bool
verifyDigest (PublicKey const& publicKey,
uint256 const& digest,
Slice const& sig,
bool mustBeFullyCanonical)
{
if (publicKeyType(publicKey) != KeyType::secp256k1)
LogicError("sign: secp256k1 required for digest signing");
auto const canonicality = ecdsaCanonicality(sig);
if (! canonicality)
return false;
if (mustBeFullyCanonical &&
(*canonicality != ECDSACanonicality::fullyCanonical))
return false;
secp256k1_pubkey pubkey_imp;
if(secp256k1_ec_pubkey_parse(
secp256k1Context(),
&pubkey_imp,
reinterpret_cast<unsigned char const*>(
publicKey.data()),
publicKey.size()) != 1)
return false;
secp256k1_ecdsa_signature sig_imp;
if(secp256k1_ecdsa_signature_parse_der(
secp256k1Context(),
&sig_imp,
reinterpret_cast<unsigned char const*>(
sig.data()),
sig.size()) != 1)
return false;
if (*canonicality != ECDSACanonicality::fullyCanonical)
{
secp256k1_ecdsa_signature sig_norm;
if(secp256k1_ecdsa_signature_normalize(
secp256k1Context(),
&sig_norm,
&sig_imp) != 1)
return false;
return secp256k1_ecdsa_verify(
secp256k1Context(),
&sig_norm,
reinterpret_cast<unsigned char const*>(
digest.data()),
&pubkey_imp) == 1;
}
return secp256k1_ecdsa_verify(
secp256k1Context(),
&sig_imp,
reinterpret_cast<unsigned char const*>(
digest.data()),
&pubkey_imp) == 1;
}
bool verify_signature(const secp256k1_context* context,
const secp256k1_pubkey point, const hash_digest& hash,
const ec_signature& signature)
{
// Copy to avoid exposing external types.
secp256k1_ecdsa_signature parsed;
std::copy(signature.begin(), signature.end(), std::begin(parsed.data));
// secp256k1_ecdsa_verify rejects non-normalized (low-s) signatures, but
// bitcoin does not have such a limitation, so we always normalize.
secp256k1_ecdsa_signature normal;
secp256k1_ecdsa_signature_normalize(context, &normal, &parsed);
return secp256k1_ecdsa_verify(context, &normal, hash.data(), &point) == 1;
}
bool bp_pubkey_checklowS(const void *sig_, size_t sig_len)
{
secp256k1_ecdsa_signature sig;
secp256k1_context *ctx = get_secp256k1_context();
if (!ctx) {
return false;
}
if (!ecdsa_signature_parse_der_lax(ctx, &sig, sig_, sig_len)) {
return false;
}
return (!secp256k1_ecdsa_signature_normalize(ctx, NULL, &sig));
}
bool bp_verify(const struct bp_key *key, const void *data, size_t data_len,
const void *sig_, size_t sig_len)
{
if (32 != data_len) {
return false;
}
secp256k1_ecdsa_signature sig;
secp256k1_context *ctx = get_secp256k1_context();
if (!ctx) {
return false;
}
if (ecdsa_signature_parse_der_lax(ctx, &sig, sig_, sig_len)) {
secp256k1_ecdsa_signature_normalize(ctx, &sig, &sig);
return secp256k1_ecdsa_verify(ctx, &sig, data, &key->pubkey);
}
return false;
}
bool verify_signature(data_slice point, const hash_digest& hash,
const ec_signature& signature)
{
// Copy to avoid exposing external types.
secp256k1_ecdsa_signature parsed;
std::copy(signature.begin(), signature.end(), std::begin(parsed.data));
// secp256k1_ecdsa_verify rejects non-normalized (low-s) signatures, but
// bitcoin does not have such a limitation, so we always normalize.
secp256k1_ecdsa_signature normal;
const auto context = verification.context();
secp256k1_ecdsa_signature_normalize(context, &normal, &parsed);
// This uses a data slice and calls secp256k1_ec_pubkey_parse() in place of
// parse() so that we can support the der_verify data_chunk optimization.
secp256k1_pubkey pubkey;
const auto size = point.size();
return
secp256k1_ec_pubkey_parse(context, &pubkey, point.data(), size) == 1 &&
secp256k1_ecdsa_verify(context, &normal, hash.data(), &pubkey) == 1;
}
void Sec256SignatureEx::Parse(RCSpan cbuf) {
if (!ecdsa_signature_parse_der_lax(g_sec256Ctx, &m_sig, cbuf.data(), cbuf.size()))
throw CryptoException(make_error_code(ExtErr::Crypto), "Invalid Signature");
secp256k1_ecdsa_signature_normalize(g_sec256Ctx, &m_sig, &m_sig);
}
