pubkey.h
1 // Copyright (c) 2009-2010 Satoshi Nakamoto 2 // Copyright (c) 2009-present The Bitcoin Core developers 3 // Copyright (c) 2017 The Zcash developers 4 // Distributed under the MIT software license, see the accompanying 5 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 6 7 #ifndef BITCOIN_PUBKEY_H 8 #define BITCOIN_PUBKEY_H 9 10 #include <hash.h> 11 #include <serialize.h> 12 #include <span.h> 13 #include <uint256.h> 14 15 #include <cstring> 16 #include <optional> 17 #include <vector> 18 19 const unsigned int BIP32_EXTKEY_SIZE = 74; 20 const unsigned int BIP32_EXTKEY_WITH_VERSION_SIZE = 78; 21 22 /** A reference to a CKey: the Hash160 of its serialized public key */ 23 class CKeyID : public uint160 24 { 25 public: 26 CKeyID() : uint160() {} 27 explicit CKeyID(const uint160& in) : uint160(in) {} 28 }; 29 30 typedef uint256 ChainCode; 31 32 /** An encapsulated public key. */ 33 class CPubKey 34 { 35 public: 36 /** 37 * secp256k1: 38 */ 39 static constexpr unsigned int SIZE = 65; 40 static constexpr unsigned int COMPRESSED_SIZE = 33; 41 static constexpr unsigned int SIGNATURE_SIZE = 72; 42 static constexpr unsigned int COMPACT_SIGNATURE_SIZE = 65; 43 /** 44 * see www.keylength.com 45 * script supports up to 75 for single byte push 46 */ 47 static_assert( 48 SIZE >= COMPRESSED_SIZE, 49 "COMPRESSED_SIZE is larger than SIZE"); 50 51 private: 52 53 /** 54 * Just store the serialized data. 55 * Its length can very cheaply be computed from the first byte. 56 */ 57 unsigned char vch[SIZE]; 58 59 //! Compute the length of a pubkey with a given first byte. 60 unsigned int static GetLen(unsigned char chHeader) 61 { 62 if (chHeader == 2 || chHeader == 3) 63 return COMPRESSED_SIZE; 64 if (chHeader == 4 || chHeader == 6 || chHeader == 7) 65 return SIZE; 66 return 0; 67 } 68 69 //! Set this key data to be invalid 70 void Invalidate() 71 { 72 vch[0] = 0xFF; 73 } 74 75 public: 76 77 bool static ValidSize(const std::vector<unsigned char> &vch) { 78 return vch.size() > 0 && GetLen(vch[0]) == vch.size(); 79 } 80 81 //! Construct an invalid public key. 82 CPubKey() 83 { 84 Invalidate(); 85 } 86 87 //! Initialize a public key using begin/end iterators to byte data. 88 template <typename T> 89 void Set(const T pbegin, const T pend) 90 { 91 int len = pend == pbegin ? 0 : GetLen(pbegin[0]); 92 if (len && len == (pend - pbegin)) 93 memcpy(vch, (unsigned char*)&pbegin[0], len); 94 else 95 Invalidate(); 96 } 97 98 //! Construct a public key using begin/end iterators to byte data. 99 template <typename T> 100 CPubKey(const T pbegin, const T pend) 101 { 102 Set(pbegin, pend); 103 } 104 105 //! Construct a public key from a byte vector. 106 explicit CPubKey(std::span<const uint8_t> _vch) 107 { 108 Set(_vch.begin(), _vch.end()); 109 } 110 111 //! Simple read-only vector-like interface to the pubkey data. 112 unsigned int size() const { return GetLen(vch[0]); } 113 const unsigned char* data() const { return vch; } 114 const unsigned char* begin() const { return vch; } 115 const unsigned char* end() const { return vch + size(); } 116 const unsigned char& operator[](unsigned int pos) const { return vch[pos]; } 117 118 //! Comparator implementation. 119 friend bool operator==(const CPubKey& a, const CPubKey& b) 120 { 121 return a.vch[0] == b.vch[0] && 122 memcmp(a.vch, b.vch, a.size()) == 0; 123 } 124 friend bool operator<(const CPubKey& a, const CPubKey& b) 125 { 126 return a.vch[0] < b.vch[0] || 127 (a.vch[0] == b.vch[0] && memcmp(a.vch, b.vch, a.size()) < 0); 128 } 129 friend bool operator>(const CPubKey& a, const CPubKey& b) 130 { 131 return a.vch[0] > b.vch[0] || 132 (a.vch[0] == b.vch[0] && memcmp(a.vch, b.vch, a.size()) > 0); 133 } 134 135 //! Implement serialization, as if this was a byte vector. 136 template <typename Stream> 137 void Serialize(Stream& s) const 138 { 139 unsigned int len = size(); 140 ::WriteCompactSize(s, len); 141 s << std::span{vch, len}; 142 } 143 template <typename Stream> 144 void Unserialize(Stream& s) 145 { 146 const unsigned int len(::ReadCompactSize(s)); 147 if (len <= SIZE) { 148 s >> std::span{vch, len}; 149 if (len != size()) { 150 Invalidate(); 151 } 152 } else { 153 // invalid pubkey, skip available data 154 s.ignore(len); 155 Invalidate(); 156 } 157 } 158 159 //! Get the KeyID of this public key (hash of its serialization) 160 CKeyID GetID() const 161 { 162 return CKeyID(Hash160(std::span{vch}.first(size()))); 163 } 164 165 //! Get the 256-bit hash of this public key. 166 uint256 GetHash() const 167 { 168 return Hash(std::span{vch}.first(size())); 169 } 170 171 /* 172 * Check syntactic correctness. 173 * 174 * When setting a pubkey (Set()) or deserializing fails (its header bytes 175 * don't match the length of the data), the size is set to 0. Thus, 176 * by checking size, one can observe whether Set() or deserialization has 177 * failed. 178 * 179 * This does not check for more than that. In particular, it does not verify 180 * that the coordinates correspond to a point on the curve (see IsFullyValid() 181 * for that instead). 182 * 183 * Note that this is consensus critical as CheckECDSASignature() calls it! 184 */ 185 bool IsValid() const 186 { 187 return size() > 0; 188 } 189 190 /** Check if a public key is a syntactically valid compressed or uncompressed key. */ 191 bool IsValidNonHybrid() const noexcept 192 { 193 return size() > 0 && (vch[0] == 0x02 || vch[0] == 0x03 || vch[0] == 0x04); 194 } 195 196 //! fully validate whether this is a valid public key (more expensive than IsValid()) 197 bool IsFullyValid() const; 198 199 //! Check whether this is a compressed public key. 200 bool IsCompressed() const 201 { 202 return size() == COMPRESSED_SIZE; 203 } 204 205 /** 206 * Verify a DER signature (~72 bytes). 207 * If this public key is not fully valid, the return value will be false. 208 */ 209 bool Verify(const uint256& hash, const std::vector<unsigned char>& vchSig) const; 210 211 /** 212 * Check whether a signature is normalized (lower-S). 213 */ 214 static bool CheckLowS(const std::vector<unsigned char>& vchSig); 215 216 //! Recover a public key from a compact signature. 217 bool RecoverCompact(const uint256& hash, const std::vector<unsigned char>& vchSig); 218 219 //! Turn this public key into an uncompressed public key. 220 bool Decompress(); 221 222 //! Derive BIP32 child pubkey. 223 [[nodiscard]] bool Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc, uint256* bip32_tweak_out = nullptr) const; 224 }; 225 226 class XOnlyPubKey 227 { 228 private: 229 uint256 m_keydata; 230 231 public: 232 /** Nothing Up My Sleeve point H 233 * Used as an internal key for provably disabling the key path spend 234 * see BIP341 for more details */ 235 static const XOnlyPubKey NUMS_H; 236 237 /** Construct an empty x-only pubkey. */ 238 XOnlyPubKey() = default; 239 240 XOnlyPubKey(const XOnlyPubKey&) = default; 241 XOnlyPubKey& operator=(const XOnlyPubKey&) = default; 242 243 /** Determine if this pubkey is fully valid. This is true for approximately 50% of all 244 * possible 32-byte arrays. If false, VerifySchnorr, CheckTapTweak and CreateTapTweak 245 * will always fail. */ 246 bool IsFullyValid() const; 247 248 /** Test whether this is the 0 key (the result of default construction). This implies 249 * !IsFullyValid(). */ 250 bool IsNull() const { return m_keydata.IsNull(); } 251 252 /** Construct an x-only pubkey from exactly 32 bytes. */ 253 constexpr explicit XOnlyPubKey(std::span<const unsigned char> bytes) : m_keydata{bytes} {} 254 255 /** Construct an x-only pubkey from a normal pubkey. */ 256 explicit XOnlyPubKey(const CPubKey& pubkey) : XOnlyPubKey(std::span{pubkey}.subspan(1, 32)) {} 257 258 /** Verify a Schnorr signature against this public key. 259 * 260 * sigbytes must be exactly 64 bytes. 261 */ 262 bool VerifySchnorr(const uint256& msg, std::span<const unsigned char> sigbytes) const; 263 264 /** Compute the Taproot tweak as specified in BIP341, with *this as internal 265 * key: 266 * - if merkle_root == nullptr: H_TapTweak(xonly_pubkey) 267 * - otherwise: H_TapTweak(xonly_pubkey || *merkle_root) 268 * 269 * Note that the behavior of this function with merkle_root != nullptr is 270 * consensus critical. 271 */ 272 uint256 ComputeTapTweakHash(const uint256* merkle_root) const; 273 274 /** Verify that this is a Taproot tweaked output point, against a specified internal key, 275 * Merkle root, and parity. */ 276 bool CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const; 277 278 /** Construct a Taproot tweaked output point with this point as internal key. */ 279 std::optional<std::pair<XOnlyPubKey, bool>> CreateTapTweak(const uint256* merkle_root) const; 280 281 /** Returns a list of CKeyIDs for the CPubKeys that could have been used to create this XOnlyPubKey. 282 * As the CKeyID is the Hash160(full pubkey), the produced CKeyIDs are for the versions of this 283 * XOnlyPubKey with 0x02 and 0x03 prefixes. 284 * This is needed for key lookups since keys are indexed by CKeyID. 285 */ 286 std::vector<CKeyID> GetKeyIDs() const; 287 /** Returns this XOnlyPubKey with 0x02 and 0x03 prefixes */ 288 std::vector<CPubKey> GetCPubKeys() const; 289 290 CPubKey GetEvenCorrespondingCPubKey() const; 291 292 const unsigned char& operator[](int pos) const { return *(m_keydata.begin() + pos); } 293 static constexpr size_t size() { return decltype(m_keydata)::size(); } 294 const unsigned char* data() const { return m_keydata.begin(); } 295 const unsigned char* begin() const { return m_keydata.begin(); } 296 const unsigned char* end() const { return m_keydata.end(); } 297 unsigned char* data() { return m_keydata.begin(); } 298 unsigned char* begin() { return m_keydata.begin(); } 299 unsigned char* end() { return m_keydata.end(); } 300 bool operator==(const XOnlyPubKey& other) const { return m_keydata == other.m_keydata; } 301 bool operator<(const XOnlyPubKey& other) const { return m_keydata < other.m_keydata; } 302 303 //! Implement serialization without length prefixes since it is a fixed length 304 SERIALIZE_METHODS(XOnlyPubKey, obj) { READWRITE(obj.m_keydata); } 305 }; 306 307 /** An ElligatorSwift-encoded public key. */ 308 struct EllSwiftPubKey 309 { 310 private: 311 static constexpr size_t SIZE = 64; 312 std::array<std::byte, SIZE> m_pubkey; 313 314 public: 315 /** Default constructor creates all-zero pubkey (which is valid). */ 316 EllSwiftPubKey() noexcept = default; 317 318 /** Construct a new ellswift public key from a given serialization. */ 319 EllSwiftPubKey(std::span<const std::byte> ellswift) noexcept; 320 321 /** Decode to normal compressed CPubKey (for debugging purposes). */ 322 CPubKey Decode() const; 323 324 // Read-only access for serialization. 325 const std::byte* data() const { return m_pubkey.data(); } 326 static constexpr size_t size() { return SIZE; } 327 auto begin() const { return m_pubkey.cbegin(); } 328 auto end() const { return m_pubkey.cend(); } 329 330 bool friend operator==(const EllSwiftPubKey& a, const EllSwiftPubKey& b) 331 { 332 return a.m_pubkey == b.m_pubkey; 333 } 334 }; 335 336 struct CExtPubKey { 337 unsigned char version[4]; 338 unsigned char nDepth; 339 unsigned char vchFingerprint[4]; 340 unsigned int nChild; 341 ChainCode chaincode; 342 CPubKey pubkey; 343 344 friend bool operator==(const CExtPubKey &a, const CExtPubKey &b) 345 { 346 return a.nDepth == b.nDepth && 347 memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 && 348 a.nChild == b.nChild && 349 a.chaincode == b.chaincode && 350 a.pubkey == b.pubkey; 351 } 352 353 friend bool operator<(const CExtPubKey &a, const CExtPubKey &b) 354 { 355 if (a.pubkey < b.pubkey) { 356 return true; 357 } else if (a.pubkey > b.pubkey) { 358 return false; 359 } 360 return a.chaincode < b.chaincode; 361 } 362 363 void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const; 364 void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]); 365 void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const; 366 void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]); 367 [[nodiscard]] bool Derive(CExtPubKey& out, unsigned int nChild, uint256* bip32_tweak_out = nullptr) const; 368 }; 369 370 #endif // BITCOIN_PUBKEY_H