, tweak.begin()); 247 } 248 249 std::optional<std::pair<XOnlyPubKey, bool>> XOnlyPubKey::CreateTapTweak(const uint256* merkle_root) const 250 { 251 secp256k1_xonly_pubkey base_point; 252 if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &base_point, data())) return std::nullopt; 253 secp256k1_pubkey out; 254 uint256 tweak = ComputeTapTweakHash(merkle_root); 255 if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_static, &out, &base_point, tweak.data())) return std::nullopt; 256 int parity = -1; 257 std::pair<XOnlyPubKey, bool> ret; 258 secp256k1_xonly_pubkey out_xonly; 259 if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_static, &out_xonly, &parity, &out)) return std::nullopt; 260 secp256k1_xonly_pubkey_serialize(secp256k1_context_static, ret.first.begin(), &out_xonly); 261 assert(parity == 0 || parity == 1); 262 ret.second = parity; 263 return ret; 264 } 265 266 267 bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const { 268 if (!IsValid()) 269 return false; 270 secp256k1_pubkey pubkey; 271 secp256k1_ecdsa_signature sig; 272 if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) { 273 return false; 274 } 275 if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) { 276 return false; 277 } 278 /* libsecp256k1's ECDSA verification requires lower-S signatures, which have 279 * not historically been enforced in Bitcoin, so normalize them first. */ 280 secp256k1_ecdsa_signature_normalize(secp256k1_context_static, &sig, &sig); 281 return secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pubkey); 282 } 283 284 bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) { 285 if (vchSig.size() != COMPACT_SIGNATURE_SIZE) 286 return false; 287 int recid = (vchSig[0] - 27) & 3; 288 bool fComp = ((vchSig[0] - 27) & 4) != 0; 289 secp256k1_pubkey pubkey; 290 secp256k1_ecdsa_recoverable_signature sig; 291 if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_static, &sig, &vchSig[1], recid)) { 292 return false; 293 } 294 if (!secp256k1_ecdsa_recover(secp256k1_context_static, &pubkey, &sig, hash.begin())) { 295 return false; 296 } 297 unsigned char pub[SIZE]; 298 size_t publen = SIZE; 299 secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED); 300 Set(pub, pub + publen); 301 return true; 302 } 303 304 bool CPubKey::IsFullyValid() const { 305 if (!IsValid()) 306 return false; 307 secp256k1_pubkey pubkey; 308 return secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size()); 309 } 310 311 bool CPubKey::Decompress() { 312 if (!IsValid()) 313 return false; 314 secp256k1_pubkey pubkey; 315 if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) { 316 return false; 317 } 318 unsigned char pub[SIZE]; 319 size_t publen = SIZE; 320 secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED); 321 Set(pub, pub + publen); 322 return true; 323 } 324 325 bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const { 326 assert(IsValid()); 327 assert((nChild >> 31) == 0); 328 assert(size() == COMPRESSED_SIZE); 329 unsigned char out[64]; 330 BIP32Hash(cc, nChild, *begin(), begin()+1, out); 331 memcpy(ccChild.begin(), out+32, 32); 332 secp256k1_pubkey pubkey; 333 if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) { 334 return false; 335 } 336 if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_static, &pubkey, out)) { 337 return false; 338 } 339 unsigned char pub[COMPRESSED_SIZE]; 340 size_t publen = COMPRESSED_SIZE; 341 secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED); 342 pubkeyChild.Set(pub, pub + publen); 343 return true; 344 } 345 346 EllSwiftPubKey::EllSwiftPubKey(Span<const std::byte> ellswift) noexcept 347 { 348 assert(ellswift.size() == SIZE); 349 std::copy(ellswift.begin(), ellswift.end(), m_pubkey.begin()); 350 } 351 352 CPubKey EllSwiftPubKey::Decode() const 353 { 354 secp256k1_pubkey pubkey; 355 secp256k1_ellswift_decode(secp256k1_context_static, &pubkey, UCharCast(m_pubkey.data())); 356 357 size_t sz = CPubKey::COMPRESSED_SIZE; 358 std::array<uint8_t, CPubKey::COMPRESSED_SIZE> vch_bytes; 359 360 secp256k1_ec_pubkey_serialize(secp256k1_context_static, vch_bytes.data(), &sz, &pubkey, SECP256K1_EC_COMPRESSED); 361 assert(sz == vch_bytes.size()); 362 363 return CPubKey{vch_bytes.begin(), vch_bytes.end()}; 364 } 365 366 void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const { 367 code[0] = nDepth; 368 memcpy(code+1, vchFingerprint, 4); 369 WriteBE32(code+5, nChild); 370 memcpy(code+9, chaincode.begin(), 32); 371 assert(pubkey.size() == CPubKey::COMPRESSED_SIZE); 372 memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_SIZE); 373 } 374 375 void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) { 376 nDepth = code[0]; 377 memcpy(vchFingerprint, code+1, 4); 378 nChild = ReadBE32(code+5); 379 memcpy(chaincode.begin(), code+9, 32); 380 pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE); 381 if ((nDepth == 0 && (nChild != 0 || ReadLE32(vchFingerprint) != 0)) || !pubkey.IsFullyValid()) pubkey = CPubKey(); 382 } 383 384 void CExtPubKey::EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const 385 { 386 memcpy(code, version, 4); 387 Encode(&code[4]); 388 } 389 390 void CExtPubKey::DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) 391 { 392 memcpy(version, code, 4); 393 Decode(&code[4]); 394 } 395 396 bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const { 397 if (nDepth == std::numeric_limits<unsigned char>::max()) return false; 398 out.nDepth = nDepth + 1; 399 CKeyID id = pubkey.GetID(); 400 memcpy(out.vchFingerprint, &id, 4); 401 out.nChild = _nChild; 402 return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode); 403 } 404 405 /* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) { 406 secp256k1_ecdsa_signature sig; 407 if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) { 408 return false; 409 } 410 return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_static, nullptr, &sig)); 411 }