All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.bitcoinj.crypto.ECKey Maven / Gradle / Ivy

There is a newer version: 0.17-beta1
Show newest version
/*
 * Copyright 2011 Google Inc.
 * Copyright 2014 Andreas Schildbach
 * Copyright 2014-2016 the libsecp256k1 contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.bitcoinj.crypto;

import com.google.common.base.MoreObjects;
import org.bitcoin.NativeSecp256k1;
import org.bitcoin.NativeSecp256k1Util;
import org.bitcoin.Secp256k1Context;
import org.bitcoinj.base.Address;
import org.bitcoinj.base.BitcoinNetwork;
import org.bitcoinj.base.LegacyAddress;
import org.bitcoinj.base.Network;
import org.bitcoinj.base.ScriptType;
import org.bitcoinj.base.SegwitAddress;
import org.bitcoinj.base.Sha256Hash;
import org.bitcoinj.base.internal.TimeUtils;
import org.bitcoinj.base.internal.ByteUtils;
import org.bitcoinj.core.NetworkParameters;
import org.bitcoinj.base.VarInt;
import org.bitcoinj.crypto.internal.CryptoUtils;
import org.bitcoinj.crypto.utils.MessageVerifyUtils;
import org.bitcoinj.wallet.Protos;
import org.bitcoinj.wallet.Wallet;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.BERTags;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequenceGenerator;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.asn1.x9.X9IntegerConverter;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.ec.CustomNamedCurves;
import org.bouncycastle.crypto.generators.ECKeyPairGenerator;
import org.bouncycastle.crypto.params.ECDomainParameters;
import org.bouncycastle.crypto.params.ECKeyGenerationParameters;
import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
import org.bouncycastle.crypto.params.ECPublicKeyParameters;
import org.bouncycastle.crypto.signers.ECDSASigner;
import org.bouncycastle.crypto.signers.HMacDSAKCalculator;
import org.bouncycastle.math.ec.ECAlgorithms;
import org.bouncycastle.math.ec.ECPoint;
import org.bouncycastle.math.ec.FixedPointCombMultiplier;
import org.bouncycastle.math.ec.FixedPointUtil;
import org.bouncycastle.math.ec.custom.sec.SecP256K1Curve;
import org.bouncycastle.util.Properties;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.annotation.Nullable;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.Comparator;
import java.util.Objects;
import java.util.Optional;

import static org.bitcoinj.base.internal.Preconditions.checkArgument;
import static org.bitcoinj.base.internal.Preconditions.checkState;

/**
 * 

Represents an elliptic curve public and (optionally) private key, usable for digital signatures but not encryption. * Creating a new ECKey with the empty constructor will generate a new random keypair. Other static methods can be used * when you already have the public or private parts. If you create a key with only the public part, you can check * signatures but not create them.

* *

ECKey also provides access to Bitcoin Core compatible text message signing, as accessible via the UI or JSON-RPC. * This is slightly different to signing raw bytes - if you want to sign your own data and it won't be exposed as * text to people, you don't want to use this. If in doubt, ask on the mailing list.

* *

The ECDSA algorithm supports key recovery in which a signature plus a couple of discriminator bits can * be reversed to find the public key used to calculate it. This can be convenient when you have a message and a * signature and want to find out who signed it, rather than requiring the user to provide the expected identity.

* *

This class supports a variety of serialization forms. The methods that accept/return byte arrays serialize * private keys as raw byte arrays and public keys using the SEC standard byte encoding for public keys. Signatures * are encoded using ASN.1/DER inside the Bitcoin protocol.

* *

A key can be compressed or uncompressed. This refers to whether the public key is represented * when encoded into bytes as an (x, y) coordinate on the elliptic curve, or whether it's represented as just an X * co-ordinate and an extra byte that carries a sign bit. With the latter form the Y coordinate can be calculated * dynamically, however, because the binary serialization is different the address of a key changes if its * compression status is changed. If you deviate from the defaults it's important to understand this: money sent * to a compressed version of the key will have a different address to the same key in uncompressed form. Whether * a public key is compressed or not is recorded in the SEC binary serialisation format, and preserved in a flag in * this class so round-tripping preserves state. Unless you're working with old software or doing unusual things, you * can usually ignore the compressed/uncompressed distinction.

*/ public class ECKey implements EncryptableItem { private static final Logger log = LoggerFactory.getLogger(ECKey.class); // Note: this can be replaced with Arrays.compareUnsigned(a, b) once we require Java 9 private static final Comparator LEXICOGRAPHICAL_COMPARATOR = ByteUtils.arrayUnsignedComparator(); /** Sorts oldest keys first, newest last. */ public static final Comparator AGE_COMPARATOR = Comparator.comparing(ecKey -> ecKey.creationTime().orElse(Instant.EPOCH)); /** Compares by extracting pub key as a {@code byte[]} and using a lexicographic comparator */ public static final Comparator PUBKEY_COMPARATOR = Comparator.comparing(ECKey::getPubKey, LEXICOGRAPHICAL_COMPARATOR); // The parameters of the secp256k1 curve that Bitcoin uses. private static final X9ECParameters CURVE_PARAMS = CustomNamedCurves.getByName("secp256k1"); /** The parameters of the secp256k1 curve that Bitcoin uses. */ public static final ECDomainParameters CURVE; /** * Equal to CURVE.getN().shiftRight(1), used for canonicalising the S value of a signature. If you aren't * sure what this is about, you can ignore it. */ public static final BigInteger HALF_CURVE_ORDER; private static final SecureRandom secureRandom; static { // Tell Bouncy Castle to precompute data that's needed during secp256k1 calculations. FixedPointUtil.precompute(CURVE_PARAMS.getG()); CURVE = new ECDomainParameters(CURVE_PARAMS.getCurve(), CURVE_PARAMS.getG(), CURVE_PARAMS.getN(), CURVE_PARAMS.getH()); HALF_CURVE_ORDER = CURVE_PARAMS.getN().shiftRight(1); secureRandom = new SecureRandom(); } // The two parts of the key. If "pub" is set but not "priv", we can only verify signatures, not make them. @Nullable protected final BigInteger priv; // A field element. protected final LazyECPoint pub; // Creation time of the key, or null if the key was deserialized from a version that did // not have this field. @Nullable protected Instant creationTime = null; protected KeyCrypter keyCrypter; protected EncryptedData encryptedPrivateKey; private byte[] pubKeyHash; /** * Generates an entirely new keypair. Point compression is used so the resulting public key will be 33 bytes * (32 for the co-ordinate and 1 byte to represent the y bit). */ public ECKey() { this(secureRandom); } /** * Generates an entirely new keypair with the given {@link SecureRandom} object. Point compression is used so the * resulting public key will be 33 bytes (32 for the co-ordinate and 1 byte to represent the y bit). */ public ECKey(SecureRandom secureRandom) { ECKeyPairGenerator generator = new ECKeyPairGenerator(); ECKeyGenerationParameters keygenParams = new ECKeyGenerationParameters(CURVE, secureRandom); generator.init(keygenParams); AsymmetricCipherKeyPair keypair = generator.generateKeyPair(); ECPrivateKeyParameters privParams = (ECPrivateKeyParameters) keypair.getPrivate(); ECPublicKeyParameters pubParams = (ECPublicKeyParameters) keypair.getPublic(); priv = privParams.getD(); pub = new LazyECPoint(pubParams.getQ(), true); creationTime = TimeUtils.currentTime().truncatedTo(ChronoUnit.SECONDS); } protected ECKey(@Nullable BigInteger priv, ECPoint pub, boolean compressed) { this(priv, new LazyECPoint(Objects.requireNonNull(pub), compressed)); } protected ECKey(@Nullable BigInteger priv, LazyECPoint pub) { if (priv != null) { checkArgument(priv.bitLength() <= 32 * 8, () -> "private key exceeds 32 bytes: " + priv.bitLength() + " bits"); // Try and catch buggy callers or bad key imports, etc. Zero and one are special because these are often // used as sentinel values and because scripting languages have a habit of auto-casting true and false to // 1 and 0 or vice-versa. Type confusion bugs could therefore result in private keys with these values. checkArgument(!priv.equals(BigInteger.ZERO)); checkArgument(!priv.equals(BigInteger.ONE)); } this.priv = priv; this.pub = Objects.requireNonNull(pub); } /** * Construct an ECKey from an ASN.1 encoded private key. These are produced by OpenSSL and stored by Bitcoin * Core in its wallet. Note that this is slow because it requires an EC point multiply. */ public static ECKey fromASN1(byte[] asn1privkey) { return extractKeyFromASN1(asn1privkey); } /** * Creates an ECKey given the private key only. The public key is calculated from it (this is slow). The resulting * public key is compressed. */ public static ECKey fromPrivate(BigInteger privKey) { return fromPrivate(privKey, true); } /** * Creates an ECKey given the private key only. The public key is calculated from it (this is slow). * @param compressed Determines whether the resulting ECKey will use a compressed encoding for the public key. */ public static ECKey fromPrivate(BigInteger privKey, boolean compressed) { ECPoint point = publicPointFromPrivate(privKey); return new ECKey(privKey, new LazyECPoint(point, compressed)); } /** * Creates an ECKey given the private key only. The public key is calculated from it (this is slow). The resulting * public key is compressed. */ public static ECKey fromPrivate(byte[] privKeyBytes) { return fromPrivate(ByteUtils.bytesToBigInteger(privKeyBytes)); } /** * Creates an ECKey given the private key only. The public key is calculated from it (this is slow). * @param compressed Determines whether the resulting ECKey will use a compressed encoding for the public key. */ public static ECKey fromPrivate(byte[] privKeyBytes, boolean compressed) { return fromPrivate(ByteUtils.bytesToBigInteger(privKeyBytes), compressed); } /** * Creates an ECKey that simply trusts the caller to ensure that point is really the result of multiplying the * generator point by the private key. This is used to speed things up when you know you have the right values * already. * @param compressed Determines whether the resulting ECKey will use a compressed encoding for the public key. */ public static ECKey fromPrivateAndPrecalculatedPublic(BigInteger priv, ECPoint pub, boolean compressed) { return new ECKey(priv, pub, compressed); } /** * Creates an ECKey that simply trusts the caller to ensure that point is really the result of multiplying the * generator point by the private key. This is used to speed things up when you know you have the right values * already. The compression state of the point will be preserved. */ public static ECKey fromPrivateAndPrecalculatedPublic(byte[] priv, byte[] pub) { Objects.requireNonNull(priv); Objects.requireNonNull(pub); return new ECKey(ByteUtils.bytesToBigInteger(priv), new LazyECPoint(CURVE.getCurve(), pub)); } /** * Creates an ECKey that cannot be used for signing, only verifying signatures, from the given point. * @param compressed Determines whether the resulting ECKey will use a compressed encoding for the public key. */ public static ECKey fromPublicOnly(ECPoint pub, boolean compressed) { return new ECKey(null, pub, compressed); } /** * Creates an ECKey that cannot be used for signing, only verifying signatures, from the given encoded point. * The compression state of pub will be preserved. */ public static ECKey fromPublicOnly(byte[] pub) { return new ECKey(null, new LazyECPoint(CURVE.getCurve(), pub)); } public static ECKey fromPublicOnly(ECKey key) { return fromPublicOnly(key.getPubKeyPoint(), key.isCompressed()); } /** * Returns a copy of this key, but with the public point represented in uncompressed form. Normally you would * never need this: it's for specialised scenarios or when backwards compatibility in encoded form is necessary. */ public ECKey decompress() { if (!pub.isCompressed()) return this; else return new ECKey(priv, new LazyECPoint(pub.get(), false)); } /** * Constructs a key that has an encrypted private component. The given object wraps encrypted bytes and an * initialization vector. Note that the key will not be decrypted during this call: the returned ECKey is * unusable for signing unless a decryption key is supplied. */ public static ECKey fromEncrypted(EncryptedData encryptedPrivateKey, KeyCrypter crypter, byte[] pubKey) { ECKey key = fromPublicOnly(pubKey); key.encryptedPrivateKey = Objects.requireNonNull(encryptedPrivateKey); key.keyCrypter = Objects.requireNonNull(crypter); return key; } /** * Returns true if this key doesn't have unencrypted access to private key bytes. This may be because it was never * given any private key bytes to begin with (a watching key), or because the key is encrypted. You can use * {@link #isEncrypted()} to tell the cases apart. */ public boolean isPubKeyOnly() { return priv == null; } /** * Returns true if this key has unencrypted access to private key bytes. Does the opposite of * {@link #isPubKeyOnly()}. */ public boolean hasPrivKey() { return priv != null; } /** Returns true if this key is watch only, meaning it has a public key but no private key. */ public boolean isWatching() { return isPubKeyOnly() && !isEncrypted(); } /** * Output this ECKey as an ASN.1 encoded private key, as understood by OpenSSL or used by Bitcoin Core * in its wallet storage format. * @throws ECKey.MissingPrivateKeyException if the private key is missing or encrypted. */ public byte[] toASN1() { try { byte[] privKeyBytes = getPrivKeyBytes(); ByteArrayOutputStream baos = new ByteArrayOutputStream(400); // ASN1_SEQUENCE(EC_PRIVATEKEY) = { // ASN1_SIMPLE(EC_PRIVATEKEY, version, LONG), // ASN1_SIMPLE(EC_PRIVATEKEY, privateKey, ASN1_OCTET_STRING), // ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0), // ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1) // } ASN1_SEQUENCE_END(EC_PRIVATEKEY) DERSequenceGenerator seq = new DERSequenceGenerator(baos); seq.addObject(new ASN1Integer(1)); // version seq.addObject(new DEROctetString(privKeyBytes)); seq.addObject(new DERTaggedObject(0, CURVE_PARAMS.toASN1Primitive())); seq.addObject(new DERTaggedObject(1, new DERBitString(getPubKey()))); seq.close(); return baos.toByteArray(); } catch (IOException e) { throw new RuntimeException(e); // Cannot happen, writing to memory stream. } } /** * Returns public key bytes from the given private key. To convert a byte array into a BigInteger, * use {@link ByteUtils#bytesToBigInteger(byte[])} */ public static byte[] publicKeyFromPrivate(BigInteger privKey, boolean compressed) { ECPoint point = publicPointFromPrivate(privKey); return point.getEncoded(compressed); } /** * Returns public key point from the given private key. To convert a byte array into a BigInteger, * use {@link ByteUtils#bytesToBigInteger(byte[])} */ public static ECPoint publicPointFromPrivate(BigInteger privKey) { /* * TODO: FixedPointCombMultiplier currently doesn't support scalars longer than the group order, * but that could change in future versions. */ if (privKey.bitLength() > CURVE.getN().bitLength()) { privKey = privKey.mod(CURVE.getN()); } return new FixedPointCombMultiplier().multiply(CURVE.getG(), privKey); } /** Gets the hash160 form of the public key (as seen in addresses). */ public byte[] getPubKeyHash() { if (pubKeyHash == null) pubKeyHash = CryptoUtils.sha256hash160(this.pub.getEncoded()); return pubKeyHash; } /** * Gets the raw public key value. This appears in transaction scriptSigs. Note that this is not the same * as the pubKeyHash/address. */ public byte[] getPubKey() { return pub.getEncoded(); } /** Gets the public key in the form of an elliptic curve point object from Bouncy Castle. */ public ECPoint getPubKeyPoint() { return pub.get(); } /** * Gets the private key in the form of an integer field element. The public key is derived by performing EC * point addition this number of times (i.e. point multiplying). * * @throws java.lang.IllegalStateException if the private key bytes are not available. */ public BigInteger getPrivKey() { if (priv == null) throw new MissingPrivateKeyException(); return priv; } /** * Returns whether this key is using the compressed form or not. Compressed pubkeys are only 33 bytes, not 64. */ public boolean isCompressed() { return pub.isCompressed(); } public Address toAddress(ScriptType scriptType, Network network) { if (scriptType == ScriptType.P2PKH) { return LegacyAddress.fromPubKeyHash(network, this.getPubKeyHash()); } else if (scriptType == ScriptType.P2WPKH) { checkArgument(this.isCompressed(), () -> "only compressed keys allowed"); return SegwitAddress.fromHash(network, this.getPubKeyHash()); } else { throw new IllegalArgumentException(scriptType.toString()); } } /** * Groups the two components that make up a signature, and provides a way to encode to DER form, which is * how ECDSA signatures are represented when embedded in other data structures in the Bitcoin protocol. The raw * components can be useful for doing further EC maths on them. */ public static class ECDSASignature { /** The two components of the signature. */ public final BigInteger r, s; /** * Constructs a signature with the given components. Does NOT automatically canonicalise the signature. */ public ECDSASignature(BigInteger r, BigInteger s) { this.r = r; this.s = s; } /** * Returns true if the S component is "low", that means it is below {@link ECKey#HALF_CURVE_ORDER}. See BIP62. */ public boolean isCanonical() { return s.compareTo(HALF_CURVE_ORDER) <= 0; } /** * Will automatically adjust the S component to be less than or equal to half the curve order, if necessary. * This is required because for every signature (r,s) the signature (r, -s (mod N)) is a valid signature of * the same message. However, we dislike the ability to modify the bits of a Bitcoin transaction after it's * been signed, as that violates various assumed invariants. Thus in future only one of those forms will be * considered legal and the other will be banned. */ public ECDSASignature toCanonicalised() { if (!isCanonical()) { // The order of the curve is the number of valid points that exist on that curve. If S is in the upper // half of the number of valid points, then bring it back to the lower half. Otherwise, imagine that // N = 10 // s = 8, so (-8 % 10 == 2) thus both (r, 8) and (r, 2) are valid solutions. // 10 - 8 == 2, giving us always the latter solution, which is canonical. return new ECDSASignature(r, CURVE.getN().subtract(s)); } else { return this; } } /** * DER is an international standard for serializing data structures which is widely used in cryptography. * It's somewhat like protocol buffers but less convenient. This method returns a standard DER encoding * of the signature, as recognized by OpenSSL and other libraries. */ public byte[] encodeToDER() { try { return derByteStream().toByteArray(); } catch (IOException e) { throw new RuntimeException(e); // Cannot happen. } } /** * @throws SignatureDecodeException if the signature is unparseable in some way. */ public static ECDSASignature decodeFromDER(byte[] bytes) throws SignatureDecodeException { ASN1InputStream decoder = null; try { // BouncyCastle by default is strict about parsing ASN.1 integers. We relax this check, because some // Bitcoin signatures would not parse. Properties.setThreadOverride("org.bouncycastle.asn1.allow_unsafe_integer", true); decoder = new ASN1InputStream(bytes); final ASN1Primitive seqObj = decoder.readObject(); if (seqObj == null) throw new SignatureDecodeException("Reached past end of ASN.1 stream."); if (!(seqObj instanceof DLSequence)) throw new SignatureDecodeException("Read unexpected class: " + seqObj.getClass().getName()); final DLSequence seq = (DLSequence) seqObj; ASN1Integer r, s; try { r = (ASN1Integer) seq.getObjectAt(0); s = (ASN1Integer) seq.getObjectAt(1); } catch (ClassCastException e) { throw new SignatureDecodeException(e); } // OpenSSL deviates from the DER spec by interpreting these values as unsigned, though they should not be // Thus, we always use the positive versions. See: http://r6.ca/blog/20111119T211504Z.html return new ECDSASignature(r.getPositiveValue(), s.getPositiveValue()); } catch (IOException e) { throw new SignatureDecodeException(e); } finally { if (decoder != null) try { decoder.close(); } catch (IOException x) {} Properties.removeThreadOverride("org.bouncycastle.asn1.allow_unsafe_integer"); } } protected ByteArrayOutputStream derByteStream() throws IOException { // Usually 70-72 bytes. ByteArrayOutputStream bos = new ByteArrayOutputStream(72); DERSequenceGenerator seq = new DERSequenceGenerator(bos); seq.addObject(new ASN1Integer(r)); seq.addObject(new ASN1Integer(s)); seq.close(); return bos; } @Override public boolean equals(Object o) { if (this == o) return true; if (o == null || getClass() != o.getClass()) return false; ECDSASignature other = (ECDSASignature) o; return r.equals(other.r) && s.equals(other.s); } @Override public int hashCode() { return Objects.hash(r, s); } } /** * Signs the given hash and returns the R and S components as BigIntegers. In the Bitcoin protocol, they are * usually encoded using ASN.1 format, so you want {@link ECKey.ECDSASignature#toASN1()} * instead. However sometimes the independent components can be useful, for instance, if you're going to do * further EC maths on them. * @throws KeyCrypterException if this ECKey doesn't have a private part. */ public ECDSASignature sign(Sha256Hash input) throws KeyCrypterException { return sign(input, null); } /** * Signs the given hash and returns the R and S components as BigIntegers. In the Bitcoin protocol, they are * usually encoded using DER format, so you want {@link ECKey.ECDSASignature#encodeToDER()} * instead. However sometimes the independent components can be useful, for instance, if you're doing to do further * EC maths on them. * * @param aesKey The AES key to use for decryption of the private key. If null then no decryption is required. * @throws KeyCrypterException if there's something wrong with aesKey. * @throws ECKey.MissingPrivateKeyException if this key cannot sign because it's pubkey only. */ public ECDSASignature sign(Sha256Hash input, @Nullable AesKey aesKey) throws KeyCrypterException { KeyCrypter crypter = getKeyCrypter(); if (crypter != null) { if (aesKey == null) throw new KeyIsEncryptedException(); return decrypt(aesKey).sign(input); } else { // No decryption of private key required. if (priv == null) throw new MissingPrivateKeyException(); } return doSign(input, priv); } protected ECDSASignature doSign(Sha256Hash input, BigInteger privateKeyForSigning) { if (Secp256k1Context.isEnabled()) { try { byte[] signature = NativeSecp256k1.sign( input.getBytes(), ByteUtils.bigIntegerToBytes(privateKeyForSigning, 32) ); return ECDSASignature.decodeFromDER(signature); } catch (NativeSecp256k1Util.AssertFailException e) { log.error("Caught AssertFailException inside secp256k1", e); throw new RuntimeException(e); } catch (SignatureDecodeException e) { throw new RuntimeException(e); // cannot happen } } Objects.requireNonNull(privateKeyForSigning); ECDSASigner signer = new ECDSASigner(new HMacDSAKCalculator(new SHA256Digest())); ECPrivateKeyParameters privKey = new ECPrivateKeyParameters(privateKeyForSigning, CURVE); signer.init(true, privKey); BigInteger[] components = signer.generateSignature(input.getBytes()); return new ECDSASignature(components[0], components[1]).toCanonicalised(); } /** *

Verifies the given ECDSA signature against the message bytes using the public key bytes.

* *

When using native ECDSA verification, data must be 32 bytes, and no element may be * larger than 520 bytes.

* * @param data Hash of the data to verify. * @param signature ASN.1 encoded signature. * @param pub The public key bytes to use. */ public static boolean verify(byte[] data, ECDSASignature signature, byte[] pub) { if (Secp256k1Context.isEnabled()) { try { return NativeSecp256k1.verify(data, signature.encodeToDER(), pub); } catch (NativeSecp256k1Util.AssertFailException e) { log.error("Caught AssertFailException inside secp256k1", e); return false; } } ECDSASigner signer = new ECDSASigner(); ECPublicKeyParameters params = new ECPublicKeyParameters(CURVE.getCurve().decodePoint(pub), CURVE); signer.init(false, params); try { return signer.verifySignature(data, signature.r, signature.s); } catch (NullPointerException e) { // Bouncy Castle contains a bug that can cause NPEs given specially crafted signatures. Those signatures // are inherently invalid/attack sigs so we just fail them here rather than crash the thread. log.error("Caught NPE inside bouncy castle", e); return false; } } /** * Verifies the given ASN.1 encoded ECDSA signature against a hash using the public key. * * @param data Hash of the data to verify. * @param signature ASN.1 encoded signature. * @param pub The public key bytes to use. * @throws SignatureDecodeException if the signature is unparseable in some way. */ public static boolean verify(byte[] data, byte[] signature, byte[] pub) throws SignatureDecodeException { if (Secp256k1Context.isEnabled()) { try { return NativeSecp256k1.verify(data, signature, pub); } catch (NativeSecp256k1Util.AssertFailException e) { log.error("Caught AssertFailException inside secp256k1", e); return false; } } return verify(data, ECDSASignature.decodeFromDER(signature), pub); } /** * Verifies the given ASN.1 encoded ECDSA signature against a hash using the public key. * * @param hash Hash of the data to verify. * @param signature ASN.1 encoded signature. * @throws SignatureDecodeException if the signature is unparseable in some way. */ public boolean verify(byte[] hash, byte[] signature) throws SignatureDecodeException { return ECKey.verify(hash, signature, getPubKey()); } /** * Verifies the given R/S pair (signature) against a hash using the public key. */ public boolean verify(Sha256Hash sigHash, ECDSASignature signature) { return ECKey.verify(sigHash.getBytes(), signature, getPubKey()); } /** * Verifies the given ASN.1 encoded ECDSA signature against a hash using the public key, and throws an exception * if the signature doesn't match * @throws SignatureDecodeException if the signature is unparseable in some way. * @throws java.security.SignatureException if the signature does not match. */ public void verifyOrThrow(byte[] hash, byte[] signature) throws SignatureDecodeException, SignatureException { if (!verify(hash, signature)) throw new SignatureException(); } /** * Verifies the given R/S pair (signature) against a hash using the public key, and throws an exception * if the signature doesn't match * @throws java.security.SignatureException if the signature does not match. */ public void verifyOrThrow(Sha256Hash sigHash, ECDSASignature signature) throws SignatureException { if (!ECKey.verify(sigHash.getBytes(), signature, getPubKey())) throw new SignatureException(); } /** * Returns true if the given pubkey is canonical, i.e. the correct length taking into account compression. */ public static boolean isPubKeyCanonical(byte[] pubkey) { if (pubkey.length < 33) return false; if (pubkey[0] == 0x04) { // Uncompressed pubkey if (pubkey.length != 65) return false; } else if (pubkey[0] == 0x02 || pubkey[0] == 0x03) { // Compressed pubkey if (pubkey.length != 33) return false; } else return false; return true; } /** * Returns true if the given pubkey is in its compressed form. */ public static boolean isPubKeyCompressed(byte[] encoded) { if (encoded.length == 33 && (encoded[0] == 0x02 || encoded[0] == 0x03)) return true; else if (encoded.length == 65 && encoded[0] == 0x04) return false; else throw new IllegalArgumentException(ByteUtils.formatHex(encoded)); } private static ECKey extractKeyFromASN1(byte[] asn1privkey) { // To understand this code, see the definition of the ASN.1 format for EC private keys in the OpenSSL source // code in ec_asn1.c: // // ASN1_SEQUENCE(EC_PRIVATEKEY) = { // ASN1_SIMPLE(EC_PRIVATEKEY, version, LONG), // ASN1_SIMPLE(EC_PRIVATEKEY, privateKey, ASN1_OCTET_STRING), // ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0), // ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1) // } ASN1_SEQUENCE_END(EC_PRIVATEKEY) // try { ASN1InputStream decoder = new ASN1InputStream(asn1privkey); DLSequence seq = (DLSequence) decoder.readObject(); checkArgument(decoder.readObject() == null, () -> "input contains extra bytes"); decoder.close(); checkArgument(seq.size() == 4, () -> "input does not appear to be an ASN.1 OpenSSL EC private key"); checkArgument(((ASN1Integer) seq.getObjectAt(0)).getValue().equals(BigInteger.ONE), () -> "input is of wrong version"); byte[] privbits = ((ASN1OctetString) seq.getObjectAt(1)).getOctets(); BigInteger privkey = ByteUtils.bytesToBigInteger(privbits); ASN1TaggedObject pubkey = (ASN1TaggedObject) seq.getObjectAt(3); checkArgument(pubkey.getTagNo() == 1, () -> "input has 'publicKey' with bad tag number"); checkArgument(pubkey.getTagClass() == BERTags.CONTEXT_SPECIFIC, () -> "input has 'publicKey' with bad tag class"); byte[] pubbits = ((DERBitString) pubkey.getBaseObject()).getBytes(); checkArgument(pubbits.length == 33 || pubbits.length == 65, () -> "input has 'publicKey' with invalid length"); int encoding = pubbits[0] & 0xFF; // Only allow compressed(2,3) and uncompressed(4), not infinity(0) or hybrid(6,7) checkArgument(encoding >= 2 && encoding <= 4, () -> "input has 'publicKey' with invalid encoding"); // Now sanity check to ensure the pubkey bytes match the privkey. ECKey key = ECKey.fromPrivate(privkey, isPubKeyCompressed(pubbits)); checkArgument (Arrays.equals(key.getPubKey(), pubbits), () -> "public key in ASN.1 structure does not match private key."); return key; } catch (IOException e) { throw new RuntimeException(e); // Cannot happen, reading from memory stream. } } /** * Signs a text message using the standard Bitcoin messaging signing format and returns the signature as a base64 * encoded string. * * @throws IllegalStateException if this ECKey does not have the private part. * @throws KeyCrypterException if this ECKey is encrypted and no AESKey is provided or it does not decrypt the ECKey. * @deprecated use {@link #signMessage(String, ScriptType)} instead and specify the correct script type */ @Deprecated public String signMessage(String message) throws KeyCrypterException { return signMessage(message, null, ScriptType.P2PKH); } /** * Signs a text message using the standard Bitcoin messaging signing format and returns the signature as a base64 * encoded string. * * @throws IllegalStateException if this ECKey does not have the private part. * @throws KeyCrypterException if this ECKey is encrypted and no AESKey is provided or it does not decrypt the ECKey. */ public String signMessage(String message, ScriptType scriptType) throws KeyCrypterException { return signMessage(message, null, scriptType); } /** * Signs a text message using the standard Bitcoin messaging signing format and returns the signature as a base64 * encoded string. * * @throws IllegalStateException if this ECKey does not have the private part. * @throws KeyCrypterException if this ECKey is encrypted and no AESKey is provided or it does not decrypt the ECKey. * @deprecated use {@link #signMessage(String, AesKey, ScriptType)} instead and specify the correct script type */ @Deprecated public String signMessage(String message, @Nullable AesKey aesKey) throws KeyCrypterException { return signMessage(message, aesKey, ScriptType.P2PKH); } /** * Signs a text message using the standard Bitcoin messaging signing format and returns the signature as a base64 * encoded string. * * @throws IllegalArgumentException if uncompressed key is used for Segwit scriptType, or unsupported script type is specified * @throws IllegalStateException if this ECKey does not have the private part. * @throws KeyCrypterException if this ECKey is encrypted and no AESKey is provided or it does not decrypt the ECKey. */ public String signMessage(String message, @Nullable AesKey aesKey, ScriptType scriptType) throws KeyCrypterException { if (!isCompressed() && (scriptType == ScriptType.P2WPKH || scriptType == ScriptType.P2SH)) { throw new IllegalArgumentException("Segwit P2WPKH and P2SH-P2WPKH script types only can be used with compressed keys. See BIP 141."); } byte[] data = formatMessageForSigning(message); Sha256Hash hash = Sha256Hash.twiceOf(data); ECDSASignature sig = sign(hash, aesKey); byte recId = findRecoveryId(hash, sig); // Meaning of header byte ranges: // * 27-30: P2PKH uncompressed, recId 0-3 // * 31-34: P2PKH compressed, recId 0-3 // * 35-38: Segwit P2SH (always compressed), recId 0-3 // * 39-42: Segwit Bech32 (always compressed), recId 0-3 // as defined in https://github.com/bitcoin/bips/blob/master/bip-0137.mediawiki#procedure-for-signingverifying-a-signature int headerByte; switch (scriptType) { case P2PKH: headerByte = recId + 27 + (isCompressed() ? 4 : 0); break; case P2SH: // P2SH-P2WPKH ("legacy-segwit") headerByte = recId + 35; break; case P2WPKH: headerByte = recId + 39; break; default: throw new IllegalArgumentException("Unsupported script type for message signing."); } byte[] sigData = new byte[65]; // 1 header + 32 bytes for R + 32 bytes for S sigData[0] = (byte)headerByte; System.arraycopy(ByteUtils.bigIntegerToBytes(sig.r, 32), 0, sigData, 1, 32); System.arraycopy(ByteUtils.bigIntegerToBytes(sig.s, 32), 0, sigData, 33, 32); return new String(Base64.encode(sigData), StandardCharsets.UTF_8); } /** * Given an arbitrary piece of text and a Bitcoin-format message signature encoded in base64, returns an ECKey * containing the public key that was used to sign it. This can then be compared to the expected public key to * determine if the signature was correct. These sorts of signatures are compatible with the Bitcoin-Qt/bitcoind * format generated by signmessage/verifymessage RPCs and GUI menu options. They are intended for humans to verify * their communications with each other, hence the base64 format and the fact that the input is text. * * @param message Some piece of human readable text. * @param signatureBase64 The Bitcoin-format message signature in base64 * @throws SignatureException If the public key could not be recovered or if there was a signature format error. */ public static ECKey signedMessageToKey(String message, String signatureBase64) throws SignatureException { byte[] signatureEncoded; try { signatureEncoded = Base64.decode(signatureBase64); } catch (RuntimeException e) { // This is what you get back from Bouncy Castle if base64 doesn't decode :( throw new SignatureException("Could not decode base64", e); } // Parse the signature bytes into r/s and the selector value. if (signatureEncoded.length < 65) throw new SignatureException("Signature truncated, expected 65 bytes and got " + signatureEncoded.length); int header = signatureEncoded[0] & 0xFF; // allowed range of valid header byte values as defined in BIP 137: if (header < 27 || header > 42) throw new SignatureException("Header byte out of range: " + header); BigInteger r = ByteUtils.bytesToBigInteger(Arrays.copyOfRange(signatureEncoded, 1, 33)); BigInteger s = ByteUtils.bytesToBigInteger(Arrays.copyOfRange(signatureEncoded, 33, 65)); ECDSASignature sig = new ECDSASignature(r, s); byte[] messageBytes = formatMessageForSigning(message); // Note that the C++ code doesn't actually seem to specify any character encoding. Presumably it's whatever // JSON-SPIRIT hands back. Assume UTF-8 for now. Sha256Hash messageHash = Sha256Hash.twiceOf(messageBytes); boolean compressed = false; // Meaning of header byte ranges: // * 27-30: P2PKH uncompressed, recId 0-3 // * 31-34: P2PKH compressed, recId 0-3 // * 35-38: Segwit P2SH (always compressed), recId 0-3 // * 39-42: Segwit Bech32 (always compressed), recId 0-3 // as defined in https://github.com/bitcoin/bips/blob/master/bip-0137.mediawiki#procedure-for-signingverifying-a-signature // this is a signature created with a Segwit bech32 address if (header >= 39) { header -= 12; compressed = true; // by definition in BIP 141 } // this is a signature created with a Segwit p2sh (p2sh-p2wpkh) address else if (header >= 35) { header -= 8; compressed = true; // by definition in BIP 141 } // this is a signature created with a compressed p2pkh address else if (header >= 31) { compressed = true; header -= 4; } // else: signature created with an uncompressed p2pkh address // As the recovery of a pubkey from an ECDSA signature will recover several possible // public keys, the header byte is used to carry information, which of the possible // keys was the key used to create the signature (see also BIP 137): // header byte: 27 = first key with even y, 28 = first key with odd y, // 29 = second key with even y, 30 = second key with odd y int recId = header - 27; ECKey key = ECKey.recoverFromSignature(recId, sig, messageHash, compressed); if (key == null) throw new SignatureException("Could not recover public key from signature"); return key; } /** * Convenience wrapper around {@link ECKey#signedMessageToKey(String, String)}. If the key derived from the * signature is not the same as this one, throws a SignatureException. * @deprecated Use {@link MessageVerifyUtils#verifyMessage(Address, String, String)} instead, * which works with different address types, which works also with legacy segwit (P2SH-P2WPKH, 3…) * and native segwit addresses (P2WPKH, bc1…). */ @Deprecated public void verifyMessage(String message, String signatureBase64) throws SignatureException { ECKey key = ECKey.signedMessageToKey(message, signatureBase64); if (!key.pub.equals(pub)) throw new SignatureException("Signature did not match for message"); } /** * Returns the recovery ID, a byte with value between 0 and 3, inclusive, that specifies which of 4 possible * curve points was used to sign a message. This value is also referred to as "v". * * @throws RuntimeException if no recovery ID can be found. */ public byte findRecoveryId(Sha256Hash hash, ECDSASignature sig) { byte recId = -1; for (byte i = 0; i < 4; i++) { ECKey k = ECKey.recoverFromSignature(i, sig, hash, isCompressed()); if (k != null && k.pub.equals(pub)) { recId = i; break; } } if (recId == -1) throw new RuntimeException("Could not construct a recoverable key. This should never happen."); return recId; } /** *

Given the components of a signature and a selector value, recover and return the public key * that generated the signature according to the algorithm in SEC1v2 section 4.1.6.

* *

The recId is an index from 0 to 3 which indicates which of the 4 possible keys is the correct one. Because * the key recovery operation yields multiple potential keys, the correct key must either be stored alongside the * signature, or you must be willing to try each recId in turn until you find one that outputs the key you are * expecting.

* *

If this method returns null it means recovery was not possible and recId should be iterated.

* *

Given the above two points, a correct usage of this method is inside a for loop from 0 to 3, and if the * output is null OR a key that is not the one you expect, you try again with the next recId.

* * @param recId Which possible key to recover. * @param sig the R and S components of the signature, wrapped. * @param message Hash of the data that was signed. * @param compressed Whether or not the original pubkey was compressed. * @return An ECKey containing only the public part, or null if recovery wasn't possible. */ @Nullable public static ECKey recoverFromSignature(int recId, ECDSASignature sig, Sha256Hash message, boolean compressed) { checkArgument(recId >= 0, () -> "recId must be positive"); checkArgument(sig.r.signum() >= 0, () -> "r must be positive"); checkArgument(sig.s.signum() >= 0, () -> "s must be positive"); Objects.requireNonNull(message); // see https://www.secg.org/sec1-v2.pdf, section 4.1.6 // 1.0 For j from 0 to h (h == recId here and the loop is outside this function) // 1.1 Let x = r + jn BigInteger n = CURVE.getN(); // Curve order. BigInteger i = BigInteger.valueOf((long) recId / 2); BigInteger x = sig.r.add(i.multiply(n)); // 1.2. Convert the integer x to an octet string X of length mlen using the conversion routine // specified in Section 2.3.7, where mlen = ⌈(log2 p)/8⌉ or mlen = ⌈m/8⌉. // 1.3. Convert the octet string (16 set binary digits)||X to an elliptic curve point R using the // conversion routine specified in Section 2.3.4. If this conversion routine outputs "invalid", then // do another iteration of Step 1. // // More concisely, what these points mean is to use X as a compressed public key. BigInteger prime = SecP256K1Curve.q; if (x.compareTo(prime) >= 0) { // Cannot have point co-ordinates larger than this as everything takes place modulo Q. return null; } // Compressed keys require you to know an extra bit of data about the y-coord as there are two possibilities. // So it's encoded in the recId. ECPoint R = decompressKey(x, (recId & 1) == 1); // 1.4. If nR != point at infinity, then do another iteration of Step 1 (callers responsibility). if (!R.multiply(n).isInfinity()) return null; // 1.5. Compute e from M using Steps 2 and 3 of ECDSA signature verification. BigInteger e = message.toBigInteger(); // 1.6. For k from 1 to 2 do the following. (loop is outside this function via iterating recId) // 1.6.1. Compute a candidate public key as: // Q = mi(r) * (sR - eG) // // Where mi(x) is the modular multiplicative inverse. We transform this into the following: // Q = (mi(r) * s ** R) + (mi(r) * -e ** G) // Where -e is the modular additive inverse of e, that is z such that z + e = 0 (mod n). In the above equation // ** is point multiplication and + is point addition (the EC group operator). // // We can find the additive inverse by subtracting e from zero then taking the mod. For example the additive // inverse of 3 modulo 11 is 8 because 3 + 8 mod 11 = 0, and -3 mod 11 = 8. BigInteger eInv = BigInteger.ZERO.subtract(e).mod(n); BigInteger rInv = sig.r.modInverse(n); BigInteger srInv = rInv.multiply(sig.s).mod(n); BigInteger eInvrInv = rInv.multiply(eInv).mod(n); ECPoint q = ECAlgorithms.sumOfTwoMultiplies(CURVE.getG(), eInvrInv, R, srInv); return ECKey.fromPublicOnly(q, compressed); } /** Decompress a compressed public key (x co-ord and low-bit of y-coord). */ private static ECPoint decompressKey(BigInteger xBN, boolean yBit) { X9IntegerConverter x9 = new X9IntegerConverter(); byte[] compEnc = x9.integerToBytes(xBN, 1 + x9.getByteLength(CURVE.getCurve())); compEnc[0] = (byte)(yBit ? 0x03 : 0x02); return CURVE.getCurve().decodePoint(compEnc); } /** * Returns a 32 byte array containing the private key. * @throws ECKey.MissingPrivateKeyException if the private key bytes are missing/encrypted. */ public byte[] getPrivKeyBytes() { return ByteUtils.bigIntegerToBytes(getPrivKey(), 32); } /** * Exports the private key in the form used by Bitcoin Core's "dumpprivkey" and "importprivkey" commands. Use * the {@link DumpedPrivateKey#toString()} method to get the string. * * @param network The network this key is intended for use on. * @return Private key bytes as a {@link DumpedPrivateKey}. * @throws IllegalStateException if the private key is not available. */ public DumpedPrivateKey getPrivateKeyEncoded(Network network) { return new DumpedPrivateKey(network, getPrivKeyBytes(), isCompressed()); } /** * Exports the private key in the form used by Bitcoin Core's "dumpprivkey" and "importprivkey" commands. Use * the {@link DumpedPrivateKey#toString()} method to get the string. * * @param params The network this key is intended for use on. * @return Private key bytes as a {@link DumpedPrivateKey}. * @throws IllegalStateException if the private key is not available. * @deprecated Use {@link #getPrivateKeyEncoded(Network)} */ @Deprecated public DumpedPrivateKey getPrivateKeyEncoded(NetworkParameters params) { return getPrivateKeyEncoded(params.network()); } /** * Returns the creation time of this key, or empty if the key was deserialized from a version that did not store * that data. */ @Override public Optional creationTime() { return Optional.ofNullable(creationTime); } /** * Sets the creation time of this key. This method can be useful when * you have a raw key you are importing from somewhere else. * @param creationTime creation time of this key */ public void setCreationTime(Instant creationTime) { this.creationTime = Objects.requireNonNull(creationTime); } /** * Clears the creation time of this key. This is mainly used deserialization and cloning. Normally you should not * need to use this, as keys should have proper creation times whenever possible. */ public void clearCreationTime() { this.creationTime = null; } /** @deprecated use {@link #setCreationTime(Instant)} */ @Deprecated public void setCreationTimeSeconds(long creationTimeSecs) { if (creationTimeSecs > 0) setCreationTime(Instant.ofEpochSecond(creationTimeSecs)); else if (creationTimeSecs == 0) clearCreationTime(); else throw new IllegalArgumentException("Cannot set creation time to negative value: " + creationTimeSecs); } /** * Create an encrypted private key with the keyCrypter and the AES key supplied. * This method returns a new encrypted key and leaves the original unchanged. * * @param keyCrypter The keyCrypter that specifies exactly how the encrypted bytes are created. * @param aesKey The KeyParameter with the AES encryption key (usually constructed with keyCrypter#deriveKey and cached as it is slow to create). * @return encryptedKey */ public ECKey encrypt(KeyCrypter keyCrypter, AesKey aesKey) throws KeyCrypterException { Objects.requireNonNull(keyCrypter); final byte[] privKeyBytes = getPrivKeyBytes(); EncryptedData encryptedPrivateKey = keyCrypter.encrypt(privKeyBytes, aesKey); ECKey result = ECKey.fromEncrypted(encryptedPrivateKey, keyCrypter, getPubKey()); if (creationTime != null) result.setCreationTime(creationTime); else result.clearCreationTime(); return result; } /** * Create a decrypted private key with the keyCrypter and AES key supplied. Note that if the aesKey is wrong, this * has some chance of throwing KeyCrypterException due to the corrupted padding that will result, but it can also * just yield a garbage key. * * @param keyCrypter The keyCrypter that specifies exactly how the decrypted bytes are created. * @param aesKey The KeyParameter with the AES encryption key (usually constructed with keyCrypter#deriveKey and cached). */ public ECKey decrypt(KeyCrypter keyCrypter, AesKey aesKey) throws KeyCrypterException { Objects.requireNonNull(keyCrypter); // Check that the keyCrypter matches the one used to encrypt the keys, if set. if (this.keyCrypter != null && !this.keyCrypter.equals(keyCrypter)) throw new KeyCrypterException("The keyCrypter being used to decrypt the key is different to the one that was used to encrypt it"); checkState(encryptedPrivateKey != null, () -> "this key is not encrypted"); byte[] unencryptedPrivateKey = keyCrypter.decrypt(encryptedPrivateKey, aesKey); if (unencryptedPrivateKey.length != 32) throw new KeyCrypterException.InvalidCipherText( "Decrypted key must be 32 bytes long, but is " + unencryptedPrivateKey.length); ECKey key = ECKey.fromPrivate(unencryptedPrivateKey, isCompressed()); if (!Arrays.equals(key.getPubKey(), getPubKey())) throw new KeyCrypterException("Provided AES key is wrong"); if (creationTime != null) key.setCreationTime(creationTime); else key.clearCreationTime(); return key; } /** * Create a decrypted private key with AES key. Note that if the AES key is wrong, this * has some chance of throwing KeyCrypterException due to the corrupted padding that will result, but it can also * just yield a garbage key. * * @param aesKey The KeyParameter with the AES encryption key (usually constructed with keyCrypter#deriveKey and cached). */ public ECKey decrypt(AesKey aesKey) throws KeyCrypterException { final KeyCrypter crypter = getKeyCrypter(); if (crypter == null) throw new KeyCrypterException("No key crypter available"); return decrypt(crypter, aesKey); } /** * Creates decrypted private key if needed. */ public ECKey maybeDecrypt(@Nullable AesKey aesKey) throws KeyCrypterException { return isEncrypted() && aesKey != null ? decrypt(aesKey) : this; } /** *

Check that it is possible to decrypt the key with the keyCrypter and that the original key is returned.

* *

Because it is a critical failure if the private keys cannot be decrypted successfully (resulting of loss of all * bitcoins controlled by the private key) you can use this method to check when you *encrypt* a wallet that * it can definitely be decrypted successfully.

* *

See {@link Wallet#encrypt(KeyCrypter keyCrypter, AesKey aesKey)} for example usage.

* * @return true if the encrypted key can be decrypted back to the original key successfully. */ public static boolean encryptionIsReversible(ECKey originalKey, ECKey encryptedKey, KeyCrypter keyCrypter, AesKey aesKey) { try { ECKey rebornUnencryptedKey = encryptedKey.decrypt(keyCrypter, aesKey); byte[] originalPrivateKeyBytes = originalKey.getPrivKeyBytes(); byte[] rebornKeyBytes = rebornUnencryptedKey.getPrivKeyBytes(); if (!Arrays.equals(originalPrivateKeyBytes, rebornKeyBytes)) { log.error("The check that encryption could be reversed failed for {}", originalKey); return false; } return true; } catch (KeyCrypterException kce) { log.error(kce.getMessage()); return false; } } /** * Indicates whether the private key is encrypted (true) or not (false). * A private key is deemed to be encrypted when there is both a KeyCrypter and the encryptedPrivateKey is non-zero. */ @Override public boolean isEncrypted() { return keyCrypter != null && encryptedPrivateKey != null && encryptedPrivateKey.encryptedBytes.length > 0; } @Nullable @Override public Protos.Wallet.EncryptionType getEncryptionType() { return keyCrypter != null ? keyCrypter.getUnderstoodEncryptionType() : Protos.Wallet.EncryptionType.UNENCRYPTED; } /** * A wrapper for {@link #getPrivKeyBytes()} that returns null if the private key bytes are missing or would have * to be derived (for the HD key case). */ @Override @Nullable public byte[] getSecretBytes() { if (hasPrivKey()) return getPrivKeyBytes(); else return null; } /** An alias for {@link #getEncryptedPrivateKey()} */ @Nullable @Override public EncryptedData getEncryptedData() { return getEncryptedPrivateKey(); } /** * Returns the the encrypted private key bytes and initialisation vector for this ECKey, or null if the ECKey * is not encrypted. */ @Nullable public EncryptedData getEncryptedPrivateKey() { return encryptedPrivateKey; } /** * Returns the KeyCrypter that was used to encrypt to encrypt this ECKey. You need this to decrypt the ECKey. */ @Nullable public KeyCrypter getKeyCrypter() { return keyCrypter; } public static class MissingPrivateKeyException extends RuntimeException { } public static class KeyIsEncryptedException extends MissingPrivateKeyException { } @Override public boolean equals(Object o) { if (this == o) return true; if (o == null || !(o instanceof ECKey)) return false; ECKey other = (ECKey) o; return Objects.equals(this.priv, other.priv) && Objects.equals(this.pub, other.pub) && Objects.equals(this.creationTime, other.creationTime) && Objects.equals(this.keyCrypter, other.keyCrypter) && Objects.equals(this.encryptedPrivateKey, other.encryptedPrivateKey); } @Override public int hashCode() { return pub.hashCode(); } @Override public String toString() { return toString(false, null, BitcoinNetwork.MAINNET); } /** * Produce a string rendering of the ECKey INCLUDING the private key. * Unless you absolutely need the private key it is better for security reasons to just use {@link #toString()}. */ public String toStringWithPrivate(@Nullable AesKey aesKey, Network network) { return toString(true, aesKey, network); } /** * Produce a string rendering of the ECKey INCLUDING the private key. * Unless you absolutely need the private key it is better for security reasons to just use {@link #toString()}. * @deprecated Use {@link #toStringWithPrivate(AesKey, Network)} */ @Deprecated public String toStringWithPrivate(@Nullable AesKey aesKey, NetworkParameters params) { return toStringWithPrivate(aesKey, params.network()); } public String getPrivateKeyAsHex() { return ByteUtils.formatHex(getPrivKeyBytes()); } public String getPublicKeyAsHex() { return ByteUtils.formatHex(pub.getEncoded()); } public String getPrivateKeyAsWiF(Network network) { return getPrivateKeyEncoded(network).toString(); } /** * @deprecated Use {@link #getPrivateKeyEncoded(Network)} */ @Deprecated public String getPrivateKeyAsWiF(NetworkParameters params) { return getPrivateKeyAsWiF(params.network()); } private String toString(boolean includePrivate, @Nullable AesKey aesKey, Network network) { final MoreObjects.ToStringHelper helper = MoreObjects.toStringHelper(this).omitNullValues(); helper.add("pub HEX", getPublicKeyAsHex()); if (includePrivate) { ECKey decryptedKey = isEncrypted() ? decrypt(Objects.requireNonNull(aesKey)) : this; try { helper.add("priv HEX", decryptedKey.getPrivateKeyAsHex()); helper.add("priv WIF", decryptedKey.getPrivateKeyAsWiF(network)); } catch (IllegalStateException e) { // TODO: Make hasPrivKey() work for deterministic keys and fix this. } catch (Exception e) { final String message = e.getMessage(); helper.add("priv EXCEPTION", e.getClass().getName() + (message != null ? ": " + message : "")); } } if (creationTime != null) helper.add("creationTime", creationTime); helper.add("keyCrypter", keyCrypter); if (includePrivate) helper.add("encryptedPrivateKey", encryptedPrivateKey); helper.add("isEncrypted", isEncrypted()); helper.add("isPubKeyOnly", isPubKeyOnly()); return helper.toString(); } /** * @deprecated Use {@link #toString(boolean, AesKey, Network)} */ @Deprecated private String toString(boolean includePrivate, @Nullable AesKey aesKey, @Nullable NetworkParameters params) { Network network = (params != null) ? params.network() : BitcoinNetwork.MAINNET; return toString(includePrivate, aesKey, network); } public void formatKeyWithAddress(boolean includePrivateKeys, @Nullable AesKey aesKey, StringBuilder builder, Network network, ScriptType outputScriptType, @Nullable String comment) { builder.append(" addr:"); if (outputScriptType != null) { builder.append(toAddress(outputScriptType, network)); } else { builder.append(toAddress(ScriptType.P2PKH, network)); if (isCompressed()) builder.append(',').append(toAddress(ScriptType.P2WPKH, network)); } if (!isCompressed()) builder.append(" UNCOMPRESSED"); builder.append(" hash160:"); builder.append(ByteUtils.formatHex(getPubKeyHash())); if (creationTime != null) builder.append(" creationTime:").append(creationTime).append(" [") .append(TimeUtils.dateTimeFormat(creationTime)).append("]"); if (comment != null) builder.append(" (").append(comment).append(")"); builder.append("\n"); if (includePrivateKeys) { builder.append(" "); builder.append(toStringWithPrivate(aesKey, network)); builder.append("\n"); } } /** * @deprecated Use {@link #formatKeyWithAddress(boolean, AesKey, StringBuilder, Network, ScriptType, String)} */ @Deprecated public void formatKeyWithAddress(boolean includePrivateKeys, @Nullable AesKey aesKey, StringBuilder builder, NetworkParameters params, ScriptType outputScriptType, @Nullable String comment) { formatKeyWithAddress(includePrivateKeys, aesKey, builder, params.network(), outputScriptType, comment); } /** The string that prefixes all text messages signed using Bitcoin keys. */ private static final String BITCOIN_SIGNED_MESSAGE_HEADER = "Bitcoin Signed Message:\n"; private static final byte[] BITCOIN_SIGNED_MESSAGE_HEADER_BYTES = BITCOIN_SIGNED_MESSAGE_HEADER.getBytes(StandardCharsets.UTF_8); /** *

Given a textual message, returns a byte buffer formatted as follows:

*

{@code [24] "Bitcoin Signed Message:\n" [message.length as a varint] message}

*/ private static byte[] formatMessageForSigning(String message) { try { ByteArrayOutputStream bos = new ByteArrayOutputStream(); bos.write(BITCOIN_SIGNED_MESSAGE_HEADER_BYTES.length); bos.write(BITCOIN_SIGNED_MESSAGE_HEADER_BYTES); byte[] messageBytes = message.getBytes(StandardCharsets.UTF_8); VarInt size = VarInt.of(messageBytes.length); bos.write(size.encode()); bos.write(messageBytes); return bos.toByteArray(); } catch (IOException e) { throw new RuntimeException(e); // Cannot happen. } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy