1 // Copyright (c) 2009-2016 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
8 #include <secp256k1_recovery.h>
12 /* Global secp256k1_context object used for verification. */
13 secp256k1_context
* secp256k1_context_verify
= nullptr;
16 /** This function is taken from the libsecp256k1 distribution and implements
17 * DER parsing for ECDSA signatures, while supporting an arbitrary subset of
20 * Supported violations include negative integers, excessive padding, garbage
21 * at the end, and overly long length descriptors. This is safe to use in
22 * Bitcoin because since the activation of BIP66, signatures are verified to be
23 * strict DER before being passed to this module, and we know it supports all
24 * violations present in the blockchain before that point.
26 static int ecdsa_signature_parse_der_lax(const secp256k1_context
* ctx
, secp256k1_ecdsa_signature
* sig
, const unsigned char *input
, size_t inputlen
) {
27 size_t rpos
, rlen
, spos
, slen
;
30 unsigned char tmpsig
[64] = {0};
33 /* Hack to initialize sig with a correctly-parsed but invalid signature. */
34 secp256k1_ecdsa_signature_parse_compact(ctx
, sig
, tmpsig
);
36 /* Sequence tag byte */
37 if (pos
== inputlen
|| input
[pos
] != 0x30) {
42 /* Sequence length bytes */
43 if (pos
== inputlen
) {
46 lenbyte
= input
[pos
++];
49 if (pos
+ lenbyte
> inputlen
) {
55 /* Integer tag byte for R */
56 if (pos
== inputlen
|| input
[pos
] != 0x02) {
61 /* Integer length for R */
62 if (pos
== inputlen
) {
65 lenbyte
= input
[pos
++];
68 if (pos
+ lenbyte
> inputlen
) {
71 while (lenbyte
> 0 && input
[pos
] == 0) {
75 if (lenbyte
>= sizeof(size_t)) {
80 rlen
= (rlen
<< 8) + input
[pos
];
87 if (rlen
> inputlen
- pos
) {
93 /* Integer tag byte for S */
94 if (pos
== inputlen
|| input
[pos
] != 0x02) {
99 /* Integer length for S */
100 if (pos
== inputlen
) {
103 lenbyte
= input
[pos
++];
104 if (lenbyte
& 0x80) {
106 if (pos
+ lenbyte
> inputlen
) {
109 while (lenbyte
> 0 && input
[pos
] == 0) {
113 if (lenbyte
>= sizeof(size_t)) {
117 while (lenbyte
> 0) {
118 slen
= (slen
<< 8) + input
[pos
];
125 if (slen
> inputlen
- pos
) {
130 /* Ignore leading zeroes in R */
131 while (rlen
> 0 && input
[rpos
] == 0) {
139 memcpy(tmpsig
+ 32 - rlen
, input
+ rpos
, rlen
);
142 /* Ignore leading zeroes in S */
143 while (slen
> 0 && input
[spos
] == 0) {
151 memcpy(tmpsig
+ 64 - slen
, input
+ spos
, slen
);
155 overflow
= !secp256k1_ecdsa_signature_parse_compact(ctx
, sig
, tmpsig
);
158 /* Overwrite the result again with a correctly-parsed but invalid
159 signature if parsing failed. */
160 memset(tmpsig
, 0, 64);
161 secp256k1_ecdsa_signature_parse_compact(ctx
, sig
, tmpsig
);
166 bool CPubKey::Verify(const uint256
&hash
, const std::vector
<unsigned char>& vchSig
) const {
169 secp256k1_pubkey pubkey
;
170 secp256k1_ecdsa_signature sig
;
171 if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify
, &pubkey
, &(*this)[0], size())) {
174 if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify
, &sig
, vchSig
.data(), vchSig
.size())) {
177 /* libsecp256k1's ECDSA verification requires lower-S signatures, which have
178 * not historically been enforced in Bitcoin, so normalize them first. */
179 secp256k1_ecdsa_signature_normalize(secp256k1_context_verify
, &sig
, &sig
);
180 return secp256k1_ecdsa_verify(secp256k1_context_verify
, &sig
, hash
.begin(), &pubkey
);
183 bool CPubKey::RecoverCompact(const uint256
&hash
, const std::vector
<unsigned char>& vchSig
) {
184 if (vchSig
.size() != 65)
186 int recid
= (vchSig
[0] - 27) & 3;
187 bool fComp
= ((vchSig
[0] - 27) & 4) != 0;
188 secp256k1_pubkey pubkey
;
189 secp256k1_ecdsa_recoverable_signature sig
;
190 if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_verify
, &sig
, &vchSig
[1], recid
)) {
193 if (!secp256k1_ecdsa_recover(secp256k1_context_verify
, &pubkey
, &sig
, hash
.begin())) {
196 unsigned char pub
[65];
198 secp256k1_ec_pubkey_serialize(secp256k1_context_verify
, pub
, &publen
, &pubkey
, fComp
? SECP256K1_EC_COMPRESSED
: SECP256K1_EC_UNCOMPRESSED
);
199 Set(pub
, pub
+ publen
);
203 bool CPubKey::IsFullyValid() const {
206 secp256k1_pubkey pubkey
;
207 return secp256k1_ec_pubkey_parse(secp256k1_context_verify
, &pubkey
, &(*this)[0], size());
210 bool CPubKey::Decompress() {
213 secp256k1_pubkey pubkey
;
214 if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify
, &pubkey
, &(*this)[0], size())) {
217 unsigned char pub
[65];
219 secp256k1_ec_pubkey_serialize(secp256k1_context_verify
, pub
, &publen
, &pubkey
, SECP256K1_EC_UNCOMPRESSED
);
220 Set(pub
, pub
+ publen
);
224 bool CPubKey::Derive(CPubKey
& pubkeyChild
, ChainCode
&ccChild
, unsigned int nChild
, const ChainCode
& cc
) const {
226 assert((nChild
>> 31) == 0);
227 assert(begin() + 33 == end());
228 unsigned char out
[64];
229 BIP32Hash(cc
, nChild
, *begin(), begin()+1, out
);
230 memcpy(ccChild
.begin(), out
+32, 32);
231 secp256k1_pubkey pubkey
;
232 if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify
, &pubkey
, &(*this)[0], size())) {
235 if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify
, &pubkey
, out
)) {
238 unsigned char pub
[33];
240 secp256k1_ec_pubkey_serialize(secp256k1_context_verify
, pub
, &publen
, &pubkey
, SECP256K1_EC_COMPRESSED
);
241 pubkeyChild
.Set(pub
, pub
+ publen
);
245 void CExtPubKey::Encode(unsigned char code
[BIP32_EXTKEY_SIZE
]) const {
247 memcpy(code
+1, vchFingerprint
, 4);
248 code
[5] = (nChild
>> 24) & 0xFF; code
[6] = (nChild
>> 16) & 0xFF;
249 code
[7] = (nChild
>> 8) & 0xFF; code
[8] = (nChild
>> 0) & 0xFF;
250 memcpy(code
+9, chaincode
.begin(), 32);
251 assert(pubkey
.size() == 33);
252 memcpy(code
+41, pubkey
.begin(), 33);
255 void CExtPubKey::Decode(const unsigned char code
[BIP32_EXTKEY_SIZE
]) {
257 memcpy(vchFingerprint
, code
+1, 4);
258 nChild
= (code
[5] << 24) | (code
[6] << 16) | (code
[7] << 8) | code
[8];
259 memcpy(chaincode
.begin(), code
+9, 32);
260 pubkey
.Set(code
+41, code
+BIP32_EXTKEY_SIZE
);
263 bool CExtPubKey::Derive(CExtPubKey
&out
, unsigned int _nChild
) const {
264 out
.nDepth
= nDepth
+ 1;
265 CKeyID id
= pubkey
.GetID();
266 memcpy(&out
.vchFingerprint
[0], &id
, 4);
267 out
.nChild
= _nChild
;
268 return pubkey
.Derive(out
.pubkey
, out
.chaincode
, _nChild
, chaincode
);
271 /* static */ bool CPubKey::CheckLowS(const std::vector
<unsigned char>& vchSig
) {
272 secp256k1_ecdsa_signature sig
;
273 if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify
, &sig
, vchSig
.data(), vchSig
.size())) {
276 return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify
, nullptr, &sig
));
279 /* static */ int ECCVerifyHandle::refcount
= 0;
281 ECCVerifyHandle::ECCVerifyHandle()
284 assert(secp256k1_context_verify
== nullptr);
285 secp256k1_context_verify
= secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
);
286 assert(secp256k1_context_verify
!= nullptr);
291 ECCVerifyHandle::~ECCVerifyHandle()
295 assert(secp256k1_context_verify
!= nullptr);
296 secp256k1_context_destroy(secp256k1_context_verify
);
297 secp256k1_context_verify
= nullptr;