1// Copyright (c) 2017 The btcsuite developers
2// Copyright (c) 2019 The Decred developers
3// Use of this source code is governed by an ISC
4// license that can be found in the LICENSE file.
5
6package bech32
7
8import (
9	"strings"
10)
11
12// charset is the set of characters used in the data section of bech32 strings.
13// Note that this is ordered, such that for a given charset[i], i is the binary
14// value of the character.
15const charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
16
17// gen encodes the generator polynomial for the bech32 BCH checksum.
18var gen = []int{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3}
19
20// toBytes converts each character in the string 'chars' to the value of the
21// index of the correspoding character in 'charset'.
22func toBytes(chars string) ([]byte, error) {
23	decoded := make([]byte, 0, len(chars))
24	for i := 0; i < len(chars); i++ {
25		index := strings.IndexByte(charset, chars[i])
26		if index < 0 {
27			return nil, ErrNonCharsetChar(chars[i])
28		}
29		decoded = append(decoded, byte(index))
30	}
31	return decoded, nil
32}
33
34// bech32Polymod calculates the BCH checksum for a given hrp, values and
35// checksum data. Checksum is optional, and if nil a 0 checksum is assumed.
36//
37// Values and checksum (if provided) MUST be encoded as 5 bits per element (base
38// 32), otherwise the results are undefined.
39//
40// For more details on the polymod calculation, please refer to BIP 173.
41func bech32Polymod(hrp string, values, checksum []byte) int {
42	chk := 1
43
44	// Account for the high bits of the HRP in the checksum.
45	for i := 0; i < len(hrp); i++ {
46		b := chk >> 25
47		hiBits := int(hrp[i]) >> 5
48		chk = (chk&0x1ffffff)<<5 ^ hiBits
49		for i := 0; i < 5; i++ {
50			if (b>>uint(i))&1 == 1 {
51				chk ^= gen[i]
52			}
53		}
54	}
55
56	// Account for the separator (0) between high and low bits of the HRP.
57	// x^0 == x, so we eliminate the redundant xor used in the other rounds.
58	b := chk >> 25
59	chk = (chk & 0x1ffffff) << 5
60	for i := 0; i < 5; i++ {
61		if (b>>uint(i))&1 == 1 {
62			chk ^= gen[i]
63		}
64	}
65
66	// Account for the low bits of the HRP.
67	for i := 0; i < len(hrp); i++ {
68		b := chk >> 25
69		loBits := int(hrp[i]) & 31
70		chk = (chk&0x1ffffff)<<5 ^ loBits
71		for i := 0; i < 5; i++ {
72			if (b>>uint(i))&1 == 1 {
73				chk ^= gen[i]
74			}
75		}
76	}
77
78	// Account for the values.
79	for _, v := range values {
80		b := chk >> 25
81		chk = (chk&0x1ffffff)<<5 ^ int(v)
82		for i := 0; i < 5; i++ {
83			if (b>>uint(i))&1 == 1 {
84				chk ^= gen[i]
85			}
86		}
87	}
88
89	if checksum == nil {
90		// A nil checksum is used during encoding, so assume all bytes are zero.
91		// x^0 == x, so we eliminate the redundant xor used in the other rounds.
92		for v := 0; v < 6; v++ {
93			b := chk >> 25
94			chk = (chk & 0x1ffffff) << 5
95			for i := 0; i < 5; i++ {
96				if (b>>uint(i))&1 == 1 {
97					chk ^= gen[i]
98				}
99			}
100		}
101	} else {
102		// Checksum is provided during decoding, so use it.
103		for _, v := range checksum {
104			b := chk >> 25
105			chk = (chk&0x1ffffff)<<5 ^ int(v)
106			for i := 0; i < 5; i++ {
107				if (b>>uint(i))&1 == 1 {
108					chk ^= gen[i]
109				}
110			}
111		}
112	}
113
114	return chk
115}
116
117// writeBech32Checksum calculates the checksum data expected for a string that
118// will have the given hrp and payload data and writes it to the provided string
119// builder.
120//
121// The payload data MUST be encoded as a base 32 (5 bits per element) byte slice
122// and the hrp MUST only use the allowed character set (ascii chars between 33
123// and 126), otherwise the results are undefined.
124//
125// For more details on the checksum calculation, please refer to BIP 173.
126func writeBech32Checksum(hrp string, data []byte, bldr *strings.Builder) {
127	polymod := bech32Polymod(hrp, data, nil) ^ 1
128	for i := 0; i < 6; i++ {
129		b := byte((polymod >> uint(5*(5-i))) & 31)
130
131		// This can't fail, given we explicitly cap the previous b byte by the
132		// first 31 bits.
133		c := charset[b]
134		bldr.WriteByte(c)
135	}
136}
137
138// bech32VerifyChecksum verifies whether the bech32 string specified by the
139// provided hrp and payload data (encoded as 5 bits per element byte slice) has
140// the correct checksum suffix.
141//
142// Data MUST have more than 6 elements, otherwise this function panics.
143//
144// For more details on the checksum verification, please refer to BIP 173.
145func bech32VerifyChecksum(hrp string, data []byte) bool {
146	checksum := data[len(data)-6:]
147	values := data[:len(data)-6]
148	polymod := bech32Polymod(hrp, values, checksum)
149	return polymod == 1
150}
151
152// DecodeNoLimit decodes a bech32 encoded string, returning the human-readable
153// part and the data part excluding the checksum.  This function does NOT
154// validate against the BIP-173 maximum length allowed for bech32 strings and
155// is meant for use in custom applications (such as lightning network payment
156// requests), NOT on-chain addresses.
157//
158// Note that the returned data is 5-bit (base32) encoded and the human-readable
159// part will be lowercase.
160func DecodeNoLimit(bech string) (string, []byte, error) {
161	// The minimum allowed size of a bech32 string is 8 characters, since it
162	// needs a non-empty HRP, a separator, and a 6 character checksum.
163	if len(bech) < 8 {
164		return "", nil, ErrInvalidLength(len(bech))
165	}
166
167	// Only	ASCII characters between 33 and 126 are allowed.
168	var hasLower, hasUpper bool
169	for i := 0; i < len(bech); i++ {
170		if bech[i] < 33 || bech[i] > 126 {
171			return "", nil, ErrInvalidCharacter(bech[i])
172		}
173
174		// The characters must be either all lowercase or all uppercase. Testing
175		// directly with ascii codes is safe here, given the previous test.
176		hasLower = hasLower || (bech[i] >= 97 && bech[i] <= 122)
177		hasUpper = hasUpper || (bech[i] >= 65 && bech[i] <= 90)
178		if hasLower && hasUpper {
179			return "", nil, ErrMixedCase{}
180		}
181	}
182
183	// Bech32 standard uses only the lowercase for of strings for checksum
184	// calculation.
185	if hasUpper {
186		bech = strings.ToLower(bech)
187	}
188
189	// The string is invalid if the last '1' is non-existent, it is the
190	// first character of the string (no human-readable part) or one of the
191	// last 6 characters of the string (since checksum cannot contain '1').
192	one := strings.LastIndexByte(bech, '1')
193	if one < 1 || one+7 > len(bech) {
194		return "", nil, ErrInvalidSeparatorIndex(one)
195	}
196
197	// The human-readable part is everything before the last '1'.
198	hrp := bech[:one]
199	data := bech[one+1:]
200
201	// Each character corresponds to the byte with value of the index in
202	// 'charset'.
203	decoded, err := toBytes(data)
204	if err != nil {
205		return "", nil, err
206	}
207
208	// Verify if the checksum (stored inside decoded[:]) is valid, given the
209	// previously decoded hrp.
210	if !bech32VerifyChecksum(hrp, decoded) {
211		// Invalid checksum. Calculate what it should have been, so that the
212		// error contains this information.
213
214		// Extract the payload bytes and actual checksum in the string.
215		actual := bech[len(bech)-6:]
216		payload := decoded[:len(decoded)-6]
217
218		// Calculate the expected checksum, given the hrp and payload data.
219		var expectedBldr strings.Builder
220		expectedBldr.Grow(6)
221		writeBech32Checksum(hrp, payload, &expectedBldr)
222		expected := expectedBldr.String()
223
224		err = ErrInvalidChecksum{
225			Expected: expected,
226			Actual:   actual,
227		}
228		return "", nil, err
229	}
230
231	// We exclude the last 6 bytes, which is the checksum.
232	return hrp, decoded[:len(decoded)-6], nil
233}
234
235// Decode decodes a bech32 encoded string, returning the human-readable part and
236// the data part excluding the checksum.
237//
238// Note that the returned data is 5-bit (base32) encoded and the human-readable
239// part will be lowercase.
240func Decode(bech string) (string, []byte, error) {
241	// The maximum allowed length for a bech32 string is 90.
242	if len(bech) > 90 {
243		return "", nil, ErrInvalidLength(len(bech))
244	}
245
246	return DecodeNoLimit(bech)
247}
248
249// Encode encodes a byte slice into a bech32 string with the given
250// human-readable part (HRP).  The HRP will be converted to lowercase if needed
251// since mixed cased encodings are not permitted and lowercase is used for
252// checksum purposes.  Note that the bytes must each encode 5 bits (base32).
253func Encode(hrp string, data []byte) (string, error) {
254	// The resulting bech32 string is the concatenation of the lowercase hrp,
255	// the separator 1, data and the 6-byte checksum.
256	hrp = strings.ToLower(hrp)
257	var bldr strings.Builder
258	bldr.Grow(len(hrp) + 1 + len(data) + 6)
259	bldr.WriteString(hrp)
260	bldr.WriteString("1")
261
262	// Write the data part, using the bech32 charset.
263	for _, b := range data {
264		if int(b) >= len(charset) {
265			return "", ErrInvalidDataByte(b)
266		}
267		bldr.WriteByte(charset[b])
268	}
269
270	// Calculate and write the checksum of the data.
271	writeBech32Checksum(hrp, data, &bldr)
272
273	return bldr.String(), nil
274}
275
276// ConvertBits converts a byte slice where each byte is encoding fromBits bits,
277// to a byte slice where each byte is encoding toBits bits.
278func ConvertBits(data []byte, fromBits, toBits uint8, pad bool) ([]byte, error) {
279	if fromBits < 1 || fromBits > 8 || toBits < 1 || toBits > 8 {
280		return nil, ErrInvalidBitGroups{}
281	}
282
283	// Determine the maximum size the resulting array can have after base
284	// conversion, so that we can size it a single time. This might be off
285	// by a byte depending on whether padding is used or not and if the input
286	// data is a multiple of both fromBits and toBits, but we ignore that and
287	// just size it to the maximum possible.
288	maxSize := len(data)*int(fromBits)/int(toBits) + 1
289
290	// The final bytes, each byte encoding toBits bits.
291	regrouped := make([]byte, 0, maxSize)
292
293	// Keep track of the next byte we create and how many bits we have
294	// added to it out of the toBits goal.
295	nextByte := byte(0)
296	filledBits := uint8(0)
297
298	for _, b := range data {
299
300		// Discard unused bits.
301		b = b << (8 - fromBits)
302
303		// How many bits remaining to extract from the input data.
304		remFromBits := fromBits
305		for remFromBits > 0 {
306			// How many bits remaining to be added to the next byte.
307			remToBits := toBits - filledBits
308
309			// The number of bytes to next extract is the minimum of
310			// remFromBits and remToBits.
311			toExtract := remFromBits
312			if remToBits < toExtract {
313				toExtract = remToBits
314			}
315
316			// Add the next bits to nextByte, shifting the already
317			// added bits to the left.
318			nextByte = (nextByte << toExtract) | (b >> (8 - toExtract))
319
320			// Discard the bits we just extracted and get ready for
321			// next iteration.
322			b = b << toExtract
323			remFromBits -= toExtract
324			filledBits += toExtract
325
326			// If the nextByte is completely filled, we add it to
327			// our regrouped bytes and start on the next byte.
328			if filledBits == toBits {
329				regrouped = append(regrouped, nextByte)
330				filledBits = 0
331				nextByte = 0
332			}
333		}
334	}
335
336	// We pad any unfinished group if specified.
337	if pad && filledBits > 0 {
338		nextByte = nextByte << (toBits - filledBits)
339		regrouped = append(regrouped, nextByte)
340		filledBits = 0
341		nextByte = 0
342	}
343
344	// Any incomplete group must be <= 4 bits, and all zeroes.
345	if filledBits > 0 && (filledBits > 4 || nextByte != 0) {
346		return nil, ErrInvalidIncompleteGroup{}
347	}
348
349	return regrouped, nil
350}
351
352// EncodeFromBase256 converts a base256-encoded byte slice into a base32-encoded
353// byte slice and then encodes it into a bech32 string with the given
354// human-readable part (HRP).  The HRP will be converted to lowercase if needed
355// since mixed cased encodings are not permitted and lowercase is used for
356// checksum purposes.
357func EncodeFromBase256(hrp string, data []byte) (string, error) {
358	converted, err := ConvertBits(data, 8, 5, true)
359	if err != nil {
360		return "", err
361	}
362	return Encode(hrp, converted)
363}
364
365// DecodeToBase256 decodes a bech32-encoded string into its associated
366// human-readable part (HRP) and base32-encoded data, converts that data to a
367// base256-encoded byte slice and returns it along with the lowercase HRP.
368func DecodeToBase256(bech string) (string, []byte, error) {
369	hrp, data, err := Decode(bech)
370	if err != nil {
371		return "", nil, err
372	}
373	converted, err := ConvertBits(data, 5, 8, false)
374	if err != nil {
375		return "", nil, err
376	}
377	return hrp, converted, nil
378}
379