Bitcoin Core  22.99.0
P2P Digital Currency
pubkey.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-2020 The Bitcoin Core developers
2 // Copyright (c) 2017 The Zcash developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 
6 #include <pubkey.h>
7 
8 #include <hash.h>
9 #include <secp256k1.h>
10 #include <secp256k1_extrakeys.h>
11 #include <secp256k1_recovery.h>
12 #include <secp256k1_schnorrsig.h>
13 #include <span.h>
14 #include <uint256.h>
15 
16 #include <algorithm>
17 #include <cassert>
18 
19 namespace
20 {
21 /* Global secp256k1_context object used for verification. */
22 secp256k1_context* secp256k1_context_verify = nullptr;
23 } // namespace
24 
35 int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
36  size_t rpos, rlen, spos, slen;
37  size_t pos = 0;
38  size_t lenbyte;
39  unsigned char tmpsig[64] = {0};
40  int overflow = 0;
41 
42  /* Hack to initialize sig with a correctly-parsed but invalid signature. */
44 
45  /* Sequence tag byte */
46  if (pos == inputlen || input[pos] != 0x30) {
47  return 0;
48  }
49  pos++;
50 
51  /* Sequence length bytes */
52  if (pos == inputlen) {
53  return 0;
54  }
55  lenbyte = input[pos++];
56  if (lenbyte & 0x80) {
57  lenbyte -= 0x80;
58  if (lenbyte > inputlen - pos) {
59  return 0;
60  }
61  pos += lenbyte;
62  }
63 
64  /* Integer tag byte for R */
65  if (pos == inputlen || input[pos] != 0x02) {
66  return 0;
67  }
68  pos++;
69 
70  /* Integer length for R */
71  if (pos == inputlen) {
72  return 0;
73  }
74  lenbyte = input[pos++];
75  if (lenbyte & 0x80) {
76  lenbyte -= 0x80;
77  if (lenbyte > inputlen - pos) {
78  return 0;
79  }
80  while (lenbyte > 0 && input[pos] == 0) {
81  pos++;
82  lenbyte--;
83  }
84  static_assert(sizeof(size_t) >= 4, "size_t too small");
85  if (lenbyte >= 4) {
86  return 0;
87  }
88  rlen = 0;
89  while (lenbyte > 0) {
90  rlen = (rlen << 8) + input[pos];
91  pos++;
92  lenbyte--;
93  }
94  } else {
95  rlen = lenbyte;
96  }
97  if (rlen > inputlen - pos) {
98  return 0;
99  }
100  rpos = pos;
101  pos += rlen;
102 
103  /* Integer tag byte for S */
104  if (pos == inputlen || input[pos] != 0x02) {
105  return 0;
106  }
107  pos++;
108 
109  /* Integer length for S */
110  if (pos == inputlen) {
111  return 0;
112  }
113  lenbyte = input[pos++];
114  if (lenbyte & 0x80) {
115  lenbyte -= 0x80;
116  if (lenbyte > inputlen - pos) {
117  return 0;
118  }
119  while (lenbyte > 0 && input[pos] == 0) {
120  pos++;
121  lenbyte--;
122  }
123  static_assert(sizeof(size_t) >= 4, "size_t too small");
124  if (lenbyte >= 4) {
125  return 0;
126  }
127  slen = 0;
128  while (lenbyte > 0) {
129  slen = (slen << 8) + input[pos];
130  pos++;
131  lenbyte--;
132  }
133  } else {
134  slen = lenbyte;
135  }
136  if (slen > inputlen - pos) {
137  return 0;
138  }
139  spos = pos;
140 
141  /* Ignore leading zeroes in R */
142  while (rlen > 0 && input[rpos] == 0) {
143  rlen--;
144  rpos++;
145  }
146  /* Copy R value */
147  if (rlen > 32) {
148  overflow = 1;
149  } else {
150  memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
151  }
152 
153  /* Ignore leading zeroes in S */
154  while (slen > 0 && input[spos] == 0) {
155  slen--;
156  spos++;
157  }
158  /* Copy S value */
159  if (slen > 32) {
160  overflow = 1;
161  } else {
162  memcpy(tmpsig + 64 - slen, input + spos, slen);
163  }
164 
165  if (!overflow) {
166  overflow = !secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
167  }
168  if (overflow) {
169  /* Overwrite the result again with a correctly-parsed but invalid
170  signature if parsing failed. */
171  memset(tmpsig, 0, 64);
173  }
174  return 1;
175 }
176 
178 {
179  assert(bytes.size() == 32);
180  std::copy(bytes.begin(), bytes.end(), m_keydata.begin());
181 }
182 
183 std::vector<CKeyID> XOnlyPubKey::GetKeyIDs() const
184 {
185  std::vector<CKeyID> out;
186  // For now, use the old full pubkey-based key derivation logic. As it is indexed by
187  // Hash160(full pubkey), we need to return both a version prefixed with 0x02, and one
188  // with 0x03.
189  unsigned char b[33] = {0x02};
190  std::copy(m_keydata.begin(), m_keydata.end(), b + 1);
191  CPubKey fullpubkey;
192  fullpubkey.Set(b, b + 33);
193  out.push_back(fullpubkey.GetID());
194  b[0] = 0x03;
195  fullpubkey.Set(b, b + 33);
196  out.push_back(fullpubkey.GetID());
197  return out;
198 }
199 
201 {
202  secp256k1_xonly_pubkey pubkey;
203  return secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &pubkey, m_keydata.data());
204 }
205 
207 {
208  assert(sigbytes.size() == 64);
209  secp256k1_xonly_pubkey pubkey;
210  if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &pubkey, m_keydata.data())) return false;
211  return secp256k1_schnorrsig_verify(secp256k1_context_verify, sigbytes.data(), msg.begin(), 32, &pubkey);
212 }
213 
214 static const CHashWriter HASHER_TAPTWEAK = TaggedHash("TapTweak");
215 
217 {
218  if (merkle_root == nullptr) {
219  // We have no scripts. The actual tweak does not matter, but follow BIP341 here to
220  // allow for reproducible tweaking.
221  return (CHashWriter(HASHER_TAPTWEAK) << m_keydata).GetSHA256();
222  } else {
223  return (CHashWriter(HASHER_TAPTWEAK) << m_keydata << *merkle_root).GetSHA256();
224  }
225 }
226 
227 bool XOnlyPubKey::CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const
228 {
229  secp256k1_xonly_pubkey internal_key;
230  if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &internal_key, internal.data())) return false;
231  uint256 tweak = internal.ComputeTapTweakHash(&merkle_root);
232  return secp256k1_xonly_pubkey_tweak_add_check(secp256k1_context_verify, m_keydata.begin(), parity, &internal_key, tweak.begin());
233 }
234 
235 std::optional<std::pair<XOnlyPubKey, bool>> XOnlyPubKey::CreateTapTweak(const uint256* merkle_root) const
236 {
237  secp256k1_xonly_pubkey base_point;
238  if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &base_point, data())) return std::nullopt;
239  secp256k1_pubkey out;
240  uint256 tweak = ComputeTapTweakHash(merkle_root);
241  if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_verify, &out, &base_point, tweak.data())) return std::nullopt;
242  int parity = -1;
243  std::pair<XOnlyPubKey, bool> ret;
244  secp256k1_xonly_pubkey out_xonly;
245  if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_verify, &out_xonly, &parity, &out)) return std::nullopt;
246  secp256k1_xonly_pubkey_serialize(secp256k1_context_verify, ret.first.begin(), &out_xonly);
247  assert(parity == 0 || parity == 1);
248  ret.second = parity;
249  return ret;
250 }
251 
252 
253 bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
254  if (!IsValid())
255  return false;
256  secp256k1_pubkey pubkey;
258  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
259  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
260  return false;
261  }
262  if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, vchSig.data(), vchSig.size())) {
263  return false;
264  }
265  /* libsecp256k1's ECDSA verification requires lower-S signatures, which have
266  * not historically been enforced in Bitcoin, so normalize them first. */
267  secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, &sig, &sig);
268  return secp256k1_ecdsa_verify(secp256k1_context_verify, &sig, hash.begin(), &pubkey);
269 }
270 
271 bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
272  if (vchSig.size() != COMPACT_SIGNATURE_SIZE)
273  return false;
274  int recid = (vchSig[0] - 27) & 3;
275  bool fComp = ((vchSig[0] - 27) & 4) != 0;
276  secp256k1_pubkey pubkey;
278  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
279  if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_verify, &sig, &vchSig[1], recid)) {
280  return false;
281  }
282  if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig, hash.begin())) {
283  return false;
284  }
285  unsigned char pub[SIZE];
286  size_t publen = SIZE;
287  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
288  Set(pub, pub + publen);
289  return true;
290 }
291 
292 bool CPubKey::IsFullyValid() const {
293  if (!IsValid())
294  return false;
295  secp256k1_pubkey pubkey;
296  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
297  return secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size());
298 }
299 
301  if (!IsValid())
302  return false;
303  secp256k1_pubkey pubkey;
304  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
305  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
306  return false;
307  }
308  unsigned char pub[SIZE];
309  size_t publen = SIZE;
310  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
311  Set(pub, pub + publen);
312  return true;
313 }
314 
315 bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
316  assert(IsValid());
317  assert((nChild >> 31) == 0);
319  unsigned char out[64];
320  BIP32Hash(cc, nChild, *begin(), begin()+1, out);
321  memcpy(ccChild.begin(), out+32, 32);
322  secp256k1_pubkey pubkey;
323  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
324  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
325  return false;
326  }
327  if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey, out)) {
328  return false;
329  }
330  unsigned char pub[COMPRESSED_SIZE];
331  size_t publen = COMPRESSED_SIZE;
332  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
333  pubkeyChild.Set(pub, pub + publen);
334  return true;
335 }
336 
337 void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
338  code[0] = nDepth;
339  memcpy(code+1, vchFingerprint, 4);
340  WriteBE32(code+5, nChild);
341  memcpy(code+9, chaincode.begin(), 32);
343  memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_SIZE);
344 }
345 
346 void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
347  nDepth = code[0];
348  memcpy(vchFingerprint, code+1, 4);
349  nChild = ReadBE32(code+5);
350  memcpy(chaincode.begin(), code+9, 32);
351  pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE);
352  if ((nDepth == 0 && (nChild != 0 || ReadLE32(vchFingerprint) != 0)) || !pubkey.IsFullyValid()) pubkey = CPubKey();
353 }
354 
355 bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
356  out.nDepth = nDepth + 1;
357  CKeyID id = pubkey.GetID();
358  memcpy(out.vchFingerprint, &id, 4);
359  out.nChild = _nChild;
360  return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);
361 }
362 
363 /* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
365  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
366  if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, vchSig.data(), vchSig.size())) {
367  return false;
368  }
369  return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, nullptr, &sig));
370 }
371 
372 /* static */ int ECCVerifyHandle::refcount = 0;
373 
375 {
376  if (refcount == 0) {
377  assert(secp256k1_context_verify == nullptr);
378  secp256k1_context_verify = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
379  assert(secp256k1_context_verify != nullptr);
380  }
381  refcount++;
382 }
383 
385 {
386  refcount--;
387  if (refcount == 0) {
388  assert(secp256k1_context_verify != nullptr);
389  secp256k1_context_destroy(secp256k1_context_verify);
390  secp256k1_context_verify = nullptr;
391  }
392 }
393 
395  return secp256k1_context_verify;
396 }
XOnlyPubKey::CheckTapTweak
bool CheckTapTweak(const XOnlyPubKey &internal, const uint256 &merkle_root, bool parity) const
Verify that this is a Taproot tweaked output point, against a specified internal key,...
Definition: pubkey.cpp:227
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
BIP32_EXTKEY_SIZE
const unsigned int BIP32_EXTKEY_SIZE
Definition: pubkey.h:19
XOnlyPubKey::VerifySchnorr
bool VerifySchnorr(const uint256 &msg, Span< const unsigned char > sigbytes) const
Verify a Schnorr signature against this public key.
Definition: pubkey.cpp:206
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:35
ReadLE32
static uint32_t ReadLE32(const unsigned char *ptr)
Definition: common.h:24
assert
assert(!tx.IsCoinBase())
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:184
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:437
secp256k1_context_struct
Definition: secp256k1.c:75
secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:98
base_blob::data
const unsigned char * data() const
Definition: uint256.h:55
GetVerifyContext
const secp256k1_context * GetVerifyContext()
Access to the internal secp256k1 context used for verification.
Definition: pubkey.cpp:394
CPubKey::SIZE
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:38
uint256.h
CPubKey::Set
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:88
CPubKey::Derive
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:315
XOnlyPubKey::data
const unsigned char * data() const
Definition: pubkey.h:276
XOnlyPubKey
Definition: pubkey.h:220
secp256k1_recovery.h
CPubKey::vch
unsigned char vch[SIZE]
see www.keylength.com script supports up to 75 for single byte push
Definition: pubkey.h:48
ECCVerifyHandle::ECCVerifyHandle
ECCVerifyHandle()
Definition: pubkey.cpp:374
ReadBE32
static uint32_t ReadBE32(const unsigned char *ptr)
Definition: common.h:63
XOnlyPubKey::XOnlyPubKey
XOnlyPubKey()=default
Construct an empty x-only pubkey.
CPubKey::Decompress
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:300
CKeyID
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:22
CExtPubKey::nDepth
unsigned char nDepth
Definition: pubkey.h:288
pubkey.h
ECCVerifyHandle::refcount
static int refcount
Definition: pubkey.h:317
secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
CExtPubKey::Decode
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:346
CExtPubKey::Derive
bool Derive(CExtPubKey &out, unsigned int nChild) const
Definition: pubkey.cpp:355
ECCVerifyHandle::~ECCVerifyHandle
~ECCVerifyHandle()
Definition: pubkey.cpp:384
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:202
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:158
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:207
CExtPubKey::nChild
unsigned int nChild
Definition: pubkey.h:290
Span::size
constexpr std::size_t size() const noexcept
Definition: span.h:182
Span
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:92
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:456
CPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:113
secp256k1_schnorrsig.h
XOnlyPubKey::m_keydata
uint256 m_keydata
Definition: pubkey.h:223
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:302
secp256k1.h
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:190
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:284
CExtPubKey::vchFingerprint
unsigned char vchFingerprint[4]
Definition: pubkey.h:289
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:137
CPubKey::Verify
bool Verify(const uint256 &hash, const std::vector< unsigned char > &vchSig) const
Verify a DER signature (~72 bytes).
Definition: pubkey.cpp:253
span.h
WriteBE32
static void WriteBE32(unsigned char *ptr, uint32_t x)
Definition: common.h:77
Span::begin
constexpr C * begin() const noexcept
Definition: span.h:170
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:191
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
CPubKey::size
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:111
CPubKey::COMPRESSED_SIZE
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:39
uint256
256-bit opaque blob.
Definition: uint256.h:124
CExtPubKey::Encode
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:337
CPubKey::RecoverCompact
bool RecoverCompact(const uint256 &hash, const std::vector< unsigned char > &vchSig)
Recover a public key from a compact signature.
Definition: pubkey.cpp:271
XOnlyPubKey::IsFullyValid
bool IsFullyValid() const
Determine if this pubkey is fully valid.
Definition: pubkey.cpp:200
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
BIP32Hash
void BIP32Hash(const ChainCode &chainCode, unsigned int nChild, unsigned char header, const unsigned char data[32], unsigned char output[64])
Definition: hash.cpp:75
Span::data
constexpr C * data() const noexcept
Definition: span.h:169
CPubKey
An encapsulated public key.
Definition: pubkey.h:32
CExtPubKey::chaincode
ChainCode chaincode
Definition: pubkey.h:291
CPubKey::COMPACT_SIGNATURE_SIZE
static constexpr unsigned int COMPACT_SIGNATURE_SIZE
Definition: pubkey.h:41
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
secp256k1_ecdsa_signature::data
unsigned char data[64]
Definition: secp256k1.h:84
HASHER_TAPTWEAK
static const CHashWriter HASHER_TAPTWEAK
Definition: pubkey.cpp:214
CHashWriter
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:100
XOnlyPubKey::GetKeyIDs
std::vector< CKeyID > GetKeyIDs() const
Returns a list of CKeyIDs for the CPubKeys that could have been used to create this XOnlyPubKey.
Definition: pubkey.cpp:183
CPubKey::IsFullyValid
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid())
Definition: pubkey.cpp:292
hash.h
XOnlyPubKey::ComputeTapTweakHash
uint256 ComputeTapTweakHash(const uint256 *merkle_root) const
Compute the Taproot tweak as specified in BIP341, with *this as internal key:
Definition: pubkey.cpp:216
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:391
TaggedHash
CHashWriter TaggedHash(const std::string &tag)
Return a CHashWriter primed for tagged hashes (as specified in BIP 340).
Definition: hash.cpp:89
CPubKey::IsValid
bool IsValid() const
Definition: pubkey.h:185
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:695
CExtPubKey::pubkey
CPubKey pubkey
Definition: pubkey.h:292
secp256k1_xonly_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Tweak an x-only public key by adding the generator multiplied with tweak32 to it.
Definition: main_impl.h:117
secp256k1_extrakeys.h
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
CExtPubKey
Definition: pubkey.h:287
Span::end
constexpr C * end() const noexcept
Definition: span.h:171
base_blob::begin
unsigned char * begin()
Definition: uint256.h:58
XOnlyPubKey::CreateTapTweak
std::optional< std::pair< XOnlyPubKey, bool > > CreateTapTweak(const uint256 *merkle_root) const
Construct a Taproot tweaked output point with this point as internal key.
Definition: pubkey.cpp:235
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
ctx
static secp256k1_context * ctx
Definition: tests.c:42
CPubKey::GetID
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:160
CPubKey::CheckLowS
static bool CheckLowS(const std::vector< unsigned char > &vchSig)
Check whether a signature is normalized (lower-S).
Definition: pubkey.cpp:363
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
base_blob::end
unsigned char * end()
Definition: uint256.h:63