PageRenderTime 1871ms CodeModel.GetById 28ms RepoModel.GetById 0ms app.codeStats 0ms

/src/key.cpp

https://gitlab.com/Quetzalcoatl/VekitaCoin
C++ | 420 lines | 345 code | 50 blank | 25 comment | 96 complexity | 56921618ad6036696a4741db7d0c47d6 MD5 | raw file
    

  1. // Copyright (c) 2009-2014 The Bitcoin developers
    2. 

  2. // Distributed under the MIT/X11 software license, see the accompanying
    3. 

  3. // file COPYING or http://www.opensource.org/licenses/mit-license.php.
    4. 

  4. 

  5. #include <openssl/ecdsa.h>
    6. 

  6. #include <openssl/rand.h>
    7. 

  7. #include <openssl/obj_mac.h>
    8. 

  8. 

  9. #include "key.h"
    10. 

  10. 

  11. 

  12. // anonymous namespace with local implementation code (OpenSSL interaction)
    13. 

  13. namespace {
    14. 

  14. 

  15. // Generate a private key from just the secret parameter
    16. 

  16. int EC_KEY_regenerate_key(EC_KEY *eckey, BIGNUM *priv_key)
    17. 

  17. {
    18. 

  18.     int ok = 0;
    19. 

  19.     BN_CTX *ctx = NULL;
    20. 

  20.     EC_POINT *pub_key = NULL;
    21. 

  21. 

  22.     if (!eckey) return 0;
    23. 

  23. 

  24.     const EC_GROUP *group = EC_KEY_get0_group(eckey);
    25. 

  25. 

  26.     if ((ctx = BN_CTX_new()) == NULL)
    27. 

  27.         goto err;
    28. 

  28. 

  29.     pub_key = EC_POINT_new(group);
    30. 

  30. 

  31.     if (pub_key == NULL)
    32. 

  32.         goto err;
    33. 

  33. 

  34.     if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))
    35. 

  35.         goto err;
    36. 

  36. 

  37.     EC_KEY_set_private_key(eckey,priv_key);
    38. 

  38.     EC_KEY_set_public_key(eckey,pub_key);
    39. 

  39. 

  40.     ok = 1;
    41. 

  41. 

  42. err:
    43. 

  43. 

  44.     if (pub_key)
    45. 

  45.         EC_POINT_free(pub_key);
    46. 

  46.     if (ctx != NULL)
    47. 

  47.         BN_CTX_free(ctx);
    48. 

  48. 

  49.     return(ok);
    50. 

  50. }
    51. 

  51. 

  52. // Perform ECDSA key recovery (see SEC1 4.1.6) for curves over (mod p)-fields
    53. 

  53. // recid selects which key is recovered
    54. 

  54. // if check is non-zero, additional checks are performed
    55. 

  55. int ECDSA_SIG_recover_key_GFp(EC_KEY *eckey, ECDSA_SIG *ecsig, const unsigned char *msg, int msglen, int recid, int check)
    56. 

  56. {
    57. 

  57.     if (!eckey) return 0;
    58. 

  58. 

  59.     int ret = 0;
    60. 

  60.     BN_CTX *ctx = NULL;
    61. 

  61. 

  62.     BIGNUM *x = NULL;
    63. 

  63.     BIGNUM *e = NULL;
    64. 

  64.     BIGNUM *order = NULL;
    65. 

  65.     BIGNUM *sor = NULL;
    66. 

  66.     BIGNUM *eor = NULL;
    67. 

  67.     BIGNUM *field = NULL;
    68. 

  68.     EC_POINT *R = NULL;
    69. 

  69.     EC_POINT *O = NULL;
    70. 

  70.     EC_POINT *Q = NULL;
    71. 

  71.     BIGNUM *rr = NULL;
    72. 

  72.     BIGNUM *zero = NULL;
    73. 

  73.     int n = 0;
    74. 

  74.     int i = recid / 2;
    75. 

  75. 

  76.     const EC_GROUP *group = EC_KEY_get0_group(eckey);
    77. 

  77.     if ((ctx = BN_CTX_new()) == NULL) { ret = -1; goto err; }
    78. 

  78.     BN_CTX_start(ctx);
    79. 

  79.     order = BN_CTX_get(ctx);
    80. 

  80.     if (!EC_GROUP_get_order(group, order, ctx)) { ret = -2; goto err; }
    81. 

  81.     x = BN_CTX_get(ctx);
    82. 

  82.     if (!BN_copy(x, order)) { ret=-1; goto err; }
    83. 

  83.     if (!BN_mul_word(x, i)) { ret=-1; goto err; }
    84. 

  84.     if (!BN_add(x, x, ecsig->r)) { ret=-1; goto err; }
    85. 

  85.     field = BN_CTX_get(ctx);
    86. 

  86.     if (!EC_GROUP_get_curve_GFp(group, field, NULL, NULL, ctx)) { ret=-2; goto err; }
    87. 

  87.     if (BN_cmp(x, field) >= 0) { ret=0; goto err; }
    88. 

  88.     if ((R = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
    89. 

  89.     if (!EC_POINT_set_compressed_coordinates_GFp(group, R, x, recid % 2, ctx)) { ret=0; goto err; }
    90. 

  90.     if (check)
    91. 

  91.     {
    92. 

  92.         if ((O = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
    93. 

  93.         if (!EC_POINT_mul(group, O, NULL, R, order, ctx)) { ret=-2; goto err; }
    94. 

  94.         if (!EC_POINT_is_at_infinity(group, O)) { ret = 0; goto err; }
    95. 

  95.     }
    96. 

  96.     if ((Q = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
    97. 

  97.     n = EC_GROUP_get_degree(group);
    98. 

  98.     e = BN_CTX_get(ctx);
    99. 

  99.     if (!BN_bin2bn(msg, msglen, e)) { ret=-1; goto err; }
    100. 

  100.     if (8*msglen > n) BN_rshift(e, e, 8-(n & 7));
    101. 

  101.     zero = BN_CTX_get(ctx);
    102. 

  102.     if (!BN_zero(zero)) { ret=-1; goto err; }
    103. 

  103.     if (!BN_mod_sub(e, zero, e, order, ctx)) { ret=-1; goto err; }
    104. 

  104.     rr = BN_CTX_get(ctx);
    105. 

  105.     if (!BN_mod_inverse(rr, ecsig->r, order, ctx)) { ret=-1; goto err; }
    106. 

  106.     sor = BN_CTX_get(ctx);
    107. 

  107.     if (!BN_mod_mul(sor, ecsig->s, rr, order, ctx)) { ret=-1; goto err; }
    108. 

  108.     eor = BN_CTX_get(ctx);
    109. 

  109.     if (!BN_mod_mul(eor, e, rr, order, ctx)) { ret=-1; goto err; }
    110. 

  110.     if (!EC_POINT_mul(group, Q, eor, R, sor, ctx)) { ret=-2; goto err; }
    111. 

  111.     if (!EC_KEY_set_public_key(eckey, Q)) { ret=-2; goto err; }
    112. 

  112. 

  113.     ret = 1;
    114. 

  114. 

  115. err:
    116. 

  116.     if (ctx) {
    117. 

  117.         BN_CTX_end(ctx);
    118. 

  118.         BN_CTX_free(ctx);
    119. 

  119.     }
    120. 

  120.     if (R != NULL) EC_POINT_free(R);
    121. 

  121.     if (O != NULL) EC_POINT_free(O);
    122. 

  122.     if (Q != NULL) EC_POINT_free(Q);
    123. 

  123.     return ret;
    124. 

  124. }
    125. 

  125. 

  126. // RAII Wrapper around OpenSSL's EC_KEY
    127. 

  127. class CECKey {
    128. 

  128. private:
    129. 

  129.     EC_KEY *pkey;
    130. 

  130. 

  131. public:
    132. 

  132.     CECKey() {
    133. 

  133.         pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
    134. 

  134.         assert(pkey != NULL);
    135. 

  135.     }
    136. 

  136. 

  137.     ~CECKey() {
    138. 

  138.         EC_KEY_free(pkey);
    139. 

  139.     }
    140. 

  140. 

  141.     void GetSecretBytes(unsigned char vch[32]) const {
    142. 

  142.         const BIGNUM *bn = EC_KEY_get0_private_key(pkey);
    143. 

  143.         assert(bn);
    144. 

  144.         int nBytes = BN_num_bytes(bn);
    145. 

  145.         int n=BN_bn2bin(bn,&vch[32 - nBytes]);
    146. 

  146.         assert(n == nBytes);
    147. 

  147.         memset(vch, 0, 32 - nBytes);
    148. 

  148.     }
    149. 

  149. 

  150.     void SetSecretBytes(const unsigned char vch[32]) {
    151. 

  151.         BIGNUM bn;
    152. 

  152.         BN_init(&bn);
    153. 

  153.         assert(BN_bin2bn(vch, 32, &bn));
    154. 

  154.         assert(EC_KEY_regenerate_key(pkey, &bn));
    155. 

  155.         BN_clear_free(&bn);
    156. 

  156.     }
    157. 

  157. 

  158.     void GetPrivKey(CPrivKey &privkey, bool fCompressed) {
    159. 

  159.         EC_KEY_set_conv_form(pkey, fCompressed ? POINT_CONVERSION_COMPRESSED : POINT_CONVERSION_UNCOMPRESSED);
    160. 

  160.         int nSize = i2d_ECPrivateKey(pkey, NULL);
    161. 

  161.         assert(nSize);
    162. 

  162.         privkey.resize(nSize);
    163. 

  163.         unsigned char* pbegin = &privkey[0];
    164. 

  164.         int nSize2 = i2d_ECPrivateKey(pkey, &pbegin);
    165. 

  165.         assert(nSize == nSize2);
    166. 

  166.     }
    167. 

  167. 

  168.     bool SetPrivKey(const CPrivKey &privkey) {
    169. 

  169.         const unsigned char* pbegin = &privkey[0];
    170. 

  170.         if (d2i_ECPrivateKey(&pkey, &pbegin, privkey.size())) {
    171. 

  171.             // d2i_ECPrivateKey returns true if parsing succeeds.
    172. 

  172.             // This doesn't necessarily mean the key is valid.
    173. 

  173.             if (EC_KEY_check_key(pkey))
    174. 

  174.                 return true;
    175. 

  175.         }
    176. 

  176.         return false;
    177. 

  177.     }
    178. 

  178. 

  179.     void GetPubKey(CPubKey &pubkey, bool fCompressed) {
    180. 

  180.         EC_KEY_set_conv_form(pkey, fCompressed ? POINT_CONVERSION_COMPRESSED : POINT_CONVERSION_UNCOMPRESSED);
    181. 

  181.         int nSize = i2o_ECPublicKey(pkey, NULL);
    182. 

  182.         assert(nSize);
    183. 

  183.         assert(nSize <= 65);
    184. 

  184.         unsigned char c[65];
    185. 

  185.         unsigned char *pbegin = c;
    186. 

  186.         int nSize2 = i2o_ECPublicKey(pkey, &pbegin);
    187. 

  187.         assert(nSize == nSize2);
    188. 

  188.         pubkey.Set(&c[0], &c[nSize]);
    189. 

  189.     }
    190. 

  190. 

  191.     bool SetPubKey(const CPubKey &pubkey) {
    192. 

  192.         const unsigned char* pbegin = pubkey.begin();
    193. 

  193.         return o2i_ECPublicKey(&pkey, &pbegin, pubkey.size());
    194. 

  194.     }
    195. 

  195. 

  196.     bool Sign(const uint256 &hash, std::vector<unsigned char>& vchSig) {
    197. 

  197.         unsigned int nSize = ECDSA_size(pkey);
    198. 

  198.         vchSig.resize(nSize); // Make sure it is big enough
    199. 

  199.         assert(ECDSA_sign(0, (unsigned char*)&hash, sizeof(hash), &vchSig[0], &nSize, pkey));
    200. 

  200.         vchSig.resize(nSize); // Shrink to fit actual size
    201. 

  201.         return true;
    202. 

  202.     }
    203. 

  203. 

  204.     bool Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
    205. 

  205.         if (vchSig.empty())
    206. 

  206.             return false;
    207. 

  207. 

  208.         // New versions of OpenSSL will reject non-canonical DER signatures. de/re-serialize first.
    209. 

  209.         unsigned char *norm_der = NULL;
    210. 

  210.         ECDSA_SIG *norm_sig = ECDSA_SIG_new();
    211. 

  211.         const unsigned char* sigptr = &vchSig[0];
    212. 

  212.         assert(norm_sig);
    213. 

  213.         if (d2i_ECDSA_SIG(&norm_sig, &sigptr, vchSig.size()) == NULL)
    214. 

  214.         {
    215. 

  215.             /* As of OpenSSL 1.0.0p d2i_ECDSA_SIG frees and nulls the pointer on
    216. 

  216.              * error. But OpenSSL's own use of this function redundantly frees the
    217. 

  217.              * result. As ECDSA_SIG_free(NULL) is a no-op, and in the absence of a
    218. 

  218.              * clear contract for the function behaving the same way is more
    219. 

  219.              * conservative.
    220. 

  220.              */
    221. 

  221.             ECDSA_SIG_free(norm_sig);
    222. 

  222.             return false;
    223. 

  223.         }
    224. 

  224.         int derlen = i2d_ECDSA_SIG(norm_sig, &norm_der);
    225. 

  225.         ECDSA_SIG_free(norm_sig);
    226. 

  226.         if (derlen <= 0)
    227. 

  227.             return false;
    228. 

  228. 

  229.         // -1 = error, 0 = bad sig, 1 = good
    230. 

  230.         bool ret = ECDSA_verify(0, (unsigned char*)&hash, sizeof(hash), norm_der, derlen, pkey) == 1;
    231. 

  231.         OPENSSL_free(norm_der);
    232. 

  232.         return ret;
    233. 

  233.     }
    234. 

  234. 

  235.     bool SignCompact(const uint256 &hash, unsigned char *p64, int &rec) {
    236. 

  236.         bool fOk = false;
    237. 

  237.         ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);
    238. 

  238.         if (sig==NULL)
    239. 

  239.             return false;
    240. 

  240.         memset(p64, 0, 64);
    241. 

  241.         int nBitsR = BN_num_bits(sig->r);
    242. 

  242.         int nBitsS = BN_num_bits(sig->s);
    243. 

  243.         if (nBitsR <= 256 && nBitsS <= 256) {
    244. 

  244.             CPubKey pubkey;
    245. 

  245.             GetPubKey(pubkey, true);
    246. 

  246.             for (int i=0; i<4; i++) {
    247. 

  247.                 CECKey keyRec;
    248. 

  248.                 if (ECDSA_SIG_recover_key_GFp(keyRec.pkey, sig, (unsigned char*)&hash, sizeof(hash), i, 1) == 1) {
    249. 

  249.                     CPubKey pubkeyRec;
    250. 

  250.                     keyRec.GetPubKey(pubkeyRec, true);
    251. 

  251.                     if (pubkeyRec == pubkey) {
    252. 

  252.                         rec = i;
    253. 

  253.                         fOk = true;
    254. 

  254.                         break;
    255. 

  255.                     }
    256. 

  256.                 }
    257. 

  257.             }
    258. 

  258.             assert(fOk);
    259. 

  259.             BN_bn2bin(sig->r,&p64[32-(nBitsR+7)/8]);
    260. 

  260.             BN_bn2bin(sig->s,&p64[64-(nBitsS+7)/8]);
    261. 

  261.         }
    262. 

  262.         ECDSA_SIG_free(sig);
    263. 

  263.         return fOk;
    264. 

  264.     }
    265. 

  265. 

  266.     // reconstruct public key from a compact signature
    267. 

  267.     // This is only slightly more CPU intensive than just verifying it.
    268. 

  268.     // If this function succeeds, the recovered public key is guaranteed to be valid
    269. 

  269.     // (the signature is a valid signature of the given data for that key)
    270. 

  270.     bool Recover(const uint256 &hash, const unsigned char *p64, int rec)
    271. 

  271.     {
    272. 

  272.         if (rec<0 || rec>=3)
    273. 

  273.             return false;
    274. 

  274.         ECDSA_SIG *sig = ECDSA_SIG_new();
    275. 

  275.         BN_bin2bn(&p64[0],  32, sig->r);
    276. 

  276.         BN_bin2bn(&p64[32], 32, sig->s);
    277. 

  277.         bool ret = ECDSA_SIG_recover_key_GFp(pkey, sig, (unsigned char*)&hash, sizeof(hash), rec, 0) == 1;
    278. 

  278.         ECDSA_SIG_free(sig);
    279. 

  279.         return ret;
    280. 

  280.     }
    281. 

  281. };
    282. 

  282. 

  283. }; // end of anonymous namespace
    284. 

  284. 

  285. bool CKey::Check(const unsigned char *vch) {
    286. 

  286.     // Do not convert to OpenSSL's data structures for range-checking keys,
    287. 

  287.     // it's easy enough to do directly.
    288. 

  288.     static const unsigned char vchMax[32] = {
    289. 

  289.         0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    290. 

  290.         0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
    291. 

  291.         0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
    292. 

  292.         0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
    293. 

  293.     };
    294. 

  294.     bool fIsZero = true;
    295. 

  295.     for (int i=0; i<32 && fIsZero; i++)
    296. 

  296.         if (vch[i] != 0)
    297. 

  297.             fIsZero = false;
    298. 

  298.     if (fIsZero)
    299. 

  299.         return false;
    300. 

  300.     for (int i=0; i<32; i++) {
    301. 

  301.         if (vch[i] < vchMax[i])
    302. 

  302.             return true;
    303. 

  303.         if (vch[i] > vchMax[i])
    304. 

  304.             return false;
    305. 

  305.     }
    306. 

  306.     return true;
    307. 

  307. }
    308. 

  308. 

  309. void CKey::MakeNewKey(bool fCompressedIn) {
    310. 

  310.     do {
    311. 

  311.         RAND_bytes(vch, sizeof(vch));
    312. 

  312.     } while (!Check(vch));
    313. 

  313.     fValid = true;
    314. 

  314.     fCompressed = fCompressedIn;
    315. 

  315. }
    316. 

  316. 

  317. bool CKey::SetPrivKey(const CPrivKey &privkey, bool fCompressedIn) {
    318. 

  318.     CECKey key;
    319. 

  319.     if (!key.SetPrivKey(privkey))
    320. 

  320.         return false;
    321. 

  321.     key.GetSecretBytes(vch);
    322. 

  322.     fCompressed = fCompressedIn;
    323. 

  323.     fValid = true;
    324. 

  324.     return true;
    325. 

  325. }
    326. 

  326. 

  327. CPrivKey CKey::GetPrivKey() const {
    328. 

  328.     assert(fValid);
    329. 

  329.     CECKey key;
    330. 

  330.     key.SetSecretBytes(vch);
    331. 

  331.     CPrivKey privkey;
    332. 

  332.     key.GetPrivKey(privkey, fCompressed);
    333. 

  333.     return privkey;
    334. 

  334. }
    335. 

  335. 

  336. CPubKey CKey::GetPubKey() const {
    337. 

  337.     assert(fValid);
    338. 

  338.     CECKey key;
    339. 

  339.     key.SetSecretBytes(vch);
    340. 

  340.     CPubKey pubkey;
    341. 

  341.     key.GetPubKey(pubkey, fCompressed);
    342. 

  342.     return pubkey;
    343. 

  343. }
    344. 

  344. 

  345. bool CKey::Sign(const uint256 &hash, std::vector<unsigned char>& vchSig) const {
    346. 

  346.     if (!fValid)
    347. 

  347.         return false;
    348. 

  348.     CECKey key;
    349. 

  349.     key.SetSecretBytes(vch);
    350. 

  350.     return key.Sign(hash, vchSig);
    351. 

  351. }
    352. 

  352. 

  353. bool CKey::SignCompact(const uint256 &hash, std::vector<unsigned char>& vchSig) const {
    354. 

  354.     if (!fValid)
    355. 

  355.         return false;
    356. 

  356.     CECKey key;
    357. 

  357.     key.SetSecretBytes(vch);
    358. 

  358.     vchSig.resize(65);
    359. 

  359.     int rec = -1;
    360. 

  360.     if (!key.SignCompact(hash, &vchSig[1], rec))
    361. 

  361.         return false;
    362. 

  362.     assert(rec != -1);
    363. 

  363.     vchSig[0] = 27 + rec + (fCompressed ? 4 : 0);
    364. 

  364.     return true;
    365. 

  365. }
    366. 

  366. 

  367. bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
    368. 

  368.     if (!IsValid())
    369. 

  369.         return false;
    370. 

  370.     CECKey key;
    371. 

  371.     if (!key.SetPubKey(*this))
    372. 

  372.         return false;
    373. 

  373.     if (!key.Verify(hash, vchSig))
    374. 

  374.         return false;
    375. 

  375.     return true;
    376. 

  376. }
    377. 

  377. 

  378. bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
    379. 

  379.     if (vchSig.size() != 65)
    380. 

  380.         return false;
    381. 

  381.     CECKey key;
    382. 

  382.     if (!key.Recover(hash, &vchSig[1], (vchSig[0] - 27) & ~4))
    383. 

  383.         return false;
    384. 

  384.     key.GetPubKey(*this, (vchSig[0] - 27) & 4);
    385. 

  385.     return true;
    386. 

  386. }
    387. 

  387. 

  388. bool CPubKey::VerifyCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
    389. 

  389.     if (!IsValid())
    390. 

  390.         return false;
    391. 

  391.     if (vchSig.size() != 65)
    392. 

  392.         return false;
    393. 

  393.     CECKey key;
    394. 

  394.     if (!key.Recover(hash, &vchSig[1], (vchSig[0] - 27) & ~4))
    395. 

  395.         return false;
    396. 

  396.     CPubKey pubkeyRec;
    397. 

  397.     key.GetPubKey(pubkeyRec, IsCompressed());
    398. 

  398.     if (*this != pubkeyRec)
    399. 

  399.         return false;
    400. 

  400.     return true;
    401. 

  401. }
    402. 

  402. 

  403. bool CPubKey::IsFullyValid() const {
    404. 

  404.     if (!IsValid())
    405. 

  405.         return false;
    406. 

  406.     CECKey key;
    407. 

  407.     if (!key.SetPubKey(*this))
    408. 

  408.         return false;
    409. 

  409.     return true;
    410. 

  410. }
    411. 

  411. 

  412. bool CPubKey::Decompress() {
    413. 

  413.     if (!IsValid())
    414. 

  414.         return false;
    415. 

  415.     CECKey key;
    416. 

  416.     if (!key.SetPubKey(*this))
    417. 

  417.         return false;
    418. 

  418.     key.GetPubKey(*this, false);
    419. 

  419.     return true;
    420. 

  420. }
    421. 

  421.