// isPubKey returns whether or not the passed public key script is a standard
// pay-to-pubkey script that pays to a valid compressed or uncompressed public
// key along with the serialized pubkey it is paying to if it is.
//
// NOTE: This function ensures the public key is actually valid since the
// compression algorithm requires valid pubkeys. It does not support hybrid
// pubkeys. This means that even if the script has the correct form for a
// pay-to-pubkey script, this function will only return true when it is paying
// to a valid compressed or uncompressed pubkey.
func isPubKey(script []byte) (bool, []byte) {
// Pay-to-compressed-pubkey script.
if len(script) == 35 && script[0] == txscript.OP_DATA_33 &&
script[34] == txscript.OP_CHECKSIG && (script[1] == 0x02 ||
script[1] == 0x03) {
// Ensure the public key is valid.
serializedPubKey := script[1:34]
_, err := btcec.ParsePubKey(serializedPubKey, btcec.S256())
if err == nil {
return true, serializedPubKey
}
}
// Pay-to-uncompressed-pubkey script.
if len(script) == 67 && script[0] == txscript.OP_DATA_65 &&
script[66] == txscript.OP_CHECKSIG && script[1] == 0x04 {
// Ensure the public key is valid.
serializedPubKey := script[1:66]
_, err := btcec.ParsePubKey(serializedPubKey, btcec.S256())
if err == nil {
return true, serializedPubKey
}
}
return false, nil
}
// GetIdentity returns the public identity corresponding to the given address
// if it exists.
func (c *Client) GetIdentity(address string) (*identity.Public, error) {
addr, err := bmutil.DecodeAddress(address)
if err != nil {
return nil, fmt.Errorf("Address decode failed: %v", addr)
}
res, err := c.bmd.GetIdentity(context.Background(), &pb.GetIdentityRequest{
Address: address,
})
if grpc.Code(err) == codes.NotFound {
return nil, ErrIdentityNotFound
} else if err != nil {
return nil, err
}
signKey, err := btcec.ParsePubKey(res.SigningKey, btcec.S256())
if err != nil {
return nil, err
}
encKey, err := btcec.ParsePubKey(res.EncryptionKey, btcec.S256())
if err != nil {
return nil, err
}
return identity.NewPublic(signKey, encKey,
&pow.Data{
res.NonceTrials,
res.ExtraBytes,
}, addr.Version, addr.Stream), nil
}
func TestPublicKeyIsEqual(t *testing.T) {
pubKey1, err := btcec.ParsePubKey(
[]byte{0x03, 0x26, 0x89, 0xc7, 0xc2, 0xda, 0xb1, 0x33,
0x09, 0xfb, 0x14, 0x3e, 0x0e, 0x8f, 0xe3, 0x96, 0x34,
0x25, 0x21, 0x88, 0x7e, 0x97, 0x66, 0x90, 0xb6, 0xb4,
0x7f, 0x5b, 0x2a, 0x4b, 0x7d, 0x44, 0x8e,
},
btcec.S256(),
)
if err != nil {
t.Fatalf("failed to parse raw bytes for pubKey1: %v", err)
}
pubKey2, err := btcec.ParsePubKey(
[]byte{0x02, 0xce, 0x0b, 0x14, 0xfb, 0x84, 0x2b, 0x1b,
0xa5, 0x49, 0xfd, 0xd6, 0x75, 0xc9, 0x80, 0x75, 0xf1,
0x2e, 0x9c, 0x51, 0x0f, 0x8e, 0xf5, 0x2b, 0xd0, 0x21,
0xa9, 0xa1, 0xf4, 0x80, 0x9d, 0x3b, 0x4d,
},
btcec.S256(),
)
if err != nil {
t.Fatalf("failed to parse raw bytes for pubKey2: %v", err)
}
if !pubKey1.IsEqual(pubKey1) {
t.Fatalf("value of IsEqual is incorrect, %v is "+
"equal to %v", pubKey1, pubKey1)
}
if pubKey1.IsEqual(pubKey2) {
t.Fatalf("value of IsEqual is incorrect, %v is not "+
"equal to %v", pubKey1, pubKey2)
}
}
// TestSigCacheAddEvictEntry tests the eviction case where a new signature
// triplet is added to a full signature cache which should trigger randomized
// eviction, followed by adding the new element to the cache.
func TestSigCacheAddEvictEntry(t *testing.T) {
// Create a sigcache that can hold up to 100 entries.
sigCacheSize := uint(100)
sigCache := NewSigCache(sigCacheSize)
// Fill the sigcache up with some random sig triplets.
for i := uint(0); i < sigCacheSize; i++ {
msg, sig, key, err := genRandomSig()
if err != nil {
t.Fatalf("unable to generate random signature test data")
}
sigCache.Add(*msg, sig, key)
sigCopy, _ := btcec.ParseSignature(sig.Serialize(), btcec.S256())
keyCopy, _ := btcec.ParsePubKey(key.SerializeCompressed(), btcec.S256())
if !sigCache.Exists(*msg, sigCopy, keyCopy) {
t.Errorf("previously added item not found in signature" +
"cache")
}
}
// The sigcache should now have sigCacheSize entries within it.
if uint(len(sigCache.validSigs)) != sigCacheSize {
t.Fatalf("sigcache should now have %v entries, instead it has %v",
sigCacheSize, len(sigCache.validSigs))
}
// Add a new entry, this should cause eviction of a randomly chosen
// previously entry.
msgNew, sigNew, keyNew, err := genRandomSig()
if err != nil {
t.Fatalf("unable to generate random signature test data")
}
sigCache.Add(*msgNew, sigNew, keyNew)
// The sigcache should still have sigCache entries.
if uint(len(sigCache.validSigs)) != sigCacheSize {
t.Fatalf("sigcache should now have %v entries, instead it has %v",
sigCacheSize, len(sigCache.validSigs))
}
// The entry added above should be found within the sigcache.
sigNewCopy, _ := btcec.ParseSignature(sigNew.Serialize(), btcec.S256())
keyNewCopy, _ := btcec.ParsePubKey(keyNew.SerializeCompressed(), btcec.S256())
if !sigCache.Exists(*msgNew, sigNewCopy, keyNewCopy) {
t.Fatalf("previously added item not found in signature cache")
}
}
func TestPubKeys(t *testing.T) {
for _, test := range pubKeyTests {
pk, err := btcec.ParsePubKey(test.key, btcec.S256())
if err != nil {
if test.isValid {
t.Errorf("%s pubkey failed when shouldn't %v",
test.name, err)
}
continue
}
if !test.isValid {
t.Errorf("%s counted as valid when it should fail",
test.name)
continue
}
var pkStr []byte
switch test.format {
case btcec.TstPubkeyUncompressed:
pkStr = (*btcec.PublicKey)(pk).SerializeUncompressed()
case btcec.TstPubkeyCompressed:
pkStr = (*btcec.PublicKey)(pk).SerializeCompressed()
case btcec.TstPubkeyHybrid:
pkStr = (*btcec.PublicKey)(pk).SerializeHybrid()
}
if !bytes.Equal(test.key, pkStr) {
t.Errorf("%s pubkey: serialized keys do not match.",
test.name)
spew.Dump(test.key)
spew.Dump(pkStr)
}
}
}
// TestSigCacheAddMaxEntriesZeroOrNegative tests that if a sigCache is created
// with a max size <= 0, then no entries are added to the sigcache at all.
func TestSigCacheAddMaxEntriesZeroOrNegative(t *testing.T) {
// Create a sigcache that can hold up to 0 entries.
sigCache := NewSigCache(0)
// Generate a random sigCache entry triplet.
msg1, sig1, key1, err := genRandomSig()
if err != nil {
t.Errorf("unable to generate random signature test data")
}
// Add the triplet to the signature cache.
sigCache.Add(*msg1, sig1, key1)
// The generated triplet should not be found.
sig1Copy, _ := btcec.ParseSignature(sig1.Serialize(), btcec.S256())
key1Copy, _ := btcec.ParsePubKey(key1.SerializeCompressed(), btcec.S256())
if sigCache.Exists(*msg1, sig1Copy, key1Copy) {
t.Errorf("previously added signature found in sigcache, but" +
"shouldn't have been")
}
// There shouldn't be any entries in the sigCache.
if len(sigCache.validSigs) != 0 {
t.Errorf("%v items found in sigcache, no items should have"+
"been added", len(sigCache.validSigs))
}
}
// Uncompress computes the public key for a given compressed public key.
func (cpk *CompressedPublicKey) Uncompress() (*PublicKey, error) {
// Should only execute the decompression branch of ParsePublicKey
pk_s, err := btcec.ParsePubKey(cpk[:], S256)
if err != nil {
return nil, err
}
return newPublicKeyCoords(pk_s.X, pk_s.Y), nil
}
// TstAddressPubKey makes an AddressPubKey, setting the unexported fields with
// the parameters.
func TstAddressPubKey(serializedPubKey []byte, pubKeyFormat PubKeyFormat,
netID byte) *AddressPubKey {
pubKey, _ := btcec.ParsePubKey(serializedPubKey, btcec.S256())
return &AddressPubKey{
pubKeyFormat: pubKeyFormat,
pubKey: (*btcec.PublicKey)(pubKey),
pubKeyHashID: netID,
}
}
// authPKH...
func (c *LNDConn) authPKH(
myId *btcec.PrivateKey, theirPKH, localEphPubBytes []byte) error {
if c.Authed {
return fmt.Errorf("%s already authed", c.RemotePub)
}
if len(theirPKH) != 20 {
return fmt.Errorf("remote PKH must be 20 bytes, got %d",
len(theirPKH))
}
// Send 53 bytes: our pubkey, and the remote's pubkey hash.
var greetingMsg [53]byte
copy(greetingMsg[:33], myId.PubKey().SerializeCompressed())
copy(greetingMsg[:33], theirPKH)
if _, err := c.Conn.Write(greetingMsg[:]); err != nil {
return err
}
// Wait for their response.
// TODO(tadge): add timeout here
// * NOTE(roasbeef): read timeout should be set on the underlying
// net.Conn.
resp := make([]byte, 53)
if _, err := c.Conn.Read(resp); err != nil {
return err
}
// Parse their long-term public key, and generate the DH proof.
theirPub, err := btcec.ParsePubKey(resp[:33], btcec.S256())
if err != nil {
return err
}
idDH := fastsha256.Sum256(btcec.GenerateSharedSecret(myId, theirPub))
fmt.Printf("made idDH %x\n", idDH)
theirDHproof := btcutil.Hash160(append(localEphPubBytes, idDH[:]...))
// Verify that their DH proof matches the one we just generated.
if bytes.Equal(resp[33:], theirDHproof) == false {
return fmt.Errorf("Invalid DH proof %x", theirDHproof)
}
// If their DH proof checks out, then send our own.
myDHproof := btcutil.Hash160(append(c.RemotePub.SerializeCompressed(), idDH[:]...))
if _, err = c.Conn.Write(myDHproof); err != nil {
return err
}
// Proof sent, auth complete.
c.RemotePub = theirPub
theirAdr := btcutil.Hash160(theirPub.SerializeCompressed())
copy(c.RemoteLNId[:], theirAdr[:16])
c.Authed = true
return nil
}
// newLnAddr...
func newLnAddr(encodedAddr string) (*lnAddr, error) {
// The format of an lnaddr is "<pubkey or pkh>@host"
idHost := strings.Split(encodedAddr, "@")
if len(idHost) != 2 {
return nil, fmt.Errorf("invalid format for lnaddr string: %v", encodedAddr)
}
// Attempt to resolve the IP address, this handles parsing IPv6 zones,
// and such.
fmt.Println("host: ", idHost[1])
ipAddr, err := net.ResolveTCPAddr("tcp", idHost[1])
if err != nil {
return nil, err
}
addr := &lnAddr{netAddr: ipAddr}
idLen := len(idHost[0])
switch {
// Is the ID a hex-encoded compressed public key?
case idLen > 65 && idLen < 69:
pubkeyBytes, err := hex.DecodeString(idHost[0])
if err != nil {
return nil, err
}
addr.pubKey, err = btcec.ParsePubKey(pubkeyBytes, btcec.S256())
if err != nil {
return nil, err
}
// got pubey, populate address from pubkey
pkh := btcutil.Hash160(addr.pubKey.SerializeCompressed())
addr.bitcoinAddr, err = btcutil.NewAddressPubKeyHash(pkh,
&chaincfg.TestNet3Params)
if err != nil {
return nil, err
}
// Is the ID a string encoded bitcoin address?
case idLen > 33 && idLen < 37:
addr.bitcoinAddr, err = btcutil.DecodeAddress(idHost[0],
&chaincfg.TestNet3Params)
if err != nil {
return nil, err
}
default:
return nil, fmt.Errorf("invalid address %s", idHost[0])
}
// Finally, populate the lnid from the address.
copy(addr.lnId[:], addr.bitcoinAddr.ScriptAddress())
return addr, nil
}
// Verifies a hash using DER encoded signature
func verifyECDSA(pubKey, signature, hash []byte) (bool, error) {
sig, err := btcec.ParseDERSignature(signature, btcec.S256())
if err != nil {
return false, err
}
pk, err := btcec.ParsePubKey(pubKey, btcec.S256())
if err != nil {
return false, nil
}
return sig.Verify(hash, pk), nil
}
// NewKeyFromString returns a new extended key instance from a base58-encoded
// extended key.
func NewKeyFromString(key string) (*ExtendedKey, error) {
// The base58-decoded extended key must consist of a serialized payload
// plus an additional 4 bytes for the checksum.
decoded := base58.Decode(key)
if len(decoded) != serializedKeyLen+4 {
return nil, ErrInvalidKeyLen
}
// The serialized format is:
// version (4) || depth (1) || parent fingerprint (4)) ||
// child num (4) || chain code (32) || key data (33) || checksum (4)
// Split the payload and checksum up and ensure the checksum matches.
payload := decoded[:len(decoded)-4]
checkSum := decoded[len(decoded)-4:]
expectedCheckSum := chainhash.DoubleHashB(payload)[:4]
if !bytes.Equal(checkSum, expectedCheckSum) {
return nil, ErrBadChecksum
}
// Deserialize each of the payload fields.
version := payload[:4]
depth := uint16(payload[4:5][0])
parentFP := payload[5:9]
childNum := binary.BigEndian.Uint32(payload[9:13])
chainCode := payload[13:45]
keyData := payload[45:78]
// The key data is a private key if it starts with 0x00. Serialized
// compressed pubkeys either start with 0x02 or 0x03.
isPrivate := keyData[0] == 0x00
if isPrivate {
// Ensure the private key is valid. It must be within the range
// of the order of the secp256k1 curve and not be 0.
keyData = keyData[1:]
keyNum := new(big.Int).SetBytes(keyData)
if keyNum.Cmp(btcec.S256().N) >= 0 || keyNum.Sign() == 0 {
return nil, ErrUnusableSeed
}
} else {
// Ensure the public key parses correctly and is actually on the
// secp256k1 curve.
_, err := btcec.ParsePubKey(keyData, btcec.S256())
if err != nil {
return nil, err
}
}
return newExtendedKey(version, keyData, chainCode, parentFP, depth,
childNum, isPrivate), nil
}
func (pubKey PubKeySecp256k1) VerifyBytes(msg []byte, sig_ Signature) bool {
pub__, err := secp256k1.ParsePubKey(append([]byte{0x04}, pubKey[:]...), secp256k1.S256())
if err != nil {
return false
}
sig, ok := sig_.(SignatureSecp256k1)
if !ok {
return false
}
sig__, err := secp256k1.ParseDERSignature(sig[:], secp256k1.S256())
if err != nil {
return false
}
return sig__.Verify(Sha256(msg), pub__)
}
// createCipherConn....
func (l *Listener) createCipherConn(lnConn *LNDConn) (*btcec.PrivateKey, error) {
var err error
var theirEphPubBytes []byte
// First, read and deserialize their ephemeral public key.
theirEphPubBytes, err = readClear(lnConn.Conn)
if err != nil {
return nil, err
}
if len(theirEphPubBytes) != 33 {
return nil, fmt.Errorf("Got invalid %d byte eph pubkey %x\n",
len(theirEphPubBytes), theirEphPubBytes)
}
theirEphPub, err := btcec.ParsePubKey(theirEphPubBytes, btcec.S256())
if err != nil {
return nil, err
}
// Once we've parsed and verified their key, generate, and send own
// ephemeral key pair for use within this session.
myEph, err := btcec.NewPrivateKey(btcec.S256())
if err != nil {
return nil, err
}
if _, err := writeClear(lnConn.Conn, myEph.PubKey().SerializeCompressed()); err != nil {
return nil, err
}
// Now that we have both keys, do non-interactive diffie with ephemeral
// pubkeys, sha256 for good luck.
sessionKey := fastsha256.Sum256(
btcec.GenerateSharedSecret(myEph, theirEphPub),
)
lnConn.chachaStream, err = chacha20poly1305.New(sessionKey[:])
// display private key for debug only
fmt.Printf("made session key %x\n", sessionKey)
lnConn.remoteNonceInt = 1 << 63
lnConn.myNonceInt = 0
lnConn.RemotePub = theirEphPub
lnConn.Authed = false
return myEph, nil
}
// authPubKey...
func (c *LNDConn) authPubKey(
myId *btcec.PrivateKey, remotePubBytes, localEphPubBytes []byte) error {
if c.Authed {
return fmt.Errorf("%s already authed", c.RemotePub)
}
// Since we already know their public key, we can immediately generate
// the DH proof without an additional round-trip.
theirPub, err := btcec.ParsePubKey(remotePubBytes, btcec.S256())
if err != nil {
return err
}
theirPKH := btcutil.Hash160(remotePubBytes)
idDH := fastsha256.Sum256(btcec.GenerateSharedSecret(myId, theirPub))
myDHproof := btcutil.Hash160(append(c.RemotePub.SerializeCompressed(), idDH[:]...))
// Send over the 73 byte authentication message: my pubkey, their
// pubkey hash, DH proof.
var authMsg [73]byte
copy(authMsg[:33], myId.PubKey().SerializeCompressed())
copy(authMsg[33:], theirPKH)
copy(authMsg[53:], myDHproof)
if _, err = c.Conn.Write(authMsg[:]); err != nil {
return nil
}
// Await, their response. They should send only the 20-byte DH proof.
resp := make([]byte, 20)
_, err = c.Conn.Read(resp)
if err != nil {
return err
}
// Verify that their proof matches our locally computed version.
theirDHproof := btcutil.Hash160(append(localEphPubBytes, idDH[:]...))
if bytes.Equal(resp, theirDHproof) == false {
return fmt.Errorf("invalid DH proof %x", theirDHproof)
}
// Proof checks out, auth complete.
c.RemotePub = theirPub
theirAdr := btcutil.Hash160(theirPub.SerializeCompressed())
copy(c.RemoteLNId[:], theirAdr[:16])
c.Authed = true
return nil
}
// This example demonstrates encrypting a message for a public key that is first
// parsed from raw bytes, then decrypting it using the corresponding private key.
func Example_encryptMessage() {
// Decode the hex-encoded pubkey of the recipient.
pubKeyBytes, err := hex.DecodeString("04115c42e757b2efb7671c578530ec191a1" +
"359381e6a71127a9d37c486fd30dae57e76dc58f693bd7e7010358ce6b165e483a29" +
"21010db67ac11b1b51b651953d2") // uncompressed pubkey
if err != nil {
fmt.Println(err)
return
}
pubKey, err := btcec.ParsePubKey(pubKeyBytes, btcec.S256())
if err != nil {
fmt.Println(err)
return
}
// Encrypt a message decryptable by the private key corresponding to pubKey
message := "test message"
ciphertext, err := btcec.Encrypt(pubKey, []byte(message))
if err != nil {
fmt.Println(err)
return
}
// Decode the hex-encoded private key.
pkBytes, err := hex.DecodeString("a11b0a4e1a132305652ee7a8eb7848f6ad" +
"5ea381e3ce20a2c086a2e388230811")
if err != nil {
fmt.Println(err)
return
}
// note that we already have corresponding pubKey
privKey, _ := btcec.PrivKeyFromBytes(btcec.S256(), pkBytes)
// Try decrypting and verify if it's the same message.
plaintext, err := btcec.Decrypt(privKey, ciphertext)
if err != nil {
fmt.Println(err)
return
}
fmt.Println(string(plaintext))
// Output:
// test message
}
func TestPrivKeys(t *testing.T) {
tests := []struct {
name string
key []byte
}{
{
name: "check curve",
key: []byte{
0xea, 0xf0, 0x2c, 0xa3, 0x48, 0xc5, 0x24, 0xe6,
0x39, 0x26, 0x55, 0xba, 0x4d, 0x29, 0x60, 0x3c,
0xd1, 0xa7, 0x34, 0x7d, 0x9d, 0x65, 0xcf, 0xe9,
0x3c, 0xe1, 0xeb, 0xff, 0xdc, 0xa2, 0x26, 0x94,
},
},
}
for _, test := range tests {
priv, pub := btcec.PrivKeyFromBytes(btcec.S256(), test.key)
_, err := btcec.ParsePubKey(
pub.SerializeUncompressed(), btcec.S256())
if err != nil {
t.Errorf("%s privkey: %v", test.name, err)
continue
}
hash := []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9}
sig, err := priv.Sign(hash)
if err != nil {
t.Errorf("%s could not sign: %v", test.name, err)
continue
}
if !sig.Verify(hash, pub) {
t.Errorf("%s could not verify: %v", test.name, err)
continue
}
serializedKey := priv.Serialize()
if !bytes.Equal(serializedKey, test.key) {
t.Errorf("%s unexpected serialized bytes - got: %x, "+
"want: %x", test.name, serializedKey, test.key)
}
}
}
// TestSigCacheAddExists tests the ability to add, and later check the
// existence of a signature triplet in the signature cache.
func TestSigCacheAddExists(t *testing.T) {
sigCache := NewSigCache(200)
// Generate a random sigCache entry triplet.
msg1, sig1, key1, err := genRandomSig()
if err != nil {
t.Errorf("unable to generate random signature test data")
}
// Add the triplet to the signature cache.
sigCache.Add(*msg1, sig1, key1)
// The previously added triplet should now be found within the sigcache.
sig1Copy, _ := btcec.ParseSignature(sig1.Serialize(), btcec.S256())
key1Copy, _ := btcec.ParsePubKey(key1.SerializeCompressed(), btcec.S256())
if !sigCache.Exists(*msg1, sig1Copy, key1Copy) {
t.Errorf("previously added item not found in signature cache")
}
}
// This example demonstrates verifying a secp256k1 signature against a public
// key that is first parsed from raw bytes. The signature is also parsed from
// raw bytes.
func Example_verifySignature() {
// Decode hex-encoded serialized public key.
pubKeyBytes, err := hex.DecodeString("02a673638cb9587cb68ea08dbef685c" +
"6f2d2a751a8b3c6f2a7e9a4999e6e4bfaf5")
if err != nil {
fmt.Println(err)
return
}
pubKey, err := btcec.ParsePubKey(pubKeyBytes, btcec.S256())
if err != nil {
fmt.Println(err)
return
}
// Decode hex-encoded serialized signature.
sigBytes, err := hex.DecodeString("30450220090ebfb3690a0ff115bb1b38b" +
"8b323a667b7653454f1bccb06d4bbdca42c2079022100ec95778b51e707" +
"1cb1205f8bde9af6592fc978b0452dafe599481c46d6b2e479")
if err != nil {
fmt.Println(err)
return
}
signature, err := btcec.ParseSignature(sigBytes, btcec.S256())
if err != nil {
fmt.Println(err)
return
}
// Verify the signature for the message using the public key.
message := "test message"
messageHash := wire.DoubleSha256([]byte(message))
verified := signature.Verify(messageHash, pubKey)
fmt.Println("Signature Verified?", verified)
// Output:
// Signature Verified? true
}
// NewAddressPubKey returns a new AddressPubKey which represents a pay-to-pubkey
// address. The serializedPubKey parameter must be a valid pubkey and can be
// uncompressed, compressed, or hybrid.
func NewAddressPubKey(serializedPubKey []byte, net *chaincfg.Params) (*AddressPubKey, error) {
pubKey, err := btcec.ParsePubKey(serializedPubKey, btcec.S256())
if err != nil {
return nil, err
}
// Set the format of the pubkey. This probably should be returned
// from btcec, but do it here to avoid API churn. We already know the
// pubkey is valid since it parsed above, so it's safe to simply examine
// the leading byte to get the format.
pkFormat := PKFUncompressed
switch serializedPubKey[0] {
case 0x02, 0x03:
pkFormat = PKFCompressed
case 0x06, 0x07:
pkFormat = PKFHybrid
}
return &AddressPubKey{
pubKeyFormat: pkFormat,
pubKey: pubKey,
pubKeyHashID: net.PubKeyHashAddrID,
}, nil
}
// ECPubKey converts the extended key to a btcec public key and returns it.
func (k *ExtendedKey) ECPubKey() (*btcec.PublicKey, error) {
return btcec.ParsePubKey(k.pubKeyBytes(), btcec.S256())
}
// Dial...
func (c *Conn) Dial(address string, remoteId []byte) error {
var err error
if c.conn != nil {
return fmt.Errorf("connection already established")
}
// Before dialing out to the remote host, verify that `remoteId` is either
// a pubkey or a pubkey hash.
if len(remoteId) != 33 && len(remoteId) != 20 {
return fmt.Errorf("must supply either remote pubkey or " +
"pubkey hash")
}
// First, open the TCP connection itself.
c.conn, err = net.Dial("tcp", address)
if err != nil {
return err
}
// Calc remote LNId; need this for creating pbx connections just because
// LNid is in the struct does not mean it's authed!
if len(remoteId) == 20 {
copy(c.remoteLNId[:], remoteId[:16])
} else {
theirAdr := btcutil.Hash160(remoteId)
copy(c.remoteLNId[:], theirAdr[:16])
}
// Make up an ephemeral keypair for this session.
ourEphemeralPriv, err := btcec.NewPrivateKey(btcec.S256())
if err != nil {
return err
}
ourEphemeralPub := ourEphemeralPriv.PubKey()
// Sned 1. Send my ephemeral pubkey. Can add version bits.
if _, err = writeClear(c.conn, ourEphemeralPub.SerializeCompressed()); err != nil {
return err
}
// Read, then deserialize their ephemeral public key.
theirEphPubBytes, err := readClear(c.conn)
if err != nil {
return err
}
theirEphPub, err := btcec.ParsePubKey(theirEphPubBytes, btcec.S256())
if err != nil {
return err
}
// Do non-interactive diffie with ephemeral pubkeys. Sha256 for good
// luck.
sessionKey := fastsha256.Sum256(
btcec.GenerateSharedSecret(ourEphemeralPriv, theirEphPub),
)
// Now that we've derive the session key, we can initialize the
// chacha20poly1305 AEAD instance which will be used for the remainder of
// the session.
c.chachaStream, err = chacha20poly1305.New(sessionKey[:])
if err != nil {
return err
}
// display private key for debug only
fmt.Printf("made session key %x\n", sessionKey)
c.myNonceInt = 1 << 63
c.remoteNonceInt = 0
c.remotePub = theirEphPub
c.authed = false
// Session is now open and confidential but not yet authenticated...
// So auth!
if len(remoteId) == 20 {
// Only know pubkey hash (20 bytes).
err = c.authPKH(remoteId, ourEphemeralPub.SerializeCompressed())
} else {
// Must be 33 byte pubkey.
err = c.authPubKey(remoteId, ourEphemeralPub.SerializeCompressed())
}
if err != nil {
return err
}
return nil
}
// decompressScript returns the original script obtained by decompressing the
// passed compressed script according to the domain specific compression
// algorithm described above.
//
// NOTE: The script parameter must already have been proven to be long enough
// to contain the number of bytes returned by decodeCompressedScriptSize or it
// will panic. This is acceptable since it is only an internal function.
func decompressScript(compressedPkScript []byte, version int32) []byte {
// In practice this function will not be called with a zero-length or
// nil script since the nil script encoding includes the length, however
// the code below assumes the length exists, so just return nil now if
// the function ever ends up being called with a nil script in the
// future.
if len(compressedPkScript) == 0 {
return nil
}
// Decode the script size and examine it for the special cases.
encodedScriptSize, bytesRead := deserializeVLQ(compressedPkScript)
switch encodedScriptSize {
// Pay-to-pubkey-hash script. The resulting script is:
// <OP_DUP><OP_HASH160><20 byte hash><OP_EQUALVERIFY><OP_CHECKSIG>
case cstPayToPubKeyHash:
pkScript := make([]byte, 25)
pkScript[0] = txscript.OP_DUP
pkScript[1] = txscript.OP_HASH160
pkScript[2] = txscript.OP_DATA_20
copy(pkScript[3:], compressedPkScript[bytesRead:bytesRead+20])
pkScript[23] = txscript.OP_EQUALVERIFY
pkScript[24] = txscript.OP_CHECKSIG
return pkScript
// Pay-to-script-hash script. The resulting script is:
// <OP_HASH160><20 byte script hash><OP_EQUAL>
case cstPayToScriptHash:
pkScript := make([]byte, 23)
pkScript[0] = txscript.OP_HASH160
pkScript[1] = txscript.OP_DATA_20
copy(pkScript[2:], compressedPkScript[bytesRead:bytesRead+20])
pkScript[22] = txscript.OP_EQUAL
return pkScript
// Pay-to-compressed-pubkey script. The resulting script is:
// <OP_DATA_33><33 byte compressed pubkey><OP_CHECKSIG>
case cstPayToPubKeyComp2, cstPayToPubKeyComp3:
pkScript := make([]byte, 35)
pkScript[0] = txscript.OP_DATA_33
pkScript[1] = byte(encodedScriptSize)
copy(pkScript[2:], compressedPkScript[bytesRead:bytesRead+32])
pkScript[34] = txscript.OP_CHECKSIG
return pkScript
// Pay-to-uncompressed-pubkey script. The resulting script is:
// <OP_DATA_65><65 byte uncompressed pubkey><OP_CHECKSIG>
case cstPayToPubKeyUncomp4, cstPayToPubKeyUncomp5:
// Change the leading byte to the appropriate compressed pubkey
// identifier (0x02 or 0x03) so it can be decoded as a
// compressed pubkey. This really should never fail since the
// encoding ensures it is valid before compressing to this type.
compressedKey := make([]byte, 33)
compressedKey[0] = byte(encodedScriptSize - 2)
copy(compressedKey[1:], compressedPkScript[1:])
key, err := btcec.ParsePubKey(compressedKey, btcec.S256())
if err != nil {
return nil
}
pkScript := make([]byte, 67)
pkScript[0] = txscript.OP_DATA_65
copy(pkScript[1:], key.SerializeUncompressed())
pkScript[66] = txscript.OP_CHECKSIG
return pkScript
}
// When none of the special cases apply, the script was encoded using
// the general format, so reduce the script size by the number of
// special cases and return the unmodified script.
scriptSize := int(encodedScriptSize - numSpecialScripts)
pkScript := make([]byte, scriptSize)
copy(pkScript, compressedPkScript[bytesRead:bytesRead+scriptSize])
return pkScript
}
// Deserialize an LNId from byte slice (on disk)
// Note that this does not check any internal consistency, because on local
// storage there's no point. Check separately if needed.
// Also, old and probably needs to be changed / updated
func (l *LNAdr) Deserialize(s []byte) error {
b := bytes.NewBuffer(s)
// Fail if on-disk LNId too short
if b.Len() < 24 { // 24 is min lenght
return fmt.Errorf("can't read LNId - too short")
}
// read indicator of pubkey or pubkeyhash
x, err := b.ReadByte()
if err != nil {
return err
}
if x == 0xb0 { // for pubkey storage
// read 33 bytes of pubkey
l.PubKey, err = btcec.ParsePubKey(b.Next(33), btcec.S256())
if err != nil {
return err
}
l.Base58Adr, err = btcutil.NewAddressPubKeyHash(
btcutil.Hash160(l.PubKey.SerializeCompressed()),
globalconfig.NetParams)
if err != nil {
return err
}
} else if x == 0xa0 { // for pubkeyhash storage
l.Base58Adr, err = btcutil.NewAddressPubKeyHash(
b.Next(20), globalconfig.NetParams)
if err != nil {
return err
}
} else {
return fmt.Errorf("Unknown lnid indicator byte %x", x)
}
var nameLen, hostLen, endorseLen uint8
// read name length
err = binary.Read(b, binary.BigEndian, &nameLen)
if err != nil {
return err
}
// if name non-zero, read name
if nameLen > 0 {
l.name = string(b.Next(int(nameLen)))
}
// read host length
err = binary.Read(b, binary.BigEndian, &hostLen)
if err != nil {
return err
}
// if host non-zero, read host
if hostLen > 0 {
l.host = string(b.Next(int(hostLen)))
}
// read endorsement length
err = binary.Read(b, binary.BigEndian, &endorseLen)
if err != nil {
return err
}
// if endorsement non-zero, read endorsement
if endorseLen > 0 {
l.endorsement = b.Next(int(endorseLen))
}
return nil
}
func TestChaining(t *testing.T) {
tests := []struct {
name string
cc []byte
origPrivateKey []byte
nextPrivateKeyUncompressed []byte
nextPrivateKeyCompressed []byte
nextPublicKeyUncompressed []byte
nextPublicKeyCompressed []byte
}{
{
name: "chaintest 1",
cc: []byte("3318959fff419ab8b556facb3c429a86"),
origPrivateKey: []byte("5ffc975976eaaa1f7b179f384ebbc053"),
nextPrivateKeyUncompressed: []byte{
0xd3, 0xfe, 0x2e, 0x96, 0x44, 0x12, 0x2d, 0xaa,
0x80, 0x8e, 0x36, 0x17, 0xb5, 0x9f, 0x8c, 0xd2,
0x72, 0x8c, 0xaf, 0xf1, 0xdb, 0xd6, 0x4a, 0x92,
0xd7, 0xc7, 0xee, 0x2b, 0x56, 0x34, 0xe2, 0x87,
},
nextPrivateKeyCompressed: []byte{
0x08, 0x56, 0x7a, 0x1b, 0x89, 0x56, 0x2e, 0xfa,
0xb4, 0x02, 0x59, 0x69, 0x10, 0xc3, 0x60, 0x1f,
0x34, 0xf0, 0x55, 0x02, 0x8a, 0xbf, 0x37, 0xf5,
0x22, 0x80, 0x9f, 0xd2, 0xe5, 0x42, 0x5b, 0x2d,
},
nextPublicKeyUncompressed: []byte{
0x04, 0xdd, 0x70, 0x31, 0xa5, 0xf9, 0x06, 0x70,
0xd3, 0x9a, 0x24, 0x5b, 0xd5, 0x73, 0xdd, 0xb6,
0x15, 0x81, 0x0b, 0x78, 0x19, 0xbc, 0xc8, 0x26,
0xc9, 0x16, 0x86, 0x73, 0xae, 0xe4, 0xc0, 0xed,
0x39, 0x81, 0xb4, 0x86, 0x2d, 0x19, 0x8c, 0x67,
0x9c, 0x93, 0x99, 0xf6, 0xd2, 0x3f, 0xd1, 0x53,
0x9e, 0xed, 0xbd, 0x07, 0xd6, 0x4f, 0xa9, 0x81,
0x61, 0x85, 0x46, 0x84, 0xb1, 0xa0, 0xed, 0xbc,
0xa7,
},
nextPublicKeyCompressed: []byte{
0x02, 0x2c, 0x48, 0x73, 0x37, 0x35, 0x74, 0x7f,
0x05, 0x58, 0xc1, 0x4e, 0x0d, 0x18, 0xc2, 0xbf,
0xcc, 0x83, 0xa2, 0x4d, 0x64, 0xab, 0xba, 0xea,
0xeb, 0x4c, 0xcd, 0x4c, 0x0c, 0x21, 0xc4, 0x30,
0x0f,
},
},
}
for _, test := range tests {
// Create both uncompressed and compressed public keys for original
// private key.
origPubUncompressed := pubkeyFromPrivkey(test.origPrivateKey, false)
origPubCompressed := pubkeyFromPrivkey(test.origPrivateKey, true)
// Create next chained private keys, chained from both the uncompressed
// and compressed pubkeys.
nextPrivUncompressed, err := chainedPrivKey(test.origPrivateKey,
origPubUncompressed, test.cc)
if err != nil {
t.Errorf("%s: Uncompressed chainedPrivKey failed: %v", test.name, err)
return
}
nextPrivCompressed, err := chainedPrivKey(test.origPrivateKey,
origPubCompressed, test.cc)
if err != nil {
t.Errorf("%s: Compressed chainedPrivKey failed: %v", test.name, err)
return
}
// Verify that the new private keys match the expected values
// in the test case.
if !bytes.Equal(nextPrivUncompressed, test.nextPrivateKeyUncompressed) {
t.Errorf("%s: Next private key (from uncompressed pubkey) does not match expected.\nGot: %s\nExpected: %s",
test.name, spew.Sdump(nextPrivUncompressed), spew.Sdump(test.nextPrivateKeyUncompressed))
return
}
if !bytes.Equal(nextPrivCompressed, test.nextPrivateKeyCompressed) {
t.Errorf("%s: Next private key (from compressed pubkey) does not match expected.\nGot: %s\nExpected: %s",
test.name, spew.Sdump(nextPrivCompressed), spew.Sdump(test.nextPrivateKeyCompressed))
return
}
// Create the next pubkeys generated from the next private keys.
nextPubUncompressedFromPriv := pubkeyFromPrivkey(nextPrivUncompressed, false)
nextPubCompressedFromPriv := pubkeyFromPrivkey(nextPrivCompressed, true)
// Create the next pubkeys by chaining directly off the original
// pubkeys (without using the original's private key).
nextPubUncompressedFromPub, err := chainedPubKey(origPubUncompressed, test.cc)
if err != nil {
t.Errorf("%s: Uncompressed chainedPubKey failed: %v", test.name, err)
return
}
nextPubCompressedFromPub, err := chainedPubKey(origPubCompressed, test.cc)
if err != nil {
t.Errorf("%s: Compressed chainedPubKey failed: %v", test.name, err)
return
}
// Public keys (used to generate the bitcoin address) MUST match.
if !bytes.Equal(nextPubUncompressedFromPriv, nextPubUncompressedFromPub) {
t.Errorf("%s: Uncompressed public keys do not match.", test.name)
}
if !bytes.Equal(nextPubCompressedFromPriv, nextPubCompressedFromPub) {
t.Errorf("%s: Compressed public keys do not match.", test.name)
}
// Verify that all generated public keys match the expected
// values in the test case.
if !bytes.Equal(nextPubUncompressedFromPub, test.nextPublicKeyUncompressed) {
t.Errorf("%s: Next uncompressed public keys do not match expected value.\nGot: %s\nExpected: %s",
test.name, spew.Sdump(nextPubUncompressedFromPub), spew.Sdump(test.nextPublicKeyUncompressed))
return
}
if !bytes.Equal(nextPubCompressedFromPub, test.nextPublicKeyCompressed) {
t.Errorf("%s: Next compressed public keys do not match expected value.\nGot: %s\nExpected: %s",
test.name, spew.Sdump(nextPubCompressedFromPub), spew.Sdump(test.nextPublicKeyCompressed))
return
}
// Sign data with the next private keys and verify signature with
// the next pubkeys.
pubkeyUncompressed, err := btcec.ParsePubKey(nextPubUncompressedFromPub, btcec.S256())
if err != nil {
t.Errorf("%s: Unable to parse next uncompressed pubkey: %v", test.name, err)
return
}
pubkeyCompressed, err := btcec.ParsePubKey(nextPubCompressedFromPub, btcec.S256())
if err != nil {
t.Errorf("%s: Unable to parse next compressed pubkey: %v", test.name, err)
return
}
privkeyUncompressed := &btcec.PrivateKey{
PublicKey: *pubkeyUncompressed.ToECDSA(),
D: new(big.Int).SetBytes(nextPrivUncompressed),
}
privkeyCompressed := &btcec.PrivateKey{
PublicKey: *pubkeyCompressed.ToECDSA(),
D: new(big.Int).SetBytes(nextPrivCompressed),
}
data := "String to sign."
sig, err := privkeyUncompressed.Sign([]byte(data))
if err != nil {
t.Errorf("%s: Unable to sign data with next private key (chained from uncompressed pubkey): %v",
test.name, err)
return
}
ok := sig.Verify([]byte(data), privkeyUncompressed.PubKey())
if !ok {
t.Errorf("%s: btcec signature verification failed for next keypair (chained from uncompressed pubkey).",
test.name)
return
}
sig, err = privkeyCompressed.Sign([]byte(data))
if err != nil {
t.Errorf("%s: Unable to sign data with next private key (chained from compressed pubkey): %v",
test.name, err)
return
}
ok = sig.Verify([]byte(data), privkeyCompressed.PubKey())
if !ok {
t.Errorf("%s: btcec signature verification failed for next keypair (chained from compressed pubkey).",
test.name)
return
}
}
}
func readElement(r io.Reader, element interface{}) error {
var err error
switch e := element.(type) {
case *uint8:
var b [1]uint8
_, err = r.Read(b[:])
if err != nil {
return err
}
*e = b[0]
return nil
case *uint16:
var b [2]byte
_, err = io.ReadFull(r, b[:])
if err != nil {
return err
}
*e = binary.BigEndian.Uint16(b[:])
return nil
case *CreditsAmount:
var b [4]byte
_, err = io.ReadFull(r, b[:])
if err != nil {
return err
}
*e = CreditsAmount(int32(binary.BigEndian.Uint32(b[:])))
return nil
case *uint32:
var b [4]byte
_, err = io.ReadFull(r, b[:])
if err != nil {
return err
}
*e = binary.BigEndian.Uint32(b[:])
return nil
case *uint64:
var b [8]byte
_, err = io.ReadFull(r, b[:])
if err != nil {
return err
}
*e = binary.BigEndian.Uint64(b[:])
return nil
case *HTLCKey:
var b [8]byte
_, err = io.ReadFull(r, b[:])
if err != nil {
return err
}
*e = HTLCKey(binary.BigEndian.Uint64(b[:]))
return nil
case *btcutil.Amount:
var b [8]byte
_, err = io.ReadFull(r, b[:])
if err != nil {
return err
}
*e = btcutil.Amount(int64(binary.BigEndian.Uint64(b[:])))
return nil
case **wire.ShaHash:
var b wire.ShaHash
_, err = io.ReadFull(r, b[:])
if err != nil {
return err
}
*e = &b
return nil
case **btcec.PublicKey:
var b [33]byte
_, err = io.ReadFull(r, b[:])
if err != nil {
return err
}
x, err := btcec.ParsePubKey(b[:], btcec.S256())
if err != nil {
return err
}
*e = &*x
return nil
case *[]uint64:
var numItems uint16
err = readElement(r, &numItems)
if err != nil {
return err
}
// if numItems > 65535 {
// return fmt.Errorf("Too many items in []uint64")
// }
// Read the number of items
var items []uint64
for i := uint16(0); i < numItems; i++ {
var item uint64
err = readElement(r, &item)
if err != nil {
return err
}
items = append(items, item)
}
*e = *&items
return nil
case *[]*btcec.Signature:
var numSigs uint8
err = readElement(r, &numSigs)
if err != nil {
return err
}
if numSigs > 127 {
return fmt.Errorf("Too many signatures!")
}
// Read that number of signatures
var sigs []*btcec.Signature
for i := uint8(0); i < numSigs; i++ {
sig := new(btcec.Signature)
err = readElement(r, &sig)
if err != nil {
return err
}
sigs = append(sigs, sig)
}
*e = *&sigs
return nil
case **btcec.Signature:
var sigLength uint8
err = readElement(r, &sigLength)
if err != nil {
return err
}
if sigLength > 73 {
return fmt.Errorf("Signature too long!")
}
// Read the sig length
l := io.LimitReader(r, int64(sigLength))
sig, err := ioutil.ReadAll(l)
if err != nil {
return err
}
if len(sig) != int(sigLength) {
return fmt.Errorf("EOF: Signature length mismatch.")
}
btcecSig, err := btcec.ParseSignature(sig, btcec.S256())
if err != nil {
return err
}
*e = &*btcecSig
return nil
case *[]*[20]byte:
// How many to read
var sliceSize uint16
err = readElement(r, &sliceSize)
if err != nil {
return err
}
var data []*[20]byte
// Append the actual
for i := uint16(0); i < sliceSize; i++ {
var element [20]byte
err = readElement(r, &element)
if err != nil {
return err
}
data = append(data, &element)
}
*e = data
return nil
case *[20]byte:
_, err = io.ReadFull(r, e[:])
if err != nil {
return err
}
return nil
case *wire.BitcoinNet:
var b [4]byte
_, err := io.ReadFull(r, b[:])
if err != nil {
return err
}
*e = wire.BitcoinNet(binary.BigEndian.Uint32(b[:]))
return nil
case *[]byte:
// Get the blob length first
var blobLength uint16
err = readElement(r, &blobLength)
if err != nil {
return err
}
// Shouldn't need to do this, since it's uint16, but we
// might have a different value for MAX_SLICE_LENGTH...
if int(blobLength) > MAX_SLICE_LENGTH {
return fmt.Errorf("Slice length too long!")
}
// Read the slice length
l := io.LimitReader(r, int64(blobLength))
*e, err = ioutil.ReadAll(l)
if err != nil {
return err
}
if len(*e) != int(blobLength) {
return fmt.Errorf("EOF: Slice length mismatch.")
}
return nil
case *PkScript:
// Get the script length first
var scriptLength uint8
err = readElement(r, &scriptLength)
if err != nil {
return err
}
if scriptLength > 25 {
return fmt.Errorf("PkScript too long!")
}
// Read the script length
l := io.LimitReader(r, int64(scriptLength))
*e, err = ioutil.ReadAll(l)
if err != nil {
return err
}
if len(*e) != int(scriptLength) {
return fmt.Errorf("EOF: Signature length mismatch.")
}
return nil
case *string:
// Get the string length first
var strlen uint16
err = readElement(r, &strlen)
if err != nil {
return err
}
// Read the string for the length
l := io.LimitReader(r, int64(strlen))
b, err := ioutil.ReadAll(l)
if len(b) != int(strlen) {
return fmt.Errorf("EOF: String length mismatch.")
}
*e = string(b)
if err != nil {
return err
}
return nil
case *[]*wire.TxIn:
// Read the size (1-byte number of txins)
var numScripts uint8
err = readElement(r, &numScripts)
if err != nil {
return err
}
if numScripts > 127 {
return fmt.Errorf("Too many txins")
}
// Append the actual TxIns
var txins []*wire.TxIn
for i := uint8(0); i < numScripts; i++ {
outpoint := new(wire.OutPoint)
txin := wire.NewTxIn(outpoint, nil)
err = readElement(r, &txin)
if err != nil {
return err
}
txins = append(txins, txin)
}
*e = *&txins
return nil
case **wire.TxIn:
// Hash
var h [32]byte
_, err = io.ReadFull(r, h[:])
if err != nil {
return err
}
hash, err := wire.NewShaHash(h[:])
if err != nil {
return err
}
(*e).PreviousOutPoint.Hash = *hash
// Index
var idxBytes [4]byte
_, err = io.ReadFull(r, idxBytes[:])
if err != nil {
return err
}
(*e).PreviousOutPoint.Index = binary.BigEndian.Uint32(idxBytes[:])
return nil
default:
return fmt.Errorf("Unknown type in readElement: %T", e)
}
return nil
}
// AuthListen...
func (l *Listener) authenticateConnection(
myId *btcec.PrivateKey, lnConn *LNDConn, localEphPubBytes []byte) error {
var err error
// TODO(roasbeef): should be using read/write clear here?
slice := make([]byte, 73)
n, err := lnConn.Conn.Read(slice)
if err != nil {
fmt.Printf("Read error: %s\n", err.Error())
return err
}
fmt.Printf("read %d bytes\n", n)
authmsg := slice[:n]
if len(authmsg) != 53 && len(authmsg) != 73 {
return fmt.Errorf("got auth message of %d bytes, "+
"expect 53 or 73", len(authmsg))
}
myPKH := btcutil.Hash160(l.longTermPriv.PubKey().SerializeCompressed())
if !bytes.Equal(myPKH, authmsg[33:53]) {
return fmt.Errorf(
"remote host asking for PKH %x, that's not me", authmsg[33:53])
}
// do DH with id keys
theirPub, err := btcec.ParsePubKey(authmsg[:33], btcec.S256())
if err != nil {
return err
}
idDH := fastsha256.Sum256(
btcec.GenerateSharedSecret(l.longTermPriv, theirPub),
)
myDHproof := btcutil.Hash160(
append(lnConn.RemotePub.SerializeCompressed(), idDH[:]...),
)
theirDHproof := btcutil.Hash160(append(localEphPubBytes, idDH[:]...))
// If they already know our public key, then execute the fast path.
// Verify their DH proof, and send our own.
if len(authmsg) == 73 {
// Verify their DH proof.
if !bytes.Equal(authmsg[53:], theirDHproof) {
return fmt.Errorf("invalid DH proof from %s",
lnConn.RemoteAddr().String())
}
// Their DH proof checks out, so send ours now.
if _, err = lnConn.Conn.Write(myDHproof); err != nil {
return err
}
} else {
// Otherwise, they don't yet know our public key. So we'll send
// it over to them, so we can both compute the DH proof.
msg := append(l.longTermPriv.PubKey().SerializeCompressed(), myDHproof...)
if _, err = lnConn.Conn.Write(msg); err != nil {
return err
}
resp := make([]byte, 20)
if _, err := lnConn.Conn.Read(resp); err != nil {
return err
}
// Verify their DH proof.
if bytes.Equal(resp, theirDHproof) == false {
return fmt.Errorf("Invalid DH proof %x", theirDHproof)
}
}
theirAdr := btcutil.Hash160(theirPub.SerializeCompressed())
copy(lnConn.RemoteLNId[:], theirAdr[:16])
lnConn.RemotePub = theirPub
lnConn.Authed = true
return nil
}
// Child returns a derived child extended key at the given index. When this
// extended key is a private extended key (as determined by the IsPrivate
// function), a private extended key will be derived. Otherwise, the derived
// extended key will be also be a public extended key.
//
// When the index is greater to or equal than the HardenedKeyStart constant, the
// derived extended key will be a hardened extended key. It is only possible to
// derive a hardended extended key from a private extended key. Consequently,
// this function will return ErrDeriveHardFromPublic if a hardened child
// extended key is requested from a public extended key.
//
// A hardened extended key is useful since, as previously mentioned, it requires
// a parent private extended key to derive. In other words, normal child
// extended public keys can be derived from a parent public extended key (no
// knowledge of the parent private key) whereas hardened extended keys may not
// be.
//
// NOTE: There is an extremely small chance (< 1 in 2^127) the specific child
// index does not derive to a usable child. The ErrInvalidChild error will be
// returned if this should occur, and the caller is expected to ignore the
// invalid child and simply increment to the next index.
func (k *ExtendedKey) Child(i uint32) (*ExtendedKey, error) {
// There are four scenarios that could happen here:
// 1) Private extended key -> Hardened child private extended key
// 2) Private extended key -> Non-hardened child private extended key
// 3) Public extended key -> Non-hardened child public extended key
// 4) Public extended key -> Hardened child public extended key (INVALID!)
// Case #4 is invalid, so error out early.
// A hardened child extended key may not be created from a public
// extended key.
isChildHardened := i >= HardenedKeyStart
if !k.isPrivate && isChildHardened {
return nil, ErrDeriveHardFromPublic
}
// The data used to derive the child key depends on whether or not the
// child is hardened per [BIP32].
//
// For hardened children:
// 0x00 || ser256(parentKey) || ser32(i)
//
// For normal children:
// serP(parentPubKey) || ser32(i)
keyLen := 33
data := make([]byte, keyLen+4)
if isChildHardened {
// Case #1.
// When the child is a hardened child, the key is known to be a
// private key due to the above early return. Pad it with a
// leading zero as required by [BIP32] for deriving the child.
copy(data[1:], k.key)
} else {
// Case #2 or #3.
// This is either a public or private extended key, but in
// either case, the data which is used to derive the child key
// starts with the secp256k1 compressed public key bytes.
copy(data, k.pubKeyBytes())
}
binary.BigEndian.PutUint32(data[keyLen:], i)
// Take the HMAC-SHA512 of the current key's chain code and the derived
// data:
// I = HMAC-SHA512(Key = chainCode, Data = data)
hmac512 := hmac.New(sha512.New, k.chainCode)
hmac512.Write(data)
ilr := hmac512.Sum(nil)
// Split "I" into two 32-byte sequences Il and Ir where:
// Il = intermediate key used to derive the child
// Ir = child chain code
il := ilr[:len(ilr)/2]
childChainCode := ilr[len(ilr)/2:]
// Both derived public or private keys rely on treating the left 32-byte
// sequence calculated above (Il) as a 256-bit integer that must be
// within the valid range for a secp256k1 private key. There is a small
// chance (< 1 in 2^127) this condition will not hold, and in that case,
// a child extended key can't be created for this index and the caller
// should simply increment to the next index.
ilNum := new(big.Int).SetBytes(il)
if ilNum.Cmp(btcec.S256().N) >= 0 || ilNum.Sign() == 0 {
return nil, ErrInvalidChild
}
// The algorithm used to derive the child key depends on whether or not
// a private or public child is being derived.
//
// For private children:
// childKey = parse256(Il) + parentKey
//
// For public children:
// childKey = serP(point(parse256(Il)) + parentKey)
var isPrivate bool
var childKey []byte
if k.isPrivate {
// Case #1 or #2.
// Add the parent private key to the intermediate private key to
// derive the final child key.
//
// childKey = parse256(Il) + parenKey
keyNum := new(big.Int).SetBytes(k.key)
ilNum.Add(ilNum, keyNum)
ilNum.Mod(ilNum, btcec.S256().N)
childKey = ilNum.Bytes()
isPrivate = true
} else {
// Case #3.
// Calculate the corresponding intermediate public key for
// intermediate private key.
ilx, ily := btcec.S256().ScalarBaseMult(il)
if ilx.Sign() == 0 || ily.Sign() == 0 {
return nil, ErrInvalidChild
}
// Convert the serialized compressed parent public key into X
// and Y coordinates so it can be added to the intermediate
// public key.
pubKey, err := btcec.ParsePubKey(k.key, btcec.S256())
if err != nil {
return nil, err
}
// Add the intermediate public key to the parent public key to
// derive the final child key.
//
// childKey = serP(point(parse256(Il)) + parentKey)
childX, childY := btcec.S256().Add(ilx, ily, pubKey.X, pubKey.Y)
pk := btcec.PublicKey{Curve: btcec.S256(), X: childX, Y: childY}
childKey = pk.SerializeCompressed()
}
// The fingerprint of the parent for the derived child is the first 4
// bytes of the RIPEMD160(SHA256(parentPubKey)).
parentFP := btcutil.Hash160(k.pubKeyBytes())[:4]
return newExtendedKey(k.version, childKey, childChainCode, parentFP,
k.depth+1, i, isPrivate), nil
}
// Decode...
func (o *OpenChannel) Decode(b io.Reader, addrManager *waddrmgr.Manager) error {
var scratch [8]byte
if _, err := b.Read(o.TheirLNID[:]); err != nil {
return err
}
if _, err := b.Read(o.ChanID[:]); err != nil {
return err
}
if _, err := b.Read(scratch[:]); err != nil {
return err
}
o.MinFeePerKb = btcutil.Amount(endian.Uint64(scratch[:]))
// nonce + serPrivKey + mac
var encryptedPriv [24 + 32 + 16]byte
if _, err := b.Read(encryptedPriv[:]); err != nil {
return err
}
decryptedPriv, err := addrManager.Decrypt(waddrmgr.CKTPrivate, encryptedPriv[:])
if err != nil {
return err
}
o.OurCommitKey, _ = btcec.PrivKeyFromBytes(btcec.S256(), decryptedPriv)
var serPubKey [33]byte
if _, err := b.Read(serPubKey[:]); err != nil {
return err
}
o.TheirCommitKey, err = btcec.ParsePubKey(serPubKey[:], btcec.S256())
if err != nil {
return err
}
if _, err := b.Read(scratch[:]); err != nil {
return err
}
o.Capacity = btcutil.Amount(endian.Uint64(scratch[:]))
if _, err := b.Read(scratch[:]); err != nil {
return err
}
o.OurBalance = btcutil.Amount(endian.Uint64(scratch[:]))
if _, err := b.Read(scratch[:]); err != nil {
return err
}
o.TheirBalance = btcutil.Amount(endian.Uint64(scratch[:]))
o.TheirCommitTx = wire.NewMsgTx()
if err := o.TheirCommitTx.Deserialize(b); err != nil {
return err
}
o.OurCommitTx = wire.NewMsgTx()
if err := o.OurCommitTx.Deserialize(b); err != nil {
return err
}
o.FundingTx = wire.NewMsgTx()
if err := o.FundingTx.Deserialize(b); err != nil {
return err
}
if _, err := b.Read(encryptedPriv[:]); err != nil {
return err
}
decryptedPriv, err = addrManager.Decrypt(waddrmgr.CKTPrivate, encryptedPriv[:])
if err != nil {
return err
}
o.MultiSigKey, _ = btcec.PrivKeyFromBytes(btcec.S256(), decryptedPriv)
var redeemScript [71]byte
if _, err := b.Read(redeemScript[:]); err != nil {
return err
}
o.FundingRedeemScript = redeemScript[:]
if _, err := b.Read(o.TheirCurrentRevocation[:]); err != nil {
return err
}
var addr [34]byte
if _, err := b.Read(addr[:]); err != nil {
return err
}
o.OurDeliveryAddress, err = btcutil.DecodeAddress(string(addr[:]), ActiveNetParams)
if err != nil {
return err
}
if _, err := b.Read(addr[:]); err != nil {
return err
}
o.TheirDeliveryAddress, err = btcutil.DecodeAddress(string(addr[:]), ActiveNetParams)
if err != nil {
return err
}
if err := binary.Read(b, endian, &o.CsvDelay); err != nil {
return err
}
if err := binary.Read(b, endian, &o.NumUpdates); err != nil {
return err
}
if err := binary.Read(b, endian, &o.TotalSatoshisSent); err != nil {
return err
}
if err := binary.Read(b, endian, &o.TotalSatoshisReceived); err != nil {
return err
}
var unix int64
if err := binary.Read(b, endian, &unix); err != nil {
return err
}
o.CreationTime = time.Unix(unix, 0)
return nil
}
