diff options
Diffstat (limited to 'cli/vendor/github.com/btcsuite/btcd')
13 files changed, 722 insertions, 0 deletions
diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/LICENSE b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/LICENSE new file mode 100644 index 0000000..23190ba --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/LICENSE @@ -0,0 +1,16 @@ +ISC License + +Copyright (c) 2013-2022 The btcsuite developers +Copyright (c) 2015-2016 The Decred developers + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/README.md b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/README.md new file mode 100644 index 0000000..cbf63dd --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/README.md @@ -0,0 +1,40 @@ +btcec +===== + +[](https://github.com/btcsuite/btcd/actions) +[](http://copyfree.org) +[](https://pkg.go.dev/github.com/btcsuite/btcd/btcec/v2) + +Package btcec implements elliptic curve cryptography needed for working with +Bitcoin (secp256k1 only for now). It is designed so that it may be used with the +standard crypto/ecdsa packages provided with go. A comprehensive suite of test +is provided to ensure proper functionality. Package btcec was originally based +on work from ThePiachu which is licensed under the same terms as Go, but it has +signficantly diverged since then. The btcsuite developers original is licensed +under the liberal ISC license. + +Although this package was primarily written for btcd, it has intentionally been +designed so it can be used as a standalone package for any projects needing to +use secp256k1 elliptic curve cryptography. + +## Installation and Updating + +```bash +$ go install -u -v github.com/btcsuite/btcd/btcec/v2 +``` + +## Examples + +* [Sign Message](https://pkg.go.dev/github.com/btcsuite/btcd/btcec/v2#example-package--SignMessage) + Demonstrates signing a message with a secp256k1 private key that is first + parsed form raw bytes and serializing the generated signature. + +* [Verify Signature](https://pkg.go.dev/github.com/btcsuite/btcd/btcec/v2#example-package--VerifySignature) + Demonstrates verifying a secp256k1 signature against a public key that is + first parsed from raw bytes. The signature is also parsed from raw bytes. + +## License + +Package btcec is licensed under the [copyfree](http://copyfree.org) ISC License +except for btcec.go and btcec_test.go which is under the same license as Go. + diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/btcec.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/btcec.go new file mode 100644 index 0000000..f85baba --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/btcec.go @@ -0,0 +1,56 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Copyright 2011 ThePiachu. All rights reserved. +// Copyright 2013-2014 The btcsuite developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package btcec + +// References: +// [SECG]: Recommended Elliptic Curve Domain Parameters +// http://www.secg.org/sec2-v2.pdf +// +// [GECC]: Guide to Elliptic Curve Cryptography (Hankerson, Menezes, Vanstone) + +// This package operates, internally, on Jacobian coordinates. For a given +// (x, y) position on the curve, the Jacobian coordinates are (x1, y1, z1) +// where x = x1/z1² and y = y1/z1³. The greatest speedups come when the whole +// calculation can be performed within the transform (as in ScalarMult and +// ScalarBaseMult). But even for Add and Double, it's faster to apply and +// reverse the transform than to operate in affine coordinates. + +import ( + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// KoblitzCurve provides an implementation for secp256k1 that fits the ECC +// Curve interface from crypto/elliptic. +type KoblitzCurve = secp.KoblitzCurve + +// S256 returns a Curve which implements secp256k1. +func S256() *KoblitzCurve { + return secp.S256() +} + +// CurveParams contains the parameters for the secp256k1 curve. +type CurveParams = secp.CurveParams + +// Params returns the secp256k1 curve parameters for convenience. +func Params() *CurveParams { + return secp.Params() +} + +// Generator returns the public key at the Generator Point. +func Generator() *PublicKey { + var ( + result JacobianPoint + k secp.ModNScalar + ) + + k.SetInt(1) + ScalarBaseMultNonConst(&k, &result) + + result.ToAffine() + + return NewPublicKey(&result.X, &result.Y) +} diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ciphering.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ciphering.go new file mode 100644 index 0000000..88d93e2 --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ciphering.go @@ -0,0 +1,16 @@ +// Copyright (c) 2015-2016 The btcsuite developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package btcec + +import ( + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// GenerateSharedSecret generates a shared secret based on a private key and a +// public key using Diffie-Hellman key exchange (ECDH) (RFC 4753). +// RFC5903 Section 9 states we should only return x. +func GenerateSharedSecret(privkey *PrivateKey, pubkey *PublicKey) []byte { + return secp.GenerateSharedSecret(privkey, pubkey) +} diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/curve.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/curve.go new file mode 100644 index 0000000..70a9229 --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/curve.go @@ -0,0 +1,115 @@ +// Copyright (c) 2015-2021 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers + +package btcec + +import ( + "fmt" + + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// JacobianPoint is an element of the group formed by the secp256k1 curve in +// Jacobian projective coordinates and thus represents a point on the curve. +type JacobianPoint = secp.JacobianPoint + +// infinityPoint is the jacobian representation of the point at infinity. +var infinityPoint JacobianPoint + +// MakeJacobianPoint returns a Jacobian point with the provided X, Y, and Z +// coordinates. +func MakeJacobianPoint(x, y, z *FieldVal) JacobianPoint { + return secp.MakeJacobianPoint(x, y, z) +} + +// AddNonConst adds the passed Jacobian points together and stores the result +// in the provided result param in *non-constant* time. +func AddNonConst(p1, p2, result *JacobianPoint) { + secp.AddNonConst(p1, p2, result) +} + +// DecompressY attempts to calculate the Y coordinate for the given X +// coordinate such that the result pair is a point on the secp256k1 curve. It +// adjusts Y based on the desired oddness and returns whether or not it was +// successful since not all X coordinates are valid. +// +// The magnitude of the provided X coordinate field val must be a max of 8 for +// a correct result. The resulting Y field val will have a max magnitude of 2. +func DecompressY(x *FieldVal, odd bool, resultY *FieldVal) bool { + return secp.DecompressY(x, odd, resultY) +} + +// DoubleNonConst doubles the passed Jacobian point and stores the result in +// the provided result parameter in *non-constant* time. +// +// NOTE: The point must be normalized for this function to return the correct +// result. The resulting point will be normalized. +func DoubleNonConst(p, result *JacobianPoint) { + secp.DoubleNonConst(p, result) +} + +// ScalarBaseMultNonConst multiplies k*G where G is the base point of the group +// and k is a big endian integer. The result is stored in Jacobian coordinates +// (x1, y1, z1). +// +// NOTE: The resulting point will be normalized. +func ScalarBaseMultNonConst(k *ModNScalar, result *JacobianPoint) { + secp.ScalarBaseMultNonConst(k, result) +} + +// ScalarMultNonConst multiplies k*P where k is a big endian integer modulo the +// curve order and P is a point in Jacobian projective coordinates and stores +// the result in the provided Jacobian point. +// +// NOTE: The point must be normalized for this function to return the correct +// result. The resulting point will be normalized. +func ScalarMultNonConst(k *ModNScalar, point, result *JacobianPoint) { + secp.ScalarMultNonConst(k, point, result) +} + +// ParseJacobian parses a byte slice point as a secp.Publickey and returns the +// pubkey as a JacobianPoint. If the nonce is a zero slice, the infinityPoint +// is returned. +func ParseJacobian(point []byte) (JacobianPoint, error) { + var result JacobianPoint + + if len(point) != 33 { + str := fmt.Sprintf("invalid nonce: invalid length: %v", + len(point)) + return JacobianPoint{}, makeError(secp.ErrPubKeyInvalidLen, str) + } + + if point[0] == 0x00 { + return infinityPoint, nil + } + + noncePk, err := secp.ParsePubKey(point) + if err != nil { + return JacobianPoint{}, err + } + noncePk.AsJacobian(&result) + + return result, nil +} + +// JacobianToByteSlice converts the passed JacobianPoint to a Pubkey +// and serializes that to a byte slice. If the JacobianPoint is the infinity +// point, a zero slice is returned. +func JacobianToByteSlice(point JacobianPoint) []byte { + if point.X == infinityPoint.X && point.Y == infinityPoint.Y { + return make([]byte, 33) + } + + point.ToAffine() + + return NewPublicKey( + &point.X, &point.Y, + ).SerializeCompressed() +} + +// GeneratorJacobian sets the passed JacobianPoint to the Generator Point. +func GeneratorJacobian(jacobian *JacobianPoint) { + var k ModNScalar + k.SetInt(1) + ScalarBaseMultNonConst(&k, jacobian) +} diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/doc.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/doc.go new file mode 100644 index 0000000..fa8346a --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/doc.go @@ -0,0 +1,21 @@ +// Copyright (c) 2013-2014 The btcsuite developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +/* +Package btcec implements support for the elliptic curves needed for bitcoin. + +Bitcoin uses elliptic curve cryptography using koblitz curves +(specifically secp256k1) for cryptographic functions. See +http://www.secg.org/collateral/sec2_final.pdf for details on the +standard. + +This package provides the data structures and functions implementing the +crypto/elliptic Curve interface in order to permit using these curves +with the standard crypto/ecdsa package provided with go. Helper +functionality is provided to parse signatures and public keys from +standard formats. It was designed for use with btcd, but should be +general enough for other uses of elliptic curve crypto. It was originally based +on some initial work by ThePiachu, but has significantly diverged since then. +*/ +package btcec diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ecdsa/error.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ecdsa/error.go new file mode 100644 index 0000000..a30d63b --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ecdsa/error.go @@ -0,0 +1,18 @@ +// Copyright (c) 2013-2021 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers + +package ecdsa + +import ( + secp_ecdsa "github.com/decred/dcrd/dcrec/secp256k1/v4/ecdsa" +) + +// ErrorKind identifies a kind of error. It has full support for +// errors.Is and errors.As, so the caller can directly check against +// an error kind when determining the reason for an error. +type ErrorKind = secp_ecdsa.ErrorKind + +// Error identifies an error related to an ECDSA signature. It has full +// support for errors.Is and errors.As, so the caller can ascertain the +// specific reason for the error by checking the underlying error. +type Error = secp_ecdsa.ErrorKind diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ecdsa/signature.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ecdsa/signature.go new file mode 100644 index 0000000..092e4ce --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/ecdsa/signature.go @@ -0,0 +1,240 @@ +// Copyright (c) 2013-2017 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package ecdsa + +import ( + "errors" + "fmt" + "math/big" + + "github.com/btcsuite/btcd/btcec/v2" + secp_ecdsa "github.com/decred/dcrd/dcrec/secp256k1/v4/ecdsa" +) + +// Errors returned by canonicalPadding. +var ( + errNegativeValue = errors.New("value may be interpreted as negative") + errExcessivelyPaddedValue = errors.New("value is excessively padded") +) + +// Signature is a type representing an ecdsa signature. +type Signature = secp_ecdsa.Signature + +// NewSignature instantiates a new signature given some r and s values. +func NewSignature(r, s *btcec.ModNScalar) *Signature { + return secp_ecdsa.NewSignature(r, s) +} + +var ( + // Used in RFC6979 implementation when testing the nonce for correctness + one = big.NewInt(1) + + // oneInitializer is used to fill a byte slice with byte 0x01. It is provided + // here to avoid the need to create it multiple times. + oneInitializer = []byte{0x01} +) + +// MinSigLen is the minimum length of a DER encoded signature and is when both R +// and S are 1 byte each. +// 0x30 + <1-byte> + 0x02 + 0x01 + <byte> + 0x2 + 0x01 + <byte> +const MinSigLen = 8 + +// canonicalPadding checks whether a big-endian encoded integer could +// possibly be misinterpreted as a negative number (even though OpenSSL +// treats all numbers as unsigned), or if there is any unnecessary +// leading zero padding. +func canonicalPadding(b []byte) error { + switch { + case b[0]&0x80 == 0x80: + return errNegativeValue + case len(b) > 1 && b[0] == 0x00 && b[1]&0x80 != 0x80: + return errExcessivelyPaddedValue + default: + return nil + } +} + +func parseSig(sigStr []byte, der bool) (*Signature, error) { + // Originally this code used encoding/asn1 in order to parse the + // signature, but a number of problems were found with this approach. + // Despite the fact that signatures are stored as DER, the difference + // between go's idea of a bignum (and that they have sign) doesn't agree + // with the openssl one (where they do not). The above is true as of + // Go 1.1. In the end it was simpler to rewrite the code to explicitly + // understand the format which is this: + // 0x30 <length of whole message> <0x02> <length of R> <R> 0x2 + // <length of S> <S>. + + if len(sigStr) < MinSigLen { + return nil, errors.New("malformed signature: too short") + } + // 0x30 + index := 0 + if sigStr[index] != 0x30 { + return nil, errors.New("malformed signature: no header magic") + } + index++ + // length of remaining message + siglen := sigStr[index] + index++ + + // siglen should be less than the entire message and greater than + // the minimal message size. + if int(siglen+2) > len(sigStr) || int(siglen+2) < MinSigLen { + return nil, errors.New("malformed signature: bad length") + } + // trim the slice we're working on so we only look at what matters. + sigStr = sigStr[:siglen+2] + + // 0x02 + if sigStr[index] != 0x02 { + return nil, + errors.New("malformed signature: no 1st int marker") + } + index++ + + // Length of signature R. + rLen := int(sigStr[index]) + // must be positive, must be able to fit in another 0x2, <len> <s> + // hence the -3. We assume that the length must be at least one byte. + index++ + if rLen <= 0 || rLen > len(sigStr)-index-3 { + return nil, errors.New("malformed signature: bogus R length") + } + + // Then R itself. + rBytes := sigStr[index : index+rLen] + if der { + switch err := canonicalPadding(rBytes); err { + case errNegativeValue: + return nil, errors.New("signature R is negative") + case errExcessivelyPaddedValue: + return nil, errors.New("signature R is excessively padded") + } + } + + // Strip leading zeroes from R. + for len(rBytes) > 0 && rBytes[0] == 0x00 { + rBytes = rBytes[1:] + } + + // R must be in the range [1, N-1]. Notice the check for the maximum number + // of bytes is required because SetByteSlice truncates as noted in its + // comment so it could otherwise fail to detect the overflow. + var r btcec.ModNScalar + if len(rBytes) > 32 { + str := "invalid signature: R is larger than 256 bits" + return nil, errors.New(str) + } + if overflow := r.SetByteSlice(rBytes); overflow { + str := "invalid signature: R >= group order" + return nil, errors.New(str) + } + if r.IsZero() { + str := "invalid signature: R is 0" + return nil, errors.New(str) + } + index += rLen + // 0x02. length already checked in previous if. + if sigStr[index] != 0x02 { + return nil, errors.New("malformed signature: no 2nd int marker") + } + index++ + + // Length of signature S. + sLen := int(sigStr[index]) + index++ + // S should be the rest of the string. + if sLen <= 0 || sLen > len(sigStr)-index { + return nil, errors.New("malformed signature: bogus S length") + } + + // Then S itself. + sBytes := sigStr[index : index+sLen] + if der { + switch err := canonicalPadding(sBytes); err { + case errNegativeValue: + return nil, errors.New("signature S is negative") + case errExcessivelyPaddedValue: + return nil, errors.New("signature S is excessively padded") + } + } + + // Strip leading zeroes from S. + for len(sBytes) > 0 && sBytes[0] == 0x00 { + sBytes = sBytes[1:] + } + + // S must be in the range [1, N-1]. Notice the check for the maximum number + // of bytes is required because SetByteSlice truncates as noted in its + // comment so it could otherwise fail to detect the overflow. + var s btcec.ModNScalar + if len(sBytes) > 32 { + str := "invalid signature: S is larger than 256 bits" + return nil, errors.New(str) + } + if overflow := s.SetByteSlice(sBytes); overflow { + str := "invalid signature: S >= group order" + return nil, errors.New(str) + } + if s.IsZero() { + str := "invalid signature: S is 0" + return nil, errors.New(str) + } + index += sLen + + // sanity check length parsing + if index != len(sigStr) { + return nil, fmt.Errorf("malformed signature: bad final length %v != %v", + index, len(sigStr)) + } + + return NewSignature(&r, &s), nil +} + +// ParseSignature parses a signature in BER format for the curve type `curve' +// into a Signature type, perfoming some basic sanity checks. If parsing +// according to the more strict DER format is needed, use ParseDERSignature. +func ParseSignature(sigStr []byte) (*Signature, error) { + return parseSig(sigStr, false) +} + +// ParseDERSignature parses a signature in DER format for the curve type +// `curve` into a Signature type. If parsing according to the less strict +// BER format is needed, use ParseSignature. +func ParseDERSignature(sigStr []byte) (*Signature, error) { + return parseSig(sigStr, true) +} + +// SignCompact produces a compact signature of the data in hash with the given +// private key on the given koblitz curve. The isCompressed parameter should +// be used to detail if the given signature should reference a compressed +// public key or not. If successful the bytes of the compact signature will be +// returned in the format: +// <(byte of 27+public key solution)+4 if compressed >< padded bytes for signature R><padded bytes for signature S> +// where the R and S parameters are padde up to the bitlengh of the curve. +func SignCompact(key *btcec.PrivateKey, hash []byte, + isCompressedKey bool) ([]byte, error) { + + return secp_ecdsa.SignCompact(key, hash, isCompressedKey), nil +} + +// RecoverCompact verifies the compact signature "signature" of "hash" for the +// Koblitz curve in "curve". If the signature matches then the recovered public +// key will be returned as well as a boolean if the original key was compressed +// or not, else an error will be returned. +func RecoverCompact(signature, hash []byte) (*btcec.PublicKey, bool, error) { + return secp_ecdsa.RecoverCompact(signature, hash) +} + +// Sign generates an ECDSA signature over the secp256k1 curve for the provided +// hash (which should be the result of hashing a larger message) using the +// given private key. The produced signature is deterministic (same message and +// same key yield the same signature) and canonical in accordance with RFC6979 +// and BIP0062. +func Sign(key *btcec.PrivateKey, hash []byte) *Signature { + return secp_ecdsa.Sign(key, hash) +} diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/error.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/error.go new file mode 100644 index 0000000..df6ec67 --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/error.go @@ -0,0 +1,24 @@ +// Copyright (c) 2013-2021 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers + +package btcec + +import ( + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// Error identifies an error related to public key cryptography using a +// sec256k1 curve. It has full support for errors.Is and errors.As, so the +// caller can ascertain the specific reason for the error by checking the +// underlying error. +type Error = secp.Error + +// ErrorKind identifies a kind of error. It has full support for errors.Is and +// errors.As, so the caller can directly check against an error kind when +// determining the reason for an error. +type ErrorKind = secp.ErrorKind + +// makeError creates an secp.Error given a set of arguments. +func makeError(kind ErrorKind, desc string) Error { + return Error{Err: kind, Description: desc} +} diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/field.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/field.go new file mode 100644 index 0000000..fef6f34 --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/field.go @@ -0,0 +1,43 @@ +package btcec + +import secp "github.com/decred/dcrd/dcrec/secp256k1/v4" + +// FieldVal implements optimized fixed-precision arithmetic over the secp256k1 +// finite field. This means all arithmetic is performed modulo +// '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'. +// +// WARNING: Since it is so important for the field arithmetic to be extremely +// fast for high performance crypto, this type does not perform any validation +// of documented preconditions where it ordinarily would. As a result, it is +// IMPERATIVE for callers to understand some key concepts that are described +// below and ensure the methods are called with the necessary preconditions +// that each method is documented with. For example, some methods only give the +// correct result if the field value is normalized and others require the field +// values involved to have a maximum magnitude and THERE ARE NO EXPLICIT CHECKS +// TO ENSURE THOSE PRECONDITIONS ARE SATISFIED. This does, unfortunately, make +// the type more difficult to use correctly and while I typically prefer to +// ensure all state and input is valid for most code, this is a bit of an +// exception because those extra checks really add up in what ends up being +// critical hot paths. +// +// The first key concept when working with this type is normalization. In order +// to avoid the need to propagate a ton of carries, the internal representation +// provides additional overflow bits for each word of the overall 256-bit +// value. This means that there are multiple internal representations for the +// same value and, as a result, any methods that rely on comparison of the +// value, such as equality and oddness determination, require the caller to +// provide a normalized value. +// +// The second key concept when working with this type is magnitude. As +// previously mentioned, the internal representation provides additional +// overflow bits which means that the more math operations that are performed +// on the field value between normalizations, the more those overflow bits +// accumulate. The magnitude is effectively that maximum possible number of +// those overflow bits that could possibly be required as a result of a given +// operation. Since there are only a limited number of overflow bits available, +// this implies that the max possible magnitude MUST be tracked by the caller +// and the caller MUST normalize the field value if a given operation would +// cause the magnitude of the result to exceed the max allowed value. +// +// IMPORTANT: The max allowed magnitude of a field value is 64. +type FieldVal = secp.FieldVal diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/modnscalar.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/modnscalar.go new file mode 100644 index 0000000..b18b2c1 --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/modnscalar.go @@ -0,0 +1,45 @@ +// Copyright (c) 2013-2021 The btcsuite developers +// Copyright (c) 2015-2021 The Decred developers + +package btcec + +import ( + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// ModNScalar implements optimized 256-bit constant-time fixed-precision +// arithmetic over the secp256k1 group order. This means all arithmetic is +// performed modulo: +// +// 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 +// +// It only implements the arithmetic needed for elliptic curve operations, +// however, the operations that are not implemented can typically be worked +// around if absolutely needed. For example, subtraction can be performed by +// adding the negation. +// +// Should it be absolutely necessary, conversion to the standard library +// math/big.Int can be accomplished by using the Bytes method, slicing the +// resulting fixed-size array, and feeding it to big.Int.SetBytes. However, +// that should typically be avoided when possible as conversion to big.Ints +// requires allocations, is not constant time, and is slower when working modulo +// the group order. +type ModNScalar = secp.ModNScalar + +// NonceRFC6979 generates a nonce deterministically according to RFC 6979 using +// HMAC-SHA256 for the hashing function. It takes a 32-byte hash as an input +// and returns a 32-byte nonce to be used for deterministic signing. The extra +// and version arguments are optional, but allow additional data to be added to +// the input of the HMAC. When provided, the extra data must be 32-bytes and +// version must be 16 bytes or they will be ignored. +// +// Finally, the extraIterations parameter provides a method to produce a stream +// of deterministic nonces to ensure the signing code is able to produce a nonce +// that results in a valid signature in the extremely unlikely event the +// original nonce produced results in an invalid signature (e.g. R == 0). +// Signing code should start with 0 and increment it if necessary. +func NonceRFC6979(privKey []byte, hash []byte, extra []byte, version []byte, + extraIterations uint32) *ModNScalar { + + return secp.NonceRFC6979(privKey, hash, extra, version, extraIterations) +} diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/privkey.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/privkey.go new file mode 100644 index 0000000..4efa806 --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/privkey.go @@ -0,0 +1,37 @@ +// Copyright (c) 2013-2016 The btcsuite developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package btcec + +import ( + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// PrivateKey wraps an ecdsa.PrivateKey as a convenience mainly for signing +// things with the the private key without having to directly import the ecdsa +// package. +type PrivateKey = secp.PrivateKey + +// PrivKeyFromBytes returns a private and public key for `curve' based on the +// private key passed as an argument as a byte slice. +func PrivKeyFromBytes(pk []byte) (*PrivateKey, *PublicKey) { + privKey := secp.PrivKeyFromBytes(pk) + + return privKey, privKey.PubKey() +} + +// NewPrivateKey is a wrapper for ecdsa.GenerateKey that returns a PrivateKey +// instead of the normal ecdsa.PrivateKey. +func NewPrivateKey() (*PrivateKey, error) { + return secp.GeneratePrivateKey() +} + +// PrivKeyFromScalar instantiates a new private key from a scalar encoded as a +// big integer. +func PrivKeyFromScalar(key *ModNScalar) *PrivateKey { + return &PrivateKey{Key: *key} +} + +// PrivKeyBytesLen defines the length in bytes of a serialized private key. +const PrivKeyBytesLen = 32 diff --git a/cli/vendor/github.com/btcsuite/btcd/btcec/v2/pubkey.go b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/pubkey.go new file mode 100644 index 0000000..7968ed0 --- /dev/null +++ b/cli/vendor/github.com/btcsuite/btcd/btcec/v2/pubkey.go @@ -0,0 +1,51 @@ +// Copyright (c) 2013-2014 The btcsuite developers +// Use of this source code is governed by an ISC +// license that can be found in the LICENSE file. + +package btcec + +import ( + secp "github.com/decred/dcrd/dcrec/secp256k1/v4" +) + +// These constants define the lengths of serialized public keys. +const ( + PubKeyBytesLenCompressed = 33 +) + +const ( + pubkeyCompressed byte = 0x2 // y_bit + x coord + pubkeyUncompressed byte = 0x4 // x coord + y coord + pubkeyHybrid byte = 0x6 // y_bit + x coord + y coord +) + +// IsCompressedPubKey returns true the the passed serialized public key has +// been encoded in compressed format, and false otherwise. +func IsCompressedPubKey(pubKey []byte) bool { + // The public key is only compressed if it is the correct length and + // the format (first byte) is one of the compressed pubkey values. + return len(pubKey) == PubKeyBytesLenCompressed && + (pubKey[0]&^byte(0x1) == pubkeyCompressed) +} + +// ParsePubKey parses a public key for a koblitz curve from a bytestring into a +// ecdsa.Publickey, verifying that it is valid. It supports compressed, +// uncompressed and hybrid signature formats. +func ParsePubKey(pubKeyStr []byte) (*PublicKey, error) { + return secp.ParsePubKey(pubKeyStr) +} + +// PublicKey is an ecdsa.PublicKey with additional functions to +// serialize in uncompressed, compressed, and hybrid formats. +type PublicKey = secp.PublicKey + +// NewPublicKey instantiates a new public key with the given x and y +// coordinates. +// +// It should be noted that, unlike ParsePubKey, since this accepts arbitrary x +// and y coordinates, it allows creation of public keys that are not valid +// points on the secp256k1 curve. The IsOnCurve method of the returned instance +// can be used to determine validity. +func NewPublicKey(x, y *FieldVal) *PublicKey { + return secp.NewPublicKey(x, y) +} |