From 2f3d89f415f8e40458b385c699250d2278fe9394 Mon Sep 17 00:00:00 2001 From: ThomasV Date: Mon, 17 Jun 2024 11:20:37 +0200 Subject: [PATCH] prepare for separation of ecc module: - move encrypt/sign functions elsewhere - remove local dependencies in ecc.py, ecc_fast.py (except logging) --- electrum/bitcoin.py | 46 +++++++++++++++++-- electrum/commands.py | 4 +- electrum/crypto.py | 40 +++++++++++++++- electrum/ecc.py | 84 ++-------------------------------- electrum/gui/qml/qedaemon.py | 2 +- electrum/gui/qt/main_window.py | 5 +- electrum/keystore.py | 5 +- electrum/paymentrequest.py | 4 +- electrum/storage.py | 6 +-- electrum/transaction.py | 2 +- tests/test_bitcoin.py | 59 ++++++++++++------------ tests/test_ecc.py | 4 +- 12 files changed, 133 insertions(+), 128 deletions(-) diff --git a/electrum/bitcoin.py b/electrum/bitcoin.py index a95064659..79d65b3f4 100644 --- a/electrum/bitcoin.py +++ b/electrum/bitcoin.py @@ -769,7 +769,7 @@ def taproot_tweak_pubkey(pubkey32: bytes, h: bytes) -> Tuple[int, bytes]: assert len(pubkey32) == 32, len(pubkey32) int_from_bytes = lambda x: int.from_bytes(x, byteorder="big", signed=False) - tweak = int_from_bytes(ecc.bip340_tagged_hash(b"TapTweak", pubkey32 + h)) + tweak = int_from_bytes(bip340_tagged_hash(b"TapTweak", pubkey32 + h)) if tweak >= ecc.CURVE_ORDER: raise ValueError P = ecc.ECPubkey(b"\x02" + pubkey32) @@ -786,7 +786,7 @@ def taproot_tweak_seckey(seckey0: bytes, h: bytes) -> bytes: P = ecc.ECPrivkey(seckey0) seckey = P.secret_scalar if P.has_even_y() else ecc.CURVE_ORDER - P.secret_scalar pubkey32 = P.get_public_key_bytes(compressed=True)[1:] - tweak = int_from_bytes(ecc.bip340_tagged_hash(b"TapTweak", pubkey32 + h)) + tweak = int_from_bytes(bip340_tagged_hash(b"TapTweak", pubkey32 + h)) if tweak >= ecc.CURVE_ORDER: raise ValueError return int.to_bytes((seckey + tweak) % ecc.CURVE_ORDER, length=32, byteorder="big", signed=False) @@ -798,18 +798,21 @@ def taproot_tweak_seckey(seckey0: bytes, h: bytes) -> bytes: TapTreeLeaf = Tuple[int, bytes] TapTree = Union[TapTreeLeaf, Sequence['TapTree']] +def bip340_tagged_hash(tag: bytes, msg: bytes) -> bytes: + # note: _libsecp256k1.secp256k1_tagged_sha256 benchmarks about 70% slower than this (on my machine) + return sha256(sha256(tag) + sha256(tag) + msg) def taproot_tree_helper(script_tree: TapTree): if isinstance(script_tree, tuple): leaf_version, script = script_tree - h = ecc.bip340_tagged_hash(b"TapLeaf", bytes([leaf_version]) + witness_push(script)) + h = bip340_tagged_hash(b"TapLeaf", bytes([leaf_version]) + witness_push(script)) return ([((leaf_version, script), bytes())], h) left, left_h = taproot_tree_helper(script_tree[0]) right, right_h = taproot_tree_helper(script_tree[1]) ret = [(l, c + right_h) for l, c in left] + [(l, c + left_h) for l, c in right] if right_h < left_h: left_h, right_h = right_h, left_h - return (ret, ecc.bip340_tagged_hash(b"TapBranch", left_h + right_h)) + return (ret, bip340_tagged_hash(b"TapBranch", left_h + right_h)) def taproot_output_script(internal_pubkey: bytes, *, script_tree: Optional[TapTree]) -> bytes: @@ -838,3 +841,38 @@ def control_block_for_taproot_script_spend( pubkey_data = bytes([output_pubkey_y_parity + leaf_version]) + internal_pubkey control_block = pubkey_data + merkle_path return (leaf_script, control_block) + + +# user message signing +def usermessage_magic(message: bytes) -> bytes: + from .bitcoin import var_int + length = var_int(len(message)) + return b"\x18Bitcoin Signed Message:\n" + length + message + +def ecdsa_sign_usermessage(ec_privkey, message: Union[bytes, str], *, is_compressed: bool) -> bytes: + message = to_bytes(message, 'utf8') + msg32 = sha256d(usermessage_magic(message)) + return ec_privkey.ecdsa_sign_recoverable(msg32, is_compressed=is_compressed) + +def verify_usermessage_with_address(address: str, sig65: bytes, message: bytes, *, net=None) -> bool: + from .bitcoin import pubkey_to_address + from .ecc import ECPubkey + assert_bytes(sig65, message) + if net is None: net = constants.net + h = sha256d(usermessage_magic(message)) + try: + public_key, compressed, txin_type_guess = ECPubkey.from_ecdsa_sig65(sig65, h) + except Exception as e: + return False + # check public key using the address + pubkey_hex = public_key.get_public_key_hex(compressed) + txin_types = (txin_type_guess,) if txin_type_guess else ('p2pkh', 'p2wpkh', 'p2wpkh-p2sh') + for txin_type in txin_types: + addr = pubkey_to_address(txin_type, pubkey_hex, net=net) + if address == addr: + break + else: + return False + # check message + # note: `$ bitcoin-cli verifymessage` does NOT enforce the low-S rule for ecdsa sigs + return public_key.ecdsa_verify(sig65[1:], h, enforce_low_s=False) diff --git a/electrum/commands.py b/electrum/commands.py index 605bc9e2c..a3dc424ef 100644 --- a/electrum/commands.py +++ b/electrum/commands.py @@ -716,7 +716,7 @@ class Commands: """Verify a signature.""" sig = base64.b64decode(signature) message = util.to_bytes(message) - return ecc.verify_usermessage_with_address(address, sig, message) + return bitcoin.verify_usermessage_with_address(address, sig, message) @command('wp') async def payto(self, destination, amount, fee=None, feerate=None, from_addr=None, from_coins=None, change_addr=None, @@ -910,7 +910,7 @@ class Commands: except TypeError: raise UserFacingException(f"message must be a string-like object instead of {repr(message)}") public_key = ecc.ECPubkey(bfh(pubkey)) - encrypted = public_key.encrypt_message(message) + encrypted = crypto.ecies_encrypt_message(public_key, message) return encrypted.decode('utf-8') @command('wp') diff --git a/electrum/crypto.py b/electrum/crypto.py index 916f90c61..53c1a5d78 100644 --- a/electrum/crypto.py +++ b/electrum/crypto.py @@ -34,7 +34,7 @@ from typing import Union, Mapping, Optional from .util import assert_bytes, InvalidPassword, to_bytes, to_string, WalletFileException, versiontuple from .i18n import _ from .logging import get_logger - +from . import ecc _logger = get_logger(__name__) @@ -443,3 +443,41 @@ def chacha20_decrypt(*, key: bytes, nonce: bytes, data: bytes) -> bytes: decryptor = cipher.decryptor() return decryptor.update(data) raise Exception("no chacha20 backend found") + + +def ecies_encrypt_message(ec_pubkey, message: bytes, *, magic: bytes = b'BIE1') -> bytes: + """ + ECIES encryption/decryption methods; AES-128-CBC with PKCS7 is used as the cipher; hmac-sha256 is used as the mac + """ + assert_bytes(message) + ephemeral = ecc.ECPrivkey.generate_random_key() + ecdh_key = (ec_pubkey * ephemeral.secret_scalar).get_public_key_bytes(compressed=True) + key = hashlib.sha512(ecdh_key).digest() + iv, key_e, key_m = key[0:16], key[16:32], key[32:] + ciphertext = aes_encrypt_with_iv(key_e, iv, message) + ephemeral_pubkey = ephemeral.get_public_key_bytes(compressed=True) + encrypted = magic + ephemeral_pubkey + ciphertext + mac = hmac_oneshot(key_m, encrypted, hashlib.sha256) + return base64.b64encode(encrypted + mac) + + +def ecies_decrypt_message(ec_privkey, encrypted: Union[str, bytes], *, magic: bytes=b'BIE1') -> bytes: + encrypted = base64.b64decode(encrypted) # type: bytes + if len(encrypted) < 85: + raise Exception('invalid ciphertext: length') + magic_found = encrypted[:4] + ephemeral_pubkey_bytes = encrypted[4:37] + ciphertext = encrypted[37:-32] + mac = encrypted[-32:] + if magic_found != magic: + raise Exception('invalid ciphertext: invalid magic bytes') + try: + ephemeral_pubkey = ecc.ECPubkey(ephemeral_pubkey_bytes) + except ecc.InvalidECPointException as e: + raise Exception('invalid ciphertext: invalid ephemeral pubkey') from e + ecdh_key = (ephemeral_pubkey * ec_privkey.secret_scalar).get_public_key_bytes(compressed=True) + key = hashlib.sha512(ecdh_key).digest() + iv, key_e, key_m = key[0:16], key[16:32], key[32:] + if mac != hmac_oneshot(key_m, encrypted[:-32], hashlib.sha256): + raise InvalidPassword() + return aes_decrypt_with_iv(key_e, iv, ciphertext) diff --git a/electrum/ecc.py b/electrum/ecc.py index 9fabb69b5..f7a0b5b0f 100644 --- a/electrum/ecc.py +++ b/electrum/ecc.py @@ -26,20 +26,17 @@ import base64 import hashlib import functools +import secrets from typing import Union, Tuple, Optional from ctypes import ( byref, c_char_p, c_size_t, create_string_buffer, cast, ) -from .util import bfh, assert_bytes, to_bytes, InvalidPassword, profiler, randrange -from .crypto import (sha256, sha256d, aes_encrypt_with_iv, aes_decrypt_with_iv, hmac_oneshot) -from . import constants -from .logging import get_logger from . import ecc_fast from .ecc_fast import _libsecp256k1, SECP256K1_EC_UNCOMPRESSED, LibModuleMissing -_logger = get_logger(__name__) - +def assert_bytes(x): + assert isinstance(x, (bytes, bytearray)) # Some unit tests need to create ECDSA sigs without grinding the R value (and just use RFC6979). # see https://github.com/bitcoin/bitcoin/pull/13666 @@ -382,23 +379,6 @@ class ECPubkey(object): return False return True - def encrypt_message(self, message: bytes, *, magic: bytes = b'BIE1') -> bytes: - """ - ECIES encryption/decryption methods; AES-128-CBC with PKCS7 is used as the cipher; hmac-sha256 is used as the mac - """ - assert_bytes(message) - - ephemeral = ECPrivkey.generate_random_key() - ecdh_key = (self * ephemeral.secret_scalar).get_public_key_bytes(compressed=True) - key = hashlib.sha512(ecdh_key).digest() - iv, key_e, key_m = key[0:16], key[16:32], key[32:] - ciphertext = aes_encrypt_with_iv(key_e, iv, message) - ephemeral_pubkey = ephemeral.get_public_key_bytes(compressed=True) - encrypted = magic + ephemeral_pubkey + ciphertext - mac = hmac_oneshot(key_m, encrypted, hashlib.sha256) - - return base64.b64encode(encrypted + mac) - @classmethod def order(cls) -> int: return CURVE_ORDER @@ -424,34 +404,6 @@ CURVE_ORDER = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D POINT_AT_INFINITY = ECPubkey(None) -def usermessage_magic(message: bytes) -> bytes: - from .bitcoin import var_int - length = var_int(len(message)) - return b"\x18Bitcoin Signed Message:\n" + length + message - - -def verify_usermessage_with_address(address: str, sig65: bytes, message: bytes, *, net=None) -> bool: - from .bitcoin import pubkey_to_address - assert_bytes(sig65, message) - if net is None: net = constants.net - h = sha256d(usermessage_magic(message)) - try: - public_key, compressed, txin_type_guess = ECPubkey.from_ecdsa_sig65(sig65, h) - except Exception as e: - return False - # check public key using the address - pubkey_hex = public_key.get_public_key_hex(compressed) - txin_types = (txin_type_guess,) if txin_type_guess else ('p2pkh', 'p2wpkh', 'p2wpkh-p2sh') - for txin_type in txin_types: - addr = pubkey_to_address(txin_type, pubkey_hex, net=net) - if address == addr: - break - else: - return False - # check message - # note: `$ bitcoin-cli verifymessage` does NOT enforce the low-S rule for ecdsa sigs - return public_key.ecdsa_verify(sig65[1:], h, enforce_low_s=False) - def is_secret_within_curve_range(secret: Union[int, bytes]) -> bool: if isinstance(secret, bytes): @@ -499,7 +451,7 @@ class ECPrivkey(ECPubkey): @classmethod def generate_random_key(cls) -> 'ECPrivkey': - randint = randrange(CURVE_ORDER) + randint = secrets.randbelow(CURVE_ORDER - 1) + 1 ephemeral_exponent = int.to_bytes(randint, length=32, byteorder='big', signed=False) return ECPrivkey(ephemeral_exponent) @@ -592,31 +544,6 @@ class ECPrivkey(ECPubkey): sig65, recid = bruteforce_recid(sig64) return sig65 - def ecdsa_sign_usermessage(self, message: Union[bytes, str], *, is_compressed: bool) -> bytes: - message = to_bytes(message, 'utf8') - msg32 = sha256d(usermessage_magic(message)) - return self.ecdsa_sign_recoverable(msg32, is_compressed=is_compressed) - - def decrypt_message(self, encrypted: Union[str, bytes], *, magic: bytes=b'BIE1') -> bytes: - encrypted = base64.b64decode(encrypted) # type: bytes - if len(encrypted) < 85: - raise Exception('invalid ciphertext: length') - magic_found = encrypted[:4] - ephemeral_pubkey_bytes = encrypted[4:37] - ciphertext = encrypted[37:-32] - mac = encrypted[-32:] - if magic_found != magic: - raise Exception('invalid ciphertext: invalid magic bytes') - try: - ephemeral_pubkey = ECPubkey(ephemeral_pubkey_bytes) - except InvalidECPointException as e: - raise Exception('invalid ciphertext: invalid ephemeral pubkey') from e - ecdh_key = (ephemeral_pubkey * self.secret_scalar).get_public_key_bytes(compressed=True) - key = hashlib.sha512(ecdh_key).digest() - iv, key_e, key_m = key[0:16], key[16:32], key[32:] - if mac != hmac_oneshot(key_m, encrypted[:-32], hashlib.sha256): - raise InvalidPassword() - return aes_decrypt_with_iv(key_e, iv, ciphertext) def construct_ecdsa_sig65(sig64: bytes, recid: int, *, is_compressed: bool) -> bytes: @@ -624,6 +551,3 @@ def construct_ecdsa_sig65(sig64: bytes, recid: int, *, is_compressed: bool) -> b return bytes([27 + recid + comp]) + sig64 -def bip340_tagged_hash(tag: bytes, msg: bytes) -> bytes: - # note: _libsecp256k1.secp256k1_tagged_sha256 benchmarks about 70% slower than this (on my machine) - return sha256(sha256(tag) + sha256(tag) + msg) diff --git a/electrum/gui/qml/qedaemon.py b/electrum/gui/qml/qedaemon.py index 223bdc1bd..a2aaff7c1 100644 --- a/electrum/gui/qml/qedaemon.py +++ b/electrum/gui/qml/qedaemon.py @@ -12,7 +12,7 @@ from electrum.util import WalletFileException, standardize_path, InvalidPassword from electrum.plugin import run_hook from electrum.lnchannel import ChannelState from electrum.bitcoin import is_address -from electrum.ecc import verify_usermessage_with_address +from electrum.bitcoin import verify_usermessage_with_address from electrum.storage import StorageReadWriteError from .auth import AuthMixin, auth_protect diff --git a/electrum/gui/qt/main_window.py b/electrum/gui/qt/main_window.py index 7c11bb58b..5a837f468 100644 --- a/electrum/gui/qt/main_window.py +++ b/electrum/gui/qt/main_window.py @@ -1993,7 +1993,7 @@ class ElectrumWindow(QMainWindow, MessageBoxMixin, Logger, QtEventListener): try: # This can throw on invalid base64 sig = base64.b64decode(str(signature.toPlainText())) - verified = ecc.verify_usermessage_with_address(address, sig, message) + verified = bitcoin.verify_usermessage_with_address(address, sig, message) except Exception as e: verified = False if verified: @@ -2057,6 +2057,7 @@ class ElectrumWindow(QMainWindow, MessageBoxMixin, Logger, QtEventListener): self.thread.add(task, on_success=setText) def do_encrypt(self, message_e, pubkey_e, encrypted_e): + from electrum import crypto message = message_e.toPlainText() message = message.encode('utf-8') try: @@ -2065,7 +2066,7 @@ class ElectrumWindow(QMainWindow, MessageBoxMixin, Logger, QtEventListener): self.logger.exception('Invalid Public key') self.show_warning(_('Invalid Public key')) return - encrypted = public_key.encrypt_message(message) + encrypted = crypto.ecies_encrypt_message(public_key, message) encrypted_e.setText(encrypted.decode('ascii')) def encrypt_message(self, address=''): diff --git a/electrum/keystore.py b/electrum/keystore.py index 1bf832bcd..a93ed5e97 100644 --- a/electrum/keystore.py +++ b/electrum/keystore.py @@ -41,6 +41,7 @@ from .bip32 import (convert_bip32_strpath_to_intpath, BIP32_PRIME, KeyOriginInfo) from .descriptor import PubkeyProvider from .ecc import string_to_number +from . import crypto from .crypto import (pw_decode, pw_encode, sha256, sha256d, PW_HASH_VERSION_LATEST, SUPPORTED_PW_HASH_VERSIONS, UnsupportedPasswordHashVersion, hash_160, CiphertextFormatError) @@ -223,12 +224,12 @@ class Software_KeyStore(KeyStore): def sign_message(self, sequence, message, password, *, script_type=None) -> bytes: privkey, compressed = self.get_private_key(sequence, password) key = ecc.ECPrivkey(privkey) - return key.ecdsa_sign_usermessage(message, is_compressed=compressed) + return bitcoin.ecdsa_sign_usermessage(key, message, is_compressed=compressed) def decrypt_message(self, sequence, message, password) -> bytes: privkey, compressed = self.get_private_key(sequence, password) ec = ecc.ECPrivkey(privkey) - decrypted = ec.decrypt_message(message) + decrypted = crypto.ecies_decrypt_message(ec, message) return decrypted def sign_transaction(self, tx, password): diff --git a/electrum/paymentrequest.py b/electrum/paymentrequest.py index ba2f4a58b..7e734fa49 100644 --- a/electrum/paymentrequest.py +++ b/electrum/paymentrequest.py @@ -235,7 +235,7 @@ class PaymentRequest: address = info.get('address') pr.signature = b'' message = pr.SerializeToString() - if ecc.verify_usermessage_with_address(address, sig, message): + if bitcoin.verify_usermessage_with_address(address, sig, message): self._verified_success_msg = 'Verified with DNSSEC' self._verified_success = True return True @@ -356,7 +356,7 @@ def sign_request_with_alias(pr, alias, alias_privkey): message = pr.SerializeToString() ec_key = ecc.ECPrivkey(alias_privkey) compressed = bitcoin.is_compressed_privkey(alias_privkey) - pr.signature = ec_key.ecdsa_sign_usermessage(message, is_compressed=compressed) + pr.signature = bitcoin.ecdsa_sign_usermessage(ec_key, message, is_compressed=compressed) def verify_cert_chain(chain): diff --git a/electrum/storage.py b/electrum/storage.py index 6c8551571..dedd6d006 100644 --- a/electrum/storage.py +++ b/electrum/storage.py @@ -31,7 +31,7 @@ import zlib from enum import IntEnum from typing import Optional -from . import ecc +from . import ecc, crypto from .util import (profiler, InvalidPassword, WalletFileException, bfh, standardize_path, test_read_write_permissions, os_chmod) @@ -192,7 +192,7 @@ class WalletStorage(Logger): ec_key = self.get_eckey_from_password(password) if self.raw: enc_magic = self._get_encryption_magic() - s = zlib.decompress(ec_key.decrypt_message(self.raw, magic=enc_magic)) + s = zlib.decompress(crypto.ecies_decrypt_message(ec_key, self.raw, magic=enc_magic)) s = s.decode('utf8') else: s = '' @@ -207,7 +207,7 @@ class WalletStorage(Logger): c = zlib.compress(s, level=zlib.Z_BEST_SPEED) enc_magic = self._get_encryption_magic() public_key = ecc.ECPubkey(bfh(self.pubkey)) - s = public_key.encrypt_message(c, magic=enc_magic) + s = crypto.ecies_encrypt_message(public_key, c, magic=enc_magic) s = s.decode('utf8') return s diff --git a/electrum/transaction.py b/electrum/transaction.py index 8573aec96..e861e6678 100644 --- a/electrum/transaction.py +++ b/electrum/transaction.py @@ -2309,7 +2309,7 @@ class PartialTransaction(Transaction): merkle_root = txin.tap_merkle_root or bytes() output_privkey_bytes = taproot_tweak_seckey(privkey_bytes, merkle_root) output_privkey = ecc.ECPrivkey(output_privkey_bytes) - msg_hash = ecc.bip340_tagged_hash(b"TapSighash", pre_hash) + msg_hash = bitcoin.bip340_tagged_hash(b"TapSighash", pre_hash) sig = output_privkey.schnorr_sign(msg_hash) sighash = txin.sighash if txin.sighash is not None else Sighash.DEFAULT else: diff --git a/tests/test_bitcoin.py b/tests/test_bitcoin.py index 1d48cbac7..d91c1827f 100644 --- a/tests/test_bitcoin.py +++ b/tests/test_bitcoin.py @@ -23,12 +23,12 @@ from electrum.bip32 import (BIP32Node, convert_bip32_intpath_to_strpath, is_xpub, convert_bip32_strpath_to_intpath, normalize_bip32_derivation, is_all_public_derivation) from electrum.crypto import sha256d, SUPPORTED_PW_HASH_VERSIONS -from electrum import ecc, crypto, constants +from electrum import ecc, crypto, constants, bitcoin from electrum.util import bfh, InvalidPassword, randrange from electrum.storage import WalletStorage from electrum.keystore import xtype_from_derivation -from electrum import ecc_fast +from electrum import ecc_fast, crypto from . import ElectrumTestCase from . import FAST_TESTS @@ -182,16 +182,16 @@ class Test_bitcoin(ElectrumTestCase): eck = ecc.ECPrivkey.from_secret_scalar(pvk) #print "Compressed public key ", pubkey_c.encode('hex') - enc = ecc.ECPubkey(pubkey_c).encrypt_message(message) - dec = eck.decrypt_message(enc) + enc = crypto.ecies_encrypt_message(ecc.ECPubkey(pubkey_c), message) + dec = crypto.ecies_decrypt_message(eck, enc) self.assertEqual(message, dec) #print "Uncompressed public key", pubkey_u.encode('hex') #enc2 = EC_KEY.encrypt_message(message, pubkey_u) - dec2 = eck.decrypt_message(enc) + dec2 = crypto.ecies_decrypt_message(eck, enc) self.assertEqual(message, dec2) - msg32 = sha256d(ecc.usermessage_magic(message)) + msg32 = sha256d(bitcoin.usermessage_magic(message)) sig65 = eck.ecdsa_sign_recoverable(msg32, is_compressed=True) self.assertTrue(eck.ecdsa_verify_recoverable(sig65, msg32)) @@ -226,7 +226,7 @@ class Test_bitcoin(ElectrumTestCase): def sign_message_with_wif_privkey(wif_privkey: str, msg: bytes) -> bytes: txin_type, privkey, compressed = deserialize_privkey(wif_privkey) key = ecc.ECPrivkey(privkey) - return key.ecdsa_sign_usermessage(msg, is_compressed=compressed) + return bitcoin.ecdsa_sign_usermessage(key, msg, is_compressed=compressed) def test_signmessage_legacy_address(self): msg1 = b'Chancellor on brink of second bailout for banks' @@ -245,11 +245,11 @@ class Test_bitcoin(ElectrumTestCase): self.assertEqual(sig1_b64, b'Hzsu0U/THAsPz/MSuXGBKSULz2dTfmrg1NsAhFp+wH5aKfmX4Db7ExLGa7FGn0m6Mf43KsbEOWpvUUUBTM3Uusw=') self.assertEqual(sig2_b64, b'HBQdYfv7kOrxmRewLJnG7sV6KlU71O04hUnE4tai97p7Pg+D+yKaWXsdGgHTrKw90caQMo/D6b//qX50ge9P9iI=') - self.assertTrue(ecc.verify_usermessage_with_address(addr1, sig1, msg1)) - self.assertTrue(ecc.verify_usermessage_with_address(addr2, sig2, msg2)) + self.assertTrue(bitcoin.verify_usermessage_with_address(addr1, sig1, msg1)) + self.assertTrue(bitcoin.verify_usermessage_with_address(addr2, sig2, msg2)) - self.assertFalse(ecc.verify_usermessage_with_address(addr1, b'wrong', msg1)) - self.assertFalse(ecc.verify_usermessage_with_address(addr1, sig2, msg1)) + self.assertFalse(bitcoin.verify_usermessage_with_address(addr1, b'wrong', msg1)) + self.assertFalse(bitcoin.verify_usermessage_with_address(addr1, sig2, msg1)) def test_signmessage_low_s(self): """`$ bitcoin-cli verifymessage` does NOT enforce the low-S rule for ecdsa sigs. This tests we do the same.""" @@ -257,8 +257,8 @@ class Test_bitcoin(ElectrumTestCase): sig_low_s = b'Hzsu0U/THAsPz/MSuXGBKSULz2dTfmrg1NsAhFp+wH5aKfmX4Db7ExLGa7FGn0m6Mf43KsbEOWpvUUUBTM3Uusw=' sig_high_s = b'IDsu0U/THAsPz/MSuXGBKSULz2dTfmrg1NsAhFp+wH5a1gZoH8kE7O05lE65YLZFzLx3sh/rDzXMbo1dQAJhhnU=' msg = b'Chancellor on brink of second bailout for banks' - self.assertTrue(ecc.verify_usermessage_with_address(address=addr, sig65=base64.b64decode(sig_low_s), message=msg)) - self.assertTrue(ecc.verify_usermessage_with_address(address=addr, sig65=base64.b64decode(sig_high_s), message=msg)) + self.assertTrue(bitcoin.verify_usermessage_with_address(address=addr, sig65=base64.b64decode(sig_low_s), message=msg)) + self.assertTrue(bitcoin.verify_usermessage_with_address(address=addr, sig65=base64.b64decode(sig_high_s), message=msg)) def test_signmessage_segwit_witness_v0_address(self): msg = b'Electrum' @@ -266,14 +266,14 @@ class Test_bitcoin(ElectrumTestCase): sig1 = self.sign_message_with_wif_privkey("p2wpkh-p2sh:L1cgMEnShp73r9iCukoPE3MogLeueNYRD9JVsfT1zVHyPBR3KqBY", msg) addr1 = "3DYoBqQ5N6dADzyQjy9FT1Ls4amiYVaqTG" self.assertEqual(base64.b64encode(sig1), b'HyFaND+87TtVbRhkTfT3mPNBCQcJ32XXtNZGW8sFldJsNpOPCegEmdcCf5Thy18hdMH88GLxZLkOby/EwVUuSeA=') - self.assertTrue(ecc.verify_usermessage_with_address(addr1, sig1, msg)) - self.assertFalse(ecc.verify_usermessage_with_address(addr1, sig1, b'heyheyhey')) + self.assertTrue(bitcoin.verify_usermessage_with_address(addr1, sig1, msg)) + self.assertFalse(bitcoin.verify_usermessage_with_address(addr1, sig1, b'heyheyhey')) # p2wpkh sig2 = self.sign_message_with_wif_privkey("p2wpkh:L1cgMEnShp73r9iCukoPE3MogLeueNYRD9JVsfT1zVHyPBR3KqBY", msg) addr2 = "bc1qq2tmmcngng78nllq2pvrkchcdukemtj56uyue0" self.assertEqual(base64.b64encode(sig2), b'HyFaND+87TtVbRhkTfT3mPNBCQcJ32XXtNZGW8sFldJsNpOPCegEmdcCf5Thy18hdMH88GLxZLkOby/EwVUuSeA=') - self.assertTrue(ecc.verify_usermessage_with_address(addr2, sig2, msg)) - self.assertFalse(ecc.verify_usermessage_with_address(addr2, sig2, b'heyheyhey')) + self.assertTrue(bitcoin.verify_usermessage_with_address(addr2, sig2, msg)) + self.assertFalse(bitcoin.verify_usermessage_with_address(addr2, sig2, b'heyheyhey')) def test_signmessage_segwit_witness_v0_address_test_we_also_accept_sigs_from_trezor(self): """Trezor and some other projects use a slightly different scheme for message-signing @@ -286,20 +286,23 @@ class Test_bitcoin(ElectrumTestCase): addr2 = "bc1qannfxke2tfd4l7vhepehpvt05y83v3qsf6nfkk" sig1 = bytes.fromhex("23744de4516fac5c140808015664516a32fead94de89775cec7e24dbc24fe133075ac09301c4cc8e197bea4b6481661d5b8e9bf19d8b7b8a382ecdb53c2ee0750d") sig2 = bytes.fromhex("28b55d7600d9e9a7e2a49155ddf3cfdb8e796c207faab833010fa41fb7828889bc47cf62348a7aaa0923c0832a589fab541e8f12eb54fb711c90e2307f0f66b194") - self.assertTrue(ecc.verify_usermessage_with_address(address=addr1, sig65=sig1, message=msg)) - self.assertTrue(ecc.verify_usermessage_with_address(address=addr2, sig65=sig2, message=msg)) + self.assertTrue(bitcoin.verify_usermessage_with_address(address=addr1, sig65=sig1, message=msg)) + self.assertTrue(bitcoin.verify_usermessage_with_address(address=addr2, sig65=sig2, message=msg)) # if there is type information in the header of the sig (first byte), enforce that: sig1_wrongtype = bytes.fromhex("27744de4516fac5c140808015664516a32fead94de89775cec7e24dbc24fe133075ac09301c4cc8e197bea4b6481661d5b8e9bf19d8b7b8a382ecdb53c2ee0750d") sig2_wrongtype = bytes.fromhex("24b55d7600d9e9a7e2a49155ddf3cfdb8e796c207faab833010fa41fb7828889bc47cf62348a7aaa0923c0832a589fab541e8f12eb54fb711c90e2307f0f66b194") - self.assertFalse(ecc.verify_usermessage_with_address(address=addr1, sig65=sig1_wrongtype, message=msg)) - self.assertFalse(ecc.verify_usermessage_with_address(address=addr2, sig65=sig2_wrongtype, message=msg)) + self.assertFalse(bitcoin.verify_usermessage_with_address(address=addr1, sig65=sig1_wrongtype, message=msg)) + self.assertFalse(bitcoin.verify_usermessage_with_address(address=addr2, sig65=sig2_wrongtype, message=msg)) @needs_test_with_all_aes_implementations def test_decrypt_message(self): key = WalletStorage.get_eckey_from_password('pw123') - self.assertEqual(b'me<(s_s)>age', key.decrypt_message(b'QklFMQMDFtgT3zWSQsa+Uie8H/WvfUjlu9UN9OJtTt3KlgKeSTi6SQfuhcg1uIz9hp3WIUOFGTLr4RNQBdjPNqzXwhkcPi2Xsbiw6UCNJncVPJ6QBg==')) - self.assertEqual(b'me<(s_s)>age', key.decrypt_message(b'QklFMQKXOXbylOQTSMGfo4MFRwivAxeEEkewWQrpdYTzjPhqjHcGBJwdIhB7DyRfRQihuXx1y0ZLLv7XxLzrILzkl/H4YUtZB4uWjuOAcmxQH4i/Og==')) - self.assertEqual(b'hey_there' * 100, key.decrypt_message(b'QklFMQLOOsabsXtGQH8edAa6VOUa5wX8/DXmxX9NyHoAx1a5bWgllayGRVPeI2bf0ZdWK0tfal0ap0ZIVKbd2eOJybqQkILqT6E1/Syzq0Zicyb/AA1eZNkcX5y4gzloxinw00ubCA8M7gcUjJpOqbnksATcJ5y2YYXcHMGGfGurWu6uJ/UyrNobRidWppRMW5yR9/6utyNvT6OHIolCMEf7qLcmtneoXEiz51hkRdZS7weNf9mGqSbz9a2NL3sdh1A0feHIjAZgcCKcAvksNUSauf0/FnIjzTyPRpjRDMeDC8Ci3sGiuO3cvpWJwhZfbjcS26KmBv2CHWXfRRNFYOInHZNIXWNAoBB47Il5bGSMd+uXiGr+SQ9tNvcu+BiJNmFbxYqg+oQ8dGAl1DtvY2wJVY8k7vO9BIWSpyIxfGw7EDifhc5vnOmGe016p6a01C3eVGxgl23UYMrP7+fpjOcPmTSF4rk5U5ljEN3MSYqlf1QEv0OqlI9q1TwTK02VBCjMTYxDHsnt04OjNBkNO8v5uJ4NR+UUDBEp433z53I59uawZ+dbk4v4ZExcl8EGmKm3Gzbal/iJ/F7KQuX2b/ySEhLOFVYFWxK73X1nBvCSK2mC2/8fCw8oI5pmvzJwQhcCKTdEIrz3MMvAHqtPScDUOjzhXxInQOCb3+UBj1PPIdqkYLvZss1TEaBwYZjLkVnK2MBj7BaqT6Rp6+5A/fippUKHsnB6eYMEPR2YgDmCHL+4twxHJG6UWdP3ybaKiiAPy2OHNP6PTZ0HrqHOSJzBSDD+Z8YpaRg29QX3UEWlqnSKaan0VYAsV1VeaN0XFX46/TWO0L5tjhYVXJJYGqo6tIQJymxATLFRF6AZaD1Mwd27IAL04WkmoQoXfO6OFfwdp/shudY/1gBkDBvGPICBPtnqkvhGF+ZF3IRkuPwiFWeXmwBxKHsRx/3+aJu32Ml9+za41zVk2viaxcGqwTc5KMexQFLAUwqhv+aIik7U+5qk/gEVSuRoVkihoweFzKolNF+BknH2oB4rZdPixag5Zje3DvgjsSFlOl69W/67t/Gs8htfSAaHlsB8vWRQr9+v/lxTbrAw+O0E+sYGoObQ4qQMyQshNZEHbpPg63eWiHtJJnrVBvOeIbIHzoLDnMDsWVWZSMzAQ1vhX1H5QLgSEbRlKSliVY03kDkh/Nk/KOn+B2q37Ialq4JcRoIYFGJ8AoYEAD0tRuTqFddIclE75HzwaNG7NyKW1plsa72ciOPwsPJsdd5F0qdSQ3OSKtooTn7uf6dXOc4lDkfrVYRlZ0PX')) + self.assertEqual(b'me<(s_s)>age', crypto.ecies_decrypt_message( + key, b'QklFMQMDFtgT3zWSQsa+Uie8H/WvfUjlu9UN9OJtTt3KlgKeSTi6SQfuhcg1uIz9hp3WIUOFGTLr4RNQBdjPNqzXwhkcPi2Xsbiw6UCNJncVPJ6QBg==')) + self.assertEqual(b'me<(s_s)>age', crypto.ecies_decrypt_message( + key, b'QklFMQKXOXbylOQTSMGfo4MFRwivAxeEEkewWQrpdYTzjPhqjHcGBJwdIhB7DyRfRQihuXx1y0ZLLv7XxLzrILzkl/H4YUtZB4uWjuOAcmxQH4i/Og==')) + self.assertEqual(b'hey_there' * 100, crypto.ecies_decrypt_message( + key, b'QklFMQLOOsabsXtGQH8edAa6VOUa5wX8/DXmxX9NyHoAx1a5bWgllayGRVPeI2bf0ZdWK0tfal0ap0ZIVKbd2eOJybqQkILqT6E1/Syzq0Zicyb/AA1eZNkcX5y4gzloxinw00ubCA8M7gcUjJpOqbnksATcJ5y2YYXcHMGGfGurWu6uJ/UyrNobRidWppRMW5yR9/6utyNvT6OHIolCMEf7qLcmtneoXEiz51hkRdZS7weNf9mGqSbz9a2NL3sdh1A0feHIjAZgcCKcAvksNUSauf0/FnIjzTyPRpjRDMeDC8Ci3sGiuO3cvpWJwhZfbjcS26KmBv2CHWXfRRNFYOInHZNIXWNAoBB47Il5bGSMd+uXiGr+SQ9tNvcu+BiJNmFbxYqg+oQ8dGAl1DtvY2wJVY8k7vO9BIWSpyIxfGw7EDifhc5vnOmGe016p6a01C3eVGxgl23UYMrP7+fpjOcPmTSF4rk5U5ljEN3MSYqlf1QEv0OqlI9q1TwTK02VBCjMTYxDHsnt04OjNBkNO8v5uJ4NR+UUDBEp433z53I59uawZ+dbk4v4ZExcl8EGmKm3Gzbal/iJ/F7KQuX2b/ySEhLOFVYFWxK73X1nBvCSK2mC2/8fCw8oI5pmvzJwQhcCKTdEIrz3MMvAHqtPScDUOjzhXxInQOCb3+UBj1PPIdqkYLvZss1TEaBwYZjLkVnK2MBj7BaqT6Rp6+5A/fippUKHsnB6eYMEPR2YgDmCHL+4twxHJG6UWdP3ybaKiiAPy2OHNP6PTZ0HrqHOSJzBSDD+Z8YpaRg29QX3UEWlqnSKaan0VYAsV1VeaN0XFX46/TWO0L5tjhYVXJJYGqo6tIQJymxATLFRF6AZaD1Mwd27IAL04WkmoQoXfO6OFfwdp/shudY/1gBkDBvGPICBPtnqkvhGF+ZF3IRkuPwiFWeXmwBxKHsRx/3+aJu32Ml9+za41zVk2viaxcGqwTc5KMexQFLAUwqhv+aIik7U+5qk/gEVSuRoVkihoweFzKolNF+BknH2oB4rZdPixag5Zje3DvgjsSFlOl69W/67t/Gs8htfSAaHlsB8vWRQr9+v/lxTbrAw+O0E+sYGoObQ4qQMyQshNZEHbpPg63eWiHtJJnrVBvOeIbIHzoLDnMDsWVWZSMzAQ1vhX1H5QLgSEbRlKSliVY03kDkh/Nk/KOn+B2q37Ialq4JcRoIYFGJ8AoYEAD0tRuTqFddIclE75HzwaNG7NyKW1plsa72ciOPwsPJsdd5F0qdSQ3OSKtooTn7uf6dXOc4lDkfrVYRlZ0PX')) @needs_test_with_all_aes_implementations def test_encrypt_message(self): @@ -309,10 +312,10 @@ class Test_bitcoin(ElectrumTestCase): b'cannot think of anything funny' ] for plaintext in msgs: - ciphertext1 = key.encrypt_message(plaintext) - ciphertext2 = key.encrypt_message(plaintext) - self.assertEqual(plaintext, key.decrypt_message(ciphertext1)) - self.assertEqual(plaintext, key.decrypt_message(ciphertext2)) + ciphertext1 = crypto.ecies_encrypt_message(key, plaintext) + ciphertext2 = crypto.ecies_encrypt_message(key, plaintext) + self.assertEqual(plaintext, crypto.ecies_decrypt_message(key, ciphertext1)) + self.assertEqual(plaintext, crypto.ecies_decrypt_message(key, ciphertext2)) self.assertNotEqual(ciphertext1, ciphertext2) def test_sign_transaction(self): diff --git a/tests/test_ecc.py b/tests/test_ecc.py index d9f0c129d..e8f434112 100644 --- a/tests/test_ecc.py +++ b/tests/test_ecc.py @@ -4,7 +4,7 @@ from ctypes import ( ) import io -from electrum import ecc +from electrum import ecc, bitcoin from electrum.ecc import ECPubkey, ECPrivkey from electrum.ecc_fast import _libsecp256k1 from electrum import crypto @@ -115,7 +115,7 @@ class TestSchnorr(ElectrumTestCase): ) for tag, msg in data: self.assertEqual(bip340_tagged_hash__from_libsecp(tag, msg), - ecc.bip340_tagged_hash(tag, msg)) + bitcoin.bip340_tagged_hash(tag, msg)) class TestEcdsa(ElectrumTestCase):