LCOV - code coverage report
Current view: top level - src - key.cpp (source / functions) Coverage Total Hit
Test: test_bitcoin_coverage.info Lines: 97.2 % 283 275
Test Date: 2024-11-04 04:45:35 Functions: 100.0 % 29 29
Branches: 56.9 % 246 140

             Branch data     Line data    Source code
       1                 :             : // Copyright (c) 2009-2022 The Bitcoin Core developers
       2                 :             : // Copyright (c) 2017 The Zcash developers
       3                 :             : // Distributed under the MIT software license, see the accompanying
       4                 :             : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
       5                 :             : 
       6                 :             : #include <key.h>
       7                 :             : 
       8                 :             : #include <crypto/common.h>
       9                 :             : #include <crypto/hmac_sha512.h>
      10                 :             : #include <hash.h>
      11                 :             : #include <random.h>
      12                 :             : 
      13                 :             : #include <secp256k1.h>
      14                 :             : #include <secp256k1_ellswift.h>
      15                 :             : #include <secp256k1_extrakeys.h>
      16                 :             : #include <secp256k1_recovery.h>
      17                 :             : #include <secp256k1_schnorrsig.h>
      18                 :             : 
      19                 :             : static secp256k1_context* secp256k1_context_sign = nullptr;
      20                 :             : 
      21                 :             : /** These functions are taken from the libsecp256k1 distribution and are very ugly. */
      22                 :             : 
      23                 :             : /**
      24                 :             :  * This parses a format loosely based on a DER encoding of the ECPrivateKey type from
      25                 :             :  * section C.4 of SEC 1 <https://www.secg.org/sec1-v2.pdf>, with the following caveats:
      26                 :             :  *
      27                 :             :  * * The octet-length of the SEQUENCE must be encoded as 1 or 2 octets. It is not
      28                 :             :  *   required to be encoded as one octet if it is less than 256, as DER would require.
      29                 :             :  * * The octet-length of the SEQUENCE must not be greater than the remaining
      30                 :             :  *   length of the key encoding, but need not match it (i.e. the encoding may contain
      31                 :             :  *   junk after the encoded SEQUENCE).
      32                 :             :  * * The privateKey OCTET STRING is zero-filled on the left to 32 octets.
      33                 :             :  * * Anything after the encoding of the privateKey OCTET STRING is ignored, whether
      34                 :             :  *   or not it is validly encoded DER.
      35                 :             :  *
      36                 :             :  * out32 must point to an output buffer of length at least 32 bytes.
      37                 :             :  */
      38                 :          18 : int ec_seckey_import_der(const secp256k1_context* ctx, unsigned char *out32, const unsigned char *seckey, size_t seckeylen) {
      39                 :          18 :     const unsigned char *end = seckey + seckeylen;
      40         [ +  - ]:          18 :     memset(out32, 0, 32);
      41                 :             :     /* sequence header */
      42   [ +  -  +  - ]:          18 :     if (end - seckey < 1 || *seckey != 0x30u) {
      43                 :             :         return 0;
      44                 :             :     }
      45                 :          18 :     seckey++;
      46                 :             :     /* sequence length constructor */
      47   [ +  -  +  - ]:          18 :     if (end - seckey < 1 || !(*seckey & 0x80u)) {
      48                 :             :         return 0;
      49                 :             :     }
      50                 :          18 :     ptrdiff_t lenb = *seckey & ~0x80u; seckey++;
      51         [ +  - ]:          18 :     if (lenb < 1 || lenb > 2) {
      52                 :             :         return 0;
      53                 :             :     }
      54         [ +  - ]:          18 :     if (end - seckey < lenb) {
      55                 :             :         return 0;
      56                 :             :     }
      57                 :             :     /* sequence length */
      58         [ -  + ]:          18 :     ptrdiff_t len = seckey[lenb-1] | (lenb > 1 ? seckey[lenb-2] << 8 : 0u);
      59                 :          18 :     seckey += lenb;
      60         [ +  - ]:          18 :     if (end - seckey < len) {
      61                 :             :         return 0;
      62                 :             :     }
      63                 :             :     /* sequence element 0: version number (=1) */
      64   [ +  -  +  -  :          18 :     if (end - seckey < 3 || seckey[0] != 0x02u || seckey[1] != 0x01u || seckey[2] != 0x01u) {
             +  -  +  - ]
      65                 :             :         return 0;
      66                 :             :     }
      67                 :          18 :     seckey += 3;
      68                 :             :     /* sequence element 1: octet string, up to 32 bytes */
      69   [ +  -  +  - ]:          18 :     if (end - seckey < 2 || seckey[0] != 0x04u) {
      70                 :             :         return 0;
      71                 :             :     }
      72                 :          18 :     ptrdiff_t oslen = seckey[1];
      73                 :          18 :     seckey += 2;
      74   [ +  -  +  - ]:          18 :     if (oslen > 32 || end - seckey < oslen) {
      75                 :             :         return 0;
      76                 :             :     }
      77                 :          18 :     memcpy(out32 + (32 - oslen), seckey, oslen);
      78         [ -  + ]:          18 :     if (!secp256k1_ec_seckey_verify(ctx, out32)) {
      79                 :           0 :         memset(out32, 0, 32);
      80                 :           0 :         return 0;
      81                 :             :     }
      82                 :             :     return 1;
      83                 :             : }
      84                 :             : 
      85                 :             : /**
      86                 :             :  * This serializes to a DER encoding of the ECPrivateKey type from section C.4 of SEC 1
      87                 :             :  * <https://www.secg.org/sec1-v2.pdf>. The optional parameters and publicKey fields are
      88                 :             :  * included.
      89                 :             :  *
      90                 :             :  * seckey must point to an output buffer of length at least CKey::SIZE bytes.
      91                 :             :  * seckeylen must initially be set to the size of the seckey buffer. Upon return it
      92                 :             :  * will be set to the number of bytes used in the buffer.
      93                 :             :  * key32 must point to a 32-byte raw private key.
      94                 :             :  */
      95                 :        1335 : int ec_seckey_export_der(const secp256k1_context *ctx, unsigned char *seckey, size_t *seckeylen, const unsigned char *key32, bool compressed) {
      96         [ -  + ]:        1335 :     assert(*seckeylen >= CKey::SIZE);
      97                 :        1335 :     secp256k1_pubkey pubkey;
      98                 :        1335 :     size_t pubkeylen = 0;
      99         [ -  + ]:        1335 :     if (!secp256k1_ec_pubkey_create(ctx, &pubkey, key32)) {
     100                 :           0 :         *seckeylen = 0;
     101                 :           0 :         return 0;
     102                 :             :     }
     103         [ +  + ]:        1335 :     if (compressed) {
     104                 :        1325 :         static const unsigned char begin[] = {
     105                 :             :             0x30,0x81,0xD3,0x02,0x01,0x01,0x04,0x20
     106                 :             :         };
     107                 :        1325 :         static const unsigned char middle[] = {
     108                 :             :             0xA0,0x81,0x85,0x30,0x81,0x82,0x02,0x01,0x01,0x30,0x2C,0x06,0x07,0x2A,0x86,0x48,
     109                 :             :             0xCE,0x3D,0x01,0x01,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     110                 :             :             0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     111                 :             :             0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F,0x30,0x06,0x04,0x01,0x00,0x04,0x01,0x07,0x04,
     112                 :             :             0x21,0x02,0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0,0x62,0x95,0xCE,0x87,
     113                 :             :             0x0B,0x07,0x02,0x9B,0xFC,0xDB,0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8,
     114                 :             :             0x17,0x98,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     115                 :             :             0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,
     116                 :             :             0x8C,0xD0,0x36,0x41,0x41,0x02,0x01,0x01,0xA1,0x24,0x03,0x22,0x00
     117                 :             :         };
     118                 :        1325 :         unsigned char *ptr = seckey;
     119                 :        1325 :         memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
     120                 :        1325 :         memcpy(ptr, key32, 32); ptr += 32;
     121                 :        1325 :         memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
     122                 :        1325 :         pubkeylen = CPubKey::COMPRESSED_SIZE;
     123                 :        1325 :         secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED);
     124                 :        1325 :         ptr += pubkeylen;
     125                 :        1325 :         *seckeylen = ptr - seckey;
     126         [ -  + ]:        1325 :         assert(*seckeylen == CKey::COMPRESSED_SIZE);
     127                 :             :     } else {
     128                 :          10 :         static const unsigned char begin[] = {
     129                 :             :             0x30,0x82,0x01,0x13,0x02,0x01,0x01,0x04,0x20
     130                 :             :         };
     131                 :          10 :         static const unsigned char middle[] = {
     132                 :             :             0xA0,0x81,0xA5,0x30,0x81,0xA2,0x02,0x01,0x01,0x30,0x2C,0x06,0x07,0x2A,0x86,0x48,
     133                 :             :             0xCE,0x3D,0x01,0x01,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     134                 :             :             0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     135                 :             :             0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F,0x30,0x06,0x04,0x01,0x00,0x04,0x01,0x07,0x04,
     136                 :             :             0x41,0x04,0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0,0x62,0x95,0xCE,0x87,
     137                 :             :             0x0B,0x07,0x02,0x9B,0xFC,0xDB,0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8,
     138                 :             :             0x17,0x98,0x48,0x3A,0xDA,0x77,0x26,0xA3,0xC4,0x65,0x5D,0xA4,0xFB,0xFC,0x0E,0x11,
     139                 :             :             0x08,0xA8,0xFD,0x17,0xB4,0x48,0xA6,0x85,0x54,0x19,0x9C,0x47,0xD0,0x8F,0xFB,0x10,
     140                 :             :             0xD4,0xB8,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     141                 :             :             0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,
     142                 :             :             0x8C,0xD0,0x36,0x41,0x41,0x02,0x01,0x01,0xA1,0x44,0x03,0x42,0x00
     143                 :             :         };
     144                 :          10 :         unsigned char *ptr = seckey;
     145                 :          10 :         memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
     146                 :          10 :         memcpy(ptr, key32, 32); ptr += 32;
     147                 :          10 :         memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
     148                 :          10 :         pubkeylen = CPubKey::SIZE;
     149                 :          10 :         secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
     150                 :          10 :         ptr += pubkeylen;
     151                 :          10 :         *seckeylen = ptr - seckey;
     152         [ -  + ]:          10 :         assert(*seckeylen == CKey::SIZE);
     153                 :             :     }
     154                 :             :     return 1;
     155                 :             : }
     156                 :             : 
     157                 :       17241 : bool CKey::Check(const unsigned char *vch) {
     158                 :       17241 :     return secp256k1_ec_seckey_verify(secp256k1_context_sign, vch);
     159                 :             : }
     160                 :             : 
     161                 :         220 : void CKey::MakeNewKey(bool fCompressedIn) {
     162                 :         220 :     MakeKeyData();
     163                 :         220 :     do {
     164                 :         220 :         GetStrongRandBytes(*keydata);
     165         [ -  + ]:         220 :     } while (!Check(keydata->data()));
     166                 :         220 :     fCompressed = fCompressedIn;
     167                 :         220 : }
     168                 :             : 
     169                 :        1335 : CPrivKey CKey::GetPrivKey() const {
     170         [ -  + ]:        1335 :     assert(keydata);
     171                 :        1335 :     CPrivKey seckey;
     172                 :        1335 :     int ret;
     173                 :        1335 :     size_t seckeylen;
     174         [ +  - ]:        1335 :     seckey.resize(SIZE);
     175                 :        1335 :     seckeylen = SIZE;
     176   [ +  -  +  - ]:        2670 :     ret = ec_seckey_export_der(secp256k1_context_sign, seckey.data(), &seckeylen, UCharCast(begin()), fCompressed);
     177         [ -  + ]:        1335 :     assert(ret);
     178         [ +  - ]:        1335 :     seckey.resize(seckeylen);
     179                 :        1335 :     return seckey;
     180                 :           0 : }
     181                 :             : 
     182                 :       30055 : CPubKey CKey::GetPubKey() const {
     183         [ -  + ]:       30055 :     assert(keydata);
     184                 :       30055 :     secp256k1_pubkey pubkey;
     185                 :       30055 :     size_t clen = CPubKey::SIZE;
     186                 :       30055 :     CPubKey result;
     187                 :       30055 :     int ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &pubkey, UCharCast(begin()));
     188         [ -  + ]:       30055 :     assert(ret);
     189         [ +  + ]:       30141 :     secp256k1_ec_pubkey_serialize(secp256k1_context_sign, (unsigned char*)result.begin(), &clen, &pubkey, fCompressed ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
     190         [ -  + ]:       30055 :     assert(result.size() == clen);
     191   [ -  +  -  + ]:       60110 :     assert(result.IsValid());
     192                 :       30055 :     return result;
     193                 :             : }
     194                 :             : 
     195                 :             : // Check that the sig has a low R value and will be less than 71 bytes
     196                 :       23726 : bool SigHasLowR(const secp256k1_ecdsa_signature* sig)
     197                 :             : {
     198                 :       23726 :     unsigned char compact_sig[64];
     199                 :       23726 :     secp256k1_ecdsa_signature_serialize_compact(secp256k1_context_sign, compact_sig, sig);
     200                 :             : 
     201                 :             :     // In DER serialization, all values are interpreted as big-endian, signed integers. The highest bit in the integer indicates
     202                 :             :     // its signed-ness; 0 is positive, 1 is negative. When the value is interpreted as a negative integer, it must be converted
     203                 :             :     // to a positive value by prepending a 0x00 byte so that the highest bit is 0. We can avoid this prepending by ensuring that
     204                 :             :     // our highest bit is always 0, and thus we must check that the first byte is less than 0x80.
     205                 :       23726 :     return compact_sig[0] < 0x80;
     206                 :             : }
     207                 :             : 
     208                 :       12434 : bool CKey::Sign(const uint256 &hash, std::vector<unsigned char>& vchSig, bool grind, uint32_t test_case) const {
     209         [ +  - ]:       12434 :     if (!keydata)
     210                 :             :         return false;
     211                 :       12434 :     vchSig.resize(CPubKey::SIGNATURE_SIZE);
     212                 :       12434 :     size_t nSigLen = CPubKey::SIGNATURE_SIZE;
     213                 :       12434 :     unsigned char extra_entropy[32] = {0};
     214                 :       12434 :     WriteLE32(extra_entropy, test_case);
     215                 :       12434 :     secp256k1_ecdsa_signature sig;
     216                 :       12434 :     uint32_t counter = 0;
     217   [ +  +  +  - ]:       36103 :     int ret = secp256k1_ecdsa_sign(secp256k1_context_sign, &sig, hash.begin(), UCharCast(begin()), secp256k1_nonce_function_rfc6979, (!grind && test_case) ? extra_entropy : nullptr);
     218                 :             : 
     219                 :             :     // Grind for low R
     220   [ +  -  +  +  :       36160 :     while (ret && !SigHasLowR(&sig) && grind) {
                   +  + ]
     221                 :       11292 :         WriteLE32(extra_entropy, ++counter);
     222         [ +  - ]:       22584 :         ret = secp256k1_ecdsa_sign(secp256k1_context_sign, &sig, hash.begin(), UCharCast(begin()), secp256k1_nonce_function_rfc6979, extra_entropy);
     223                 :             :     }
     224         [ -  + ]:       12434 :     assert(ret);
     225                 :       12434 :     secp256k1_ecdsa_signature_serialize_der(secp256k1_context_sign, vchSig.data(), &nSigLen, &sig);
     226                 :       12434 :     vchSig.resize(nSigLen);
     227                 :             :     // Additional verification step to prevent using a potentially corrupted signature
     228                 :       12434 :     secp256k1_pubkey pk;
     229         [ +  - ]:       24868 :     ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &pk, UCharCast(begin()));
     230         [ -  + ]:       12434 :     assert(ret);
     231                 :       12434 :     ret = secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pk);
     232         [ -  + ]:       12434 :     assert(ret);
     233                 :             :     return true;
     234                 :             : }
     235                 :             : 
     236                 :        5064 : bool CKey::VerifyPubKey(const CPubKey& pubkey) const {
     237         [ +  + ]:        5064 :     if (pubkey.IsCompressed() != fCompressed) {
     238                 :             :         return false;
     239                 :             :     }
     240                 :        5056 :     unsigned char rnd[8];
     241                 :        5056 :     std::string str = "Bitcoin key verification\n";
     242                 :        5056 :     GetRandBytes(rnd);
     243         [ +  - ]:        5056 :     uint256 hash{Hash(str, rnd)};
     244                 :        5056 :     std::vector<unsigned char> vchSig;
     245         [ +  - ]:        5056 :     Sign(hash, vchSig);
     246         [ +  - ]:        5056 :     return pubkey.Verify(hash, vchSig);
     247                 :        5056 : }
     248                 :             : 
     249                 :          70 : bool CKey::SignCompact(const uint256 &hash, std::vector<unsigned char>& vchSig) const {
     250         [ +  + ]:          70 :     if (!keydata)
     251                 :             :         return false;
     252                 :          69 :     vchSig.resize(CPubKey::COMPACT_SIGNATURE_SIZE);
     253                 :          69 :     int rec = -1;
     254                 :          69 :     secp256k1_ecdsa_recoverable_signature rsig;
     255         [ +  - ]:         138 :     int ret = secp256k1_ecdsa_sign_recoverable(secp256k1_context_sign, &rsig, hash.begin(), UCharCast(begin()), secp256k1_nonce_function_rfc6979, nullptr);
     256         [ -  + ]:          69 :     assert(ret);
     257                 :          69 :     ret = secp256k1_ecdsa_recoverable_signature_serialize_compact(secp256k1_context_sign, &vchSig[1], &rec, &rsig);
     258         [ -  + ]:          69 :     assert(ret);
     259         [ -  + ]:          69 :     assert(rec != -1);
     260   [ +  +  +  - ]:         103 :     vchSig[0] = 27 + rec + (fCompressed ? 4 : 0);
     261                 :             :     // Additional verification step to prevent using a potentially corrupted signature
     262                 :          69 :     secp256k1_pubkey epk, rpk;
     263         [ +  - ]:         138 :     ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &epk, UCharCast(begin()));
     264         [ -  + ]:          69 :     assert(ret);
     265                 :          69 :     ret = secp256k1_ecdsa_recover(secp256k1_context_static, &rpk, &rsig, hash.begin());
     266         [ -  + ]:          69 :     assert(ret);
     267                 :          69 :     ret = secp256k1_ec_pubkey_cmp(secp256k1_context_static, &epk, &rpk);
     268         [ -  + ]:          69 :     assert(ret == 0);
     269                 :             :     return true;
     270                 :             : }
     271                 :             : 
     272                 :         378 : bool CKey::SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256* merkle_root, const uint256& aux) const
     273                 :             : {
     274                 :         378 :     KeyPair kp = ComputeKeyPair(merkle_root);
     275         [ +  - ]:         378 :     return kp.SignSchnorr(hash, sig, aux);
     276                 :         378 : }
     277                 :             : 
     278                 :          18 : bool CKey::Load(const CPrivKey &seckey, const CPubKey &vchPubKey, bool fSkipCheck=false) {
     279                 :          18 :     MakeKeyData();
     280   [ +  -  -  + ]:          36 :     if (!ec_seckey_import_der(secp256k1_context_sign, (unsigned char*)begin(), seckey.data(), seckey.size())) {
     281                 :           0 :         ClearKeyData();
     282                 :           0 :         return false;
     283                 :             :     }
     284         [ -  + ]:          18 :     fCompressed = vchPubKey.IsCompressed();
     285                 :             : 
     286         [ -  + ]:          18 :     if (fSkipCheck)
     287                 :             :         return true;
     288                 :             : 
     289                 :           0 :     return VerifyPubKey(vchPubKey);
     290                 :             : }
     291                 :             : 
     292                 :       11156 : bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
     293         [ -  + ]:       11156 :     assert(IsValid());
     294         [ -  + ]:       11156 :     assert(IsCompressed());
     295                 :       11156 :     std::vector<unsigned char, secure_allocator<unsigned char>> vout(64);
     296         [ +  + ]:       11156 :     if ((nChild >> 31) == 0) {
     297         [ +  - ]:        1085 :         CPubKey pubkey = GetPubKey();
     298         [ -  + ]:        1085 :         assert(pubkey.size() == CPubKey::COMPRESSED_SIZE);
     299         [ +  - ]:        1085 :         BIP32Hash(cc, nChild, *pubkey.begin(), pubkey.begin()+1, vout.data());
     300                 :             :     } else {
     301         [ +  - ]:       10071 :         assert(size() == 32);
     302         [ +  - ]:       10071 :         BIP32Hash(cc, nChild, 0, UCharCast(begin()), vout.data());
     303                 :             :     }
     304         [ +  - ]:       11156 :     memcpy(ccChild.begin(), vout.data()+32, 32);
     305   [ +  -  +  - ]:       22312 :     keyChild.Set(begin(), begin() + 32, true);
     306   [ +  -  +  - ]:       22312 :     bool ret = secp256k1_ec_seckey_tweak_add(secp256k1_context_sign, (unsigned char*)keyChild.begin(), vout.data());
     307         [ -  + ]:       11156 :     if (!ret) keyChild.ClearKeyData();
     308                 :       11156 :     return ret;
     309                 :       11156 : }
     310                 :             : 
     311                 :         154 : EllSwiftPubKey CKey::EllSwiftCreate(Span<const std::byte> ent32) const
     312                 :             : {
     313         [ -  + ]:         154 :     assert(keydata);
     314         [ -  + ]:         154 :     assert(ent32.size() == 32);
     315                 :         154 :     std::array<std::byte, EllSwiftPubKey::size()> encoded_pubkey;
     316                 :             : 
     317                 :         154 :     auto success = secp256k1_ellswift_create(secp256k1_context_sign,
     318                 :             :                                              UCharCast(encoded_pubkey.data()),
     319                 :         154 :                                              keydata->data(),
     320                 :             :                                              UCharCast(ent32.data()));
     321                 :             : 
     322                 :             :     // Should always succeed for valid keys (asserted above).
     323         [ -  + ]:         154 :     assert(success);
     324                 :         154 :     return {encoded_pubkey};
     325                 :             : }
     326                 :             : 
     327                 :         244 : ECDHSecret CKey::ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift, const EllSwiftPubKey& our_ellswift, bool initiating) const
     328                 :             : {
     329         [ -  + ]:         244 :     assert(keydata);
     330                 :             : 
     331                 :         244 :     ECDHSecret output;
     332                 :             :     // BIP324 uses the initiator as party A, and the responder as party B. Remap the inputs
     333                 :             :     // accordingly:
     334         [ +  + ]:         488 :     bool success = secp256k1_ellswift_xdh(secp256k1_context_sign,
     335                 :             :                                           UCharCast(output.data()),
     336                 :         244 :                                           UCharCast(initiating ? our_ellswift.data() : their_ellswift.data()),
     337                 :         244 :                                           UCharCast(initiating ? their_ellswift.data() : our_ellswift.data()),
     338                 :         244 :                                           keydata->data(),
     339                 :             :                                           initiating ? 0 : 1,
     340                 :             :                                           secp256k1_ellswift_xdh_hash_function_bip324,
     341                 :         244 :                                           nullptr);
     342                 :             :     // Should always succeed for valid keys (assert above).
     343         [ -  + ]:         244 :     assert(success);
     344                 :         244 :     return output;
     345                 :             : }
     346                 :             : 
     347                 :         422 : KeyPair CKey::ComputeKeyPair(const uint256* merkle_root) const
     348                 :             : {
     349                 :         422 :     return KeyPair(*this, merkle_root);
     350                 :             : }
     351                 :             : 
     352                 :         162 : CKey GenerateRandomKey(bool compressed) noexcept
     353                 :             : {
     354                 :         162 :     CKey key;
     355                 :         162 :     key.MakeNewKey(/*fCompressed=*/compressed);
     356                 :         162 :     return key;
     357                 :             : }
     358                 :             : 
     359                 :       11157 : bool CExtKey::Derive(CExtKey &out, unsigned int _nChild) const {
     360         [ +  + ]:       11157 :     if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
     361                 :       11156 :     out.nDepth = nDepth + 1;
     362                 :       11156 :     CKeyID id = key.GetPubKey().GetID();
     363                 :       11156 :     memcpy(out.vchFingerprint, &id, 4);
     364                 :       11156 :     out.nChild = _nChild;
     365                 :       11156 :     return key.Derive(out.key, out.chaincode, _nChild, chaincode);
     366                 :             : }
     367                 :             : 
     368                 :        2042 : void CExtKey::SetSeed(Span<const std::byte> seed)
     369                 :             : {
     370                 :        2042 :     static const unsigned char hashkey[] = {'B','i','t','c','o','i','n',' ','s','e','e','d'};
     371                 :        2042 :     std::vector<unsigned char, secure_allocator<unsigned char>> vout(64);
     372   [ +  -  +  -  :        2042 :     CHMAC_SHA512{hashkey, sizeof(hashkey)}.Write(UCharCast(seed.data()), seed.size()).Finalize(vout.data());
                   +  - ]
     373         [ +  - ]:        2042 :     key.Set(vout.data(), vout.data() + 32, true);
     374                 :        2042 :     memcpy(chaincode.begin(), vout.data() + 32, 32);
     375                 :        2042 :     nDepth = 0;
     376                 :        2042 :     nChild = 0;
     377                 :        2042 :     memset(vchFingerprint, 0, sizeof(vchFingerprint));
     378                 :        2042 : }
     379                 :             : 
     380                 :        4628 : CExtPubKey CExtKey::Neuter() const {
     381                 :        4628 :     CExtPubKey ret;
     382                 :        4628 :     ret.nDepth = nDepth;
     383                 :        4628 :     memcpy(ret.vchFingerprint, vchFingerprint, 4);
     384                 :        4628 :     ret.nChild = nChild;
     385                 :        4628 :     ret.pubkey = key.GetPubKey();
     386                 :        4628 :     ret.chaincode = chaincode;
     387                 :        4628 :     return ret;
     388                 :             : }
     389                 :             : 
     390                 :         268 : void CExtKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
     391                 :         268 :     code[0] = nDepth;
     392                 :         268 :     memcpy(code+1, vchFingerprint, 4);
     393                 :         268 :     WriteBE32(code+5, nChild);
     394         [ -  + ]:         268 :     memcpy(code+9, chaincode.begin(), 32);
     395                 :         268 :     code[41] = 0;
     396         [ -  + ]:         268 :     assert(key.size() == 32);
     397                 :         268 :     memcpy(code+42, key.begin(), 32);
     398                 :         268 : }
     399                 :             : 
     400                 :         159 : void CExtKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
     401                 :         159 :     nDepth = code[0];
     402                 :         159 :     memcpy(vchFingerprint, code+1, 4);
     403                 :         159 :     nChild = ReadBE32(code+5);
     404                 :         159 :     memcpy(chaincode.begin(), code+9, 32);
     405                 :         159 :     key.Set(code+42, code+BIP32_EXTKEY_SIZE, true);
     406   [ +  +  +  +  :         159 :     if ((nDepth == 0 && (nChild != 0 || ReadLE32(vchFingerprint) != 0)) || code[41] != 0) key = CKey();
             +  +  +  + ]
     407                 :         159 : }
     408                 :             : 
     409         [ +  - ]:         422 : KeyPair::KeyPair(const CKey& key, const uint256* merkle_root)
     410                 :             : {
     411                 :         422 :     static_assert(std::tuple_size<KeyType>() == sizeof(secp256k1_keypair));
     412         [ +  - ]:         422 :     MakeKeyPairData();
     413         [ +  - ]:         422 :     auto keypair = reinterpret_cast<secp256k1_keypair*>(m_keypair->data());
     414   [ +  -  +  - ]:         844 :     bool success = secp256k1_keypair_create(secp256k1_context_sign, keypair, UCharCast(key.data()));
     415         [ +  + ]:         422 :     if (success && merkle_root) {
     416                 :         105 :         secp256k1_xonly_pubkey pubkey;
     417                 :         105 :         unsigned char pubkey_bytes[32];
     418   [ +  -  -  + ]:         105 :         assert(secp256k1_keypair_xonly_pub(secp256k1_context_sign, &pubkey, nullptr, keypair));
     419   [ +  -  -  + ]:         105 :         assert(secp256k1_xonly_pubkey_serialize(secp256k1_context_sign, pubkey_bytes, &pubkey));
     420   [ +  +  +  - ]:         195 :         uint256 tweak = XOnlyPubKey(pubkey_bytes).ComputeTapTweakHash(merkle_root->IsNull() ? nullptr : merkle_root);
     421         [ +  - ]:         105 :         success = secp256k1_keypair_xonly_tweak_add(secp256k1_context_static, keypair, tweak.data());
     422                 :             :     }
     423         [ -  + ]:         422 :     if (!success) ClearKeyPairData();
     424                 :         422 : }
     425                 :             : 
     426                 :         422 : bool KeyPair::SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256& aux) const
     427                 :             : {
     428         [ -  + ]:         422 :     assert(sig.size() == 64);
     429         [ +  - ]:         422 :     if (!IsValid()) return false;
     430                 :         422 :     auto keypair = reinterpret_cast<const secp256k1_keypair*>(m_keypair->data());
     431                 :         422 :     bool ret = secp256k1_schnorrsig_sign32(secp256k1_context_sign, sig.data(), hash.data(), keypair, aux.data());
     432         [ +  - ]:         422 :     if (ret) {
     433                 :             :         // Additional verification step to prevent using a potentially corrupted signature
     434                 :         422 :         secp256k1_xonly_pubkey pubkey_verify;
     435                 :         422 :         ret = secp256k1_keypair_xonly_pub(secp256k1_context_static, &pubkey_verify, nullptr, keypair);
     436                 :         422 :         ret &= secp256k1_schnorrsig_verify(secp256k1_context_static, sig.data(), hash.begin(), 32, &pubkey_verify);
     437                 :             :     }
     438         [ -  + ]:         422 :     if (!ret) memory_cleanse(sig.data(), sig.size());
     439                 :             :     return ret;
     440                 :             : }
     441                 :             : 
     442                 :           1 : bool ECC_InitSanityCheck() {
     443                 :           1 :     CKey key = GenerateRandomKey();
     444         [ +  - ]:           1 :     CPubKey pubkey = key.GetPubKey();
     445         [ +  - ]:           1 :     return key.VerifyPubKey(pubkey);
     446                 :           1 : }
     447                 :             : 
     448                 :             : /** Initialize the elliptic curve support. May not be called twice without calling ECC_Stop first. */
     449                 :         616 : static void ECC_Start() {
     450         [ -  + ]:         616 :     assert(secp256k1_context_sign == nullptr);
     451                 :             : 
     452                 :         616 :     secp256k1_context *ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
     453         [ -  + ]:         616 :     assert(ctx != nullptr);
     454                 :             : 
     455                 :         616 :     {
     456                 :             :         // Pass in a random blinding seed to the secp256k1 context.
     457                 :         616 :         std::vector<unsigned char, secure_allocator<unsigned char>> vseed(32);
     458                 :         616 :         GetRandBytes(vseed);
     459         [ +  - ]:         616 :         bool ret = secp256k1_context_randomize(ctx, vseed.data());
     460         [ -  + ]:         616 :         assert(ret);
     461                 :         616 :     }
     462                 :             : 
     463                 :         616 :     secp256k1_context_sign = ctx;
     464                 :         616 : }
     465                 :             : 
     466                 :             : /** Deinitialize the elliptic curve support. No-op if ECC_Start wasn't called first. */
     467                 :         615 : static void ECC_Stop() {
     468                 :         615 :     secp256k1_context *ctx = secp256k1_context_sign;
     469                 :         615 :     secp256k1_context_sign = nullptr;
     470                 :             : 
     471         [ +  - ]:         615 :     if (ctx) {
     472                 :         615 :         secp256k1_context_destroy(ctx);
     473                 :             :     }
     474                 :         615 : }
     475                 :             : 
     476                 :         616 : ECC_Context::ECC_Context()
     477                 :             : {
     478                 :         616 :     ECC_Start();
     479                 :         616 : }
     480                 :             : 
     481                 :         615 : ECC_Context::~ECC_Context()
     482                 :             : {
     483                 :         615 :     ECC_Stop();
     484                 :         615 : }
        

Generated by: LCOV version 2.0-1