|
| 1 | +from io import BytesIO |
| 2 | + |
| 3 | +import hashlib |
| 4 | +import hmac |
| 5 | + |
| 6 | +from buidl.helper import ( |
| 7 | + big_endian_to_int, |
| 8 | + encode_base58_checksum, |
| 9 | + encode_bech32_checksum, |
| 10 | + hash160, |
| 11 | + hash256, |
| 12 | + int_to_big_endian, |
| 13 | + raw_decode_base58, |
| 14 | +) |
| 15 | +from buidl._libsec import ffi, lib |
| 16 | + |
| 17 | + |
| 18 | +GLOBAL_CTX = ffi.gc( |
| 19 | + lib.secp256k1_context_create( |
| 20 | + lib.SECP256K1_CONTEXT_SIGN | lib.SECP256K1_CONTEXT_VERIFY |
| 21 | + ), |
| 22 | + lib.secp256k1_context_destroy, |
| 23 | +) |
| 24 | +P = 2 ** 256 - 2 ** 32 - 977 |
| 25 | +N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 |
| 26 | + |
| 27 | + |
| 28 | +class S256Point: |
| 29 | + def __init__(self, csec=None, usec=None): |
| 30 | + if usec: |
| 31 | + self.usec = usec |
| 32 | + self.csec = None |
| 33 | + sec_cache = usec |
| 34 | + elif csec: |
| 35 | + self.csec = csec |
| 36 | + self.usec = None |
| 37 | + sec_cache = csec |
| 38 | + else: |
| 39 | + raise RuntimeError("need a serialization") |
| 40 | + self.c = ffi.new("secp256k1_pubkey *") |
| 41 | + if not lib.secp256k1_ec_pubkey_parse( |
| 42 | + GLOBAL_CTX, self.c, sec_cache, len(sec_cache) |
| 43 | + ): |
| 44 | + raise ValueError("libsecp256k1 produced error") |
| 45 | + |
| 46 | + def __eq__(self, other): |
| 47 | + return self.sec() == other.sec() |
| 48 | + |
| 49 | + def __repr__(self): |
| 50 | + return "S256Point({})".format(self.sec(compressed=False).hex()) |
| 51 | + |
| 52 | + def __rmul__(self, coefficient): |
| 53 | + coef = coefficient % N |
| 54 | + new_key = ffi.new("secp256k1_pubkey *") |
| 55 | + s = self.sec(compressed=False) |
| 56 | + lib.secp256k1_ec_pubkey_parse(GLOBAL_CTX, new_key, s, len(s)) |
| 57 | + lib.secp256k1_ec_pubkey_tweak_mul(GLOBAL_CTX, new_key, coef.to_bytes(32, "big")) |
| 58 | + serialized = ffi.new("unsigned char [65]") |
| 59 | + output_len = ffi.new("size_t *", 65) |
| 60 | + lib.secp256k1_ec_pubkey_serialize( |
| 61 | + GLOBAL_CTX, serialized, output_len, new_key, lib.SECP256K1_EC_UNCOMPRESSED |
| 62 | + ) |
| 63 | + return self.__class__(usec=bytes(serialized)) |
| 64 | + |
| 65 | + def __add__(self, scalar): |
| 66 | + """Multiplies scalar by generator, adds result to current point""" |
| 67 | + coef = scalar % N |
| 68 | + new_key = ffi.new("secp256k1_pubkey *") |
| 69 | + s = self.sec(compressed=False) |
| 70 | + lib.secp256k1_ec_pubkey_parse(GLOBAL_CTX, new_key, s, len(s)) |
| 71 | + lib.secp256k1_ec_pubkey_tweak_add(GLOBAL_CTX, new_key, coef.to_bytes(32, "big")) |
| 72 | + serialized = ffi.new("unsigned char [65]") |
| 73 | + output_len = ffi.new("size_t *", 65) |
| 74 | + lib.secp256k1_ec_pubkey_serialize( |
| 75 | + GLOBAL_CTX, serialized, output_len, new_key, lib.SECP256K1_EC_UNCOMPRESSED |
| 76 | + ) |
| 77 | + return self.__class__(usec=bytes(serialized)) |
| 78 | + |
| 79 | + def verify(self, z, sig): |
| 80 | + msg = z.to_bytes(32, "big") |
| 81 | + sig_data = sig.cdata() |
| 82 | + return lib.secp256k1_ecdsa_verify(GLOBAL_CTX, sig_data, msg, self.c) |
| 83 | + |
| 84 | + def sec(self, compressed=True): |
| 85 | + """returns the binary version of the SEC format""" |
| 86 | + if compressed: |
| 87 | + if not self.csec: |
| 88 | + serialized = ffi.new("unsigned char [33]") |
| 89 | + output_len = ffi.new("size_t *", 33) |
| 90 | + |
| 91 | + lib.secp256k1_ec_pubkey_serialize( |
| 92 | + GLOBAL_CTX, |
| 93 | + serialized, |
| 94 | + output_len, |
| 95 | + self.c, |
| 96 | + lib.SECP256K1_EC_COMPRESSED, |
| 97 | + ) |
| 98 | + self.csec = bytes(ffi.buffer(serialized, 33)) |
| 99 | + return self.csec |
| 100 | + else: |
| 101 | + if not self.usec: |
| 102 | + serialized = ffi.new("unsigned char [65]") |
| 103 | + output_len = ffi.new("size_t *", 65) |
| 104 | + |
| 105 | + lib.secp256k1_ec_pubkey_serialize( |
| 106 | + GLOBAL_CTX, |
| 107 | + serialized, |
| 108 | + output_len, |
| 109 | + self.c, |
| 110 | + lib.SECP256K1_EC_UNCOMPRESSED, |
| 111 | + ) |
| 112 | + self.usec = bytes(ffi.buffer(serialized, 65)) |
| 113 | + return self.usec |
| 114 | + |
| 115 | + def hash160(self, compressed=True): |
| 116 | + # get the sec |
| 117 | + sec = self.sec(compressed) |
| 118 | + # hash160 the sec |
| 119 | + return hash160(sec) |
| 120 | + |
| 121 | + def p2pkh_script(self, compressed=True): |
| 122 | + """Returns the p2pkh Script object""" |
| 123 | + h160 = self.hash160(compressed) |
| 124 | + # avoid circular dependency |
| 125 | + from buidl.script import P2PKHScriptPubKey |
| 126 | + |
| 127 | + return P2PKHScriptPubKey(h160) |
| 128 | + |
| 129 | + def p2wpkh_script(self): |
| 130 | + """Returns the p2wpkh Script object""" |
| 131 | + h160 = self.hash160(True) |
| 132 | + # avoid circular dependency |
| 133 | + from buidl.script import P2WPKHScriptPubKey |
| 134 | + |
| 135 | + return P2WPKHScriptPubKey(h160) |
| 136 | + |
| 137 | + def p2sh_p2wpkh_redeem_script(self): |
| 138 | + """Returns the RedeemScript for a p2sh-p2wpkh redemption""" |
| 139 | + return self.p2wpkh_script().redeem_script() |
| 140 | + |
| 141 | + def address(self, compressed=True, testnet=False): |
| 142 | + """Returns the p2pkh address string""" |
| 143 | + return self.p2pkh_script(compressed).address(testnet) |
| 144 | + |
| 145 | + def bech32_address(self, testnet=False): |
| 146 | + """Returns the p2wpkh bech32 address string""" |
| 147 | + return self.p2wpkh_script().address(testnet) |
| 148 | + |
| 149 | + def p2sh_p2wpkh_address(self, testnet=False): |
| 150 | + """Returns the p2sh-p2wpkh base58 address string""" |
| 151 | + return self.p2wpkh_script().p2sh_address(testnet) |
| 152 | + |
| 153 | + def verify_message(self, message, sig): |
| 154 | + """Verify a message in the form of bytes. Assumes that the z |
| 155 | + is calculated using hash256 interpreted as a big-endian integer""" |
| 156 | + # calculate the hash256 of the message |
| 157 | + h256 = hash256(message) |
| 158 | + # z is the big-endian interpretation. use big_endian_to_int |
| 159 | + z = big_endian_to_int(h256) |
| 160 | + # verify the message using the self.verify method |
| 161 | + return self.verify(z, sig) |
| 162 | + |
| 163 | + @classmethod |
| 164 | + def parse(self, sec_bin): |
| 165 | + """returns a Point object from a SEC binary (not hex)""" |
| 166 | + if sec_bin[0] == 4: |
| 167 | + x = int.from_bytes(sec_bin[1:33], "big") |
| 168 | + y = int.from_bytes(sec_bin[33:65], "big") |
| 169 | + return S256Point(usec=sec_bin) |
| 170 | + else: |
| 171 | + return S256Point(csec=sec_bin) |
| 172 | + |
| 173 | + |
| 174 | +G = S256Point( |
| 175 | + usec=bytes.fromhex( |
| 176 | + "0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8" |
| 177 | + ) |
| 178 | +) |
| 179 | + |
| 180 | + |
| 181 | +class Signature: |
| 182 | + def __init__(self, der=None, c=None): |
| 183 | + if der: |
| 184 | + self.der_cache = der |
| 185 | + self.c = ffi.new("secp256k1_ecdsa_signature *") |
| 186 | + if not lib.secp256k1_ecdsa_signature_parse_der( |
| 187 | + GLOBAL_CTX, self.c, der, len(der) |
| 188 | + ): |
| 189 | + raise RuntimeError("badly formatted signature {}".format(der.hex())) |
| 190 | + elif c: |
| 191 | + self.c = c |
| 192 | + self.der_cache = None |
| 193 | + else: |
| 194 | + raise RuntimeError("need der or c object") |
| 195 | + |
| 196 | + def __eq__(self, other): |
| 197 | + return self.der() == other.der() |
| 198 | + |
| 199 | + def __repr__(self): |
| 200 | + return "Signature()".format(self.der().hex()) |
| 201 | + |
| 202 | + def der(self): |
| 203 | + if not self.der_cache: |
| 204 | + der = ffi.new("unsigned char[72]") |
| 205 | + der_length = ffi.new("size_t *", 72) |
| 206 | + lib.secp256k1_ecdsa_signature_serialize_der( |
| 207 | + GLOBAL_CTX, der, der_length, self.c |
| 208 | + ) |
| 209 | + self.der_cache = bytes(ffi.buffer(der, der_length[0])) |
| 210 | + return self.der_cache |
| 211 | + |
| 212 | + def cdata(self): |
| 213 | + return self.c |
| 214 | + |
| 215 | + @classmethod |
| 216 | + def parse(cls, der): |
| 217 | + return cls(der=der) |
| 218 | + |
| 219 | + |
| 220 | +class PrivateKey: |
| 221 | + def __init__(self, secret, testnet=False): |
| 222 | + self.secret = secret |
| 223 | + self.point = secret * G |
| 224 | + self.testnet = testnet |
| 225 | + |
| 226 | + def hex(self): |
| 227 | + return "{:x}".format(self.secret).zfill(64) |
| 228 | + |
| 229 | + def sign(self, z): |
| 230 | + secret = self.secret.to_bytes(32, "big") |
| 231 | + msg = z.to_bytes(32, "big") |
| 232 | + csig = ffi.new("secp256k1_ecdsa_signature *") |
| 233 | + if not lib.secp256k1_ecdsa_sign( |
| 234 | + GLOBAL_CTX, csig, msg, secret, ffi.NULL, ffi.NULL |
| 235 | + ): |
| 236 | + raise RuntimeError("something went wrong with c signing") |
| 237 | + sig = Signature(c=csig) |
| 238 | + if not self.point.verify(z, sig): |
| 239 | + raise RuntimeError("something went wrong with signing") |
| 240 | + return sig |
| 241 | + |
| 242 | + def deterministic_k(self, z): |
| 243 | + k = b"\x00" * 32 |
| 244 | + v = b"\x01" * 32 |
| 245 | + if z > N: |
| 246 | + z -= N |
| 247 | + z_bytes = int_to_big_endian(z, 32) |
| 248 | + secret_bytes = int_to_big_endian(self.secret, 32) |
| 249 | + s256 = hashlib.sha256 |
| 250 | + k = hmac.new(k, v + b"\x00" + secret_bytes + z_bytes, s256).digest() |
| 251 | + v = hmac.new(k, v, s256).digest() |
| 252 | + k = hmac.new(k, v + b"\x01" + secret_bytes + z_bytes, s256).digest() |
| 253 | + v = hmac.new(k, v, s256).digest() |
| 254 | + while True: |
| 255 | + v = hmac.new(k, v, s256).digest() |
| 256 | + candidate = big_endian_to_int(v) |
| 257 | + if candidate >= 1 and candidate < N: |
| 258 | + return candidate |
| 259 | + k = hmac.new(k, v + b"\x00", s256).digest() |
| 260 | + v = hmac.new(k, v, s256).digest() |
| 261 | + |
| 262 | + def sign_message(self, message): |
| 263 | + """Sign a message in the form of bytes instead of the z. The z should |
| 264 | + be assumed to be the hash256 of the message interpreted as a big-endian |
| 265 | + integer.""" |
| 266 | + # compute the hash256 of the message |
| 267 | + h256 = hash256(message) |
| 268 | + # z is the big-endian interpretation. use big_endian_to_int |
| 269 | + z = big_endian_to_int(h256) |
| 270 | + # sign the message using the self.sign method |
| 271 | + return self.sign(z) |
| 272 | + |
| 273 | + @classmethod |
| 274 | + def parse(cls, wif): |
| 275 | + """Converts WIF to a PrivateKey object""" |
| 276 | + raw = raw_decode_base58(wif) |
| 277 | + if len(raw) == 34: # compressed |
| 278 | + if raw[-1] != 1: |
| 279 | + raise ValueError("Invalid WIF") |
| 280 | + raw = raw[:-1] |
| 281 | + secret = big_endian_to_int(raw[1:]) |
| 282 | + if raw[0] == 0xEF: |
| 283 | + testnet = True |
| 284 | + elif raw[0] == 0x80: |
| 285 | + testnet = False |
| 286 | + else: |
| 287 | + raise ValueError("Invalid WIF") |
| 288 | + return cls(secret, testnet=testnet) |
| 289 | + |
| 290 | + def wif(self, compressed=True): |
| 291 | + # convert the secret from integer to a 32-bytes in big endian using num.to_bytes(32, 'big') |
| 292 | + secret_bytes = self.secret.to_bytes(32, "big") |
| 293 | + # prepend b'\xef' on testnet, b'\x80' on mainnet |
| 294 | + if self.testnet: |
| 295 | + prefix = b"\xef" |
| 296 | + else: |
| 297 | + prefix = b"\x80" |
| 298 | + # append b'\x01' if compressed |
| 299 | + if compressed: |
| 300 | + suffix = b"\x01" |
| 301 | + else: |
| 302 | + suffix = b"" |
| 303 | + # encode_base58_checksum the whole thing |
| 304 | + return encode_base58_checksum(prefix + secret_bytes + suffix) |
0 commit comments