// Copyright 2016 The go-ethereum Authors // This file is part of the go-ethereum library. // // The go-ethereum library is free software: you can redistribute it and/or modify // it under the terms of the GNU Lesser General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // The go-ethereum library is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public License // along with the go-ethereum library. If not, see . package types import ( "crypto/ecdsa" "errors" "fmt" "math/big" "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/crypto" "github.com/ethereum/go-ethereum/params" ) var ErrInvalidChainId = errors.New("invalid chain id for signer") // sigCache is used to cache the derived sender and contains // the signer used to derive it. type sigCache struct { signer Signer from common.Address } // MakeSigner returns a Signer based on the given chain config and block number. func MakeSigner(config *params.ChainConfig, blockNumber *big.Int, blockTime uint64) Signer { var signer Signer switch { case config.IsCancun(blockNumber, blockTime): signer = NewCancunSigner(config.ChainID) case config.IsLondon(blockNumber): signer = NewLondonSigner(config.ChainID) case config.IsBerlin(blockNumber): signer = NewEIP2930Signer(config.ChainID) case config.IsEIP155(blockNumber): signer = NewEIP155Signer(config.ChainID) case config.IsHomestead(blockNumber): signer = HomesteadSigner{} default: signer = FrontierSigner{} } return signer } // LatestSigner returns the 'most permissive' Signer available for the given chain // configuration. Specifically, this enables support of all types of transactions // when their respective forks are scheduled to occur at any block number (or time) // in the chain config. // // Use this in transaction-handling code where the current block number is unknown. If you // have the current block number available, use MakeSigner instead. func LatestSigner(config *params.ChainConfig) Signer { if config.ChainID != nil { if config.CancunTime != nil { return NewCancunSigner(config.ChainID) } if config.LondonBlock != nil { return NewLondonSigner(config.ChainID) } if config.BerlinBlock != nil { return NewEIP2930Signer(config.ChainID) } if config.EIP155Block != nil { return NewEIP155Signer(config.ChainID) } } return HomesteadSigner{} } // LatestSignerForChainID returns the 'most permissive' Signer available. Specifically, // this enables support for EIP-155 replay protection and all implemented EIP-2718 // transaction types if chainID is non-nil. // // Use this in transaction-handling code where the current block number and fork // configuration are unknown. If you have a ChainConfig, use LatestSigner instead. // If you have a ChainConfig and know the current block number, use MakeSigner instead. func LatestSignerForChainID(chainID *big.Int) Signer { if chainID == nil { return HomesteadSigner{} } return NewCancunSigner(chainID) } // SignTx signs the transaction using the given signer and private key. func SignTx(tx *Transaction, s Signer, prv *ecdsa.PrivateKey) (*Transaction, error) { h := s.Hash(tx) sig, err := crypto.Sign(h[:], prv) if err != nil { return nil, err } return tx.WithSignature(s, sig) } // SignNewTx creates a transaction and signs it. func SignNewTx(prv *ecdsa.PrivateKey, s Signer, txdata TxData) (*Transaction, error) { tx := NewTx(txdata) h := s.Hash(tx) sig, err := crypto.Sign(h[:], prv) if err != nil { return nil, err } return tx.WithSignature(s, sig) } // MustSignNewTx creates a transaction and signs it. // This panics if the transaction cannot be signed. func MustSignNewTx(prv *ecdsa.PrivateKey, s Signer, txdata TxData) *Transaction { tx, err := SignNewTx(prv, s, txdata) if err != nil { panic(err) } return tx } // Sender returns the address derived from the signature (V, R, S) using secp256k1 // elliptic curve and an error if it failed deriving or upon an incorrect // signature. // // Sender may cache the address, allowing it to be used regardless of // signing method. The cache is invalidated if the cached signer does // not match the signer used in the current call. func Sender(signer Signer, tx *Transaction) (common.Address, error) { if sc := tx.from.Load(); sc != nil { sigCache := sc.(sigCache) // If the signer used to derive from in a previous // call is not the same as used current, invalidate // the cache. if sigCache.signer.Equal(signer) { return sigCache.from, nil } } addr, err := signer.Sender(tx) if err != nil { return common.Address{}, err } tx.from.Store(sigCache{signer: signer, from: addr}) return addr, nil } // Signer encapsulates transaction signature handling. The name of this type is slightly // misleading because Signers don't actually sign, they're just for validating and // processing of signatures. // // Note that this interface is not a stable API and may change at any time to accommodate // new protocol rules. type Signer interface { // Sender returns the sender address of the transaction. Sender(tx *Transaction) (common.Address, error) // SignatureValues returns the raw R, S, V values corresponding to the // given signature. SignatureValues(tx *Transaction, sig []byte) (r, s, v *big.Int, err error) ChainID() *big.Int // Hash returns 'signature hash', i.e. the transaction hash that is signed by the // private key. This hash does not uniquely identify the transaction. Hash(tx *Transaction) common.Hash // Equal returns true if the given signer is the same as the receiver. Equal(Signer) bool } type cancunSigner struct{ londonSigner } // NewCancunSigner returns a signer that accepts // - EIP-4844 blob transactions // - EIP-1559 dynamic fee transactions // - EIP-2930 access list transactions, // - EIP-155 replay protected transactions, and // - legacy Homestead transactions. func NewCancunSigner(chainId *big.Int) Signer { return cancunSigner{londonSigner{eip2930Signer{NewEIP155Signer(chainId)}}} } func (s cancunSigner) Sender(tx *Transaction) (common.Address, error) { if tx.Type() != BlobTxType { return s.londonSigner.Sender(tx) } V, R, S := tx.RawSignatureValues() // Blob txs are defined to use 0 and 1 as their recovery // id, add 27 to become equivalent to unprotected Homestead signatures. V = new(big.Int).Add(V, big.NewInt(27)) if tx.ChainId().Cmp(s.chainId) != 0 { return common.Address{}, fmt.Errorf("%w: have %d want %d", ErrInvalidChainId, tx.ChainId(), s.chainId) } return recoverPlain(s.Hash(tx), R, S, V, true) } func (s cancunSigner) Equal(s2 Signer) bool { x, ok := s2.(cancunSigner) return ok && x.chainId.Cmp(s.chainId) == 0 } func (s cancunSigner) SignatureValues(tx *Transaction, sig []byte) (R, S, V *big.Int, err error) { txdata, ok := tx.inner.(*BlobTx) if !ok { return s.londonSigner.SignatureValues(tx, sig) } // Check that chain ID of tx matches the signer. We also accept ID zero here, // because it indicates that the chain ID was not specified in the tx. if txdata.ChainID.Sign() != 0 && txdata.ChainID.ToBig().Cmp(s.chainId) != 0 { return nil, nil, nil, fmt.Errorf("%w: have %d want %d", ErrInvalidChainId, txdata.ChainID, s.chainId) } R, S, _ = decodeSignature(sig) V = big.NewInt(int64(sig[64])) return R, S, V, nil } // Hash returns the hash to be signed by the sender. // It does not uniquely identify the transaction. func (s cancunSigner) Hash(tx *Transaction) common.Hash { if tx.Type() != BlobTxType { return s.londonSigner.Hash(tx) } return prefixedRlpHash( tx.Type(), []interface{}{ s.chainId, tx.Nonce(), tx.GasTipCap(), tx.GasFeeCap(), tx.Gas(), tx.To(), tx.Value(), tx.Data(), tx.AccessList(), tx.BlobGasFeeCap(), tx.BlobHashes(), }) } type londonSigner struct{ eip2930Signer } // NewLondonSigner returns a signer that accepts // - EIP-1559 dynamic fee transactions // - EIP-2930 access list transactions, // - EIP-155 replay protected transactions, and // - legacy Homestead transactions. func NewLondonSigner(chainId *big.Int) Signer { return londonSigner{eip2930Signer{NewEIP155Signer(chainId)}} } func (s londonSigner) Sender(tx *Transaction) (common.Address, error) { if tx.Type() != DynamicFeeTxType { return s.eip2930Signer.Sender(tx) } V, R, S := tx.RawSignatureValues() // DynamicFee txs are defined to use 0 and 1 as their recovery // id, add 27 to become equivalent to unprotected Homestead signatures. V = new(big.Int).Add(V, big.NewInt(27)) if tx.ChainId().Cmp(s.chainId) != 0 { return common.Address{}, fmt.Errorf("%w: have %d want %d", ErrInvalidChainId, tx.ChainId(), s.chainId) } return recoverPlain(s.Hash(tx), R, S, V, true) } func (s londonSigner) Equal(s2 Signer) bool { x, ok := s2.(londonSigner) return ok && x.chainId.Cmp(s.chainId) == 0 } func (s londonSigner) SignatureValues(tx *Transaction, sig []byte) (R, S, V *big.Int, err error) { txdata, ok := tx.inner.(*DynamicFeeTx) if !ok { return s.eip2930Signer.SignatureValues(tx, sig) } // Check that chain ID of tx matches the signer. We also accept ID zero here, // because it indicates that the chain ID was not specified in the tx. if txdata.ChainID.Sign() != 0 && txdata.ChainID.Cmp(s.chainId) != 0 { return nil, nil, nil, fmt.Errorf("%w: have %d want %d", ErrInvalidChainId, txdata.ChainID, s.chainId) } R, S, _ = decodeSignature(sig) V = big.NewInt(int64(sig[64])) return R, S, V, nil } // Hash returns the hash to be signed by the sender. // It does not uniquely identify the transaction. func (s londonSigner) Hash(tx *Transaction) common.Hash { if tx.Type() != DynamicFeeTxType { return s.eip2930Signer.Hash(tx) } return prefixedRlpHash( tx.Type(), []interface{}{ s.chainId, tx.Nonce(), tx.GasTipCap(), tx.GasFeeCap(), tx.Gas(), tx.To(), tx.Value(), tx.Data(), tx.AccessList(), }) } type eip2930Signer struct{ EIP155Signer } // NewEIP2930Signer returns a signer that accepts EIP-2930 access list transactions, // EIP-155 replay protected transactions, and legacy Homestead transactions. func NewEIP2930Signer(chainId *big.Int) Signer { return eip2930Signer{NewEIP155Signer(chainId)} } func (s eip2930Signer) ChainID() *big.Int { return s.chainId } func (s eip2930Signer) Equal(s2 Signer) bool { x, ok := s2.(eip2930Signer) return ok && x.chainId.Cmp(s.chainId) == 0 } func (s eip2930Signer) Sender(tx *Transaction) (common.Address, error) { V, R, S := tx.RawSignatureValues() switch tx.Type() { case LegacyTxType: return s.EIP155Signer.Sender(tx) case AccessListTxType: // AL txs are defined to use 0 and 1 as their recovery // id, add 27 to become equivalent to unprotected Homestead signatures. V = new(big.Int).Add(V, big.NewInt(27)) default: return common.Address{}, ErrTxTypeNotSupported } if tx.ChainId().Cmp(s.chainId) != 0 { return common.Address{}, fmt.Errorf("%w: have %d want %d", ErrInvalidChainId, tx.ChainId(), s.chainId) } return recoverPlain(s.Hash(tx), R, S, V, true) } func (s eip2930Signer) SignatureValues(tx *Transaction, sig []byte) (R, S, V *big.Int, err error) { switch txdata := tx.inner.(type) { case *LegacyTx: return s.EIP155Signer.SignatureValues(tx, sig) case *AccessListTx: // Check that chain ID of tx matches the signer. We also accept ID zero here, // because it indicates that the chain ID was not specified in the tx. if txdata.ChainID.Sign() != 0 && txdata.ChainID.Cmp(s.chainId) != 0 { return nil, nil, nil, fmt.Errorf("%w: have %d want %d", ErrInvalidChainId, txdata.ChainID, s.chainId) } R, S, _ = decodeSignature(sig) V = big.NewInt(int64(sig[64])) default: return nil, nil, nil, ErrTxTypeNotSupported } return R, S, V, nil } // Hash returns the hash to be signed by the sender. // It does not uniquely identify the transaction. func (s eip2930Signer) Hash(tx *Transaction) common.Hash { switch tx.Type() { case LegacyTxType: return s.EIP155Signer.Hash(tx) case AccessListTxType: return prefixedRlpHash( tx.Type(), []interface{}{ s.chainId, tx.Nonce(), tx.GasPrice(), tx.Gas(), tx.To(), tx.Value(), tx.Data(), tx.AccessList(), }) default: // This _should_ not happen, but in case someone sends in a bad // json struct via RPC, it's probably more prudent to return an // empty hash instead of killing the node with a panic //panic("Unsupported transaction type: %d", tx.typ) return common.Hash{} } } // EIP155Signer implements Signer using the EIP-155 rules. This accepts transactions which // are replay-protected as well as unprotected homestead transactions. type EIP155Signer struct { chainId, chainIdMul *big.Int } func NewEIP155Signer(chainId *big.Int) EIP155Signer { if chainId == nil { chainId = new(big.Int) } return EIP155Signer{ chainId: chainId, chainIdMul: new(big.Int).Mul(chainId, big.NewInt(2)), } } func (s EIP155Signer) ChainID() *big.Int { return s.chainId } func (s EIP155Signer) Equal(s2 Signer) bool { eip155, ok := s2.(EIP155Signer) return ok && eip155.chainId.Cmp(s.chainId) == 0 } var big8 = big.NewInt(8) func (s EIP155Signer) Sender(tx *Transaction) (common.Address, error) { if tx.Type() != LegacyTxType { return common.Address{}, ErrTxTypeNotSupported } if !tx.Protected() { return HomesteadSigner{}.Sender(tx) } if tx.ChainId().Cmp(s.chainId) != 0 { return common.Address{}, fmt.Errorf("%w: have %d want %d", ErrInvalidChainId, tx.ChainId(), s.chainId) } V, R, S := tx.RawSignatureValues() V = new(big.Int).Sub(V, s.chainIdMul) V.Sub(V, big8) return recoverPlain(s.Hash(tx), R, S, V, true) } // SignatureValues returns signature values. This signature // needs to be in the [R || S || V] format where V is 0 or 1. func (s EIP155Signer) SignatureValues(tx *Transaction, sig []byte) (R, S, V *big.Int, err error) { if tx.Type() != LegacyTxType { return nil, nil, nil, ErrTxTypeNotSupported } R, S, V = decodeSignature(sig) if s.chainId.Sign() != 0 { V = big.NewInt(int64(sig[64] + 35)) V.Add(V, s.chainIdMul) } return R, S, V, nil } // Hash returns the hash to be signed by the sender. // It does not uniquely identify the transaction. func (s EIP155Signer) Hash(tx *Transaction) common.Hash { return rlpHash([]interface{}{ tx.Nonce(), tx.GasPrice(), tx.Gas(), tx.To(), tx.Value(), tx.Data(), s.chainId, uint(0), uint(0), }) } // HomesteadSigner implements Signer interface using the // homestead rules. type HomesteadSigner struct{ FrontierSigner } func (s HomesteadSigner) ChainID() *big.Int { return nil } func (s HomesteadSigner) Equal(s2 Signer) bool { _, ok := s2.(HomesteadSigner) return ok } // SignatureValues returns signature values. This signature // needs to be in the [R || S || V] format where V is 0 or 1. func (hs HomesteadSigner) SignatureValues(tx *Transaction, sig []byte) (r, s, v *big.Int, err error) { return hs.FrontierSigner.SignatureValues(tx, sig) } func (hs HomesteadSigner) Sender(tx *Transaction) (common.Address, error) { if tx.Type() != LegacyTxType { return common.Address{}, ErrTxTypeNotSupported } v, r, s := tx.RawSignatureValues() return recoverPlain(hs.Hash(tx), r, s, v, true) } // FrontierSigner implements Signer interface using the // frontier rules. type FrontierSigner struct{} func (s FrontierSigner) ChainID() *big.Int { return nil } func (s FrontierSigner) Equal(s2 Signer) bool { _, ok := s2.(FrontierSigner) return ok } func (fs FrontierSigner) Sender(tx *Transaction) (common.Address, error) { if tx.Type() != LegacyTxType { return common.Address{}, ErrTxTypeNotSupported } v, r, s := tx.RawSignatureValues() return recoverPlain(fs.Hash(tx), r, s, v, false) } // SignatureValues returns signature values. This signature // needs to be in the [R || S || V] format where V is 0 or 1. func (fs FrontierSigner) SignatureValues(tx *Transaction, sig []byte) (r, s, v *big.Int, err error) { if tx.Type() != LegacyTxType { return nil, nil, nil, ErrTxTypeNotSupported } r, s, v = decodeSignature(sig) return r, s, v, nil } // Hash returns the hash to be signed by the sender. // It does not uniquely identify the transaction. func (fs FrontierSigner) Hash(tx *Transaction) common.Hash { return rlpHash([]interface{}{ tx.Nonce(), tx.GasPrice(), tx.Gas(), tx.To(), tx.Value(), tx.Data(), }) } func decodeSignature(sig []byte) (r, s, v *big.Int) { if len(sig) != crypto.SignatureLength { panic(fmt.Sprintf("wrong size for signature: got %d, want %d", len(sig), crypto.SignatureLength)) } r = new(big.Int).SetBytes(sig[:32]) s = new(big.Int).SetBytes(sig[32:64]) v = new(big.Int).SetBytes([]byte{sig[64] + 27}) return r, s, v } func recoverPlain(sighash common.Hash, R, S, Vb *big.Int, homestead bool) (common.Address, error) { if Vb.BitLen() > 8 { return common.Address{}, ErrInvalidSig } V := byte(Vb.Uint64() - 27) if !crypto.ValidateSignatureValues(V, R, S, homestead) { return common.Address{}, ErrInvalidSig } // encode the signature in uncompressed format r, s := R.Bytes(), S.Bytes() sig := make([]byte, crypto.SignatureLength) copy(sig[32-len(r):32], r) copy(sig[64-len(s):64], s) sig[64] = V // recover the public key from the signature pub, err := crypto.Ecrecover(sighash[:], sig) if err != nil { return common.Address{}, err } if len(pub) == 0 || pub[0] != 4 { return common.Address{}, errors.New("invalid public key") } var addr common.Address copy(addr[:], crypto.Keccak256(pub[1:])[12:]) return addr, nil } // deriveChainId derives the chain id from the given v parameter func deriveChainId(v *big.Int) *big.Int { if v.BitLen() <= 64 { v := v.Uint64() if v == 27 || v == 28 { return new(big.Int) } return new(big.Int).SetUint64((v - 35) / 2) } v = new(big.Int).Sub(v, big.NewInt(35)) return v.Div(v, big.NewInt(2)) }