public SimpleRLPSigner(byte[][] data, byte[] r, byte[] s, byte v)
{
this.numberOfElements = data.Length;
this.data = data;
this.signature = EthECDSASignatureFactory.FromComponents(r, s, v);
decoded = true;
}
public TransactionSignature(ECDSASignature signature, SigHash sigHash)
{
if(sigHash == SigHash.Undefined)
throw new ArgumentException("sigHash should not be Undefined");
_SigHash = sigHash;
_Signature = signature.MakeCanonical();
}
public static int CalculateRecId(this ECKey key, ECDSASignature signature, byte[] hash)
{
var recId = -1;
var thisKey = key.GetPubKey(false); // compressed
for (var i = 0; i < 4; i++)
{
var k = ECKey.RecoverFromSignature(i, signature, hash, false).GetPubKey(false);
if ((k != null) && k.SequenceEqual(thisKey))
{
recId = i;
break;
}
}
if (recId == -1)
throw new Exception("Could not construct a recoverable key. This should never happen.");
return recId;
}
public static ECKey RecoverFromSignature(int recId, ECDSASignature sig, byte[] message, bool compressed)
{
if (recId < 0)
throw new ArgumentException("recId should be positive");
if (sig.R.SignValue < 0)
throw new ArgumentException("r should be positive");
if (sig.S.SignValue < 0)
throw new ArgumentException("s should be positive");
if (message == null)
throw new ArgumentNullException("message");
var curve = Secp256k1;
// 1.0 For j from 0 to h (h == recId here and the loop is outside this function)
// 1.1 Let x = r + jn
var n = curve.N;
var i = BigInteger.ValueOf((long) recId/2);
var x = sig.R.Add(i.Multiply(n));
// 1.2. Convert the integer x to an octet string X of length mlen using the conversion routine
// specified in Section 2.3.7, where mlen = ⌈(log2 p)/8⌉ or mlen = ⌈m/8⌉.
// 1.3. Convert the octet string (16 set binary digits)||X to an elliptic curve point R using the
// conversion routine specified in Section 2.3.4. If this conversion routine outputs “invalid”, then
// do another iteration of Step 1.
//
// More concisely, what these points mean is to use X as a compressed public key.
var prime = ((SecP256K1Curve) curve.Curve).QQ;
if (x.CompareTo(prime) >= 0)
return null;
// Compressed keys require you to know an extra bit of data about the y-coord as there are two possibilities.
// So it's encoded in the recId.
var R = DecompressKey(x, (recId & 1) == 1);
// 1.4. If nR != point at infinity, then do another iteration of Step 1 (callers responsibility).
if (!R.Multiply(n).IsInfinity)
return null;
// 1.5. Compute e from M using Steps 2 and 3 of ECDSA signature verification.
var e = new BigInteger(1, message);
// 1.6. For k from 1 to 2 do the following. (loop is outside this function via iterating recId)
// 1.6.1. Compute a candidate public key as:
// Q = mi(r) * (sR - eG)
//
// Where mi(x) is the modular multiplicative inverse. We transform this into the following:
// Q = (mi(r) * s ** R) + (mi(r) * -e ** G)
// Where -e is the modular additive inverse of e, that is z such that z + e = 0 (mod n). In the above equation
// ** is point multiplication and + is point addition (the EC group operator).
//
// We can find the additive inverse by subtracting e from zero then taking the mod. For example the additive
// inverse of 3 modulo 11 is 8 because 3 + 8 mod 11 = 0, and -3 mod 11 = 8.
var eInv = BigInteger.Zero.Subtract(e).Mod(n);
var rInv = sig.R.ModInverse(n);
var srInv = rInv.Multiply(sig.S).Mod(n);
var eInvrInv = rInv.Multiply(eInv).Mod(n);
var q = ECAlgorithms.SumOfTwoMultiplies(curve.G, eInvrInv, R, srInv);
q = q.Normalize();
if (compressed)
q = new SecP256K1Point(curve.Curve, q.XCoord, q.YCoord, true);
return new ECKey(q.GetEncoded(), false);
}
public bool Verify(byte[] hash, ECDSASignature sig)
{
var signer = new ECDsaSigner();
signer.Init(false, GetPublicKeyParameters());
return signer.VerifySignature(hash, sig.R, sig.S);
}
internal bool Verify(uint256 hash, ECDSASignature sig)
{
var signer = new ECDsaSigner();
signer.Init(false, GetPublicKeyParameters());
return signer.VerifySignature(hash.ToBytes(), sig.R, sig.S);
}
private static ECDSASignature DecodeSig(byte[] signatureEncoded)
{
BigInteger r = new BigInteger(1, signatureEncoded.SafeSubarray(1, 32));
BigInteger s = new BigInteger(1, signatureEncoded.SafeSubarray(33, 32));
var sig = new ECDSASignature(r, s);
return sig;
}
public Script GenerateScriptSig(ECDSASignature[] signatures, Script redeemScript)
{
return GenerateScriptSig(signatures.Select(s => new TransactionSignature(s, SigHash.All)).ToArray(), redeemScript);
}
public TransactionSignature(byte[] sigSigHash)
{
_Signature = ECDSASignature.FromDER(sigSigHash.Take(sigSigHash.Length - 1).ToArray()).MakeCanonical();
_SigHash = (SigHash)sigSigHash[sigSigHash.Length - 1];
}
public TransactionSignature(ECDSASignature signature)
: this(signature, SigHash.All)
{
}
public ECDSASignature Sign(uint256 hash)
{
AssertPrivateKey();
ECDsaSigner signer = new ECDsaSigner();
signer.Init(true, PrivateKey);
BigInteger[] components = signer.GenerateSignature(hash.ToBytes());
ECDSASignature signature = new ECDSASignature(components[0], components[1]);
signature = signature.MakeCanonical();
return signature;
}
public static PubKey RecoverCompact(uint256 hash, byte[] signatureEncoded)
{
if(signatureEncoded.Length < 65)
throw new ArgumentException("Signature truncated, expected 65 bytes and got " + signatureEncoded.Length);
int header = signatureEncoded[0];
// The header byte: 0x1B = first key with even y, 0x1C = first key with odd y,
// 0x1D = second key with even y, 0x1E = second key with odd y
if(header < 27 || header > 34)
throw new ArgumentException("Header byte out of range: " + header);
BigInteger r = new BigInteger(1, signatureEncoded.Skip(1).Take(32).ToArray());
BigInteger s = new BigInteger(1, signatureEncoded.Skip(33).Take(32).ToArray());
var sig = new ECDSASignature(r, s);
bool compressed = false;
if(header >= 31)
{
compressed = true;
header -= 4;
}
int recId = header - 27;
ECKey key = ECKey.RecoverFromSignature(recId, sig, hash, compressed);
return key.GetPubKey(compressed);
}
public bool Verify(uint256 hash, ECDSASignature sig)
{
return _Key.Verify(hash, sig);
}
private ECDSASignature ToPositive(ECDSASignature sig)
{
return new ECDSASignature(new BouncyCastle.Math.BigInteger(1, sig.R.ToByteArray()), new BouncyCastle.Math.BigInteger(1, sig.S.ToByteArray()));
}
public TransactionSignature(byte[] sig, SigHash sigHash)
{
_Signature = ECDSASignature.FromDER(sig).MakeCanonical();
_SigHash = sigHash;
}
public static bool VerifyAllowingOnlyLowS(this ECKey key, byte[] hash, ECDSASignature sig)
{
if (!sig.IsLowS) return false;
return key.Verify(hash, sig);
}
public void RlpDecode()
{
var decodedList = RLP.Decode(GetRLPEncoded());
var decodedData = new List<byte[]>();
var decodedElements = (RLPCollection)decodedList[0];
for (var i = 0; i < numberOfElements; i++)
{
decodedData.Add(decodedElements[i].RLPData);
}
// only parse signature in case is signed
if (decodedElements[numberOfElements].RLPData != null)
{
var v = decodedElements[numberOfElements].RLPData[0];
var r = decodedElements[numberOfElements + 1].RLPData;
var s = decodedElements[numberOfElements + 2].RLPData;
signature = EthECDSASignatureFactory.FromComponents(r, s, v);
}
data = decodedData.ToArray();
decoded = true;
}
public static ECKey RecoverFromSignature(ECDSASignature signature, byte[] hash)
{
return ECKey.RecoverFromSignature(GetRecIdFromV(signature.V), signature, hash, false);
}
public void Sign(ECKey key)
{
signature = key.SignAndCalculateV(RawHash);
rlpEncoded = null;
}
public Script GenerateScriptSig(ECDSASignature signature)
{
return GenerateScriptSig(new TransactionSignature(signature, SigHash.All));
}
public static ECKey RecoverFromSignature(int recId, ECDSASignature sig, uint256 message, bool compressed)
{
if (recId < 0)
{
throw new ArgumentException("recId should be positive");
}
if (sig.R.SignValue < 0)
{
throw new ArgumentException("r should be positive");
}
if (sig.S.SignValue < 0)
{
throw new ArgumentException("s should be positive");
}
if (message == null)
{
throw new ArgumentNullException("message");
}
var curve = ECKey.CreateCurve();
// 1.0 For j from 0 to h (h == recId here and the loop is outside this function)
// 1.1 Let x = r + jn
var n = curve.N;
var i = Org.BouncyCastle.Math.BigInteger.ValueOf((long)recId / 2);
var x = sig.R.Add(i.Multiply(n));
// 1.2. Convert the integer x to an octet string X of length mlen using the conversion routine
// specified in Section 2.3.7, where mlen = ⌈(log2 p)/8⌉ or mlen = ⌈m/8⌉.
// 1.3. Convert the octet string (16 set binary digits)||X to an elliptic curve point R using the
// conversion routine specified in Section 2.3.4. If this conversion routine outputs “invalid”, then
// do another iteration of Step 1.
//
// More concisely, what these points mean is to use X as a compressed public key.
var prime = ((FpCurve)curve.Curve).Q;
if (x.CompareTo(prime) >= 0)
{
return(null);
}
// Compressed keys require you to know an extra bit of data about the y-coord as there are two possibilities.
// So it's encoded in the recId.
ECPoint R = DecompressKey(x, (recId & 1) == 1);
// 1.4. If nR != point at infinity, then do another iteration of Step 1 (callers responsibility).
if (!R.Multiply(n).IsInfinity)
{
return(null);
}
// 1.5. Compute e from M using Steps 2 and 3 of ECDSA signature verification.
var e = new Org.BouncyCastle.Math.BigInteger(1, message.ToBytes());
// 1.6. For k from 1 to 2 do the following. (loop is outside this function via iterating recId)
// 1.6.1. Compute a candidate public key as:
// Q = mi(r) * (sR - eG)
//
// Where mi(x) is the modular multiplicative inverse. We transform this into the following:
// Q = (mi(r) * s ** R) + (mi(r) * -e ** G)
// Where -e is the modular additive inverse of e, that is z such that z + e = 0 (mod n). In the above equation
// ** is point multiplication and + is point addition (the EC group operator).
//
// We can find the additive inverse by subtracting e from zero then taking the mod. For example the additive
// inverse of 3 modulo 11 is 8 because 3 + 8 mod 11 = 0, and -3 mod 11 = 8.
var eInv = Org.BouncyCastle.Math.BigInteger.Zero.Subtract(e).Mod(n);
var rInv = sig.R.ModInverse(n);
var srInv = rInv.Multiply(sig.S).Mod(n);
var eInvrInv = rInv.Multiply(eInv).Mod(n);
var q = (FpPoint)ECAlgorithms.SumOfTwoMultiplies(curve.G, eInvrInv, R, srInv);
if (compressed)
{
q = new FpPoint(curve.Curve, q.X, q.Y, true);
}
return(new ECKey(q.GetEncoded(), false));
}
