2022-08-19 12:34:07 -04:00
|
|
|
// Copyright (c) 2013-2014 The btcsuite developers
|
2023-06-30 09:41:32 -04:00
|
|
|
// Copyright (c) 2015-2023 The Decred developers
|
2022-08-19 12:34:07 -04:00
|
|
|
// Use of this source code is governed by an ISC
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package secp256k1
|
|
|
|
|
|
|
|
import (
|
2023-06-30 09:41:32 -04:00
|
|
|
cryptorand "crypto/rand"
|
|
|
|
"io"
|
2022-08-19 12:34:07 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
// PrivateKey provides facilities for working with secp256k1 private keys within
|
|
|
|
// this package and includes functionality such as serializing and parsing them
|
|
|
|
// as well as computing their associated public key.
|
|
|
|
type PrivateKey struct {
|
|
|
|
Key ModNScalar
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewPrivateKey instantiates a new private key from a scalar encoded as a
|
|
|
|
// big integer.
|
|
|
|
func NewPrivateKey(key *ModNScalar) *PrivateKey {
|
|
|
|
return &PrivateKey{Key: *key}
|
|
|
|
}
|
|
|
|
|
|
|
|
// PrivKeyFromBytes returns a private based on the provided byte slice which is
|
|
|
|
// interpreted as an unsigned 256-bit big-endian integer in the range [0, N-1],
|
|
|
|
// where N is the order of the curve.
|
|
|
|
//
|
2023-06-30 09:41:32 -04:00
|
|
|
// WARNING: This means passing a slice with more than 32 bytes is truncated and
|
|
|
|
// that truncated value is reduced modulo N. Further, 0 is not a valid private
|
|
|
|
// key. It is up to the caller to provide a value in the appropriate range of
|
|
|
|
// [1, N-1]. Failure to do so will either result in an invalid private key or
|
|
|
|
// potentially weak private keys that have bias that could be exploited.
|
2022-08-19 12:34:07 -04:00
|
|
|
//
|
2023-06-30 09:41:32 -04:00
|
|
|
// This function primarily exists to provide a mechanism for converting
|
|
|
|
// serialized private keys that are already known to be good.
|
|
|
|
//
|
|
|
|
// Typically callers should make use of GeneratePrivateKey or
|
|
|
|
// GeneratePrivateKeyFromRand when creating private keys since they properly
|
|
|
|
// handle generation of appropriate values.
|
2022-08-19 12:34:07 -04:00
|
|
|
func PrivKeyFromBytes(privKeyBytes []byte) *PrivateKey {
|
|
|
|
var privKey PrivateKey
|
|
|
|
privKey.Key.SetByteSlice(privKeyBytes)
|
|
|
|
return &privKey
|
|
|
|
}
|
|
|
|
|
2023-06-30 09:41:32 -04:00
|
|
|
// generatePrivateKey generates and returns a new private key that is suitable
|
|
|
|
// for use with secp256k1 using the provided reader as a source of entropy. The
|
|
|
|
// provided reader must be a source of cryptographically secure randomness to
|
|
|
|
// avoid weak private keys.
|
|
|
|
func generatePrivateKey(rand io.Reader) (*PrivateKey, error) {
|
2022-11-04 09:57:20 -04:00
|
|
|
// The group order is close enough to 2^256 that there is only roughly a 1
|
|
|
|
// in 2^128 chance of generating an invalid private key, so this loop will
|
|
|
|
// virtually never run more than a single iteration in practice.
|
|
|
|
var key PrivateKey
|
|
|
|
var b32 [32]byte
|
|
|
|
for valid := false; !valid; {
|
2023-06-30 09:41:32 -04:00
|
|
|
if _, err := io.ReadFull(rand, b32[:]); err != nil {
|
2022-11-04 09:57:20 -04:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// The private key is only valid when it is in the range [1, N-1], where
|
|
|
|
// N is the order of the curve.
|
|
|
|
overflow := key.Key.SetBytes(&b32)
|
|
|
|
valid = (key.Key.IsZeroBit() | overflow) == 0
|
2022-08-19 12:34:07 -04:00
|
|
|
}
|
2022-11-04 09:57:20 -04:00
|
|
|
zeroArray32(&b32)
|
|
|
|
|
|
|
|
return &key, nil
|
2022-08-19 12:34:07 -04:00
|
|
|
}
|
|
|
|
|
2023-06-30 09:41:32 -04:00
|
|
|
// GeneratePrivateKey generates and returns a new cryptographically secure
|
|
|
|
// private key that is suitable for use with secp256k1.
|
|
|
|
func GeneratePrivateKey() (*PrivateKey, error) {
|
|
|
|
return generatePrivateKey(cryptorand.Reader)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GeneratePrivateKeyFromRand generates a private key that is suitable for use
|
|
|
|
// with secp256k1 using the provided reader as a source of entropy. The
|
|
|
|
// provided reader must be a source of cryptographically secure randomness, such
|
|
|
|
// as [crypto/rand.Reader], to avoid weak private keys.
|
|
|
|
func GeneratePrivateKeyFromRand(rand io.Reader) (*PrivateKey, error) {
|
|
|
|
return generatePrivateKey(rand)
|
|
|
|
}
|
|
|
|
|
2022-08-19 12:34:07 -04:00
|
|
|
// PubKey computes and returns the public key corresponding to this private key.
|
|
|
|
func (p *PrivateKey) PubKey() *PublicKey {
|
|
|
|
var result JacobianPoint
|
|
|
|
ScalarBaseMultNonConst(&p.Key, &result)
|
|
|
|
result.ToAffine()
|
|
|
|
return NewPublicKey(&result.X, &result.Y)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Zero manually clears the memory associated with the private key. This can be
|
|
|
|
// used to explicitly clear key material from memory for enhanced security
|
|
|
|
// against memory scraping.
|
|
|
|
func (p *PrivateKey) Zero() {
|
|
|
|
p.Key.Zero()
|
|
|
|
}
|
|
|
|
|
|
|
|
// PrivKeyBytesLen defines the length in bytes of a serialized private key.
|
|
|
|
const PrivKeyBytesLen = 32
|
|
|
|
|
|
|
|
// Serialize returns the private key as a 256-bit big-endian binary-encoded
|
|
|
|
// number, padded to a length of 32 bytes.
|
|
|
|
func (p PrivateKey) Serialize() []byte {
|
|
|
|
var privKeyBytes [PrivKeyBytesLen]byte
|
|
|
|
p.Key.PutBytes(&privKeyBytes)
|
|
|
|
return privKeyBytes[:]
|
|
|
|
}
|