1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2011 The Bitcoin developers
3 // Distributed under the MIT/X11 software license, see the accompanying
4 // file license.txt or http://www.opensource.org/licenses/mit-license.php.
11 #include <openssl/ec.h>
12 #include <openssl/ecdsa.h>
13 #include <openssl/obj_mac.h>
15 #include "serialize.h"
20 // const unsigned int PRIVATE_KEY_SIZE = 192;
21 // const unsigned int PUBLIC_KEY_SIZE = 41;
22 // const unsigned int SIGNATURE_SIZE = 48;
25 // const unsigned int PRIVATE_KEY_SIZE = 222;
26 // const unsigned int PUBLIC_KEY_SIZE = 49;
27 // const unsigned int SIGNATURE_SIZE = 57;
30 // const unsigned int PRIVATE_KEY_SIZE = 250;
31 // const unsigned int PUBLIC_KEY_SIZE = 57;
32 // const unsigned int SIGNATURE_SIZE = 66;
35 // const unsigned int PRIVATE_KEY_SIZE = 279;
36 // const unsigned int PUBLIC_KEY_SIZE = 65;
37 // const unsigned int SIGNATURE_SIZE = 72;
39 // see www.keylength.com
40 // script supports up to 75 for single byte push
42 int static inline EC_KEY_regenerate_key(EC_KEY *eckey, BIGNUM *priv_key)
46 EC_POINT *pub_key = NULL;
50 const EC_GROUP *group = EC_KEY_get0_group(eckey);
52 if ((ctx = BN_CTX_new()) == NULL)
55 pub_key = EC_POINT_new(group);
60 if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))
63 EC_KEY_set_private_key(eckey,priv_key);
64 EC_KEY_set_public_key(eckey,pub_key);
71 EC_POINT_free(pub_key);
78 int static inline ECDSA_SIG_recover_key_GFp(EC_KEY *eckey, ECDSA_SIG *ecsig, const unsigned char *msg, int msglen, int recid, int check)
99 const EC_GROUP *group = EC_KEY_get0_group(eckey);
100 if ((ctx = BN_CTX_new()) == NULL) { ret = -1; goto err; }
102 order = BN_CTX_get(ctx);
103 if (!EC_GROUP_get_order(group, order, ctx)) { ret = -2; goto err; }
105 if (!BN_copy(x, order)) { ret=-1; goto err; }
106 if (!BN_mul_word(x, i)) { ret=-1; goto err; }
107 if (!BN_add(x, x, ecsig->r)) { ret=-1; goto err; }
108 field = BN_CTX_get(ctx);
109 if (!EC_GROUP_get_curve_GFp(group, field, NULL, NULL, ctx)) { ret=-2; goto err; }
110 if (BN_cmp(x, field) >= 0) { ret=0; goto err; }
111 if ((R = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
112 if (!EC_POINT_set_compressed_coordinates_GFp(group, R, x, recid % 2, ctx)) { ret=0; goto err; }
115 if ((O = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
116 if (!EC_POINT_mul(group, O, NULL, R, order, ctx)) { ret=-2; goto err; }
117 if (!EC_POINT_is_at_infinity(group, O)) { ret = 0; goto err; }
119 if ((Q = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }
120 n = EC_GROUP_get_degree(group);
122 if (!BN_bin2bn(msg, msglen, e)) { ret=-1; goto err; }
123 if (8*msglen > n) BN_rshift(e, e, 8-(n & 7));
124 zero = BN_CTX_get(ctx);
125 if (!BN_zero(zero)) { ret=-1; goto err; }
126 if (!BN_mod_sub(e, zero, e, order, ctx)) { ret=-1; goto err; }
127 rr = BN_CTX_get(ctx);
128 if (!BN_mod_inverse(rr, ecsig->r, order, ctx)) { ret=-1; goto err; }
129 sor = BN_CTX_get(ctx);
130 if (!BN_mod_mul(sor, ecsig->s, rr, order, ctx)) { ret=-1; goto err; }
131 eor = BN_CTX_get(ctx);
132 if (!BN_mod_mul(eor, e, rr, order, ctx)) { ret=-1; goto err; }
133 if (!EC_POINT_mul(group, Q, eor, R, sor, ctx)) { ret=-2; goto err; }
134 if (!EC_KEY_set_public_key(eckey, Q)) { ret=-2; goto err; }
143 if (R != NULL) EC_POINT_free(R);
144 if (O != NULL) EC_POINT_free(O);
145 if (Q != NULL) EC_POINT_free(Q);
149 class key_error : public std::runtime_error
152 explicit key_error(const std::string& str) : std::runtime_error(str) {}
156 // secure_allocator is defined in serialize.h
157 typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey;
158 typedef std::vector<unsigned char, secure_allocator<unsigned char> > CSecret;
169 pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
171 throw key_error("CKey::CKey() : EC_KEY_new_by_curve_name failed");
177 pkey = EC_KEY_dup(b.pkey);
179 throw key_error("CKey::CKey(const CKey&) : EC_KEY_dup failed");
183 CKey& operator=(const CKey& b)
185 if (!EC_KEY_copy(pkey, b.pkey))
186 throw key_error("CKey::operator=(const CKey&) : EC_KEY_copy failed");
203 if (!EC_KEY_generate_key(pkey))
204 throw key_error("CKey::MakeNewKey() : EC_KEY_generate_key failed");
208 bool SetPrivKey(const CPrivKey& vchPrivKey)
210 const unsigned char* pbegin = &vchPrivKey[0];
211 if (!d2i_ECPrivateKey(&pkey, &pbegin, vchPrivKey.size()))
217 bool SetSecret(const CSecret& vchSecret)
220 pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
222 throw key_error("CKey::SetSecret() : EC_KEY_new_by_curve_name failed");
223 if (vchSecret.size() != 32)
224 throw key_error("CKey::SetSecret() : secret must be 32 bytes");
225 BIGNUM *bn = BN_bin2bn(&vchSecret[0],32,BN_new());
227 throw key_error("CKey::SetSecret() : BN_bin2bn failed");
228 if (!EC_KEY_regenerate_key(pkey,bn))
229 throw key_error("CKey::SetSecret() : EC_KEY_regenerate_key failed");
235 CSecret GetSecret() const
239 const BIGNUM *bn = EC_KEY_get0_private_key(pkey);
240 int nBytes = BN_num_bytes(bn);
242 throw key_error("CKey::GetSecret() : EC_KEY_get0_private_key failed");
243 int n=BN_bn2bin(bn,&vchRet[32 - nBytes]);
245 throw key_error("CKey::GetSecret(): BN_bn2bin failed");
249 CPrivKey GetPrivKey() const
251 unsigned int nSize = i2d_ECPrivateKey(pkey, NULL);
253 throw key_error("CKey::GetPrivKey() : i2d_ECPrivateKey failed");
254 CPrivKey vchPrivKey(nSize, 0);
255 unsigned char* pbegin = &vchPrivKey[0];
256 if (i2d_ECPrivateKey(pkey, &pbegin) != nSize)
257 throw key_error("CKey::GetPrivKey() : i2d_ECPrivateKey returned unexpected size");
261 bool SetPubKey(const std::vector<unsigned char>& vchPubKey)
263 const unsigned char* pbegin = &vchPubKey[0];
264 if (!o2i_ECPublicKey(&pkey, &pbegin, vchPubKey.size()))
270 std::vector<unsigned char> GetPubKey() const
272 unsigned int nSize = i2o_ECPublicKey(pkey, NULL);
274 throw key_error("CKey::GetPubKey() : i2o_ECPublicKey failed");
275 std::vector<unsigned char> vchPubKey(nSize, 0);
276 unsigned char* pbegin = &vchPubKey[0];
277 if (i2o_ECPublicKey(pkey, &pbegin) != nSize)
278 throw key_error("CKey::GetPubKey() : i2o_ECPublicKey returned unexpected size");
282 bool Sign(uint256 hash, std::vector<unsigned char>& vchSig)
285 unsigned char pchSig[10000];
286 unsigned int nSize = 0;
287 if (!ECDSA_sign(0, (unsigned char*)&hash, sizeof(hash), pchSig, &nSize, pkey))
289 vchSig.resize(nSize);
290 memcpy(&vchSig[0], pchSig, nSize);
294 // create a compact signature (65 bytes), which allows reconstructing the used public key
295 bool SignCompact(uint256 hash, std::vector<unsigned char>& vchSig)
298 ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);
303 int nBitsR = BN_num_bits(sig->r);
304 int nBitsS = BN_num_bits(sig->s);
305 if (nBitsR <= 256 && nBitsS <= 256)
308 for (int i=0; i<4; i++)
312 if (ECDSA_SIG_recover_key_GFp(keyRec.pkey, sig, (unsigned char*)&hash, sizeof(hash), i, 1) == 1)
313 if (keyRec.GetPubKey() == this->GetPubKey())
321 throw key_error("CKEy::SignCompact() : unable to construct recoverable key");
323 vchSig[0] = nRecId+27;
324 BN_bn2bin(sig->r,&vchSig[33-(nBitsR+7)/8]);
325 BN_bn2bin(sig->s,&vchSig[65-(nBitsS+7)/8]);
332 // reconstruct public key from a compact signature
333 bool SetCompactSignature(uint256 hash, const std::vector<unsigned char>& vchSig)
335 if (vchSig.size() != 65)
337 if (vchSig[0]<27 || vchSig[0]>=31)
339 ECDSA_SIG *sig = ECDSA_SIG_new();
340 BN_bin2bn(&vchSig[1],32,sig->r);
341 BN_bin2bn(&vchSig[33],32,sig->s);
344 pkey = EC_KEY_new_by_curve_name(NID_secp256k1);
345 if (ECDSA_SIG_recover_key_GFp(pkey, sig, (unsigned char*)&hash, sizeof(hash), vchSig[0] - 27, 0) == 1)
354 bool Verify(uint256 hash, const std::vector<unsigned char>& vchSig)
356 // -1 = error, 0 = bad sig, 1 = good
357 if (ECDSA_verify(0, (unsigned char*)&hash, sizeof(hash), &vchSig[0], vchSig.size(), pkey) != 1)
362 bool VerifyCompact(uint256 hash, const std::vector<unsigned char>& vchSig)
365 if (!key.SetCompactSignature(hash, vchSig))
367 if (GetPubKey() != key.GetPubKey())
372 CBitcoinAddress GetAddress() const
374 return CBitcoinAddress(GetPubKey());