/tmp/bitcoin/src/pubkey.cpp

Source
// Copyright (c) 2009-present The Bitcoin Core developers
// Copyright (c) 2017 The Zcash developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <pubkey.h>

#include <hash.h>
#include <secp256k1.h>
#include <secp256k1_ellswift.h>
#include <secp256k1_extrakeys.h>
#include <secp256k1_recovery.h>
#include <secp256k1_schnorrsig.h>
#include <span.h>
#include <uint256.h>
#include <util/strencodings.h>

#include <algorithm>
#include <cassert>

using namespace util::hex_literals;

namespace {

struct Secp256k1SelfTester
{
    Secp256k1SelfTester() {
        /* Run libsecp256k1 self-test before using the secp256k1_context_static. */
        secp256k1_selftest();
    }
} SECP256K1_SELFTESTER;

} // namespace

/** This function is taken from the libsecp256k1 distribution and implements
 *  DER parsing for ECDSA signatures, while supporting an arbitrary subset of
 *  format violations.
 *
 *  Supported violations include negative integers, excessive padding, garbage
 *  at the end, and overly long length descriptors. This is safe to use in
 *  Bitcoin because since the activation of BIP66, signatures are verified to be
 *  strict DER before being passed to this module, and we know it supports all
 *  violations present in the blockchain before that point.
 */
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
    size_t rpos, rlen, spos, slen;
    size_t pos = 0;
    size_t lenbyte;
    unsigned char tmpsig[64] = {0};
    int overflow = 0;

    /* Hack to initialize sig with a correctly-parsed but invalid signature. */
    secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);

    /* Sequence tag byte */
    if (pos == inputlen || input[pos] != 0x30) {
        return 0;
    }
    pos++;

    /* Sequence length bytes */
    if (pos == inputlen) {
        return 0;
    }
    lenbyte = input[pos++];
    if (lenbyte & 0x80) {
        lenbyte -= 0x80;
        if (lenbyte > inputlen - pos) {
            return 0;
        }
        pos += lenbyte;
    }

    /* Integer tag byte for R */
    if (pos == inputlen || input[pos] != 0x02) {
        return 0;
    }
    pos++;

    /* Integer length for R */
    if (pos == inputlen) {
        return 0;
    }
    lenbyte = input[pos++];
    if (lenbyte & 0x80) {
        lenbyte -= 0x80;
        if (lenbyte > inputlen - pos) {
            return 0;
        }
        while (lenbyte > 0 && input[pos] == 0) {
            pos++;
            lenbyte--;
        }
        static_assert(sizeof(size_t) >= 4, "size_t too small");
        if (lenbyte >= 4) {
            return 0;
        }
        rlen = 0;
        while (lenbyte > 0) {
            rlen = (rlen << 8) + input[pos];
            pos++;
            lenbyte--;
        }
    } else {
        rlen = lenbyte;
    }
    if (rlen > inputlen - pos) {
        return 0;
    }
    rpos = pos;
    pos += rlen;

    /* Integer tag byte for S */
    if (pos == inputlen || input[pos] != 0x02) {
        return 0;
    }
    pos++;

    /* Integer length for S */
    if (pos == inputlen) {
        return 0;
    }
    lenbyte = input[pos++];
    if (lenbyte & 0x80) {
        lenbyte -= 0x80;
        if (lenbyte > inputlen - pos) {
            return 0;
        }
        while (lenbyte > 0 && input[pos] == 0) {
            pos++;
            lenbyte--;
        }
        static_assert(sizeof(size_t) >= 4, "size_t too small");
        if (lenbyte >= 4) {
            return 0;
        }
        slen = 0;
        while (lenbyte > 0) {
            slen = (slen << 8) + input[pos];
            pos++;
            lenbyte--;
        }
    } else {
        slen = lenbyte;
    }
    if (slen > inputlen - pos) {
        return 0;
    }
    spos = pos;

    /* Ignore leading zeroes in R */
    while (rlen > 0 && input[rpos] == 0) {
        rlen--;
        rpos++;
    }
    /* Copy R value */
    if (rlen > 32) {
        overflow = 1;
    } else {
        memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
    }

    /* Ignore leading zeroes in S */
    while (slen > 0 && input[spos] == 0) {
        slen--;
        spos++;
    }
    /* Copy S value */
    if (slen > 32) {
        overflow = 1;
    } else {
        memcpy(tmpsig + 64 - slen, input + spos, slen);
    }

    if (!overflow) {
        overflow = !secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
    }
    if (overflow) {
        /* Overwrite the result again with a correctly-parsed but invalid
           signature if parsing failed. */
        memset(tmpsig, 0, 64);
        secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
    }
    return 1;
}

/** Nothing Up My Sleeve (NUMS) point
 *
 *  NUMS_H is a point with an unknown discrete logarithm, constructed by taking the sha256 of 'g'
 *  (uncompressed encoding), which happens to be a point on the curve.
 *
 *  For an example script for calculating H, refer to the unit tests in
 *  ./test/functional/test_framework/crypto/secp256k1.py
 */
constexpr XOnlyPubKey XOnlyPubKey::NUMS_H{
    // Use immediate lambda to work around GCC-14 bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117966
    []() consteval { return XOnlyPubKey{"50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0"_hex_u8}; }(),
};

std::vector<CPubKey> XOnlyPubKey::GetCPubKeys() const
{
    std::vector<CPubKey> out;
    unsigned char b[33] = {0x02};
    std::copy(m_keydata.begin(), m_keydata.end(), b + 1);
    CPubKey fullpubkey;
    fullpubkey.Set(b, b + 33);
    out.push_back(fullpubkey);
    b[0] = 0x03;
    fullpubkey.Set(b, b + 33);
    out.push_back(fullpubkey);
    return out;
}

std::vector<CKeyID> XOnlyPubKey::GetKeyIDs() const
{
    std::vector<CKeyID> out;
    for (const CPubKey& pk : GetCPubKeys()) {
        out.push_back(pk.GetID());
    }
    return out;
}

CPubKey XOnlyPubKey::GetEvenCorrespondingCPubKey() const
{
    unsigned char full_key[CPubKey::COMPRESSED_SIZE] = {0x02};
    std::copy(begin(), end(), full_key + 1);
    return CPubKey{full_key};
}

bool XOnlyPubKey::IsFullyValid() const
{
    secp256k1_xonly_pubkey pubkey;
    return secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data());
}

bool XOnlyPubKey::VerifySchnorr(const uint256& msg, std::span<const unsigned char> sigbytes) const
{
    assert(sigbytes.size() == 64);
    secp256k1_xonly_pubkey pubkey;
    if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data())) return false;
    return secp256k1_schnorrsig_verify(secp256k1_context_static, sigbytes.data(), msg.begin(), 32, &pubkey);
}

static const HashWriter HASHER_TAPTWEAK{TaggedHash("TapTweak")};

uint256 XOnlyPubKey::ComputeTapTweakHash(const uint256* merkle_root) const
{
    if (merkle_root == nullptr) {
        // We have no scripts. The actual tweak does not matter, but follow BIP341 here to
        // allow for reproducible tweaking.
        return (HashWriter{HASHER_TAPTWEAK} << m_keydata).GetSHA256();
    } else {
        return (HashWriter{HASHER_TAPTWEAK} << m_keydata << *merkle_root).GetSHA256();
    }
}

bool XOnlyPubKey::CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const
{
    secp256k1_xonly_pubkey internal_key;
    if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &internal_key, internal.data())) return false;
    uint256 tweak = internal.ComputeTapTweakHash(&merkle_root);
    return secp256k1_xonly_pubkey_tweak_add_check(secp256k1_context_static, m_keydata.begin(), parity, &internal_key, tweak.begin());
}

std::optional<std::pair<XOnlyPubKey, bool>> XOnlyPubKey::CreateTapTweak(const uint256* merkle_root) const
{
    secp256k1_xonly_pubkey base_point;
    if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &base_point, data())) return std::nullopt;
    secp256k1_pubkey out;
    uint256 tweak = ComputeTapTweakHash(merkle_root);
    if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_static, &out, &base_point, tweak.data())) return std::nullopt;
    int parity = -1;
    std::pair<XOnlyPubKey, bool> ret;
    secp256k1_xonly_pubkey out_xonly;
    if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_static, &out_xonly, &parity, &out)) return std::nullopt;
    secp256k1_xonly_pubkey_serialize(secp256k1_context_static, ret.first.begin(), &out_xonly);
    assert(parity == 0 || parity == 1);
    ret.second = parity;
    return ret;
}


bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
    if (!IsValid())
        return false;
    secp256k1_pubkey pubkey;
    secp256k1_ecdsa_signature sig;
    if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
        return false;
    }
    if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {
        return false;
    }
    /* libsecp256k1's ECDSA verification requires lower-S signatures, which have
     * not historically been enforced in Bitcoin, so normalize them first. */
    secp256k1_ecdsa_signature_normalize(secp256k1_context_static, &sig, &sig);
    return secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pubkey);
}

bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
    if (vchSig.size() != COMPACT_SIGNATURE_SIZE)
        return false;
    int recid = (vchSig[0] - 27) & 3;
    bool fComp = ((vchSig[0] - 27) & 4) != 0;
    secp256k1_pubkey pubkey;
    secp256k1_ecdsa_recoverable_signature sig;
    if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_static, &sig, &vchSig[1], recid)) {
        return false;
    }
    if (!secp256k1_ecdsa_recover(secp256k1_context_static, &pubkey, &sig, hash.begin())) {
        return false;
    }
    unsigned char pub[SIZE];
    size_t publen = SIZE;
    secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
    Set(pub, pub + publen);
    return true;
}

bool CPubKey::IsFullyValid() const {
    if (!IsValid())
        return false;
    secp256k1_pubkey pubkey;
    return secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size());
}

bool CPubKey::Decompress() {
    if (!IsValid())
        return false;
    secp256k1_pubkey pubkey;
    if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
        return false;
    }
    unsigned char pub[SIZE];
    size_t publen = SIZE;
    secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
    Set(pub, pub + publen);
    return true;
}

bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc, uint256* bip32_tweak_out) const {
    assert(IsValid());
    assert((nChild >> 31) == 0);
    assert(size() == COMPRESSED_SIZE);
    unsigned char out[64];
    BIP32Hash(cc, nChild, *begin(), begin()+1, out);
    memcpy(ccChild.begin(), out+32, 32);
    if (bip32_tweak_out) {
        memcpy(bip32_tweak_out->begin(), out, 32);
    }
    secp256k1_pubkey pubkey;
    if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
        return false;
    }
    if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_static, &pubkey, out)) {
        return false;
    }
    unsigned char pub[COMPRESSED_SIZE];
    size_t publen = COMPRESSED_SIZE;
    secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
    pubkeyChild.Set(pub, pub + publen);
    return true;
}

EllSwiftPubKey::EllSwiftPubKey(std::span<const std::byte> ellswift) noexcept
{
    assert(ellswift.size() == SIZE);
    std::copy(ellswift.begin(), ellswift.end(), m_pubkey.begin());
}

CPubKey EllSwiftPubKey::Decode() const
{
    secp256k1_pubkey pubkey;
    secp256k1_ellswift_decode(secp256k1_context_static, &pubkey, UCharCast(m_pubkey.data()));

    size_t sz = CPubKey::COMPRESSED_SIZE;
    std::array<uint8_t, CPubKey::COMPRESSED_SIZE> vch_bytes;

    secp256k1_ec_pubkey_serialize(secp256k1_context_static, vch_bytes.data(), &sz, &pubkey, SECP256K1_EC_COMPRESSED);
    assert(sz == vch_bytes.size());

    return CPubKey{vch_bytes.begin(), vch_bytes.end()};
}

void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
    code[0] = nDepth;
    memcpy(code+1, vchFingerprint, 4);
    WriteBE32(code+5, nChild);
    memcpy(code+9, chaincode.begin(), 32);
    assert(pubkey.size() == CPubKey::COMPRESSED_SIZE);
    memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_SIZE);
}

void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
    nDepth = code[0];
    memcpy(vchFingerprint, code+1, 4);
    nChild = ReadBE32(code+5);
    memcpy(chaincode.begin(), code+9, 32);
    pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE);
    if ((nDepth == 0 && (nChild != 0 || ReadLE32(vchFingerprint) != 0)) || !pubkey.IsFullyValid()) pubkey = CPubKey();
}

void CExtPubKey::EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const
{
    memcpy(code, version, 4);
    Encode(&code[4]);
}

void CExtPubKey::DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE])
{
    memcpy(version, code, 4);
    Decode(&code[4]);
}

bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild, uint256* bip32_tweak_out) const {
    if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
    out.nDepth = nDepth + 1;
    CKeyID id = pubkey.GetID();
    memcpy(out.vchFingerprint, &id, 4);
    out.nChild = _nChild;
    return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode, bip32_tweak_out);
}

/* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
    secp256k1_ecdsa_signature sig;
    if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {
        return false;
    }
    return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_static, nullptr, &sig));
}

Coverage Report

Created: 2026-05-06 07:53

Line	Count	Source
1		// Copyright (c) 2009-present The Bitcoin Core developers
2		// Copyright (c) 2017 The Zcash developers
3		// Distributed under the MIT software license, see the accompanying
4		// file COPYING or http://www.opensource.org/licenses/mit-license.php.
5
6		#include <pubkey.h>
7
8		#include <hash.h>
9		#include <secp256k1.h>
10		#include <secp256k1_ellswift.h>
11		#include <secp256k1_extrakeys.h>
12		#include <secp256k1_recovery.h>
13		#include <secp256k1_schnorrsig.h>
14		#include <span.h>
15		#include <uint256.h>
16		#include <util/strencodings.h>
17
18		#include <algorithm>
19		#include <cassert>
20
21		using namespace util::hex_literals;
22
23		namespace {
24
25		struct Secp256k1SelfTester
26		{
27	1.48k	Secp256k1SelfTester() {
28		/* Run libsecp256k1 self-test before using the secp256k1_context_static. */
29	1.48k	secp256k1_selftest();
30	1.48k	}
31		} SECP256K1_SELFTESTER;
32
33		} // namespace
34
35		/** This function is taken from the libsecp256k1 distribution and implements
36		* DER parsing for ECDSA signatures, while supporting an arbitrary subset of
37		* format violations.
38		*
39		* Supported violations include negative integers, excessive padding, garbage
40		* at the end, and overly long length descriptors. This is safe to use in
41		* Bitcoin because since the activation of BIP66, signatures are verified to be
42		* strict DER before being passed to this module, and we know it supports all
43		* violations present in the blockchain before that point.
44		*/
45	192k	int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
46	192k	size_t rpos, rlen, spos, slen;
47	192k	size_t pos = 0;
48	192k	size_t lenbyte;
49	192k	unsigned char tmpsig[64] = {0};
50	192k	int overflow = 0;
51
52		/* Hack to initialize sig with a correctly-parsed but invalid signature. */
53	192k	secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
54
55		/* Sequence tag byte */
56	192k	if (pos == inputlen \|\| input[pos] != 0x30) {
57	548	return 0;
58	548	}
59	191k	pos++;
60
61		/* Sequence length bytes */
62	191k	if (pos == inputlen) {
63	0	return 0;
64	0	}
65	191k	lenbyte = input[pos++];
66	191k	if (lenbyte & 0x80) {
67	0	lenbyte -= 0x80;
68	0	if (lenbyte > inputlen - pos) {
69	0	return 0;
70	0	}
71	0	pos += lenbyte;
72	0	}
73
74		/* Integer tag byte for R */
75	191k	if (pos == inputlen \|\| input[pos] != 0x02) {
76	0	return 0;
77	0	}
78	191k	pos++;
79
80		/* Integer length for R */
81	191k	if (pos == inputlen) {
82	0	return 0;
83	0	}
84	191k	lenbyte = input[pos++];
85	191k	if (lenbyte & 0x80) {
86	0	lenbyte -= 0x80;
87	0	if (lenbyte > inputlen - pos) {
88	0	return 0;
89	0	}
90	0	while (lenbyte > 0 && input[pos] == 0) {
91	0	pos++;
92	0	lenbyte--;
93	0	}
94	0	static_assert(sizeof(size_t) >= 4, "size_t too small");
95	0	if (lenbyte >= 4) {
96	0	return 0;
97	0	}
98	0	rlen = 0;
99	0	while (lenbyte > 0) {
100	0	rlen = (rlen << 8) + input[pos];
101	0	pos++;
102	0	lenbyte--;
103	0	}
104	191k	} else {
105	191k	rlen = lenbyte;
106	191k	}
107	191k	if (rlen > inputlen - pos) {
108	0	return 0;
109	0	}
110	191k	rpos = pos;
111	191k	pos += rlen;
112
113		/* Integer tag byte for S */
114	191k	if (pos == inputlen \|\| input[pos] != 0x02) {
115	0	return 0;
116	0	}
117	191k	pos++;
118
119		/* Integer length for S */
120	191k	if (pos == inputlen) {
121	0	return 0;
122	0	}
123	191k	lenbyte = input[pos++];
124	191k	if (lenbyte & 0x80) {
125	0	lenbyte -= 0x80;
126	0	if (lenbyte > inputlen - pos) {
127	0	return 0;
128	0	}
129	0	while (lenbyte > 0 && input[pos] == 0) {
130	0	pos++;
131	0	lenbyte--;
132	0	}
133	0	static_assert(sizeof(size_t) >= 4, "size_t too small");
134	0	if (lenbyte >= 4) {
135	0	return 0;
136	0	}
137	0	slen = 0;
138	0	while (lenbyte > 0) {
139	0	slen = (slen << 8) + input[pos];
140	0	pos++;
141	0	lenbyte--;
142	0	}
143	191k	} else {
144	191k	slen = lenbyte;
145	191k	}
146	191k	if (slen > inputlen - pos) {
147	0	return 0;
148	0	}
149	191k	spos = pos;
150
151		/* Ignore leading zeroes in R */
152	223k	while (rlen > 0 && input[rpos] == 0) {
153	31.2k	rlen--;
154	31.2k	rpos++;
155	31.2k	}
156		/* Copy R value */
157	191k	if (rlen > 32) {
158	1	overflow = 1;
159	191k	} else {
160	191k	memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
161	191k	}
162
163		/* Ignore leading zeroes in S */
164	195k	while (slen > 0 && input[spos] == 0) {
165	3.25k	slen--;
166	3.25k	spos++;
167	3.25k	}
168		/* Copy S value */
169	191k	if (slen > 32) {
170	0	overflow = 1;
171	191k	} else {
172	191k	memcpy(tmpsig + 64 - slen, input + spos, slen);
173	191k	}
174
175	191k	if (!overflow) {
176	191k	overflow = !secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
177	191k	}
178	191k	if (overflow) {
179		/* Overwrite the result again with a correctly-parsed but invalid
180		signature if parsing failed. */
181	1	memset(tmpsig, 0, 64);
182	1	secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
183	1	}
184	191k	return 1;
185	191k	}
186
187		/** Nothing Up My Sleeve (NUMS) point
188		*
189		* NUMS_H is a point with an unknown discrete logarithm, constructed by taking the sha256 of 'g'
190		* (uncompressed encoding), which happens to be a point on the curve.
191		*
192		* For an example script for calculating H, refer to the unit tests in
193		* ./test/functional/test_framework/crypto/secp256k1.py
194		*/
195		constexpr XOnlyPubKey XOnlyPubKey::NUMS_H{
196		// Use immediate lambda to work around GCC-14 bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117966
197		[]() consteval { return XOnlyPubKey{"50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0"_hex_u8}; }(),
198		};
199
200		std::vector<CPubKey> XOnlyPubKey::GetCPubKeys() const
201	391k	{
202	391k	std::vector<CPubKey> out;
203	391k	unsigned char b[33] = {0x02};
204	391k	std::copy(m_keydata.begin(), m_keydata.end(), b + 1);
205	391k	CPubKey fullpubkey;
206	391k	fullpubkey.Set(b, b + 33);
207	391k	out.push_back(fullpubkey);
208	391k	b[0] = 0x03;
209	391k	fullpubkey.Set(b, b + 33);
210	391k	out.push_back(fullpubkey);
211	391k	return out;
212	391k	}
213
214		std::vector<CKeyID> XOnlyPubKey::GetKeyIDs() const
215	391k	{
216	391k	std::vector<CKeyID> out;
217	782k	for (const CPubKey& pk : GetCPubKeys()) {
218	782k	out.push_back(pk.GetID());
219	782k	}
220	391k	return out;
221	391k	}
222
223		CPubKey XOnlyPubKey::GetEvenCorrespondingCPubKey() const
224	132k	{
225	132k	unsigned char full_key[CPubKey::COMPRESSED_SIZE] = {0x02};
226	132k	std::copy(begin(), end(), full_key + 1);
227	132k	return CPubKey{full_key};
228	132k	}
229
230		bool XOnlyPubKey::IsFullyValid() const
231	149k	{
232	149k	secp256k1_xonly_pubkey pubkey;
233	149k	return secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data());
234	149k	}
235
236		bool XOnlyPubKey::VerifySchnorr(const uint256& msg, std::span<const unsigned char> sigbytes) const
237	17.2k	{
238	17.2k	assert(sigbytes.size() == 64);
239	17.2k	secp256k1_xonly_pubkey pubkey;
240	17.2k	if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data())) return false;
241	17.2k	return secp256k1_schnorrsig_verify(secp256k1_context_static, sigbytes.data(), msg.begin(), 32, &pubkey);
242	17.2k	}
243
244		static const HashWriter HASHER_TAPTWEAK{TaggedHash("TapTweak")};
245
246		uint256 XOnlyPubKey::ComputeTapTweakHash(const uint256* merkle_root) const
247	217k	{
248	217k	if (merkle_root == nullptr) {
249		// We have no scripts. The actual tweak does not matter, but follow BIP341 here to
250		// allow for reproducible tweaking.
251	113k	return (HashWriter{HASHER_TAPTWEAK} << m_keydata).GetSHA256();
252	113k	} else {
253	104k	return (HashWriter{HASHER_TAPTWEAK} << m_keydata << *merkle_root).GetSHA256();
254	104k	}
255	217k	}
256
257		bool XOnlyPubKey::CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const
258	85.8k	{
259	85.8k	secp256k1_xonly_pubkey internal_key;
260	85.8k	if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &internal_key, internal.data())) return false;
261	85.8k	uint256 tweak = internal.ComputeTapTweakHash(&merkle_root);
262	85.8k	return secp256k1_xonly_pubkey_tweak_add_check(secp256k1_context_static, m_keydata.begin(), parity, &internal_key, tweak.begin());
263	85.8k	}
264
265		std::optional<std::pair<XOnlyPubKey, bool>> XOnlyPubKey::CreateTapTweak(const uint256* merkle_root) const
266	130k	{
267	130k	secp256k1_xonly_pubkey base_point;
268	130k	if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &base_point, data())) return std::nullopt;
269	130k	secp256k1_pubkey out;
270	130k	uint256 tweak = ComputeTapTweakHash(merkle_root);
271	130k	if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_static, &out, &base_point, tweak.data())) return std::nullopt;
272	130k	int parity = -1;
273	130k	std::pair<XOnlyPubKey, bool> ret;
274	130k	secp256k1_xonly_pubkey out_xonly;
275	130k	if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_static, &out_xonly, &parity, &out)) return std::nullopt;
276	130k	secp256k1_xonly_pubkey_serialize(secp256k1_context_static, ret.first.begin(), &out_xonly);
277	130k	assert(parity == 0 \|\| parity == 1);
278	130k	ret.second = parity;
279	130k	return ret;
280	130k	}
281
282
283	129k	bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
284	129k	if (!IsValid())
285	0	return false;
286	129k	secp256k1_pubkey pubkey;
287	129k	secp256k1_ecdsa_signature sig;
288	129k	if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
289	0	return false;
290	0	}
291	129k	if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {
292	548	return false;
293	548	}
294		/* libsecp256k1's ECDSA verification requires lower-S signatures, which have
295		* not historically been enforced in Bitcoin, so normalize them first. */
296	129k	secp256k1_ecdsa_signature_normalize(secp256k1_context_static, &sig, &sig);
297	129k	return secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pubkey);
298	129k	}
299
300	77	bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
301	77	if (vchSig.size() != COMPACT_SIGNATURE_SIZE)
302	0	return false;
303	77	int recid = (vchSig[0] - 27) & 3;
304	77	bool fComp = ((vchSig[0] - 27) & 4) != 0;
305	77	secp256k1_pubkey pubkey;
306	77	secp256k1_ecdsa_recoverable_signature sig;
307	77	if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_static, &sig, &vchSig[1], recid)) {
308	0	return false;
309	0	}
310	77	if (!secp256k1_ecdsa_recover(secp256k1_context_static, &pubkey, &sig, hash.begin())) {
311	1	return false;
312	1	}
313	76	unsigned char pub[SIZE];
314	76	size_t publen = SIZE;
315	76	secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
316	76	Set(pub, pub + publen);
317	76	return true;
318	77	}
319
320	57.5k	bool CPubKey::IsFullyValid() const {
321	57.5k	if (!IsValid())
322	18.5k	return false;
323	38.9k	secp256k1_pubkey pubkey;
324	38.9k	return secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size());
325	57.5k	}
326
327	132	bool CPubKey::Decompress() {
328	132	if (!IsValid())
329	0	return false;
330	132	secp256k1_pubkey pubkey;
331	132	if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
332	2	return false;
333	2	}
334	130	unsigned char pub[SIZE];
335	130	size_t publen = SIZE;
336	130	secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
337	130	Set(pub, pub + publen);
338	130	return true;
339	132	}
340
341	661k	bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc, uint256* bip32_tweak_out) const {
342	661k	assert(IsValid());
343	661k	assert((nChild >> 31) == 0);
344	661k	assert(size() == COMPRESSED_SIZE);
345	661k	unsigned char out[64];
346	661k	BIP32Hash(cc, nChild, *begin(), begin()+1, out);
347	661k	memcpy(ccChild.begin(), out+32, 32);
348	661k	if (bip32_tweak_out) {
349	2.79k	memcpy(bip32_tweak_out->begin(), out, 32);
350	2.79k	}
351	661k	secp256k1_pubkey pubkey;
352	661k	if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
353	0	return false;
354	0	}
355	661k	if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_static, &pubkey, out)) {
356	0	return false;
357	0	}
358	661k	unsigned char pub[COMPRESSED_SIZE];
359	661k	size_t publen = COMPRESSED_SIZE;
360	661k	secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
361	661k	pubkeyChild.Set(pub, pub + publen);
362	661k	return true;
363	661k	}
364
365		EllSwiftPubKey::EllSwiftPubKey(std::span<const std::byte> ellswift) noexcept
366	659	{
367	659	assert(ellswift.size() == SIZE);
368	659	std::copy(ellswift.begin(), ellswift.end(), m_pubkey.begin());
369	659	}
370
371		CPubKey EllSwiftPubKey::Decode() const
372	4	{
373	4	secp256k1_pubkey pubkey;
374	4	secp256k1_ellswift_decode(secp256k1_context_static, &pubkey, UCharCast(m_pubkey.data()));
375
376	4	size_t sz = CPubKey::COMPRESSED_SIZE;
377	4	std::array<uint8_t, CPubKey::COMPRESSED_SIZE> vch_bytes;
378
379	4	secp256k1_ec_pubkey_serialize(secp256k1_context_static, vch_bytes.data(), &sz, &pubkey, SECP256K1_EC_COMPRESSED);
380	4	assert(sz == vch_bytes.size());
381
382	4	return CPubKey{vch_bytes.begin(), vch_bytes.end()};
383	4	}
384
385	162k	void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
386	162k	code[0] = nDepth;
387	162k	memcpy(code+1, vchFingerprint, 4);
388	162k	WriteBE32(code+5, nChild);
389	162k	memcpy(code+9, chaincode.begin(), 32);
390	162k	assert(pubkey.size() == CPubKey::COMPRESSED_SIZE);
391	162k	memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_SIZE);
392	162k	}
393
394	11.6k	void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
395	11.6k	nDepth = code[0];
396	11.6k	memcpy(vchFingerprint, code+1, 4);
397	11.6k	nChild = ReadBE32(code+5);
398	11.6k	memcpy(chaincode.begin(), code+9, 32);
399	11.6k	pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE);
400	11.6k	if ((nDepth == 0 && (nChild != 0 \|\| ReadLE32(vchFingerprint) != 0)) \|\| !pubkey.IsFullyValid()) pubkey = CPubKey();
401	11.6k	}
402
403		void CExtPubKey::EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const
404	3	{
405	3	memcpy(code, version, 4);
406	3	Encode(&code[4]);
407	3	}
408
409		void CExtPubKey::DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE])
410	3	{
411	3	memcpy(version, code, 4);
412	3	Decode(&code[4]);
413	3	}
414
415	661k	bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild, uint256* bip32_tweak_out) const {
416	661k	if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
417	661k	out.nDepth = nDepth + 1;
418	661k	CKeyID id = pubkey.GetID();
419	661k	memcpy(out.vchFingerprint, &id, 4);
420	661k	out.nChild = _nChild;
421	661k	return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode, bip32_tweak_out);
422	661k	}
423
424	62.5k	/* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
425	62.5k	secp256k1_ecdsa_signature sig;
426	62.5k	if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {
427	0	return false;
428	0	}
429	62.5k	return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_static, nullptr, &sig));
430	62.5k	}