public DHPrivateKeyParameters(
BigInteger x,
DHParameters parameters)
: base(true, parameters)
{
this.x = x;
}
static ECKey()
{
_Secp256k1 = NBitcoin.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp256k1");
CURVE = new ECDomainParameters(_Secp256k1.Curve, _Secp256k1.G, _Secp256k1.N, _Secp256k1.H);
HALF_CURVE_ORDER = _Secp256k1.N.ShiftRight(1);
CURVE_ORDER = _Secp256k1.N;
}
public ECDomainParameters(
ECCurve curve,
ECPoint g,
BigInteger n)
: this(curve, g, n, BigInteger.One)
{
}
static ECKey()
{
X9ECParameters @params = CreateCurve();
CURVE = new ECDomainParameters(@params.Curve, @params.G, @params.N, @params.H);
HALF_CURVE_ORDER = @params.N.ShiftRight(1);
CURVE_ORDER = @params.N;
}
static ECKey()
{
_Secp256k1 = CustomNamedCurves.Secp256k1;
CURVE = new ECDomainParameters(_Secp256k1.Curve, _Secp256k1.G, _Secp256k1.N, _Secp256k1.H);
HALF_CURVE_ORDER = _Secp256k1.N.ShiftRight(1);
CURVE_ORDER = _Secp256k1.N;
}
public ElGamalParameter(
BigInteger p,
BigInteger g)
{
this.p = new DerInteger(p);
this.g = new DerInteger(g);
}
/**
* Return a random BigInteger not less than 'min' and not greater than 'max'
*
* @param min the least value that may be generated
* @param max the greatest value that may be generated
* @param random the source of randomness
* @return a random BigInteger value in the range [min,max]
*/
public static BigInteger CreateRandomInRange(
BigInteger min,
BigInteger max,
// TODO Should have been just Random class
SecureRandom random)
{
int cmp = min.CompareTo(max);
if(cmp >= 0)
{
if(cmp > 0)
throw new ArgumentException("'min' may not be greater than 'max'");
return min;
}
if(min.BitLength > max.BitLength / 2)
{
return CreateRandomInRange(BigInteger.Zero, max.Subtract(min), random).Add(min);
}
for(int i = 0; i < MaxIterations; ++i)
{
BigInteger x = new BigInteger(max.BitLength, random);
if(x.CompareTo(min) >= 0 && x.CompareTo(max) <= 0)
{
return x;
}
}
// fall back to a faster (restricted) method
return new BigInteger(max.Subtract(min).BitLength - 1, random).Add(min);
}
/**
* generate a signature for the given message using the key we were
* initialised with. For conventional Gost3410 the message should be a Gost3411
* hash of the message of interest.
*
* @param message the message that will be verified later.
*/
public BigInteger[] GenerateSignature(
byte[] message)
{
byte[] mRev = new byte[message.Length]; // conversion is little-endian
for (int i = 0; i != mRev.Length; i++)
{
mRev[i] = message[mRev.Length - 1 - i];
}
BigInteger m = new BigInteger(1, mRev);
Gost3410Parameters parameters = key.Parameters;
BigInteger k;
do
{
k = new BigInteger(parameters.Q.BitLength, random);
}
while (k.CompareTo(parameters.Q) >= 0);
BigInteger r = parameters.A.ModPow(k, parameters.P).Mod(parameters.Q);
BigInteger s = k.Multiply(m).
Add(((Gost3410PrivateKeyParameters)key).X.Multiply(r)).
Mod(parameters.Q);
return new BigInteger[]{ r, s };
}
public IssuerAndSerialNumber(
X509Name name,
BigInteger serialNumber)
{
this.name = name;
this.serialNumber = new DerInteger(serialNumber);
}
public DsaParameters(
BigInteger p,
BigInteger q,
BigInteger g)
: this(p, q, g, null)
{
}
public X9ECParameters(
ECCurve curve,
ECPoint g,
BigInteger n)
: this(curve, g, n, BigInteger.One, null)
{
}
public Gost3410Parameters(
BigInteger p,
BigInteger q,
BigInteger a)
: this(p, q, a, null)
{
}
static ECKey()
{
_Secp256k1 = NBitcoin.BouncyCastle.Crypto.EC.CustomNamedCurves.Secp256k1;
CURVE = new ECDomainParameters(_Secp256k1.Curve, _Secp256k1.G, _Secp256k1.N, _Secp256k1.H);
HALF_CURVE_ORDER = _Secp256k1.N.ShiftRight(1);
CURVE_ORDER = _Secp256k1.N;
}
public RsaPrivateCrtKeyParameters(
BigInteger modulus,
BigInteger publicExponent,
BigInteger privateExponent,
BigInteger p,
BigInteger q,
BigInteger dP,
BigInteger dQ,
BigInteger qInv)
: base(true, modulus, privateExponent)
{
ValidateValue(publicExponent, "publicExponent", "exponent");
ValidateValue(p, "p", "P value");
ValidateValue(q, "q", "Q value");
ValidateValue(dP, "dP", "DP value");
ValidateValue(dQ, "dQ", "DQ value");
ValidateValue(qInv, "qInv", "InverseQ value");
this.e = publicExponent;
this.p = p;
this.q = q;
this.dP = dP;
this.dQ = dQ;
this.qInv = qInv;
}
public DHParameters(
BigInteger p,
BigInteger g,
BigInteger q)
: this(p, g, q, 0)
{
}
/**
* @param privateKey
*/
public NaccacheSternKeyParameters(bool privateKey, BigInteger g, BigInteger n, int lowerSigmaBound)
: base(privateKey)
{
this.g = g;
this.n = n;
this.lowerSigmaBound = lowerSigmaBound;
}
public ECDomainParameters(
ECCurve curve,
ECPoint g,
BigInteger n,
BigInteger h)
: this(curve, g, n, h, null)
{
}
public DHParameters(
BigInteger p,
BigInteger g,
BigInteger q,
int l)
: this(p, g, q, GetDefaultMParam(l), l, null, null)
{
}
public X9ECParameters(
ECCurve curve,
X9ECPoint g,
BigInteger n,
BigInteger h)
: this(curve, g, n, h, null)
{
}
public DerInteger(
BigInteger value)
{
if (value == null)
throw new ArgumentNullException("value");
bytes = value.ToByteArray();
}
private static ECPoint DecompressKey(NBitcoin.BouncyCastle.Math.BigInteger xBN, bool yBit)
{
var curve = ECKey.Secp256k1.Curve;
byte[] compEnc = X9IntegerConverter.IntegerToBytes(xBN, 1 + X9IntegerConverter.GetByteLength(curve));
compEnc[0] = (byte)(yBit ? 0x03 : 0x02);
return(curve.DecodePoint(compEnc));
}
public DHPrivateKeyParameters(
BigInteger x,
DHParameters parameters,
DerObjectIdentifier algorithmOid)
: base(true, parameters, algorithmOid)
{
this.x = x;
}
public X9ECParameters(
ECCurve curve,
ECPoint g,
BigInteger n,
BigInteger h,
byte[] seed)
: this(curve, new X9ECPoint(g), n, h, seed)
{
}
private static BigInteger[] ConstructBigPrimeProducts(int[] primeProducts)
{
BigInteger[] bpp = new BigInteger[primeProducts.Length];
for (int i = 0; i < bpp.Length; ++i)
{
bpp[i] = BigInteger.ValueOf(primeProducts[i]);
}
return bpp;
}
public DsaParameter(
BigInteger p,
BigInteger q,
BigInteger g)
{
this.p = new DerInteger(p);
this.q = new DerInteger(q);
this.g = new DerInteger(g);
}
public MacData(
DigestInfo digInfo,
byte[] salt,
int iterationCount)
{
this.digInfo = digInfo;
this.salt = (byte[]) salt.Clone();
this.iterationCount = BigInteger.ValueOf(iterationCount);
}
public DHParameters(
BigInteger p,
BigInteger g,
BigInteger q,
BigInteger j,
DHValidationParameters validation)
: this(p, g, q, DefaultMinimumLength, 0, j, validation)
{
}
public DHParameters(
BigInteger p,
BigInteger g,
BigInteger q,
int m,
int l)
: this(p, g, q, m, l, null, null)
{
}
public ElGamalPublicKeyParameters(
BigInteger y,
ElGamalParameters parameters)
: base(false, parameters)
{
if (y == null)
throw new ArgumentNullException("y");
this.y = y;
}
public ElGamalPrivateKeyParameters(
BigInteger x,
ElGamalParameters parameters)
: base(true, parameters)
{
if (x == null)
throw new ArgumentNullException("x");
this.x = x;
}
/**
* calculate our initial message.
*/
public BigInteger CalculateMessage()
{
DHKeyPairGenerator dhGen = new DHKeyPairGenerator();
dhGen.Init(new DHKeyGenerationParameters(random, dhParams));
AsymmetricCipherKeyPair dhPair = dhGen.GenerateKeyPair();
this.privateValue = ((DHPrivateKeyParameters)dhPair.Private).X;
return ((DHPublicKeyParameters)dhPair.Public).Y;
}
internal static Array BigIntegerToBytes(NBitcoin.BouncyCastle.Math.BigInteger b, int numBytes)
{
if (b == null)
{
return(null);
}
byte[] bytes = new byte[numBytes];
byte[] biBytes = b.ToByteArray();
int start = (biBytes.Length == numBytes + 1) ? 1 : 0;
int length = Math.Min(biBytes.Length, numBytes);
Array.Copy(biBytes, start, bytes, numBytes - length, length);
return(bytes);
}
public static ECKey RecoverFromSignature(int recId, ECDSASignature sig, uint256 message, bool compressed)
{
if (recId < 0)
{
throw new ArgumentException("recId should be positive");
}
#pragma warning disable 618
if (sig.R.SignValue < 0)
{
throw new ArgumentException("r should be positive");
}
if (sig.S.SignValue < 0)
{
throw new ArgumentException("s should be positive");
}
#pragma warning restore 618
if (message == null)
{
throw new ArgumentNullException(nameof(message));
}
var curve = ECKey.Secp256k1;
// 1.0 For j from 0 to h (h == recId here and the loop is outside this function)
// 1.1 Let x = r + jn
var n = curve.N;
var i = NBitcoin.BouncyCastle.Math.BigInteger.ValueOf((long)recId / 2);
#pragma warning disable 618
var x = sig.R.Add(i.Multiply(n));
#pragma warning restore 618
// 1.2. Convert the integer x to an octet string X of length mlen using the conversion routine
// specified in Section 2.3.7, where mlen = ⌈(log2 p)/8⌉ or mlen = ⌈m/8⌉.
// 1.3. Convert the octet string (16 set binary digits)||X to an elliptic curve point R using the
// conversion routine specified in Section 2.3.4. If this conversion routine outputs “invalid”, then
// do another iteration of Step 1.
//
// More concisely, what these points mean is to use X as a compressed public key.
var prime = ((SecP256K1Curve)curve.Curve).QQ;
if (x.CompareTo(prime) >= 0)
{
return(null);
}
// Compressed keys require you to know an extra bit of data about the y-coord as there are two possibilities.
// So it's encoded in the recId.
ECPoint R = DecompressKey(x, (recId & 1) == 1);
// 1.4. If nR != point at infinity, then do another iteration of Step 1 (callers responsibility).
if (!R.Multiply(n).IsInfinity)
{
return(null);
}
// 1.5. Compute e from M using Steps 2 and 3 of ECDSA signature verification.
var e = new NBitcoin.BouncyCastle.Math.BigInteger(1, message.ToBytes());
// 1.6. For k from 1 to 2 do the following. (loop is outside this function via iterating recId)
// 1.6.1. Compute a candidate public key as:
// Q = mi(r) * (sR - eG)
//
// Where mi(x) is the modular multiplicative inverse. We transform this into the following:
// Q = (mi(r) * s ** R) + (mi(r) * -e ** G)
// Where -e is the modular additive inverse of e, that is z such that z + e = 0 (mod n). In the above equation
// ** is point multiplication and + is point addition (the EC group operator).
//
// We can find the additive inverse by subtracting e from zero then taking the mod. For example the additive
// inverse of 3 modulo 11 is 8 because 3 + 8 mod 11 = 0, and -3 mod 11 = 8.
var eInv = NBitcoin.BouncyCastle.Math.BigInteger.Zero.Subtract(e).Mod(n);
#pragma warning disable 618
var rInv = sig.R.ModInverse(n);
var srInv = rInv.Multiply(sig.S).Mod(n);
#pragma warning restore 618
var eInvrInv = rInv.Multiply(eInv).Mod(n);
ECPoint q = ECAlgorithms.SumOfTwoMultiplies(curve.G, eInvrInv, R, srInv);
q = q.Normalize();
if (compressed)
{
q = new SecP256K1Point(curve.Curve, q.XCoord, q.YCoord, true);
}
return(new ECKey(q.GetEncoded(), false));
}
