strawmelonjuice.com / AT-Zero
Forking what is left of ZeroNet and hopefully adding an AT Proto Frontend/Proxy
fork atom
AT-Zero / src / lib / sslcrypto / _ecc.py
at main 506 lines 19 kB view raw
Ivanq Support compressed keys
0a9a9b5a
1import hashlib 2import struct 3import hmac 4import base58 5 6 7try: 8 hashlib.new("ripemd160") 9except ValueError: 10 # No native implementation 11 from . import _ripemd 12 def ripemd160(*args): 13 return _ripemd.new(*args) 14else: 15 # Use OpenSSL 16 def ripemd160(*args): 17 return hashlib.new("ripemd160", *args) 18 19 20class ECC: 21 # pylint: disable=line-too-long 22 # name: (nid, p, n, a, b, (Gx, Gy)), 23 CURVES = { 24 "secp112r1": ( 25 704, 26 0xDB7C2ABF62E35E668076BEAD208B, 27 0xDB7C2ABF62E35E7628DFAC6561C5, 28 0xDB7C2ABF62E35E668076BEAD2088, 29 0x659EF8BA043916EEDE8911702B22, 30 ( 31 0x09487239995A5EE76B55F9C2F098, 32 0xA89CE5AF8724C0A23E0E0FF77500 33 ) 34 ), 35 "secp112r2": ( 36 705, 37 0xDB7C2ABF62E35E668076BEAD208B, 38 0x36DF0AAFD8B8D7597CA10520D04B, 39 0x6127C24C05F38A0AAAF65C0EF02C, 40 0x51DEF1815DB5ED74FCC34C85D709, 41 ( 42 0x4BA30AB5E892B4E1649DD0928643, 43 0xADCD46F5882E3747DEF36E956E97 44 ) 45 ), 46 "secp128r1": ( 47 706, 48 0xFFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF, 49 0xFFFFFFFE0000000075A30D1B9038A115, 50 0xFFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFC, 51 0xE87579C11079F43DD824993C2CEE5ED3, 52 ( 53 0x161FF7528B899B2D0C28607CA52C5B86, 54 0xCF5AC8395BAFEB13C02DA292DDED7A83 55 ) 56 ), 57 "secp128r2": ( 58 707, 59 0xFFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF, 60 0x3FFFFFFF7FFFFFFFBE0024720613B5A3, 61 0xD6031998D1B3BBFEBF59CC9BBFF9AEE1, 62 0x5EEEFCA380D02919DC2C6558BB6D8A5D, 63 ( 64 0x7B6AA5D85E572983E6FB32A7CDEBC140, 65 0x27B6916A894D3AEE7106FE805FC34B44 66 ) 67 ), 68 "secp160k1": ( 69 708, 70 0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73, 71 0x0100000000000000000001B8FA16DFAB9ACA16B6B3, 72 0, 73 7, 74 ( 75 0x3B4C382CE37AA192A4019E763036F4F5DD4D7EBB, 76 0x938CF935318FDCED6BC28286531733C3F03C4FEE 77 ) 78 ), 79 "secp160r1": ( 80 709, 81 0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF, 82 0x0100000000000000000001F4C8F927AED3CA752257, 83 0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC, 84 0x001C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45, 85 ( 86 0x4A96B5688EF573284664698968C38BB913CBFC82, 87 0x23A628553168947D59DCC912042351377AC5FB32 88 ) 89 ), 90 "secp160r2": ( 91 710, 92 0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73, 93 0x0100000000000000000000351EE786A818F3A1A16B, 94 0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70, 95 0x00B4E134D3FB59EB8BAB57274904664D5AF50388BA, 96 ( 97 0x52DCB034293A117E1F4FF11B30F7199D3144CE6D, 98 0xFEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E 99 ) 100 ), 101 "secp192k1": ( 102 711, 103 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37, 104 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D, 105 0, 106 3, 107 ( 108 0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D, 109 0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D 110 ) 111 ), 112 "prime192v1": ( 113 409, 114 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF, 115 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831, 116 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC, 117 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1, 118 ( 119 0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012, 120 0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811 121 ) 122 ), 123 "secp224k1": ( 124 712, 125 0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D, 126 0x010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7, 127 0, 128 5, 129 ( 130 0xA1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C, 131 0x7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5 132 ) 133 ), 134 "secp224r1": ( 135 713, 136 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001, 137 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D, 138 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE, 139 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4, 140 ( 141 0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21, 142 0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34 143 ) 144 ), 145 "secp256k1": ( 146 714, 147 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F, 148 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141, 149 0, 150 7, 151 ( 152 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 153 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8 154 ) 155 ), 156 "prime256v1": ( 157 715, 158 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF, 159 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551, 160 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC, 161 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B, 162 ( 163 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296, 164 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5 165 ) 166 ), 167 "secp384r1": ( 168 716, 169 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF, 170 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973, 171 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC, 172 0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF, 173 ( 174 0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7, 175 0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F 176 ) 177 ), 178 "secp521r1": ( 179 717, 180 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, 181 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409, 182 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC, 183 0x0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00, 184 ( 185 0x00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66, 186 0x011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650 187 ) 188 ) 189 } 190 # pylint: enable=line-too-long 191 192 def __init__(self, backend, aes): 193 self._backend = backend 194 self._aes = aes 195 196 197 def get_curve(self, name): 198 if name not in self.CURVES: 199 raise ValueError("Unknown curve {}".format(name)) 200 nid, p, n, a, b, g = self.CURVES[name] 201 return EllipticCurve(self._backend(p, n, a, b, g), self._aes, nid) 202 203 204 def get_backend(self): 205 return self._backend.get_backend() 206 207 208class EllipticCurve: 209 def __init__(self, backend, aes, nid): 210 self._backend = backend 211 self._aes = aes 212 self.nid = nid 213 214 215 def _encode_public_key(self, x, y, is_compressed=True, raw=True): 216 if raw: 217 if is_compressed: 218 return bytes([0x02 + (y[-1] % 2)]) + x 219 else: 220 return bytes([0x04]) + x + y 221 else: 222 return struct.pack("!HH", self.nid, len(x)) + x + struct.pack("!H", len(y)) + y 223 224 225 def _decode_public_key(self, public_key, partial=False): 226 if not public_key: 227 raise ValueError("No public key") 228 229 if public_key[0] == 0x04: 230 # Uncompressed 231 expected_length = 1 + 2 * self._backend.public_key_length 232 if partial: 233 if len(public_key) < expected_length: 234 raise ValueError("Invalid uncompressed public key length") 235 else: 236 if len(public_key) != expected_length: 237 raise ValueError("Invalid uncompressed public key length") 238 x = public_key[1:1 + self._backend.public_key_length] 239 y = public_key[1 + self._backend.public_key_length:expected_length] 240 if partial: 241 return (x, y), expected_length 242 else: 243 return x, y 244 elif public_key[0] in (0x02, 0x03): 245 # Compressed 246 expected_length = 1 + self._backend.public_key_length 247 if partial: 248 if len(public_key) < expected_length: 249 raise ValueError("Invalid compressed public key length") 250 else: 251 if len(public_key) != expected_length: 252 raise ValueError("Invalid compressed public key length") 253 254 x, y = self._backend.decompress_point(public_key[:expected_length]) 255 # Sanity check 256 if x != public_key[1:expected_length]: 257 raise ValueError("Incorrect compressed public key") 258 if partial: 259 return (x, y), expected_length 260 else: 261 return x, y 262 else: 263 raise ValueError("Invalid public key prefix") 264 265 266 def _decode_public_key_openssl(self, public_key, partial=False): 267 if not public_key: 268 raise ValueError("No public key") 269 270 i = 0 271 272 nid, = struct.unpack("!H", public_key[i:i + 2]) 273 i += 2 274 if nid != self.nid: 275 raise ValueError("Wrong curve") 276 277 xlen, = struct.unpack("!H", public_key[i:i + 2]) 278 i += 2 279 if len(public_key) - i < xlen: 280 raise ValueError("Too short public key") 281 x = public_key[i:i + xlen] 282 i += xlen 283 284 ylen, = struct.unpack("!H", public_key[i:i + 2]) 285 i += 2 286 if len(public_key) - i < ylen: 287 raise ValueError("Too short public key") 288 y = public_key[i:i + ylen] 289 i += ylen 290 291 if partial: 292 return (x, y), i 293 else: 294 if i < len(public_key): 295 raise ValueError("Too long public key") 296 return x, y 297 298 299 def new_private_key(self, is_compressed=False): 300 return self._backend.new_private_key() + (b"\x01" if is_compressed else b"") 301 302 303 def private_to_public(self, private_key): 304 if len(private_key) == self._backend.public_key_length: 305 is_compressed = False 306 elif len(private_key) == self._backend.public_key_length + 1 and private_key[-1] == 1: 307 is_compressed = True 308 private_key = private_key[:-1] 309 else: 310 raise ValueError("Private key has invalid length") 311 x, y = self._backend.private_to_public(private_key) 312 return self._encode_public_key(x, y, is_compressed=is_compressed) 313 314 315 def private_to_wif(self, private_key): 316 return base58.b58encode_check(b"\x80" + private_key) 317 318 319 def wif_to_private(self, wif): 320 dec = base58.b58decode_check(wif) 321 if dec[0] != 0x80: 322 raise ValueError("Invalid network (expected mainnet)") 323 return dec[1:] 324 325 326 def public_to_address(self, public_key): 327 h = hashlib.sha256(public_key).digest() 328 hash160 = ripemd160(h).digest() 329 return base58.b58encode_check(b"\x00" + hash160) 330 331 332 def private_to_address(self, private_key): 333 # Kinda useless but left for quick migration from pybitcointools 334 return self.public_to_address(self.private_to_public(private_key)) 335 336 337 def derive(self, private_key, public_key): 338 if len(private_key) == self._backend.public_key_length + 1 and private_key[-1] == 1: 339 private_key = private_key[:-1] 340 if len(private_key) != self._backend.public_key_length: 341 raise ValueError("Private key has invalid length") 342 if not isinstance(public_key, tuple): 343 public_key = self._decode_public_key(public_key) 344 return self._backend.ecdh(private_key, public_key) 345 346 347 def _digest(self, data, hash): 348 if hash is None: 349 return data 350 elif callable(hash): 351 return hash(data) 352 elif hash == "sha1": 353 return hashlib.sha1(data).digest() 354 elif hash == "sha256": 355 return hashlib.sha256(data).digest() 356 elif hash == "sha512": 357 return hashlib.sha512(data).digest() 358 else: 359 raise ValueError("Unknown hash/derivation method") 360 361 362 # High-level functions 363 def encrypt(self, data, public_key, algo="aes-256-cbc", derivation="sha256", mac="hmac-sha256", return_aes_key=False): 364 # Generate ephemeral private key 365 private_key = self.new_private_key() 366 367 # Derive key 368 ecdh = self.derive(private_key, public_key) 369 key = self._digest(ecdh, derivation) 370 k_enc_len = self._aes.get_algo_key_length(algo) 371 if len(key) < k_enc_len: 372 raise ValueError("Too short digest") 373 k_enc, k_mac = key[:k_enc_len], key[k_enc_len:] 374 375 # Encrypt 376 ciphertext, iv = self._aes.encrypt(data, k_enc, algo=algo) 377 ephem_public_key = self.private_to_public(private_key) 378 ephem_public_key = self._decode_public_key(ephem_public_key) 379 ephem_public_key = self._encode_public_key(*ephem_public_key, raw=False) 380 ciphertext = iv + ephem_public_key + ciphertext 381 382 # Add MAC tag 383 if callable(mac): 384 tag = mac(k_mac, ciphertext) 385 elif mac == "hmac-sha256": 386 h = hmac.new(k_mac, digestmod="sha256") 387 h.update(ciphertext) 388 tag = h.digest() 389 elif mac == "hmac-sha512": 390 h = hmac.new(k_mac, digestmod="sha512") 391 h.update(ciphertext) 392 tag = h.digest() 393 elif mac is None: 394 tag = b"" 395 else: 396 raise ValueError("Unsupported MAC") 397 398 if return_aes_key: 399 return ciphertext + tag, k_enc 400 else: 401 return ciphertext + tag 402 403 404 def decrypt(self, ciphertext, private_key, algo="aes-256-cbc", derivation="sha256", mac="hmac-sha256"): 405 # Get MAC tag 406 if callable(mac): 407 tag_length = mac.digest_size 408 elif mac == "hmac-sha256": 409 tag_length = hmac.new(b"", digestmod="sha256").digest_size 410 elif mac == "hmac-sha512": 411 tag_length = hmac.new(b"", digestmod="sha512").digest_size 412 elif mac is None: 413 tag_length = 0 414 else: 415 raise ValueError("Unsupported MAC") 416 417 if len(ciphertext) < tag_length: 418 raise ValueError("Ciphertext is too small to contain MAC tag") 419 if tag_length == 0: 420 tag = b"" 421 else: 422 ciphertext, tag = ciphertext[:-tag_length], ciphertext[-tag_length:] 423 424 orig_ciphertext = ciphertext 425 426 if len(ciphertext) < 16: 427 raise ValueError("Ciphertext is too small to contain IV") 428 iv, ciphertext = ciphertext[:16], ciphertext[16:] 429 430 public_key, pos = self._decode_public_key_openssl(ciphertext, partial=True) 431 ciphertext = ciphertext[pos:] 432 433 # Derive key 434 ecdh = self.derive(private_key, public_key) 435 key = self._digest(ecdh, derivation) 436 k_enc_len = self._aes.get_algo_key_length(algo) 437 if len(key) < k_enc_len: 438 raise ValueError("Too short digest") 439 k_enc, k_mac = key[:k_enc_len], key[k_enc_len:] 440 441 # Verify MAC tag 442 if callable(mac): 443 expected_tag = mac(k_mac, orig_ciphertext) 444 elif mac == "hmac-sha256": 445 h = hmac.new(k_mac, digestmod="sha256") 446 h.update(orig_ciphertext) 447 expected_tag = h.digest() 448 elif mac == "hmac-sha512": 449 h = hmac.new(k_mac, digestmod="sha512") 450 h.update(orig_ciphertext) 451 expected_tag = h.digest() 452 elif mac is None: 453 expected_tag = b"" 454 455 if not hmac.compare_digest(tag, expected_tag): 456 raise ValueError("Invalid MAC tag") 457 458 return self._aes.decrypt(ciphertext, iv, k_enc, algo=algo) 459 460 461 def sign(self, data, private_key, hash="sha256", recoverable=False, entropy=None): 462 if len(private_key) == self._backend.public_key_length: 463 is_compressed = False 464 elif len(private_key) == self._backend.public_key_length + 1 and private_key[-1] == 1: 465 is_compressed = True 466 private_key = private_key[:-1] 467 else: 468 raise ValueError("Private key has invalid length") 469 470 data = self._digest(data, hash) 471 if not entropy: 472 v = b"\x01" * len(data) 473 k = b"\x00" * len(data) 474 k = hmac.new(k, v + b"\x00" + private_key + data, "sha256").digest() 475 v = hmac.new(k, v, "sha256").digest() 476 k = hmac.new(k, v + b"\x01" + private_key + data, "sha256").digest() 477 v = hmac.new(k, v, "sha256").digest() 478 entropy = hmac.new(k, v, "sha256").digest() 479 return self._backend.sign(data, private_key, recoverable, is_compressed, entropy=entropy) 480 481 482 def recover(self, signature, data, hash="sha256"): 483 # Sanity check: is this signature recoverable? 484 if len(signature) != 1 + 2 * self._backend.public_key_length: 485 raise ValueError("Cannot recover an unrecoverable signature") 486 x, y = self._backend.recover(signature, self._digest(data, hash)) 487 is_compressed = signature[0] >= 31 488 return self._encode_public_key(x, y, is_compressed=is_compressed) 489 490 491 def verify(self, signature, data, public_key, hash="sha256"): 492 if len(signature) == 1 + 2 * self._backend.public_key_length: 493 # Recoverable signature 494 signature = signature[1:] 495 if len(signature) != 2 * self._backend.public_key_length: 496 raise ValueError("Invalid signature format") 497 if not isinstance(public_key, tuple): 498 public_key = self._decode_public_key(public_key) 499 return self._backend.verify(signature, self._digest(data, hash), public_key) 500 501 502 def derive_child(self, seed, child): 503 # Based on BIP32 504 if not 0 <= child < 2 ** 31: 505 raise ValueError("Invalid child index") 506 return self._backend.derive_child(seed, child)