Support Koblitz-based and Keccak256-based custom witness verification

src/Neo/Cryptography/Crypto.cs

@@ -28,6 +28,7 @@ public static class Crypto
         private static readonly bool IsOSX = RuntimeInformation.IsOSPlatform(OSPlatform.OSX);
         private static readonly ECCurve secP256k1 = ECCurve.CreateFromFriendlyName("secP256k1");
         private static readonly X9ECParameters bouncySecp256k1 = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp256k1");
+        private static readonly X9ECParameters bouncySecp256r1 = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName("secp256r1");
 
         /// <summary>
         /// Calculates the 160-bit hash value of the specified message.
@@ -50,22 +51,30 @@ public static byte[] Hash256(ReadOnlySpan<byte> message)
         }
 
         /// <summary>
-        /// Signs the specified message using the ECDSA algorithm.
+        /// Signs the specified message using the ECDSA algorithm and specified hash algorithm.
         /// </summary>
         /// <param name="message">The message to be signed.</param>
         /// <param name="priKey">The private key to be used.</param>
         /// <param name="ecCurve">The <see cref="ECC.ECCurve"/> curve of the signature, default is <see cref="ECC.ECCurve.Secp256r1"/>.</param>
+        /// <param name="hasher">The hash algorithm to hash the message, default is SHA256.</param>
         /// <returns>The ECDSA signature for the specified message.</returns>
-        public static byte[] Sign(byte[] message, byte[] priKey, ECC.ECCurve ecCurve = null)
+        public static byte[] Sign(byte[] message, byte[] priKey, ECC.ECCurve ecCurve = null, Hasher hasher = Hasher.SHA256)
         {
-            if (IsOSX && ecCurve == ECC.ECCurve.Secp256k1)
+            if (hasher == Hasher.Keccak256 || (IsOSX && ecCurve == ECC.ECCurve.Secp256k1))
             {
-                var domain = new ECDomainParameters(bouncySecp256k1.Curve, bouncySecp256k1.G, bouncySecp256k1.N, bouncySecp256k1.H);
+                var domain =
+                    ecCurve == null || ecCurve == ECC.ECCurve.Secp256r1 ? new ECDomainParameters(bouncySecp256r1.Curve, bouncySecp256r1.G, bouncySecp256r1.N, bouncySecp256r1.H) :
+                    ecCurve == ECC.ECCurve.Secp256k1 ? new ECDomainParameters(bouncySecp256k1.Curve, bouncySecp256k1.G, bouncySecp256k1.N, bouncySecp256k1.H) :
+                    throw new NotSupportedException(nameof(ecCurve));
                 var signer = new Org.BouncyCastle.Crypto.Signers.ECDsaSigner();
                 var privateKey = new BigInteger(1, priKey);
                 var priKeyParameters = new ECPrivateKeyParameters(privateKey, domain);
                 signer.Init(true, priKeyParameters);
-                var signature = signer.GenerateSignature(message.Sha256());
+                var messageHash =
+                    hasher == Hasher.SHA256 ? message.Sha256() :
+                    hasher == Hasher.Keccak256 ? message.Keccak256() :
+                    throw new NotSupportedException(nameof(hasher));
+                var signature = signer.GenerateSignature(messageHash);
 
                 var signatureBytes = new byte[64];
                 var rBytes = signature[0].ToByteArrayUnsigned();
@@ -87,24 +96,35 @@ public static byte[] Sign(byte[] message, byte[] priKey, ECC.ECCurve ecCurve = n
                 Curve = curve,
                 D = priKey,
             });
-            return ecdsa.SignData(message, HashAlgorithmName.SHA256);
+            var hashAlg =
+                hasher == Hasher.SHA256 ? HashAlgorithmName.SHA256 :
+                throw new NotSupportedException(nameof(hasher));
+            return ecdsa.SignData(message, hashAlg);
         }
 
         /// <summary>
-        /// Verifies that a digital signature is appropriate for the provided key and message.
+        /// Verifies that a digital signature is appropriate for the provided key, message and hash algorithm.
         /// </summary>
         /// <param name="message">The signed message.</param>
         /// <param name="signature">The signature to be verified.</param>
         /// <param name="pubkey">The public key to be used.</param>
+        /// <param name="hasher">The hash algorithm to be used to hash the message, the default is SHA256.</param>
         /// <returns><see langword="true"/> if the signature is valid; otherwise, <see langword="false"/>.</returns>
-        public static bool VerifySignature(ReadOnlySpan<byte> message, ReadOnlySpan<byte> signature, ECC.ECPoint pubkey)
+        public static bool VerifySignature(ReadOnlySpan<byte> message, ReadOnlySpan<byte> signature, ECC.ECPoint pubkey, Hasher hasher = Hasher.SHA256)
         {
             if (signature.Length != 64) return false;
 
-            if (IsOSX && pubkey.Curve == ECC.ECCurve.Secp256k1)
+            if (hasher == Hasher.Keccak256 || (IsOSX && pubkey.Curve == ECC.ECCurve.Secp256k1))
             {
-                var domain = new ECDomainParameters(bouncySecp256k1.Curve, bouncySecp256k1.G, bouncySecp256k1.N, bouncySecp256k1.H);
-                var point = bouncySecp256k1.Curve.CreatePoint(
+                var domain =
+                    pubkey.Curve == ECC.ECCurve.Secp256r1 ? new ECDomainParameters(bouncySecp256r1.Curve, bouncySecp256r1.G, bouncySecp256r1.N, bouncySecp256r1.H) :
+                    pubkey.Curve == ECC.ECCurve.Secp256k1 ? new ECDomainParameters(bouncySecp256k1.Curve, bouncySecp256k1.G, bouncySecp256k1.N, bouncySecp256k1.H) :
+                    throw new NotSupportedException(nameof(pubkey.Curve));
+                var curve =
+                    pubkey.Curve == ECC.ECCurve.Secp256r1 ? bouncySecp256r1.Curve :
+                    bouncySecp256k1.Curve;
+
+                var point = curve.CreatePoint(
                     new BigInteger(pubkey.X.Value.ToString()),
                     new BigInteger(pubkey.Y.Value.ToString()));
                 var pubKey = new ECPublicKeyParameters("ECDSA", point, domain);
@@ -115,11 +135,19 @@ public static bool VerifySignature(ReadOnlySpan<byte> message, ReadOnlySpan<byte
                 var r = new BigInteger(1, sig, 0, 32);
                 var s = new BigInteger(1, sig, 32, 32);
 
-                return signer.VerifySignature(message.Sha256(), r, s);
+                var messageHash =
+                    hasher == Hasher.SHA256 ? message.Sha256() :
+                    hasher == Hasher.Keccak256 ? message.Keccak256() :
+                    throw new NotSupportedException(nameof(hasher));
+
+                return signer.VerifySignature(messageHash, r, s);
             }
 
             var ecdsa = CreateECDsa(pubkey);
-            return ecdsa.VerifyData(message, signature, HashAlgorithmName.SHA256);
+            var hashAlg =
+                hasher == Hasher.SHA256 ? HashAlgorithmName.SHA256 :
+                throw new NotSupportedException(nameof(hasher));
+            return ecdsa.VerifyData(message, signature, hashAlg);
         }
 
         /// <summary>
@@ -153,16 +181,17 @@ public static ECDsa CreateECDsa(ECC.ECPoint pubkey)
         }
 
         /// <summary>
-        /// Verifies that a digital signature is appropriate for the provided key and message.
+        /// Verifies that a digital signature is appropriate for the provided key, curve, message and hasher.
         /// </summary>
         /// <param name="message">The signed message.</param>
         /// <param name="signature">The signature to be verified.</param>
         /// <param name="pubkey">The public key to be used.</param>
         /// <param name="curve">The curve to be used by the ECDSA algorithm.</param>
+        /// <param name="hasher">The hash algorithm to be used hash the message, the default is SHA256.</param>
         /// <returns><see langword="true"/> if the signature is valid; otherwise, <see langword="false"/>.</returns>
-        public static bool VerifySignature(ReadOnlySpan<byte> message, ReadOnlySpan<byte> signature, ReadOnlySpan<byte> pubkey, ECC.ECCurve curve)
+        public static bool VerifySignature(ReadOnlySpan<byte> message, ReadOnlySpan<byte> signature, ReadOnlySpan<byte> pubkey, ECC.ECCurve curve, Hasher hasher = Hasher.SHA256)
         {
-            return VerifySignature(message, signature, ECC.ECPoint.DecodePoint(pubkey, curve));
+            return VerifySignature(message, signature, ECC.ECPoint.DecodePoint(pubkey, curve), hasher);
         }
     }
 }

src/Neo/Cryptography/Hasher.cs

@@ -0,0 +1,29 @@
+// Copyright (C) 2015-2024 The Neo Project.
+//
+// Hasher.cs file belongs to the neo project and is free
+// software distributed under the MIT software license, see the
+// accompanying file LICENSE in the main directory of the
+// repository or http://www.opensource.org/licenses/mit-license.php
+// for more details.
+//
+// Redistribution and use in source and binary forms with or without
+// modifications are permitted.
+
+namespace Neo.Cryptography
+{
+    /// <summary>
+    /// Represents hash function identifiers supported by ECDSA message signature and verification.
+    /// </summary>
+    public enum Hasher : byte
+    {
+        /// <summary>
+        /// The SHA256 hash algorithm.
+        /// </summary>
+        SHA256 = 0x00,
+
+        /// <summary>
+        /// The Keccak256 hash algorithm.
+        /// </summary>
+        Keccak256 = 0x01,
+    }
+}

src/Neo/Cryptography/Helper.cs

@@ -12,6 +12,7 @@
 using Neo.IO;
 using Neo.Network.P2P.Payloads;
 using Neo.Wallets;
+using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Crypto.Engines;
 using Org.BouncyCastle.Crypto.Modes;
 using Org.BouncyCastle.Crypto.Parameters;
@@ -153,6 +154,40 @@ public static byte[] Sha256(this Span<byte> value)
             return Sha256((ReadOnlySpan<byte>)value);
         }
 
+        /// <summary>
+        /// Computes the hash value for the specified byte array using the keccak256 algorithm.
+        /// </summary>
+        /// <param name="value">The input to compute the hash code for.</param>
+        /// <returns>The computed hash code.</returns>
+        public static byte[] Keccak256(this byte[] value)
+        {
+            KeccakDigest keccak = new(256);
+            keccak.BlockUpdate(value, 0, value.Length);
+            byte[] result = new byte[keccak.GetDigestSize()];
+            keccak.DoFinal(result, 0);
+            return result;
+        }
+
+        /// <summary>
+        /// Computes the hash value for the specified byte array using the keccak256 algorithm.
+        /// </summary>
+        /// <param name="value">The input to compute the hash code for.</param>
+        /// <returns>The computed hash code.</returns>
+        public static byte[] Keccak256(this ReadOnlySpan<byte> value)
+        {
+            return Keccak256(value.ToArray());
+        }
+
+        /// <summary>
+        /// Computes the hash value for the specified byte array using the keccak256 algorithm.
+        /// </summary>
+        /// <param name="value">The input to compute the hash code for.</param>
+        /// <returns>The computed hash code.</returns>
+        public static byte[] Keccak256(this Span<byte> value)
+        {
+            return Keccak256(value.ToArray());
+        }
+
         public static byte[] AES256Encrypt(this byte[] plainData, byte[] key, byte[] nonce, byte[] associatedData = null)
         {
             if (nonce.Length != 12) throw new ArgumentOutOfRangeException(nameof(nonce));

src/Neo/SmartContract/Helper.cs

@@ -361,5 +361,22 @@ internal static bool VerifyWitness(this IVerifiable verifiable, ProtocolSettings
             }
             return true;
         }
+
+        /// <summary>
+        /// Emits an <see cref="Instruction"/> with <see cref="OpCode.SYSCALL"/> System.Contract.Call with the specified parameters.
+        /// </summary>
+        /// <param name="builder">Neo VM script builder, <see cref="ScriptBuilder"/>.</param>
+        /// <param name="contractHash">Hash of the contract to call.</param>
+        /// <param name="method">Method of the contract to call.</param>
+        /// <param name="f">Call flags allowed during the call, <see cref="CallFlags"/>.</param>
+        /// <returns>A reference to this instance after the emit operation has completed.</returns>
+        public static ScriptBuilder EmitAppCallNoArgs(this ScriptBuilder builder, UInt160 contractHash, string method, CallFlags f)
+        {
+            builder.EmitPush((byte)f);
+            builder.EmitPush(method);
+            builder.EmitPush(contractHash);
+            builder.EmitSysCall(ApplicationEngine.System_Contract_Call);
+            return builder;
+        }
     }
 }

src/Neo/SmartContract/Native/CryptoLib.cs

@@ -11,7 +11,6 @@
 
 using Neo.Cryptography;
 using Neo.Cryptography.ECC;
-using Org.BouncyCastle.Crypto.Digests;
 using System;
 using System.Collections.Generic;
 
@@ -22,10 +21,12 @@ namespace Neo.SmartContract.Native
     /// </summary>
     public sealed partial class CryptoLib : NativeContract
     {
-        private static readonly Dictionary<NamedCurve, ECCurve> curves = new()
+        private static readonly Dictionary<NamedCurveHash, (ECCurve, Hasher)> curves = new()
         {
-            [NamedCurve.secp256k1] = ECCurve.Secp256k1,
-            [NamedCurve.secp256r1] = ECCurve.Secp256r1
+            [NamedCurveHash.secp256k1SHA256] = (ECCurve.Secp256k1, Hasher.SHA256),
+            [NamedCurveHash.secp256r1SHA256] = (ECCurve.Secp256r1, Hasher.SHA256),
+            [NamedCurveHash.secp256k1Keccak256] = (ECCurve.Secp256k1, Hasher.Keccak256),
+            [NamedCurveHash.secp256r1Keccak256] = (ECCurve.Secp256r1, Hasher.Keccak256),
         };
 
         internal CryptoLib() : base() { }
@@ -73,11 +74,7 @@ public static byte[] Murmur32(byte[] data, uint seed)
         [ContractMethod(Hardfork.HF_Cockatrice, CpuFee = 1 << 15)]
         public static byte[] Keccak256(byte[] data)
         {
-            KeccakDigest keccak = new(256);
-            keccak.BlockUpdate(data, 0, data.Length);
-            byte[] result = new byte[keccak.GetDigestSize()];
-            keccak.DoFinal(result, 0);
-            return result;
+            return data.Keccak256();
         }
 
         /// <summary>
@@ -86,14 +83,15 @@ public static byte[] Keccak256(byte[] data)
         /// <param name="message">The signed message.</param>
         /// <param name="pubkey">The public key to be used.</param>
         /// <param name="signature">The signature to be verified.</param>
-        /// <param name="curve">The curve to be used by the ECDSA algorithm.</param>
+        /// <param name="curveHash">A pair of the curve to be used by the ECDSA algorithm and the hasher function to be used to hash message.</param>
         /// <returns><see langword="true"/> if the signature is valid; otherwise, <see langword="false"/>.</returns>
         [ContractMethod(CpuFee = 1 << 15)]
-        public static bool VerifyWithECDsa(byte[] message, byte[] pubkey, byte[] signature, NamedCurve curve)
+        public static bool VerifyWithECDsa(byte[] message, byte[] pubkey, byte[] signature, NamedCurveHash curveHash)
         {
             try
             {
-                return Crypto.VerifySignature(message, signature, pubkey, curves[curve]);
+                var ch = curves[curveHash];
+                return Crypto.VerifySignature(message, signature, pubkey, ch.Item1, ch.Item2);
             }
             catch (ArgumentException)
             {

src/Neo/SmartContract/Native/NamedCurve.cs

@@ -9,24 +9,30 @@
 // Redistribution and use in source and binary forms with or without
 // modifications are permitted.
 
+using System;
+
 namespace Neo.SmartContract.Native
 {
     /// <summary>
-    /// Represents the named curve used in ECDSA.
+    /// Represents the named curve used in ECDSA. This enum is obsolete
+    /// and will be removed in future versions. Please, use an extended <see cref="NamedCurveHash"/> instead.
     /// </summary>
     /// <remarks>
     /// https://tools.ietf.org/html/rfc4492#section-5.1.1
     /// </remarks>
+    [Obsolete("NamedCurve enum is obsolete and will be removed in future versions. Please, use an extended NamedCurveHash instead.")]
     public enum NamedCurve : byte
     {
         /// <summary>
         /// The secp256k1 curve.
         /// </summary>
+        [Obsolete("secp256k1 value is obsolete and will be removed in future versions. Please, use NamedCurveHash.secp256k1SHA256 for compatible behaviour.")]
         secp256k1 = 22,
 
         /// <summary>
         /// The secp256r1 curve, which known as prime256v1 or nistP-256.
         /// </summary>
+        [Obsolete("secp256r1 value is obsolete and will be removed in future versions. Please, use NamedCurveHash.secp256r1SHA256 for compatible behaviour.")]
         secp256r1 = 23
     }
 }

src/Neo/SmartContract/Native/NamedCurveHash.cs

@@ -0,0 +1,43 @@
+// Copyright (C) 2015-2024 The Neo Project.
+//
+// NamedCurveHash.cs file belongs to the neo project and is free
+// software distributed under the MIT software license, see the
+// accompanying file LICENSE in the main directory of the
+// repository or http://www.opensource.org/licenses/mit-license.php
+// for more details.
+//
+// Redistribution and use in source and binary forms with or without
+// modifications are permitted.
+
+namespace Neo.SmartContract.Native
+{
+    /// <summary>
+    /// Represents a pair of the named curve used in ECDSA and a hash algorithm used to hash message.
+    /// This is a compatible extension of an obsolete <see cref="NamedCurve"/> enum.
+    /// </summary>
+    /// <remarks>
+    /// https://tools.ietf.org/html/rfc4492#section-5.1.1
+    /// </remarks>
+    public enum NamedCurveHash : byte
+    {
+        /// <summary>
+        /// The secp256k1 curve and SHA256 hash algorithm.
+        /// </summary>
+        secp256k1SHA256 = 22,
+
+        /// <summary>
+        /// The secp256r1 curve, which known as prime256v1 or nistP-256, and SHA256 hash algorithm.
+        /// </summary>
+        secp256r1SHA256 = 23,
+
+        /// <summary>
+        /// The secp256k1 curve and Keccak256 hash algorithm.
+        /// </summary>
+        secp256k1Keccak256 = 24,
+
+        /// <summary>
+        /// The secp256r1 curve, which known as prime256v1 or nistP-256, and Keccak256 hash algorithm.
+        /// </summary>
+        secp256r1Keccak256 = 25
+    }
+}