// +build !libsecp256k1 package secp256k1 import ( "math/big" secp256k1 "github.com/btcsuite/btcd/btcec" "github.com/tendermint/tendermint/crypto" ) // used to reject malleable signatures // see: // - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93 // - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/crypto.go#L39 var secp256k1halfN = new(big.Int).Rsh(secp256k1.S256().N, 1) // Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg. // The returned signature will be of the form R || S (in lower-S form). func (privKey PrivKeySecp256k1) Sign(msg []byte) ([]byte, error) { priv, _ := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey[:]) sig, err := priv.Sign(crypto.Sha256(msg)) if err != nil { return nil, err } sigBytes := serializeSig(sig) return sigBytes, nil } // VerifyBytes verifies a signature of the form R || S. // It rejects signatures which are not in lower-S form. func (pubKey PubKeySecp256k1) VerifyBytes(msg []byte, sigStr []byte) bool { if len(sigStr) != 64 { return false } pub, err := secp256k1.ParsePubKey(pubKey[:], secp256k1.S256()) if err != nil { return false } // parse the signature: signature := signatureFromBytes(sigStr) // Reject malleable signatures. libsecp256k1 does this check but btcec doesn't. // see: https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93 if signature.S.Cmp(secp256k1halfN) > 0 { return false } return signature.Verify(crypto.Sha256(msg), pub) } // Read Signature struct from R || S. Caller needs to ensure // that len(sigStr) == 64. func signatureFromBytes(sigStr []byte) *secp256k1.Signature { return &secp256k1.Signature{ new(big.Int).SetBytes(sigStr[:32]), new(big.Int).SetBytes(sigStr[32:64]), } } // Serialize signature to R || S. // R, S are padded to 32 bytes respectively. func serializeSig(sig *secp256k1.Signature) []byte { rBytes := sig.R.Bytes() sBytes := sig.S.Bytes() sigBytes := make([]byte, 64) // 0 pad the byte arrays from the left if they aren't big enough. copy(sigBytes[32-len(rBytes):32], rBytes) copy(sigBytes[64-len(sBytes):64], sBytes) return sigBytes }