Bitcoin Core  22.99.0
P2P Digital Currency
pubkey.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-2020 The Bitcoin Core developers
2 // Copyright (c) 2017 The Zcash developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 
6 #include <pubkey.h>
7 
8 #include <hash.h>
9 #include <secp256k1.h>
10 #include <secp256k1_extrakeys.h>
11 #include <secp256k1_recovery.h>
12 #include <secp256k1_schnorrsig.h>
13 #include <span.h>
14 #include <uint256.h>
15 
16 #include <algorithm>
17 #include <cassert>
18 
19 namespace
20 {
21 /* Global secp256k1_context object used for verification. */
22 secp256k1_context* secp256k1_context_verify = nullptr;
23 } // namespace
24 
35 int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
36  size_t rpos, rlen, spos, slen;
37  size_t pos = 0;
38  size_t lenbyte;
39  unsigned char tmpsig[64] = {0};
40  int overflow = 0;
41 
42  /* Hack to initialize sig with a correctly-parsed but invalid signature. */
43  secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
44 
45  /* Sequence tag byte */
46  if (pos == inputlen || input[pos] != 0x30) {
47  return 0;
48  }
49  pos++;
50 
51  /* Sequence length bytes */
52  if (pos == inputlen) {
53  return 0;
54  }
55  lenbyte = input[pos++];
56  if (lenbyte & 0x80) {
57  lenbyte -= 0x80;
58  if (lenbyte > inputlen - pos) {
59  return 0;
60  }
61  pos += lenbyte;
62  }
63 
64  /* Integer tag byte for R */
65  if (pos == inputlen || input[pos] != 0x02) {
66  return 0;
67  }
68  pos++;
69 
70  /* Integer length for R */
71  if (pos == inputlen) {
72  return 0;
73  }
74  lenbyte = input[pos++];
75  if (lenbyte & 0x80) {
76  lenbyte -= 0x80;
77  if (lenbyte > inputlen - pos) {
78  return 0;
79  }
80  while (lenbyte > 0 && input[pos] == 0) {
81  pos++;
82  lenbyte--;
83  }
84  static_assert(sizeof(size_t) >= 4, "size_t too small");
85  if (lenbyte >= 4) {
86  return 0;
87  }
88  rlen = 0;
89  while (lenbyte > 0) {
90  rlen = (rlen << 8) + input[pos];
91  pos++;
92  lenbyte--;
93  }
94  } else {
95  rlen = lenbyte;
96  }
97  if (rlen > inputlen - pos) {
98  return 0;
99  }
100  rpos = pos;
101  pos += rlen;
102 
103  /* Integer tag byte for S */
104  if (pos == inputlen || input[pos] != 0x02) {
105  return 0;
106  }
107  pos++;
108 
109  /* Integer length for S */
110  if (pos == inputlen) {
111  return 0;
112  }
113  lenbyte = input[pos++];
114  if (lenbyte & 0x80) {
115  lenbyte -= 0x80;
116  if (lenbyte > inputlen - pos) {
117  return 0;
118  }
119  while (lenbyte > 0 && input[pos] == 0) {
120  pos++;
121  lenbyte--;
122  }
123  static_assert(sizeof(size_t) >= 4, "size_t too small");
124  if (lenbyte >= 4) {
125  return 0;
126  }
127  slen = 0;
128  while (lenbyte > 0) {
129  slen = (slen << 8) + input[pos];
130  pos++;
131  lenbyte--;
132  }
133  } else {
134  slen = lenbyte;
135  }
136  if (slen > inputlen - pos) {
137  return 0;
138  }
139  spos = pos;
140 
141  /* Ignore leading zeroes in R */
142  while (rlen > 0 && input[rpos] == 0) {
143  rlen--;
144  rpos++;
145  }
146  /* Copy R value */
147  if (rlen > 32) {
148  overflow = 1;
149  } else {
150  memcpy(tmpsig + 32 - rlen, input + rpos, rlen);
151  }
152 
153  /* Ignore leading zeroes in S */
154  while (slen > 0 && input[spos] == 0) {
155  slen--;
156  spos++;
157  }
158  /* Copy S value */
159  if (slen > 32) {
160  overflow = 1;
161  } else {
162  memcpy(tmpsig + 64 - slen, input + spos, slen);
163  }
164 
165  if (!overflow) {
166  overflow = !secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
167  }
168  if (overflow) {
169  /* Overwrite the result again with a correctly-parsed but invalid
170  signature if parsing failed. */
171  memset(tmpsig, 0, 64);
172  secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
173  }
174  return 1;
175 }
176 
177 XOnlyPubKey::XOnlyPubKey(Span<const unsigned char> bytes)
178 {
179  assert(bytes.size() == 32);
180  std::copy(bytes.begin(), bytes.end(), m_keydata.begin());
181 }
182 
183 bool XOnlyPubKey::IsFullyValid() const
184 {
185  secp256k1_xonly_pubkey pubkey;
186  return secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &pubkey, m_keydata.data());
187 }
188 
189 bool XOnlyPubKey::VerifySchnorr(const uint256& msg, Span<const unsigned char> sigbytes) const
190 {
191  assert(sigbytes.size() == 64);
192  secp256k1_xonly_pubkey pubkey;
193  if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &pubkey, m_keydata.data())) return false;
194  return secp256k1_schnorrsig_verify(secp256k1_context_verify, sigbytes.data(), msg.begin(), 32, &pubkey);
195 }
196 
197 static const CHashWriter HASHER_TAPTWEAK = TaggedHash("TapTweak");
198 
199 uint256 XOnlyPubKey::ComputeTapTweakHash(const uint256* merkle_root) const
200 {
201  if (merkle_root == nullptr) {
202  // We have no scripts. The actual tweak does not matter, but follow BIP341 here to
203  // allow for reproducible tweaking.
204  return (CHashWriter(HASHER_TAPTWEAK) << m_keydata).GetSHA256();
205  } else {
206  return (CHashWriter(HASHER_TAPTWEAK) << m_keydata << *merkle_root).GetSHA256();
207  }
208 }
209 
210 bool XOnlyPubKey::CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const
211 {
212  secp256k1_xonly_pubkey internal_key;
213  if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &internal_key, internal.data())) return false;
214  uint256 tweak = internal.ComputeTapTweakHash(&merkle_root);
215  return secp256k1_xonly_pubkey_tweak_add_check(secp256k1_context_verify, m_keydata.begin(), parity, &internal_key, tweak.begin());
216 }
217 
218 std::optional<std::pair<XOnlyPubKey, bool>> XOnlyPubKey::CreateTapTweak(const uint256* merkle_root) const
219 {
220  secp256k1_xonly_pubkey base_point;
221  if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &base_point, data())) return std::nullopt;
222  secp256k1_pubkey out;
223  uint256 tweak = ComputeTapTweakHash(merkle_root);
224  if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_verify, &out, &base_point, tweak.data())) return std::nullopt;
225  int parity = -1;
226  std::pair<XOnlyPubKey, bool> ret;
227  secp256k1_xonly_pubkey out_xonly;
228  if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_verify, &out_xonly, &parity, &out)) return std::nullopt;
229  secp256k1_xonly_pubkey_serialize(secp256k1_context_verify, ret.first.begin(), &out_xonly);
230  assert(parity == 0 || parity == 1);
231  ret.second = parity;
232  return ret;
233 }
234 
235 
236 bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) const {
237  if (!IsValid())
238  return false;
239  secp256k1_pubkey pubkey;
240  secp256k1_ecdsa_signature sig;
241  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
242  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
243  return false;
244  }
245  if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, vchSig.data(), vchSig.size())) {
246  return false;
247  }
248  /* libsecp256k1's ECDSA verification requires lower-S signatures, which have
249  * not historically been enforced in Bitcoin, so normalize them first. */
250  secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, &sig, &sig);
251  return secp256k1_ecdsa_verify(secp256k1_context_verify, &sig, hash.begin(), &pubkey);
252 }
253 
254 bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
255  if (vchSig.size() != COMPACT_SIGNATURE_SIZE)
256  return false;
257  int recid = (vchSig[0] - 27) & 3;
258  bool fComp = ((vchSig[0] - 27) & 4) != 0;
259  secp256k1_pubkey pubkey;
260  secp256k1_ecdsa_recoverable_signature sig;
261  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
262  if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_verify, &sig, &vchSig[1], recid)) {
263  return false;
264  }
265  if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig, hash.begin())) {
266  return false;
267  }
268  unsigned char pub[SIZE];
269  size_t publen = SIZE;
270  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
271  Set(pub, pub + publen);
272  return true;
273 }
274 
275 bool CPubKey::IsFullyValid() const {
276  if (!IsValid())
277  return false;
278  secp256k1_pubkey pubkey;
279  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
280  return secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size());
281 }
282 
283 bool CPubKey::Decompress() {
284  if (!IsValid())
285  return false;
286  secp256k1_pubkey pubkey;
287  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
288  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
289  return false;
290  }
291  unsigned char pub[SIZE];
292  size_t publen = SIZE;
293  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
294  Set(pub, pub + publen);
295  return true;
296 }
297 
298 bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
299  assert(IsValid());
300  assert((nChild >> 31) == 0);
301  assert(size() == COMPRESSED_SIZE);
302  unsigned char out[64];
303  BIP32Hash(cc, nChild, *begin(), begin()+1, out);
304  memcpy(ccChild.begin(), out+32, 32);
305  secp256k1_pubkey pubkey;
306  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
307  if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
308  return false;
309  }
310  if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey, out)) {
311  return false;
312  }
313  unsigned char pub[COMPRESSED_SIZE];
314  size_t publen = COMPRESSED_SIZE;
315  secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
316  pubkeyChild.Set(pub, pub + publen);
317  return true;
318 }
319 
320 void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
321  code[0] = nDepth;
322  memcpy(code+1, vchFingerprint, 4);
323  code[5] = (nChild >> 24) & 0xFF; code[6] = (nChild >> 16) & 0xFF;
324  code[7] = (nChild >> 8) & 0xFF; code[8] = (nChild >> 0) & 0xFF;
325  memcpy(code+9, chaincode.begin(), 32);
326  assert(pubkey.size() == CPubKey::COMPRESSED_SIZE);
327  memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_SIZE);
328 }
329 
330 void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
331  nDepth = code[0];
332  memcpy(vchFingerprint, code+1, 4);
333  nChild = (code[5] << 24) | (code[6] << 16) | (code[7] << 8) | code[8];
334  memcpy(chaincode.begin(), code+9, 32);
335  pubkey.Set(code+41, code+BIP32_EXTKEY_SIZE);
336 }
337 
338 bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
339  out.nDepth = nDepth + 1;
340  CKeyID id = pubkey.GetID();
341  memcpy(out.vchFingerprint, &id, 4);
342  out.nChild = _nChild;
343  return pubkey.Derive(out.pubkey, out.chaincode, _nChild, chaincode);
344 }
345 
346 /* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
347  secp256k1_ecdsa_signature sig;
348  assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
349  if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, vchSig.data(), vchSig.size())) {
350  return false;
351  }
352  return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, nullptr, &sig));
353 }
354 
355 /* static */ int ECCVerifyHandle::refcount = 0;
356 
357 ECCVerifyHandle::ECCVerifyHandle()
358 {
359  if (refcount == 0) {
360  assert(secp256k1_context_verify == nullptr);
361  secp256k1_context_verify = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
362  assert(secp256k1_context_verify != nullptr);
363  }
364  refcount++;
365 }
366 
367 ECCVerifyHandle::~ECCVerifyHandle()
368 {
369  refcount--;
370  if (refcount == 0) {
371  assert(secp256k1_context_verify != nullptr);
372  secp256k1_context_destroy(secp256k1_context_verify);
373  secp256k1_context_verify = nullptr;
374  }
375 }
376 
377 const secp256k1_context* GetVerifyContext() {
378  return secp256k1_context_verify;
379 }
XOnlyPubKey::CheckTapTweak
bool CheckTapTweak(const XOnlyPubKey &internal, const uint256 &merkle_root, bool parity) const
Verify that this is a Taproot tweaked output point, against a specified internal key,...
Definition: pubkey.cpp:210
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
BIP32_EXTKEY_SIZE
const unsigned int BIP32_EXTKEY_SIZE
Definition: pubkey.h:19
XOnlyPubKey::VerifySchnorr
bool VerifySchnorr(const uint256 &msg, Span< const unsigned char > sigbytes) const
Verify a Schnorr signature against this public key.
Definition: pubkey.cpp:189
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:35
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:184
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:437
secp256k1_context_struct
Definition: secp256k1.c:75
secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:98
base_blob::data
const unsigned char * data() const
Definition: uint256.h:55
GetVerifyContext
const secp256k1_context * GetVerifyContext()
Access to the internal secp256k1 context used for verification.
Definition: pubkey.cpp:377
CPubKey::SIZE
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:38
uint256.h
CPubKey::Set
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:88
CPubKey::Derive
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:298
XOnlyPubKey::data
const unsigned char * data() const
Definition: pubkey.h:271
XOnlyPubKey
Definition: pubkey.h:220
secp256k1_recovery.h
CPubKey::vch
unsigned char vch[SIZE]
see www.keylength.com script supports up to 75 for single byte push
Definition: pubkey.h:48
ECCVerifyHandle::ECCVerifyHandle
ECCVerifyHandle()
Definition: pubkey.cpp:357
XOnlyPubKey::XOnlyPubKey
XOnlyPubKey()=default
Construct an empty x-only pubkey.
CPubKey::Decompress
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:283
CKeyID
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:22
CExtPubKey::nDepth
unsigned char nDepth
Definition: pubkey.h:283
pubkey.h
ECCVerifyHandle::refcount
static int refcount
Definition: pubkey.h:312
secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
CExtPubKey::Decode
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:330
CExtPubKey::Derive
bool Derive(CExtPubKey &out, unsigned int nChild) const
Definition: pubkey.cpp:338
ECCVerifyHandle::~ECCVerifyHandle
~ECCVerifyHandle()
Definition: pubkey.cpp:367
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:202
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:158
secp256k1_schnorrsig_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(const secp256k1_context *ctx, const unsigned char *sig64, const unsigned char *msg, size_t msglen, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(5)
Verify a Schnorr signature.
Definition: main_impl.h:207
CExtPubKey::nChild
unsigned int nChild
Definition: pubkey.h:285
Span::size
constexpr std::size_t size() const noexcept
Definition: span.h:182
Span
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:92
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:456
CPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:113
secp256k1_schnorrsig.h
XOnlyPubKey::m_keydata
uint256 m_keydata
Definition: pubkey.h:223
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:302
secp256k1.h
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:190
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:284
CExtPubKey::vchFingerprint
unsigned char vchFingerprint[4]
Definition: pubkey.h:284
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:137
CPubKey::Verify
bool Verify(const uint256 &hash, const std::vector< unsigned char > &vchSig) const
Verify a DER signature (~72 bytes).
Definition: pubkey.cpp:236
span.h
Span::begin
constexpr C * begin() const noexcept
Definition: span.h:170
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:191
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:135
CPubKey::size
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:111
CPubKey::COMPRESSED_SIZE
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:39
uint256
256-bit opaque blob.
Definition: uint256.h:124
CExtPubKey::Encode
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:320
CPubKey::RecoverCompact
bool RecoverCompact(const uint256 &hash, const std::vector< unsigned char > &vchSig)
Recover a public key from a compact signature.
Definition: pubkey.cpp:254
XOnlyPubKey::IsFullyValid
bool IsFullyValid() const
Determine if this pubkey is fully valid.
Definition: pubkey.cpp:183
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
BIP32Hash
void BIP32Hash(const ChainCode &chainCode, unsigned int nChild, unsigned char header, const unsigned char data[32], unsigned char output[64])
Definition: hash.cpp:74
Span::data
constexpr C * data() const noexcept
Definition: span.h:169
CPubKey
An encapsulated public key.
Definition: pubkey.h:32
CExtPubKey::chaincode
ChainCode chaincode
Definition: pubkey.h:286
CPubKey::COMPACT_SIGNATURE_SIZE
static constexpr unsigned int COMPACT_SIGNATURE_SIZE
Definition: pubkey.h:41
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
secp256k1_ecdsa_signature::data
unsigned char data[64]
Definition: secp256k1.h:84
HASHER_TAPTWEAK
static const CHashWriter HASHER_TAPTWEAK
Definition: pubkey.cpp:197
CHashWriter
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:100
CPubKey::IsFullyValid
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid())
Definition: pubkey.cpp:275
hash.h
assert
assert(s1.IsAddrV1Compatible())
XOnlyPubKey::ComputeTapTweakHash
uint256 ComputeTapTweakHash(const uint256 *merkle_root) const
Compute the Taproot tweak as specified in BIP341, with *this as internal key:
Definition: pubkey.cpp:199
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:391
TaggedHash
CHashWriter TaggedHash(const std::string &tag)
Return a CHashWriter primed for tagged hashes (as specified in BIP 340).
Definition: hash.cpp:91
CPubKey::IsValid
bool IsValid() const
Definition: pubkey.h:185
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:695
CExtPubKey::pubkey
CPubKey pubkey
Definition: pubkey.h:287
secp256k1_xonly_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Tweak an x-only public key by adding the generator multiplied with tweak32 to it.
Definition: main_impl.h:117
secp256k1_extrakeys.h
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
CExtPubKey
Definition: pubkey.h:282
Span::end
constexpr C * end() const noexcept
Definition: span.h:171
base_blob::begin
unsigned char * begin()
Definition: uint256.h:58
XOnlyPubKey::CreateTapTweak
std::optional< std::pair< XOnlyPubKey, bool > > CreateTapTweak(const uint256 *merkle_root) const
Construct a Taproot tweaked output point with this point as internal key.
Definition: pubkey.cpp:218
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
ctx
static secp256k1_context * ctx
Definition: tests.c:42
CPubKey::GetID
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:160
CPubKey::CheckLowS
static bool CheckLowS(const std::vector< unsigned char > &vchSig)
Check whether a signature is normalized (lower-S).
Definition: pubkey.cpp:346
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22
Generated on Wed Aug 4 2021 20:04:25 for Bitcoin Core by   doxygen 1.8.17