1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
|
// Copyright (c) 2009-2010 Satoshi Nakamoto
// Copyright (c) 2009-2022 The Bitcoin Core developers
// Copyright (c) 2017 The Zcash developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#ifndef BITCOIN_KEY_H
#define BITCOIN_KEY_H
#include <pubkey.h>
#include <serialize.h>
#include <support/allocators/secure.h>
#include <uint256.h>
#include <stdexcept>
#include <vector>
/**
* CPrivKey is a serialized private key, with all parameters included
* (SIZE bytes)
*/
typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey;
/** Size of ECDH shared secrets. */
constexpr static size_t ECDH_SECRET_SIZE = CSHA256::OUTPUT_SIZE;
// Used to represent ECDH shared secret (ECDH_SECRET_SIZE bytes)
using ECDHSecret = std::array<std::byte, ECDH_SECRET_SIZE>;
class KeyPair;
/** An encapsulated private key. */
class CKey
{
public:
/**
* secp256k1:
*/
static const unsigned int SIZE = 279;
static const unsigned int COMPRESSED_SIZE = 214;
/**
* see www.keylength.com
* script supports up to 75 for single byte push
*/
static_assert(
SIZE >= COMPRESSED_SIZE,
"COMPRESSED_SIZE is larger than SIZE");
private:
/** Internal data container for private key material. */
using KeyType = std::array<unsigned char, 32>;
//! Whether the public key corresponding to this private key is (to be) compressed.
bool fCompressed{false};
//! The actual byte data. nullptr for invalid keys.
secure_unique_ptr<KeyType> keydata;
//! Check whether the 32-byte array pointed to by vch is valid keydata.
bool static Check(const unsigned char* vch);
void MakeKeyData()
{
if (!keydata) keydata = make_secure_unique<KeyType>();
}
void ClearKeyData()
{
keydata.reset();
}
public:
CKey() noexcept = default;
CKey(CKey&&) noexcept = default;
CKey& operator=(CKey&&) noexcept = default;
CKey& operator=(const CKey& other)
{
if (this != &other) {
if (other.keydata) {
MakeKeyData();
*keydata = *other.keydata;
} else {
ClearKeyData();
}
fCompressed = other.fCompressed;
}
return *this;
}
CKey(const CKey& other) { *this = other; }
friend bool operator==(const CKey& a, const CKey& b)
{
return a.fCompressed == b.fCompressed &&
a.size() == b.size() &&
memcmp(a.data(), b.data(), a.size()) == 0;
}
//! Initialize using begin and end iterators to byte data.
template <typename T>
void Set(const T pbegin, const T pend, bool fCompressedIn)
{
if (size_t(pend - pbegin) != std::tuple_size_v<KeyType>) {
ClearKeyData();
} else if (Check(UCharCast(&pbegin[0]))) {
MakeKeyData();
memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size());
fCompressed = fCompressedIn;
} else {
ClearKeyData();
}
}
//! Simple read-only vector-like interface.
unsigned int size() const { return keydata ? keydata->size() : 0; }
const std::byte* data() const { return keydata ? reinterpret_cast<const std::byte*>(keydata->data()) : nullptr; }
const std::byte* begin() const { return data(); }
const std::byte* end() const { return data() + size(); }
//! Check whether this private key is valid.
bool IsValid() const { return !!keydata; }
//! Check whether the public key corresponding to this private key is (to be) compressed.
bool IsCompressed() const { return fCompressed; }
//! Generate a new private key using a cryptographic PRNG.
void MakeNewKey(bool fCompressed);
/**
* Convert the private key to a CPrivKey (serialized OpenSSL private key data).
* This is expensive.
*/
CPrivKey GetPrivKey() const;
/**
* Compute the public key from a private key.
* This is expensive.
*/
CPubKey GetPubKey() const;
/**
* Create a DER-serialized signature.
* The test_case parameter tweaks the deterministic nonce.
*/
bool Sign(const uint256& hash, std::vector<unsigned char>& vchSig, bool grind = true, uint32_t test_case = 0) const;
/**
* Create a compact signature (65 bytes), which allows reconstructing the used public key.
* The format is one header byte, followed by two times 32 bytes for the serialized r and s values.
* The header byte: 0x1B = first key with even y, 0x1C = first key with odd y,
* 0x1D = second key with even y, 0x1E = second key with odd y,
* add 0x04 for compressed keys.
*/
bool SignCompact(const uint256& hash, std::vector<unsigned char>& vchSig) const;
/**
* Create a BIP-340 Schnorr signature, for the xonly-pubkey corresponding to *this,
* optionally tweaked by *merkle_root. Additional nonce entropy is provided through
* aux.
*
* merkle_root is used to optionally perform tweaking of the private key, as specified
* in BIP341:
* - If merkle_root == nullptr: no tweaking is done, sign with key directly (this is
* used for signatures in BIP342 script).
* - If merkle_root->IsNull(): sign with key + H_TapTweak(pubkey) (this is used for
* key path spending when no scripts are present).
* - Otherwise: sign with key + H_TapTweak(pubkey || *merkle_root)
* (this is used for key path spending, with specific
* Merkle root of the script tree).
*/
bool SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256* merkle_root, const uint256& aux) const;
//! Derive BIP32 child key.
[[nodiscard]] bool Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const;
/**
* Verify thoroughly whether a private key and a public key match.
* This is done using a different mechanism than just regenerating it.
*/
bool VerifyPubKey(const CPubKey& vchPubKey) const;
//! Load private key and check that public key matches.
bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck);
/** Create an ellswift-encoded public key for this key, with specified entropy.
*
* entropy must be a 32-byte span with additional entropy to use in the encoding. Every
* public key has ~2^256 different encodings, and this function will deterministically pick
* one of them, based on entropy. Note that even without truly random entropy, the
* resulting encoding will be indistinguishable from uniform to any adversary who does not
* know the private key (because the private key itself is always used as entropy as well).
*/
EllSwiftPubKey EllSwiftCreate(Span<const std::byte> entropy) const;
/** Compute a BIP324-style ECDH shared secret.
*
* - their_ellswift: EllSwiftPubKey that was received from the other side.
* - our_ellswift: EllSwiftPubKey that was sent to the other side (must have been generated
* from *this using EllSwiftCreate()).
* - initiating: whether we are the initiating party (true) or responding party (false).
*/
ECDHSecret ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift,
const EllSwiftPubKey& our_ellswift,
bool initiating) const;
/** Compute a KeyPair
*
* Wraps a `secp256k1_keypair` type.
*
* `merkle_root` is used to optionally perform tweaking of
* the internal key, as specified in BIP341:
*
* - If merkle_root == nullptr: no tweaking is done, use the internal key directly (this is
* used for signatures in BIP342 script).
* - If merkle_root->IsNull(): tweak the internal key with H_TapTweak(pubkey) (this is used for
* key path spending when no scripts are present).
* - Otherwise: tweak the internal key with H_TapTweak(pubkey || *merkle_root)
* (this is used for key path spending with the
* Merkle root of the script tree).
*/
KeyPair ComputeKeyPair(const uint256* merkle_root) const;
};
CKey GenerateRandomKey(bool compressed = true) noexcept;
struct CExtKey {
unsigned char nDepth;
unsigned char vchFingerprint[4];
unsigned int nChild;
ChainCode chaincode;
CKey key;
friend bool operator==(const CExtKey& a, const CExtKey& b)
{
return a.nDepth == b.nDepth &&
memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 &&
a.nChild == b.nChild &&
a.chaincode == b.chaincode &&
a.key == b.key;
}
CExtKey() = default;
CExtKey(const CExtPubKey& xpub, const CKey& key_in) : nDepth(xpub.nDepth), nChild(xpub.nChild), chaincode(xpub.chaincode), key(key_in)
{
std::copy(xpub.vchFingerprint, xpub.vchFingerprint + sizeof(xpub.vchFingerprint), vchFingerprint);
}
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const;
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]);
[[nodiscard]] bool Derive(CExtKey& out, unsigned int nChild) const;
CExtPubKey Neuter() const;
void SetSeed(Span<const std::byte> seed);
};
/** KeyPair
*
* Wraps a `secp256k1_keypair` type, an opaque data structure for holding a secret and public key.
* This is intended for BIP340 keys and allows us to easily determine if the secret key needs to
* be negated by checking the parity of the public key. This class primarily intended for passing
* secret keys to libsecp256k1 functions expecting a `secp256k1_keypair`. For all other cases,
* CKey should be preferred.
*
* A KeyPair can be created from a CKey with an optional merkle_root tweak (per BIP342). See
* CKey::ComputeKeyPair for more details.
*/
class KeyPair
{
public:
KeyPair() noexcept = default;
KeyPair(KeyPair&&) noexcept = default;
KeyPair& operator=(KeyPair&&) noexcept = default;
KeyPair& operator=(const KeyPair& other)
{
if (this != &other) {
if (other.m_keypair) {
MakeKeyPairData();
*m_keypair = *other.m_keypair;
} else {
ClearKeyPairData();
}
}
return *this;
}
KeyPair(const KeyPair& other) { *this = other; }
friend KeyPair CKey::ComputeKeyPair(const uint256* merkle_root) const;
[[nodiscard]] bool SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256& aux) const;
//! Check whether this keypair is valid.
bool IsValid() const { return !!m_keypair; }
private:
KeyPair(const CKey& key, const uint256* merkle_root);
using KeyType = std::array<unsigned char, 96>;
secure_unique_ptr<KeyType> m_keypair;
void MakeKeyPairData()
{
if (!m_keypair) m_keypair = make_secure_unique<KeyType>();
}
void ClearKeyPairData()
{
m_keypair.reset();
}
};
/** Check that required EC support is available at runtime. */
bool ECC_InitSanityCheck();
/**
* RAII class initializing and deinitializing global state for elliptic curve support.
* Only one instance may be initialized at a time.
*
* In the future global ECC state could be removed, and this class could contain
* state and be passed as an argument to ECC key functions.
*/
class ECC_Context
{
public:
ECC_Context();
~ECC_Context();
};
#endif // BITCOIN_KEY_H
|