1// Copyright (c) 2017 The btcsuite developers 2// Copyright (c) 2019 The Decred developers 3// Use of this source code is governed by an ISC 4// license that can be found in the LICENSE file. 5 6package bech32 7 8import ( 9 "strings" 10) 11 12// charset is the set of characters used in the data section of bech32 strings. 13// Note that this is ordered, such that for a given charset[i], i is the binary 14// value of the character. 15const charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l" 16 17// gen encodes the generator polynomial for the bech32 BCH checksum. 18var gen = []int{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3} 19 20// toBytes converts each character in the string 'chars' to the value of the 21// index of the correspoding character in 'charset'. 22func toBytes(chars string) ([]byte, error) { 23 decoded := make([]byte, 0, len(chars)) 24 for i := 0; i < len(chars); i++ { 25 index := strings.IndexByte(charset, chars[i]) 26 if index < 0 { 27 return nil, ErrNonCharsetChar(chars[i]) 28 } 29 decoded = append(decoded, byte(index)) 30 } 31 return decoded, nil 32} 33 34// bech32Polymod calculates the BCH checksum for a given hrp, values and 35// checksum data. Checksum is optional, and if nil a 0 checksum is assumed. 36// 37// Values and checksum (if provided) MUST be encoded as 5 bits per element (base 38// 32), otherwise the results are undefined. 39// 40// For more details on the polymod calculation, please refer to BIP 173. 41func bech32Polymod(hrp string, values, checksum []byte) int { 42 chk := 1 43 44 // Account for the high bits of the HRP in the checksum. 45 for i := 0; i < len(hrp); i++ { 46 b := chk >> 25 47 hiBits := int(hrp[i]) >> 5 48 chk = (chk&0x1ffffff)<<5 ^ hiBits 49 for i := 0; i < 5; i++ { 50 if (b>>uint(i))&1 == 1 { 51 chk ^= gen[i] 52 } 53 } 54 } 55 56 // Account for the separator (0) between high and low bits of the HRP. 57 // x^0 == x, so we eliminate the redundant xor used in the other rounds. 58 b := chk >> 25 59 chk = (chk & 0x1ffffff) << 5 60 for i := 0; i < 5; i++ { 61 if (b>>uint(i))&1 == 1 { 62 chk ^= gen[i] 63 } 64 } 65 66 // Account for the low bits of the HRP. 67 for i := 0; i < len(hrp); i++ { 68 b := chk >> 25 69 loBits := int(hrp[i]) & 31 70 chk = (chk&0x1ffffff)<<5 ^ loBits 71 for i := 0; i < 5; i++ { 72 if (b>>uint(i))&1 == 1 { 73 chk ^= gen[i] 74 } 75 } 76 } 77 78 // Account for the values. 79 for _, v := range values { 80 b := chk >> 25 81 chk = (chk&0x1ffffff)<<5 ^ int(v) 82 for i := 0; i < 5; i++ { 83 if (b>>uint(i))&1 == 1 { 84 chk ^= gen[i] 85 } 86 } 87 } 88 89 if checksum == nil { 90 // A nil checksum is used during encoding, so assume all bytes are zero. 91 // x^0 == x, so we eliminate the redundant xor used in the other rounds. 92 for v := 0; v < 6; v++ { 93 b := chk >> 25 94 chk = (chk & 0x1ffffff) << 5 95 for i := 0; i < 5; i++ { 96 if (b>>uint(i))&1 == 1 { 97 chk ^= gen[i] 98 } 99 } 100 } 101 } else { 102 // Checksum is provided during decoding, so use it. 103 for _, v := range checksum { 104 b := chk >> 25 105 chk = (chk&0x1ffffff)<<5 ^ int(v) 106 for i := 0; i < 5; i++ { 107 if (b>>uint(i))&1 == 1 { 108 chk ^= gen[i] 109 } 110 } 111 } 112 } 113 114 return chk 115} 116 117// writeBech32Checksum calculates the checksum data expected for a string that 118// will have the given hrp and payload data and writes it to the provided string 119// builder. 120// 121// The payload data MUST be encoded as a base 32 (5 bits per element) byte slice 122// and the hrp MUST only use the allowed character set (ascii chars between 33 123// and 126), otherwise the results are undefined. 124// 125// For more details on the checksum calculation, please refer to BIP 173. 126func writeBech32Checksum(hrp string, data []byte, bldr *strings.Builder) { 127 polymod := bech32Polymod(hrp, data, nil) ^ 1 128 for i := 0; i < 6; i++ { 129 b := byte((polymod >> uint(5*(5-i))) & 31) 130 131 // This can't fail, given we explicitly cap the previous b byte by the 132 // first 31 bits. 133 c := charset[b] 134 bldr.WriteByte(c) 135 } 136} 137 138// bech32VerifyChecksum verifies whether the bech32 string specified by the 139// provided hrp and payload data (encoded as 5 bits per element byte slice) has 140// the correct checksum suffix. 141// 142// Data MUST have more than 6 elements, otherwise this function panics. 143// 144// For more details on the checksum verification, please refer to BIP 173. 145func bech32VerifyChecksum(hrp string, data []byte) bool { 146 checksum := data[len(data)-6:] 147 values := data[:len(data)-6] 148 polymod := bech32Polymod(hrp, values, checksum) 149 return polymod == 1 150} 151 152// DecodeNoLimit decodes a bech32 encoded string, returning the human-readable 153// part and the data part excluding the checksum. This function does NOT 154// validate against the BIP-173 maximum length allowed for bech32 strings and 155// is meant for use in custom applications (such as lightning network payment 156// requests), NOT on-chain addresses. 157// 158// Note that the returned data is 5-bit (base32) encoded and the human-readable 159// part will be lowercase. 160func DecodeNoLimit(bech string) (string, []byte, error) { 161 // The minimum allowed size of a bech32 string is 8 characters, since it 162 // needs a non-empty HRP, a separator, and a 6 character checksum. 163 if len(bech) < 8 { 164 return "", nil, ErrInvalidLength(len(bech)) 165 } 166 167 // Only ASCII characters between 33 and 126 are allowed. 168 var hasLower, hasUpper bool 169 for i := 0; i < len(bech); i++ { 170 if bech[i] < 33 || bech[i] > 126 { 171 return "", nil, ErrInvalidCharacter(bech[i]) 172 } 173 174 // The characters must be either all lowercase or all uppercase. Testing 175 // directly with ascii codes is safe here, given the previous test. 176 hasLower = hasLower || (bech[i] >= 97 && bech[i] <= 122) 177 hasUpper = hasUpper || (bech[i] >= 65 && bech[i] <= 90) 178 if hasLower && hasUpper { 179 return "", nil, ErrMixedCase{} 180 } 181 } 182 183 // Bech32 standard uses only the lowercase for of strings for checksum 184 // calculation. 185 if hasUpper { 186 bech = strings.ToLower(bech) 187 } 188 189 // The string is invalid if the last '1' is non-existent, it is the 190 // first character of the string (no human-readable part) or one of the 191 // last 6 characters of the string (since checksum cannot contain '1'). 192 one := strings.LastIndexByte(bech, '1') 193 if one < 1 || one+7 > len(bech) { 194 return "", nil, ErrInvalidSeparatorIndex(one) 195 } 196 197 // The human-readable part is everything before the last '1'. 198 hrp := bech[:one] 199 data := bech[one+1:] 200 201 // Each character corresponds to the byte with value of the index in 202 // 'charset'. 203 decoded, err := toBytes(data) 204 if err != nil { 205 return "", nil, err 206 } 207 208 // Verify if the checksum (stored inside decoded[:]) is valid, given the 209 // previously decoded hrp. 210 if !bech32VerifyChecksum(hrp, decoded) { 211 // Invalid checksum. Calculate what it should have been, so that the 212 // error contains this information. 213 214 // Extract the payload bytes and actual checksum in the string. 215 actual := bech[len(bech)-6:] 216 payload := decoded[:len(decoded)-6] 217 218 // Calculate the expected checksum, given the hrp and payload data. 219 var expectedBldr strings.Builder 220 expectedBldr.Grow(6) 221 writeBech32Checksum(hrp, payload, &expectedBldr) 222 expected := expectedBldr.String() 223 224 err = ErrInvalidChecksum{ 225 Expected: expected, 226 Actual: actual, 227 } 228 return "", nil, err 229 } 230 231 // We exclude the last 6 bytes, which is the checksum. 232 return hrp, decoded[:len(decoded)-6], nil 233} 234 235// Decode decodes a bech32 encoded string, returning the human-readable part and 236// the data part excluding the checksum. 237// 238// Note that the returned data is 5-bit (base32) encoded and the human-readable 239// part will be lowercase. 240func Decode(bech string) (string, []byte, error) { 241 // The maximum allowed length for a bech32 string is 90. 242 if len(bech) > 90 { 243 return "", nil, ErrInvalidLength(len(bech)) 244 } 245 246 return DecodeNoLimit(bech) 247} 248 249// Encode encodes a byte slice into a bech32 string with the given 250// human-readable part (HRP). The HRP will be converted to lowercase if needed 251// since mixed cased encodings are not permitted and lowercase is used for 252// checksum purposes. Note that the bytes must each encode 5 bits (base32). 253func Encode(hrp string, data []byte) (string, error) { 254 // The resulting bech32 string is the concatenation of the lowercase hrp, 255 // the separator 1, data and the 6-byte checksum. 256 hrp = strings.ToLower(hrp) 257 var bldr strings.Builder 258 bldr.Grow(len(hrp) + 1 + len(data) + 6) 259 bldr.WriteString(hrp) 260 bldr.WriteString("1") 261 262 // Write the data part, using the bech32 charset. 263 for _, b := range data { 264 if int(b) >= len(charset) { 265 return "", ErrInvalidDataByte(b) 266 } 267 bldr.WriteByte(charset[b]) 268 } 269 270 // Calculate and write the checksum of the data. 271 writeBech32Checksum(hrp, data, &bldr) 272 273 return bldr.String(), nil 274} 275 276// ConvertBits converts a byte slice where each byte is encoding fromBits bits, 277// to a byte slice where each byte is encoding toBits bits. 278func ConvertBits(data []byte, fromBits, toBits uint8, pad bool) ([]byte, error) { 279 if fromBits < 1 || fromBits > 8 || toBits < 1 || toBits > 8 { 280 return nil, ErrInvalidBitGroups{} 281 } 282 283 // Determine the maximum size the resulting array can have after base 284 // conversion, so that we can size it a single time. This might be off 285 // by a byte depending on whether padding is used or not and if the input 286 // data is a multiple of both fromBits and toBits, but we ignore that and 287 // just size it to the maximum possible. 288 maxSize := len(data)*int(fromBits)/int(toBits) + 1 289 290 // The final bytes, each byte encoding toBits bits. 291 regrouped := make([]byte, 0, maxSize) 292 293 // Keep track of the next byte we create and how many bits we have 294 // added to it out of the toBits goal. 295 nextByte := byte(0) 296 filledBits := uint8(0) 297 298 for _, b := range data { 299 300 // Discard unused bits. 301 b = b << (8 - fromBits) 302 303 // How many bits remaining to extract from the input data. 304 remFromBits := fromBits 305 for remFromBits > 0 { 306 // How many bits remaining to be added to the next byte. 307 remToBits := toBits - filledBits 308 309 // The number of bytes to next extract is the minimum of 310 // remFromBits and remToBits. 311 toExtract := remFromBits 312 if remToBits < toExtract { 313 toExtract = remToBits 314 } 315 316 // Add the next bits to nextByte, shifting the already 317 // added bits to the left. 318 nextByte = (nextByte << toExtract) | (b >> (8 - toExtract)) 319 320 // Discard the bits we just extracted and get ready for 321 // next iteration. 322 b = b << toExtract 323 remFromBits -= toExtract 324 filledBits += toExtract 325 326 // If the nextByte is completely filled, we add it to 327 // our regrouped bytes and start on the next byte. 328 if filledBits == toBits { 329 regrouped = append(regrouped, nextByte) 330 filledBits = 0 331 nextByte = 0 332 } 333 } 334 } 335 336 // We pad any unfinished group if specified. 337 if pad && filledBits > 0 { 338 nextByte = nextByte << (toBits - filledBits) 339 regrouped = append(regrouped, nextByte) 340 filledBits = 0 341 nextByte = 0 342 } 343 344 // Any incomplete group must be <= 4 bits, and all zeroes. 345 if filledBits > 0 && (filledBits > 4 || nextByte != 0) { 346 return nil, ErrInvalidIncompleteGroup{} 347 } 348 349 return regrouped, nil 350} 351 352// EncodeFromBase256 converts a base256-encoded byte slice into a base32-encoded 353// byte slice and then encodes it into a bech32 string with the given 354// human-readable part (HRP). The HRP will be converted to lowercase if needed 355// since mixed cased encodings are not permitted and lowercase is used for 356// checksum purposes. 357func EncodeFromBase256(hrp string, data []byte) (string, error) { 358 converted, err := ConvertBits(data, 8, 5, true) 359 if err != nil { 360 return "", err 361 } 362 return Encode(hrp, converted) 363} 364 365// DecodeToBase256 decodes a bech32-encoded string into its associated 366// human-readable part (HRP) and base32-encoded data, converts that data to a 367// base256-encoded byte slice and returns it along with the lowercase HRP. 368func DecodeToBase256(bech string) (string, []byte, error) { 369 hrp, data, err := Decode(bech) 370 if err != nil { 371 return "", nil, err 372 } 373 converted, err := ConvertBits(data, 5, 8, false) 374 if err != nil { 375 return "", nil, err 376 } 377 return hrp, converted, nil 378} 379