|
|
@ -2,6 +2,7 @@ |
|
|
|
// Distributed under the MIT/X11 software license, see the accompanying
|
|
|
|
// Distributed under the MIT/X11 software license, see the accompanying
|
|
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#include <openssl/bn.h> |
|
|
|
#include <openssl/ecdsa.h> |
|
|
|
#include <openssl/ecdsa.h> |
|
|
|
#include <openssl/rand.h> |
|
|
|
#include <openssl/rand.h> |
|
|
|
#include <openssl/obj_mac.h> |
|
|
|
#include <openssl/obj_mac.h> |
|
|
@ -253,6 +254,57 @@ public: |
|
|
|
ECDSA_SIG_free(sig); |
|
|
|
ECDSA_SIG_free(sig); |
|
|
|
return ret; |
|
|
|
return ret; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static bool TweakSecret(unsigned char vchSecretOut[32], const unsigned char vchSecretIn[32], const unsigned char vchTweak[32]) |
|
|
|
|
|
|
|
{ |
|
|
|
|
|
|
|
bool ret = true; |
|
|
|
|
|
|
|
BN_CTX *ctx = BN_CTX_new(); |
|
|
|
|
|
|
|
BN_CTX_start(ctx); |
|
|
|
|
|
|
|
BIGNUM *bnSecret = BN_CTX_get(ctx); |
|
|
|
|
|
|
|
BIGNUM *bnTweak = BN_CTX_get(ctx); |
|
|
|
|
|
|
|
BIGNUM *bnOrder = BN_CTX_get(ctx); |
|
|
|
|
|
|
|
EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp256k1); |
|
|
|
|
|
|
|
EC_GROUP_get_order(group, bnOrder, ctx); // what a grossly inefficient way to get the (constant) group order...
|
|
|
|
|
|
|
|
BN_bin2bn(vchTweak, 32, bnTweak); |
|
|
|
|
|
|
|
if (BN_cmp(bnTweak, bnOrder) >= 0) |
|
|
|
|
|
|
|
ret = false; // extremely unlikely
|
|
|
|
|
|
|
|
BN_bin2bn(vchSecretIn, 32, bnSecret); |
|
|
|
|
|
|
|
BN_add(bnSecret, bnSecret, bnTweak); |
|
|
|
|
|
|
|
BN_nnmod(bnSecret, bnSecret, bnOrder, ctx); |
|
|
|
|
|
|
|
if (BN_is_zero(bnSecret)) |
|
|
|
|
|
|
|
ret = false; // ridiculously unlikely
|
|
|
|
|
|
|
|
int nBits = BN_num_bits(bnSecret); |
|
|
|
|
|
|
|
memset(vchSecretOut, 0, 32); |
|
|
|
|
|
|
|
BN_bn2bin(bnSecret, &vchSecretOut[32-(nBits+7)/8]); |
|
|
|
|
|
|
|
EC_GROUP_free(group); |
|
|
|
|
|
|
|
BN_CTX_end(ctx); |
|
|
|
|
|
|
|
BN_CTX_free(ctx); |
|
|
|
|
|
|
|
return ret; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bool TweakPublic(const unsigned char vchTweak[32]) { |
|
|
|
|
|
|
|
bool ret = true; |
|
|
|
|
|
|
|
BN_CTX *ctx = BN_CTX_new(); |
|
|
|
|
|
|
|
BN_CTX_start(ctx); |
|
|
|
|
|
|
|
BIGNUM *bnTweak = BN_CTX_get(ctx); |
|
|
|
|
|
|
|
BIGNUM *bnOrder = BN_CTX_get(ctx); |
|
|
|
|
|
|
|
BIGNUM *bnOne = BN_CTX_get(ctx); |
|
|
|
|
|
|
|
const EC_GROUP *group = EC_KEY_get0_group(pkey); |
|
|
|
|
|
|
|
EC_GROUP_get_order(group, bnOrder, ctx); // what a grossly inefficient way to get the (constant) group order...
|
|
|
|
|
|
|
|
BN_bin2bn(vchTweak, 32, bnTweak); |
|
|
|
|
|
|
|
if (BN_cmp(bnTweak, bnOrder) >= 0) |
|
|
|
|
|
|
|
ret = false; // extremely unlikely
|
|
|
|
|
|
|
|
EC_POINT *point = EC_POINT_dup(EC_KEY_get0_public_key(pkey), group); |
|
|
|
|
|
|
|
BN_one(bnOne); |
|
|
|
|
|
|
|
EC_POINT_mul(group, point, bnTweak, point, bnOne, ctx); |
|
|
|
|
|
|
|
if (EC_POINT_is_at_infinity(group, point)) |
|
|
|
|
|
|
|
ret = false; // ridiculously unlikely
|
|
|
|
|
|
|
|
EC_KEY_set_public_key(pkey, point); |
|
|
|
|
|
|
|
EC_POINT_free(point); |
|
|
|
|
|
|
|
BN_CTX_end(ctx); |
|
|
|
|
|
|
|
BN_CTX_free(ctx); |
|
|
|
|
|
|
|
return ret; |
|
|
|
|
|
|
|
} |
|
|
|
}; |
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
}; // end of anonymous namespace
|
|
|
|
}; // end of anonymous namespace
|
|
|
@ -393,3 +445,131 @@ bool CPubKey::Decompress() { |
|
|
|
key.GetPubKey(*this, false); |
|
|
|
key.GetPubKey(*this, false); |
|
|
|
return true; |
|
|
|
return true; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void static BIP32Hash(const unsigned char chainCode[32], unsigned int nChild, unsigned char header, const unsigned char data[32], unsigned char output[64]) { |
|
|
|
|
|
|
|
unsigned char num[4]; |
|
|
|
|
|
|
|
num[0] = (nChild >> 24) & 0xFF; |
|
|
|
|
|
|
|
num[1] = (nChild >> 16) & 0xFF; |
|
|
|
|
|
|
|
num[2] = (nChild >> 8) & 0xFF; |
|
|
|
|
|
|
|
num[3] = (nChild >> 0) & 0xFF; |
|
|
|
|
|
|
|
HMAC_SHA512_CTX ctx; |
|
|
|
|
|
|
|
HMAC_SHA512_Init(&ctx, chainCode, 32); |
|
|
|
|
|
|
|
HMAC_SHA512_Update(&ctx, &header, 1); |
|
|
|
|
|
|
|
HMAC_SHA512_Update(&ctx, data, 32); |
|
|
|
|
|
|
|
HMAC_SHA512_Update(&ctx, num, 4); |
|
|
|
|
|
|
|
HMAC_SHA512_Final(output, &ctx); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bool CKey::Derive(CKey& keyChild, unsigned char ccChild[32], unsigned int nChild, const unsigned char cc[32]) const { |
|
|
|
|
|
|
|
assert(IsValid()); |
|
|
|
|
|
|
|
assert(IsCompressed()); |
|
|
|
|
|
|
|
unsigned char out[64]; |
|
|
|
|
|
|
|
LockObject(out); |
|
|
|
|
|
|
|
if ((nChild >> 31) == 0) { |
|
|
|
|
|
|
|
CPubKey pubkey = GetPubKey(); |
|
|
|
|
|
|
|
assert(pubkey.begin() + 33 == pubkey.end()); |
|
|
|
|
|
|
|
BIP32Hash(cc, nChild, *pubkey.begin(), pubkey.begin()+1, out); |
|
|
|
|
|
|
|
} else { |
|
|
|
|
|
|
|
assert(begin() + 32 == end()); |
|
|
|
|
|
|
|
BIP32Hash(cc, nChild, 0, begin(), out); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
memcpy(ccChild, out+32, 32); |
|
|
|
|
|
|
|
bool ret = CECKey::TweakSecret((unsigned char*)keyChild.begin(), begin(), out); |
|
|
|
|
|
|
|
UnlockObject(out); |
|
|
|
|
|
|
|
keyChild.fCompressed = true; |
|
|
|
|
|
|
|
keyChild.fValid = ret; |
|
|
|
|
|
|
|
return ret; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bool CPubKey::Derive(CPubKey& pubkeyChild, unsigned char ccChild[32], unsigned int nChild, const unsigned char cc[32]) const { |
|
|
|
|
|
|
|
assert(IsValid()); |
|
|
|
|
|
|
|
assert((nChild >> 31) == 0); |
|
|
|
|
|
|
|
assert(begin() + 33 == end()); |
|
|
|
|
|
|
|
unsigned char out[64]; |
|
|
|
|
|
|
|
BIP32Hash(cc, nChild, *begin(), begin()+1, out); |
|
|
|
|
|
|
|
memcpy(ccChild, out+32, 32); |
|
|
|
|
|
|
|
CECKey key; |
|
|
|
|
|
|
|
bool ret = key.SetPubKey(*this); |
|
|
|
|
|
|
|
ret &= key.TweakPublic(out); |
|
|
|
|
|
|
|
key.GetPubKey(pubkeyChild, true); |
|
|
|
|
|
|
|
return ret; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bool CExtKey::Derive(CExtKey &out, unsigned int nChild) const { |
|
|
|
|
|
|
|
out.nDepth = nDepth + 1; |
|
|
|
|
|
|
|
CKeyID id = key.GetPubKey().GetID(); |
|
|
|
|
|
|
|
memcpy(&out.vchFingerprint[0], &id, 4); |
|
|
|
|
|
|
|
out.nChild = nChild; |
|
|
|
|
|
|
|
return key.Derive(out.key, out.vchChainCode, nChild, vchChainCode); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void CExtKey::SetMaster(const unsigned char *seed, unsigned int nSeedLen) { |
|
|
|
|
|
|
|
static const char hashkey[] = {'B','i','t','c','o','i','n',' ','s','e','e','d'}; |
|
|
|
|
|
|
|
HMAC_SHA512_CTX ctx; |
|
|
|
|
|
|
|
HMAC_SHA512_Init(&ctx, hashkey, sizeof(hashkey)); |
|
|
|
|
|
|
|
HMAC_SHA512_Update(&ctx, seed, nSeedLen); |
|
|
|
|
|
|
|
unsigned char out[64]; |
|
|
|
|
|
|
|
LockObject(out); |
|
|
|
|
|
|
|
HMAC_SHA512_Final(out, &ctx); |
|
|
|
|
|
|
|
key.Set(&out[0], &out[32], true); |
|
|
|
|
|
|
|
memcpy(vchChainCode, &out[32], 32); |
|
|
|
|
|
|
|
UnlockObject(out); |
|
|
|
|
|
|
|
nDepth = 0; |
|
|
|
|
|
|
|
nChild = 0; |
|
|
|
|
|
|
|
memset(vchFingerprint, 0, sizeof(vchFingerprint)); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
CExtPubKey CExtKey::Neuter() const { |
|
|
|
|
|
|
|
CExtPubKey ret; |
|
|
|
|
|
|
|
ret.nDepth = nDepth; |
|
|
|
|
|
|
|
memcpy(&ret.vchFingerprint[0], &vchFingerprint[0], 4); |
|
|
|
|
|
|
|
ret.nChild = nChild; |
|
|
|
|
|
|
|
ret.pubkey = key.GetPubKey(); |
|
|
|
|
|
|
|
memcpy(&ret.vchChainCode[0], &vchChainCode[0], 32); |
|
|
|
|
|
|
|
return ret; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void CExtKey::Encode(unsigned char code[74]) const { |
|
|
|
|
|
|
|
code[0] = nDepth; |
|
|
|
|
|
|
|
memcpy(code+1, vchFingerprint, 4); |
|
|
|
|
|
|
|
code[5] = (nChild >> 24) & 0xFF; code[6] = (nChild >> 16) & 0xFF; |
|
|
|
|
|
|
|
code[7] = (nChild >> 8) & 0xFF; code[8] = (nChild >> 0) & 0xFF; |
|
|
|
|
|
|
|
memcpy(code+9, vchChainCode, 32); |
|
|
|
|
|
|
|
code[41] = 0; |
|
|
|
|
|
|
|
assert(key.size() == 32); |
|
|
|
|
|
|
|
memcpy(code+42, key.begin(), 32); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void CExtKey::Decode(const unsigned char code[74]) { |
|
|
|
|
|
|
|
nDepth = code[0]; |
|
|
|
|
|
|
|
memcpy(vchFingerprint, code+1, 4); |
|
|
|
|
|
|
|
nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8]; |
|
|
|
|
|
|
|
memcpy(vchChainCode, code+9, 32); |
|
|
|
|
|
|
|
key.Set(code+42, code+74, true); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void CExtPubKey::Encode(unsigned char code[74]) const { |
|
|
|
|
|
|
|
code[0] = nDepth; |
|
|
|
|
|
|
|
memcpy(code+1, vchFingerprint, 4); |
|
|
|
|
|
|
|
code[5] = (nChild >> 24) & 0xFF; code[6] = (nChild >> 16) & 0xFF; |
|
|
|
|
|
|
|
code[7] = (nChild >> 8) & 0xFF; code[8] = (nChild >> 0) & 0xFF; |
|
|
|
|
|
|
|
memcpy(code+9, vchChainCode, 32); |
|
|
|
|
|
|
|
assert(pubkey.size() == 33); |
|
|
|
|
|
|
|
memcpy(code+41, pubkey.begin(), 33); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void CExtPubKey::Decode(const unsigned char code[74]) { |
|
|
|
|
|
|
|
nDepth = code[0]; |
|
|
|
|
|
|
|
memcpy(vchFingerprint, code+1, 4); |
|
|
|
|
|
|
|
nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8]; |
|
|
|
|
|
|
|
memcpy(vchChainCode, code+9, 32); |
|
|
|
|
|
|
|
pubkey.Set(code+41, code+74); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bool CExtPubKey::Derive(CExtPubKey &out, unsigned int nChild) const { |
|
|
|
|
|
|
|
out.nDepth = nDepth + 1; |
|
|
|
|
|
|
|
CKeyID id = pubkey.GetID(); |
|
|
|
|
|
|
|
memcpy(&out.vchFingerprint[0], &id, 4); |
|
|
|
|
|
|
|
out.nChild = nChild; |
|
|
|
|
|
|
|
return pubkey.Derive(out.pubkey, out.vchChainCode, nChild, vchChainCode); |
|
|
|
|
|
|
|
} |
|
|
|