From 0b884b92b392e9780db3eb782fa4742561c30cef Mon Sep 17 00:00:00 2001 From: Roman Khimov Date: Wed, 4 Sep 2019 23:03:25 +0300 Subject: [PATCH 1/6] crypto: use PrivateKey to generate a key pair It makes no sense to provide an API for throw-away public keys, so obtain it via a new real keypair generation where appropriate (and that's only needed for testing). --- pkg/core/account_state_test.go | 9 +++++---- pkg/crypto/elliptic_curve.go | 18 ------------------ pkg/crypto/keys/publickey_test.go | 5 ++++- 3 files changed, 9 insertions(+), 23 deletions(-) diff --git a/pkg/core/account_state_test.go b/pkg/core/account_state_test.go index ae157f07e..1452211ed 100644 --- a/pkg/core/account_state_test.go +++ b/pkg/core/account_state_test.go @@ -4,7 +4,6 @@ import ( "bytes" "testing" - "github.com/CityOfZion/neo-go/pkg/crypto" "github.com/CityOfZion/neo-go/pkg/crypto/keys" "github.com/CityOfZion/neo-go/pkg/util" "github.com/stretchr/testify/assert" @@ -18,9 +17,11 @@ func TestDecodeEncodeAccountState(t *testing.T) { ) for i := 0; i < n; i++ { balances[randomUint256()] = util.Fixed8(int64(randomInt(1, 10000))) - votes[i] = &keys.PublicKey{ - ECPoint: crypto.RandomECPoint(), - } + k, err := keys.NewPrivateKey() + assert.Nil(t, err) + p, err := k.PublicKey() + assert.Nil(t, err) + votes[i] = p } a := &AccountState{ diff --git a/pkg/crypto/elliptic_curve.go b/pkg/crypto/elliptic_curve.go index c2b2edebc..371f92db1 100644 --- a/pkg/crypto/elliptic_curve.go +++ b/pkg/crypto/elliptic_curve.go @@ -5,7 +5,6 @@ package crypto import ( "bytes" - "crypto/rand" "encoding/binary" "encoding/hex" "errors" @@ -63,23 +62,6 @@ func NewEllipticCurve() EllipticCurve { return c } -// RandomECPoint returns a random generated ECPoint, mostly used -// for testing. -func RandomECPoint() ECPoint { - c := NewEllipticCurve() - b := make([]byte, c.N.BitLen()/8+8) - if _, err := io.ReadFull(rand.Reader, b); err != nil { - return ECPoint{} - } - - d := new(big.Int).SetBytes(b) - d.Mod(d, new(big.Int).Sub(c.N, big.NewInt(1))) - d.Add(d, big.NewInt(1)) - - q := new(big.Int).SetBytes(d.Bytes()) - return c.ScalarBaseMult(q) -} - // ECPointFromReader return a new point from the given reader. // f == 4, 6 or 7 are not implemented. func ECPointFromReader(r io.Reader) (point ECPoint, err error) { diff --git a/pkg/crypto/keys/publickey_test.go b/pkg/crypto/keys/publickey_test.go index cddd76c5d..0ca4f4fbd 100644 --- a/pkg/crypto/keys/publickey_test.go +++ b/pkg/crypto/keys/publickey_test.go @@ -22,7 +22,10 @@ func TestEncodeDecodeInfinity(t *testing.T) { func TestEncodeDecodePublicKey(t *testing.T) { for i := 0; i < 4; i++ { - p := &PublicKey{crypto.RandomECPoint()} + k, err := NewPrivateKey() + assert.Nil(t, err) + p, err := k.PublicKey() + assert.Nil(t, err) buf := new(bytes.Buffer) assert.Nil(t, p.EncodeBinary(buf)) From f0fbe9f6c90fe59c510fdb2f5a1fa08a9f412edc Mon Sep 17 00:00:00 2001 From: Roman Khimov Date: Thu, 5 Sep 2019 00:12:39 +0300 Subject: [PATCH 2/6] crypto: drop home-grown elliptic crypto, use crypto/elliptic As NEO uses P256 we can use standard crypto/elliptic library for almost everything, the only exception being decompression of the Y coordinate. For some reason the standard library only supports uncompressed format in its Marshal()/Unmarshal() functions. elliptic.P256() is known to have constant-time implementation, so it fixes #245 (and the decompression using big.Int operates on public key, so nobody really cares about that part being constant-time). New decompress function is inspired by https://stackoverflow.com/questions/46283760, even though the previous one really did the same thing just in a little less obvious way. --- pkg/crypto/elliptic_curve.go | 256 ------------------------------ pkg/crypto/keys/private_key.go | 25 +-- pkg/crypto/keys/publickey.go | 69 ++++++-- pkg/crypto/keys/publickey_test.go | 3 +- pkg/crypto/modular_arithmetic.go | 61 ------- 5 files changed, 66 insertions(+), 348 deletions(-) delete mode 100644 pkg/crypto/elliptic_curve.go delete mode 100644 pkg/crypto/modular_arithmetic.go diff --git a/pkg/crypto/elliptic_curve.go b/pkg/crypto/elliptic_curve.go deleted file mode 100644 index 371f92db1..000000000 --- a/pkg/crypto/elliptic_curve.go +++ /dev/null @@ -1,256 +0,0 @@ -package crypto - -// Original work completed by @vsergeev: https://github.com/vsergeev/btckeygenie -// Expanded and tweaked upon here under MIT license. - -import ( - "bytes" - "encoding/binary" - "encoding/hex" - "errors" - "fmt" - "io" - "math/big" - - "github.com/CityOfZion/neo-go/pkg/util" -) - -type ( - // EllipticCurve represents the parameters of a short Weierstrass equation elliptic - // curve. - EllipticCurve struct { - A *big.Int - B *big.Int - P *big.Int - G ECPoint - N *big.Int - H *big.Int - } - - // ECPoint represents a point on the EllipticCurve. - ECPoint struct { - X *big.Int - Y *big.Int - } -) - -// NewEllipticCurve returns a ready to use EllipticCurve with preconfigured -// fields for the NEO protocol. -func NewEllipticCurve() EllipticCurve { - c := EllipticCurve{} - - c.P, _ = new(big.Int).SetString( - "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 16, - ) - c.A, _ = new(big.Int).SetString( - "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", 16, - ) - c.B, _ = new(big.Int).SetString( - "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", 16, - ) - c.G.X, _ = new(big.Int).SetString( - "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", 16, - ) - c.G.Y, _ = new(big.Int).SetString( - "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", 16, - ) - c.N, _ = new(big.Int).SetString( - "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16, - ) - c.H, _ = new(big.Int).SetString("01", 16) - - return c -} - -// ECPointFromReader return a new point from the given reader. -// f == 4, 6 or 7 are not implemented. -func ECPointFromReader(r io.Reader) (point ECPoint, err error) { - var f uint8 - if err = binary.Read(r, binary.LittleEndian, &f); err != nil { - return - } - - // Infinity - if f == 0 { - return ECPoint{ - X: new(big.Int), - Y: new(big.Int), - }, nil - } - - if f == 2 || f == 3 { - y := new(big.Int).SetBytes([]byte{f & 1}) - data := make([]byte, 32) - if err = binary.Read(r, binary.LittleEndian, data); err != nil { - return - } - data = util.ArrayReverse(data) - data = append(data, byte(0x00)) - - return ECPoint{ - X: new(big.Int).SetBytes(data), - Y: y, - }, nil - } - return -} - -// EncodeBinary encodes the point to the given io.Writer. -func (p ECPoint) EncodeBinary(w io.Writer) error { - bx := p.X.Bytes() - padded := append( - bytes.Repeat( - []byte{0x00}, - 32-len(bx), - ), - bx..., - ) - - prefix := byte(0x03) - if p.Y.Bit(0) == 0 { - prefix = byte(0x02) - } - buf := make([]byte, len(padded)+1) - buf[0] = prefix - copy(buf[1:], padded) - - return binary.Write(w, binary.LittleEndian, buf) -} - -// String implements the Stringer interface. -func (p *ECPoint) String() string { - if p.IsInfinity() { - return "00" - } - bx := hex.EncodeToString(p.X.Bytes()) - by := hex.EncodeToString(p.Y.Bytes()) - return fmt.Sprintf("%s%s", bx, by) -} - -// IsInfinity checks if point P is infinity on EllipticCurve ec. -func (p *ECPoint) IsInfinity() bool { - return p.X == nil && p.Y == nil -} - -// IsInfinity checks if point P is infinity on EllipticCurve ec. -func (c *EllipticCurve) IsInfinity(P ECPoint) bool { - return P.X == nil && P.Y == nil -} - -// IsOnCurve checks if point P is on EllipticCurve ec. -func (c *EllipticCurve) IsOnCurve(P ECPoint) bool { - if c.IsInfinity(P) { - return false - } - lhs := mulMod(P.Y, P.Y, c.P) - rhs := addMod( - addMod( - expMod(P.X, big.NewInt(3), c.P), - mulMod(c.A, P.X, c.P), c.P), - c.B, c.P) - - return lhs.Cmp(rhs) == 0 -} - -// Add computes R = P + Q on EllipticCurve ec. -func (c *EllipticCurve) Add(P, Q ECPoint) (R ECPoint) { - // See rules 1-5 on SEC1 pg.7 http://www.secg.org/collateral/sec1_final.pdf - if c.IsInfinity(P) && c.IsInfinity(Q) { - R.X = nil - R.Y = nil - } else if c.IsInfinity(P) { - R.X = new(big.Int).Set(Q.X) - R.Y = new(big.Int).Set(Q.Y) - } else if c.IsInfinity(Q) { - R.X = new(big.Int).Set(P.X) - R.Y = new(big.Int).Set(P.Y) - } else if P.X.Cmp(Q.X) == 0 && addMod(P.Y, Q.Y, c.P).Sign() == 0 { - R.X = nil - R.Y = nil - } else if P.X.Cmp(Q.X) == 0 && P.Y.Cmp(Q.Y) == 0 && P.Y.Sign() != 0 { - num := addMod( - mulMod(big.NewInt(3), - mulMod(P.X, P.X, c.P), c.P), - c.A, c.P) - den := invMod(mulMod(big.NewInt(2), P.Y, c.P), c.P) - lambda := mulMod(num, den, c.P) - R.X = subMod( - mulMod(lambda, lambda, c.P), - mulMod(big.NewInt(2), P.X, c.P), - c.P) - R.Y = subMod( - mulMod(lambda, subMod(P.X, R.X, c.P), c.P), - P.Y, c.P) - } else if P.X.Cmp(Q.X) != 0 { - num := subMod(Q.Y, P.Y, c.P) - den := invMod(subMod(Q.X, P.X, c.P), c.P) - lambda := mulMod(num, den, c.P) - R.X = subMod( - subMod( - mulMod(lambda, lambda, c.P), - P.X, c.P), - Q.X, c.P) - R.Y = subMod( - mulMod(lambda, - subMod(P.X, R.X, c.P), c.P), - P.Y, c.P) - } else { - panic(fmt.Sprintf("Unsupported point addition: %v + %v", P, Q)) - } - - return R -} - -// ScalarMult computes Q = k * P on EllipticCurve ec. -func (c *EllipticCurve) ScalarMult(k *big.Int, P ECPoint) (Q ECPoint) { - // Implementation based on pseudocode here: - // https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Montgomery_ladder - var R0 ECPoint - var R1 ECPoint - - R0.X = nil - R0.Y = nil - R1.X = new(big.Int).Set(P.X) - R1.Y = new(big.Int).Set(P.Y) - - for i := c.N.BitLen() - 1; i >= 0; i-- { - if k.Bit(i) == 0 { - R1 = c.Add(R0, R1) - R0 = c.Add(R0, R0) - } else { - R0 = c.Add(R0, R1) - R1 = c.Add(R1, R1) - } - } - return R0 -} - -// ScalarBaseMult computes Q = k * G on EllipticCurve ec. -func (c *EllipticCurve) ScalarBaseMult(k *big.Int) (Q ECPoint) { - return c.ScalarMult(k, c.G) -} - -// Decompress decompresses coordinate x and ylsb (y's least significant bit) into a ECPoint P on EllipticCurve ec. -func (c *EllipticCurve) Decompress(x *big.Int, ylsb uint) (P ECPoint, err error) { - /* y**2 = x**3 + a*x + b % p */ - rhs := addMod( - addMod( - expMod(x, big.NewInt(3), c.P), - mulMod(c.A, x, c.P), - c.P), - c.B, c.P) - - y := sqrtMod(rhs, c.P) - if y.Bit(0) != (ylsb & 0x1) { - y = subMod(big.NewInt(0), y, c.P) - } - - P.X = x - P.Y = y - - if !c.IsOnCurve(P) { - return P, errors.New("compressed (x, ylsb) not on curve") - } - - return P, nil -} diff --git a/pkg/crypto/keys/private_key.go b/pkg/crypto/keys/private_key.go index 9e35590ed..bffda5080 100644 --- a/pkg/crypto/keys/private_key.go +++ b/pkg/crypto/keys/private_key.go @@ -10,10 +10,8 @@ import ( "encoding/hex" "errors" "fmt" - "io" "math/big" - "github.com/CityOfZion/neo-go/pkg/crypto" "github.com/nspcc-dev/rfc6979" ) @@ -24,18 +22,11 @@ type PrivateKey struct { // NewPrivateKey creates a new random private key. func NewPrivateKey() (*PrivateKey, error) { - c := crypto.NewEllipticCurve() - b := make([]byte, c.N.BitLen()/8+8) - if _, err := io.ReadFull(rand.Reader, b); err != nil { + priv, _, _, err := elliptic.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { return nil, err } - - d := new(big.Int).SetBytes(b) - d.Mod(d, new(big.Int).Sub(c.N, big.NewInt(1))) - d.Add(d, big.NewInt(1)) - - p := &PrivateKey{b: d.Bytes()} - return p, nil + return &PrivateKey{b: priv}, nil } // NewPrivateKeyFromHex returns a PrivateKey created from the @@ -72,16 +63,16 @@ func (p *PrivateKey) PublicKey() (*PublicKey, error) { var ( err error pk PublicKey - c = crypto.NewEllipticCurve() + c = elliptic.P256() q = new(big.Int).SetBytes(p.b) ) - point := c.ScalarBaseMult(q) - if !c.IsOnCurve(point) { + x, y := c.ScalarBaseMult(q.Bytes()) + if !c.IsOnCurve(x, y) { return nil, errors.New("failed to derive public key using elliptic curve") } - bx := point.X.Bytes() + bx := x.Bytes() padded := append( bytes.Repeat( []byte{0x00}, @@ -91,7 +82,7 @@ func (p *PrivateKey) PublicKey() (*PublicKey, error) { ) prefix := []byte{0x03} - if point.Y.Bit(0) == 0 { + if y.Bit(0) == 0 { prefix = []byte{0x02} } b := append(prefix, padded...) diff --git a/pkg/crypto/keys/publickey.go b/pkg/crypto/keys/publickey.go index d5ea7e419..1f1228bd0 100644 --- a/pkg/crypto/keys/publickey.go +++ b/pkg/crypto/keys/publickey.go @@ -7,6 +7,7 @@ import ( "crypto/x509" "encoding/binary" "encoding/hex" + "fmt" "io" "math/big" @@ -35,9 +36,10 @@ func (keys PublicKeys) Less(i, j int) bool { } // PublicKey represents a public key and provides a high level -// API around the ECPoint. +// API around the X/Y point. type PublicKey struct { - crypto.ECPoint + X *big.Int + Y *big.Int } // NewPublicKeyFromString return a public key created from the @@ -58,7 +60,7 @@ func NewPublicKeyFromString(s string) (*PublicKey, error) { // Bytes returns the byte array representation of the public key. func (p *PublicKey) Bytes() []byte { - if p.IsInfinity() { + if p.isInfinity() { return []byte{0x00} } @@ -89,14 +91,38 @@ func NewPublicKeyFromRawBytes(data []byte) (*PublicKey, error) { return nil, errors.New("given bytes aren't ECDSA public key") } key := PublicKey{ - crypto.ECPoint{ - X: pk.X, - Y: pk.Y, - }, + X: pk.X, + Y: pk.Y, } return &key, nil } +// decodeCompressedY performs decompression of Y coordinate for given X and Y's least significant bit +func decodeCompressedY(x *big.Int, ylsb uint) (*big.Int, error) { + c := elliptic.P256() + cp := c.Params() + three := big.NewInt(3) + /* y**2 = x**3 + a*x + b % p */ + xCubed := new(big.Int).Exp(x, three, cp.P) + threeX := new(big.Int).Mul(x, three) + threeX.Mod(threeX, cp.P) + ySquared := new(big.Int).Sub(xCubed, threeX) + ySquared.Add(ySquared, cp.B) + ySquared.Mod(ySquared, cp.P) + y := new(big.Int).ModSqrt(ySquared, cp.P) + if y == nil { + return nil, errors.New("error computing Y for compressed point") + } + if y.Bit(0) != ylsb { + y.Neg(y) + y.Mod(y, cp.P) + } + if !c.IsOnCurve(x, y) { + return nil, errors.New("compressed (x, ylsb) not on curve") + } + return y, nil +} + // DecodeBytes decodes a PublicKey from the given slice of bytes. func (p *PublicKey) DecodeBytes(data []byte) error { l := len(data) @@ -104,19 +130,22 @@ func (p *PublicKey) DecodeBytes(data []byte) error { switch prefix := data[0]; prefix { // Infinity case 0x00: - p.ECPoint = crypto.ECPoint{} + p.X = nil + p.Y = nil // Compressed public keys case 0x02, 0x03: if l < 33 { return errors.Errorf("bad binary size(%d)", l) } - c := crypto.NewEllipticCurve() - var err error - p.ECPoint, err = c.Decompress(new(big.Int).SetBytes(data[1:]), uint(prefix&0x1)) + x := new(big.Int).SetBytes(data[1:]) + ylsb := uint(prefix&0x1) + y, err := decodeCompressedY(x, ylsb) if err != nil { return err } + p.X = x + p.Y = y case 0x04: if l < 66 { return errors.Errorf("bad binary size(%d)", l) @@ -141,7 +170,8 @@ func (p *PublicKey) DecodeBinary(r io.Reader) error { // Infinity switch prefix { case 0x00: - p.ECPoint = crypto.ECPoint{} + p.X = nil + p.Y = nil return nil // Compressed public keys case 0x02, 0x03: @@ -206,3 +236,18 @@ func (p *PublicKey) Verify(signature []byte, hash []byte) bool { sBytes := new(big.Int).SetBytes(signature[32:64]) return ecdsa.Verify(publicKey, hash, rBytes, sBytes) } + +// isInfinity checks if point P is infinity on EllipticCurve ec. +func (p *PublicKey) isInfinity() bool { + return p.X == nil && p.Y == nil +} + +// String implements the Stringer interface. +func (p *PublicKey) String() string { + if p.isInfinity() { + return "00" + } + bx := hex.EncodeToString(p.X.Bytes()) + by := hex.EncodeToString(p.Y.Bytes()) + return fmt.Sprintf("%s%s", bx, by) +} diff --git a/pkg/crypto/keys/publickey_test.go b/pkg/crypto/keys/publickey_test.go index 0ca4f4fbd..edb2a1113 100644 --- a/pkg/crypto/keys/publickey_test.go +++ b/pkg/crypto/keys/publickey_test.go @@ -5,12 +5,11 @@ import ( "encoding/hex" "testing" - "github.com/CityOfZion/neo-go/pkg/crypto" "github.com/stretchr/testify/assert" ) func TestEncodeDecodeInfinity(t *testing.T) { - key := &PublicKey{crypto.ECPoint{}} + key := &PublicKey{} buf := new(bytes.Buffer) assert.Nil(t, key.EncodeBinary(buf)) assert.Equal(t, 1, buf.Len()) diff --git a/pkg/crypto/modular_arithmetic.go b/pkg/crypto/modular_arithmetic.go deleted file mode 100644 index 54e02b263..000000000 --- a/pkg/crypto/modular_arithmetic.go +++ /dev/null @@ -1,61 +0,0 @@ -package crypto - -import "math/big" - -// addMod computes z = (x + y) % p. -func addMod(x *big.Int, y *big.Int, p *big.Int) (z *big.Int) { - z = new(big.Int).Add(x, y) - z.Mod(z, p) - return z -} - -// subMod computes z = (x - y) % p. -func subMod(x *big.Int, y *big.Int, p *big.Int) (z *big.Int) { - z = new(big.Int).Sub(x, y) - z.Mod(z, p) - return z -} - -// mulMod computes z = (x * y) % p. -func mulMod(x *big.Int, y *big.Int, p *big.Int) (z *big.Int) { - n := new(big.Int).Set(x) - z = big.NewInt(0) - - for i := 0; i < y.BitLen(); i++ { - if y.Bit(i) == 1 { - z = addMod(z, n, p) - } - n = addMod(n, n, p) - } - - return z -} - -// invMod computes z = (1/x) % p. -func invMod(x *big.Int, p *big.Int) (z *big.Int) { - z = new(big.Int).ModInverse(x, p) - return z -} - -// expMod computes z = (x^e) % p. -func expMod(x *big.Int, y *big.Int, p *big.Int) (z *big.Int) { - z = new(big.Int).Exp(x, y, p) - return z -} - -// sqrtMod computes z = sqrt(x) % p. -func sqrtMod(x *big.Int, p *big.Int) (z *big.Int) { - /* assert that p % 4 == 3 */ - if new(big.Int).Mod(p, big.NewInt(4)).Cmp(big.NewInt(3)) != 0 { - panic("p is not equal to 3 mod 4!") - } - - /* z = sqrt(x) % p = x^((p+1)/4) % p */ - - /* e = (p+1)/4 */ - e := new(big.Int).Add(p, big.NewInt(1)) - e = e.Rsh(e, 2) - - z = expMod(x, e, p) - return z -} From 60bc2e8053effd7c28f7057444850e504aebd3a5 Mon Sep 17 00:00:00 2001 From: Roman Khimov Date: Thu, 5 Sep 2019 08:44:08 +0300 Subject: [PATCH 3/6] keys: simplify PublicKey() for PrivateKey Public key is just a point, so use the coordinates obtained previously to initialize the PublicKey structure without jumping through the hoops of encoding/decoding. --- pkg/crypto/keys/private_key.go | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/pkg/crypto/keys/private_key.go b/pkg/crypto/keys/private_key.go index bffda5080..75c659cd0 100644 --- a/pkg/crypto/keys/private_key.go +++ b/pkg/crypto/keys/private_key.go @@ -1,7 +1,6 @@ package keys import ( - "bytes" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" @@ -61,8 +60,6 @@ func NewPrivateKeyFromRawBytes(b []byte) (*PrivateKey, error) { // PublicKey derives the public key from the private key. func (p *PrivateKey) PublicKey() (*PublicKey, error) { var ( - err error - pk PublicKey c = elliptic.P256() q = new(big.Int).SetBytes(p.b) ) @@ -72,25 +69,7 @@ func (p *PrivateKey) PublicKey() (*PublicKey, error) { return nil, errors.New("failed to derive public key using elliptic curve") } - bx := x.Bytes() - padded := append( - bytes.Repeat( - []byte{0x00}, - 32-len(bx), - ), - bx..., - ) - - prefix := []byte{0x03} - if y.Bit(0) == 0 { - prefix = []byte{0x02} - } - b := append(prefix, padded...) - - if err = pk.DecodeBytes(b); err != nil { - return nil, err - } - return &pk, nil + return &PublicKey{X: x, Y: y}, nil } // NewPrivateKeyFromWIF returns a NEO PrivateKey from the given From 2c3e92923f70db55fb7d5dfd010c42f81b21a1c1 Mon Sep 17 00:00:00 2001 From: Roman Khimov Date: Thu, 5 Sep 2019 09:35:02 +0300 Subject: [PATCH 4/6] keys: simplify error handling for PublicKey() and associated PublicKey() for PrivateKey now just can't fail and it makes no sense to return an error from it. There is a lot of associated functionality for which this also is true, so adjust it accordingly and simplify a lot of code. --- pkg/core/account_state_test.go | 4 +--- pkg/crypto/keys/nep2.go | 12 +++------- pkg/crypto/keys/nep2_test.go | 6 ++--- pkg/crypto/keys/private_key.go | 36 +++++++++++++---------------- pkg/crypto/keys/private_key_test.go | 8 +++---- pkg/crypto/keys/publickey_test.go | 3 +-- pkg/crypto/keys/sign_verify_test.go | 5 ++-- pkg/crypto/keys/wif.go | 9 +++----- pkg/rpc/txBuilder.go | 8 ++----- pkg/wallet/account.go | 23 ++++++------------ 10 files changed, 40 insertions(+), 74 deletions(-) diff --git a/pkg/core/account_state_test.go b/pkg/core/account_state_test.go index 1452211ed..82009be0d 100644 --- a/pkg/core/account_state_test.go +++ b/pkg/core/account_state_test.go @@ -19,9 +19,7 @@ func TestDecodeEncodeAccountState(t *testing.T) { balances[randomUint256()] = util.Fixed8(int64(randomInt(1, 10000))) k, err := keys.NewPrivateKey() assert.Nil(t, err) - p, err := k.PublicKey() - assert.Nil(t, err) - votes[i] = p + votes[i] = k.PublicKey() } a := &AccountState{ diff --git a/pkg/crypto/keys/nep2.go b/pkg/crypto/keys/nep2.go index fc40fb899..c67888792 100644 --- a/pkg/crypto/keys/nep2.go +++ b/pkg/crypto/keys/nep2.go @@ -44,10 +44,7 @@ func NEP2ScryptParams() ScryptParams { // NEP2Encrypt encrypts a the PrivateKey using a given passphrase // under the NEP-2 standard. func NEP2Encrypt(priv *PrivateKey, passphrase string) (s string, err error) { - address, err := priv.Address() - if err != nil { - return s, err - } + address := priv.Address() addrHash := hash.Checksum([]byte(address)) // Normalize the passphrase according to the NFC standard. @@ -119,14 +116,11 @@ func NEP2Decrypt(key, passphrase string) (s string, err error) { return s, errors.New("password mismatch") } - return privKey.WIF() + return privKey.WIF(), nil } func compareAddressHash(priv *PrivateKey, inhash []byte) bool { - address, err := priv.Address() - if err != nil { - return false - } + address := priv.Address() addrHash := hash.Checksum([]byte(address)) return bytes.Equal(addrHash, inhash) } diff --git a/pkg/crypto/keys/nep2_test.go b/pkg/crypto/keys/nep2_test.go index e3a7a1ebc..995677a7a 100644 --- a/pkg/crypto/keys/nep2_test.go +++ b/pkg/crypto/keys/nep2_test.go @@ -31,12 +31,10 @@ func TestNEP2Decrypt(t *testing.T) { assert.Equal(t, testCase.PrivateKey, privKey.String()) - wif, err := privKey.WIF() - assert.Nil(t, err) + wif := privKey.WIF() assert.Equal(t, testCase.Wif, wif) - address, err := privKey.Address() - assert.Nil(t, err) + address := privKey.Address() assert.Equal(t, testCase.Address, address) } } diff --git a/pkg/crypto/keys/private_key.go b/pkg/crypto/keys/private_key.go index 75c659cd0..5ae6acad1 100644 --- a/pkg/crypto/keys/private_key.go +++ b/pkg/crypto/keys/private_key.go @@ -7,7 +7,6 @@ import ( "crypto/sha256" "crypto/x509" "encoding/hex" - "errors" "fmt" "math/big" @@ -58,18 +57,15 @@ func NewPrivateKeyFromRawBytes(b []byte) (*PrivateKey, error) { } // PublicKey derives the public key from the private key. -func (p *PrivateKey) PublicKey() (*PublicKey, error) { +func (p *PrivateKey) PublicKey() *PublicKey { var ( c = elliptic.P256() q = new(big.Int).SetBytes(p.b) ) x, y := c.ScalarBaseMult(q.Bytes()) - if !c.IsOnCurve(x, y) { - return nil, errors.New("failed to derive public key using elliptic curve") - } - return &PublicKey{X: x, Y: y}, nil + return &PublicKey{X: x, Y: y} } // NewPrivateKeyFromWIF returns a NEO PrivateKey from the given @@ -85,27 +81,27 @@ func NewPrivateKeyFromWIF(wif string) (*PrivateKey, error) { // WIF returns the (wallet import format) of the PrivateKey. // Good documentation about this process can be found here: // https://en.bitcoin.it/wiki/Wallet_import_format -func (p *PrivateKey) WIF() (string, error) { - return WIFEncode(p.b, WIFVersion, true) +func (p *PrivateKey) WIF() string { + w, err := WIFEncode(p.b, WIFVersion, true) + // The only way WIFEncode() can fail is if we're to give it a key of + // wrong size, but we have a proper key here, aren't we? + if err != nil { + panic(err) + } + return w } // Address derives the public NEO address that is coupled with the private key, and // returns it as a string. -func (p *PrivateKey) Address() (string, error) { - pk, err := p.PublicKey() - if err != nil { - return "", err - } - return pk.Address(), nil +func (p *PrivateKey) Address() string { + pk := p.PublicKey() + return pk.Address() } // Signature creates the signature using the private key. -func (p *PrivateKey) Signature() ([]byte, error) { - pk, err := p.PublicKey() - if err != nil { - return nil, err - } - return pk.Signature(), nil +func (p *PrivateKey) Signature() []byte { + pk := p.PublicKey() + return pk.Signature() } // Sign signs arbitrary length data using the private key. diff --git a/pkg/crypto/keys/private_key_test.go b/pkg/crypto/keys/private_key_test.go index dc45ef547..ea021b6ea 100644 --- a/pkg/crypto/keys/private_key_test.go +++ b/pkg/crypto/keys/private_key_test.go @@ -14,14 +14,12 @@ func TestPrivateKey(t *testing.T) { for _, testCase := range keytestcases.Arr { privKey, err := NewPrivateKeyFromHex(testCase.PrivateKey) assert.Nil(t, err) - address, err := privKey.Address() - assert.Nil(t, err) + address := privKey.Address() assert.Equal(t, testCase.Address, address) - wif, err := privKey.WIF() - assert.Nil(t, err) + wif := privKey.WIF() assert.Equal(t, testCase.Wif, wif) - pubKey, _ := privKey.PublicKey() + pubKey := privKey.PublicKey() assert.Equal(t, hex.EncodeToString(pubKey.Bytes()), testCase.PublicKey) } } diff --git a/pkg/crypto/keys/publickey_test.go b/pkg/crypto/keys/publickey_test.go index edb2a1113..34c0b334d 100644 --- a/pkg/crypto/keys/publickey_test.go +++ b/pkg/crypto/keys/publickey_test.go @@ -23,8 +23,7 @@ func TestEncodeDecodePublicKey(t *testing.T) { for i := 0; i < 4; i++ { k, err := NewPrivateKey() assert.Nil(t, err) - p, err := k.PublicKey() - assert.Nil(t, err) + p := k.PublicKey() buf := new(bytes.Buffer) assert.Nil(t, p.EncodeBinary(buf)) diff --git a/pkg/crypto/keys/sign_verify_test.go b/pkg/crypto/keys/sign_verify_test.go index 3eb5c1b8e..3c359d6ff 100755 --- a/pkg/crypto/keys/sign_verify_test.go +++ b/pkg/crypto/keys/sign_verify_test.go @@ -15,8 +15,7 @@ func TestPubKeyVerify(t *testing.T) { assert.Nil(t, err) signedData, err := privKey.Sign(data) assert.Nil(t, err) - pubKey, err := privKey.PublicKey() - assert.Nil(t, err) + pubKey := privKey.PublicKey() result := pubKey.Verify(signedData, hashedData.Bytes()) expected := true assert.Equal(t, expected, result) @@ -29,7 +28,7 @@ func TestWrongPubKey(t *testing.T) { signedData, _ := privKey.Sign(sample) secondPrivKey, _ := NewPrivateKey() - wrongPubKey, _ := secondPrivKey.PublicKey() + wrongPubKey := secondPrivKey.PublicKey() actual := wrongPubKey.Verify(signedData, hashedData.Bytes()) expcted := false diff --git a/pkg/crypto/keys/wif.go b/pkg/crypto/keys/wif.go index 4fcd71860..df856412f 100644 --- a/pkg/crypto/keys/wif.go +++ b/pkg/crypto/keys/wif.go @@ -92,7 +92,7 @@ func WIFDecode(wif string, version byte) (*WIF, error) { } // GetVerificationScript returns NEO VM bytecode with checksig command for the public key. -func (wif WIF) GetVerificationScript() ([]byte, error) { +func (wif WIF) GetVerificationScript() []byte { const ( pushbytes33 = 0x21 checksig = 0xac @@ -101,11 +101,8 @@ func (wif WIF) GetVerificationScript() ([]byte, error) { vScript []byte pubkey *PublicKey ) - pubkey, err := wif.PrivateKey.PublicKey() - if err != nil { - return nil, err - } + pubkey = wif.PrivateKey.PublicKey() vScript = append([]byte{pushbytes33}, pubkey.Bytes()...) vScript = append(vScript, checksig) - return vScript, nil + return vScript } diff --git a/pkg/rpc/txBuilder.go b/pkg/rpc/txBuilder.go index 401af25fd..3109c1424 100644 --- a/pkg/rpc/txBuilder.go +++ b/pkg/rpc/txBuilder.go @@ -25,9 +25,7 @@ func CreateRawContractTransaction(params ContractTxParams) (*transaction.Transac wif, assetID, address, amount, balancer = params.wif, params.assetID, params.address, params.value, params.balancer ) - if fromAddress, err = wif.PrivateKey.Address(); err != nil { - return nil, errs.Wrapf(err, "Failed to take address from WIF: %v", wif.S) - } + fromAddress = wif.PrivateKey.Address() if fromAddressHash, err = crypto.Uint160DecodeAddress(fromAddress); err != nil { return nil, errs.Wrapf(err, "Failed to take script hash from address: %v", fromAddress) @@ -59,9 +57,7 @@ func CreateRawContractTransaction(params ContractTxParams) (*transaction.Transac if witness.InvocationScript, err = GetInvocationScript(tx, wif); err != nil { return nil, errs.Wrap(err, "Failed to create invocation script") } - if witness.VerificationScript, err = wif.GetVerificationScript(); err != nil { - return nil, errs.Wrap(err, "Failed to create verification script") - } + witness.VerificationScript = wif.GetVerificationScript() tx.Scripts = append(tx.Scripts, &witness) tx.Hash() diff --git a/pkg/wallet/account.go b/pkg/wallet/account.go index 401665b65..6f4677d37 100644 --- a/pkg/wallet/account.go +++ b/pkg/wallet/account.go @@ -57,7 +57,7 @@ func NewAccount() (*Account, error) { if err != nil { return nil, err } - return newAccountFromPrivateKey(priv) + return newAccountFromPrivateKey(priv), nil } // DecryptAccount decrypt the encryptedWIF with the given passphrase and @@ -87,23 +87,14 @@ func NewAccountFromWIF(wif string) (*Account, error) { if err != nil { return nil, err } - return newAccountFromPrivateKey(privKey) + return newAccountFromPrivateKey(privKey), nil } // newAccountFromPrivateKey created a wallet from the given PrivateKey. -func newAccountFromPrivateKey(p *keys.PrivateKey) (*Account, error) { - pubKey, err := p.PublicKey() - if err != nil { - return nil, err - } - pubAddr, err := p.Address() - if err != nil { - return nil, err - } - wif, err := p.WIF() - if err != nil { - return nil, err - } +func newAccountFromPrivateKey(p *keys.PrivateKey) *Account { + pubKey := p.PublicKey() + pubAddr := p.Address() + wif := p.WIF() a := &Account{ publicKey: pubKey.Bytes(), @@ -112,5 +103,5 @@ func newAccountFromPrivateKey(p *keys.PrivateKey) (*Account, error) { wif: wif, } - return a, nil + return a } From f12194f3b0028128f80828e5906cb359e2f41c82 Mon Sep 17 00:00:00 2001 From: Roman Khimov Date: Thu, 5 Sep 2019 11:58:34 +0300 Subject: [PATCH 5/6] keys: deduplicate DecodeBytes/DecodeBinary for PrivateKey They shared prefix logic for no good reason, don't do that. --- pkg/crypto/keys/publickey.go | 85 +++++++++++++++--------------------- 1 file changed, 36 insertions(+), 49 deletions(-) diff --git a/pkg/crypto/keys/publickey.go b/pkg/crypto/keys/publickey.go index 1f1228bd0..ab0e06b3f 100644 --- a/pkg/crypto/keys/publickey.go +++ b/pkg/crypto/keys/publickey.go @@ -125,72 +125,59 @@ func decodeCompressedY(x *big.Int, ylsb uint) (*big.Int, error) { // DecodeBytes decodes a PublicKey from the given slice of bytes. func (p *PublicKey) DecodeBytes(data []byte) error { - l := len(data) - - switch prefix := data[0]; prefix { - // Infinity - case 0x00: - p.X = nil - p.Y = nil - // Compressed public keys - case 0x02, 0x03: - if l < 33 { - return errors.Errorf("bad binary size(%d)", l) - } - - x := new(big.Int).SetBytes(data[1:]) - ylsb := uint(prefix&0x1) - y, err := decodeCompressedY(x, ylsb) - if err != nil { - return err - } - p.X = x - p.Y = y - case 0x04: - if l < 66 { - return errors.Errorf("bad binary size(%d)", l) - } - p.X = new(big.Int).SetBytes(data[2:34]) - p.Y = new(big.Int).SetBytes(data[34:66]) - default: - return errors.Errorf("invalid prefix %d", prefix) - } - - return nil + var datab []byte + copy(datab, data) + b := bytes.NewBuffer(datab) + return p.DecodeBinary(b) } // DecodeBinary decodes a PublicKey from the given io.Reader. func (p *PublicKey) DecodeBinary(r io.Reader) error { - var prefix, size uint8 + var prefix uint8 + var x, y *big.Int + var err error - if err := binary.Read(r, binary.LittleEndian, &prefix); err != nil { + if err = binary.Read(r, binary.LittleEndian, &prefix); err != nil { return err } // Infinity switch prefix { case 0x00: - p.X = nil - p.Y = nil - return nil - // Compressed public keys + // noop, initialized to nil case 0x02, 0x03: - size = 32 + // Compressed public keys + xbytes := make([]byte, 32) + if _, err := io.ReadFull(r, xbytes); err != nil { + return err + } + x = new(big.Int).SetBytes(xbytes) + ylsb := uint(prefix&0x1) + y, err = decodeCompressedY(x, ylsb) + if err != nil { + return err + } case 0x04: - size = 65 + xbytes := make([]byte, 32) + ybytes := make([]byte, 32) + if _, err = io.ReadFull(r, xbytes); err != nil { + return err + } + if _, err = io.ReadFull(r, ybytes); err != nil { + return err + } + c := elliptic.P256() + x = new(big.Int).SetBytes(xbytes) + y = new(big.Int).SetBytes(ybytes) + if !c.IsOnCurve(x, y) { + return errors.New("point given is not on curve P256") + } default: return errors.Errorf("invalid prefix %d", prefix) } + p.X, p.Y = x, y - data := make([]byte, size+1) // prefix + size - - if _, err := io.ReadFull(r, data[1:]); err != nil { - return err - } - - data[0] = prefix - - return p.DecodeBytes(data) + return nil } // EncodeBinary encodes a PublicKey to the given io.Writer. From e537dc9ee4b8b54315c8e31a5a2d6d4b51209d87 Mon Sep 17 00:00:00 2001 From: Roman Khimov Date: Thu, 5 Sep 2019 12:31:03 +0300 Subject: [PATCH 6/6] keys: improve publick key checks with a check against P ANSI X9.62 says that if x or y coordinate are greater than or equal to curve.Params().P, the conversion should return an error (see ANSI X9.62:2005 Section A.5.8 Step b, which invokes Section A.5.5, which does the check and rejects when x or y are too big. See https://github.com/golang/go/issues/20482 for more details. --- pkg/crypto/keys/publickey.go | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/pkg/crypto/keys/publickey.go b/pkg/crypto/keys/publickey.go index ab0e06b3f..ba823839c 100644 --- a/pkg/crypto/keys/publickey.go +++ b/pkg/crypto/keys/publickey.go @@ -117,9 +117,6 @@ func decodeCompressedY(x *big.Int, ylsb uint) (*big.Int, error) { y.Neg(y) y.Mod(y, cp.P) } - if !c.IsOnCurve(x, y) { - return nil, errors.New("compressed (x, ylsb) not on curve") - } return y, nil } @@ -145,6 +142,7 @@ func (p *PublicKey) DecodeBinary(r io.Reader) error { switch prefix { case 0x00: // noop, initialized to nil + return nil case 0x02, 0x03: // Compressed public keys xbytes := make([]byte, 32) @@ -166,15 +164,19 @@ func (p *PublicKey) DecodeBinary(r io.Reader) error { if _, err = io.ReadFull(r, ybytes); err != nil { return err } - c := elliptic.P256() x = new(big.Int).SetBytes(xbytes) y = new(big.Int).SetBytes(ybytes) - if !c.IsOnCurve(x, y) { - return errors.New("point given is not on curve P256") - } default: return errors.Errorf("invalid prefix %d", prefix) } + c := elliptic.P256() + cp := c.Params() + if !c.IsOnCurve(x, y) { + return errors.New("enccoded point is not on the P256 curve") + } + if x.Cmp(cp.P) >= 0 || y.Cmp(cp.P) >= 0 { + return errors.New("enccoded point is not correct (X or Y is bigger than P") + } p.X, p.Y = x, y return nil