Bitcoin Core  27.99.0
P2P Digital Currency
pubkey.h
Go to the documentation of this file.
1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2022 The Bitcoin Core developers
3 // Copyright (c) 2017 The Zcash developers
4 // Distributed under the MIT software license, see the accompanying
5 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
6 
7 #ifndef BITCOIN_PUBKEY_H
8 #define BITCOIN_PUBKEY_H
9 
10 #include <hash.h>
11 #include <serialize.h>
12 #include <span.h>
13 #include <uint256.h>
14 
15 #include <cstring>
16 #include <optional>
17 #include <vector>
18 
19 const unsigned int BIP32_EXTKEY_SIZE = 74;
20 const unsigned int BIP32_EXTKEY_WITH_VERSION_SIZE = 78;
21 
23 class CKeyID : public uint160
24 {
25 public:
26  CKeyID() : uint160() {}
27  explicit CKeyID(const uint160& in) : uint160(in) {}
28 };
29 
31 
33 class CPubKey
34 {
35 public:
39  static constexpr unsigned int SIZE = 65;
40  static constexpr unsigned int COMPRESSED_SIZE = 33;
41  static constexpr unsigned int SIGNATURE_SIZE = 72;
42  static constexpr unsigned int COMPACT_SIGNATURE_SIZE = 65;
47  static_assert(
49  "COMPRESSED_SIZE is larger than SIZE");
50 
51 private:
52 
57  unsigned char vch[SIZE];
58 
60  unsigned int static GetLen(unsigned char chHeader)
61  {
62  if (chHeader == 2 || chHeader == 3)
63  return COMPRESSED_SIZE;
64  if (chHeader == 4 || chHeader == 6 || chHeader == 7)
65  return SIZE;
66  return 0;
67  }
68 
70  void Invalidate()
71  {
72  vch[0] = 0xFF;
73  }
74 
75 public:
76 
77  bool static ValidSize(const std::vector<unsigned char> &vch) {
78  return vch.size() > 0 && GetLen(vch[0]) == vch.size();
79  }
80 
83  {
84  Invalidate();
85  }
86 
88  template <typename T>
89  void Set(const T pbegin, const T pend)
90  {
91  int len = pend == pbegin ? 0 : GetLen(pbegin[0]);
92  if (len && len == (pend - pbegin))
93  memcpy(vch, (unsigned char*)&pbegin[0], len);
94  else
95  Invalidate();
96  }
97 
99  template <typename T>
100  CPubKey(const T pbegin, const T pend)
101  {
102  Set(pbegin, pend);
103  }
104 
107  {
108  Set(_vch.begin(), _vch.end());
109  }
110 
112  unsigned int size() const { return GetLen(vch[0]); }
113  const unsigned char* data() const { return vch; }
114  const unsigned char* begin() const { return vch; }
115  const unsigned char* end() const { return vch + size(); }
116  const unsigned char& operator[](unsigned int pos) const { return vch[pos]; }
117 
119  friend bool operator==(const CPubKey& a, const CPubKey& b)
120  {
121  return a.vch[0] == b.vch[0] &&
122  memcmp(a.vch, b.vch, a.size()) == 0;
123  }
124  friend bool operator!=(const CPubKey& a, const CPubKey& b)
125  {
126  return !(a == b);
127  }
128  friend bool operator<(const CPubKey& a, const CPubKey& b)
129  {
130  return a.vch[0] < b.vch[0] ||
131  (a.vch[0] == b.vch[0] && memcmp(a.vch, b.vch, a.size()) < 0);
132  }
133  friend bool operator>(const CPubKey& a, const CPubKey& b)
134  {
135  return a.vch[0] > b.vch[0] ||
136  (a.vch[0] == b.vch[0] && memcmp(a.vch, b.vch, a.size()) > 0);
137  }
138 
140  template <typename Stream>
141  void Serialize(Stream& s) const
142  {
143  unsigned int len = size();
144  ::WriteCompactSize(s, len);
145  s << Span{vch, len};
146  }
147  template <typename Stream>
148  void Unserialize(Stream& s)
149  {
150  const unsigned int len(::ReadCompactSize(s));
151  if (len <= SIZE) {
152  s >> Span{vch, len};
153  if (len != size()) {
154  Invalidate();
155  }
156  } else {
157  // invalid pubkey, skip available data
158  s.ignore(len);
159  Invalidate();
160  }
161  }
162 
164  CKeyID GetID() const
165  {
166  return CKeyID(Hash160(Span{vch}.first(size())));
167  }
168 
170  uint256 GetHash() const
171  {
172  return Hash(Span{vch}.first(size()));
173  }
174 
175  /*
176  * Check syntactic correctness.
177  *
178  * When setting a pubkey (Set()) or deserializing fails (its header bytes
179  * don't match the length of the data), the size is set to 0. Thus,
180  * by checking size, one can observe whether Set() or deserialization has
181  * failed.
182  *
183  * This does not check for more than that. In particular, it does not verify
184  * that the coordinates correspond to a point on the curve (see IsFullyValid()
185  * for that instead).
186  *
187  * Note that this is consensus critical as CheckECDSASignature() calls it!
188  */
189  bool IsValid() const
190  {
191  return size() > 0;
192  }
193 
195  bool IsValidNonHybrid() const noexcept
196  {
197  return size() > 0 && (vch[0] == 0x02 || vch[0] == 0x03 || vch[0] == 0x04);
198  }
199 
201  bool IsFullyValid() const;
202 
204  bool IsCompressed() const
205  {
206  return size() == COMPRESSED_SIZE;
207  }
208 
213  bool Verify(const uint256& hash, const std::vector<unsigned char>& vchSig) const;
214 
218  static bool CheckLowS(const std::vector<unsigned char>& vchSig);
219 
221  bool RecoverCompact(const uint256& hash, const std::vector<unsigned char>& vchSig);
222 
224  bool Decompress();
225 
227  [[nodiscard]] bool Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const;
228 };
229 
231 {
232 private:
234 
235 public:
237  XOnlyPubKey() = default;
238 
239  XOnlyPubKey(const XOnlyPubKey&) = default;
240  XOnlyPubKey& operator=(const XOnlyPubKey&) = default;
241 
245  bool IsFullyValid() const;
246 
249  bool IsNull() const { return m_keydata.IsNull(); }
250 
252  explicit XOnlyPubKey(Span<const unsigned char> bytes);
253 
255  explicit XOnlyPubKey(const CPubKey& pubkey) : XOnlyPubKey(Span{pubkey}.subspan(1, 32)) {}
256 
261  bool VerifySchnorr(const uint256& msg, Span<const unsigned char> sigbytes) const;
262 
271  uint256 ComputeTapTweakHash(const uint256* merkle_root) const;
272 
275  bool CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const;
276 
278  std::optional<std::pair<XOnlyPubKey, bool>> CreateTapTweak(const uint256* merkle_root) const;
279 
283  std::vector<CKeyID> GetKeyIDs() const;
284 
286 
287  const unsigned char& operator[](int pos) const { return *(m_keydata.begin() + pos); }
288  static constexpr size_t size() { return decltype(m_keydata)::size(); }
289  const unsigned char* data() const { return m_keydata.begin(); }
290  const unsigned char* begin() const { return m_keydata.begin(); }
291  const unsigned char* end() const { return m_keydata.end(); }
292  unsigned char* data() { return m_keydata.begin(); }
293  unsigned char* begin() { return m_keydata.begin(); }
294  unsigned char* end() { return m_keydata.end(); }
295  bool operator==(const XOnlyPubKey& other) const { return m_keydata == other.m_keydata; }
296  bool operator!=(const XOnlyPubKey& other) const { return m_keydata != other.m_keydata; }
297  bool operator<(const XOnlyPubKey& other) const { return m_keydata < other.m_keydata; }
298 
300  SERIALIZE_METHODS(XOnlyPubKey, obj) { READWRITE(obj.m_keydata); }
301 };
302 
305 {
306 private:
307  static constexpr size_t SIZE = 64;
308  std::array<std::byte, SIZE> m_pubkey;
309 
310 public:
312  EllSwiftPubKey() noexcept = default;
313 
315  EllSwiftPubKey(Span<const std::byte> ellswift) noexcept;
316 
318  CPubKey Decode() const;
319 
320  // Read-only access for serialization.
321  const std::byte* data() const { return m_pubkey.data(); }
322  static constexpr size_t size() { return SIZE; }
323  auto begin() const { return m_pubkey.cbegin(); }
324  auto end() const { return m_pubkey.cend(); }
325 
326  bool friend operator==(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
327  {
328  return a.m_pubkey == b.m_pubkey;
329  }
330 
331  bool friend operator!=(const EllSwiftPubKey& a, const EllSwiftPubKey& b)
332  {
333  return a.m_pubkey != b.m_pubkey;
334  }
335 };
336 
337 struct CExtPubKey {
338  unsigned char version[4];
339  unsigned char nDepth;
340  unsigned char vchFingerprint[4];
341  unsigned int nChild;
344 
345  friend bool operator==(const CExtPubKey &a, const CExtPubKey &b)
346  {
347  return a.nDepth == b.nDepth &&
348  memcmp(a.vchFingerprint, b.vchFingerprint, sizeof(vchFingerprint)) == 0 &&
349  a.nChild == b.nChild &&
350  a.chaincode == b.chaincode &&
351  a.pubkey == b.pubkey;
352  }
353 
354  friend bool operator!=(const CExtPubKey &a, const CExtPubKey &b)
355  {
356  return !(a == b);
357  }
358 
359  friend bool operator<(const CExtPubKey &a, const CExtPubKey &b)
360  {
361  if (a.pubkey < b.pubkey) {
362  return true;
363  } else if (a.pubkey > b.pubkey) {
364  return false;
365  }
366  return a.chaincode < b.chaincode;
367  }
368 
369  void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const;
370  void Decode(const unsigned char code[BIP32_EXTKEY_SIZE]);
371  void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const;
372  void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]);
373  [[nodiscard]] bool Derive(CExtPubKey& out, unsigned int nChild) const;
374 };
375 
376 #endif // BITCOIN_PUBKEY_H
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:24
CKeyID()
Definition: pubkey.h:26
CKeyID(const uint160 &in)
Definition: pubkey.h:27
An encapsulated public key.
Definition: pubkey.h:34
bool RecoverCompact(const uint256 &hash, const std::vector< unsigned char > &vchSig)
Recover a public key from a compact signature.
Definition: pubkey.cpp:284
const unsigned char * end() const
Definition: pubkey.h:115
bool IsCompressed() const
Check whether this is a compressed public key.
Definition: pubkey.h:204
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:164
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:40
CPubKey()
Construct an invalid public key.
Definition: pubkey.h:82
static bool CheckLowS(const std::vector< unsigned char > &vchSig)
Check whether a signature is normalized (lower-S).
Definition: pubkey.cpp:405
bool IsValid() const
Definition: pubkey.h:189
friend bool operator>(const CPubKey &a, const CPubKey &b)
Definition: pubkey.h:133
bool Decompress()
Turn this public key into an uncompressed public key.
Definition: pubkey.cpp:311
bool Verify(const uint256 &hash, const std::vector< unsigned char > &vchSig) const
Verify a DER signature (~72 bytes).
Definition: pubkey.cpp:267
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:39
bool IsFullyValid() const
fully validate whether this is a valid public key (more expensive than IsValid())
Definition: pubkey.cpp:304
unsigned int size() const
Simple read-only vector-like interface to the pubkey data.
Definition: pubkey.h:112
static bool ValidSize(const std::vector< unsigned char > &vch)
Definition: pubkey.h:77
unsigned static int GetLen(unsigned char chHeader)
Compute the length of a pubkey with a given first byte.
Definition: pubkey.h:60
const unsigned char * begin() const
Definition: pubkey.h:114
friend bool operator==(const CPubKey &a, const CPubKey &b)
Comparator implementation.
Definition: pubkey.h:119
void Serialize(Stream &s) const
Implement serialization, as if this was a byte vector.
Definition: pubkey.h:141
unsigned char vch[SIZE]
see www.keylength.com script supports up to 75 for single byte push
Definition: pubkey.h:49
CPubKey(const T pbegin, const T pend)
Construct a public key using begin/end iterators to byte data.
Definition: pubkey.h:100
void Invalidate()
Set this key data to be invalid.
Definition: pubkey.h:70
CPubKey(Span< const uint8_t > _vch)
Construct a public key from a byte vector.
Definition: pubkey.h:106
void Unserialize(Stream &s)
Definition: pubkey.h:148
uint256 GetHash() const
Get the 256-bit hash of this public key.
Definition: pubkey.h:170
const unsigned char & operator[](unsigned int pos) const
Definition: pubkey.h:116
const unsigned char * data() const
Definition: pubkey.h:113
bool Derive(CPubKey &pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode &cc) const
Derive BIP32 child pubkey.
Definition: pubkey.cpp:325
static constexpr unsigned int SIGNATURE_SIZE
Definition: pubkey.h:41
bool IsValidNonHybrid() const noexcept
Check if a public key is a syntactically valid compressed or uncompressed key.
Definition: pubkey.h:195
static constexpr unsigned int COMPACT_SIGNATURE_SIZE
Definition: pubkey.h:42
void Set(const T pbegin, const T pend)
Initialize a public key using begin/end iterators to byte data.
Definition: pubkey.h:89
friend bool operator!=(const CPubKey &a, const CPubKey &b)
Definition: pubkey.h:124
friend bool operator<(const CPubKey &a, const CPubKey &b)
Definition: pubkey.h:128
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:98
constexpr C * end() const noexcept
Definition: span.h:176
constexpr C * begin() const noexcept
Definition: span.h:175
XOnlyPubKey & operator=(const XOnlyPubKey &)=default
unsigned char * end()
Definition: pubkey.h:294
bool IsNull() const
Test whether this is the 0 key (the result of default construction).
Definition: pubkey.h:249
std::optional< std::pair< XOnlyPubKey, bool > > CreateTapTweak(const uint256 *merkle_root) const
Construct a Taproot tweaked output point with this point as internal key.
Definition: pubkey.cpp:249
const unsigned char * begin() const
Definition: pubkey.h:290
unsigned char * begin()
Definition: pubkey.h:293
bool CheckTapTweak(const XOnlyPubKey &internal, const uint256 &merkle_root, bool parity) const
Verify that this is a Taproot tweaked output point, against a specified internal key,...
Definition: pubkey.cpp:241
static constexpr size_t size()
Definition: pubkey.h:288
unsigned char * data()
Definition: pubkey.h:292
SERIALIZE_METHODS(XOnlyPubKey, obj)
Implement serialization without length prefixes since it is a fixed length.
Definition: pubkey.h:300
CPubKey GetEvenCorrespondingCPubKey() const
Definition: pubkey.cpp:207
uint256 m_keydata
Definition: pubkey.h:233
bool operator!=(const XOnlyPubKey &other) const
Definition: pubkey.h:296
XOnlyPubKey(const XOnlyPubKey &)=default
XOnlyPubKey(const CPubKey &pubkey)
Construct an x-only pubkey from a normal pubkey.
Definition: pubkey.h:255
bool operator<(const XOnlyPubKey &other) const
Definition: pubkey.h:297
bool IsFullyValid() const
Determine if this pubkey is fully valid.
Definition: pubkey.cpp:214
bool VerifySchnorr(const uint256 &msg, Span< const unsigned char > sigbytes) const
Verify a Schnorr signature against this public key.
Definition: pubkey.cpp:220
std::vector< CKeyID > GetKeyIDs() const
Returns a list of CKeyIDs for the CPubKeys that could have been used to create this XOnlyPubKey.
Definition: pubkey.cpp:190
const unsigned char & operator[](int pos) const
Definition: pubkey.h:287
uint256 ComputeTapTweakHash(const uint256 *merkle_root) const
Compute the Taproot tweak as specified in BIP341, with *this as internal key:
Definition: pubkey.cpp:230
XOnlyPubKey()=default
Construct an empty x-only pubkey.
const unsigned char * data() const
Definition: pubkey.h:289
const unsigned char * end() const
Definition: pubkey.h:291
bool operator==(const XOnlyPubKey &other) const
Definition: pubkey.h:295
constexpr bool IsNull() const
Definition: uint256.h:42
constexpr unsigned char * end()
Definition: uint256.h:69
constexpr unsigned char * begin()
Definition: uint256.h:68
160-bit opaque blob.
Definition: uint256.h:95
256-bit opaque blob.
Definition: uint256.h:106
uint160 Hash160(const T1 &in1)
Compute the 160-bit hash an object.
Definition: hash.h:92
uint256 Hash(const T &in1)
Compute the 256-bit hash of an object.
Definition: hash.h:75
const unsigned int BIP32_EXTKEY_WITH_VERSION_SIZE
Definition: pubkey.h:20
const unsigned int BIP32_EXTKEY_SIZE
Definition: pubkey.h:19
uint256 ChainCode
Definition: pubkey.h:30
void WriteCompactSize(SizeComputer &os, uint64_t nSize)
Definition: serialize.h:1110
uint64_t ReadCompactSize(Stream &is, bool range_check=true)
Decode a CompactSize-encoded variable-length integer.
Definition: serialize.h:352
#define READWRITE(...)
Definition: serialize.h:156
friend bool operator==(const CExtPubKey &a, const CExtPubKey &b)
Definition: pubkey.h:345
unsigned char version[4]
Definition: pubkey.h:338
void Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const
Definition: pubkey.cpp:366
ChainCode chaincode
Definition: pubkey.h:342
bool Derive(CExtPubKey &out, unsigned int nChild) const
Definition: pubkey.cpp:396
void DecodeWithVersion(const unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE])
Definition: pubkey.cpp:390
void EncodeWithVersion(unsigned char code[BIP32_EXTKEY_WITH_VERSION_SIZE]) const
Definition: pubkey.cpp:384
unsigned char vchFingerprint[4]
Definition: pubkey.h:340
unsigned char nDepth
Definition: pubkey.h:339
friend bool operator!=(const CExtPubKey &a, const CExtPubKey &b)
Definition: pubkey.h:354
void Decode(const unsigned char code[BIP32_EXTKEY_SIZE])
Definition: pubkey.cpp:375
CPubKey pubkey
Definition: pubkey.h:343
unsigned int nChild
Definition: pubkey.h:341
friend bool operator<(const CExtPubKey &a, const CExtPubKey &b)
Definition: pubkey.h:359
An ElligatorSwift-encoded public key.
Definition: pubkey.h:305
auto begin() const
Definition: pubkey.h:323
bool friend operator==(const EllSwiftPubKey &a, const EllSwiftPubKey &b)
Definition: pubkey.h:326
std::array< std::byte, SIZE > m_pubkey
Definition: pubkey.h:308
CPubKey Decode() const
Decode to normal compressed CPubKey (for debugging purposes).
Definition: pubkey.cpp:352
static constexpr size_t SIZE
Definition: pubkey.h:307
bool friend operator!=(const EllSwiftPubKey &a, const EllSwiftPubKey &b)
Definition: pubkey.h:331
static constexpr size_t size()
Definition: pubkey.h:322
EllSwiftPubKey() noexcept=default
Default constructor creates all-zero pubkey (which is valid).
auto end() const
Definition: pubkey.h:324
const std::byte * data() const
Definition: pubkey.h:321