/workdir/bitcoin/src/key.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright (c) 2009-2022 The Bitcoin Core developers |
2 | | // Copyright (c) 2017 The Zcash developers |
3 | | // Distributed under the MIT software license, see the accompanying |
4 | | // file COPYING or http://www.opensource.org/licenses/mit-license.php. |
5 | | |
6 | | #include <key.h> |
7 | | |
8 | | #include <crypto/common.h> |
9 | | #include <crypto/hmac_sha512.h> |
10 | | #include <hash.h> |
11 | | #include <random.h> |
12 | | |
13 | | #include <secp256k1.h> |
14 | | #include <secp256k1_ellswift.h> |
15 | | #include <secp256k1_extrakeys.h> |
16 | | #include <secp256k1_recovery.h> |
17 | | #include <secp256k1_schnorrsig.h> |
18 | | |
19 | | static secp256k1_context* secp256k1_context_sign = nullptr; |
20 | | |
21 | | /** These functions are taken from the libsecp256k1 distribution and are very ugly. */ |
22 | | |
23 | | /** |
24 | | * This parses a format loosely based on a DER encoding of the ECPrivateKey type from |
25 | | * section C.4 of SEC 1 <https://www.secg.org/sec1-v2.pdf>, with the following caveats: |
26 | | * |
27 | | * * The octet-length of the SEQUENCE must be encoded as 1 or 2 octets. It is not |
28 | | * required to be encoded as one octet if it is less than 256, as DER would require. |
29 | | * * The octet-length of the SEQUENCE must not be greater than the remaining |
30 | | * length of the key encoding, but need not match it (i.e. the encoding may contain |
31 | | * junk after the encoded SEQUENCE). |
32 | | * * The privateKey OCTET STRING is zero-filled on the left to 32 octets. |
33 | | * * Anything after the encoding of the privateKey OCTET STRING is ignored, whether |
34 | | * or not it is validly encoded DER. |
35 | | * |
36 | | * out32 must point to an output buffer of length at least 32 bytes. |
37 | | */ |
38 | 0 | int ec_seckey_import_der(const secp256k1_context* ctx, unsigned char *out32, const unsigned char *seckey, size_t seckeylen) { |
39 | 0 | const unsigned char *end = seckey + seckeylen; |
40 | 0 | memset(out32, 0, 32); |
41 | | /* sequence header */ |
42 | 0 | if (end - seckey < 1 || *seckey != 0x30u) { Branch (42:9): [True: 0, False: 0]
Branch (42:29): [True: 0, False: 0]
|
43 | 0 | return 0; |
44 | 0 | } |
45 | 0 | seckey++; |
46 | | /* sequence length constructor */ |
47 | 0 | if (end - seckey < 1 || !(*seckey & 0x80u)) { Branch (47:9): [True: 0, False: 0]
Branch (47:29): [True: 0, False: 0]
|
48 | 0 | return 0; |
49 | 0 | } |
50 | 0 | ptrdiff_t lenb = *seckey & ~0x80u; seckey++; |
51 | 0 | if (lenb < 1 || lenb > 2) { Branch (51:9): [True: 0, False: 0]
Branch (51:21): [True: 0, False: 0]
|
52 | 0 | return 0; |
53 | 0 | } |
54 | 0 | if (end - seckey < lenb) { Branch (54:9): [True: 0, False: 0]
|
55 | 0 | return 0; |
56 | 0 | } |
57 | | /* sequence length */ |
58 | 0 | ptrdiff_t len = seckey[lenb-1] | (lenb > 1 ? seckey[lenb-2] << 8 : 0u); Branch (58:39): [True: 0, False: 0]
|
59 | 0 | seckey += lenb; |
60 | 0 | if (end - seckey < len) { Branch (60:9): [True: 0, False: 0]
|
61 | 0 | return 0; |
62 | 0 | } |
63 | | /* sequence element 0: version number (=1) */ |
64 | 0 | if (end - seckey < 3 || seckey[0] != 0x02u || seckey[1] != 0x01u || seckey[2] != 0x01u) { Branch (64:9): [True: 0, False: 0]
Branch (64:29): [True: 0, False: 0]
Branch (64:51): [True: 0, False: 0]
Branch (64:73): [True: 0, False: 0]
|
65 | 0 | return 0; |
66 | 0 | } |
67 | 0 | seckey += 3; |
68 | | /* sequence element 1: octet string, up to 32 bytes */ |
69 | 0 | if (end - seckey < 2 || seckey[0] != 0x04u) { Branch (69:9): [True: 0, False: 0]
Branch (69:29): [True: 0, False: 0]
|
70 | 0 | return 0; |
71 | 0 | } |
72 | 0 | ptrdiff_t oslen = seckey[1]; |
73 | 0 | seckey += 2; |
74 | 0 | if (oslen > 32 || end - seckey < oslen) { Branch (74:9): [True: 0, False: 0]
Branch (74:23): [True: 0, False: 0]
|
75 | 0 | return 0; |
76 | 0 | } |
77 | 0 | memcpy(out32 + (32 - oslen), seckey, oslen); |
78 | 0 | if (!secp256k1_ec_seckey_verify(ctx, out32)) { Branch (78:9): [True: 0, False: 0]
|
79 | 0 | memset(out32, 0, 32); |
80 | 0 | return 0; |
81 | 0 | } |
82 | 0 | return 1; |
83 | 0 | } |
84 | | |
85 | | /** |
86 | | * This serializes to a DER encoding of the ECPrivateKey type from section C.4 of SEC 1 |
87 | | * <https://www.secg.org/sec1-v2.pdf>. The optional parameters and publicKey fields are |
88 | | * included. |
89 | | * |
90 | | * seckey must point to an output buffer of length at least CKey::SIZE bytes. |
91 | | * seckeylen must initially be set to the size of the seckey buffer. Upon return it |
92 | | * will be set to the number of bytes used in the buffer. |
93 | | * key32 must point to a 32-byte raw private key. |
94 | | */ |
95 | 0 | int ec_seckey_export_der(const secp256k1_context *ctx, unsigned char *seckey, size_t *seckeylen, const unsigned char *key32, bool compressed) { |
96 | 0 | assert(*seckeylen >= CKey::SIZE); |
97 | 0 | secp256k1_pubkey pubkey; |
98 | 0 | size_t pubkeylen = 0; |
99 | 0 | if (!secp256k1_ec_pubkey_create(ctx, &pubkey, key32)) { Branch (99:9): [True: 0, False: 0]
|
100 | 0 | *seckeylen = 0; |
101 | 0 | return 0; |
102 | 0 | } |
103 | 0 | if (compressed) { Branch (103:9): [True: 0, False: 0]
|
104 | 0 | static const unsigned char begin[] = { |
105 | 0 | 0x30,0x81,0xD3,0x02,0x01,0x01,0x04,0x20 |
106 | 0 | }; |
107 | 0 | static const unsigned char middle[] = { |
108 | 0 | 0xA0,0x81,0x85,0x30,0x81,0x82,0x02,0x01,0x01,0x30,0x2C,0x06,0x07,0x2A,0x86,0x48, |
109 | 0 | 0xCE,0x3D,0x01,0x01,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, |
110 | 0 | 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, |
111 | 0 | 0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F,0x30,0x06,0x04,0x01,0x00,0x04,0x01,0x07,0x04, |
112 | 0 | 0x21,0x02,0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0,0x62,0x95,0xCE,0x87, |
113 | 0 | 0x0B,0x07,0x02,0x9B,0xFC,0xDB,0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8, |
114 | 0 | 0x17,0x98,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, |
115 | 0 | 0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E, |
116 | 0 | 0x8C,0xD0,0x36,0x41,0x41,0x02,0x01,0x01,0xA1,0x24,0x03,0x22,0x00 |
117 | 0 | }; |
118 | 0 | unsigned char *ptr = seckey; |
119 | 0 | memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin); |
120 | 0 | memcpy(ptr, key32, 32); ptr += 32; |
121 | 0 | memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle); |
122 | 0 | pubkeylen = CPubKey::COMPRESSED_SIZE; |
123 | 0 | secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED); |
124 | 0 | ptr += pubkeylen; |
125 | 0 | *seckeylen = ptr - seckey; |
126 | 0 | assert(*seckeylen == CKey::COMPRESSED_SIZE); |
127 | 0 | } else { |
128 | 0 | static const unsigned char begin[] = { |
129 | 0 | 0x30,0x82,0x01,0x13,0x02,0x01,0x01,0x04,0x20 |
130 | 0 | }; |
131 | 0 | static const unsigned char middle[] = { |
132 | 0 | 0xA0,0x81,0xA5,0x30,0x81,0xA2,0x02,0x01,0x01,0x30,0x2C,0x06,0x07,0x2A,0x86,0x48, |
133 | 0 | 0xCE,0x3D,0x01,0x01,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, |
134 | 0 | 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, |
135 | 0 | 0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F,0x30,0x06,0x04,0x01,0x00,0x04,0x01,0x07,0x04, |
136 | 0 | 0x41,0x04,0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0,0x62,0x95,0xCE,0x87, |
137 | 0 | 0x0B,0x07,0x02,0x9B,0xFC,0xDB,0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8, |
138 | 0 | 0x17,0x98,0x48,0x3A,0xDA,0x77,0x26,0xA3,0xC4,0x65,0x5D,0xA4,0xFB,0xFC,0x0E,0x11, |
139 | 0 | 0x08,0xA8,0xFD,0x17,0xB4,0x48,0xA6,0x85,0x54,0x19,0x9C,0x47,0xD0,0x8F,0xFB,0x10, |
140 | 0 | 0xD4,0xB8,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, |
141 | 0 | 0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E, |
142 | 0 | 0x8C,0xD0,0x36,0x41,0x41,0x02,0x01,0x01,0xA1,0x44,0x03,0x42,0x00 |
143 | 0 | }; |
144 | 0 | unsigned char *ptr = seckey; |
145 | 0 | memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin); |
146 | 0 | memcpy(ptr, key32, 32); ptr += 32; |
147 | 0 | memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle); |
148 | 0 | pubkeylen = CPubKey::SIZE; |
149 | 0 | secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED); |
150 | 0 | ptr += pubkeylen; |
151 | 0 | *seckeylen = ptr - seckey; |
152 | 0 | assert(*seckeylen == CKey::SIZE); |
153 | 0 | } |
154 | 0 | return 1; |
155 | 0 | } |
156 | | |
157 | 0 | bool CKey::Check(const unsigned char *vch) { |
158 | 0 | return secp256k1_ec_seckey_verify(secp256k1_context_sign, vch); |
159 | 0 | } |
160 | | |
161 | 0 | void CKey::MakeNewKey(bool fCompressedIn) { |
162 | 0 | MakeKeyData(); |
163 | 0 | do { |
164 | 0 | GetStrongRandBytes(*keydata); |
165 | 0 | } while (!Check(keydata->data())); Branch (165:14): [True: 0, False: 0]
|
166 | 0 | fCompressed = fCompressedIn; |
167 | 0 | } |
168 | | |
169 | 0 | CPrivKey CKey::GetPrivKey() const { |
170 | 0 | assert(keydata); |
171 | 0 | CPrivKey seckey; |
172 | 0 | int ret; |
173 | 0 | size_t seckeylen; |
174 | 0 | seckey.resize(SIZE); |
175 | 0 | seckeylen = SIZE; |
176 | 0 | ret = ec_seckey_export_der(secp256k1_context_sign, seckey.data(), &seckeylen, UCharCast(begin()), fCompressed); |
177 | 0 | assert(ret); |
178 | 0 | seckey.resize(seckeylen); |
179 | 0 | return seckey; |
180 | 0 | } |
181 | | |
182 | 0 | CPubKey CKey::GetPubKey() const { |
183 | 0 | assert(keydata); |
184 | 0 | secp256k1_pubkey pubkey; |
185 | 0 | size_t clen = CPubKey::SIZE; |
186 | 0 | CPubKey result; |
187 | 0 | int ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &pubkey, UCharCast(begin())); |
188 | 0 | assert(ret); |
189 | 0 | secp256k1_ec_pubkey_serialize(secp256k1_context_sign, (unsigned char*)result.begin(), &clen, &pubkey, fCompressed ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED); Branch (189:107): [True: 0, False: 0]
|
190 | 0 | assert(result.size() == clen); |
191 | 0 | assert(result.IsValid()); |
192 | 0 | return result; |
193 | 0 | } |
194 | | |
195 | | // Check that the sig has a low R value and will be less than 71 bytes |
196 | | bool SigHasLowR(const secp256k1_ecdsa_signature* sig) |
197 | 0 | { |
198 | 0 | unsigned char compact_sig[64]; |
199 | 0 | secp256k1_ecdsa_signature_serialize_compact(secp256k1_context_sign, compact_sig, sig); |
200 | | |
201 | | // In DER serialization, all values are interpreted as big-endian, signed integers. The highest bit in the integer indicates |
202 | | // its signed-ness; 0 is positive, 1 is negative. When the value is interpreted as a negative integer, it must be converted |
203 | | // to a positive value by prepending a 0x00 byte so that the highest bit is 0. We can avoid this prepending by ensuring that |
204 | | // our highest bit is always 0, and thus we must check that the first byte is less than 0x80. |
205 | 0 | return compact_sig[0] < 0x80; |
206 | 0 | } |
207 | | |
208 | 0 | bool CKey::Sign(const uint256 &hash, std::vector<unsigned char>& vchSig, bool grind, uint32_t test_case) const { |
209 | 0 | if (!keydata) Branch (209:9): [True: 0, False: 0]
|
210 | 0 | return false; |
211 | 0 | vchSig.resize(CPubKey::SIGNATURE_SIZE); |
212 | 0 | size_t nSigLen = CPubKey::SIGNATURE_SIZE; |
213 | 0 | unsigned char extra_entropy[32] = {0}; |
214 | 0 | WriteLE32(extra_entropy, test_case); |
215 | 0 | secp256k1_ecdsa_signature sig; |
216 | 0 | uint32_t counter = 0; |
217 | 0 | int ret = secp256k1_ecdsa_sign(secp256k1_context_sign, &sig, hash.begin(), UCharCast(begin()), secp256k1_nonce_function_rfc6979, (!grind && test_case) ? extra_entropy : nullptr); Branch (217:135): [True: 0, False: 0]
Branch (217:145): [True: 0, False: 0]
|
218 | | |
219 | | // Grind for low R |
220 | 0 | while (ret && !SigHasLowR(&sig) && grind) { Branch (220:12): [True: 0, False: 0]
Branch (220:19): [True: 0, False: 0]
Branch (220:40): [True: 0, False: 0]
|
221 | 0 | WriteLE32(extra_entropy, ++counter); |
222 | 0 | ret = secp256k1_ecdsa_sign(secp256k1_context_sign, &sig, hash.begin(), UCharCast(begin()), secp256k1_nonce_function_rfc6979, extra_entropy); |
223 | 0 | } |
224 | 0 | assert(ret); |
225 | 0 | secp256k1_ecdsa_signature_serialize_der(secp256k1_context_sign, vchSig.data(), &nSigLen, &sig); |
226 | 0 | vchSig.resize(nSigLen); |
227 | | // Additional verification step to prevent using a potentially corrupted signature |
228 | 0 | secp256k1_pubkey pk; |
229 | 0 | ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &pk, UCharCast(begin())); |
230 | 0 | assert(ret); |
231 | 0 | ret = secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pk); |
232 | 0 | assert(ret); |
233 | 0 | return true; |
234 | 0 | } |
235 | | |
236 | 0 | bool CKey::VerifyPubKey(const CPubKey& pubkey) const { |
237 | 0 | if (pubkey.IsCompressed() != fCompressed) { Branch (237:9): [True: 0, False: 0]
|
238 | 0 | return false; |
239 | 0 | } |
240 | 0 | unsigned char rnd[8]; |
241 | 0 | std::string str = "Bitcoin key verification\n"; |
242 | 0 | GetRandBytes(rnd); |
243 | 0 | uint256 hash{Hash(str, rnd)}; |
244 | 0 | std::vector<unsigned char> vchSig; |
245 | 0 | Sign(hash, vchSig); |
246 | 0 | return pubkey.Verify(hash, vchSig); |
247 | 0 | } |
248 | | |
249 | 0 | bool CKey::SignCompact(const uint256 &hash, std::vector<unsigned char>& vchSig) const { |
250 | 0 | if (!keydata) Branch (250:9): [True: 0, False: 0]
|
251 | 0 | return false; |
252 | 0 | vchSig.resize(CPubKey::COMPACT_SIGNATURE_SIZE); |
253 | 0 | int rec = -1; |
254 | 0 | secp256k1_ecdsa_recoverable_signature rsig; |
255 | 0 | int ret = secp256k1_ecdsa_sign_recoverable(secp256k1_context_sign, &rsig, hash.begin(), UCharCast(begin()), secp256k1_nonce_function_rfc6979, nullptr); |
256 | 0 | assert(ret); |
257 | 0 | ret = secp256k1_ecdsa_recoverable_signature_serialize_compact(secp256k1_context_sign, &vchSig[1], &rec, &rsig); |
258 | 0 | assert(ret); |
259 | 0 | assert(rec != -1); |
260 | 0 | vchSig[0] = 27 + rec + (fCompressed ? 4 : 0); Branch (260:29): [True: 0, False: 0]
|
261 | | // Additional verification step to prevent using a potentially corrupted signature |
262 | 0 | secp256k1_pubkey epk, rpk; |
263 | 0 | ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &epk, UCharCast(begin())); |
264 | 0 | assert(ret); |
265 | 0 | ret = secp256k1_ecdsa_recover(secp256k1_context_static, &rpk, &rsig, hash.begin()); |
266 | 0 | assert(ret); |
267 | 0 | ret = secp256k1_ec_pubkey_cmp(secp256k1_context_static, &epk, &rpk); |
268 | 0 | assert(ret == 0); |
269 | 0 | return true; |
270 | 0 | } |
271 | | |
272 | | bool CKey::SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256* merkle_root, const uint256& aux) const |
273 | 0 | { |
274 | 0 | KeyPair kp = ComputeKeyPair(merkle_root); |
275 | 0 | return kp.SignSchnorr(hash, sig, aux); |
276 | 0 | } |
277 | | |
278 | 0 | bool CKey::Load(const CPrivKey &seckey, const CPubKey &vchPubKey, bool fSkipCheck=false) { |
279 | 0 | MakeKeyData(); |
280 | 0 | if (!ec_seckey_import_der(secp256k1_context_sign, (unsigned char*)begin(), seckey.data(), seckey.size())) { Branch (280:9): [True: 0, False: 0]
|
281 | 0 | ClearKeyData(); |
282 | 0 | return false; |
283 | 0 | } |
284 | 0 | fCompressed = vchPubKey.IsCompressed(); |
285 | |
|
286 | 0 | if (fSkipCheck) Branch (286:9): [True: 0, False: 0]
|
287 | 0 | return true; |
288 | | |
289 | 0 | return VerifyPubKey(vchPubKey); |
290 | 0 | } |
291 | | |
292 | 0 | bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const { |
293 | 0 | assert(IsValid()); |
294 | 0 | assert(IsCompressed()); |
295 | 0 | std::vector<unsigned char, secure_allocator<unsigned char>> vout(64); |
296 | 0 | if ((nChild >> 31) == 0) { Branch (296:9): [True: 0, False: 0]
|
297 | 0 | CPubKey pubkey = GetPubKey(); |
298 | 0 | assert(pubkey.size() == CPubKey::COMPRESSED_SIZE); |
299 | 0 | BIP32Hash(cc, nChild, *pubkey.begin(), pubkey.begin()+1, vout.data()); |
300 | 0 | } else { |
301 | 0 | assert(size() == 32); |
302 | 0 | BIP32Hash(cc, nChild, 0, UCharCast(begin()), vout.data()); |
303 | 0 | } |
304 | 0 | memcpy(ccChild.begin(), vout.data()+32, 32); |
305 | 0 | keyChild.Set(begin(), begin() + 32, true); |
306 | 0 | bool ret = secp256k1_ec_seckey_tweak_add(secp256k1_context_sign, (unsigned char*)keyChild.begin(), vout.data()); |
307 | 0 | if (!ret) keyChild.ClearKeyData(); Branch (307:9): [True: 0, False: 0]
|
308 | 0 | return ret; |
309 | 0 | } |
310 | | |
311 | | EllSwiftPubKey CKey::EllSwiftCreate(Span<const std::byte> ent32) const |
312 | 0 | { |
313 | 0 | assert(keydata); |
314 | 0 | assert(ent32.size() == 32); |
315 | 0 | std::array<std::byte, EllSwiftPubKey::size()> encoded_pubkey; |
316 | |
|
317 | 0 | auto success = secp256k1_ellswift_create(secp256k1_context_sign, |
318 | 0 | UCharCast(encoded_pubkey.data()), |
319 | 0 | keydata->data(), |
320 | 0 | UCharCast(ent32.data())); |
321 | | |
322 | | // Should always succeed for valid keys (asserted above). |
323 | 0 | assert(success); |
324 | 0 | return {encoded_pubkey}; |
325 | 0 | } |
326 | | |
327 | | ECDHSecret CKey::ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift, const EllSwiftPubKey& our_ellswift, bool initiating) const |
328 | 0 | { |
329 | 0 | assert(keydata); |
330 | | |
331 | 0 | ECDHSecret output; |
332 | | // BIP324 uses the initiator as party A, and the responder as party B. Remap the inputs |
333 | | // accordingly: |
334 | 0 | bool success = secp256k1_ellswift_xdh(secp256k1_context_sign, |
335 | 0 | UCharCast(output.data()), |
336 | 0 | UCharCast(initiating ? our_ellswift.data() : their_ellswift.data()), Branch (336:53): [True: 0, False: 0]
|
337 | 0 | UCharCast(initiating ? their_ellswift.data() : our_ellswift.data()), Branch (337:53): [True: 0, False: 0]
|
338 | 0 | keydata->data(), |
339 | 0 | initiating ? 0 : 1, Branch (339:43): [True: 0, False: 0]
|
340 | 0 | secp256k1_ellswift_xdh_hash_function_bip324, |
341 | 0 | nullptr); |
342 | | // Should always succeed for valid keys (assert above). |
343 | 0 | assert(success); |
344 | 0 | return output; |
345 | 0 | } |
346 | | |
347 | | KeyPair CKey::ComputeKeyPair(const uint256* merkle_root) const |
348 | 0 | { |
349 | 0 | return KeyPair(*this, merkle_root); |
350 | 0 | } |
351 | | |
352 | | CKey GenerateRandomKey(bool compressed) noexcept |
353 | 0 | { |
354 | 0 | CKey key; |
355 | 0 | key.MakeNewKey(/*fCompressed=*/compressed); |
356 | 0 | return key; |
357 | 0 | } |
358 | | |
359 | 0 | bool CExtKey::Derive(CExtKey &out, unsigned int _nChild) const { |
360 | 0 | if (nDepth == std::numeric_limits<unsigned char>::max()) return false; Branch (360:9): [True: 0, False: 0]
|
361 | 0 | out.nDepth = nDepth + 1; |
362 | 0 | CKeyID id = key.GetPubKey().GetID(); |
363 | 0 | memcpy(out.vchFingerprint, &id, 4); |
364 | 0 | out.nChild = _nChild; |
365 | 0 | return key.Derive(out.key, out.chaincode, _nChild, chaincode); |
366 | 0 | } |
367 | | |
368 | | void CExtKey::SetSeed(Span<const std::byte> seed) |
369 | 0 | { |
370 | 0 | static const unsigned char hashkey[] = {'B','i','t','c','o','i','n',' ','s','e','e','d'}; |
371 | 0 | std::vector<unsigned char, secure_allocator<unsigned char>> vout(64); |
372 | 0 | CHMAC_SHA512{hashkey, sizeof(hashkey)}.Write(UCharCast(seed.data()), seed.size()).Finalize(vout.data()); |
373 | 0 | key.Set(vout.data(), vout.data() + 32, true); |
374 | 0 | memcpy(chaincode.begin(), vout.data() + 32, 32); |
375 | 0 | nDepth = 0; |
376 | 0 | nChild = 0; |
377 | 0 | memset(vchFingerprint, 0, sizeof(vchFingerprint)); |
378 | 0 | } |
379 | | |
380 | 0 | CExtPubKey CExtKey::Neuter() const { |
381 | 0 | CExtPubKey ret; |
382 | 0 | ret.nDepth = nDepth; |
383 | 0 | memcpy(ret.vchFingerprint, vchFingerprint, 4); |
384 | 0 | ret.nChild = nChild; |
385 | 0 | ret.pubkey = key.GetPubKey(); |
386 | 0 | ret.chaincode = chaincode; |
387 | 0 | return ret; |
388 | 0 | } |
389 | | |
390 | 0 | void CExtKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const { |
391 | 0 | code[0] = nDepth; |
392 | 0 | memcpy(code+1, vchFingerprint, 4); |
393 | 0 | WriteBE32(code+5, nChild); |
394 | 0 | memcpy(code+9, chaincode.begin(), 32); |
395 | 0 | code[41] = 0; |
396 | 0 | assert(key.size() == 32); |
397 | 0 | memcpy(code+42, key.begin(), 32); |
398 | 0 | } |
399 | | |
400 | 0 | void CExtKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) { |
401 | 0 | nDepth = code[0]; |
402 | 0 | memcpy(vchFingerprint, code+1, 4); |
403 | 0 | nChild = ReadBE32(code+5); |
404 | 0 | memcpy(chaincode.begin(), code+9, 32); |
405 | 0 | key.Set(code+42, code+BIP32_EXTKEY_SIZE, true); |
406 | 0 | if ((nDepth == 0 && (nChild != 0 || ReadLE32(vchFingerprint) != 0)) || code[41] != 0) key = CKey(); Branch (406:10): [True: 0, False: 0]
Branch (406:26): [True: 0, False: 0]
Branch (406:41): [True: 0, False: 0]
Branch (406:76): [True: 0, False: 0]
|
407 | 0 | } |
408 | | |
409 | | KeyPair::KeyPair(const CKey& key, const uint256* merkle_root) |
410 | 0 | { |
411 | 0 | static_assert(std::tuple_size<KeyType>() == sizeof(secp256k1_keypair)); |
412 | 0 | MakeKeyPairData(); |
413 | 0 | auto keypair = reinterpret_cast<secp256k1_keypair*>(m_keypair->data()); |
414 | 0 | bool success = secp256k1_keypair_create(secp256k1_context_sign, keypair, UCharCast(key.data())); |
415 | 0 | if (success && merkle_root) { Branch (415:9): [True: 0, False: 0]
Branch (415:20): [True: 0, False: 0]
|
416 | 0 | secp256k1_xonly_pubkey pubkey; |
417 | 0 | unsigned char pubkey_bytes[32]; |
418 | 0 | assert(secp256k1_keypair_xonly_pub(secp256k1_context_sign, &pubkey, nullptr, keypair)); |
419 | 0 | assert(secp256k1_xonly_pubkey_serialize(secp256k1_context_sign, pubkey_bytes, &pubkey)); |
420 | 0 | uint256 tweak = XOnlyPubKey(pubkey_bytes).ComputeTapTweakHash(merkle_root->IsNull() ? nullptr : merkle_root); Branch (420:71): [True: 0, False: 0]
|
421 | 0 | success = secp256k1_keypair_xonly_tweak_add(secp256k1_context_static, keypair, tweak.data()); |
422 | 0 | } |
423 | 0 | if (!success) ClearKeyPairData(); Branch (423:9): [True: 0, False: 0]
|
424 | 0 | } |
425 | | |
426 | | bool KeyPair::SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256& aux) const |
427 | 0 | { |
428 | 0 | assert(sig.size() == 64); |
429 | 0 | if (!IsValid()) return false; Branch (429:9): [True: 0, False: 0]
|
430 | 0 | auto keypair = reinterpret_cast<const secp256k1_keypair*>(m_keypair->data()); |
431 | 0 | bool ret = secp256k1_schnorrsig_sign32(secp256k1_context_sign, sig.data(), hash.data(), keypair, aux.data()); |
432 | 0 | if (ret) { Branch (432:9): [True: 0, False: 0]
|
433 | | // Additional verification step to prevent using a potentially corrupted signature |
434 | 0 | secp256k1_xonly_pubkey pubkey_verify; |
435 | 0 | ret = secp256k1_keypair_xonly_pub(secp256k1_context_static, &pubkey_verify, nullptr, keypair); |
436 | 0 | ret &= secp256k1_schnorrsig_verify(secp256k1_context_static, sig.data(), hash.begin(), 32, &pubkey_verify); |
437 | 0 | } |
438 | 0 | if (!ret) memory_cleanse(sig.data(), sig.size()); Branch (438:9): [True: 0, False: 0]
|
439 | 0 | return ret; |
440 | 0 | } |
441 | | |
442 | 0 | bool ECC_InitSanityCheck() { |
443 | 0 | CKey key = GenerateRandomKey(); |
444 | 0 | CPubKey pubkey = key.GetPubKey(); |
445 | 0 | return key.VerifyPubKey(pubkey); |
446 | 0 | } |
447 | | |
448 | | /** Initialize the elliptic curve support. May not be called twice without calling ECC_Stop first. */ |
449 | 0 | static void ECC_Start() { |
450 | 0 | assert(secp256k1_context_sign == nullptr); |
451 | | |
452 | 0 | secp256k1_context *ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); |
453 | 0 | assert(ctx != nullptr); |
454 | | |
455 | 0 | { |
456 | | // Pass in a random blinding seed to the secp256k1 context. |
457 | 0 | std::vector<unsigned char, secure_allocator<unsigned char>> vseed(32); |
458 | 0 | GetRandBytes(vseed); |
459 | 0 | bool ret = secp256k1_context_randomize(ctx, vseed.data()); |
460 | 0 | assert(ret); |
461 | 0 | } |
462 | | |
463 | 0 | secp256k1_context_sign = ctx; |
464 | 0 | } |
465 | | |
466 | | /** Deinitialize the elliptic curve support. No-op if ECC_Start wasn't called first. */ |
467 | 1 | static void ECC_Stop() { |
468 | 1 | secp256k1_context *ctx = secp256k1_context_sign; |
469 | 1 | secp256k1_context_sign = nullptr; |
470 | | |
471 | 1 | if (ctx) { Branch (471:9): [True: 1, False: 0]
|
472 | 1 | secp256k1_context_destroy(ctx); |
473 | 1 | } |
474 | 1 | } |
475 | | |
476 | | ECC_Context::ECC_Context() |
477 | 0 | { |
478 | 0 | ECC_Start(); |
479 | 0 | } |
480 | | |
481 | | ECC_Context::~ECC_Context() |
482 | 1 | { |
483 | 1 | ECC_Stop(); |
484 | 1 | } |