core: implement key recover interops
Implement secp256k1 and secp256r1 recover interops, closes #1003. Note: We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see https://github.com/golang/go/issues/26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
This commit is contained in:
parent
2f90a06db3
commit
6c06bc57cc
7 changed files with 331 additions and 10 deletions
1
go.mod
1
go.mod
|
@ -3,6 +3,7 @@ module github.com/nspcc-dev/neo-go
|
|||
require (
|
||||
github.com/Workiva/go-datastructures v1.0.50
|
||||
github.com/alicebob/miniredis v2.5.0+incompatible
|
||||
github.com/btcsuite/btcd v0.20.1-beta
|
||||
github.com/dgraph-io/badger/v2 v2.0.3
|
||||
github.com/go-redis/redis v6.10.2+incompatible
|
||||
github.com/go-yaml/yaml v2.1.0+incompatible
|
||||
|
|
28
go.sum
28
go.sum
|
@ -13,6 +13,8 @@ github.com/abiosoft/ishell v2.0.0+incompatible h1:zpwIuEHc37EzrsIYah3cpevrIc8Oma
|
|||
github.com/abiosoft/ishell v2.0.0+incompatible/go.mod h1:HQR9AqF2R3P4XXpMpI0NAzgHf/aS6+zVXRj14cVk9qg=
|
||||
github.com/abiosoft/readline v0.0.0-20180607040430-155bce2042db h1:CjPUSXOiYptLbTdr1RceuZgSFDQ7U15ITERUGrUORx8=
|
||||
github.com/abiosoft/readline v0.0.0-20180607040430-155bce2042db/go.mod h1:rB3B4rKii8V21ydCbIzH5hZiCQE7f5E9SzUb/ZZx530=
|
||||
github.com/aead/siphash v1.0.1 h1:FwHfE/T45KPKYuuSAKyyvE+oPWcaQ+CUmFW0bPlM+kg=
|
||||
github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII=
|
||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
|
||||
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||
|
@ -28,6 +30,22 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
|
|||
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
|
||||
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
|
||||
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
|
||||
github.com/btcsuite/btcd v0.20.1-beta h1:Ik4hyJqN8Jfyv3S4AGBOmyouMsYE3EdYODkMbQjwPGw=
|
||||
github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
|
||||
github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f h1:bAs4lUbRJpnnkd9VhRV3jjAVU7DJVjMaK+IsvSeZvFo=
|
||||
github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f/go.mod h1:TdznJufoqS23FtqVCzL0ZqgP5MqXbb4fg/WgDys70nA=
|
||||
github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d h1:yJzD/yFppdVCf6ApMkVy8cUxV0XrxdP9rVf6D87/Mng=
|
||||
github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d/go.mod h1:+5NJ2+qvTyV9exUAL/rxXi3DcLg2Ts+ymUAY5y4NvMg=
|
||||
github.com/btcsuite/go-socks v0.0.0-20170105172521-4720035b7bfd h1:R/opQEbFEy9JGkIguV40SvRY1uliPX8ifOvi6ICsFCw=
|
||||
github.com/btcsuite/go-socks v0.0.0-20170105172521-4720035b7bfd/go.mod h1:HHNXQzUsZCxOoE+CPiyCTO6x34Zs86zZUiwtpXoGdtg=
|
||||
github.com/btcsuite/goleveldb v0.0.0-20160330041536-7834afc9e8cd h1:qdGvebPBDuYDPGi1WCPjy1tGyMpmDK8IEapSsszn7HE=
|
||||
github.com/btcsuite/goleveldb v0.0.0-20160330041536-7834afc9e8cd/go.mod h1:F+uVaaLLH7j4eDXPRvw78tMflu7Ie2bzYOH4Y8rRKBY=
|
||||
github.com/btcsuite/snappy-go v0.0.0-20151229074030-0bdef8d06723 h1:ZA/jbKoGcVAnER6pCHPEkGdZOV7U1oLUedErBHCUMs0=
|
||||
github.com/btcsuite/snappy-go v0.0.0-20151229074030-0bdef8d06723/go.mod h1:8woku9dyThutzjeg+3xrA5iCpBRH8XEEg3lh6TiUghc=
|
||||
github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792 h1:R8vQdOQdZ9Y3SkEwmHoWBmX1DNXhXZqlTpq6s4tyJGc=
|
||||
github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792/go.mod h1:ghJtEyQwv5/p4Mg4C0fgbePVuGr935/5ddU9Z3TmDRY=
|
||||
github.com/btcsuite/winsvc v1.0.0 h1:J9B4L7e3oqhXOcm+2IuNApwzQec85lE+QaikUcCs+dk=
|
||||
github.com/btcsuite/winsvc v1.0.0/go.mod h1:jsenWakMcC0zFBFurPLEAyrnc/teJEM1O46fmI40EZs=
|
||||
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
|
||||
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
|
||||
github.com/cespare/xxhash/v2 v2.1.0 h1:yTUvW7Vhb89inJ+8irsUqiWjh8iT6sQPZiQzI6ReGkA=
|
||||
|
@ -41,6 +59,7 @@ github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc
|
|||
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
|
||||
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
|
||||
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
|
||||
github.com/davecgh/go-spew v0.0.0-20171005155431-ecdeabc65495/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
|
@ -91,9 +110,15 @@ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T
|
|||
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
|
||||
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
|
||||
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
|
||||
github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89 h1:12K8AlpT0/6QUXSfV0yi4Q0jkbq8NDtIKFtF61AoqV0=
|
||||
github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
|
||||
github.com/jrick/logrotate v1.0.0 h1:lQ1bL/n9mBNeIXoTUoYRlK4dHuNJVofX9oWqBtPnSzI=
|
||||
github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ=
|
||||
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
||||
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
|
||||
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
|
||||
github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23 h1:FOOIBWrEkLgmlgGfMuZT83xIwfPDxEI2OHu6xUmJMFE=
|
||||
github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6CZQHDETBtE9HaSEkGmuNXF86RwHhHUvq4=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
|
||||
|
@ -144,10 +169,12 @@ github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYv
|
|||
github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
|
||||
github.com/onsi/ginkgo v1.6.0 h1:Ix8l273rp3QzYgXSR+c8d1fTG7UPgYkOSELPhiY/YGw=
|
||||
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.10.3 h1:OoxbjfXVZyod1fmWYhI7SEyaD8B00ynP3T+D5GiyHOY=
|
||||
github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/gomega v1.4.2 h1:3mYCb7aPxS/RU7TI1y4rkEn1oKmPRjNJLNEXgw7MH2I=
|
||||
github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
|
||||
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
|
||||
github.com/onsi/gomega v1.7.1 h1:K0jcRCwNQM3vFGh1ppMtDh/+7ApJrjldlX8fA0jDTLQ=
|
||||
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
|
||||
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
|
||||
|
@ -212,6 +239,7 @@ go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
|
|||
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
|
||||
go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM=
|
||||
go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
|
||||
golang.org/x/crypto v0.0.0-20170930174604-9419663f5a44/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
|
||||
|
|
|
@ -1,10 +1,13 @@
|
|||
package core
|
||||
|
||||
import (
|
||||
"crypto/elliptic"
|
||||
"errors"
|
||||
"fmt"
|
||||
"math"
|
||||
"math/big"
|
||||
|
||||
"github.com/btcsuite/btcd/btcec"
|
||||
"github.com/nspcc-dev/neo-go/pkg/core/state"
|
||||
"github.com/nspcc-dev/neo-go/pkg/core/storage"
|
||||
"github.com/nspcc-dev/neo-go/pkg/core/transaction"
|
||||
|
@ -600,6 +603,33 @@ func (ic *interopContext) contractMigrate(v *vm.VM) error {
|
|||
return ic.contractDestroy(v)
|
||||
}
|
||||
|
||||
// secp256k1Recover recovers speck256k1 public key.
|
||||
func (ic *interopContext) secp256k1Recover(v *vm.VM) error {
|
||||
return ic.eccRecover(btcec.S256(), v)
|
||||
}
|
||||
|
||||
// secp256r1Recover recovers speck256r1 public key.
|
||||
func (ic *interopContext) secp256r1Recover(v *vm.VM) error {
|
||||
return ic.eccRecover(elliptic.P256(), v)
|
||||
}
|
||||
|
||||
// eccRecover recovers public key using ECCurve set
|
||||
func (ic *interopContext) eccRecover(curve elliptic.Curve, v *vm.VM) error {
|
||||
rBytes := v.Estack().Pop().Bytes()
|
||||
sBytes := v.Estack().Pop().Bytes()
|
||||
r := new(big.Int).SetBytes(rBytes)
|
||||
s := new(big.Int).SetBytes(sBytes)
|
||||
isEven := v.Estack().Pop().Bool()
|
||||
messageHash := v.Estack().Pop().Bytes()
|
||||
pKey, err := keys.KeyRecover(curve, r, s, messageHash, isEven)
|
||||
if err != nil {
|
||||
v.Estack().PushVal([]byte{})
|
||||
return nil
|
||||
}
|
||||
v.Estack().PushVal(pKey.Bytes()[1:])
|
||||
return nil
|
||||
}
|
||||
|
||||
// assetCreate creates an asset.
|
||||
func (ic *interopContext) assetCreate(v *vm.VM) error {
|
||||
if ic.trigger != trigger.Application {
|
||||
|
|
|
@ -1,14 +1,17 @@
|
|||
package core
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"math/big"
|
||||
"testing"
|
||||
|
||||
"github.com/btcsuite/btcd/btcec"
|
||||
"github.com/nspcc-dev/neo-go/pkg/core/block"
|
||||
"github.com/nspcc-dev/neo-go/pkg/core/dao"
|
||||
"github.com/nspcc-dev/neo-go/pkg/core/state"
|
||||
"github.com/nspcc-dev/neo-go/pkg/core/storage"
|
||||
"github.com/nspcc-dev/neo-go/pkg/core/transaction"
|
||||
"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
|
||||
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
||||
"github.com/nspcc-dev/neo-go/pkg/internal/random"
|
||||
"github.com/nspcc-dev/neo-go/pkg/smartcontract"
|
||||
|
@ -457,8 +460,81 @@ func TestAssetGetPrecision(t *testing.T) {
|
|||
require.Equal(t, big.NewInt(int64(assetState.Precision)), precision)
|
||||
}
|
||||
|
||||
func TestSecp256k1Recover(t *testing.T) {
|
||||
v, context, chain := createVM(t)
|
||||
defer chain.Close()
|
||||
|
||||
privateKey, err := btcec.NewPrivateKey(btcec.S256())
|
||||
require.NoError(t, err)
|
||||
message := []byte("The quick brown fox jumps over the lazy dog")
|
||||
signature, err := privateKey.Sign(message)
|
||||
require.NoError(t, err)
|
||||
require.True(t, signature.Verify(message, privateKey.PubKey()))
|
||||
pubKey := keys.PublicKey{
|
||||
X: privateKey.PubKey().X,
|
||||
Y: privateKey.PubKey().Y,
|
||||
}
|
||||
expected := pubKey.Bytes()[1:]
|
||||
|
||||
// We don't know which of two recovered keys suites, so let's try both.
|
||||
putOnStackGetResult := func(isEven bool) []byte {
|
||||
v.Estack().PushVal(message)
|
||||
v.Estack().PushVal(isEven)
|
||||
v.Estack().PushVal(signature.S.Bytes())
|
||||
v.Estack().PushVal(signature.R.Bytes())
|
||||
err = context.secp256k1Recover(v)
|
||||
require.NoError(t, err)
|
||||
return v.Estack().Pop().Value().([]byte)
|
||||
}
|
||||
|
||||
// First one:
|
||||
actualFalse := putOnStackGetResult(false)
|
||||
// Second one:
|
||||
actualTrue := putOnStackGetResult(true)
|
||||
|
||||
require.True(t, bytes.Compare(expected, actualFalse) != bytes.Compare(expected, actualTrue))
|
||||
}
|
||||
|
||||
func TestSecp256r1Recover(t *testing.T) {
|
||||
v, context, chain := createVM(t)
|
||||
defer chain.Close()
|
||||
|
||||
privateKey, err := keys.NewPrivateKey()
|
||||
require.NoError(t, err)
|
||||
message := []byte("The quick brown fox jumps over the lazy dog")
|
||||
messageHash := hash.Sha256(message).BytesBE()
|
||||
signature := privateKey.Sign(message)
|
||||
require.True(t, privateKey.PublicKey().Verify(signature, messageHash))
|
||||
expected := privateKey.PublicKey().Bytes()[1:]
|
||||
|
||||
// We don't know which of two recovered keys suites, so let's try both.
|
||||
putOnStackGetResult := func(isEven bool) []byte {
|
||||
v.Estack().PushVal(messageHash)
|
||||
v.Estack().PushVal(isEven)
|
||||
v.Estack().PushVal(signature[32:64])
|
||||
v.Estack().PushVal(signature[0:32])
|
||||
err = context.secp256r1Recover(v)
|
||||
require.NoError(t, err)
|
||||
return v.Estack().Pop().Value().([]byte)
|
||||
}
|
||||
|
||||
// First one:
|
||||
actualFalse := putOnStackGetResult(false)
|
||||
// Second one:
|
||||
actualTrue := putOnStackGetResult(true)
|
||||
|
||||
require.True(t, bytes.Compare(expected, actualFalse) != bytes.Compare(expected, actualTrue))
|
||||
}
|
||||
|
||||
// Helper functions to create VM, InteropContext, TX, Account, Contract, Asset.
|
||||
|
||||
func createVM(t *testing.T) (*vm.VM, *interopContext, *Blockchain) {
|
||||
v := vm.New()
|
||||
chain := newTestChain(t)
|
||||
context := chain.newInteropContext(trigger.Application, dao.NewSimple(storage.NewMemoryStore()), nil, nil)
|
||||
return v, context, chain
|
||||
}
|
||||
|
||||
func createVMAndPushBlock(t *testing.T) (*vm.VM, *block.Block, *interopContext, *Blockchain) {
|
||||
v := vm.New()
|
||||
block := newDumbBlock()
|
||||
|
|
|
@ -166,6 +166,8 @@ var neoInterops = []interopedFunction{
|
|||
{Name: "Neo.Contract.GetStorageContext", Func: (*interopContext).contractGetStorageContext, Price: 1},
|
||||
{Name: "Neo.Contract.IsPayable", Func: (*interopContext).contractIsPayable, Price: 1},
|
||||
{Name: "Neo.Contract.Migrate", Func: (*interopContext).contractMigrate, Price: 0},
|
||||
{Name: "Neo.Cryptography.Secp256k1Recover", Func: (*interopContext).secp256k1Recover, Price: 100},
|
||||
{Name: "Neo.Cryptography.Secp256r1Recover", Func: (*interopContext).secp256r1Recover, Price: 100},
|
||||
{Name: "Neo.Enumerator.Concat", Func: (*interopContext).enumeratorConcat, Price: 1},
|
||||
{Name: "Neo.Enumerator.Create", Func: (*interopContext).enumeratorCreate, Price: 1},
|
||||
{Name: "Neo.Enumerator.Next", Func: (*interopContext).enumeratorNext, Price: 1},
|
||||
|
|
|
@ -10,6 +10,7 @@ import (
|
|||
"fmt"
|
||||
"math/big"
|
||||
|
||||
"github.com/btcsuite/btcd/btcec"
|
||||
"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
|
||||
"github.com/nspcc-dev/neo-go/pkg/encoding/address"
|
||||
"github.com/nspcc-dev/neo-go/pkg/io"
|
||||
|
@ -134,15 +135,25 @@ func NewPublicKeyFromASN1(data []byte) (*PublicKey, error) {
|
|||
}
|
||||
|
||||
// decodeCompressedY performs decompression of Y coordinate for given X and Y's least significant bit.
|
||||
func decodeCompressedY(x *big.Int, ylsb uint) (*big.Int, error) {
|
||||
c := elliptic.P256()
|
||||
cp := c.Params()
|
||||
three := big.NewInt(3)
|
||||
/* y**2 = x**3 + a*x + b % p */
|
||||
xCubed := new(big.Int).Exp(x, three, cp.P)
|
||||
threeX := new(big.Int).Mul(x, three)
|
||||
threeX.Mod(threeX, cp.P)
|
||||
ySquared := new(big.Int).Sub(xCubed, threeX)
|
||||
// We use here a short-form Weierstrass curve (https://www.hyperelliptic.org/EFD/g1p/auto-shortw.html)
|
||||
// y² = x³ + ax + b. Two types of elliptic curves are supported:
|
||||
// 1. Secp256k1 (Koblitz curve): y² = x³ + b,
|
||||
// 2. Secp256r1 (Random curve): y² = x³ - 3x + b.
|
||||
// To decode compressed curve point we perform the following operation: y = sqrt(x³ + ax + b mod p)
|
||||
// where `p` denotes the order of the underlying curve field
|
||||
func decodeCompressedY(x *big.Int, ylsb uint, curve elliptic.Curve) (*big.Int, error) {
|
||||
var a *big.Int
|
||||
switch curve.(type) {
|
||||
case *btcec.KoblitzCurve:
|
||||
a = big.NewInt(0)
|
||||
default:
|
||||
a = big.NewInt(3)
|
||||
}
|
||||
cp := curve.Params()
|
||||
xCubed := new(big.Int).Exp(x, big.NewInt(3), cp.P)
|
||||
aX := new(big.Int).Mul(x, a)
|
||||
aX.Mod(aX, cp.P)
|
||||
ySquared := new(big.Int).Sub(xCubed, aX)
|
||||
ySquared.Add(ySquared, cp.B)
|
||||
ySquared.Mod(ySquared, cp.P)
|
||||
y := new(big.Int).ModSqrt(ySquared, cp.P)
|
||||
|
@ -196,7 +207,7 @@ func (p *PublicKey) DecodeBinary(r *io.BinReader) {
|
|||
}
|
||||
x = new(big.Int).SetBytes(xbytes)
|
||||
ylsb := uint(prefix & 0x1)
|
||||
y, err = decodeCompressedY(x, ylsb)
|
||||
y, err = decodeCompressedY(x, ylsb, p256)
|
||||
if err != nil {
|
||||
r.Err = err
|
||||
return
|
||||
|
@ -306,3 +317,84 @@ func (p *PublicKey) UnmarshalJSON(data []byte) error {
|
|||
|
||||
return nil
|
||||
}
|
||||
|
||||
// KeyRecover recovers public key from the given signature (r, s) on the given message hash using given elliptic curve.
|
||||
// Algorithm source: SEC 1 Ver 2.0, section 4.1.6, pages 47-48 (https://www.secg.org/sec1-v2.pdf).
|
||||
// Flag isEven denotes Y's least significant bit in decompression algorithm.
|
||||
func KeyRecover(curve elliptic.Curve, r, s *big.Int, messageHash []byte, isEven bool) (PublicKey, error) {
|
||||
var (
|
||||
res PublicKey
|
||||
err error
|
||||
)
|
||||
if r.Cmp(big.NewInt(1)) == -1 || s.Cmp(big.NewInt(1)) == -1 {
|
||||
return res, errors.New("invalid signature")
|
||||
}
|
||||
params := curve.Params()
|
||||
// Calculate h = (Q + 1 + 2 * Sqrt(Q)) / N
|
||||
// num := new(big.Int).Add(new(big.Int).Add(params.P, big.NewInt(1)), new(big.Int).Mul(big.NewInt(2), new(big.Int).Sqrt(params.P)))
|
||||
// h := new(big.Int).Div(num, params.N)
|
||||
// We are skipping this step for secp256k1 and secp256r1 because we know cofactor of these curves (h=1)
|
||||
// (see section 2.4 of http://www.secg.org/sec2-v2.pdf)
|
||||
h := 1
|
||||
for i := 0; i <= h; i++ {
|
||||
// Step 1.1: x = (n * i) + r
|
||||
Rx := new(big.Int).Mul(params.N, big.NewInt(int64(i)))
|
||||
Rx.Add(Rx, r)
|
||||
if Rx.Cmp(params.P) == 1 {
|
||||
break
|
||||
}
|
||||
|
||||
// Steps 1.2 and 1.3: get point R (Ry)
|
||||
var R *big.Int
|
||||
if isEven {
|
||||
R, err = decodeCompressedY(Rx, 0, curve)
|
||||
} else {
|
||||
R, err = decodeCompressedY(Rx, 1, curve)
|
||||
}
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
|
||||
// Step 1.4: check n*R is point at infinity
|
||||
nRx, nR := curve.ScalarMult(Rx, R, params.N.Bytes())
|
||||
if nRx.Sign() != 0 || nR.Sign() != 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
// Step 1.5: compute e
|
||||
e := hashToInt(messageHash, curve)
|
||||
|
||||
// Step 1.6: Q = r^-1 (sR-eG)
|
||||
invr := new(big.Int).ModInverse(r, params.N)
|
||||
// First term.
|
||||
invrS := new(big.Int).Mul(invr, s)
|
||||
invrS.Mod(invrS, params.N)
|
||||
sRx, sR := curve.ScalarMult(Rx, R, invrS.Bytes())
|
||||
// Second term.
|
||||
e.Neg(e)
|
||||
e.Mod(e, params.N)
|
||||
e.Mul(e, invr)
|
||||
e.Mod(e, params.N)
|
||||
minuseGx, minuseGy := curve.ScalarBaseMult(e.Bytes())
|
||||
Qx, Qy := curve.Add(sRx, sR, minuseGx, minuseGy)
|
||||
res.X = Qx
|
||||
res.Y = Qy
|
||||
}
|
||||
return res, nil
|
||||
}
|
||||
|
||||
// copied from crypto/ecdsa
|
||||
func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
|
||||
orderBits := c.Params().N.BitLen()
|
||||
orderBytes := (orderBits + 7) / 8
|
||||
if len(hash) > orderBytes {
|
||||
hash = hash[:orderBytes]
|
||||
}
|
||||
|
||||
ret := new(big.Int).SetBytes(hash)
|
||||
excess := len(hash)*8 - orderBits
|
||||
if excess > 0 {
|
||||
ret.Rsh(ret, uint(excess))
|
||||
}
|
||||
return ret
|
||||
}
|
||||
|
|
|
@ -1,12 +1,16 @@
|
|||
package keys
|
||||
|
||||
import (
|
||||
"crypto/elliptic"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"math/big"
|
||||
"math/rand"
|
||||
"sort"
|
||||
"testing"
|
||||
|
||||
"github.com/btcsuite/btcd/btcec"
|
||||
"github.com/nspcc-dev/neo-go/pkg/crypto/hash"
|
||||
"github.com/nspcc-dev/neo-go/pkg/internal/testserdes"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
@ -179,3 +183,91 @@ func TestUnmarshallJSONBadFormat(t *testing.T) {
|
|||
err := json.Unmarshal([]byte(str), actual)
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRecoverSecp256r1(t *testing.T) {
|
||||
privateKey, err := NewPrivateKey()
|
||||
require.NoError(t, err)
|
||||
message := []byte{72, 101, 108, 108, 111, 87, 111, 114, 108, 100}
|
||||
messageHash := hash.Sha256(message).BytesBE()
|
||||
signature := privateKey.Sign(message)
|
||||
r := new(big.Int).SetBytes(signature[0:32])
|
||||
s := new(big.Int).SetBytes(signature[32:64])
|
||||
require.True(t, privateKey.PublicKey().Verify(signature, messageHash))
|
||||
// To test this properly, we should provide correct isEven flag. This flag denotes which one of
|
||||
// the two recovered R points in decodeCompressedY method should be chosen. Let's suppose that we
|
||||
// don't know which of them suites, so to test KeyRecover we should check both and only
|
||||
// one of them gives us the correct public key.
|
||||
recoveredKeyFalse, err := KeyRecover(elliptic.P256(), r, s, messageHash, false)
|
||||
require.NoError(t, err)
|
||||
recoveredKeyTrue, err := KeyRecover(elliptic.P256(), r, s, messageHash, true)
|
||||
require.NoError(t, err)
|
||||
require.True(t, privateKey.PublicKey().Equal(&recoveredKeyFalse) != privateKey.PublicKey().Equal(&recoveredKeyTrue))
|
||||
}
|
||||
|
||||
func TestRecoverSecp256r1Static(t *testing.T) {
|
||||
// These data were taken from the reference KeyRecoverTest: https://github.com/neo-project/neo/blob/neox-2.x/neo.UnitTests/UT_ECDsa.cs#L22
|
||||
// To update this test, run the reference KeyRecover(ECCurve.Secp256r1) testcase and fetch the following data from it:
|
||||
// privateKey -> b
|
||||
// message -> messageHash
|
||||
// signatures[0] -> r
|
||||
// signatures[1] -> s
|
||||
// v -> isEven
|
||||
// Note, that C# BigInteger has different byte order from that used in Go.
|
||||
b := []byte{123, 245, 126, 56, 3, 123, 197, 199, 26, 31, 212, 186, 120, 195, 168, 153, 57, 108, 234, 49, 107, 203, 44, 207, 185, 212, 187, 129, 74, 43, 225, 69}
|
||||
privateKey, err := NewPrivateKeyFromBytes(b)
|
||||
require.NoError(t, err)
|
||||
messageHash := []byte{72, 101, 108, 108, 111, 87, 111, 114, 108, 100}
|
||||
r := new(big.Int).SetBytes([]byte{1, 85, 226, 63, 133, 113, 217, 188, 249, 22, 213, 203, 225, 199, 32, 131, 118, 23, 28, 101, 139, 211, 13, 111, 242, 158, 193, 227, 196, 106, 3, 4})
|
||||
s := new(big.Int).SetBytes([]byte{65, 174, 206, 164, 81, 34, 76, 104, 5, 49, 51, 20, 221, 183, 157, 199, 199, 47, 78, 137, 172, 99, 212, 110, 129, 72, 236, 59, 250, 81, 200, 13})
|
||||
// Just ensure it's a valid signature.
|
||||
require.True(t, privateKey.PublicKey().Verify(append(r.Bytes(), s.Bytes()...), messageHash))
|
||||
recoveredKey, err := KeyRecover(elliptic.P256(), r, s, messageHash, false)
|
||||
require.NoError(t, err)
|
||||
require.True(t, privateKey.PublicKey().Equal(&recoveredKey))
|
||||
}
|
||||
|
||||
func TestRecoverSecp256k1(t *testing.T) {
|
||||
privateKey, err := btcec.NewPrivateKey(btcec.S256())
|
||||
message := []byte{72, 101, 108, 108, 111, 87, 111, 114, 108, 100}
|
||||
signature, err := privateKey.Sign(message)
|
||||
require.NoError(t, err)
|
||||
require.True(t, signature.Verify(message, privateKey.PubKey()))
|
||||
// To test this properly, we should provide correct isEven flag. This flag denotes which one of
|
||||
// the two recovered R points in decodeCompressedY method should be chosen. Let's suppose that we
|
||||
// don't know which of them suites, so to test KeyRecover we should check both and only
|
||||
// one of them gives us the correct public key.
|
||||
recoveredKeyFalse, err := KeyRecover(btcec.S256(), signature.R, signature.S, message, false)
|
||||
require.NoError(t, err)
|
||||
recoveredKeyTrue, err := KeyRecover(btcec.S256(), signature.R, signature.S, message, true)
|
||||
require.NoError(t, err)
|
||||
require.True(t, (privateKey.PubKey().X.Cmp(recoveredKeyFalse.X) == 0 &&
|
||||
privateKey.PubKey().Y.Cmp(recoveredKeyFalse.Y) == 0) !=
|
||||
(privateKey.PubKey().X.Cmp(recoveredKeyTrue.X) == 0 &&
|
||||
privateKey.PubKey().Y.Cmp(recoveredKeyTrue.Y) == 0))
|
||||
}
|
||||
|
||||
func TestRecoverSecp256k1Static(t *testing.T) {
|
||||
// These data were taken from the reference testcase: https://github.com/neo-project/neo/blob/neox-2.x/neo.UnitTests/UT_ECDsa.cs#L22
|
||||
// To update this test, run the reference KeyRecover(ECCurve.Secp256k1) testcase and fetch the following data from it:
|
||||
// privateKey -> b
|
||||
// message -> messageHash
|
||||
// signatures[0] -> r
|
||||
// signatures[1] -> s
|
||||
// v -> isEven
|
||||
// Note, that C# BigInteger has different byte order from that used in Go.
|
||||
b := []byte{156, 3, 247, 58, 246, 250, 236, 27, 118, 60, 180, 177, 18, 92, 204, 206, 144, 245, 148, 141, 86, 212, 151, 181, 15, 113, 172, 180, 177, 228, 100, 32}
|
||||
_, publicKey := btcec.PrivKeyFromBytes(btcec.S256(), b)
|
||||
messageHash := []byte{72, 101, 108, 108, 111, 87, 111, 114, 108, 100}
|
||||
r := new(big.Int).SetBytes([]byte{88, 169, 242, 111, 210, 184, 180, 46, 67, 108, 176, 77, 57, 250, 58, 36, 110, 81, 225, 65, 90, 47, 215, 91, 27, 227, 57, 6, 9, 228, 100, 50})
|
||||
s := new(big.Int).SetBytes([]byte{86, 150, 81, 190, 17, 181, 212, 241, 184, 36, 136, 116, 232, 207, 46, 45, 149, 167, 15, 98, 113, 137, 66, 98, 214, 165, 38, 232, 98, 96, 79, 197})
|
||||
signature := btcec.Signature{
|
||||
R: r,
|
||||
S: s,
|
||||
}
|
||||
// Just ensure it's a valid signature.
|
||||
require.True(t, signature.Verify(messageHash, publicKey))
|
||||
recoveredKey, err := KeyRecover(btcec.S256(), r, s, messageHash, false)
|
||||
require.NoError(t, err)
|
||||
require.True(t, new(big.Int).SetBytes([]byte{112, 186, 29, 131, 169, 21, 212, 95, 81, 172, 201, 145, 168, 108, 129, 90, 6, 111, 80, 39, 136, 157, 15, 181, 98, 108, 133, 108, 144, 80, 23, 225}).Cmp(recoveredKey.X) == 0)
|
||||
require.True(t, new(big.Int).SetBytes([]byte{187, 102, 202, 42, 152, 133, 222, 55, 137, 228, 154, 80, 182, 35, 133, 14, 55, 165, 36, 64, 178, 55, 13, 112, 224, 143, 66, 143, 208, 18, 2, 211}).Cmp(recoveredKey.Y) == 0)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue