Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright (c) 2009-2010 Satoshi Nakamoto |
2 | | // Copyright (c) 2009-present The Bitcoin Core developers |
3 | | // Copyright (c) 2017 The Zcash developers |
4 | | // Distributed under the MIT software license, see the accompanying |
5 | | // file COPYING or http://www.opensource.org/licenses/mit-license.php. |
6 | | |
7 | | #ifndef BITCOIN_KEY_H |
8 | | #define BITCOIN_KEY_H |
9 | | |
10 | | #include <pubkey.h> |
11 | | #include <serialize.h> |
12 | | #include <support/allocators/secure.h> |
13 | | #include <uint256.h> |
14 | | |
15 | | #include <stdexcept> |
16 | | #include <vector> |
17 | | |
18 | | |
19 | | /** |
20 | | * CPrivKey is a serialized private key, with all parameters included |
21 | | * (SIZE bytes) |
22 | | */ |
23 | | typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey; |
24 | | |
25 | | /** Size of ECDH shared secrets. */ |
26 | | constexpr static size_t ECDH_SECRET_SIZE = CSHA256::OUTPUT_SIZE; |
27 | | |
28 | | // Used to represent ECDH shared secret (ECDH_SECRET_SIZE bytes) |
29 | | using ECDHSecret = std::array<std::byte, ECDH_SECRET_SIZE>; |
30 | | |
31 | | class KeyPair; |
32 | | |
33 | | /** An encapsulated private key. */ |
34 | | class CKey |
35 | | { |
36 | | public: |
37 | | /** |
38 | | * secp256k1: |
39 | | */ |
40 | | static const unsigned int SIZE = 279; |
41 | | static const unsigned int COMPRESSED_SIZE = 214; |
42 | | /** |
43 | | * see www.keylength.com |
44 | | * script supports up to 75 for single byte push |
45 | | */ |
46 | | static_assert( |
47 | | SIZE >= COMPRESSED_SIZE, |
48 | | "COMPRESSED_SIZE is larger than SIZE"); |
49 | | |
50 | | private: |
51 | | /** Internal data container for private key material. */ |
52 | | using KeyType = std::array<unsigned char, 32>; |
53 | | |
54 | | //! Whether the public key corresponding to this private key is (to be) compressed. |
55 | | bool fCompressed{false}; |
56 | | |
57 | | //! The actual byte data. nullptr for invalid keys. |
58 | | secure_unique_ptr<KeyType> keydata; |
59 | | |
60 | | //! Check whether the 32-byte array pointed to by vch is valid keydata. |
61 | | bool static Check(const unsigned char* vch); |
62 | | |
63 | | void MakeKeyData() |
64 | 2.95M | { |
65 | 2.95M | if (!keydata) keydata = make_secure_unique<KeyType>(); |
66 | 2.95M | } |
67 | | |
68 | | void ClearKeyData() |
69 | 645 | { |
70 | 645 | keydata.reset(); |
71 | 645 | } |
72 | | |
73 | | public: |
74 | 2.69M | CKey() noexcept = default; |
75 | 0 | CKey(CKey&&) noexcept = default; |
76 | 5.17k | CKey& operator=(CKey&&) noexcept = default; |
77 | | |
78 | | CKey& operator=(const CKey& other) |
79 | 2.26M | { |
80 | 2.26M | if (this != &other) { |
81 | 2.26M | if (other.keydata) { |
82 | 2.26M | MakeKeyData(); |
83 | 2.26M | *keydata = *other.keydata; |
84 | 2.26M | } else { |
85 | 0 | ClearKeyData(); |
86 | 0 | } |
87 | 2.26M | fCompressed = other.fCompressed; |
88 | 2.26M | } |
89 | 2.26M | return *this; |
90 | 2.26M | } |
91 | | |
92 | 810k | CKey(const CKey& other) { *this = other; } |
93 | | |
94 | | friend bool operator==(const CKey& a, const CKey& b) |
95 | 8.11k | { |
96 | 8.11k | return a.fCompressed == b.fCompressed && |
97 | 8.11k | a.size() == b.size() && |
98 | 8.11k | memcmp(a.data(), b.data(), a.size()) == 0; |
99 | 8.11k | } |
100 | | |
101 | | //! Initialize using begin and end iterators to byte data. |
102 | | template <typename T> |
103 | | void Set(const T pbegin, const T pend, bool fCompressedIn) |
104 | 689k | { |
105 | 689k | if (size_t(pend - pbegin) != std::tuple_size_v<KeyType>) { |
106 | 2 | ClearKeyData(); |
107 | 689k | } else if (Check(UCharCast(&pbegin[0]))) { |
108 | 688k | MakeKeyData(); |
109 | 688k | memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size()); |
110 | 688k | fCompressed = fCompressedIn; |
111 | 688k | } else { |
112 | 643 | ClearKeyData(); |
113 | 643 | } |
114 | 689k | } _ZN4CKey3SetIN9__gnu_cxx17__normal_iteratorIPKhSt4spanIS3_Lm18446744073709551615EEEEEEvT_S8_b Line | Count | Source | 104 | 2.32k | { | 105 | 2.32k | if (size_t(pend - pbegin) != std::tuple_size_v<KeyType>) { | 106 | 2 | ClearKeyData(); | 107 | 2.31k | } else if (Check(UCharCast(&pbegin[0]))) { | 108 | 2.31k | MakeKeyData(); | 109 | 2.31k | memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size()); | 110 | 2.31k | fCompressed = fCompressedIn; | 111 | 2.31k | } else { | 112 | 2 | ClearKeyData(); | 113 | 2 | } | 114 | 2.32k | } |
_ZN4CKey3SetIPKSt4byteEEvT_S4_b Line | Count | Source | 104 | 482k | { | 105 | 482k | if (size_t(pend - pbegin) != std::tuple_size_v<KeyType>) { | 106 | 0 | ClearKeyData(); | 107 | 482k | } else if (Check(UCharCast(&pbegin[0]))) { | 108 | 482k | MakeKeyData(); | 109 | 482k | memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size()); | 110 | 482k | fCompressed = fCompressedIn; | 111 | 482k | } else { | 112 | 0 | ClearKeyData(); | 113 | 0 | } | 114 | 482k | } |
Unexecuted instantiation: _ZN4CKey3SetIPhEEvT_S2_b Unexecuted instantiation: _ZN4CKey3SetIPSt4byteEEvT_S3_b _ZN4CKey3SetIN9__gnu_cxx17__normal_iteratorIPhSt6vectorIhSaIhEEEEEEvT_S8_b Line | Count | Source | 104 | 91.6k | { | 105 | 91.6k | if (size_t(pend - pbegin) != std::tuple_size_v<KeyType>) { | 106 | 0 | ClearKeyData(); | 107 | 91.6k | } else if (Check(UCharCast(&pbegin[0]))) { | 108 | 91.0k | MakeKeyData(); | 109 | 91.0k | memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size()); | 110 | 91.0k | fCompressed = fCompressedIn; | 111 | 91.0k | } else { | 112 | 641 | ClearKeyData(); | 113 | 641 | } | 114 | 91.6k | } |
_ZN4CKey3SetIPKhEEvT_S3_b Line | Count | Source | 104 | 112k | { | 105 | 112k | if (size_t(pend - pbegin) != std::tuple_size_v<KeyType>) { | 106 | 0 | ClearKeyData(); | 107 | 112k | } else if (Check(UCharCast(&pbegin[0]))) { | 108 | 112k | MakeKeyData(); | 109 | 112k | memcpy(keydata->data(), (unsigned char*)&pbegin[0], keydata->size()); | 110 | 112k | fCompressed = fCompressedIn; | 111 | 112k | } else { | 112 | 0 | ClearKeyData(); | 113 | 0 | } | 114 | 112k | } |
Unexecuted instantiation: _ZN4CKey3SetIN9__gnu_cxx17__normal_iteratorIPhSt6vectorIh16secure_allocatorIhEEEEEEvT_S9_b |
115 | | |
116 | | //! Simple read-only vector-like interface. |
117 | 233k | unsigned int size() const { return keydata ? keydata->size() : 0; } |
118 | 3.61M | const std::byte* data() const { return keydata ? reinterpret_cast<const std::byte*>(keydata->data()) : nullptr; } |
119 | 3.54M | const std::byte* begin() const { return data(); } |
120 | 22.9k | const std::byte* end() const { return data() + size(); } |
121 | | |
122 | | //! Check whether this private key is valid. |
123 | 944k | bool IsValid() const { return !!keydata; } |
124 | | |
125 | | //! Check whether the public key corresponding to this private key is (to be) compressed. |
126 | 577k | bool IsCompressed() const { return fCompressed; } |
127 | | |
128 | | //! Generate a new private key using a cryptographic PRNG. |
129 | | void MakeNewKey(bool fCompressed); |
130 | | |
131 | | /** |
132 | | * Convert the private key to a CPrivKey (serialized OpenSSL private key data). |
133 | | * This is expensive. |
134 | | */ |
135 | | CPrivKey GetPrivKey() const; |
136 | | |
137 | | /** |
138 | | * Compute the public key from a private key. |
139 | | * This is expensive. |
140 | | */ |
141 | | CPubKey GetPubKey() const; |
142 | | |
143 | | /** |
144 | | * Create a DER-serialized signature. |
145 | | * The test_case parameter tweaks the deterministic nonce. |
146 | | */ |
147 | | bool Sign(const uint256& hash, std::vector<unsigned char>& vchSig, bool grind = true, uint32_t test_case = 0) const; |
148 | | |
149 | | /** |
150 | | * Create a compact signature (65 bytes), which allows reconstructing the used public key. |
151 | | * The format is one header byte, followed by two times 32 bytes for the serialized r and s values. |
152 | | * The header byte: 0x1B = first key with even y, 0x1C = first key with odd y, |
153 | | * 0x1D = second key with even y, 0x1E = second key with odd y, |
154 | | * add 0x04 for compressed keys. |
155 | | */ |
156 | | bool SignCompact(const uint256& hash, std::vector<unsigned char>& vchSig) const; |
157 | | |
158 | | /** |
159 | | * Create a BIP-340 Schnorr signature, for the xonly-pubkey corresponding to *this, |
160 | | * optionally tweaked by *merkle_root. Additional nonce entropy is provided through |
161 | | * aux. |
162 | | * |
163 | | * merkle_root is used to optionally perform tweaking of the private key, as specified |
164 | | * in BIP341: |
165 | | * - If merkle_root == nullptr: no tweaking is done, sign with key directly (this is |
166 | | * used for signatures in BIP342 script). |
167 | | * - If merkle_root->IsNull(): sign with key + H_TapTweak(pubkey) (this is used for |
168 | | * key path spending when no scripts are present). |
169 | | * - Otherwise: sign with key + H_TapTweak(pubkey || *merkle_root) |
170 | | * (this is used for key path spending, with specific |
171 | | * Merkle root of the script tree). |
172 | | */ |
173 | | bool SignSchnorr(const uint256& hash, std::span<unsigned char> sig, const uint256* merkle_root, const uint256& aux) const; |
174 | | |
175 | | //! Derive BIP32 child key. |
176 | | [[nodiscard]] bool Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const; |
177 | | |
178 | | /** |
179 | | * Verify thoroughly whether a private key and a public key match. |
180 | | * This is done using a different mechanism than just regenerating it. |
181 | | */ |
182 | | bool VerifyPubKey(const CPubKey& vchPubKey) const; |
183 | | |
184 | | //! Load private key and check that public key matches. |
185 | | bool Load(const CPrivKey& privkey, const CPubKey& vchPubKey, bool fSkipCheck); |
186 | | |
187 | | /** Create an ellswift-encoded public key for this key, with specified entropy. |
188 | | * |
189 | | * entropy must be a 32-byte span with additional entropy to use in the encoding. Every |
190 | | * public key has ~2^256 different encodings, and this function will deterministically pick |
191 | | * one of them, based on entropy. Note that even without truly random entropy, the |
192 | | * resulting encoding will be indistinguishable from uniform to any adversary who does not |
193 | | * know the private key (because the private key itself is always used as entropy as well). |
194 | | */ |
195 | | EllSwiftPubKey EllSwiftCreate(std::span<const std::byte> entropy) const; |
196 | | |
197 | | /** Compute a BIP324-style ECDH shared secret. |
198 | | * |
199 | | * - their_ellswift: EllSwiftPubKey that was received from the other side. |
200 | | * - our_ellswift: EllSwiftPubKey that was sent to the other side (must have been generated |
201 | | * from *this using EllSwiftCreate()). |
202 | | * - initiating: whether we are the initiating party (true) or responding party (false). |
203 | | */ |
204 | | ECDHSecret ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift, |
205 | | const EllSwiftPubKey& our_ellswift, |
206 | | bool initiating) const; |
207 | | /** Compute a KeyPair |
208 | | * |
209 | | * Wraps a `secp256k1_keypair` type. |
210 | | * |
211 | | * `merkle_root` is used to optionally perform tweaking of |
212 | | * the internal key, as specified in BIP341: |
213 | | * |
214 | | * - If merkle_root == nullptr: no tweaking is done, use the internal key directly (this is |
215 | | * used for signatures in BIP342 script). |
216 | | * - If merkle_root->IsNull(): tweak the internal key with H_TapTweak(pubkey) (this is used for |
217 | | * key path spending when no scripts are present). |
218 | | * - Otherwise: tweak the internal key with H_TapTweak(pubkey || *merkle_root) |
219 | | * (this is used for key path spending with the |
220 | | * Merkle root of the script tree). |
221 | | */ |
222 | | KeyPair ComputeKeyPair(const uint256* merkle_root) const; |
223 | | }; |
224 | | |
225 | | CKey GenerateRandomKey(bool compressed = true) noexcept; |
226 | | |
227 | | struct CExtKey { |
228 | | unsigned char nDepth; |
229 | | unsigned char vchFingerprint[4]; |
230 | | unsigned int nChild; |
231 | | ChainCode chaincode; |
232 | | CKey key; |
233 | | |
234 | | friend bool operator==(const CExtKey& a, const CExtKey& b) |
235 | 3 | { |
236 | 3 | return a.nDepth == b.nDepth && |
237 | 3 | memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 && |
238 | 3 | a.nChild == b.nChild && |
239 | 3 | a.chaincode == b.chaincode && |
240 | 3 | a.key == b.key; |
241 | 3 | } |
242 | | |
243 | 1.04M | CExtKey() = default; |
244 | 0 | CExtKey(const CExtPubKey& xpub, const CKey& key_in) : nDepth(xpub.nDepth), nChild(xpub.nChild), chaincode(xpub.chaincode), key(key_in) |
245 | 0 | { |
246 | 0 | std::copy(xpub.vchFingerprint, xpub.vchFingerprint + sizeof(xpub.vchFingerprint), vchFingerprint); |
247 | 0 | } |
248 | | |
249 | | void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const; |
250 | | void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]); |
251 | | [[nodiscard]] bool Derive(CExtKey& out, unsigned int nChild) const; |
252 | | CExtPubKey Neuter() const; |
253 | | void SetSeed(std::span<const std::byte> seed); |
254 | | }; |
255 | | |
256 | | /** KeyPair |
257 | | * |
258 | | * Wraps a `secp256k1_keypair` type, an opaque data structure for holding a secret and public key. |
259 | | * This is intended for BIP340 keys and allows us to easily determine if the secret key needs to |
260 | | * be negated by checking the parity of the public key. This class primarily intended for passing |
261 | | * secret keys to libsecp256k1 functions expecting a `secp256k1_keypair`. For all other cases, |
262 | | * CKey should be preferred. |
263 | | * |
264 | | * A KeyPair can be created from a CKey with an optional merkle_root tweak (per BIP342). See |
265 | | * CKey::ComputeKeyPair for more details. |
266 | | */ |
267 | | class KeyPair |
268 | | { |
269 | | public: |
270 | | KeyPair() noexcept = default; |
271 | | KeyPair(KeyPair&&) noexcept = default; |
272 | | KeyPair& operator=(KeyPair&&) noexcept = default; |
273 | | KeyPair& operator=(const KeyPair& other) |
274 | 0 | { |
275 | 0 | if (this != &other) { |
276 | 0 | if (other.m_keypair) { |
277 | 0 | MakeKeyPairData(); |
278 | 0 | *m_keypair = *other.m_keypair; |
279 | 0 | } else { |
280 | 0 | ClearKeyPairData(); |
281 | 0 | } |
282 | 0 | } |
283 | 0 | return *this; |
284 | 0 | } |
285 | | |
286 | 0 | KeyPair(const KeyPair& other) { *this = other; } |
287 | | |
288 | | friend KeyPair CKey::ComputeKeyPair(const uint256* merkle_root) const; |
289 | | [[nodiscard]] bool SignSchnorr(const uint256& hash, std::span<unsigned char> sig, const uint256& aux) const; |
290 | | |
291 | | //! Check whether this keypair is valid. |
292 | 40.1k | bool IsValid() const { return !!m_keypair; } |
293 | | |
294 | | private: |
295 | | KeyPair(const CKey& key, const uint256* merkle_root); |
296 | | |
297 | | using KeyType = std::array<unsigned char, 96>; |
298 | | secure_unique_ptr<KeyType> m_keypair; |
299 | | |
300 | | void MakeKeyPairData() |
301 | 40.1k | { |
302 | 40.1k | if (!m_keypair) m_keypair = make_secure_unique<KeyType>(); |
303 | 40.1k | } |
304 | | |
305 | | void ClearKeyPairData() |
306 | 0 | { |
307 | 0 | m_keypair.reset(); |
308 | 0 | } |
309 | | }; |
310 | | |
311 | | /** Check that required EC support is available at runtime. */ |
312 | | bool ECC_InitSanityCheck(); |
313 | | |
314 | | /** |
315 | | * RAII class initializing and deinitializing global state for elliptic curve support. |
316 | | * Only one instance may be initialized at a time. |
317 | | * |
318 | | * In the future global ECC state could be removed, and this class could contain |
319 | | * state and be passed as an argument to ECC key functions. |
320 | | */ |
321 | | class ECC_Context |
322 | | { |
323 | | public: |
324 | | ECC_Context(); |
325 | | ~ECC_Context(); |
326 | | }; |
327 | | |
328 | | #endif // BITCOIN_KEY_H |