This repository has been archived by the owner on May 13, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 30
/
crypto.go
191 lines (169 loc) · 4.98 KB
/
crypto.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
// Copyright (c) 2021 Blockwatch Data Inc.
// Author: alex@blockwatch.cc
package tezos
import (
"fmt"
"math/big"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/sha512"
"github.com/decred/dcrd/dcrec/secp256k1/v4"
"golang.org/x/crypto/nacl/secretbox"
"golang.org/x/crypto/pbkdf2"
)
// ecNormalizeSignature ensures strict compliance with the EC spec by returning
// S mod n for the appropriate keys curve.
//
// Details:
//
// Step #6 of the ECDSA algorithm [x] defines an `S` value mod n[0],
// but most signers (OpenSSL, SoftHSM, YubiHSM) don't return a strict modulo.
// This variability was exploited with transaction malleability in Bitcoin,
// leading to BIP#62. BIP#62 Rule #5[1] requires that signatures return a
// strict S = ... mod n which this function forces implemented in btcd here [2]
// [0]: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
// [1]: https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki#new-rules
// [2]: https://github.com/btcsuite/btcd/blob/master/btcec/signature.go#L49
//
// See also Ecadlabs Signatory:
// https://github.com/ecadlabs/signatory/blob/f57871c2300cb5a53236ea5fcb4f203012b4fe41/pkg/cryptoutils/crypto.go#L17
func ecNormalizeSignature(r, s *big.Int, c elliptic.Curve) (*big.Int, *big.Int) {
r = new(big.Int).Set(r)
s = new(big.Int).Set(s)
order := c.Params().N
quo := new(big.Int).Quo(order, new(big.Int).SetInt64(2))
if s.Cmp(quo) > 0 {
s = s.Sub(order, s)
}
return r, s
}
func ecSign(sk *ecdsa.PrivateKey, hash []byte) ([]byte, error) {
r, s, err := ecdsa.Sign(rand.Reader, sk, hash)
if err != nil {
return nil, err
}
// normalize
r, s = ecNormalizeSignature(r, s, sk.Curve)
// serialize
buf := make([]byte, 64)
r.FillBytes(buf[:32])
s.FillBytes(buf[32:])
return buf, nil
}
func ecVerifySignature(pk *ecdsa.PublicKey, hash []byte, sig Signature) bool {
r := new(big.Int).SetBytes(sig.Data[:32])
s := new(big.Int).SetBytes(sig.Data[32:])
return ecdsa.Verify(pk, hash, r, s)
}
func ecPrivateKeyFromBytes(b []byte, curve elliptic.Curve) (key *ecdsa.PrivateKey, err error) {
k := new(big.Int).SetBytes(b)
curveOrder := curve.Params().N
if k.Cmp(curveOrder) >= 0 {
return nil, fmt.Errorf("tezos: invalid private key for curve %s", curve.Params().Name)
}
priv := &ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{
Curve: curve,
},
D: k,
}
// https://cs.opensource.google/go/go/+/refs/tags/go1.17.5:src/crypto/ecdsa/ecdsa.go;l=149
priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(k.Bytes())
return priv, nil
}
// See https://github.com/golang/go/blob/master/src/crypto/elliptic/elliptic.go
func ecUnmarshalCompressed(curve elliptic.Curve, data []byte) (pk *ecdsa.PublicKey, err error) {
byteLen := (curve.Params().BitSize + 7) / 8
if len(data) != 1+byteLen {
return nil, fmt.Errorf("tezos: (%s) invalid public key length: %d", curve.Params().Name, len(data))
}
if data[0] != 2 && data[0] != 3 { // compressed form
return nil, fmt.Errorf("tezos: (%s) invalid public key compression", curve.Params().Name)
}
p := curve.Params().P
x := new(big.Int).SetBytes(data[1:])
if x.Cmp(p) >= 0 {
return nil, fmt.Errorf("tezos: (%s) invalid public key", curve.Params().Name)
}
// secp256k1 polynomial: x³ + b
// P-* polynomial: x³ - 3x + b
y := new(big.Int).Mul(x, x)
y.Mul(y, x)
if curve != secp256k1.S256() {
x1 := new(big.Int).Lsh(x, 1)
x1.Add(x1, x)
y.Sub(y, x1)
}
y.Add(y, curve.Params().B)
y.Mod(y, curve.Params().P)
y.ModSqrt(y, p)
if y == nil {
return nil, fmt.Errorf("tezos: (%s) invalid public key", curve.Params().Name)
}
if byte(y.Bit(0)) != data[0]&1 {
y.Neg(y).Mod(y, p)
}
if !curve.IsOnCurve(x, y) {
return nil, fmt.Errorf("tezos: (%s) invalid public key", curve.Params().Name)
}
pk = &ecdsa.PublicKey{
Curve: curve,
X: x,
Y: y,
}
return
}
const (
encIterations = 32768
encKeyLen = 32
)
func decryptPrivateKey(enc []byte, fn PassphraseFunc) ([]byte, error) {
if fn == nil {
return nil, ErrPassphrase
}
passphrase, err := fn()
if err != nil {
return nil, err
}
if len(passphrase) == 0 {
return nil, ErrPassphrase
}
salt, box := enc[:8], enc[8:]
secretboxKey := pbkdf2.Key(passphrase, salt, encIterations, encKeyLen, sha512.New)
var (
tmp [32]byte
nonce [24]byte // implicitly 0x00..
)
copy(tmp[:], secretboxKey)
dec, ok := secretbox.Open(nil, box, &nonce, &tmp)
if !ok {
return nil, fmt.Errorf("tezos: private key decrypt failed")
}
return dec, nil
}
func encryptPrivateKey(key []byte, fn PassphraseFunc) ([]byte, error) {
if fn == nil {
return nil, ErrPassphrase
}
passphrase, err := fn()
if err != nil {
return nil, err
}
if len(passphrase) == 0 {
return nil, ErrPassphrase
}
salt := make([]byte, 8)
_, err = rand.Read(salt)
if err != nil {
return nil, err
}
secretboxKey := pbkdf2.Key(passphrase, salt, encIterations, encKeyLen, sha512.New)
var (
tmp [32]byte
nonce [24]byte // implicitly 0x00..
)
copy(tmp[:], secretboxKey)
enc := secretbox.Seal(nil, key, &nonce, &tmp)
return append(salt, enc...), nil
}