add missing methods for secp256k1

crypto/keys/multisig.go

@@ -71,19 +71,25 @@ var _ crypto.PubKey = PubKeyMultisigThreshold{}
 
 // NewPubKeyMultisigThreshold returns a new PubKeyMultisigThreshold.
 // Panics if len(pubkeys) < k or 0 >= k.
-func NewPubKeyMultisigThreshold(k int32, pubkeys []*crypto.PubKey) crypto.PubKey {
+func NewPubKeyMultisigThreshold(k int32, pubkeys []crypto.PubKey) crypto.PubKey {
 	if k <= 0 {
 		panic("threshold k of n multisignature: k <= 0")
 	}
 	if len(pubkeys) < int(k) {
 		panic("threshold k of n multisignature: len(pubkeys) < k")
 	}
-	for _, pubkey := range pubkeys {
+
+	pks := make([]*PubKey, len(pubkeys))
+	for i, pubkey := range pubkeys {
 		if pubkey == nil {
-			panic("nil pubkey")
+			panic(fmt.Errorf("pubkey at index %d cannot be nil", i))
+		}
+		if err := pks[i].SetPubKey(pubkey); err != nil {
+			panic(fmt.Errorf("couldn't set pubkey at index %d: %w", i, err))
 		}
 	}
-	return PubKeyMultisigThreshold{K: uint32(k), PubKeys: pubkeys}
+
+	return PubKeyMultisigThreshold{K: uint32(k), PubKeys: pks}
 }
 
 // VerifyBytes expects sig to be an amino encoded version of a MultiSignature.

crypto/keys/secp256k1.go

@@ -5,8 +5,10 @@ import (
 	"crypto/sha256"
 	"crypto/subtle"
 	"fmt"
+	"math/big"
 
-	secp256k1 "github.com/btcsuite/btcd/btcec"
+	"github.com/btcsuite/btcd/btcec"
+	"github.com/ethereum/go-ethereum/crypto/secp256k1"
 	"golang.org/x/crypto/ripemd160" // nolint: staticcheck // necessary for Bitcoin address format
 
 	"github.com/tendermint/tendermint/crypto"
@@ -30,6 +32,12 @@ const (
 	PrivKeySecp256k1Size = 32
 )
 
+// used to reject malleable signatures
+// see:
+//  - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93
+//  - https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/crypto.go#L39
+var secp256k1halfN = new(big.Int).Rsh(btcec.S256().N, 1)
+
 // Address returns a Bitcoin style addresses: RIPEMD160(SHA256(pubkey))
 func (pubKey PubKeySecp256K1) Address() crypto.Address {
 	hasherSHA256 := sha256.New()
@@ -61,10 +69,43 @@ func (pubKey PubKeySecp256K1) String() string {
 }
 
 func (pubKey PubKeySecp256K1) Equals(other crypto.PubKey) bool {
-	if otherSecp, ok := other.(PubKeySecp256K1); ok {
-		return bytes.Equal(pubKey.bytes, otherSecp.bytes)
+	otherSecp, ok := other.(PubKeySecp256K1)
+	if !ok {
+		return false
+	}
+	return bytes.Equal(pubKey.bytes, otherSecp.bytes)
+}
+
+// Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg.
+// The returned signature will be of the form R || S (in lower-S form).
+func (privKey PubKeySecp256K1) Sign(msg []byte) ([]byte, error) {
+	priv, _ := btcec.PrivKeyFromBytes(btcec.S256(), privKey.Bytes())
+	sig, err := priv.Sign(crypto.Sha256(msg))
+	if err != nil {
+		return nil, err
+	}
+	sigBytes := serializeSig(sig)
+	return sigBytes, nil
+}
+
+// VerifyBytes verifies a signature of the form R || S.
+// It rejects signatures which are not in lower-S form.
+func (pubKey PubKeySecp256K1) VerifyBytes(msg []byte, sigStr []byte) bool {
+	if len(sigStr) != 64 {
+		return false
+	}
+	pub, err := btcec.ParsePubKey(pubKey.Bytes(), btcec.S256())
+	if err != nil {
+		return false
+	}
+	// parse the signature:
+	signature := signatureFromBytes(sigStr)
+	// Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.
+	// see: https://github.com/ethereum/go-ethereum/blob/f9401ae011ddf7f8d2d95020b7446c17f8d98dc1/crypto/signature_nocgo.go#L90-L93
+	if signature.S.Cmp(secp256k1halfN) > 0 {
+		return false
 	}
-	return false
+	return signature.Verify(crypto.Sha256(msg), pub)
 }
 
 //-------------------------------------
@@ -80,7 +121,7 @@ func (privKey PrivKeySecp256K1) Bytes() []byte {
 // PubKey performs the point-scalar multiplication from the privKey on the
 // generator point to get the pubkey.
 func (privKey PrivKeySecp256K1) PubKey() crypto.PubKey {
-	_, pubkeyObject := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey.Bytes()[:])
+	_, pubkeyObject := btcec.PrivKeyFromBytes(secp256k1.S256(), privKey.Bytes()[:])
 	var pubkeyBytes []byte
 	copy(pubkeyBytes, pubkeyObject.SerializeCompressed())
 	return PubKeySecp256K1{bytes: pubkeyBytes}
@@ -89,8 +130,48 @@ func (privKey PrivKeySecp256K1) PubKey() crypto.PubKey {
 // Equals - you probably don't need to use this.
 // Runs in constant time based on length of the keys.
 func (privKey PrivKeySecp256K1) Equals(other crypto.PrivKey) bool {
-	if otherSecp, ok := other.(PrivKeySecp256K1); ok {
-		return subtle.ConstantTimeCompare(privKey.bytes, otherSecp.bytes) == 1
+	otherSecp, ok := other.(PrivKeySecp256K1)
+	if !ok {
+		return false
 	}
-	return false
+	return subtle.ConstantTimeCompare(privKey.bytes, otherSecp.bytes) == 1
+}
+
+// Sign creates an ECDSA signature on curve Secp256k1, using SHA256 on the msg.
+func (privKey PrivKeySecp256K1) Sign(msg []byte) ([]byte, error) {
+	rsv, err := secp256k1.Sign(crypto.Sha256(msg), privKey.Bytes())
+	if err != nil {
+		return nil, err
+	}
+	// we do not need v  in r||s||v:
+	rs := rsv[:len(rsv)-1]
+	return rs, nil
+}
+
+func (pubKey PrivKeySecp256K1) VerifyBytes(msg []byte, sig []byte) bool {
+	return secp256k1.VerifySignature(pubKey.Bytes(), crypto.Sha256(msg), sig)
+}
+
+//-------------------------------------
+// utils
+
+// Read signature struct from R || S.
+// CONTRACT: Caller needs to ensure that len(sigStr) == 64.
+func signatureFromBytes(sigStr []byte) *btcec.Signature {
+	return &btcec.Signature{
+		R: new(big.Int).SetBytes(sigStr[:32]),
+		S: new(big.Int).SetBytes(sigStr[32:64]),
+	}
+}
+
+// Serialize signature to R || S.
+// R, S are padded to 32 bytes respectively.
+func serializeSig(sig *btcec.Signature) []byte {
+	rBytes := sig.R.Bytes()
+	sBytes := sig.S.Bytes()
+	sigBytes := make([]byte, 64)
+	// 0 pad the byte arrays from the left if they aren't big enough.
+	copy(sigBytes[32-len(rBytes):32], rBytes)
+	copy(sigBytes[64-len(sBytes):64], sBytes)
+	return sigBytes
 }

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/btcsuite/btcutil v0.0.0-20180706230648-ab6388e0c60a
 	github.com/cosmos/go-bip39 v0.0.0-20180819234021-555e2067c45d
 	github.com/cosmos/ledger-cosmos-go v0.11.1
+	github.com/ethereum/go-ethereum v1.9.12
 	github.com/gibson042/canonicaljson-go v1.0.3
 	github.com/gogo/protobuf v1.3.1
 	github.com/golang/mock v1.4.3
@@ -33,7 +34,7 @@ require (
 	github.com/tendermint/iavl v0.13.2
 	github.com/tendermint/tendermint v0.33.2
 	github.com/tendermint/tm-db v0.5.0
-	golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413
+	golang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4
 	google.golang.org/protobuf v1.20.1 // indirect
 	gopkg.in/yaml.v2 v2.2.8
 )