starwels
/
starwels
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4729 Commits
3 Branches
Tree: 51ed9ec971
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '51ed9ec971'
${ noResults }
starwels/src/key.cpp

key.cpp 19KB
Normal View History Raw

Bump Year Number to 2013
7 years ago
Add GetSecret() and GetKeys() to CKeyStore
9 years ago
Update License in File Headers I originally created a pull to replace the "COPYING" in crypter.cpp and crypter.h, but it turned out that COPYING was actually the correct file.
8 years ago
Add GetSecret() and GetKeys() to CKeyStore
9 years ago
Cleanup code using forward declarations. Use misc methods of avoiding unnecesary header includes. Replace int typedefs with int##_t from stdint.h. Replace PRI64[xdu] with PRI[xdu]64 from inttypes.h. Normalize QT_VERSION ifs where possible. Resolve some indirect dependencies as direct ones. Remove extern declarations from .cpp files.
8 years ago
BIP32 derivation implementation
7 years ago
Add GetSecret() and GetKeys() to CKeyStore
9 years ago
Refactor: move code from key.h to key.cpp
8 years ago
Cleanup code using forward declarations. Use misc methods of avoiding unnecesary header includes. Replace int typedefs with int##_t from stdint.h. Replace PRI64[xdu] with PRI[xdu]64 from inttypes.h. Normalize QT_VERSION ifs where possible. Resolve some indirect dependencies as direct ones. Remove extern declarations from .cpp files.
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Add GetSecret() and GetKeys() to CKeyStore
9 years ago
Bugfix: Fix a variety of misspellings
8 years ago
Add GetSecret() and GetKeys() to CKeyStore
9 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
fix a memory leak in key.cpp - add EC_KEY_free() in CKey::Reset() when pkey != NULL - init pkey with NULL in CKey constructor
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
Fix minor backward incompatibility The key refactor changed the way unencrypted private keys with compressed public key are stored in the wallet. Apparently older versions relied on this to verify the correctness of stored keys. Note that earlier pre-release versions do risk creating wallets that can not be opened by 0.8.3 and earlier.
7 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
improve wallet load time by removing duplicated calls to EC_KEY_check_key and adding a hash for vchPubKey/vchPrivKey entries in wallet.dat backwards compatible with previous wallet.dat format
7 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
improve wallet load time by removing duplicated calls to EC_KEY_check_key and adding a hash for vchPubKey/vchPrivKey entries in wallet.dat backwards compatible with previous wallet.dat format
7 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Only create signatures with even S, and verification mode to check. To fix a minor malleability found by Sergio Lerner (reported here: https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898) The problem is that if (R,S) is a valid ECDSA signature for a given message and public key, (R,-S) is also valid. Modulo N (the order of the secp256k1 curve), this means that both (R,S) and (R,N-S) are valid. Given that N is odd, S and N-S have a different lowest bit. We solve the problem by forcing signatures to have an even S value, excluding one of the alternatives. This commit just changes the signing code to always produce even S values, and adds a verification mode to check it. This code is not enabled anywhere yet. Existing tests in key_tests.cpp verify that the produced signatures are still valid.
8 years ago
Use 'low S' as malleability breaker rather than 'even S'
7 years ago
Only create signatures with even S, and verification mode to check. To fix a minor malleability found by Sergio Lerner (reported here: https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898) The problem is that if (R,S) is a valid ECDSA signature for a given message and public key, (R,-S) is also valid. Modulo N (the order of the secp256k1 curve), this means that both (R,S) and (R,N-S) are valid. Given that N is odd, S and N-S have a different lowest bit. We solve the problem by forcing signatures to have an even S value, excluding one of the alternatives. This commit just changes the signing code to always produce even S values, and adds a verification mode to check it. This code is not enabled anywhere yet. Existing tests in key_tests.cpp verify that the produced signatures are still valid.
8 years ago
Use 'low S' as malleability breaker rather than 'even S'
7 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Only create signatures with even S, and verification mode to check. To fix a minor malleability found by Sergio Lerner (reported here: https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898) The problem is that if (R,S) is a valid ECDSA signature for a given message and public key, (R,-S) is also valid. Modulo N (the order of the secp256k1 curve), this means that both (R,S) and (R,N-S) are valid. Given that N is odd, S and N-S have a different lowest bit. We solve the problem by forcing signatures to have an even S value, excluding one of the alternatives. This commit just changes the signing code to always produce even S values, and adds a verification mode to check it. This code is not enabled anywhere yet. Existing tests in key_tests.cpp verify that the produced signatures are still valid.
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Handle corrupt wallets gracefully. Corrupt wallets used to cause a DB_RUNRECOVERY uncaught exception and a crash. This commit does three things: 1) Runs a BDB verify early in the startup process, and if there is a low-level problem with the database: + Moves the bad wallet.dat to wallet.timestamp.bak + Runs a 'salvage' operation to get key/value pairs, and writes them to a new wallet.dat + Continues with startup. 2) Much more tolerant of serialization errors. All errors in deserialization are reported by tolerated EXCEPT for errors related to reading keypairs or master key records-- those are reported and then shut down, so the user can get help (or recover from a backup). 3) Adds a new -salvagewallet option, which: + Moves the wallet.dat to wallet.timestamp.bak + extracts ONLY keypairs and master keys into a new wallet.dat + soft-sets -rescan, to recreate transaction history This was tested by randomly corrupting testnet wallets using a little python script I wrote (https://gist.github.com/3812689)
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Handle corrupt wallets gracefully. Corrupt wallets used to cause a DB_RUNRECOVERY uncaught exception and a crash. This commit does three things: 1) Runs a BDB verify early in the startup process, and if there is a low-level problem with the database: + Moves the bad wallet.dat to wallet.timestamp.bak + Runs a 'salvage' operation to get key/value pairs, and writes them to a new wallet.dat + Continues with startup. 2) Much more tolerant of serialization errors. All errors in deserialization are reported by tolerated EXCEPT for errors related to reading keypairs or master key records-- those are reported and then shut down, so the user can get help (or recover from a backup). 3) Adds a new -salvagewallet option, which: + Moves the wallet.dat to wallet.timestamp.bak + extracts ONLY keypairs and master keys into a new wallet.dat + soft-sets -rescan, to recreate transaction history This was tested by randomly corrupting testnet wallets using a little python script I wrote (https://gist.github.com/3812689)
8 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
BIP32 derivation implementation
7 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Fix minor backward incompatibility The key refactor changed the way unencrypted private keys with compressed public key are stored in the wallet. Apparently older versions relied on this to verify the correctness of stored keys. Note that earlier pre-release versions do risk creating wallets that can not be opened by 0.8.3 and earlier.
7 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
improve wallet load time by removing duplicated calls to EC_KEY_check_key and adding a hash for vchPubKey/vchPrivKey entries in wallet.dat backwards compatible with previous wallet.dat format
7 years ago
verify vchPubKey matches calculated public key unless fSkipCheck is set
7 years ago
improve wallet load time by removing duplicated calls to EC_KEY_check_key and adding a hash for vchPubKey/vchPrivKey entries in wallet.dat backwards compatible with previous wallet.dat format
7 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Handle corrupt wallets gracefully. Corrupt wallets used to cause a DB_RUNRECOVERY uncaught exception and a crash. This commit does three things: 1) Runs a BDB verify early in the startup process, and if there is a low-level problem with the database: + Moves the bad wallet.dat to wallet.timestamp.bak + Runs a 'salvage' operation to get key/value pairs, and writes them to a new wallet.dat + Continues with startup. 2) Much more tolerant of serialization errors. All errors in deserialization are reported by tolerated EXCEPT for errors related to reading keypairs or master key records-- those are reported and then shut down, so the user can get help (or recover from a backup). 3) Adds a new -salvagewallet option, which: + Moves the wallet.dat to wallet.timestamp.bak + extracts ONLY keypairs and master keys into a new wallet.dat + soft-sets -rescan, to recreate transaction history This was tested by randomly corrupting testnet wallets using a little python script I wrote (https://gist.github.com/3812689)
8 years ago
CSecret/CKey -> CKey/CPubKey split/refactor
7 years ago
Refactor: move code from key.h to key.cpp
8 years ago
BIP32 derivation implementation
7 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615 
  1. // Copyright (c) 2009-2013 The Bitcoin developers

  2. // Distributed under the MIT/X11 software license, see the accompanying

  3. // file COPYING or http://www.opensource.org/licenses/mit-license.php.

  4. 

  5. #include "key.h"

  6. 

  7. #include <openssl/bn.h>

  8. #include <openssl/ecdsa.h>

  9. #include <openssl/obj_mac.h>

  10. #include <openssl/rand.h>

  11. 

  12. // anonymous namespace with local implementation code (OpenSSL interaction)

  13. namespace {

  14. 

  15. // Generate a private key from just the secret parameter

  16. int EC_KEY_regenerate_key(EC_KEY *eckey, BIGNUM *priv_key)

  17. {

  18.     int ok = 0;

  19.     BN_CTX *ctx = NULL;

  20.     EC_POINT *pub_key = NULL;

  21. 

  22.     if (!eckey) return 0;

  23. 

  24.     const EC_GROUP *group = EC_KEY_get0_group(eckey);

  25. 

  26.     if ((ctx = BN_CTX_new()) == NULL)

  27.         goto err;

  28. 

  29.     pub_key = EC_POINT_new(group);

  30. 

  31.     if (pub_key == NULL)

  32.         goto err;

  33. 

  34.     if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))

  35.         goto err;

  36. 

  37.     EC_KEY_set_private_key(eckey,priv_key);

  38.     EC_KEY_set_public_key(eckey,pub_key);

  39. 

  40.     ok = 1;

  41. 

  42. err:

  43. 

  44.     if (pub_key)

  45.         EC_POINT_free(pub_key);

  46.     if (ctx != NULL)

  47.         BN_CTX_free(ctx);

  48. 

  49.     return(ok);

  50. }

  51. 

  52. // Perform ECDSA key recovery (see SEC1 4.1.6) for curves over (mod p)-fields

  53. // recid selects which key is recovered

  54. // if check is non-zero, additional checks are performed

  55. int ECDSA_SIG_recover_key_GFp(EC_KEY *eckey, ECDSA_SIG *ecsig, const unsigned char *msg, int msglen, int recid, int check)

  56. {

  57.     if (!eckey) return 0;

  58. 

  59.     int ret = 0;

  60.     BN_CTX *ctx = NULL;

  61. 

  62.     BIGNUM *x = NULL;

  63.     BIGNUM *e = NULL;

  64.     BIGNUM *order = NULL;

  65.     BIGNUM *sor = NULL;

  66.     BIGNUM *eor = NULL;

  67.     BIGNUM *field = NULL;

  68.     EC_POINT *R = NULL;

  69.     EC_POINT *O = NULL;

  70.     EC_POINT *Q = NULL;

  71.     BIGNUM *rr = NULL;

  72.     BIGNUM *zero = NULL;

  73.     int n = 0;

  74.     int i = recid / 2;

  75. 

  76.     const EC_GROUP *group = EC_KEY_get0_group(eckey);

  77.     if ((ctx = BN_CTX_new()) == NULL) { ret = -1; goto err; }

  78.     BN_CTX_start(ctx);

  79.     order = BN_CTX_get(ctx);

  80.     if (!EC_GROUP_get_order(group, order, ctx)) { ret = -2; goto err; }

  81.     x = BN_CTX_get(ctx);

  82.     if (!BN_copy(x, order)) { ret=-1; goto err; }

  83.     if (!BN_mul_word(x, i)) { ret=-1; goto err; }

  84.     if (!BN_add(x, x, ecsig->r)) { ret=-1; goto err; }

  85.     field = BN_CTX_get(ctx);

  86.     if (!EC_GROUP_get_curve_GFp(group, field, NULL, NULL, ctx)) { ret=-2; goto err; }

  87.     if (BN_cmp(x, field) >= 0) { ret=0; goto err; }

  88.     if ((R = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }

  89.     if (!EC_POINT_set_compressed_coordinates_GFp(group, R, x, recid % 2, ctx)) { ret=0; goto err; }

  90.     if (check)

  91.     {

  92.         if ((O = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }

  93.         if (!EC_POINT_mul(group, O, NULL, R, order, ctx)) { ret=-2; goto err; }

  94.         if (!EC_POINT_is_at_infinity(group, O)) { ret = 0; goto err; }

  95.     }

  96.     if ((Q = EC_POINT_new(group)) == NULL) { ret = -2; goto err; }

  97.     n = EC_GROUP_get_degree(group);

  98.     e = BN_CTX_get(ctx);

  99.     if (!BN_bin2bn(msg, msglen, e)) { ret=-1; goto err; }

  100.     if (8*msglen > n) BN_rshift(e, e, 8-(n & 7));

  101.     zero = BN_CTX_get(ctx);

  102.     if (!BN_zero(zero)) { ret=-1; goto err; }

  103.     if (!BN_mod_sub(e, zero, e, order, ctx)) { ret=-1; goto err; }

  104.     rr = BN_CTX_get(ctx);

  105.     if (!BN_mod_inverse(rr, ecsig->r, order, ctx)) { ret=-1; goto err; }

  106.     sor = BN_CTX_get(ctx);

  107.     if (!BN_mod_mul(sor, ecsig->s, rr, order, ctx)) { ret=-1; goto err; }

  108.     eor = BN_CTX_get(ctx);

  109.     if (!BN_mod_mul(eor, e, rr, order, ctx)) { ret=-1; goto err; }

  110.     if (!EC_POINT_mul(group, Q, eor, R, sor, ctx)) { ret=-2; goto err; }

  111.     if (!EC_KEY_set_public_key(eckey, Q)) { ret=-2; goto err; }

  112. 

  113.     ret = 1;

  114. 

  115. err:

  116.     if (ctx) {

  117.         BN_CTX_end(ctx);

  118.         BN_CTX_free(ctx);

  119.     }

  120.     if (R != NULL) EC_POINT_free(R);

  121.     if (O != NULL) EC_POINT_free(O);

  122.     if (Q != NULL) EC_POINT_free(Q);

  123.     return ret;

  124. }

  125. 

  126. // RAII Wrapper around OpenSSL's EC_KEY

  127. class CECKey {

  128. private:

  129.     EC_KEY *pkey;

  130. 

  131. public:

  132.     CECKey() {

  133.         pkey = EC_KEY_new_by_curve_name(NID_secp256k1);

  134.         assert(pkey != NULL);

  135.     }

  136. 

  137.     ~CECKey() {

  138.         EC_KEY_free(pkey);

  139.     }

  140. 

  141.     void GetSecretBytes(unsigned char vch[32]) const {

  142.         const BIGNUM *bn = EC_KEY_get0_private_key(pkey);

  143.         assert(bn);

  144.         int nBytes = BN_num_bytes(bn);

  145.         int n=BN_bn2bin(bn,&vch[32 - nBytes]);

  146.         assert(n == nBytes);

  147.         memset(vch, 0, 32 - nBytes);

  148.     }

  149. 

  150.     void SetSecretBytes(const unsigned char vch[32]) {

  151.         BIGNUM bn;

  152.         BN_init(&bn);

  153.         assert(BN_bin2bn(vch, 32, &bn));

  154.         assert(EC_KEY_regenerate_key(pkey, &bn));

  155.         BN_clear_free(&bn);

  156.     }

  157. 

  158.     void GetPrivKey(CPrivKey &privkey, bool fCompressed) {

  159.         EC_KEY_set_conv_form(pkey, fCompressed ? POINT_CONVERSION_COMPRESSED : POINT_CONVERSION_UNCOMPRESSED);

  160.         int nSize = i2d_ECPrivateKey(pkey, NULL);

  161.         assert(nSize);

  162.         privkey.resize(nSize);

  163.         unsigned char* pbegin = &privkey[0];

  164.         int nSize2 = i2d_ECPrivateKey(pkey, &pbegin);

  165.         assert(nSize == nSize2);

  166.     }

  167. 

  168.     bool SetPrivKey(const CPrivKey &privkey, bool fSkipCheck=false) {

  169.         const unsigned char* pbegin = &privkey[0];

  170.         if (d2i_ECPrivateKey(&pkey, &pbegin, privkey.size())) {

  171.             if(fSkipCheck)

  172.                 return true;

  173.             

  174.             // d2i_ECPrivateKey returns true if parsing succeeds.

  175.             // This doesn't necessarily mean the key is valid.

  176.             if (EC_KEY_check_key(pkey))

  177.                 return true;

  178.         }

  179.         return false;

  180.     }

  181. 

  182.     void GetPubKey(CPubKey &pubkey, bool fCompressed) {

  183.         EC_KEY_set_conv_form(pkey, fCompressed ? POINT_CONVERSION_COMPRESSED : POINT_CONVERSION_UNCOMPRESSED);

  184.         int nSize = i2o_ECPublicKey(pkey, NULL);

  185.         assert(nSize);

  186.         assert(nSize <= 65);

  187.         unsigned char c[65];

  188.         unsigned char *pbegin = c;

  189.         int nSize2 = i2o_ECPublicKey(pkey, &pbegin);

  190.         assert(nSize == nSize2);

  191.         pubkey.Set(&c[0], &c[nSize]);

  192.     }

  193. 

  194.     bool SetPubKey(const CPubKey &pubkey) {

  195.         const unsigned char* pbegin = pubkey.begin();

  196.         return o2i_ECPublicKey(&pkey, &pbegin, pubkey.size());

  197.     }

  198. 

  199.     bool Sign(const uint256 &hash, std::vector<unsigned char>& vchSig) {

  200.         vchSig.clear();

  201.         ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);

  202.         if (sig == NULL)

  203.             return false;

  204.         BN_CTX *ctx = BN_CTX_new();

  205.         BN_CTX_start(ctx);

  206.         const EC_GROUP *group = EC_KEY_get0_group(pkey);

  207.         BIGNUM *order = BN_CTX_get(ctx);

  208.         BIGNUM *halforder = BN_CTX_get(ctx);

  209.         EC_GROUP_get_order(group, order, ctx);

  210.         BN_rshift1(halforder, order);

  211.         if (BN_cmp(sig->s, halforder) > 0) {

  212.             // enforce low S values, by negating the value (modulo the order) if above order/2.

  213.             BN_sub(sig->s, order, sig->s);

  214.         }

  215.         BN_CTX_end(ctx);

  216.         BN_CTX_free(ctx);

  217.         unsigned int nSize = ECDSA_size(pkey);

  218.         vchSig.resize(nSize); // Make sure it is big enough

  219.         unsigned char *pos = &vchSig[0];

  220.         nSize = i2d_ECDSA_SIG(sig, &pos);

  221.         ECDSA_SIG_free(sig);

  222.         vchSig.resize(nSize); // Shrink to fit actual size

  223.         return true;

  224.     }

  225. 

  226.     bool Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) {

  227.         // -1 = error, 0 = bad sig, 1 = good

  228.         if (ECDSA_verify(0, (unsigned char*)&hash, sizeof(hash), &vchSig[0], vchSig.size(), pkey) != 1)

  229.             return false;

  230.         return true;

  231.     }

  232. 

  233.     bool SignCompact(const uint256 &hash, unsigned char *p64, int &rec) {

  234.         bool fOk = false;

  235.         ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey);

  236.         if (sig==NULL)

  237.             return false;

  238.         memset(p64, 0, 64);

  239.         int nBitsR = BN_num_bits(sig->r);

  240.         int nBitsS = BN_num_bits(sig->s);

  241.         if (nBitsR <= 256 && nBitsS <= 256) {

  242.             CPubKey pubkey;

  243.             GetPubKey(pubkey, true);

  244.             for (int i=0; i<4; i++) {

  245.                 CECKey keyRec;

  246.                 if (ECDSA_SIG_recover_key_GFp(keyRec.pkey, sig, (unsigned char*)&hash, sizeof(hash), i, 1) == 1) {

  247.                     CPubKey pubkeyRec;

  248.                     keyRec.GetPubKey(pubkeyRec, true);

  249.                     if (pubkeyRec == pubkey) {

  250.                         rec = i;

  251.                         fOk = true;

  252.                         break;

  253.                     }

  254.                 }

  255.             }

  256.             assert(fOk);

  257.             BN_bn2bin(sig->r,&p64[32-(nBitsR+7)/8]);

  258.             BN_bn2bin(sig->s,&p64[64-(nBitsS+7)/8]);

  259.         }

  260.         ECDSA_SIG_free(sig);

  261.         return fOk;

  262.     }

  263. 

  264.     // reconstruct public key from a compact signature

  265.     // This is only slightly more CPU intensive than just verifying it.

  266.     // If this function succeeds, the recovered public key is guaranteed to be valid

  267.     // (the signature is a valid signature of the given data for that key)

  268.     bool Recover(const uint256 &hash, const unsigned char *p64, int rec)

  269.     {

  270.         if (rec<0 || rec>=3)

  271.             return false;

  272.         ECDSA_SIG *sig = ECDSA_SIG_new();

  273.         BN_bin2bn(&p64[0],  32, sig->r);

  274.         BN_bin2bn(&p64[32], 32, sig->s);

  275.         bool ret = ECDSA_SIG_recover_key_GFp(pkey, sig, (unsigned char*)&hash, sizeof(hash), rec, 0) == 1;

  276.         ECDSA_SIG_free(sig);

  277.         return ret;

  278.     }

  279. 

  280.     static bool TweakSecret(unsigned char vchSecretOut[32], const unsigned char vchSecretIn[32], const unsigned char vchTweak[32])

  281.     {

  282.         bool ret = true;

  283.         BN_CTX *ctx = BN_CTX_new();

  284.         BN_CTX_start(ctx);

  285.         BIGNUM *bnSecret = BN_CTX_get(ctx);

  286.         BIGNUM *bnTweak = BN_CTX_get(ctx);

  287.         BIGNUM *bnOrder = BN_CTX_get(ctx);

  288.         EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp256k1);

  289.         EC_GROUP_get_order(group, bnOrder, ctx); // what a grossly inefficient way to get the (constant) group order...

  290.         BN_bin2bn(vchTweak, 32, bnTweak);

  291.         if (BN_cmp(bnTweak, bnOrder) >= 0)

  292.             ret = false; // extremely unlikely

  293.         BN_bin2bn(vchSecretIn, 32, bnSecret);

  294.         BN_add(bnSecret, bnSecret, bnTweak);

  295.         BN_nnmod(bnSecret, bnSecret, bnOrder, ctx);

  296.         if (BN_is_zero(bnSecret))

  297.             ret = false; // ridiculously unlikely

  298.         int nBits = BN_num_bits(bnSecret);

  299.         memset(vchSecretOut, 0, 32);

  300.         BN_bn2bin(bnSecret, &vchSecretOut[32-(nBits+7)/8]);

  301.         EC_GROUP_free(group);

  302.         BN_CTX_end(ctx);

  303.         BN_CTX_free(ctx);

  304.         return ret;

  305.     }

  306. 

  307.     bool TweakPublic(const unsigned char vchTweak[32]) {

  308.         bool ret = true;

  309.         BN_CTX *ctx = BN_CTX_new();

  310.         BN_CTX_start(ctx);

  311.         BIGNUM *bnTweak = BN_CTX_get(ctx);

  312.         BIGNUM *bnOrder = BN_CTX_get(ctx);

  313.         BIGNUM *bnOne = BN_CTX_get(ctx);

  314.         const EC_GROUP *group = EC_KEY_get0_group(pkey);

  315.         EC_GROUP_get_order(group, bnOrder, ctx); // what a grossly inefficient way to get the (constant) group order...

  316.         BN_bin2bn(vchTweak, 32, bnTweak);

  317.         if (BN_cmp(bnTweak, bnOrder) >= 0)

  318.             ret = false; // extremely unlikely

  319.         EC_POINT *point = EC_POINT_dup(EC_KEY_get0_public_key(pkey), group);

  320.         BN_one(bnOne);

  321.         EC_POINT_mul(group, point, bnTweak, point, bnOne, ctx);

  322.         if (EC_POINT_is_at_infinity(group, point))

  323.             ret = false; // ridiculously unlikely

  324.         EC_KEY_set_public_key(pkey, point);

  325.         EC_POINT_free(point);

  326.         BN_CTX_end(ctx);

  327.         BN_CTX_free(ctx);

  328.         return ret;

  329.     }

  330. };

  331. 

  332. }; // end of anonymous namespace

  333. 

  334. bool CKey::Check(const unsigned char *vch) {

  335.     // Do not convert to OpenSSL's data structures for range-checking keys,

  336.     // it's easy enough to do directly.

  337.     static const unsigned char vchMax[32] = {

  338.         0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,

  339.         0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,

  340.         0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,

  341.         0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40

  342.     };

  343.     bool fIsZero = true;

  344.     for (int i=0; i<32 && fIsZero; i++)

  345.         if (vch[i] != 0)

  346.             fIsZero = false;

  347.     if (fIsZero)

  348.         return false;

  349.     for (int i=0; i<32; i++) {

  350.         if (vch[i] < vchMax[i])

  351.             return true;

  352.         if (vch[i] > vchMax[i])

  353.             return false;

  354.     }

  355.     return true;

  356. }

  357. 

  358. void CKey::MakeNewKey(bool fCompressedIn) {

  359.     do {

  360.         RAND_bytes(vch, sizeof(vch));

  361.     } while (!Check(vch));

  362.     fValid = true;

  363.     fCompressed = fCompressedIn;

  364. }

  365. 

  366. bool CKey::SetPrivKey(const CPrivKey &privkey, bool fCompressedIn) {

  367.     CECKey key;

  368.     if (!key.SetPrivKey(privkey))

  369.         return false;

  370.     key.GetSecretBytes(vch);

  371.     fCompressed = fCompressedIn;

  372.     fValid = true;

  373.     return true;

  374. }

  375. 

  376. CPrivKey CKey::GetPrivKey() const {

  377.     assert(fValid);

  378.     CECKey key;

  379.     key.SetSecretBytes(vch);

  380.     CPrivKey privkey;

  381.     key.GetPrivKey(privkey, fCompressed);

  382.     return privkey;

  383. }

  384. 

  385. CPubKey CKey::GetPubKey() const {

  386.     assert(fValid);

  387.     CECKey key;

  388.     key.SetSecretBytes(vch);

  389.     CPubKey pubkey;

  390.     key.GetPubKey(pubkey, fCompressed);

  391.     return pubkey;

  392. }

  393. 

  394. bool CKey::Sign(const uint256 &hash, std::vector<unsigned char>& vchSig) const {

  395.     if (!fValid)

  396.         return false;

  397.     CECKey key;

  398.     key.SetSecretBytes(vch);

  399.     return key.Sign(hash, vchSig);

  400. }

  401. 

  402. bool CKey::SignCompact(const uint256 &hash, std::vector<unsigned char>& vchSig) const {

  403.     if (!fValid)

  404.         return false;

  405.     CECKey key;

  406.     key.SetSecretBytes(vch);

  407.     vchSig.resize(65);

  408.     int rec = -1;

  409.     if (!key.SignCompact(hash, &vchSig[1], rec))

  410.         return false;

  411.     assert(rec != -1);

  412.     vchSig[0] = 27 + rec + (fCompressed ? 4 : 0);

  413.     return true;

  414. }

  415. 

  416. bool CKey::Load(CPrivKey &privkey, CPubKey &vchPubKey, bool fSkipCheck=false) {

  417.     CECKey key;

  418.     if (!key.SetPrivKey(privkey, fSkipCheck))

  419.         return false;

  420.     

  421.     key.GetSecretBytes(vch);

  422.     fCompressed = vchPubKey.IsCompressed();

  423.     fValid = true;

  424.     

  425.     if (fSkipCheck)

  426.         return true;

  427.     

  428.     if (GetPubKey() != vchPubKey)

  429.         return false;

  430.     

  431.     return true;

  432. }

  433. 

  434. bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {

  435.     if (!IsValid())

  436.         return false;

  437.     CECKey key;

  438.     if (!key.SetPubKey(*this))

  439.         return false;

  440.     if (!key.Verify(hash, vchSig))

  441.         return false;

  442.     return true;

  443. }

  444. 

  445. bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {

  446.     if (vchSig.size() != 65)

  447.         return false;

  448.     CECKey key;

  449.     if (!key.Recover(hash, &vchSig[1], (vchSig[0] - 27) & ~4))

  450.         return false;

  451.     key.GetPubKey(*this, (vchSig[0] - 27) & 4);

  452.     return true;

  453. }

  454. 

  455. bool CPubKey::VerifyCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {

  456.     if (!IsValid())

  457.         return false;

  458.     if (vchSig.size() != 65)

  459.         return false;

  460.     CECKey key;

  461.     if (!key.Recover(hash, &vchSig[1], (vchSig[0] - 27) & ~4))

  462.         return false;

  463.     CPubKey pubkeyRec;

  464.     key.GetPubKey(pubkeyRec, IsCompressed());

  465.     if (*this != pubkeyRec)

  466.         return false;

  467.     return true;

  468. }

  469. 

  470. bool CPubKey::IsFullyValid() const {

  471.     if (!IsValid())

  472.         return false;

  473.     CECKey key;

  474.     if (!key.SetPubKey(*this))

  475.         return false;

  476.     return true;

  477. }

  478. 

  479. bool CPubKey::Decompress() {

  480.     if (!IsValid())

  481.         return false;

  482.     CECKey key;

  483.     if (!key.SetPubKey(*this))

  484.         return false;

  485.     key.GetPubKey(*this, false);

  486.     return true;

  487. }

  488. 

  489. void static BIP32Hash(const unsigned char chainCode[32], unsigned int nChild, unsigned char header, const unsigned char data[32], unsigned char output[64]) {

  490.     unsigned char num[4];

  491.     num[0] = (nChild >> 24) & 0xFF;

  492.     num[1] = (nChild >> 16) & 0xFF;

  493.     num[2] = (nChild >>  8) & 0xFF;

  494.     num[3] = (nChild >>  0) & 0xFF;

  495.     HMAC_SHA512_CTX ctx;

  496.     HMAC_SHA512_Init(&ctx, chainCode, 32);

  497.     HMAC_SHA512_Update(&ctx, &header, 1);

  498.     HMAC_SHA512_Update(&ctx, data, 32);

  499.     HMAC_SHA512_Update(&ctx, num, 4);

  500.     HMAC_SHA512_Final(output, &ctx);

  501. }

  502. 

  503. bool CKey::Derive(CKey& keyChild, unsigned char ccChild[32], unsigned int nChild, const unsigned char cc[32]) const {

  504.     assert(IsValid());

  505.     assert(IsCompressed());

  506.     unsigned char out[64];

  507.     LockObject(out);

  508.     if ((nChild >> 31) == 0) {

  509.         CPubKey pubkey = GetPubKey();

  510.         assert(pubkey.begin() + 33 == pubkey.end());

  511.         BIP32Hash(cc, nChild, *pubkey.begin(), pubkey.begin()+1, out);

  512.     } else {

  513.         assert(begin() + 32 == end());

  514.         BIP32Hash(cc, nChild, 0, begin(), out);

  515.     }

  516.     memcpy(ccChild, out+32, 32);

  517.     bool ret = CECKey::TweakSecret((unsigned char*)keyChild.begin(), begin(), out);

  518.     UnlockObject(out);

  519.     keyChild.fCompressed = true;

  520.     keyChild.fValid = ret;

  521.     return ret;

  522. }

  523. 

  524. bool CPubKey::Derive(CPubKey& pubkeyChild, unsigned char ccChild[32], unsigned int nChild, const unsigned char cc[32]) const {

  525.     assert(IsValid());

  526.     assert((nChild >> 31) == 0);

  527.     assert(begin() + 33 == end());

  528.     unsigned char out[64];

  529.     BIP32Hash(cc, nChild, *begin(), begin()+1, out);

  530.     memcpy(ccChild, out+32, 32);

  531.     CECKey key;

  532.     bool ret = key.SetPubKey(*this);

  533.     ret &= key.TweakPublic(out);

  534.     key.GetPubKey(pubkeyChild, true);

  535.     return ret;

  536. }

  537. 

  538. bool CExtKey::Derive(CExtKey &out, unsigned int nChild) const {

  539.     out.nDepth = nDepth + 1;

  540.     CKeyID id = key.GetPubKey().GetID();

  541.     memcpy(&out.vchFingerprint[0], &id, 4);

  542.     out.nChild = nChild;

  543.     return key.Derive(out.key, out.vchChainCode, nChild, vchChainCode);

  544. }

  545. 

  546. void CExtKey::SetMaster(const unsigned char *seed, unsigned int nSeedLen) {

  547.     static const char hashkey[] = {'B','i','t','c','o','i','n',' ','s','e','e','d'};

  548.     HMAC_SHA512_CTX ctx;

  549.     HMAC_SHA512_Init(&ctx, hashkey, sizeof(hashkey));

  550.     HMAC_SHA512_Update(&ctx, seed, nSeedLen);

  551.     unsigned char out[64];

  552.     LockObject(out);

  553.     HMAC_SHA512_Final(out, &ctx);

  554.     key.Set(&out[0], &out[32], true);

  555.     memcpy(vchChainCode, &out[32], 32);

  556.     UnlockObject(out);

  557.     nDepth = 0;

  558.     nChild = 0;

  559.     memset(vchFingerprint, 0, sizeof(vchFingerprint));

  560. }

  561. 

  562. CExtPubKey CExtKey::Neuter() const {

  563.     CExtPubKey ret;

  564.     ret.nDepth = nDepth;

  565.     memcpy(&ret.vchFingerprint[0], &vchFingerprint[0], 4);

  566.     ret.nChild = nChild;

  567.     ret.pubkey = key.GetPubKey();

  568.     memcpy(&ret.vchChainCode[0], &vchChainCode[0], 32);

  569.     return ret;

  570. }

  571. 

  572. void CExtKey::Encode(unsigned char code[74]) const {

  573.     code[0] = nDepth;

  574.     memcpy(code+1, vchFingerprint, 4);

  575.     code[5] = (nChild >> 24) & 0xFF; code[6] = (nChild >> 16) & 0xFF;

  576.     code[7] = (nChild >>  8) & 0xFF; code[8] = (nChild >>  0) & 0xFF;

  577.     memcpy(code+9, vchChainCode, 32);

  578.     code[41] = 0;

  579.     assert(key.size() == 32);

  580.     memcpy(code+42, key.begin(), 32);

  581. }

  582. 

  583. void CExtKey::Decode(const unsigned char code[74]) {

  584.     nDepth = code[0];

  585.     memcpy(vchFingerprint, code+1, 4);

  586.     nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8];

  587.     memcpy(vchChainCode, code+9, 32);

  588.     key.Set(code+42, code+74, true);

  589. }

  590. 

  591. void CExtPubKey::Encode(unsigned char code[74]) const {

  592.     code[0] = nDepth;

  593.     memcpy(code+1, vchFingerprint, 4);

  594.     code[5] = (nChild >> 24) & 0xFF; code[6] = (nChild >> 16) & 0xFF;

  595.     code[7] = (nChild >>  8) & 0xFF; code[8] = (nChild >>  0) & 0xFF;

  596.     memcpy(code+9, vchChainCode, 32);

  597.     assert(pubkey.size() == 33);

  598.     memcpy(code+41, pubkey.begin(), 33);

  599. }

  600. 

  601. void CExtPubKey::Decode(const unsigned char code[74]) {

  602.     nDepth = code[0];

  603.     memcpy(vchFingerprint, code+1, 4);

  604.     nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8];

  605.     memcpy(vchChainCode, code+9, 32);

  606.     pubkey.Set(code+41, code+74);

  607. }

  608. 

  609. bool CExtPubKey::Derive(CExtPubKey &out, unsigned int nChild) const {

  610.     out.nDepth = nDepth + 1;

  611.     CKeyID id = pubkey.GetID();

  612.     memcpy(&out.vchFingerprint[0], &id, 4);

  613.     out.nChild = nChild;

  614.     return pubkey.Derive(out.pubkey, out.vchChainCode, nChild, vchChainCode);

  615. }