2015-07-07 03:54:22 +03:00
|
|
|
// Copyright 2014 The go-ethereum Authors
|
2015-07-22 19:48:40 +03:00
|
|
|
// This file is part of the go-ethereum library.
|
2015-07-07 03:54:22 +03:00
|
|
|
//
|
2015-07-23 19:35:11 +03:00
|
|
|
// The go-ethereum library is free software: you can redistribute it and/or modify
|
2015-07-07 03:54:22 +03:00
|
|
|
// it under the terms of the GNU Lesser General Public License as published by
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
// (at your option) any later version.
|
|
|
|
//
|
2015-07-22 19:48:40 +03:00
|
|
|
// The go-ethereum library is distributed in the hope that it will be useful,
|
2015-07-07 03:54:22 +03:00
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
2015-07-22 19:48:40 +03:00
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
2015-07-07 03:54:22 +03:00
|
|
|
// GNU Lesser General Public License for more details.
|
|
|
|
//
|
|
|
|
// You should have received a copy of the GNU Lesser General Public License
|
2015-07-22 19:48:40 +03:00
|
|
|
// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
|
2015-07-07 03:54:22 +03:00
|
|
|
|
2014-10-31 13:37:43 +02:00
|
|
|
package crypto
|
2014-06-29 17:57:12 +03:00
|
|
|
|
|
|
|
import (
|
2020-04-08 17:01:11 +03:00
|
|
|
"bufio"
|
2014-12-10 01:03:21 +02:00
|
|
|
"crypto/ecdsa"
|
|
|
|
"crypto/elliptic"
|
|
|
|
"crypto/rand"
|
2017-02-18 11:24:12 +03:00
|
|
|
"encoding/hex"
|
|
|
|
"errors"
|
2017-05-23 14:58:03 +03:00
|
|
|
"fmt"
|
2020-06-30 12:59:06 +03:00
|
|
|
"hash"
|
2015-02-10 13:29:50 +02:00
|
|
|
"io"
|
2015-03-25 16:58:52 +02:00
|
|
|
"io/ioutil"
|
2015-06-01 21:27:20 +03:00
|
|
|
"math/big"
|
2015-02-10 13:29:50 +02:00
|
|
|
"os"
|
2014-10-08 13:00:50 +03:00
|
|
|
|
2015-03-16 18:27:24 +02:00
|
|
|
"github.com/ethereum/go-ethereum/common"
|
2017-05-23 14:58:03 +03:00
|
|
|
"github.com/ethereum/go-ethereum/common/math"
|
2015-03-17 12:19:23 +02:00
|
|
|
"github.com/ethereum/go-ethereum/rlp"
|
2019-01-04 01:15:26 +03:00
|
|
|
"golang.org/x/crypto/sha3"
|
2017-02-18 11:24:12 +03:00
|
|
|
)
|
|
|
|
|
2019-08-22 16:14:06 +03:00
|
|
|
//SignatureLength indicates the byte length required to carry a signature with recovery id.
|
|
|
|
const SignatureLength = 64 + 1 // 64 bytes ECDSA signature + 1 byte recovery id
|
|
|
|
|
|
|
|
// RecoveryIDOffset points to the byte offset within the signature that contains the recovery id.
|
|
|
|
const RecoveryIDOffset = 64
|
|
|
|
|
|
|
|
// DigestLength sets the signature digest exact length
|
|
|
|
const DigestLength = 32
|
|
|
|
|
2017-02-18 11:24:12 +03:00
|
|
|
var (
|
2018-05-09 02:17:09 +03:00
|
|
|
secp256k1N, _ = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16)
|
|
|
|
secp256k1halfN = new(big.Int).Div(secp256k1N, big.NewInt(2))
|
2014-06-29 17:57:12 +03:00
|
|
|
)
|
|
|
|
|
2018-06-12 16:26:08 +03:00
|
|
|
var errInvalidPubkey = errors.New("invalid secp256k1 public key")
|
|
|
|
|
2020-06-30 12:59:06 +03:00
|
|
|
// KeccakState wraps sha3.state. In addition to the usual hash methods, it also supports
|
|
|
|
// Read to get a variable amount of data from the hash state. Read is faster than Sum
|
|
|
|
// because it doesn't copy the internal state, but also modifies the internal state.
|
|
|
|
type KeccakState interface {
|
|
|
|
hash.Hash
|
|
|
|
Read([]byte) (int, error)
|
|
|
|
}
|
|
|
|
|
2017-03-05 18:38:34 +03:00
|
|
|
// Keccak256 calculates and returns the Keccak256 hash of the input data.
|
2016-02-21 20:40:27 +02:00
|
|
|
func Keccak256(data ...[]byte) []byte {
|
2020-06-30 12:59:06 +03:00
|
|
|
b := make([]byte, 32)
|
|
|
|
d := sha3.NewLegacyKeccak256().(KeccakState)
|
2015-01-27 15:29:33 +02:00
|
|
|
for _, b := range data {
|
|
|
|
d.Write(b)
|
|
|
|
}
|
2020-06-30 12:59:06 +03:00
|
|
|
d.Read(b)
|
|
|
|
return b
|
2014-06-29 17:57:12 +03:00
|
|
|
}
|
2014-06-29 18:08:33 +03:00
|
|
|
|
2017-03-05 18:38:34 +03:00
|
|
|
// Keccak256Hash calculates and returns the Keccak256 hash of the input data,
|
|
|
|
// converting it to an internal Hash data structure.
|
2016-02-21 20:40:27 +02:00
|
|
|
func Keccak256Hash(data ...[]byte) (h common.Hash) {
|
2020-06-30 12:59:06 +03:00
|
|
|
d := sha3.NewLegacyKeccak256().(KeccakState)
|
2015-03-16 18:27:24 +02:00
|
|
|
for _, b := range data {
|
|
|
|
d.Write(b)
|
|
|
|
}
|
2020-06-30 12:59:06 +03:00
|
|
|
d.Read(h[:])
|
2015-03-16 18:27:24 +02:00
|
|
|
return h
|
|
|
|
}
|
|
|
|
|
2017-03-05 18:38:34 +03:00
|
|
|
// Keccak512 calculates and returns the Keccak512 hash of the input data.
|
|
|
|
func Keccak512(data ...[]byte) []byte {
|
2019-01-04 01:15:26 +03:00
|
|
|
d := sha3.NewLegacyKeccak512()
|
2017-03-05 18:38:34 +03:00
|
|
|
for _, b := range data {
|
|
|
|
d.Write(b)
|
|
|
|
}
|
|
|
|
return d.Sum(nil)
|
|
|
|
}
|
|
|
|
|
2018-05-09 02:17:09 +03:00
|
|
|
// CreateAddress creates an ethereum address given the bytes and the nonce
|
2015-03-17 12:19:23 +02:00
|
|
|
func CreateAddress(b common.Address, nonce uint64) common.Address {
|
|
|
|
data, _ := rlp.EncodeToBytes([]interface{}{b, nonce})
|
2016-02-21 20:40:27 +02:00
|
|
|
return common.BytesToAddress(Keccak256(data)[12:])
|
2014-06-29 18:08:33 +03:00
|
|
|
}
|
2014-10-08 13:00:50 +03:00
|
|
|
|
2018-07-24 17:22:03 +03:00
|
|
|
// CreateAddress2 creates an ethereum address given the address bytes, initial
|
2018-10-04 18:15:37 +03:00
|
|
|
// contract code hash and a salt.
|
|
|
|
func CreateAddress2(b common.Address, salt [32]byte, inithash []byte) common.Address {
|
|
|
|
return common.BytesToAddress(Keccak256([]byte{0xff}, b.Bytes(), salt[:], inithash)[12:])
|
2018-07-24 17:22:03 +03:00
|
|
|
}
|
|
|
|
|
2017-02-18 11:24:12 +03:00
|
|
|
// ToECDSA creates a private key with the given D value.
|
2017-05-23 14:58:03 +03:00
|
|
|
func ToECDSA(d []byte) (*ecdsa.PrivateKey, error) {
|
2017-06-01 10:24:40 +03:00
|
|
|
return toECDSA(d, true)
|
|
|
|
}
|
|
|
|
|
2017-12-15 00:55:18 +03:00
|
|
|
// ToECDSAUnsafe blindly converts a binary blob to a private key. It should almost
|
2017-06-01 10:24:40 +03:00
|
|
|
// never be used unless you are sure the input is valid and want to avoid hitting
|
|
|
|
// errors due to bad origin encoding (0 prefixes cut off).
|
|
|
|
func ToECDSAUnsafe(d []byte) *ecdsa.PrivateKey {
|
|
|
|
priv, _ := toECDSA(d, false)
|
|
|
|
return priv
|
|
|
|
}
|
|
|
|
|
|
|
|
// toECDSA creates a private key with the given D value. The strict parameter
|
|
|
|
// controls whether the key's length should be enforced at the curve size or
|
|
|
|
// it can also accept legacy encodings (0 prefixes).
|
|
|
|
func toECDSA(d []byte, strict bool) (*ecdsa.PrivateKey, error) {
|
2014-12-10 15:17:10 +02:00
|
|
|
priv := new(ecdsa.PrivateKey)
|
2017-02-18 11:24:12 +03:00
|
|
|
priv.PublicKey.Curve = S256()
|
2017-06-01 10:24:40 +03:00
|
|
|
if strict && 8*len(d) != priv.Params().BitSize {
|
2017-05-23 14:58:03 +03:00
|
|
|
return nil, fmt.Errorf("invalid length, need %d bits", priv.Params().BitSize)
|
|
|
|
}
|
|
|
|
priv.D = new(big.Int).SetBytes(d)
|
2018-01-02 12:55:03 +03:00
|
|
|
|
|
|
|
// The priv.D must < N
|
2018-05-09 02:17:09 +03:00
|
|
|
if priv.D.Cmp(secp256k1N) >= 0 {
|
2018-01-02 12:55:03 +03:00
|
|
|
return nil, fmt.Errorf("invalid private key, >=N")
|
|
|
|
}
|
|
|
|
// The priv.D must not be zero or negative.
|
|
|
|
if priv.D.Sign() <= 0 {
|
|
|
|
return nil, fmt.Errorf("invalid private key, zero or negative")
|
|
|
|
}
|
|
|
|
|
2017-05-23 14:58:03 +03:00
|
|
|
priv.PublicKey.X, priv.PublicKey.Y = priv.PublicKey.Curve.ScalarBaseMult(d)
|
2017-12-12 00:49:09 +03:00
|
|
|
if priv.PublicKey.X == nil {
|
|
|
|
return nil, errors.New("invalid private key")
|
|
|
|
}
|
2017-05-23 14:58:03 +03:00
|
|
|
return priv, nil
|
2014-12-10 01:03:21 +02:00
|
|
|
}
|
|
|
|
|
2017-06-01 10:24:40 +03:00
|
|
|
// FromECDSA exports a private key into a binary dump.
|
|
|
|
func FromECDSA(priv *ecdsa.PrivateKey) []byte {
|
|
|
|
if priv == nil {
|
2014-12-12 23:24:04 +02:00
|
|
|
return nil
|
|
|
|
}
|
2017-06-01 10:24:40 +03:00
|
|
|
return math.PaddedBigBytes(priv.D, priv.Params().BitSize/8)
|
2014-12-10 01:03:21 +02:00
|
|
|
}
|
|
|
|
|
2018-06-12 16:26:08 +03:00
|
|
|
// UnmarshalPubkey converts bytes to a secp256k1 public key.
|
|
|
|
func UnmarshalPubkey(pub []byte) (*ecdsa.PublicKey, error) {
|
2017-02-18 11:24:12 +03:00
|
|
|
x, y := elliptic.Unmarshal(S256(), pub)
|
2018-06-12 16:26:08 +03:00
|
|
|
if x == nil {
|
|
|
|
return nil, errInvalidPubkey
|
|
|
|
}
|
|
|
|
return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil
|
2014-12-10 15:17:10 +02:00
|
|
|
}
|
|
|
|
|
2014-12-12 23:24:04 +02:00
|
|
|
func FromECDSAPub(pub *ecdsa.PublicKey) []byte {
|
2015-01-30 14:24:20 +02:00
|
|
|
if pub == nil || pub.X == nil || pub.Y == nil {
|
2014-12-12 23:24:04 +02:00
|
|
|
return nil
|
|
|
|
}
|
2017-02-18 11:24:12 +03:00
|
|
|
return elliptic.Marshal(S256(), pub.X, pub.Y)
|
2014-12-12 23:24:04 +02:00
|
|
|
}
|
|
|
|
|
2015-02-10 13:29:50 +02:00
|
|
|
// HexToECDSA parses a secp256k1 private key.
|
|
|
|
func HexToECDSA(hexkey string) (*ecdsa.PrivateKey, error) {
|
|
|
|
b, err := hex.DecodeString(hexkey)
|
2020-04-08 17:01:11 +03:00
|
|
|
if byteErr, ok := err.(hex.InvalidByteError); ok {
|
|
|
|
return nil, fmt.Errorf("invalid hex character %q in private key", byte(byteErr))
|
|
|
|
} else if err != nil {
|
|
|
|
return nil, errors.New("invalid hex data for private key")
|
2015-02-10 13:29:50 +02:00
|
|
|
}
|
2017-05-23 14:58:03 +03:00
|
|
|
return ToECDSA(b)
|
2015-02-10 13:29:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// LoadECDSA loads a secp256k1 private key from the given file.
|
|
|
|
func LoadECDSA(file string) (*ecdsa.PrivateKey, error) {
|
|
|
|
fd, err := os.Open(file)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer fd.Close()
|
2015-04-09 11:59:37 +03:00
|
|
|
|
2020-04-08 17:01:11 +03:00
|
|
|
r := bufio.NewReader(fd)
|
|
|
|
buf := make([]byte, 64)
|
|
|
|
n, err := readASCII(buf, r)
|
2015-04-09 11:59:37 +03:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2020-04-08 17:01:11 +03:00
|
|
|
} else if n != len(buf) {
|
|
|
|
return nil, fmt.Errorf("key file too short, want 64 hex characters")
|
|
|
|
}
|
|
|
|
if err := checkKeyFileEnd(r); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return HexToECDSA(string(buf))
|
|
|
|
}
|
|
|
|
|
|
|
|
// readASCII reads into 'buf', stopping when the buffer is full or
|
|
|
|
// when a non-printable control character is encountered.
|
|
|
|
func readASCII(buf []byte, r *bufio.Reader) (n int, err error) {
|
|
|
|
for ; n < len(buf); n++ {
|
|
|
|
buf[n], err = r.ReadByte()
|
|
|
|
switch {
|
|
|
|
case err == io.EOF || buf[n] < '!':
|
|
|
|
return n, nil
|
|
|
|
case err != nil:
|
|
|
|
return n, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return n, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// checkKeyFileEnd skips over additional newlines at the end of a key file.
|
|
|
|
func checkKeyFileEnd(r *bufio.Reader) error {
|
|
|
|
for i := 0; ; i++ {
|
|
|
|
b, err := r.ReadByte()
|
|
|
|
switch {
|
|
|
|
case err == io.EOF:
|
|
|
|
return nil
|
|
|
|
case err != nil:
|
|
|
|
return err
|
|
|
|
case b != '\n' && b != '\r':
|
|
|
|
return fmt.Errorf("invalid character %q at end of key file", b)
|
|
|
|
case i >= 2:
|
|
|
|
return errors.New("key file too long, want 64 hex characters")
|
|
|
|
}
|
2015-04-09 11:59:37 +03:00
|
|
|
}
|
2015-02-10 13:29:50 +02:00
|
|
|
}
|
|
|
|
|
2015-04-19 02:33:00 +03:00
|
|
|
// SaveECDSA saves a secp256k1 private key to the given file with
|
|
|
|
// restrictive permissions. The key data is saved hex-encoded.
|
2015-03-23 15:00:06 +02:00
|
|
|
func SaveECDSA(file string, key *ecdsa.PrivateKey) error {
|
2015-04-09 11:59:37 +03:00
|
|
|
k := hex.EncodeToString(FromECDSA(key))
|
|
|
|
return ioutil.WriteFile(file, []byte(k), 0600)
|
2015-03-23 15:00:06 +02:00
|
|
|
}
|
|
|
|
|
2020-04-08 17:01:11 +03:00
|
|
|
// GenerateKey generates a new private key.
|
2014-12-10 15:17:10 +02:00
|
|
|
func GenerateKey() (*ecdsa.PrivateKey, error) {
|
2017-02-18 11:24:12 +03:00
|
|
|
return ecdsa.GenerateKey(S256(), rand.Reader)
|
2014-12-10 15:17:10 +02:00
|
|
|
}
|
|
|
|
|
2017-01-05 13:35:23 +03:00
|
|
|
// ValidateSignatureValues verifies whether the signature values are valid with
|
|
|
|
// the given chain rules. The v value is assumed to be either 0 or 1.
|
2015-11-27 16:40:29 +02:00
|
|
|
func ValidateSignatureValues(v byte, r, s *big.Int, homestead bool) bool {
|
2015-09-21 16:48:15 +03:00
|
|
|
if r.Cmp(common.Big1) < 0 || s.Cmp(common.Big1) < 0 {
|
2015-06-01 21:27:20 +03:00
|
|
|
return false
|
|
|
|
}
|
2015-11-27 16:40:29 +02:00
|
|
|
// reject upper range of s values (ECDSA malleability)
|
|
|
|
// see discussion in secp256k1/libsecp256k1/include/secp256k1.h
|
2018-05-09 02:17:09 +03:00
|
|
|
if homestead && s.Cmp(secp256k1halfN) > 0 {
|
2015-11-27 16:40:29 +02:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
// Frontier: allow s to be in full N range
|
2018-05-09 02:17:09 +03:00
|
|
|
return r.Cmp(secp256k1N) < 0 && s.Cmp(secp256k1N) < 0 && (v == 0 || v == 1)
|
2014-12-10 01:03:21 +02:00
|
|
|
}
|
2015-01-21 00:55:13 +02:00
|
|
|
|
2015-06-04 17:52:23 +03:00
|
|
|
func PubkeyToAddress(p ecdsa.PublicKey) common.Address {
|
2015-01-25 03:07:20 +02:00
|
|
|
pubBytes := FromECDSAPub(&p)
|
2016-02-21 20:40:27 +02:00
|
|
|
return common.BytesToAddress(Keccak256(pubBytes[1:])[12:])
|
2015-01-25 03:07:20 +02:00
|
|
|
}
|
2015-09-28 12:19:23 +03:00
|
|
|
|
|
|
|
func zeroBytes(bytes []byte) {
|
|
|
|
for i := range bytes {
|
|
|
|
bytes[i] = 0
|
|
|
|
}
|
|
|
|
}
|