/workdir/bitcoin/src/key.h

Source (jump to first uncovered line)
// Copyright (c) 2009-2010 Satoshi Nakamoto
// Copyright (c) 2009-2022 The Bitcoin Core developers
// Copyright (c) 2017 The Zcash developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#ifndef BITCOIN_KEY_H
#define BITCOIN_KEY_H

#include <pubkey.h>
#include <serialize.h>
#include <support/allocators/secure.h>
#include <uint256.h>

#include <stdexcept>
#include <vector>


/**
 * CPrivKey is a serialized private key, with all parameters included
 * (SIZE bytes)
 */
typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey;

/** Size of ECDH shared secrets. */
constexpr static size_t ECDH_SECRET_SIZE = CSHA256::OUTPUT_SIZE;

// Used to represent ECDH shared secret (ECDH_SECRET_SIZE bytes)
using ECDHSecret = std::array<std::byte, ECDH_SECRET_SIZE>;

class KeyPair;

/** An encapsulated private key. */
class CKey
{
public:
    /**
     * secp256k1:
     */
    static const unsigned int SIZE            = 279;
    static const unsigned int COMPRESSED_SIZE = 214;
    /**
     * see www.keylength.com
     * script supports up to 75 for single byte push
     */
    static_assert(
        SIZE >= COMPRESSED_SIZE,
        "COMPRESSED_SIZE is larger than SIZE");

private:
    /** Internal data container for private key material. */
    using KeyType = std::array<unsigned char, 32>;

    //! Whether the public key corresponding to this private key is (to be) compressed.
    bool fCompressed{false};

    //! The actual byte data. nullptr for invalid keys.
    secure_unique_ptr<KeyType> keydata;

    //! Check whether the 32-byte array pointed to by vch is valid keydata.
    bool static Check(const unsigned char* vch);

    void MakeKeyData()
    {
        if (!keydata) keydata = make_secure_unique<KeyType>();
    }

    void ClearKeyData()
    {
        keydata.reset();
    }

public:
    CKey() noexcept = default;
    CKey(CKey&&) noexcept = default;
    CKey& operator=(CKey&&) noexcept = default;

    CKey& operator=(const CKey& other)
    {
        if (this != &other) {
            if (other.keydata) {
                MakeKeyData();
                *keydata = *other.keydata;
            } else {
                ClearKeyData();
            }
            fCompressed = other.fCompressed;
        }
        return *this;
    }

    CKey(const CKey& other) { *this = other; }

    friend bool operator==(const CKey& a, const CKey& b)
    {
        return a.fCompressed == b.fCompressed &&
            a.size() == b.size() &&
            memcmp(a.data(), b.data(), a.size()) == 0;
    }

    //! Initialize using begin and end iterators to byte data.
    template <typename T>
    void Set(const T pbegin, const T pend, bool fCompressedIn)
    {
        if (size_t(pend - pbegin) != std::tuple_size_v<KeyType>) {
            ClearKeyData();
        } else if (Check(UCharCast(&pbegin[0]))) {
            MakeKeyData();
            memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size());
            fCompressed = fCompressedIn;
        } else {
            ClearKeyData();
        }
    }

    //! Simple read-only vector-like interface.
    unsigned int size() const { return keydata ? keydata->size() : 0; }
    const std::byte* data() const { return keydata ? reinterpret_cast<const std::byte*>(keydata->data()) : nullptr; }
    const std::byte* begin() const { return data(); }
    const std::byte* end() const { return data() + size(); }

    //! Check whether this private key is valid.
    bool IsValid() const { return !!keydata; }

    //! Check whether the public key corresponding to this private key is (to be) compressed.
    bool IsCompressed() const { return fCompressed; }

    //! Generate a new private key using a cryptographic PRNG.
    void MakeNewKey(bool fCompressed);

    /**
     * Convert the private key to a CPrivKey (serialized OpenSSL private key data).
     * This is expensive.
     */
    CPrivKey GetPrivKey() const;

    /**
     * Compute the public key from a private key.
     * This is expensive.
     */
    CPubKey GetPubKey() const;

    /**
     * Create a DER-serialized signature.
     * The test_case parameter tweaks the deterministic nonce.
     */
    bool Sign(const uint256& hash, std::vector<unsigned char>& vchSig, bool grind = true, uint32_t test_case = 0) const;

    /**
     * Create a compact signature (65 bytes), which allows reconstructing the used public key.
     * The format is one header byte, followed by two times 32 bytes for the serialized r and s values.
     * The header byte: 0x1B = first key with even y, 0x1C = first key with odd y,
     *                  0x1D = second key with even y, 0x1E = second key with odd y,
     *                  add 0x04 for compressed keys.
     */
    bool SignCompact(const uint256& hash, std::vector<unsigned char>& vchSig) const;

    /**
     * Create a BIP-340 Schnorr signature, for the xonly-pubkey corresponding to *this,
     * optionally tweaked by *merkle_root. Additional nonce entropy is provided through
     * aux.
     *
     * merkle_root is used to optionally perform tweaking of the private key, as specified
     * in BIP341:
     * - If merkle_root == nullptr: no tweaking is done, sign with key directly (this is
     *                              used for signatures in BIP342 script).
     * - If merkle_root->IsNull():  sign with key + H_TapTweak(pubkey) (this is used for
     *                              key path spending when no scripts are present).
     * - Otherwise:                 sign with key + H_TapTweak(pubkey || *merkle_root)
     *                              (this is used for key path spending, with specific
     *                              Merkle root of the script tree).
     */
    bool SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256* merkle_root, const uint256& aux) const;

    //! Derive BIP32 child key.
    [[nodiscard]] bool Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const;

    /**
     * Verify thoroughly whether a private key and a public key match.
     * This is done using a different mechanism than just regenerating it.
     */
    bool VerifyPubKey(const CPubKey& vchPubKey) const;

    //! Load private key and check that public key matches.
    bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck);

    /** Create an ellswift-encoded public key for this key, with specified entropy.
     *
     *  entropy must be a 32-byte span with additional entropy to use in the encoding. Every
     *  public key has ~2^256 different encodings, and this function will deterministically pick
     *  one of them, based on entropy. Note that even without truly random entropy, the
     *  resulting encoding will be indistinguishable from uniform to any adversary who does not
     *  know the private key (because the private key itself is always used as entropy as well).
     */
    EllSwiftPubKey EllSwiftCreate(Span<const std::byte> entropy) const;

    /** Compute a BIP324-style ECDH shared secret.
     *
     *  - their_ellswift: EllSwiftPubKey that was received from the other side.
     *  - our_ellswift: EllSwiftPubKey that was sent to the other side (must have been generated
     *                  from *this using EllSwiftCreate()).
     *  - initiating: whether we are the initiating party (true) or responding party (false).
     */
    ECDHSecret ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift,
                                       const EllSwiftPubKey& our_ellswift,
                                       bool initiating) const;
    /** Compute a KeyPair
     *
     *  Wraps a `secp256k1_keypair` type.
     *
     *  `merkle_root` is used to optionally perform tweaking of
     *  the internal key, as specified in BIP341:
     *
     *  - If merkle_root == nullptr: no tweaking is done, use the internal key directly (this is
     *                               used for signatures in BIP342 script).
     *  - If merkle_root->IsNull():  tweak the internal key with H_TapTweak(pubkey) (this is used for
     *                               key path spending when no scripts are present).
     *  - Otherwise:                 tweak the internal key with H_TapTweak(pubkey || *merkle_root)
     *                               (this is used for key path spending with the
     *                               Merkle root of the script tree).
     */
    KeyPair ComputeKeyPair(const uint256* merkle_root) const;
};

CKey GenerateRandomKey(bool compressed = true) noexcept;

struct CExtKey {
    unsigned char nDepth;
    unsigned char vchFingerprint[4];
    unsigned int nChild;
    ChainCode chaincode;
    CKey key;

    friend bool operator==(const CExtKey& a, const CExtKey& b)
    {
        return a.nDepth == b.nDepth &&
            memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 &&
            a.nChild == b.nChild &&
            a.chaincode == b.chaincode &&
            a.key == b.key;
    }

    CExtKey() = default;
    CExtKey(const CExtPubKey& xpub, const CKey& key_in) : nDepth(xpub.nDepth), nChild(xpub.nChild), chaincode(xpub.chaincode), key(key_in)
    {
        std::copy(xpub.vchFingerprint, xpub.vchFingerprint + sizeof(xpub.vchFingerprint), vchFingerprint);
    }

    void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const;
    void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]);
    [[nodiscard]] bool Derive(CExtKey& out, unsigned int nChild) const;
    CExtPubKey Neuter() const;
    void SetSeed(Span<const std::byte> seed);
};

/** KeyPair
 *
 *  Wraps a `secp256k1_keypair` type, an opaque data structure for holding a secret and public key.
 *  This is intended for BIP340 keys and allows us to easily determine if the secret key needs to
 *  be negated by checking the parity of the public key. This class primarily intended for passing
 *  secret keys to libsecp256k1 functions expecting a `secp256k1_keypair`. For all other cases,
 *  CKey should be preferred.
 *
 *  A KeyPair can be created from a CKey with an optional merkle_root tweak (per BIP342). See
 *  CKey::ComputeKeyPair for more details.
 */
class KeyPair
{
public:
    KeyPair() noexcept = default;
    KeyPair(KeyPair&&) noexcept = default;
    KeyPair& operator=(KeyPair&&) noexcept = default;
    KeyPair& operator=(const KeyPair& other)
    {
        if (this != &other) {
            if (other.m_keypair) {
                MakeKeyPairData();
                *m_keypair = *other.m_keypair;
            } else {
                ClearKeyPairData();
            }
        }
        return *this;
    }

    KeyPair(const KeyPair& other) { *this = other; }

    friend KeyPair CKey::ComputeKeyPair(const uint256* merkle_root) const;
    [[nodiscard]] bool SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256& aux) const;

    //! Check whether this keypair is valid.
    bool IsValid() const { return !!m_keypair; }

private:
    KeyPair(const CKey& key, const uint256* merkle_root);

    using KeyType = std::array<unsigned char, 96>;
    secure_unique_ptr<KeyType> m_keypair;

    void MakeKeyPairData()
    {
        if (!m_keypair) m_keypair = make_secure_unique<KeyType>();
    }

    void ClearKeyPairData()
    {
        m_keypair.reset();
    }
};

/** Check that required EC support is available at runtime. */
bool ECC_InitSanityCheck();

/**
 * RAII class initializing and deinitializing global state for elliptic curve support.
 * Only one instance may be initialized at a time.
 *
 * In the future global ECC state could be removed, and this class could contain
 * state and be passed as an argument to ECC key functions.
 */
class ECC_Context
{
public:
    ECC_Context();
    ~ECC_Context();
};

#endif // BITCOIN_KEY_H

Coverage Report

Created: 2024-08-21 05:08

Line	Count	Source (jump to first uncovered line)
1		// Copyright (c) 2009-2010 Satoshi Nakamoto
2		// Copyright (c) 2009-2022 The Bitcoin Core developers
3		// Copyright (c) 2017 The Zcash developers
4		// Distributed under the MIT software license, see the accompanying
5		// file COPYING or http://www.opensource.org/licenses/mit-license.php.
6
7		#ifndef BITCOIN_KEY_H
8		#define BITCOIN_KEY_H
9
10		#include <pubkey.h>
11		#include <serialize.h>
12		#include <support/allocators/secure.h>
13		#include <uint256.h>
14
15		#include <stdexcept>
16		#include <vector>
17
18
19		/**
20		* CPrivKey is a serialized private key, with all parameters included
21		* (SIZE bytes)
22		*/
23		typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey;
24
25		/** Size of ECDH shared secrets. */
26		constexpr static size_t ECDH_SECRET_SIZE = CSHA256::OUTPUT_SIZE;
27
28		// Used to represent ECDH shared secret (ECDH_SECRET_SIZE bytes)
29		using ECDHSecret = std::array<std::byte, ECDH_SECRET_SIZE>;
30
31		class KeyPair;
32
33		/** An encapsulated private key. */
34		class CKey
35		{
36		public:
37		/**
38		* secp256k1:
39		*/
40		static const unsigned int SIZE = 279;
41		static const unsigned int COMPRESSED_SIZE = 214;
42		/**
43		* see www.keylength.com
44		* script supports up to 75 for single byte push
45		*/
46		static_assert(
47		SIZE >= COMPRESSED_SIZE,
48		"COMPRESSED_SIZE is larger than SIZE");
49
50		private:
51		/** Internal data container for private key material. */
52		using KeyType = std::array<unsigned char, 32>;
53
54		//! Whether the public key corresponding to this private key is (to be) compressed.
55		bool fCompressed{false};
56
57		//! The actual byte data. nullptr for invalid keys.
58		secure_unique_ptr<KeyType> keydata;
59
60		//! Check whether the 32-byte array pointed to by vch is valid keydata.
61		bool static Check(const unsigned char* vch);
62
63		void MakeKeyData()
64	0	{
65	0	if (!keydata) keydata = make_secure_unique<KeyType>(); Branch (65:13): [True: 0, False: 0]
66	0	}
67
68		void ClearKeyData()
69	0	{
70	0	keydata.reset();
71	0	}
72
73		public:
74	0	CKey() noexcept = default;
75	0	CKey(CKey&&) noexcept = default;
76	0	CKey& operator=(CKey&&) noexcept = default;
77
78		CKey& operator=(const CKey& other)
79	0	{
80	0	if (this != &other) { Branch (80:13): [True: 0, False: 0]
81	0	if (other.keydata) { Branch (81:17): [True: 0, False: 0]
82	0	MakeKeyData();
83	0	keydata = other.keydata;
84	0	} else {
85	0	ClearKeyData();
86	0	}
87	0	fCompressed = other.fCompressed;
88	0	}
89	0	return *this;
90	0	}
91
92	0	CKey(const CKey& other) { *this = other; }
93
94		friend bool operator==(const CKey& a, const CKey& b)
95	0	{
96	0	return a.fCompressed == b.fCompressed && Branch (96:16): [True: 0, False: 0]
97	0	a.size() == b.size() && Branch (97:13): [True: 0, False: 0]
98	0	memcmp(a.data(), b.data(), a.size()) == 0; Branch (98:13): [True: 0, False: 0]
99	0	}
100
101		//! Initialize using begin and end iterators to byte data.
102		template <typename T>
103		void Set(const T pbegin, const T pend, bool fCompressedIn)
104	0	{
105	0	if (size_t(pend - pbegin) != std::tuple_size_v<KeyType>) { Branch (105:13): [True: 0, False: 0] Branch (105:13): [True: 0, False: 0] Branch (105:13): [True: 0, False: 0] Branch (105:13): [True: 0, False: 0] Branch (105:13): [True: 0, False: 0] Branch (105:13): [True: 0, False: 0] Branch (105:13): [True: 0, False: 0]
106	0	ClearKeyData();
107	0	} else if (Check(UCharCast(&pbegin[0]))) { Branch (107:20): [True: 0, False: 0] Branch (107:20): [True: 0, False: 0] Branch (107:20): [True: 0, False: 0] Branch (107:20): [True: 0, False: 0] Branch (107:20): [True: 0, False: 0] Branch (107:20): [True: 0, False: 0] Branch (107:20): [True: 0, False: 0]
108	0	MakeKeyData();
109	0	memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size());
110	0	fCompressed = fCompressedIn;
111	0	} else {
112	0	ClearKeyData();
113	0	}
114	0	} Unexecuted instantiation: void CKey::Set<__gnu_cxx::__normal_iterator<unsigned char const, std::span<unsigned char const, 18446744073709551615ul> > >(__gnu_cxx::__normal_iterator<unsigned char const, std::span<unsigned char const, 18446744073709551615ul> >, __gnu_cxx::__normal_iterator<unsigned char const, std::span<unsigned char const, 18446744073709551615ul> >, bool) Unexecuted instantiation: void CKey::Set<std::byte const>(std::byte const, std::byte const, bool) Unexecuted instantiation: void CKey::Set<unsigned char>(unsigned char, unsigned char, bool) Unexecuted instantiation: void CKey::Set<unsigned char const>(unsigned char const, unsigned char const, bool) Unexecuted instantiation: void CKey::Set<__gnu_cxx::__normal_iterator<unsigned char, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char, std::vector<unsigned char, std::allocator<unsigned char> > >, bool) Unexecuted instantiation: void CKey::Set<std::byte>(std::byte, std::byte, bool) Unexecuted instantiation: void CKey::Set<__gnu_cxx::__normal_iterator<unsigned char, std::vector<unsigned char, secure_allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char, std::vector<unsigned char, secure_allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, secure_allocator<unsigned char> > >, bool)
115
116		//! Simple read-only vector-like interface.
117	0	unsigned int size() const { return keydata ? keydata->size() : 0; } Branch (117:40): [True: 0, False: 0]
118	0	const std::byte* data() const { return keydata ? reinterpret_cast<const std::byte*>(keydata->data()) : nullptr; } Branch (118:44): [True: 0, False: 0]
119	0	const std::byte* begin() const { return data(); }
120	0	const std::byte* end() const { return data() + size(); }
121
122		//! Check whether this private key is valid.
123	0	bool IsValid() const { return !!keydata; }
124
125		//! Check whether the public key corresponding to this private key is (to be) compressed.
126	0	bool IsCompressed() const { return fCompressed; }
127
128		//! Generate a new private key using a cryptographic PRNG.
129		void MakeNewKey(bool fCompressed);
130
131		/**
132		* Convert the private key to a CPrivKey (serialized OpenSSL private key data).
133		* This is expensive.
134		*/
135		CPrivKey GetPrivKey() const;
136
137		/**
138		* Compute the public key from a private key.
139		* This is expensive.
140		*/
141		CPubKey GetPubKey() const;
142
143		/**
144		* Create a DER-serialized signature.
145		* The test_case parameter tweaks the deterministic nonce.
146		*/
147		bool Sign(const uint256& hash, std::vector<unsigned char>& vchSig, bool grind = true, uint32_t test_case = 0) const;
148
149		/**
150		* Create a compact signature (65 bytes), which allows reconstructing the used public key.
151		* The format is one header byte, followed by two times 32 bytes for the serialized r and s values.
152		* The header byte: 0x1B = first key with even y, 0x1C = first key with odd y,
153		* 0x1D = second key with even y, 0x1E = second key with odd y,
154		* add 0x04 for compressed keys.
155		*/
156		bool SignCompact(const uint256& hash, std::vector<unsigned char>& vchSig) const;
157
158		/**
159		* Create a BIP-340 Schnorr signature, for the xonly-pubkey corresponding to *this,
160		* optionally tweaked by *merkle_root. Additional nonce entropy is provided through
161		* aux.
162		*
163		* merkle_root is used to optionally perform tweaking of the private key, as specified
164		* in BIP341:
165		* - If merkle_root == nullptr: no tweaking is done, sign with key directly (this is
166		* used for signatures in BIP342 script).
167		* - If merkle_root->IsNull(): sign with key + H_TapTweak(pubkey) (this is used for
168		* key path spending when no scripts are present).
169		* - Otherwise: sign with key + H_TapTweak(pubkey \|\| *merkle_root)
170		* (this is used for key path spending, with specific
171		* Merkle root of the script tree).
172		*/
173		bool SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256* merkle_root, const uint256& aux) const;
174
175		//! Derive BIP32 child key.
176		[[nodiscard]] bool Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const;
177
178		/**
179		* Verify thoroughly whether a private key and a public key match.
180		* This is done using a different mechanism than just regenerating it.
181		*/
182		bool VerifyPubKey(const CPubKey& vchPubKey) const;
183
184		//! Load private key and check that public key matches.
185		bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck);
186
187		/** Create an ellswift-encoded public key for this key, with specified entropy.
188		*
189		* entropy must be a 32-byte span with additional entropy to use in the encoding. Every
190		* public key has ~2^256 different encodings, and this function will deterministically pick
191		* one of them, based on entropy. Note that even without truly random entropy, the
192		* resulting encoding will be indistinguishable from uniform to any adversary who does not
193		* know the private key (because the private key itself is always used as entropy as well).
194		*/
195		EllSwiftPubKey EllSwiftCreate(Span<const std::byte> entropy) const;
196
197		/** Compute a BIP324-style ECDH shared secret.
198		*
199		* - their_ellswift: EllSwiftPubKey that was received from the other side.
200		* - our_ellswift: EllSwiftPubKey that was sent to the other side (must have been generated
201		* from *this using EllSwiftCreate()).
202		* - initiating: whether we are the initiating party (true) or responding party (false).
203		*/
204		ECDHSecret ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift,
205		const EllSwiftPubKey& our_ellswift,
206		bool initiating) const;
207		/** Compute a KeyPair
208		*
209		* Wraps a `secp256k1_keypair` type.
210		*
211		* `merkle_root` is used to optionally perform tweaking of
212		* the internal key, as specified in BIP341:
213		*
214		* - If merkle_root == nullptr: no tweaking is done, use the internal key directly (this is
215		* used for signatures in BIP342 script).
216		* - If merkle_root->IsNull(): tweak the internal key with H_TapTweak(pubkey) (this is used for
217		* key path spending when no scripts are present).
218		* - Otherwise: tweak the internal key with H_TapTweak(pubkey \|\| *merkle_root)
219		* (this is used for key path spending with the
220		* Merkle root of the script tree).
221		*/
222		KeyPair ComputeKeyPair(const uint256* merkle_root) const;
223		};
224
225		CKey GenerateRandomKey(bool compressed = true) noexcept;
226
227		struct CExtKey {
228		unsigned char nDepth;
229		unsigned char vchFingerprint[4];
230		unsigned int nChild;
231		ChainCode chaincode;
232		CKey key;
233
234		friend bool operator==(const CExtKey& a, const CExtKey& b)
235	0	{
236	0	return a.nDepth == b.nDepth && Branch (236:16): [True: 0, False: 0]
237	0	memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 && Branch (237:13): [True: 0, False: 0]
238	0	a.nChild == b.nChild && Branch (238:13): [True: 0, False: 0]
239	0	a.chaincode == b.chaincode && Branch (239:13): [True: 0, False: 0]
240	0	a.key == b.key; Branch (240:13): [True: 0, False: 0]
241	0	}
242
243	0	CExtKey() = default;
244	0	CExtKey(const CExtPubKey& xpub, const CKey& key_in) : nDepth(xpub.nDepth), nChild(xpub.nChild), chaincode(xpub.chaincode), key(key_in)
245	0	{
246	0	std::copy(xpub.vchFingerprint, xpub.vchFingerprint + sizeof(xpub.vchFingerprint), vchFingerprint);
247	0	}
248
249		void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const;
250		void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]);
251		[[nodiscard]] bool Derive(CExtKey& out, unsigned int nChild) const;
252		CExtPubKey Neuter() const;
253		void SetSeed(Span<const std::byte> seed);
254		};
255
256		/** KeyPair
257		*
258		* Wraps a `secp256k1_keypair` type, an opaque data structure for holding a secret and public key.
259		* This is intended for BIP340 keys and allows us to easily determine if the secret key needs to
260		* be negated by checking the parity of the public key. This class primarily intended for passing
261		* secret keys to libsecp256k1 functions expecting a `secp256k1_keypair`. For all other cases,
262		* CKey should be preferred.
263		*
264		* A KeyPair can be created from a CKey with an optional merkle_root tweak (per BIP342). See
265		* CKey::ComputeKeyPair for more details.
266		*/
267		class KeyPair
268		{
269		public:
270		KeyPair() noexcept = default;
271		KeyPair(KeyPair&&) noexcept = default;
272		KeyPair& operator=(KeyPair&&) noexcept = default;
273		KeyPair& operator=(const KeyPair& other)
274	0	{
275	0	if (this != &other) {
276	0	if (other.m_keypair) {
277	0	MakeKeyPairData();
278	0	m_keypair = other.m_keypair;
279	0	} else {
280	0	ClearKeyPairData();
281	0	}
282	0	}
283	0	return *this;
284	0	}
285
286	0	KeyPair(const KeyPair& other) { *this = other; }
287
288		friend KeyPair CKey::ComputeKeyPair(const uint256* merkle_root) const;
289		[[nodiscard]] bool SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256& aux) const;
290
291		//! Check whether this keypair is valid.
292	0	bool IsValid() const { return !!m_keypair; }
293
294		private:
295		KeyPair(const CKey& key, const uint256* merkle_root);
296
297		using KeyType = std::array<unsigned char, 96>;
298		secure_unique_ptr<KeyType> m_keypair;
299
300		void MakeKeyPairData()
301	0	{
302	0	if (!m_keypair) m_keypair = make_secure_unique<KeyType>(); Branch (302:13): [True: 0, False: 0]
303	0	}
304
305		void ClearKeyPairData()
306	0	{
307	0	m_keypair.reset();
308	0	}
309		};
310
311		/** Check that required EC support is available at runtime. */
312		bool ECC_InitSanityCheck();
313
314		/**
315		* RAII class initializing and deinitializing global state for elliptic curve support.
316		* Only one instance may be initialized at a time.
317		*
318		* In the future global ECC state could be removed, and this class could contain
319		* state and be passed as an argument to ECC key functions.
320		*/
321		class ECC_Context
322		{
323		public:
324		ECC_Context();
325		~ECC_Context();
326		};
327
328		#endif // BITCOIN_KEY_H