2010-07-14 17:54:31 +02:00
|
|
|
// Copyright (c) 2009-2010 Satoshi Nakamoto
|
2018-07-27 00:36:45 +02:00
|
|
|
// Copyright (c) 2009-2018 The Bitcoin Core developers
|
2017-06-06 09:21:34 +02:00
|
|
|
// Copyright (c) 2017 The Zcash developers
|
2014-10-26 09:33:52 +01:00
|
|
|
// Distributed under the MIT software license, see the accompanying
|
2012-05-18 16:02:28 +02:00
|
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
2013-04-13 07:13:08 +02:00
|
|
|
|
2011-05-15 09:11:04 +02:00
|
|
|
#ifndef BITCOIN_KEY_H
|
|
|
|
#define BITCOIN_KEY_H
|
2010-07-14 17:54:31 +02:00
|
|
|
|
2017-11-10 01:57:53 +01:00
|
|
|
#include <pubkey.h>
|
|
|
|
#include <serialize.h>
|
|
|
|
#include <support/allocators/secure.h>
|
|
|
|
#include <uint256.h>
|
2013-04-13 07:13:08 +02:00
|
|
|
|
|
|
|
#include <stdexcept>
|
|
|
|
#include <vector>
|
2011-06-26 16:11:56 +02:00
|
|
|
|
2014-11-19 10:53:46 +01:00
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
/**
|
|
|
|
* secure_allocator is defined in allocators.h
|
2017-06-06 09:21:34 +02:00
|
|
|
* CPrivKey is a serialized private key, with all parameters included
|
|
|
|
* (PRIVATE_KEY_SIZE bytes)
|
2014-10-26 09:33:52 +01:00
|
|
|
*/
|
2011-05-15 09:11:04 +02:00
|
|
|
typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey;
|
2010-07-14 17:54:31 +02:00
|
|
|
|
2013-05-01 06:52:05 +02:00
|
|
|
/** An encapsulated private key. */
|
2014-09-19 19:21:46 +02:00
|
|
|
class CKey
|
|
|
|
{
|
2017-10-04 15:41:40 +02:00
|
|
|
public:
|
|
|
|
/**
|
|
|
|
* secp256k1:
|
|
|
|
*/
|
|
|
|
static const unsigned int PRIVATE_KEY_SIZE = 279;
|
|
|
|
static const unsigned int COMPRESSED_PRIVATE_KEY_SIZE = 214;
|
|
|
|
/**
|
|
|
|
* see www.keylength.com
|
|
|
|
* script supports up to 75 for single byte push
|
|
|
|
*/
|
|
|
|
static_assert(
|
|
|
|
PRIVATE_KEY_SIZE >= COMPRESSED_PRIVATE_KEY_SIZE,
|
|
|
|
"COMPRESSED_PRIVATE_KEY_SIZE is larger than PRIVATE_KEY_SIZE");
|
|
|
|
|
2013-05-01 06:52:05 +02:00
|
|
|
private:
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Whether this private key is valid. We check for correctness when modifying the key
|
|
|
|
//! data, so fValid should always correspond to the actual state.
|
2013-05-01 06:52:05 +02:00
|
|
|
bool fValid;
|
2011-11-21 02:46:28 +01:00
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Whether the public key corresponding to this private key is (to be) compressed.
|
2013-05-01 06:52:05 +02:00
|
|
|
bool fCompressed;
|
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! The actual byte data
|
2016-09-18 08:40:14 +02:00
|
|
|
std::vector<unsigned char, secure_allocator<unsigned char> > keydata;
|
2016-07-19 04:39:46 +02:00
|
|
|
|
2017-03-19 02:13:55 +01:00
|
|
|
//! Check whether the 32-byte array pointed to by vch is valid keydata.
|
2014-09-19 19:21:46 +02:00
|
|
|
bool static Check(const unsigned char* vch);
|
2011-11-21 02:46:28 +01:00
|
|
|
|
2014-09-19 19:21:46 +02:00
|
|
|
public:
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Construct an invalid private key.
|
2014-09-19 19:21:46 +02:00
|
|
|
CKey() : fValid(false), fCompressed(false)
|
|
|
|
{
|
2016-09-18 08:40:14 +02:00
|
|
|
// Important: vch must be 32 bytes in length to not break serialization
|
|
|
|
keydata.resize(32);
|
2013-05-01 06:52:05 +02:00
|
|
|
}
|
2011-11-21 02:46:28 +01:00
|
|
|
|
2014-09-19 19:21:46 +02:00
|
|
|
friend bool operator==(const CKey& a, const CKey& b)
|
|
|
|
{
|
2016-07-19 04:39:46 +02:00
|
|
|
return a.fCompressed == b.fCompressed &&
|
|
|
|
a.size() == b.size() &&
|
2016-09-18 08:40:14 +02:00
|
|
|
memcmp(a.keydata.data(), b.keydata.data(), a.size()) == 0;
|
2013-07-15 01:05:25 +02:00
|
|
|
}
|
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Initialize using begin and end iterators to byte data.
|
2014-09-19 19:21:46 +02:00
|
|
|
template <typename T>
|
|
|
|
void Set(const T pbegin, const T pend, bool fCompressedIn)
|
|
|
|
{
|
2016-09-18 08:40:14 +02:00
|
|
|
if (size_t(pend - pbegin) != keydata.size()) {
|
2013-05-01 06:52:05 +02:00
|
|
|
fValid = false;
|
2016-07-19 04:39:46 +02:00
|
|
|
} else if (Check(&pbegin[0])) {
|
2016-09-18 08:40:14 +02:00
|
|
|
memcpy(keydata.data(), (unsigned char*)&pbegin[0], keydata.size());
|
2013-05-01 06:52:05 +02:00
|
|
|
fValid = true;
|
|
|
|
fCompressed = fCompressedIn;
|
|
|
|
} else {
|
|
|
|
fValid = false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Simple read-only vector-like interface.
|
2016-09-18 08:40:14 +02:00
|
|
|
unsigned int size() const { return (fValid ? keydata.size() : 0); }
|
|
|
|
const unsigned char* begin() const { return keydata.data(); }
|
|
|
|
const unsigned char* end() const { return keydata.data() + size(); }
|
2013-05-01 06:52:05 +02:00
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Check whether this private key is valid.
|
2013-05-01 06:52:05 +02:00
|
|
|
bool IsValid() const { return fValid; }
|
2010-07-14 17:54:31 +02:00
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Check whether the public key corresponding to this private key is (to be) compressed.
|
2013-05-01 06:52:05 +02:00
|
|
|
bool IsCompressed() const { return fCompressed; }
|
2011-06-25 14:57:32 +02:00
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Generate a new private key using a cryptographic PRNG.
|
2012-05-16 18:36:38 +02:00
|
|
|
void MakeNewKey(bool fCompressed);
|
2013-05-01 06:52:05 +02:00
|
|
|
|
2018-08-13 20:18:25 +02:00
|
|
|
//! Negate private key
|
|
|
|
bool Negate();
|
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
/**
|
|
|
|
* Convert the private key to a CPrivKey (serialized OpenSSL private key data).
|
2016-07-19 04:39:46 +02:00
|
|
|
* This is expensive.
|
2014-10-26 09:33:52 +01:00
|
|
|
*/
|
2012-05-16 18:36:38 +02:00
|
|
|
CPrivKey GetPrivKey() const;
|
2013-05-01 06:52:05 +02:00
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
/**
|
|
|
|
* Compute the public key from a private key.
|
|
|
|
* This is expensive.
|
|
|
|
*/
|
2012-05-14 19:07:52 +02:00
|
|
|
CPubKey GetPubKey() const;
|
2011-06-25 14:57:32 +02:00
|
|
|
|
2014-11-06 15:54:50 +01:00
|
|
|
/**
|
|
|
|
* Create a DER-serialized signature.
|
2015-03-27 23:31:44 +01:00
|
|
|
* The test_case parameter tweaks the deterministic nonce.
|
2014-11-06 15:54:50 +01:00
|
|
|
*/
|
2018-07-15 01:03:28 +02:00
|
|
|
bool Sign(const uint256& hash, std::vector<unsigned char>& vchSig, bool grind = true, uint32_t test_case = 0) const;
|
2010-07-14 17:54:31 +02:00
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
/**
|
|
|
|
* Create a compact signature (65 bytes), which allows reconstructing the used public key.
|
|
|
|
* The format is one header byte, followed by two times 32 bytes for the serialized r and s values.
|
|
|
|
* The header byte: 0x1B = first key with even y, 0x1C = first key with odd y,
|
|
|
|
* 0x1D = second key with even y, 0x1E = second key with odd y,
|
|
|
|
* add 0x04 for compressed keys.
|
|
|
|
*/
|
2014-09-19 19:21:46 +02:00
|
|
|
bool SignCompact(const uint256& hash, std::vector<unsigned char>& vchSig) const;
|
2013-07-15 01:05:25 +02:00
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Derive BIP32 child key.
|
2015-04-22 00:09:37 +02:00
|
|
|
bool Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const;
|
2013-10-28 11:20:26 +01:00
|
|
|
|
2014-11-06 10:17:48 +01:00
|
|
|
/**
|
|
|
|
* Verify thoroughly whether a private key and a public key match.
|
|
|
|
* This is done using a different mechanism than just regenerating it.
|
|
|
|
*/
|
|
|
|
bool VerifyPubKey(const CPubKey& vchPubKey) const;
|
|
|
|
|
2014-10-26 09:33:52 +01:00
|
|
|
//! Load private key and check that public key matches.
|
2018-01-23 19:16:56 +01:00
|
|
|
bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck);
|
2013-07-15 01:05:25 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
struct CExtKey {
|
|
|
|
unsigned char nDepth;
|
|
|
|
unsigned char vchFingerprint[4];
|
|
|
|
unsigned int nChild;
|
2015-04-22 00:09:37 +02:00
|
|
|
ChainCode chaincode;
|
2013-07-15 01:05:25 +02:00
|
|
|
CKey key;
|
|
|
|
|
2014-09-19 19:21:46 +02:00
|
|
|
friend bool operator==(const CExtKey& a, const CExtKey& b)
|
|
|
|
{
|
2016-07-19 04:39:46 +02:00
|
|
|
return a.nDepth == b.nDepth &&
|
|
|
|
memcmp(&a.vchFingerprint[0], &b.vchFingerprint[0], sizeof(vchFingerprint)) == 0 &&
|
|
|
|
a.nChild == b.nChild &&
|
|
|
|
a.chaincode == b.chaincode &&
|
|
|
|
a.key == b.key;
|
2013-07-15 01:05:25 +02:00
|
|
|
}
|
|
|
|
|
2015-06-01 16:35:19 +02:00
|
|
|
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const;
|
|
|
|
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]);
|
2014-09-19 19:21:46 +02:00
|
|
|
bool Derive(CExtKey& out, unsigned int nChild) const;
|
2013-07-15 01:05:25 +02:00
|
|
|
CExtPubKey Neuter() const;
|
2018-04-04 17:43:45 +02:00
|
|
|
void SetSeed(const unsigned char* seed, unsigned int nSeedLen);
|
2015-06-01 16:35:19 +02:00
|
|
|
template <typename Stream>
|
2016-10-29 01:29:17 +02:00
|
|
|
void Serialize(Stream& s) const
|
2015-06-01 16:35:19 +02:00
|
|
|
{
|
|
|
|
unsigned int len = BIP32_EXTKEY_SIZE;
|
|
|
|
::WriteCompactSize(s, len);
|
|
|
|
unsigned char code[BIP32_EXTKEY_SIZE];
|
|
|
|
Encode(code);
|
|
|
|
s.write((const char *)&code[0], len);
|
|
|
|
}
|
|
|
|
template <typename Stream>
|
2016-10-29 01:29:17 +02:00
|
|
|
void Unserialize(Stream& s)
|
2015-06-01 16:35:19 +02:00
|
|
|
{
|
|
|
|
unsigned int len = ::ReadCompactSize(s);
|
|
|
|
unsigned char code[BIP32_EXTKEY_SIZE];
|
2017-08-17 21:54:23 +02:00
|
|
|
if (len != BIP32_EXTKEY_SIZE)
|
|
|
|
throw std::runtime_error("Invalid extended key size\n");
|
2015-06-01 16:35:19 +02:00
|
|
|
s.read((char *)&code[0], len);
|
|
|
|
Decode(code);
|
|
|
|
}
|
2010-07-14 17:54:31 +02:00
|
|
|
};
|
2011-05-15 09:11:04 +02:00
|
|
|
|
Update key.cpp to use new libsecp256k1
libsecp256k1's API changed, so update key.cpp to use it.
Libsecp256k1 now has explicit context objects, which makes it completely thread-safe.
In turn, keep an explicit context object in key.cpp, which is explicitly initialized
destroyed. This is not really pretty now, but it's more efficient than the static
initialized object in key.cpp (which made for example bitcoin-tx slow, as for most of
its calls, libsecp256k1 wasn't actually needed).
This also brings in the new blinding support in libsecp256k1. By passing in a random
seed, temporary variables during the elliptic curve computations are altered, in such
a way that if an attacker does not know the blind, observing the internal operations
leaks less information about the keys used. This was implemented by Greg Maxwell.
2015-04-22 23:28:26 +02:00
|
|
|
/** Initialize the elliptic curve support. May not be called twice without calling ECC_Stop first. */
|
2018-09-13 19:36:41 +02:00
|
|
|
void ECC_Start();
|
Update key.cpp to use new libsecp256k1
libsecp256k1's API changed, so update key.cpp to use it.
Libsecp256k1 now has explicit context objects, which makes it completely thread-safe.
In turn, keep an explicit context object in key.cpp, which is explicitly initialized
destroyed. This is not really pretty now, but it's more efficient than the static
initialized object in key.cpp (which made for example bitcoin-tx slow, as for most of
its calls, libsecp256k1 wasn't actually needed).
This also brings in the new blinding support in libsecp256k1. By passing in a random
seed, temporary variables during the elliptic curve computations are altered, in such
a way that if an attacker does not know the blind, observing the internal operations
leaks less information about the keys used. This was implemented by Greg Maxwell.
2015-04-22 23:28:26 +02:00
|
|
|
|
|
|
|
/** Deinitialize the elliptic curve support. No-op if ECC_Start wasn't called first. */
|
2018-09-13 19:36:41 +02:00
|
|
|
void ECC_Stop();
|
Update key.cpp to use new libsecp256k1
libsecp256k1's API changed, so update key.cpp to use it.
Libsecp256k1 now has explicit context objects, which makes it completely thread-safe.
In turn, keep an explicit context object in key.cpp, which is explicitly initialized
destroyed. This is not really pretty now, but it's more efficient than the static
initialized object in key.cpp (which made for example bitcoin-tx slow, as for most of
its calls, libsecp256k1 wasn't actually needed).
This also brings in the new blinding support in libsecp256k1. By passing in a random
seed, temporary variables during the elliptic curve computations are altered, in such
a way that if an attacker does not know the blind, observing the internal operations
leaks less information about the keys used. This was implemented by Greg Maxwell.
2015-04-22 23:28:26 +02:00
|
|
|
|
|
|
|
/** Check that required EC support is available at runtime. */
|
2018-09-13 19:36:41 +02:00
|
|
|
bool ECC_InitSanityCheck();
|
2014-06-03 01:21:03 +02:00
|
|
|
|
2014-08-28 22:21:03 +02:00
|
|
|
#endif // BITCOIN_KEY_H
|