def __init__(self, pk_wif: str = None, ecdsa_key: int = None):
if pk_wif is None and ecdsa_key is None:
self.signingkey = self.generate()
elif pk_wif is not None:
secret = int.from_bytes(
base58.b58decode_check(pk_wif)[-32:], "big")
self.signingkey = SigningKey.from_secret_exponent(
secret, ecdsa.SECP256k1)
else:
self.signingkey = SigningKey.from_secret_exponent(
ecdsa_key, ecdsa.SECP256k1)
# Then, initialize the public key part
super().__init__(self.signingkey.get_verifying_key().pubkey.point)
def get_root_key(seed): """ Gets the root key from the seed. """ # :TODO: add support for more than key #0 # see https://github.com/ripple/ripple-lib/blob/develop/src/js/ripple/seed.js def generate_key(seed): i = 0 res = 0 while True: res = from_bytes(hashes.sha512half(seed + to_bytes(i, 4))) i += 1 if curves.SECP256k1.order >= res: break return res private_generator = generate_key(seed) public_generator = curves.SECP256k1.generator * private_generator # use public + private generators to generate a secret sequence = 0 # public_compressed = _get_compressed_point(public_generator) secret = generate_key(public_compressed + to_bytes(sequence, 4)) secret += private_generator secret %= curves.SECP256k1.order # use secret to generate a secp256k1 key return SigningKey.from_secret_exponent(secret, curves.SECP256k1)
def recover_key(c1,sig1,c2,sig2,pubkey):
#using the same variable names as in:
#http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
curve_order = pubkey.curve.order
n = curve_order
s1 = int(sig1[96:],16)
print("s1: " + str(s1))
s2 = int(sig2[96:],16)
print("s2: " + str(s2))
r = int(sig1[:-96], 16)
print("r: " + str(r))
print("R values match: " + str(int(sig2[:-96],16) == r))
z1 = string_to_number(sha256(c1))
z2 = string_to_number(sha256(c2))
#magical math stuff
sdiff_inv = inverse_mod(((s1-s2)%n),n)
k = ( ((z1-z2)%n) * sdiff_inv) % n
r_inv = inverse_mod(r,n)
da = (((((s1*k) %n) -z1) %n) * r_inv) % n
print("Recovered Da: " + hex(da))
#turn the private key into a signing key
recovered_private_key_ec = SigningKey.from_secret_exponent(da, curve=NIST384p)
return recovered_private_key_ec
def create_wallet(seed=None):
"""
Generate a new wallet. The wallet uses a key pair and an address
based on the SHA1 of the generated wallet's public key. The keys
generated use the ECDSA key generation algorithm with the curve
SECP256k1, the same as bitcoin.
"""
logging.debug("Creating wallet(seed={})".format(seed))
if seed is None:
seed = ''.join([
random.SystemRandom().choice(string.ascii_letters +
string.digits) for _ in range(50)
])
seed = int(hashlib.sha256(seed).hexdigest(), 16)
secret_exponent = randrange_from_seed__trytryagain(
seed, SECP256k1.order)
private_key = SigningKey.from_secret_exponent(secret_exponent,
curve=SECP256k1)
public_key = private_key.get_verifying_key()
address = 'QC' + hashlib.sha1(public_key.to_string()).hexdigest()
wallet = {
'private_key': binascii.b2a_base64(private_key.to_string()),
'public_key': binascii.b2a_base64(public_key.to_string()),
'address': address
}
return wallet
def __init__(self, secret_exponent, network=BitcoinMainNet, *args, **kwargs):
if not isinstance(secret_exponent, six.integer_types):
raise ValueError("secret_exponent must be a long")
super(PrivateKey, self).__init__(network=network, *args, **kwargs)
self._private_key = SigningKey.from_secret_exponent(
secret_exponent, curve=SECP256k1
)
def __init__(self, secret_exponent, network=BitcoinMainNet,
*args, **kwargs):
if not isinstance(secret_exponent, six.integer_types):
raise ValueError("secret_exponent must be a long")
super(PrivateKey, self).__init__(network=network, *args, **kwargs)
self._private_key = SigningKey.from_secret_exponent(
secret_exponent, curve=SECP256k1)
def recover_key(c1,sig1,c2,sig2,pubkey): #using the same variable names as in: #http://en.wikipedia.org/wiki/Elliptic_Curve_DSA curve_order = pubkey.curve.order n = curve_order s1 = string_to_number(sig1[-48:]) print "s1: " + str(s1) s2 = string_to_number(sig2[-48:]) print "s2: " + str(s2) r = string_to_number(sig1[-96:--48]) print "r: " + str(r) print "R values match: " + str(string_to_number(sig2[-96:--48]) == r) z1 = string_to_number(sha1(c1)) z2 = string_to_number(sha1(c2)) sdiff_inv = inverse_mod(((s1-s2)%n),n) k = ( ((z1-z2)%n) * sdiff_inv) % n r_inv = inverse_mod(r,n) da = (((((s1*k) %n) -z1) %n) * r_inv) % n print "Recovered Da: " + hex(da) recovered_private_key_ec = SigningKey.from_secret_exponent(da, curve=NIST384p) return recovered_private_key_ec.to_pem()
def _compute_ecdsa_signature(self):
try:
sys_random = random.SystemRandom()
ecdsa_nonce = sys_random.getrandbits(224)
self.client_nonce = random.getrandbits(16 * 8).to_bytes(16, "big")
user_bytes = int(self.user_id).to_bytes(8, "big")
message = b"".join(
[user_bytes, self.server_nonce, self.client_nonce])
key = b"".join([user_bytes, self.passphrase])
key_hash = sha224(key).digest()
exponent = int.from_bytes(key_hash, "big", signed=False)
secp224k1 = self.secp224k1()
priv_key = SigningKey.from_secret_exponent(exponent,
curve=secp224k1,
hashfunc=sha224)
r, s = priv_key.sign_deterministic(message,
hashfunc=sha224,
sigencode=lambda r, s, order:
(r, s))
r = r.to_bytes(28, "big")
s = s.to_bytes(28, "big")
r = base64.b64encode(r).decode()
s = base64.b64encode(s).decode()
return r, s
except ValueError:
self._err_handler(self, "Invalid signature data")
def generate_ephid(): curve = SECP128r1 secexp = randrange(curve.order) sk = SigningKey.from_secret_exponent(secexp, curve) ephid = sk.to_string() return secexp, ephid
def recover_key(c1, sig1, c2, sig2):
#using the same variable names as in:
#http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
n = curve_order
# s1 = string_to_number(sig1[0:47])
# s2 = string_to_number(sig2[0:47])
sig, _ = der_decode(sig1, asn1Spec=EcSignature())
s1 = int(sig["s"])
r = int(sig["r"])
sig, _ = der_decode(sig2, asn1Spec=EcSignature())
s2 = int(sig["s"])
# r = string_to_number(sig1[48:95])
print s2
print r
z1 = string_to_number(sha256(c1))
z2 = string_to_number(sha256(c2))
sdiff_inv = inverse_mod(((s1 - s2) % n), n)
k = (((z1 - z2) % n) * sdiff_inv) % n
r_inv = inverse_mod(r, n)
da = (((((s1 * k) % n) - z1) % n) * r_inv) % n
recovered_private_key_ec = SigningKey.from_secret_exponent(da,
curve=SECP256k1)
print recovered_private_key_ec.privkey.secret_multiplier
return recovered_private_key_ec.to_pem()
def create_material(self, bits, d=None, x=None, y=None):
curve = self.curve_for_bits(bits)
if d:
return SigningKey.from_secret_exponent(d, curve)
if x and y:
point = ec.Point(curve.curve, x, y, curve.order)
return VerifyingKey.from_public_point(point, curve)
def get_root_key(seed):
""" Gets the root key from the seed. """
# :TODO: add support for more than key #0
# see https://github.com/ripple/ripple-lib/blob/develop/src/js/ripple/seed.js
def generate_key(seed):
i = 0
res = 0
while True:
res = from_bytes(hashes.sha512half(seed + to_bytes(i, 4)))
i += 1
if curves.SECP256k1.order >= res:
break
return res
private_generator = generate_key(seed)
public_generator = curves.SECP256k1.generator * private_generator
# use public + private generators to generate a secret
sequence = 0 #
public_compressed = _get_compressed_point(public_generator)
secret = generate_key(public_compressed + to_bytes(sequence, 4))
secret += private_generator
secret %= curves.SECP256k1.order
# use secret to generate a secp256k1 key
return SigningKey.from_secret_exponent(secret, curves.SECP256k1)
def sign(self,
to_be_signed: bytes,
alg: Optional[CoseAlgorithms] = None,
curve: EllipticCurveType = None) -> bytes:
"""
Computes a digital signature over 'to_be_signed'. The parameter 'alg' and 'curve' parameters are optional in
case they are already provided by one of the COSE key objects.
:param to_be_signed: data over which the signature is calculated
:param alg: an optional algorithm parameter (specifies the exact algorithm used for the signature).
:param curve: an optional curve
"""
self._check_key_conf(algorithm=alg,
key_operation=KeyOps.SIGN,
curve=curve)
try:
alg_cfg = config(CoseAlgorithms(self.alg))
except KeyError as err:
raise CoseInvalidAlgorithm(err)
sk = SigningKey.from_secret_exponent(int(hexlify(self.d), 16),
curve=alg_cfg.curve)
return sk.sign_deterministic(to_be_signed, hashfunc=alg_cfg.hash)
def derive(seed, path, curve_name):
"""Derives gpg key from provided bip32 path
>>> seed = mnemonic_to_seed(test_mnemonic)
>>> sk = derive(seed,
... [2147483661, 3641273873, 3222207101, 2735596413, 2741857293],
... "nist256p1")
>>> sk.verifying_key.to_string().hex()
'32dd7bda4eb424e57ec2594bc2dad...eb1ca14a6f518c204e32b24c5f18b4'
"""
logger.debug("seed: %s", seed.hex())
privkey, chaincode = privkey_and_chaincode_from_seed(seed, curve_name)
logger.debug("master privkey: %s", privkey.hex())
logger.debug("master chaincode: %s", chaincode.hex())
for i in path:
privkey, chaincode = derive_private_child(curve_name, privkey,
chaincode, i)
logger.debug("ckd: %d -> %s %s", i, privkey.hex(), chaincode.hex())
logger.debug("child privkey: %s", privkey.hex())
secexp = util.bytes2num(privkey)
curve = get_curve(curve_name)
sk = SigningKey.from_secret_exponent(secexp=secexp,
curve=curve,
hashfunc=hashlib.sha256)
return sk
def test_ecdsa():
# private key as an integer
secret = 27777772222
m = b"Nitin"
# check if order and generator are in sync
assert O == ec_scalar_mul(generator, order), "Generator seems off"
sig = ecdsa_sign(secret, m)
sig_hex = str(sig)
pub = pub_key_from_priv(secret)
assert pub
print(f"pub key\n{pub_key_from_priv(secret)}\n")
print(f"signature\n{sig_hex}\n")
priv = SigningKey.from_secret_exponent(secret, SECP256k1, hashfunc=sha256)
pub = priv.verifying_key
pub.verify(bytes.fromhex(sig_hex), m)
pytest.raises(BadSignatureError, pub.verify, bytes.fromhex(sig_hex),
b"wrongdata")
with open("public.pem", 'wb') as f:
f.write(pub.to_pem())
with open("private.pem", 'wb') as f:
f.write(priv.to_pem())
with open('data.txt', "wb") as f:
f.write(sha256(m).digest())
with open('signature.der', "wb") as f:
f.write(util.sigencode_der(sig.r, sig.s, order))
def letTheDogsOut(msg):
with open("s.txt", "r") as f:
for number in f.readlines():
currentSeed = int(number.strip(), 10)
sk = SigningKey.from_secret_exponent(currentSeed, curve=NIST384p)
signature = binascii.hexlify(sk.sign(str.encode(msg)))
r = req.post(url + "eval", json={"expr": msg, "sig": signature.decode()})
print(r.text)
def mk_keyobj_from_private_key(self):
if self.private_key is None:
return
if self.type != KeyType.ECDSA_SECP256k1_X and self.type != KeyType.ECDSA_SECP256k1_XY:
return
self.private_key_object = SigningKey.from_secret_exponent(
self.to_bigint(self.private_key), curve=ECDSA_CURVE)
self.public_key_object = self.private_key_object.get_verifying_key()
def getPrivateKeyFromPassPhrase(passphrase):
logging.debug(
f'getPrivateKeyFromPassPhrase called with passphrase {passphrase}')
secexp = randrange_from_seed__trytryagain(
hashlib.sha256(str(passphrase).encode(ENCODING)).hexdigest(),
NIST256p.order)
sk = SigningKey.from_secret_exponent(secexp, curve=NIST256p)
return binaryStringFormat(sk.to_pem())
def sign_hash(secret, msg_hash):
priv_key = SigningKey.from_secret_exponent(secret,
curve=secp256k1,
hashfunc=sha256)
k = rfc6979.generate_k(generator_secp256k1.order(), secret, sha256,
msg_hash) % generator_secp256k1.order()
return priv_key.sign_digest(msg_hash, sigencode=util.sigencode_der,
k=k).encode('hex')
def gen_priv_and_seed():
secret = -1
while not is_secret_within_curve_range(secret):
seed = mn.Mnemonic().make_seed()
secret = get_secret_from_seed(seed)
sk = SigningKey.from_secret_exponent(secret, curve=SECP256k1)
return seed, sk
def getExponent(unique_rng_values):
for i in unique_rng_values:
sk = SigningKey.from_secret_exponent(i + 1, curve=NIST384p)
signature = binascii.hexlify(sk.sign(str.encode('2+2')))
req = requestEval("2+2", signature)
if "Bad signature" not in req.text: return i + 1
def getPublicKeyFromPassPhrase(passphrase):
logging.debug(
f'getPublicKeyFromPassPhrase called with passphrase {passphrase}')
secexp = randrange_from_seed__trytryagain(
hashlib.sha256(str(passphrase).encode(ENCODING)).hexdigest(),
NIST256p.order)
sk = SigningKey.from_secret_exponent(secexp, curve=NIST256p)
vk = sk.get_verifying_key()
return '04' + vk.to_string().hex()
def root_key_from_seed(secret):
"""This derives your master key the given seed.
Implemented in ripple-lib as ``Seed.prototype.get_key``, and further
is described here:
https://ripple.com/wiki/Account_Family#Root_Key_.28GenerateRootDeterministicKey.29
"""
key = SigningKey.from_secret_exponent(secret, curves.SECP256k1)
return key
def signMessageFromPassPhrase(message, passphrase):
logging.debug(
f'signMessageFromPassPhrase call with message {message} and passphrase {passphrase}'
)
secexp = randrange_from_seed__trytryagain(
hashlib.sha256(str(passphrase).encode(ENCODING)).hexdigest(),
NIST256p.order)
sk = SigningKey.from_secret_exponent(secexp, curve=NIST256p)
return signMessage(message, binaryStringFormat(sk.to_pem()))
def verifyMessageFromPassPhrase(message, signedMessage, passphrase):
logging.debug(
f'verifyMessageFromPassPhrase call with message {message}, signedMessage {signedMessage} and passphrase {passphrase}'
)
secexp = randrange_from_seed__trytryagain(
hashlib.sha256(str(passphrase).encode(ENCODING)).hexdigest(),
NIST256p.order)
sk = SigningKey.from_secret_exponent(secexp, curve=NIST256p)
vk = sk.get_verifying_key()
return verifyMessage(message, signedMessage, vk.to_string().hex())
def Addr(key):
if key == 0:
key = rankey()
print WIF(key)
private_key = SigningKey.from_secret_exponent(int(key,16),curves.SECP256k1)
public_key = sha256(('04'+(private_key.get_verifying_key().to_string()).encode('hex')).decode('hex')).hexdigest()
RIPEMD = new('ripemd160',(public_key).decode('hex')).hexdigest()
dbhash = sha256((sha256(('00'+RIPEMD).decode('hex')).hexdigest()).decode('hex')).hexdigest()
o = '00'+RIPEMD+dbhash[:8]
address = EncodeB58(o)
return address
def recover_from_hash(curve, r, s1, h1, s2, h2, hashfunc):
"""
:param curve:
:param r:
:param s1:
:param h1:
:param s2:
:param h2:
:param hashfunc:
:return:
"""
# Extract order from curve
order = curve.order
# Precomputed values for minor optimisation
r_inv = inverse_mod(r, order)
h = (h1 - h2) % order
#
# Signature is still valid whether s or -s mod curve_order (or n)
# s*k-h
# Try different possible values for "random" k until hit
for k_try in (s1 - s2, s1 + s2, -s1 - s2, -s1 + s2):
# Retrieving actual k
k = (h * inverse_mod(k_try, order)) % order
if verbosity >= 2:
print("Trying nonce value : '{}'".format(k))
# Secret exponent
secexp = (((((s1 * k) % order) - h1) % order) * r_inv) % order
if verbosity >= 2:
print("Secret exposant : '{}'".format(secexp))
# Building the secret key
signing_key = SigningKey.from_secret_exponent(secexp,
curve=curve,
hashfunc=hashfunc)
if verbosity >= 2:
print("Trying signing key : '{}'".format(signing_key.to_pem()))
# Verify if build key is appropriate
if signing_key.get_verifying_key().pubkey.verifies(
h1, Signature(r, s1)):
if verbosity >= 1:
print("Success !")
return signing_key
return None
def eval(seed, expr):
rand = secure_rng(seed) + 1
sk = SigningKey.from_secret_exponent(rand, curve=NIST384p)
vk = sk.get_verifying_key()
sig = sign(sk, expr)
req = requests.post('http://127.0.0.1:81/eval',
json={
'expr': expr,
'sig': sig
})
response = req.text
print response
def generate_pub_key(_pk):
# convert_pk = SigningKey.from_string(_pk, curve=NIST256p)
_pk_unhex = binascii.unhexlify(_pk)
secexp = string_to_number(_pk_unhex)
origin_pk = SigningKey.from_secret_exponent(secexp, curve=NIST256p)
vk = origin_pk.get_verifying_key()
vk_string = vk.to_string()
pub_key = binascii.hexlify(vk_string)
return pub_key, vk
def readkeys(self, path):
"""
read private keys from a directory, which must containser private.key, address and public.key
"""
self.address = open(path + "/address").read()
self.private_key_js = open(path + "/private.key").read()
self.public_key_js = open(path + "/public.key").read()
sk_obj = json.loads(self.private_key_js)
X = int(sk_obj['X'])
Y = int(sk_obj['Y'])
D = int(sk_obj['D'])
self.public_key = VerifyingKey.from_public_point(ellipticcurve.Point(NIST256p.curve, X, Y), NIST256p, double_sha256)
self.private_key = SigningKey.from_secret_exponent(D, NIST256p, double_sha256)
def generate_pub_key(_pk):
# convert_pk = SigningKey.from_string(_pk, curve=NIST256p)
_pk_unhex = binascii.unhexlify(_pk)
secexp = string_to_number(_pk_unhex)
origin_pk = SigningKey.from_secret_exponent(secexp, curve=NIST256p)
vk = origin_pk.get_verifying_key()
vk_string = vk.to_string()
pub_key = binascii.hexlify(vk_string)
return pub_key, vk
def signMessage():
print("""
Sign Message Service - courtsy of bakflip&sons
""")
message = input("Enter a message to sign: ").encode()
if message == b'please_give_me_the_flag':
print("\n\t:Coughs: This ain't that easy as Verifier1")
sys.exit()
secret_mask = int(input("Now insert a really stupid value here: "))
secret = secret_multiplier ^ secret_mask
signingKey = SigningKey.from_secret_exponent(secret)
signature = signingKey.sign(message)
print("Signature: ", hexlify(signature).decode())
def from_blob(cls, blob):
named_curve = str(blob.pop_str(), 'ascii')
if named_curve not in cls.curves:
logger.warn('unsupported named curve "{}"'.format(named_curve))
return None
curve = cls.curves[named_curve]
group = blob.pop_mpint()
eckey = blob.pop_mpint()
keydata = dict(
named_curve=named_curve,
private_key=SigningKey.from_secret_exponent(eckey, curve),
)
return cls(**keydata)
def __init__(self, name, privkey=None):
"""
A wallet object is initialized by a private key.
"""
self.name = name
if privkey is None:
secexp = randrange_from_seed__trytryagain(
os.urandom(SECP256k1.baselen), SECP256k1.order)
self.privkey = SigningKey.from_secret_exponent(secexp,
curve=SECP256k1)
else:
self.privkey = privkey
self.pubkey = self.privkey.get_verifying_key()
self.address = tools.make_address([self.pubkey], 1)
def make_key_with_salt(seed, salt):
"""generates a key from a given seed, returns the key and a salt
Args:
seed
Returns:
signing key, a salt
Raises:
assertion failure if the signature is not verified
"""
ecdsa_seed = hash_256(seed + salt)
secexp = randrange_from_seed__trytryagain(ecdsa_seed, SECP256k1.order)
return SigningKey.from_secret_exponent(secexp, curve=SECP256k1), salt
def lookup_private_key(keyword):
"""
Hacky way to predictibly lookup private keys for "node ids"
or "characters" ("bob" or "alice")
"""
# Interpret integers as bank ID's
if isinstance(keyword, int):
# we add 100, so that first 100 integers can represent "characters"
exponent = 100 + keyword
# Otherwise, look up in this little registry of "characters"
else:
exponent = {"alice": 1, "bob": 2}[keyword]
return SigningKey.from_secret_exponent(exponent, curve=SECP256k1)
def getFlag():
print("""
BeetleBountyProgram - by bakflip&sons
Wanted! Patched or Alive- $200,000
Submit a valid signature for 'please_give_me_the_flag' and claim the flag
""")
signingKey = SigningKey.from_secret_exponent(secret_multiplier)
verifyingKey = signingKey.verifying_key
try:
signature = unhexlify(input("Forged Signature: "))
if verifyingKey.verify(signature, b'please_give_me_the_flag'):
print(flag)
except:
print("Phew! that was close")
def __init__(self, seed=None, signing_key=None):
assert seed is None or signing_key is None
if signing_key:
self.signing_key = signing_key
elif seed:
secret_exp = randrange_from_seed__trytryagain(seed, CURVE.order)
self.signing_key = SigningKey.from_secret_exponent(secret_exp,
curve=CURVE)
else:
self.signing_key = SigningKey.generate(curve=CURVE)
# The next two fields depend only on the signing_key
self.verifying_key = self.signing_key.get_verifying_key()
# note that if instead of to_string() we would use to_der()
# or to_pem(), we could use different elliptic curves for different addresses
self.address = self.verifying_key.to_string().hex()
def generate(currency='btc', secret=None, compressed=False):
"""Generate address pair for currency. (Default: BTC)
:currency: string, 3 letter currency code
:secret: string, seed for private address
:compressed: bool, if key pair is on compresses format or not
:returns: tuple, (private_key, public_key) containing representation in hex and base58 format.
"""
from ecdsa import SigningKey, SECP256k1
if secret:
h = hashlib.sha256(secret).hexdigest()
secret_exp = int(h, 16)
sk = SigningKey.from_secret_exponent(secret_exp, curve=SECP256k1)
else:
sk = SigningKey.generate(curve=SECP256k1)
priv = sk.to_string()
pub = sk.get_verifying_key()
if compressed:
priv = priv + '\x01'
if pub.pubkey.point.y() % 2:
prefix = '\x03'
else:
prefix = '\x02'
pub = prefix + pub.to_string()[0:32]
else:
pub = '\x04' + pub.to_string()
priv_hex = priv.encode('hex')
priv_b58 = from_hash160(priv_hex, typ='priv', currency=currency)
pub_hex = sha256hash160(pub).encode('hex')
pub_b58 = from_hash160(pub_hex, currency=currency)
return Key(hex=priv_hex, b58=priv_b58), Key(hex=pub_hex, b58=pub_b58)
def root_key_from_seed(seed):
"""This derives your master key the given seed.
Implemented in ripple-lib as ``Seed.prototype.get_key``, and further
is described here:
https://ripple.com/wiki/Account_Family#Root_Key_.28GenerateRootDeterministicKey.29
"""
seq = 0
while True:
private_gen = from_bytes(first_half_of_sha512(
b''.join([seed, to_bytes(seq, 4)])))
seq += 1
if curves.SECP256k1.order >= private_gen:
break
public_gen = curves.SECP256k1.generator * private_gen
# Now that we have the private and public generators, we apparently
# have to calculate a secret from them that can be used as a ECDSA
# signing key.
secret = i = 0
public_gen_compressed = ecc_point_to_bytes_compressed(public_gen)
while True:
secret = from_bytes(first_half_of_sha512(
b"".join([
public_gen_compressed, to_bytes(0, 4), to_bytes(i, 4)])))
i += 1
if curves.SECP256k1.order >= secret:
break
secret = (secret + private_gen) % curves.SECP256k1.order
# The ECDSA signing key object will, given this secret, then expose
# the actual private and public key we are supposed to work with.
key = SigningKey.from_secret_exponent(secret, curves.SECP256k1)
# Attach the generators as supplemental data
key.private_gen = private_gen
key.public_gen = public_gen
return key
from ecdsa import numbertheory, util
from ecdsa import VerifyingKey, SigningKey
PUBLIC_KEY = """
-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEgTxPtDMGS8oOT3h6fLvYyUGq/BWeKiCB
sQPyD0+2vybIT/Xdl6hOqQd74zr4U2dkj+2q6+vwQ4DCB1X7HsFZ5JczfkO7HCdY
I7sGDvd9eUias/xPdSIL3gMbs26b0Ww0
-----END PUBLIC KEY-----
"""
vk = VerifyingKey.from_pem(PUBLIC_KEY.strip())
msg1 = 'help'
sig1 = binascii.unhexlify('c0e1fc4e3858ac6334cc8798fdec40790d7ad361ffc691c26f2902c41f2b7c2fd1ca916de687858953a6405423fe156cfd7287caf75247c9a32e52ab8260e7ff1e46e55594aea88731bee163035f9ee31f2c2965ac7b2cdfca6100d10ba23826')
msg2 = 'time'
sig2 = binascii.unhexlify('c0e1fc4e3858ac6334cc8798fdec40790d7ad361ffc691c26f2902c41f2b7c2fd1ca916de687858953a6405423fe156c0cbebcec222f83dc9dd5b0d4d8e698a08ddecb79e6c3b35fc2caaa4543d58a45603639647364983301565728b504015d')
r = util.string_to_number(sig1[:48])
s1 = util.string_to_number(sig1[48:])
z1 = util.string_to_number(hashlib.sha256(msg1).digest())
s2 = util.string_to_number(sig2[48:])
z2 = util.string_to_number(hashlib.sha256(msg2).digest())
k = (z1 - z2) * numbertheory.inverse_mod(s1 - s2, vk.pubkey.order) % vk.pubkey.order
d = (s1 * k - z1) * numbertheory.inverse_mod(r, vk.pubkey.order) % vk.pubkey.order
sk = SigningKey.from_secret_exponent(d, curve=vk.curve, hashfunc=hashlib.sha256)
msg3 = 'read %s' % sys.argv[1]
print '%s:%s' % (msg3, binascii.hexlify(sk.sign(msg3, k=k)))
def from_exponent(cls, exponent):
key = SigningKey.from_secret_exponent(exponent, curve=SECP256k1)
return cls(key)
def private_to_address(private):
private_int = int(b2a_hex(private), 16)
sk = SigningKey.from_secret_exponent(private_int, curves.SECP256k1)
vk = sk.get_verifying_key()
return public_to_address(vk.to_string())
