442 lines
14 KiB
Go
442 lines
14 KiB
Go
// Copyright (c) 2017 The btcsuite developers
|
|
// Copyright (c) 2019 The Decred developers
|
|
// Use of this source code is governed by an ISC
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package bech32
|
|
|
|
import (
|
|
"strings"
|
|
)
|
|
|
|
// charset is the set of characters used in the data section of bech32 strings.
|
|
// Note that this is ordered, such that for a given charset[i], i is the binary
|
|
// value of the character.
|
|
const charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
|
|
|
|
// gen encodes the generator polynomial for the bech32 BCH checksum.
|
|
var gen = []int{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3}
|
|
|
|
// toBytes converts each character in the string 'chars' to the value of the
|
|
// index of the correspoding character in 'charset'.
|
|
func toBytes(chars string) ([]byte, error) {
|
|
decoded := make([]byte, 0, len(chars))
|
|
for i := 0; i < len(chars); i++ {
|
|
index := strings.IndexByte(charset, chars[i])
|
|
if index < 0 {
|
|
return nil, ErrNonCharsetChar(chars[i])
|
|
}
|
|
decoded = append(decoded, byte(index))
|
|
}
|
|
return decoded, nil
|
|
}
|
|
|
|
// bech32Polymod calculates the BCH checksum for a given hrp, values and
|
|
// checksum data. Checksum is optional, and if nil a 0 checksum is assumed.
|
|
//
|
|
// Values and checksum (if provided) MUST be encoded as 5 bits per element (base
|
|
// 32), otherwise the results are undefined.
|
|
//
|
|
// For more details on the polymod calculation, please refer to BIP 173.
|
|
func bech32Polymod(hrp string, values, checksum []byte) int {
|
|
chk := 1
|
|
|
|
// Account for the high bits of the HRP in the checksum.
|
|
for i := 0; i < len(hrp); i++ {
|
|
b := chk >> 25
|
|
hiBits := int(hrp[i]) >> 5
|
|
chk = (chk&0x1ffffff)<<5 ^ hiBits
|
|
for i := 0; i < 5; i++ {
|
|
if (b>>uint(i))&1 == 1 {
|
|
chk ^= gen[i]
|
|
}
|
|
}
|
|
}
|
|
|
|
// Account for the separator (0) between high and low bits of the HRP.
|
|
// x^0 == x, so we eliminate the redundant xor used in the other rounds.
|
|
b := chk >> 25
|
|
chk = (chk & 0x1ffffff) << 5
|
|
for i := 0; i < 5; i++ {
|
|
if (b>>uint(i))&1 == 1 {
|
|
chk ^= gen[i]
|
|
}
|
|
}
|
|
|
|
// Account for the low bits of the HRP.
|
|
for i := 0; i < len(hrp); i++ {
|
|
b := chk >> 25
|
|
loBits := int(hrp[i]) & 31
|
|
chk = (chk&0x1ffffff)<<5 ^ loBits
|
|
for i := 0; i < 5; i++ {
|
|
if (b>>uint(i))&1 == 1 {
|
|
chk ^= gen[i]
|
|
}
|
|
}
|
|
}
|
|
|
|
// Account for the values.
|
|
for _, v := range values {
|
|
b := chk >> 25
|
|
chk = (chk&0x1ffffff)<<5 ^ int(v)
|
|
for i := 0; i < 5; i++ {
|
|
if (b>>uint(i))&1 == 1 {
|
|
chk ^= gen[i]
|
|
}
|
|
}
|
|
}
|
|
|
|
if checksum == nil {
|
|
// A nil checksum is used during encoding, so assume all bytes are zero.
|
|
// x^0 == x, so we eliminate the redundant xor used in the other rounds.
|
|
for v := 0; v < 6; v++ {
|
|
b := chk >> 25
|
|
chk = (chk & 0x1ffffff) << 5
|
|
for i := 0; i < 5; i++ {
|
|
if (b>>uint(i))&1 == 1 {
|
|
chk ^= gen[i]
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
// Checksum is provided during decoding, so use it.
|
|
for _, v := range checksum {
|
|
b := chk >> 25
|
|
chk = (chk&0x1ffffff)<<5 ^ int(v)
|
|
for i := 0; i < 5; i++ {
|
|
if (b>>uint(i))&1 == 1 {
|
|
chk ^= gen[i]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return chk
|
|
}
|
|
|
|
// writeBech32Checksum calculates the checksum data expected for a string that
|
|
// will have the given hrp and payload data and writes it to the provided string
|
|
// builder.
|
|
//
|
|
// The payload data MUST be encoded as a base 32 (5 bits per element) byte slice
|
|
// and the hrp MUST only use the allowed character set (ascii chars between 33
|
|
// and 126), otherwise the results are undefined.
|
|
//
|
|
// For more details on the checksum calculation, please refer to BIP 173.
|
|
func writeBech32Checksum(hrp string, data []byte, bldr *strings.Builder,
|
|
version Version) {
|
|
|
|
bech32Const := int(VersionToConsts[version])
|
|
polymod := bech32Polymod(hrp, data, nil) ^ bech32Const
|
|
for i := 0; i < 6; i++ {
|
|
b := byte((polymod >> uint(5*(5-i))) & 31)
|
|
|
|
// This can't fail, given we explicitly cap the previous b byte by the
|
|
// first 31 bits.
|
|
c := charset[b]
|
|
bldr.WriteByte(c)
|
|
}
|
|
}
|
|
|
|
// bech32VerifyChecksum verifies whether the bech32 string specified by the
|
|
// provided hrp and payload data (encoded as 5 bits per element byte slice) has
|
|
// the correct checksum suffix. The version of bech32 used (bech32 OG, or
|
|
// bech32m) is also returned to allow the caller to perform proper address
|
|
// validation (segwitv0 should use bech32, v1+ should use bech32m).
|
|
//
|
|
// Data MUST have more than 6 elements, otherwise this function panics.
|
|
//
|
|
// For more details on the checksum verification, please refer to BIP 173.
|
|
func bech32VerifyChecksum(hrp string, data []byte) (Version, bool) {
|
|
checksum := data[len(data)-6:]
|
|
values := data[:len(data)-6]
|
|
polymod := bech32Polymod(hrp, values, checksum)
|
|
|
|
// Before BIP-350, we'd always check this against a static constant of
|
|
// 1 to know if the checksum was computed properly. As we want to
|
|
// generically support decoding for bech32m as well as bech32, we'll
|
|
// look up the returned value and compare it to the set of defined
|
|
// constants.
|
|
bech32Version, ok := ConstsToVersion[ChecksumConst(polymod)]
|
|
if ok {
|
|
return bech32Version, true
|
|
}
|
|
|
|
return VersionUnknown, false
|
|
}
|
|
|
|
// DecodeNoLimit is a bech32 checksum version aware arbitrary string length
|
|
// decoder. This function will return the version of the decoded checksum
|
|
// constant so higher level validation can be performed to ensure the correct
|
|
// version of bech32 was used when encoding.
|
|
func decodeNoLimit(bech string) (string, []byte, Version, error) {
|
|
// The minimum allowed size of a bech32 string is 8 characters, since it
|
|
// needs a non-empty HRP, a separator, and a 6 character checksum.
|
|
if len(bech) < 8 {
|
|
return "", nil, VersionUnknown, ErrInvalidLength(len(bech))
|
|
}
|
|
|
|
// Only ASCII characters between 33 and 126 are allowed.
|
|
var hasLower, hasUpper bool
|
|
for i := 0; i < len(bech); i++ {
|
|
if bech[i] < 33 || bech[i] > 126 {
|
|
return "", nil, VersionUnknown, ErrInvalidCharacter(bech[i])
|
|
}
|
|
|
|
// The characters must be either all lowercase or all uppercase. Testing
|
|
// directly with ascii codes is safe here, given the previous test.
|
|
hasLower = hasLower || (bech[i] >= 97 && bech[i] <= 122)
|
|
hasUpper = hasUpper || (bech[i] >= 65 && bech[i] <= 90)
|
|
if hasLower && hasUpper {
|
|
return "", nil, VersionUnknown, ErrMixedCase{}
|
|
}
|
|
}
|
|
|
|
// Bech32 standard uses only the lowercase for of strings for checksum
|
|
// calculation.
|
|
if hasUpper {
|
|
bech = strings.ToLower(bech)
|
|
}
|
|
|
|
// The string is invalid if the last '1' is non-existent, it is the
|
|
// first character of the string (no human-readable part) or one of the
|
|
// last 6 characters of the string (since checksum cannot contain '1').
|
|
one := strings.LastIndexByte(bech, '1')
|
|
if one < 1 || one+7 > len(bech) {
|
|
return "", nil, VersionUnknown, ErrInvalidSeparatorIndex(one)
|
|
}
|
|
|
|
// The human-readable part is everything before the last '1'.
|
|
hrp := bech[:one]
|
|
data := bech[one+1:]
|
|
|
|
// Each character corresponds to the byte with value of the index in
|
|
// 'charset'.
|
|
decoded, err := toBytes(data)
|
|
if err != nil {
|
|
return "", nil, VersionUnknown, err
|
|
}
|
|
|
|
// Verify if the checksum (stored inside decoded[:]) is valid, given the
|
|
// previously decoded hrp.
|
|
bech32Version, ok := bech32VerifyChecksum(hrp, decoded)
|
|
if !ok {
|
|
// Invalid checksum. Calculate what it should have been, so that the
|
|
// error contains this information.
|
|
|
|
// Extract the payload bytes and actual checksum in the string.
|
|
actual := bech[len(bech)-6:]
|
|
payload := decoded[:len(decoded)-6]
|
|
|
|
// Calculate the expected checksum, given the hrp and payload
|
|
// data. We'll actually compute _both_ possibly valid checksum
|
|
// to further aide in debugging.
|
|
var expectedBldr strings.Builder
|
|
expectedBldr.Grow(6)
|
|
writeBech32Checksum(hrp, payload, &expectedBldr, Version0)
|
|
expectedVersion0 := expectedBldr.String()
|
|
|
|
var b strings.Builder
|
|
b.Grow(6)
|
|
writeBech32Checksum(hrp, payload, &expectedBldr, VersionM)
|
|
expectedVersionM := expectedBldr.String()
|
|
|
|
err = ErrInvalidChecksum{
|
|
Expected: expectedVersion0,
|
|
ExpectedM: expectedVersionM,
|
|
Actual: actual,
|
|
}
|
|
return "", nil, VersionUnknown, err
|
|
}
|
|
|
|
// We exclude the last 6 bytes, which is the checksum.
|
|
return hrp, decoded[:len(decoded)-6], bech32Version, nil
|
|
}
|
|
|
|
// DecodeNoLimit decodes a bech32 encoded string, returning the human-readable
|
|
// part and the data part excluding the checksum. This function does NOT
|
|
// validate against the BIP-173 maximum length allowed for bech32 strings and
|
|
// is meant for use in custom applications (such as lightning network payment
|
|
// requests), NOT on-chain addresses.
|
|
//
|
|
// Note that the returned data is 5-bit (base32) encoded and the human-readable
|
|
// part will be lowercase.
|
|
func DecodeNoLimit(bech string) (string, []byte, error) {
|
|
hrp, data, _, err := decodeNoLimit(bech)
|
|
return hrp, data, err
|
|
}
|
|
|
|
// Decode decodes a bech32 encoded string, returning the human-readable part and
|
|
// the data part excluding the checksum.
|
|
//
|
|
// Note that the returned data is 5-bit (base32) encoded and the human-readable
|
|
// part will be lowercase.
|
|
func Decode(bech string) (string, []byte, error) {
|
|
// The maximum allowed length for a bech32 string is 90.
|
|
if len(bech) > 90 {
|
|
return "", nil, ErrInvalidLength(len(bech))
|
|
}
|
|
|
|
hrp, data, _, err := decodeNoLimit(bech)
|
|
return hrp, data, err
|
|
}
|
|
|
|
// DecodeGeneric is identical to the existing Decode method, but will also
|
|
// return bech32 version that matches the decoded checksum. This method should
|
|
// be used when decoding segwit addresses, as it enables additional
|
|
// verification to ensure the proper checksum is used.
|
|
func DecodeGeneric(bech string) (string, []byte, Version, error) {
|
|
// The maximum allowed length for a bech32 string is 90.
|
|
if len(bech) > 90 {
|
|
return "", nil, VersionUnknown, ErrInvalidLength(len(bech))
|
|
}
|
|
|
|
return decodeNoLimit(bech)
|
|
}
|
|
|
|
// encodeGeneric is the base bech32 encoding function that is aware of the
|
|
// existence of the checksum versions. This method is private, as the Encode
|
|
// and EncodeM methods are intended to be used instead.
|
|
func encodeGeneric(hrp string, data []byte,
|
|
version Version) (string, error) {
|
|
|
|
// The resulting bech32 string is the concatenation of the lowercase
|
|
// hrp, the separator 1, data and the 6-byte checksum.
|
|
hrp = strings.ToLower(hrp)
|
|
var bldr strings.Builder
|
|
bldr.Grow(len(hrp) + 1 + len(data) + 6)
|
|
bldr.WriteString(hrp)
|
|
bldr.WriteString("1")
|
|
|
|
// Write the data part, using the bech32 charset.
|
|
for _, b := range data {
|
|
if int(b) >= len(charset) {
|
|
return "", ErrInvalidDataByte(b)
|
|
}
|
|
bldr.WriteByte(charset[b])
|
|
}
|
|
|
|
// Calculate and write the checksum of the data.
|
|
writeBech32Checksum(hrp, data, &bldr, version)
|
|
|
|
return bldr.String(), nil
|
|
}
|
|
|
|
// Encode encodes a byte slice into a bech32 string with the given
|
|
// human-readable part (HRP). The HRP will be converted to lowercase if needed
|
|
// since mixed cased encodings are not permitted and lowercase is used for
|
|
// checksum purposes. Note that the bytes must each encode 5 bits (base32).
|
|
func Encode(hrp string, data []byte) (string, error) {
|
|
return encodeGeneric(hrp, data, Version0)
|
|
}
|
|
|
|
// EncodeM is the exactly same as the Encode method, but it uses the new
|
|
// bech32m constant instead of the original one. It should be used whenever one
|
|
// attempts to encode a segwit address of v1 and beyond.
|
|
func EncodeM(hrp string, data []byte) (string, error) {
|
|
return encodeGeneric(hrp, data, VersionM)
|
|
}
|
|
|
|
// ConvertBits converts a byte slice where each byte is encoding fromBits bits,
|
|
// to a byte slice where each byte is encoding toBits bits.
|
|
func ConvertBits(data []byte, fromBits, toBits uint8, pad bool) ([]byte, error) {
|
|
if fromBits < 1 || fromBits > 8 || toBits < 1 || toBits > 8 {
|
|
return nil, ErrInvalidBitGroups{}
|
|
}
|
|
|
|
// Determine the maximum size the resulting array can have after base
|
|
// conversion, so that we can size it a single time. This might be off
|
|
// by a byte depending on whether padding is used or not and if the input
|
|
// data is a multiple of both fromBits and toBits, but we ignore that and
|
|
// just size it to the maximum possible.
|
|
maxSize := len(data)*int(fromBits)/int(toBits) + 1
|
|
|
|
// The final bytes, each byte encoding toBits bits.
|
|
regrouped := make([]byte, 0, maxSize)
|
|
|
|
// Keep track of the next byte we create and how many bits we have
|
|
// added to it out of the toBits goal.
|
|
nextByte := byte(0)
|
|
filledBits := uint8(0)
|
|
|
|
for _, b := range data {
|
|
|
|
// Discard unused bits.
|
|
b <<= 8 - fromBits
|
|
|
|
// How many bits remaining to extract from the input data.
|
|
remFromBits := fromBits
|
|
for remFromBits > 0 {
|
|
// How many bits remaining to be added to the next byte.
|
|
remToBits := toBits - filledBits
|
|
|
|
// The number of bytes to next extract is the minimum of
|
|
// remFromBits and remToBits.
|
|
toExtract := remFromBits
|
|
if remToBits < toExtract {
|
|
toExtract = remToBits
|
|
}
|
|
|
|
// Add the next bits to nextByte, shifting the already
|
|
// added bits to the left.
|
|
nextByte = (nextByte << toExtract) | (b >> (8 - toExtract))
|
|
|
|
// Discard the bits we just extracted and get ready for
|
|
// next iteration.
|
|
b <<= toExtract
|
|
remFromBits -= toExtract
|
|
filledBits += toExtract
|
|
|
|
// If the nextByte is completely filled, we add it to
|
|
// our regrouped bytes and start on the next byte.
|
|
if filledBits == toBits {
|
|
regrouped = append(regrouped, nextByte)
|
|
filledBits = 0
|
|
nextByte = 0
|
|
}
|
|
}
|
|
}
|
|
|
|
// We pad any unfinished group if specified.
|
|
if pad && filledBits > 0 {
|
|
nextByte <<= toBits - filledBits
|
|
regrouped = append(regrouped, nextByte)
|
|
filledBits = 0
|
|
nextByte = 0
|
|
}
|
|
|
|
// Any incomplete group must be <= 4 bits, and all zeroes.
|
|
if filledBits > 0 && (filledBits > 4 || nextByte != 0) {
|
|
return nil, ErrInvalidIncompleteGroup{}
|
|
}
|
|
|
|
return regrouped, nil
|
|
}
|
|
|
|
// EncodeFromBase256 converts a base256-encoded byte slice into a base32-encoded
|
|
// byte slice and then encodes it into a bech32 string with the given
|
|
// human-readable part (HRP). The HRP will be converted to lowercase if needed
|
|
// since mixed cased encodings are not permitted and lowercase is used for
|
|
// checksum purposes.
|
|
func EncodeFromBase256(hrp string, data []byte) (string, error) {
|
|
converted, err := ConvertBits(data, 8, 5, true)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return Encode(hrp, converted)
|
|
}
|
|
|
|
// DecodeToBase256 decodes a bech32-encoded string into its associated
|
|
// human-readable part (HRP) and base32-encoded data, converts that data to a
|
|
// base256-encoded byte slice and returns it along with the lowercase HRP.
|
|
func DecodeToBase256(bech string) (string, []byte, error) {
|
|
hrp, data, err := Decode(bech)
|
|
if err != nil {
|
|
return "", nil, err
|
|
}
|
|
converted, err := ConvertBits(data, 5, 8, false)
|
|
if err != nil {
|
|
return "", nil, err
|
|
}
|
|
return hrp, converted, nil
|
|
}
|