# encoding: ascii-8bit module Bitcoin # Elliptic Curve key as used in bitcoin. class Key attr_reader :key # Generate a new keypair. # Bitcoin::Key.generate def self.generate(opts={compressed: true}) k = new(nil, nil, opts); k.generate; k end # Import private key from base58 fromat as described in # https://en.bitcoin.it/wiki/Private_key#Base_58_Wallet_Import_format and # https://en.bitcoin.it/wiki/Base58Check_encoding#Encoding_a_private_key. # See also #to_base58 def self.from_base58(str) hex = Bitcoin.decode_base58(str) compressed = hex.size == 76 version, key, flag, checksum = hex.unpack("a2a64a#{compressed ? 2 : 0}a8") raise "Invalid version" unless version == Bitcoin.network[:privkey_version] raise "Invalid checksum" unless Bitcoin.checksum(version + key + flag) == checksum key = new(key, nil, compressed) end def ==(other) self.priv == other.priv end # Create a new key with given +privkey+ and +pubkey+. # Bitcoin::Key.new # Bitcoin::Key.new(privkey) # Bitcoin::Key.new(nil, pubkey) def initialize(privkey = nil, pubkey = nil, opts={compressed: true}) compressed = opts.is_a?(Hash) ? opts.fetch(:compressed, true) : opts @key = Bitcoin.bitcoin_elliptic_curve @pubkey_compressed = pubkey ? self.class.is_compressed_pubkey?(pubkey) : compressed set_priv(privkey) if privkey set_pub(pubkey, @pubkey_compressed) if pubkey end # Generate new priv/pub key. def generate @key.generate_key end # Get the private key (in hex). def priv return nil unless @key.private_key @key.private_key.to_hex.rjust(64, '0') end # Set the private key to +priv+ (in hex). def priv= priv set_priv(priv) regenerate_pubkey end # Get the public key (in hex). # In case the key was initialized with only # a private key, the public key is regenerated. def pub regenerate_pubkey unless @key.public_key return nil unless @key.public_key @pubkey_compressed ? pub_compressed : pub_uncompressed end def pub_compressed @key.public_key.group.point_conversion_form = :compressed @key.public_key.to_hex.rjust(66, '0') end def pub_uncompressed @key.public_key.group.point_conversion_form = :uncompressed @key.public_key.to_hex.rjust(130, '0') end def compressed @pubkey_compressed end # Set the public key (in hex). def pub= pub set_pub(pub) end # Get the hash160 of the public key. def hash160 Bitcoin.hash160(pub) end # Get the address corresponding to the public key. def addr Bitcoin.hash160_to_address(hash160) end # Sign +data+ with the key. # key1 = Bitcoin::Key.generate # sig = key1.sign("some data") def sign(data) Bitcoin.sign_data(key, data) end # Verify signature +sig+ for +data+. # key2 = Bitcoin::Key.new(nil, key1.pub) # key2.verify("some data", sig) def verify(data, sig) regenerate_pubkey unless @key.public_key sig = Bitcoin::OpenSSL_EC.repack_der_signature(sig) if sig @key.dsa_verify_asn1(data, sig) else false end end def sign_message(message) Bitcoin.sign_message(priv, pub, message)['signature'] end def verify_message(signature, message) Bitcoin.verify_message(addr, signature, message) end def self.verify_message(address, signature, message) Bitcoin.verify_message(address, signature, message) end # Thanks to whoever wrote http://pastebin.com/bQtdDzHx # for help with compact signatures # # Given +data+ and a compact signature (65 bytes, base64-encoded to # a larger string), recover the public components of the key whose # private counterpart validly signed +data+. # # If the signature validly signed +data+, create a new Key # having the signing public key and address. Otherwise return nil. # # Be sure to check that the returned Key matches the one you were # expecting! Otherwise you are merely checking that *someone* validly # signed the data. def self.recover_compact_signature_to_key(data, signature_base64) signature = signature_base64.unpack("m0")[0] return nil if signature.size != 65 version = signature.unpack('C')[0] return nil if version < 27 or version > 34 compressed = (version >= 31) ? (version -= 4; true) : false hash = Bitcoin.bitcoin_signed_message_hash(data) pub_hex = Bitcoin::OpenSSL_EC.recover_public_key_from_signature(hash, signature, version-27, compressed) return nil unless pub_hex Key.new(nil, pub_hex) end # Export private key to base58 format. # See also Key.from_base58 def to_base58 data = Bitcoin.network[:privkey_version] + priv data += "01" if @pubkey_compressed hex = data + Bitcoin.checksum(data) Bitcoin.int_to_base58( hex.to_i(16) ) end # Export private key to bip38 (non-ec-multiply) format as described in # https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki # See also Key.from_bip38 def to_bip38(passphrase) flagbyte = compressed ? "\xe0" : "\xc0" addresshash = Digest::SHA256.digest( Digest::SHA256.digest( self.addr ) )[0...4] require 'scrypt' unless defined?(::SCrypt::Engine) buf = SCrypt::Engine.__sc_crypt(passphrase, addresshash, 16384, 8, 8, 64) derivedhalf1, derivedhalf2 = buf[0...32], buf[32..-1] aes = proc{|k,a,b| cipher = OpenSSL::Cipher::AES.new(256, :ECB); cipher.encrypt; cipher.padding = 0; cipher.key = k cipher.update [ (a.to_i(16) ^ b.unpack("H*")[0].to_i(16)).to_s(16).rjust(32, '0') ].pack("H*") } encryptedhalf1 = aes.call(derivedhalf2, self.priv[0...32], derivedhalf1[0...16]) encryptedhalf2 = aes.call(derivedhalf2, self.priv[32..-1], derivedhalf1[16..-1]) encrypted_privkey = "\x01\x42" + flagbyte + addresshash + encryptedhalf1 + encryptedhalf2 encrypted_privkey += Digest::SHA256.digest( Digest::SHA256.digest( encrypted_privkey ) )[0...4] encrypted_privkey = Bitcoin.encode_base58( encrypted_privkey.unpack("H*")[0] ) end # Import private key from bip38 (non-ec-multiply) fromat as described in # https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki # See also #to_bip38 def self.from_bip38(encrypted_privkey, passphrase) version, flagbyte, addresshash, encryptedhalf1, encryptedhalf2, checksum = [ Bitcoin.decode_base58(encrypted_privkey) ].pack("H*").unpack("a2aa4a16a16a4") compressed = (flagbyte == "\xe0") ? true : false raise "Invalid version" unless version == "\x01\x42" raise "Invalid checksum" unless Digest::SHA256.digest(Digest::SHA256.digest(version + flagbyte + addresshash + encryptedhalf1 + encryptedhalf2))[0...4] == checksum require 'scrypt' unless defined?(::SCrypt::Engine) buf = SCrypt::Engine.__sc_crypt(passphrase, addresshash, 16384, 8, 8, 64) derivedhalf1, derivedhalf2 = buf[0...32], buf[32..-1] aes = proc{|k,a| cipher = OpenSSL::Cipher::AES.new(256, :ECB); cipher.decrypt; cipher.padding = 0; cipher.key = k cipher.update(a) } decryptedhalf2 = aes.call(derivedhalf2, encryptedhalf2) decryptedhalf1 = aes.call(derivedhalf2, encryptedhalf1) priv = decryptedhalf1 + decryptedhalf2 priv = (priv.unpack("H*")[0].to_i(16) ^ derivedhalf1.unpack("H*")[0].to_i(16)).to_s(16).rjust(64, '0') key = Bitcoin::Key.new(priv, nil, compressed) if Digest::SHA256.digest( Digest::SHA256.digest( key.addr ) )[0...4] != addresshash raise "Invalid addresshash! Password is likely incorrect." end key end # Import private key from warp fromat as described in # https://github.com/keybase/warpwallet # https://keybase.io/warp/ def self.from_warp(passphrase, salt="", compressed=false) require 'scrypt' unless defined?(::SCrypt::Engine) s1 = SCrypt::Engine.scrypt(passphrase+"\x01", salt+"\x01", 2**18, 8, 1, 32) s2 = OpenSSL::PKCS5.pbkdf2_hmac(passphrase+"\x02", salt+"\x02", 2**16, 32, OpenSSL::Digest::SHA256.new) s3 = s1.bytes.zip(s2.bytes).map{|a,b| a ^ b }.pack("C*") key = Bitcoin::Key.new(s3.unpack("H*")[0], nil, compressed) # [key.addr, key.to_base58, [s1,s2,s3].map{|i| i.unpack("H*")[0] }, compressed] key end protected # Regenerate public key from the private key. def regenerate_pubkey return nil unless @key.private_key set_pub(Bitcoin::OpenSSL_EC.regenerate_key(priv)[1], @pubkey_compressed) end # Set +priv+ as the new private key (converting from hex). def set_priv(priv) @key.private_key = OpenSSL::BN.from_hex(priv) end # Set +pub+ as the new public key (converting from hex). def set_pub(pub, compressed = nil) @pubkey_compressed = compressed == nil ? self.class.is_compressed_pubkey?(pub) : compressed @key.public_key = OpenSSL::PKey::EC::Point.from_hex(@key.group, pub) end def self.is_compressed_pubkey?(pub) ["02","03"].include?(pub[0..1]) end end end