milksad
/
rust-secp256k1-unsafe-fast
14
0
Fork 0
Code Issues Pull Requests Activity
rust-secp256k1-unsafe-fast/src/lib.rs

1052 lines
39 KiB
Rust
Raw Normal View History

Add CC0 license and header to all files
2014-08-12 02:26:14 +00:00
// Bitcoin secp256k1 bindings
// Written in 2014 by
// Dawid Ciężarkiewicz
// Andrew Poelstra
//
// To the extent possible under law, the author(s) have dedicated all
// copyright and related and neighboring rights to this software to
// the public domain worldwide. This software is distributed without
// any warranty.
//
// You should have received a copy of the CC0 Public Domain Dedication
// along with this software.
// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
//
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
//! # Secp256k1
//! Rust bindings for Pieter Wuille's secp256k1 library, which is used for
//! fast and accurate manipulation of ECDSA signatures on the secp256k1
//! curve. Such signatures are used extensively by the Bitcoin network
//! and its derivatives.
//!
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
#![crate_type = "lib"]
#![crate_type = "rlib"]
#![crate_type = "dylib"]
Change name to secp256k1 from bitcoin-secp256k1-rs [breaking-change]
2015-03-25 22:20:44 +00:00
#![crate_name = "secp256k1"]
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 16:13:45 +00:00
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
// Coding conventions
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 16:13:45 +00:00
#![deny(non_upper_case_globals)]
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
#![deny(non_camel_case_types)]
Change lint names for upstream
2014-08-30 14:24:44 +00:00
#![deny(non_snake_case)]
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
#![deny(unused_mut)]
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 16:13:45 +00:00
#![warn(missing_docs)]
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
cleanup: remove unused attributes; add `dev` compile feature that'll run clippy
2015-12-20 02:19:45 +00:00
#![cfg_attr(feature = "dev", allow(unstable_features))]
#![cfg_attr(feature = "dev", feature(plugin))]
#![cfg_attr(feature = "dev", plugin(clippy))]
Update Travis to use travis-cargo
2015-07-28 17:38:01 +00:00
#![cfg_attr(all(test, feature = "unstable"), feature(test))]
#[cfg(all(test, feature = "unstable"))] extern crate test;
remove arrayvec dependency; rename PublicKey::serialize_vec
2017-12-19 20:36:46 +00:00
#[cfg(test)] extern crate serde_json as json;
make `rand` crate optional
2017-12-19 20:49:01 +00:00
#[cfg(any(test, feature = "rand"))] extern crate rand;
make `rustc-serialize` crate optional
2017-12-19 22:21:23 +00:00
#[cfg(any(test, feature = "rustc-serialize"))] extern crate rustc_serialize as serialize;
Update Travis to use travis-cargo
2015-07-28 17:38:01 +00:00
Add support for serde (de)serialization; add unit tests
2015-04-10 05:32:12 +00:00
extern crate serde;
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-09-01 03:26:02 +00:00
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
extern crate libc;
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 19:19:53 +00:00
use libc::size_t;
impl Error for error type; remove `Unknown` error variant
2015-10-17 14:49:19 +00:00
use std::{error, fmt, ops, ptr};
make `rand` crate optional
2017-12-19 20:49:01 +00:00
#[cfg(any(test, feature = "rand"))] use rand::Rng;
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 16:13:45 +00:00
#[macro_use]
Travis speaks rust now :D
2014-08-27 17:19:10 +00:00
mod macros;
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
pub mod constants;
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
pub mod ecdh;
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
pub mod ffi;
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
pub mod key;
Expose Schnorr sign/verify
2015-12-15 18:47:07 +00:00
pub mod schnorr;
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
/// A tag used for recovering the public key from a compact signature
Update for language changes (rustc beta is out !!)
2015-04-04 17:20:38 +00:00
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
pub struct RecoveryId(i32);
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
/// An ECDSA signature
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub struct Signature(ffi::Signature);
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
/// An ECDSA signature with a recovery ID for pubkey recovery
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub struct RecoverableSignature(ffi::RecoverableSignature);
Adding to_i32 and from_i32 functions to RecoveryId in order to give library users the ability to create RecoveryId objects and convert them to i32 equivalents, without allowing users to create invalid ones.
2015-10-11 17:29:53 +00:00
impl RecoveryId {
#[inline]
/// Allows library users to create valid recovery IDs from i32.
pub fn from_i32(id: i32) -> Result<RecoveryId, Error> {
match id {
0 | 1 | 2 | 3 => Ok(RecoveryId(id)),
_ => Err(Error::InvalidRecoveryId)
}
}
#[inline]
/// Allows library users to convert recovery IDs to i32.
pub fn to_i32(&self) -> i32 {
self.0
}
}
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
impl Signature {
Make `verify` accept a `Signature` rather than a slice [breaking-change]
2014-09-04 16:52:25 +00:00
#[inline]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
/// Converts a DER-encoded byte slice to a signature
pub fn from_der(secp: &Secp256k1, data: &[u8]) -> Result<Signature, Error> {
let mut ret = unsafe { ffi::Signature::blank() };
Make `verify` accept a `Signature` rather than a slice [breaking-change]
2014-09-04 16:52:25 +00:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
unsafe {
if ffi::secp256k1_ecdsa_signature_parse_der(secp.ctx, &mut ret,
Fix for upstream API changes
2015-09-20 19:52:29 +00:00
data.as_ptr(), data.len() as libc::size_t) == 1 {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
}
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
add compact signature encoding
2017-07-12 19:55:06 +00:00
/// Converts a 64-byte compact-encoded byte slice to a signature
pub fn from_compact(secp: &Secp256k1, data: &[u8]) -> Result<Signature, Error> {
let mut ret = unsafe { ffi::Signature::blank() };
if data.len() != 64 {
return Err(Error::InvalidSignature)
}
unsafe {
if ffi::secp256k1_ecdsa_signature_parse_compact(secp.ctx, &mut ret,
data.as_ptr()) == 1 {
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
}
Add "lax DER" support; bump major version number for recent build system changes
2015-10-26 17:59:40 +00:00
/// Converts a "lax DER"-encoded byte slice to a signature. This is basically
/// only useful for validating signatures in the Bitcoin blockchain from before
/// 2016. It should never be used in new applications. This library does not
/// support serializing to this "format"
pub fn from_der_lax(secp: &Secp256k1, data: &[u8]) -> Result<Signature, Error> {
unsafe {
let mut ret = ffi::Signature::blank();
Update libsecp to latest master, c18b869e58aa4d3bff6958f370f6b643d1223c44
2016-01-14 18:35:54 +00:00
if ffi::ecdsa_signature_parse_der_lax(secp.ctx, &mut ret,
data.as_ptr(), data.len() as libc::size_t) == 1 {
Add "lax DER" support; bump major version number for recent build system changes
2015-10-26 17:59:40 +00:00
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
}
Expose normalize_s function to convert signatures to low-S form
2015-10-26 19:25:18 +00:00
/// Normalizes a signature to a "low S" form. In ECDSA, signatures are
/// of the form (r, s) where r and s are numbers lying in some finite
/// field. The verification equation will pass for (r, s) iff it passes
/// for (r, -s), so it is possible to ``modify'' signatures in transit
/// by flipping the sign of s. This does not constitute a forgery since
/// the signed message still cannot be changed, but for some applications,
/// changing even the signature itself can be a problem. Such applications
/// require a "strong signature". It is believed that ECDSA is a strong
/// signature except for this ambiguity in the sign of s, so to accomodate
/// these applications libsecp256k1 will only accept signatures for which
/// s is in the lower half of the field range. This eliminates the
/// ambiguity.
///
/// However, for some systems, signatures with high s-values are considered
/// valid. (For example, parsing the historic Bitcoin blockchain requires
/// this.) For these applications we provide this normalization function,
/// which ensures that the s value lies in the lower half of its range.
pub fn normalize_s(&mut self, secp: &Secp256k1) {
unsafe {
// Ignore return value, which indicates whether the sig
// was already normalized. We don't care.
ffi::secp256k1_ecdsa_signature_normalize(secp.ctx, self.as_mut_ptr(),
self.as_ptr());
}
}
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
/// Obtains a raw pointer suitable for use with FFI functions
#[inline]
pub fn as_ptr(&self) -> *const ffi::Signature {
&self.0 as *const _
}
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 19:19:53 +00:00
Expose normalize_s function to convert signatures to low-S form
2015-10-26 19:25:18 +00:00
/// Obtains a raw mutable pointer suitable for use with FFI functions
#[inline]
pub fn as_mut_ptr(&mut self) -> *mut ffi::Signature {
&mut self.0 as *mut _
}
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 19:19:53 +00:00
#[inline]
/// Serializes the signature in DER format
pub fn serialize_der(&self, secp: &Secp256k1) -> Vec<u8> {
let mut ret = Vec::with_capacity(72);
let mut len: size_t = ret.capacity() as size_t;
unsafe {
let err = ffi::secp256k1_ecdsa_signature_serialize_der(secp.ctx, ret.as_mut_ptr(),
&mut len, self.as_ptr());
debug_assert!(err == 1);
ret.set_len(len as usize);
}
ret
}
add compact signature encoding
2017-07-12 19:55:06 +00:00
#[inline]
/// Serializes the signature in compact format
pub fn serialize_compact(&self, secp: &Secp256k1) -> [u8; 64] {
let mut ret = [0; 64];
unsafe {
let err = ffi::secp256k1_ecdsa_signature_serialize_compact(secp.ctx, ret.as_mut_ptr(),
self.as_ptr());
debug_assert!(err == 1);
}
ret
}
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
}
Implement serde traits for Signature
2017-07-21 21:58:19 +00:00
impl serde::Serialize for Signature {
fn serialize<S>(&self, s: S) -> Result<S::Ok, S::Error>
where S: serde::Serializer
{
let secp = Secp256k1::with_caps(::ContextFlag::None);
(&self.serialize_compact(&secp)[..]).serialize(s)
}
}
impl<'de> serde::Deserialize<'de> for Signature {
fn deserialize<D>(d: D) -> Result<Signature, D::Error>
where D: serde::Deserializer<'de>
{
use serde::de;
struct Visitor {
marker: std::marker::PhantomData<Signature>,
}
impl<'de> de::Visitor<'de> for Visitor {
type Value = Signature;
#[inline]
fn visit_seq<A>(self, mut a: A) -> Result<Signature, A::Error>
where A: de::SeqAccess<'de>
{
let s = Secp256k1::with_caps(::ContextFlag::None);
unsafe {
use std::mem;
let mut ret: [u8; constants::COMPACT_SIGNATURE_SIZE] = mem::uninitialized();
for i in 0..constants::COMPACT_SIGNATURE_SIZE {
ret[i] = match try!(a.next_element()) {
Some(c) => c,
None => return Err(::serde::de::Error::invalid_length(i, &self))
};
}
let one_after_last : Option<u8> = try!(a.next_element());
if one_after_last.is_some() {
return Err(serde::de::Error::invalid_length(constants::COMPACT_SIGNATURE_SIZE + 1, &self));
}
Signature::from_compact(&s, &ret).map_err(
|e| match e {
Error::InvalidSignature => de::Error::invalid_value(de::Unexpected::Seq, &self),
_ => de::Error::custom(&e.to_string()),
}
)
}
}
fn expecting(&self, f: &mut ::std::fmt::Formatter) -> ::std::fmt::Result {
write!(f, "a sequence of {} bytes representing a syntactically well-formed compact signature",
constants::COMPACT_SIGNATURE_SIZE)
}
}
// Begin actual function
d.deserialize_seq(Visitor { marker: std::marker::PhantomData })
}
}
[BREAKING CHANGE] Make PK::from_secret_key() return a Result; change from_ffi functions to From impls If you try to call PublicKey::from_secret() key with an incapable context it will now return an error. Before it would pass through to the underlying library which would terminate the process, something we strive to never expose. Also change the from_ffi functions on various types to impl's of From to be more Rustic. We cannot change the from_slice functions because they have error returns. Also add a Secp256k1::without_caps() function which creates a capability-less context. I find myself using this in so many places downstream that it seems appropriate.
2015-10-14 14:35:02 +00:00
/// Creates a new signature from a FFI signature
impl From<ffi::Signature> for Signature {
#[inline]
fn from(sig: ffi::Signature) -> Signature {
Signature(sig)
}
}
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
impl RecoverableSignature {
Remove allocations for Signature, use array instead As @dpc observes, embedded systems do not necessarily have allocators, so we should avoid using them if it is not too much hassle. (And it is no hassle at all.)
2014-08-16 06:43:40 +00:00
#[inline]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
/// Converts a compact-encoded byte slice to a signature. This
/// representation is nonstandard and defined by the libsecp256k1
/// library.
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
pub fn from_compact(secp: &Secp256k1, data: &[u8], recid: RecoveryId) -> Result<RecoverableSignature, Error> {
let mut ret = unsafe { ffi::RecoverableSignature::blank() };
Make `verify` accept a `Signature` rather than a slice [breaking-change]
2014-09-04 16:52:25 +00:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
unsafe {
if data.len() != 64 {
Err(Error::InvalidSignature)
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
} else if ffi::secp256k1_ecdsa_recoverable_signature_parse_compact(secp.ctx, &mut ret,
data.as_ptr(), recid.0) == 1 {
Ok(RecoverableSignature(ret))
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
} else {
Err(Error::InvalidSignature)
Make `verify` accept a `Signature` rather than a slice [breaking-change]
2014-09-04 16:52:25 +00:00
}
}
}
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
/// Obtains a raw pointer suitable for use with FFI functions
#[inline]
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
pub fn as_ptr(&self) -> *const ffi::RecoverableSignature {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
&self.0 as *const _
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 14:36:49 +00:00
}
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
RecoverableSignature now supports compact serialization via FFI, with additional test case added.
2015-10-11 07:04:28 +00:00
#[inline]
/// Serializes the recoverable signature in compact format
pub fn serialize_compact(&self, secp: &Secp256k1) -> (RecoveryId, [u8; 64]) {
let mut ret = [0u8; 64];
let mut recid = 0i32;
unsafe {
let err = ffi::secp256k1_ecdsa_recoverable_signature_serialize_compact(
secp.ctx, ret.as_mut_ptr(), &mut recid, self.as_ptr());
assert!(err == 1);
}
(RecoveryId(recid), ret)
}
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
/// Converts a recoverable signature to a non-recoverable one (this is needed
/// for verification
#[inline]
pub fn to_standard(&self, secp: &Secp256k1) -> Signature {
let mut ret = unsafe { ffi::Signature::blank() };
unsafe {
let err = ffi::secp256k1_ecdsa_recoverable_signature_convert(secp.ctx, &mut ret, self.as_ptr());
assert!(err == 1);
}
Signature(ret)
}
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 14:36:49 +00:00
}
[BREAKING CHANGE] Make PK::from_secret_key() return a Result; change from_ffi functions to From impls If you try to call PublicKey::from_secret() key with an incapable context it will now return an error. Before it would pass through to the underlying library which would terminate the process, something we strive to never expose. Also change the from_ffi functions on various types to impl's of From to be more Rustic. We cannot change the from_slice functions because they have error returns. Also add a Secp256k1::without_caps() function which creates a capability-less context. I find myself using this in so many places downstream that it seems appropriate.
2015-10-14 14:35:02 +00:00
/// Creates a new recoverable signature from a FFI one
impl From<ffi::RecoverableSignature> for RecoverableSignature {
#[inline]
fn from(sig: ffi::RecoverableSignature) -> RecoverableSignature {
RecoverableSignature(sig)
}
}
More slicing
2015-03-26 01:52:09 +00:00
impl ops::Index<usize> for Signature {
type Output = u8;
#[inline]
fn index(&self, index: usize) -> &u8 {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
&self.0[index]
More slicing
2015-03-26 01:52:09 +00:00
}
}
impl ops::Index<ops::Range<usize>> for Signature {
type Output = [u8];
#[inline]
fn index(&self, index: ops::Range<usize>) -> &[u8] {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
&self.0[index]
More slicing
2015-03-26 01:52:09 +00:00
}
}
impl ops::Index<ops::RangeFrom<usize>> for Signature {
type Output = [u8];
#[inline]
fn index(&self, index: ops::RangeFrom<usize>) -> &[u8] {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
&self.0[index.start..]
More slicing
2015-03-26 01:52:09 +00:00
}
}
impl ops::Index<ops::RangeFull> for Signature {
type Output = [u8];
#[inline]
fn index(&self, _: ops::RangeFull) -> &[u8] {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
&self.0[..]
Update for language changes (rustc beta is out !!)
2015-04-04 17:20:38 +00:00
}
}
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
/// A (hashed) message input to an ECDSA signature
pub struct Message([u8; constants::MESSAGE_SIZE]);
impl_array_newtype!(Message, u8, constants::MESSAGE_SIZE);
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
impl_pretty_debug!(Message);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
impl Message {
Minor documentation fixes
2015-10-09 16:39:42 +00:00
/// Converts a `MESSAGE_SIZE`-byte slice to a message object
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
#[inline]
pub fn from_slice(data: &[u8]) -> Result<Message, Error> {
match data.len() {
constants::MESSAGE_SIZE => {
let mut ret = [0; constants::MESSAGE_SIZE];
Replace unsafe copy_nonoverlapping() with safe copy_from_slice()
2017-05-08 11:18:35 +00:00
ret[..].copy_from_slice(data);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
Ok(Message(ret))
}
_ => Err(Error::InvalidMessage)
}
}
}
Implement From<[u8;32]> for Message
2017-05-08 11:10:51 +00:00
/// Creates a message from a `MESSAGE_SIZE` byte array
impl From<[u8; constants::MESSAGE_SIZE]> for Message {
fn from(buf: [u8; constants::MESSAGE_SIZE]) -> Message {
Message(buf)
}
}
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
/// An ECDSA error
Update for language changes (rustc beta is out !!)
2015-04-04 17:20:38 +00:00
#[derive(Copy, PartialEq, Eq, Clone, Debug)]
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
pub enum Error {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
/// A `Secp256k1` was used for an operation, but it was not created to
/// support this (so necessary precomputations have not been done)
IncapableContext,
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
/// Signature failed verification
IncorrectSignature,
Improve Error::InvalidMessage comment
2017-05-08 10:11:27 +00:00
/// Badly sized message ("messages" are actually fixed-sized digests; see the `MESSAGE_SIZE`
/// constant)
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
InvalidMessage,
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
/// Bad public key
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
InvalidPublicKey,
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
/// Bad signature
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
InvalidSignature,
Move FFI functions into separate module; add documentation and style lints
2014-08-09 20:27:08 +00:00
/// Bad secret key
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
InvalidSecretKey,
Adding to_i32 and from_i32 functions to RecoveryId in order to give library users the ability to create RecoveryId objects and convert them to i32 equivalents, without allowing users to create invalid ones.
2015-10-11 17:29:53 +00:00
/// Bad recovery id
InvalidRecoveryId,
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
}
Add `Display` impl to `Error`; cleanup `Result` mess
2015-04-06 01:27:43 +00:00
// Passthrough Debug to Display, since errors should be user-visible
impl fmt::Display for Error {
fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
impl Error for error type; remove `Unknown` error variant
2015-10-17 14:49:19 +00:00
f.write_str(error::Error::description(self))
}
}
impl error::Error for Error {
fn cause(&self) -> Option<&error::Error> { None }
fn description(&self) -> &str {
match *self {
Error::IncapableContext => "secp: context does not have sufficient capabilities",
Error::IncorrectSignature => "secp: signature failed verification",
Error::InvalidMessage => "secp: message was not 32 bytes (do you need to hash?)",
Error::InvalidPublicKey => "secp: malformed public key",
Error::InvalidSignature => "secp: malformed signature",
Error::InvalidSecretKey => "secp: malformed or out-of-range secret key",
Error::InvalidRecoveryId => "secp: bad recovery id"
}
Add `Display` impl to `Error`; cleanup `Result` mess
2015-04-06 01:27:43 +00:00
}
}
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
/// The secp256k1 engine, used to execute all signature operations
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
pub struct Secp256k1 {
[BREAKING CHANGE] Fix FFI
2015-11-15 23:00:07 +00:00
ctx: *mut ffi::Context,
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
caps: ContextFlag
}
[BREAKING CHANGE] Fix FFI
2015-11-15 23:00:07 +00:00
unsafe impl Send for Secp256k1 {}
unsafe impl Sync for Secp256k1 {}
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
/// Flags used to determine the capabilities of a `Secp256k1` object;
/// the more capabilities, the more expensive it is to create.
#[derive(PartialEq, Eq, Copy, Clone, Debug)]
pub enum ContextFlag {
/// Can neither sign nor verify signatures (cheapest to create, useful
/// for cases not involving signatures, such as creating keys from slices)
None,
/// Can sign but not verify signatures
SignOnly,
/// Can verify but not create signatures
VerifyOnly,
/// Can verify and create signatures
Full
}
// Passthrough Debug to Display, since caps should be user-visible
impl fmt::Display for ContextFlag {
fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
fmt::Debug::fmt(self, f)
}
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
impl Clone for Secp256k1 {
fn clone(&self) -> Secp256k1 {
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 14:36:49 +00:00
Secp256k1 {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
ctx: unsafe { ffi::secp256k1_context_clone(self.ctx) },
caps: self.caps
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 14:36:49 +00:00
}
}
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
impl PartialEq for Secp256k1 {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
fn eq(&self, other: &Secp256k1) -> bool { self.caps == other.caps }
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 14:36:49 +00:00
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
impl Eq for Secp256k1 { }
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 14:36:49 +00:00
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
impl fmt::Debug for Secp256k1 {
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 14:36:49 +00:00
fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
write!(f, "Secp256k1 {{ [private], caps: {:?} }}", self.caps)
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 14:36:49 +00:00
}
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
impl Drop for Secp256k1 {
[API BREAK] update for libsecp256k1 "explicit context" API break Rather than have global initialization functions, which required expensive synchronization on the part of the Rust library, libsecp256k1 now carries its context in thread-local data which must be passed to every function. What this means for the rust-secp256k1 API is: - Most functions on `PublicKey` and `SecretKey` now require a `Secp256k1` to be given to them. - `Secp256k1::verify` and `::verify_raw` now take a `&self` - `SecretKey::new` now takes a `Secp256k1` rather than a Rng; a future commit will allow specifying the Rng in the `Secp256k1` so that functionality is not lost. - The FFI functions have all changed to take a context argument - `secp256k1::init()` is gone, as is the dependency on std::sync - There is a `ffi::Context` type which must be handled carefully by anyone using it directly (hopefully nobody :))
2015-04-11 17:00:20 +00:00
fn drop(&mut self) {
unsafe { ffi::secp256k1_context_destroy(self.ctx); }
Pull out initialization code so that `PublicKey::from_secret_key` can be used safely
2014-08-10 03:34:16 +00:00
}
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
impl Secp256k1 {
/// Creates a new Secp256k1 context
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
#[inline]
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
pub fn new() -> Secp256k1 {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
Secp256k1::with_caps(ContextFlag::Full)
}
/// Creates a new Secp256k1 context with the specified capabilities
pub fn with_caps(caps: ContextFlag) -> Secp256k1 {
let flag = match caps {
Update for breaking changes in underlying rustc. This should be a major version number since I changed public constants in the ffi module. I'm not doing so as the invariant "will the constants be meaningful to the underlying library" has not changed. In general this library's version numbers do not map well to the underlying library, which is as-yet not versioned at all, so users need to always be running "the lastest" rust-secp256k1 anyway, and semantic versioning can't really be used meaninfully. So this is a bit of a judgement call.
2015-10-25 23:26:08 +00:00
ContextFlag::None => ffi::SECP256K1_START_NONE,
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
ContextFlag::SignOnly => ffi::SECP256K1_START_SIGN,
ContextFlag::VerifyOnly => ffi::SECP256K1_START_VERIFY,
ContextFlag::Full => ffi::SECP256K1_START_SIGN | ffi::SECP256K1_START_VERIFY
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
};
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
Secp256k1 { ctx: unsafe { ffi::secp256k1_context_create(flag) }, caps: caps }
Add `Secp256k1::with_rng`, parameterize `Secp256k1` over its RNG. Now that you can't create secret keys by directly passing a Rng to `SecretKey::new`, we need a way to allow user-chosed randomness. We add it to the `Secp256k1`.
2015-04-11 17:51:39 +00:00
}
[BREAKING CHANGE] Make PK::from_secret_key() return a Result; change from_ffi functions to From impls If you try to call PublicKey::from_secret() key with an incapable context it will now return an error. Before it would pass through to the underlying library which would terminate the process, something we strive to never expose. Also change the from_ffi functions on various types to impl's of From to be more Rustic. We cannot change the from_slice functions because they have error returns. Also add a Secp256k1::without_caps() function which creates a capability-less context. I find myself using this in so many places downstream that it seems appropriate.
2015-10-14 14:35:02 +00:00
/// Creates a new Secp256k1 context with no capabilities (just de/serialization)
pub fn without_caps() -> Secp256k1 {
Secp256k1::with_caps(ContextFlag::None)
}
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 23:22:30 +00:00
/// (Re)randomizes the Secp256k1 context for cheap sidechannel resistence;
/// see comment in libsecp256k1 commit d2275795f by Gregory Maxwell
make `rand` crate optional
2017-12-19 20:49:01 +00:00
#[cfg(any(test, feature = "rand"))]
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 23:22:30 +00:00
pub fn randomize<R: Rng>(&mut self, rng: &mut R) {
let mut seed = [0; 32];
rng.fill_bytes(&mut seed);
unsafe {
let err = ffi::secp256k1_context_randomize(self.ctx, seed.as_ptr());
// This function cannot fail; it has an error return for future-proofing.
// We do not expose this error since it is impossible to hit, and we have
// precedent for not exposing impossible errors (for example in
// `PublicKey::from_secret_key` where it is impossble to create an invalid
// secret key through the API.)
// However, if this DOES fail, the result is potentially weaker side-channel
// resistance, which is deadly and undetectable, so we take out the entire
// thread to be on the safe side.
assert!(err == 1);
}
}
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
/// Generates a random keypair. Convenience function for `key::SecretKey::new`
/// and `key::PublicKey::from_secret_key`; call those functions directly for
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
/// batch key generation. Requires a signing-capable context.
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
#[inline]
make `rand` crate optional
2017-12-19 20:49:01 +00:00
#[cfg(any(test, feature = "rand"))]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
pub fn generate_keypair<R: Rng>(&self, rng: &mut R)
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
-> Result<(key::SecretKey, key::PublicKey), Error> {
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
let sk = key::SecretKey::new(self, rng);
[BREAKING CHANGE] Make PK::from_secret_key() return a Result; change from_ffi functions to From impls If you try to call PublicKey::from_secret() key with an incapable context it will now return an error. Before it would pass through to the underlying library which would terminate the process, something we strive to never expose. Also change the from_ffi functions on various types to impl's of From to be more Rustic. We cannot change the from_slice functions because they have error returns. Also add a Secp256k1::without_caps() function which creates a capability-less context. I find myself using this in so many places downstream that it seems appropriate.
2015-10-14 14:35:02 +00:00
let pk = try!(key::PublicKey::from_secret_key(self, &sk));
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
Ok((sk, pk))
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
}
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
Fix nonce doccoments
2015-12-15 18:48:01 +00:00
/// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
/// Requires a signing-capable context.
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
pub fn sign(&self, msg: &Message, sk: &key::SecretKey)
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
-> Result<Signature, Error> {
if self.caps == ContextFlag::VerifyOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let mut ret = unsafe { ffi::Signature::blank() };
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
unsafe {
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
// We can assume the return value because it's not possible to construct
// an invalid signature from a valid `Message` and `SecretKey`
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
assert_eq!(ffi::secp256k1_ecdsa_sign(self.ctx, &mut ret, msg.as_ptr(),
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
sk.as_ptr(), ffi::secp256k1_nonce_function_rfc6979,
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
ptr::null()), 1);
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
}
[BREAKING CHANGE] Make PK::from_secret_key() return a Result; change from_ffi functions to From impls If you try to call PublicKey::from_secret() key with an incapable context it will now return an error. Before it would pass through to the underlying library which would terminate the process, something we strive to never expose. Also change the from_ffi functions on various types to impl's of From to be more Rustic. We cannot change the from_slice functions because they have error returns. Also add a Secp256k1::without_caps() function which creates a capability-less context. I find myself using this in so many places downstream that it seems appropriate.
2015-10-14 14:35:02 +00:00
Ok(Signature::from(ret))
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
}
Overhaul interface to use zero-on-free SecretKeys Using the `secretdata` library, we can store SecretKeys in such a way that they cannot be moved or copied, and their memory is zeroed out on drop. This gives us some assurance that in the case of memory unsafety, there is not secret key data lying around anywhere that we don't expect. Unfortunately, it means that we cannot construct secret keys and then return them, which forces the interface to change a fair bit. I removed the `generate_keypair` function from Secp256k1, then `generate_nonce` for symmetry, then dropped the `Secp256k1` struct entirely because it turned out that none of the remaining functions used the `self` param. So here we are. I bumped the version number. Sorry about this.
2014-09-12 03:36:15 +00:00
Fix nonce doccoments
2015-12-15 18:48:01 +00:00
/// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
/// Requires a signing-capable context.
pub fn sign_recoverable(&self, msg: &Message, sk: &key::SecretKey)
-> Result<RecoverableSignature, Error> {
if self.caps == ContextFlag::VerifyOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
let mut ret = unsafe { ffi::RecoverableSignature::blank() };
unsafe {
// We can assume the return value because it's not possible to construct
// an invalid signature from a valid `Message` and `SecretKey`
assert_eq!(ffi::secp256k1_ecdsa_sign_recoverable(self.ctx, &mut ret, msg.as_ptr(),
sk.as_ptr(), ffi::secp256k1_nonce_function_rfc6979,
ptr::null()), 1);
}
[BREAKING CHANGE] Make PK::from_secret_key() return a Result; change from_ffi functions to From impls If you try to call PublicKey::from_secret() key with an incapable context it will now return an error. Before it would pass through to the underlying library which would terminate the process, something we strive to never expose. Also change the from_ffi functions on various types to impl's of From to be more Rustic. We cannot change the from_slice functions because they have error returns. Also add a Secp256k1::without_caps() function which creates a capability-less context. I find myself using this in so many places downstream that it seems appropriate.
2015-10-14 14:35:02 +00:00
Ok(RecoverableSignature::from(ret))
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
}
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
/// Determines the public key for which `sig` is a valid signature for
Expose Schnorr sign/verify
2015-12-15 18:47:07 +00:00
/// `msg`. Requires a verify-capable context.
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
pub fn recover(&self, msg: &Message, sig: &RecoverableSignature)
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
-> Result<key::PublicKey, Error> {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
if self.caps == ContextFlag::SignOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let mut pk = unsafe { ffi::PublicKey::blank() };
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
unsafe {
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
if ffi::secp256k1_ecdsa_recover(self.ctx, &mut pk,
sig.as_ptr(), msg.as_ptr()) != 1 {
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 16:13:45 +00:00
return Err(Error::InvalidSignature);
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
}
};
[BREAKING CHANGE] Make PK::from_secret_key() return a Result; change from_ffi functions to From impls If you try to call PublicKey::from_secret() key with an incapable context it will now return an error. Before it would pass through to the underlying library which would terminate the process, something we strive to never expose. Also change the from_ffi functions on various types to impl's of From to be more Rustic. We cannot change the from_slice functions because they have error returns. Also add a Secp256k1::without_caps() function which creates a capability-less context. I find myself using this in so many places downstream that it seems appropriate.
2015-10-14 14:35:02 +00:00
Ok(key::PublicKey::from(pk))
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
}
/// Checks that `sig` is a valid ECDSA signature for `msg` using the public
/// key `pubkey`. Returns `Ok(true)` on success. Note that this function cannot
[API BREAK] update for libsecp256k1 "explicit context" API break Rather than have global initialization functions, which required expensive synchronization on the part of the Rust library, libsecp256k1 now carries its context in thread-local data which must be passed to every function. What this means for the rust-secp256k1 API is: - Most functions on `PublicKey` and `SecretKey` now require a `Secp256k1` to be given to them. - `Secp256k1::verify` and `::verify_raw` now take a `&self` - `SecretKey::new` now takes a `Secp256k1` rather than a Rng; a future commit will allow specifying the Rng in the `Secp256k1` so that functionality is not lost. - The FFI functions have all changed to take a context argument - `secp256k1::init()` is gone, as is the dependency on std::sync - There is a `ffi::Context` type which must be handled carefully by anyone using it directly (hopefully nobody :))
2015-04-11 17:00:20 +00:00
/// be used for Bitcoin consensus checking since there may exist signatures
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
/// which OpenSSL would verify but not libsecp256k1, or vice-versa. Requires a
/// verify-capable context.
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
#[inline]
[API BREAK] update for libsecp256k1 "explicit context" API break Rather than have global initialization functions, which required expensive synchronization on the part of the Rust library, libsecp256k1 now carries its context in thread-local data which must be passed to every function. What this means for the rust-secp256k1 API is: - Most functions on `PublicKey` and `SecretKey` now require a `Secp256k1` to be given to them. - `Secp256k1::verify` and `::verify_raw` now take a `&self` - `SecretKey::new` now takes a `Secp256k1` rather than a Rng; a future commit will allow specifying the Rng in the `Secp256k1` so that functionality is not lost. - The FFI functions have all changed to take a context argument - `secp256k1::init()` is gone, as is the dependency on std::sync - There is a `ffi::Context` type which must be handled carefully by anyone using it directly (hopefully nobody :))
2015-04-11 17:00:20 +00:00
pub fn verify(&self, msg: &Message, sig: &Signature, pk: &key::PublicKey) -> Result<(), Error> {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
if self.caps == ContextFlag::SignOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
if !pk.is_valid() {
Err(Error::InvalidPublicKey)
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
} else if unsafe { ffi::secp256k1_ecdsa_verify(self.ctx, sig.as_ptr(), msg.as_ptr(),
pk.as_ptr()) } == 0 {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
Err(Error::IncorrectSignature)
} else {
Ok(())
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
}
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
}
}
fix unused import warning
2014-08-04 23:58:57 +00:00
#[cfg(test)]
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-09-01 03:26:02 +00:00
mod tests {
Change rand crate to crates.io version
2015-03-25 23:57:16 +00:00
use rand::{Rng, thread_rng};
Add "lax DER" support; bump major version number for recent build system changes
2015-10-26 17:59:40 +00:00
use serialize::hex::FromHex;
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
use key::{SecretKey, PublicKey};
use super::constants;
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
use super::{Secp256k1, Signature, RecoverableSignature, Message, RecoveryId, ContextFlag};
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
use super::Error::{InvalidMessage, InvalidPublicKey, IncorrectSignature, InvalidSignature,
IncapableContext};
Add "lax DER" support; bump major version number for recent build system changes
2015-10-26 17:59:40 +00:00
macro_rules! hex (($hex:expr) => ($hex.from_hex().unwrap()));
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
#[test]
fn capabilities() {
let none = Secp256k1::with_caps(ContextFlag::None);
let sign = Secp256k1::with_caps(ContextFlag::SignOnly);
let vrfy = Secp256k1::with_caps(ContextFlag::VerifyOnly);
let full = Secp256k1::with_caps(ContextFlag::Full);
let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
// Try key generation
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
assert_eq!(none.generate_keypair(&mut thread_rng()), Err(IncapableContext));
assert_eq!(vrfy.generate_keypair(&mut thread_rng()), Err(IncapableContext));
assert!(sign.generate_keypair(&mut thread_rng()).is_ok());
assert!(full.generate_keypair(&mut thread_rng()).is_ok());
let (sk, pk) = full.generate_keypair(&mut thread_rng()).unwrap();
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
// Try signing
assert_eq!(none.sign(&msg, &sk), Err(IncapableContext));
assert_eq!(vrfy.sign(&msg, &sk), Err(IncapableContext));
assert!(sign.sign(&msg, &sk).is_ok());
assert!(full.sign(&msg, &sk).is_ok());
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
assert_eq!(none.sign_recoverable(&msg, &sk), Err(IncapableContext));
assert_eq!(vrfy.sign_recoverable(&msg, &sk), Err(IncapableContext));
assert!(sign.sign_recoverable(&msg, &sk).is_ok());
assert!(full.sign_recoverable(&msg, &sk).is_ok());
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
assert_eq!(sign.sign(&msg, &sk), full.sign(&msg, &sk));
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
assert_eq!(sign.sign_recoverable(&msg, &sk), full.sign_recoverable(&msg, &sk));
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
let sig = full.sign(&msg, &sk).unwrap();
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let sigr = full.sign_recoverable(&msg, &sk).unwrap();
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
// Try verifying
assert_eq!(none.verify(&msg, &sig, &pk), Err(IncapableContext));
assert_eq!(sign.verify(&msg, &sig, &pk), Err(IncapableContext));
assert!(vrfy.verify(&msg, &sig, &pk).is_ok());
assert!(full.verify(&msg, &sig, &pk).is_ok());
// Try pk recovery
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
assert_eq!(none.recover(&msg, &sigr), Err(IncapableContext));
assert_eq!(sign.recover(&msg, &sigr), Err(IncapableContext));
assert!(vrfy.recover(&msg, &sigr).is_ok());
assert!(full.recover(&msg, &sigr).is_ok());
assert_eq!(vrfy.recover(&msg, &sigr),
full.recover(&msg, &sigr));
assert_eq!(full.recover(&msg, &sigr), Ok(pk));
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
// Check that we can produce keys from slices with no precomputation
remove arrayvec dependency; rename PublicKey::serialize_vec
2017-12-19 20:36:46 +00:00
let (pk_slice, sk_slice) = (&pk.serialize(), &sk[..]);
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
let new_pk = PublicKey::from_slice(&none, pk_slice).unwrap();
let new_sk = SecretKey::from_slice(&none, sk_slice).unwrap();
assert_eq!(sk, new_sk);
assert_eq!(pk, new_pk);
}
Add .travis.yml, update tests and Cargo.toml for upstream changes
2014-08-18 01:55:07 +00:00
Add sanity-check unit test for RecoveryId This is kinda silly but gets me 100% coverage from kcov
2015-04-14 03:21:56 +00:00
#[test]
fn recid_sanity_check() {
let one = RecoveryId(1);
assert_eq!(one, one.clone());
}
fix unused import warning
2014-08-04 23:58:57 +00:00
#[test]
fn invalid_pubkey() {
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
let s = Secp256k1::new();
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let sig = RecoverableSignature::from_compact(&s, &[1; 64], RecoveryId(0)).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let pk = PublicKey::new();
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
let mut msg = [0u8; 32];
Update for language changes (rustc beta is out !!)
2015-04-04 17:20:38 +00:00
thread_rng().fill_bytes(&mut msg);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
let msg = Message::from_slice(&msg).unwrap();
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
assert_eq!(s.verify(&msg, &sig.to_standard(&s), &pk), Err(InvalidPublicKey));
fix unused import warning
2014-08-04 23:58:57 +00:00
}
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
fix unused import warning
2014-08-04 23:58:57 +00:00
#[test]
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
fn sign() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 23:22:30 +00:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
let one = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1];
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
let sk = SecretKey::from_slice(&s, &one).unwrap();
let msg = Message::from_slice(&one).unwrap();
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-10 01:03:17 +00:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let sig = s.sign_recoverable(&msg, &sk).unwrap();
assert_eq!(Ok(sig), RecoverableSignature::from_compact(&s, &[
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
0x66, 0x73, 0xff, 0xad, 0x21, 0x47, 0x74, 0x1f,
0x04, 0x77, 0x2b, 0x6f, 0x92, 0x1f, 0x0b, 0xa6,
0xaf, 0x0c, 0x1e, 0x77, 0xfc, 0x43, 0x9e, 0x65,
0xc3, 0x6d, 0xed, 0xf4, 0x09, 0x2e, 0x88, 0x98,
0x4c, 0x1a, 0x97, 0x16, 0x52, 0xe0, 0xad, 0xa8,
0x80, 0x12, 0x0e, 0xf8, 0x02, 0x5e, 0x70, 0x9f,
0xff, 0x20, 0x80, 0xc4, 0xa3, 0x9a, 0xae, 0x06,
0x8d, 0x12, 0xee, 0xd0, 0x09, 0xb6, 0x8c, 0x89],
RecoveryId(1)))
fix unused import warning
2014-08-04 23:58:57 +00:00
}
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 19:19:53 +00:00
#[test]
add compact signature encoding
2017-07-12 19:55:06 +00:00
fn signature_serialize_roundtrip() {
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 19:19:53 +00:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
let mut msg = [0; 32];
for _ in 0..100 {
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
let (sk, _) = s.generate_keypair(&mut thread_rng()).unwrap();
let sig1 = s.sign(&msg, &sk).unwrap();
let der = sig1.serialize_der(&s);
let sig2 = Signature::from_der(&s, &der[..]).unwrap();
assert_eq!(sig1, sig2);
add compact signature encoding
2017-07-12 19:55:06 +00:00
let compact = sig1.serialize_compact(&s);
let sig2 = Signature::from_compact(&s, &compact[..]).unwrap();
assert_eq!(sig1, sig2);
Implement serde traits for Signature
2017-07-21 21:58:19 +00:00
round_trip_serde!(sig1);
add compact signature encoding
2017-07-12 19:55:06 +00:00
assert!(Signature::from_compact(&s, &der[..]).is_err());
assert!(Signature::from_compact(&s, &compact[0..4]).is_err());
assert!(Signature::from_der(&s, &compact[..]).is_err());
assert!(Signature::from_der(&s, &der[0..4]).is_err());
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 19:19:53 +00:00
}
}
Add "lax DER" support; bump major version number for recent build system changes
2015-10-26 17:59:40 +00:00
#[test]
fn signature_lax_der() {
Expose normalize_s function to convert signatures to low-S form
2015-10-26 19:25:18 +00:00
macro_rules! check_lax_sig(
($hex:expr) => ({
let secp = Secp256k1::without_caps();
let sig = hex!($hex);
assert!(Signature::from_der_lax(&secp, &sig[..]).is_ok());
})
);
check_lax_sig!("304402204c2dd8a9b6f8d425fcd8ee9a20ac73b619906a6367eac6cb93e70375225ec0160220356878eff111ff3663d7e6bf08947f94443845e0dcc54961664d922f7660b80c");
check_lax_sig!("304402202ea9d51c7173b1d96d331bd41b3d1b4e78e66148e64ed5992abd6ca66290321c0220628c47517e049b3e41509e9d71e480a0cdc766f8cdec265ef0017711c1b5336f");
check_lax_sig!("3045022100bf8e050c85ffa1c313108ad8c482c4849027937916374617af3f2e9a881861c9022023f65814222cab09d5ec41032ce9c72ca96a5676020736614de7b78a4e55325a");
check_lax_sig!("3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab45");
check_lax_sig!("3046022100eaa5f90483eb20224616775891397d47efa64c68b969db1dacb1c30acdfc50aa022100cf9903bbefb1c8000cf482b0aeeb5af19287af20bd794de11d82716f9bae3db1");
check_lax_sig!("3045022047d512bc85842ac463ca3b669b62666ab8672ee60725b6c06759e476cebdc6c102210083805e93bd941770109bcc797784a71db9e48913f702c56e60b1c3e2ff379a60");
check_lax_sig!("3044022023ee4e95151b2fbbb08a72f35babe02830d14d54bd7ed1320e4751751d1baa4802206235245254f58fd1be6ff19ca291817da76da65c2f6d81d654b5185dd86b8acf");
Add "lax DER" support; bump major version number for recent build system changes
2015-10-26 17:59:40 +00:00
}
fix unused import warning
2014-08-04 23:58:57 +00:00
#[test]
fn sign_and_verify() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 23:22:30 +00:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
let mut msg = [0; 32];
for _ in 0..100 {
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let (sk, pk) = s.generate_keypair(&mut thread_rng()).unwrap();
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-14 03:04:43 +00:00
let sig = s.sign(&msg, &sk).unwrap();
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
assert_eq!(s.verify(&msg, &sig, &pk), Ok(()));
}
fix unused import warning
2014-08-04 23:58:57 +00:00
}
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
fix unused import warning
2014-08-04 23:58:57 +00:00
#[test]
Add extreme value sign/verify test
2015-04-28 18:46:17 +00:00
fn sign_and_verify_extreme() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 23:22:30 +00:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
Add extreme value sign/verify test
2015-04-28 18:46:17 +00:00
// Wild keys: 1, CURVE_ORDER - 1
// Wild msgs: 0, 1, CURVE_ORDER - 1, CURVE_ORDER
let mut wild_keys = [[0; 32]; 2];
let mut wild_msgs = [[0; 32]; 4];
wild_keys[0][0] = 1;
wild_msgs[1][0] = 1;
Replace unsafe copy_nonoverlapping() with safe copy_from_slice()
2017-05-08 11:18:35 +00:00
use constants;
wild_keys[1][..].copy_from_slice(&constants::CURVE_ORDER[..]);
wild_msgs[1][..].copy_from_slice(&constants::CURVE_ORDER[..]);
wild_msgs[2][..].copy_from_slice(&constants::CURVE_ORDER[..]);
wild_keys[1][0] -= 1;
wild_msgs[1][0] -= 1;
Add extreme value sign/verify test
2015-04-28 18:46:17 +00:00
for key in wild_keys.iter().map(|k| SecretKey::from_slice(&s, &k[..]).unwrap()) {
for msg in wild_msgs.iter().map(|m| Message::from_slice(&m[..]).unwrap()) {
let sig = s.sign(&msg, &key).unwrap();
[BREAKING CHANGE] Make PK::from_secret_key() return a Result; change from_ffi functions to From impls If you try to call PublicKey::from_secret() key with an incapable context it will now return an error. Before it would pass through to the underlying library which would terminate the process, something we strive to never expose. Also change the from_ffi functions on various types to impl's of From to be more Rustic. We cannot change the from_slice functions because they have error returns. Also add a Secp256k1::without_caps() function which creates a capability-less context. I find myself using this in so many places downstream that it seems appropriate.
2015-10-14 14:35:02 +00:00
let pk = PublicKey::from_secret_key(&s, &key).unwrap();
Add extreme value sign/verify test
2015-04-28 18:46:17 +00:00
assert_eq!(s.verify(&msg, &sig, &pk), Ok(()));
}
}
}
#[test]
fix unused import warning
2014-08-04 23:58:57 +00:00
fn sign_and_verify_fail() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 23:22:30 +00:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
let mut msg = [0u8; 32];
Update for language changes (rustc beta is out !!)
2015-04-04 17:20:38 +00:00
thread_rng().fill_bytes(&mut msg);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
let msg = Message::from_slice(&msg).unwrap();
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let (sk, pk) = s.generate_keypair(&mut thread_rng()).unwrap();
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let sigr = s.sign_recoverable(&msg, &sk).unwrap();
let sig = sigr.to_standard(&s);
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
let mut msg = [0u8; 32];
Update for language changes (rustc beta is out !!)
2015-04-04 17:20:38 +00:00
thread_rng().fill_bytes(&mut msg);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
let msg = Message::from_slice(&msg).unwrap();
[API BREAK] update for libsecp256k1 "explicit context" API break Rather than have global initialization functions, which required expensive synchronization on the part of the Rust library, libsecp256k1 now carries its context in thread-local data which must be passed to every function. What this means for the rust-secp256k1 API is: - Most functions on `PublicKey` and `SecretKey` now require a `Secp256k1` to be given to them. - `Secp256k1::verify` and `::verify_raw` now take a `&self` - `SecretKey::new` now takes a `Secp256k1` rather than a Rng; a future commit will allow specifying the Rng in the `Secp256k1` so that functionality is not lost. - The FFI functions have all changed to take a context argument - `secp256k1::init()` is gone, as is the dependency on std::sync - There is a `ffi::Context` type which must be handled carefully by anyone using it directly (hopefully nobody :))
2015-04-11 17:00:20 +00:00
assert_eq!(s.verify(&msg, &sig, &pk), Err(IncorrectSignature));
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let recovered_key = s.recover(&msg, &sigr).unwrap();
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
assert!(recovered_key != pk);
fix unused import warning
2014-08-04 23:58:57 +00:00
}
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
fix unused import warning
2014-08-04 23:58:57 +00:00
#[test]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
fn sign_with_recovery() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 23:22:30 +00:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 16:13:45 +00:00
let mut msg = [0u8; 32];
Update for language changes (rustc beta is out !!)
2015-04-04 17:20:38 +00:00
thread_rng().fill_bytes(&mut msg);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-06 05:13:38 +00:00
let msg = Message::from_slice(&msg).unwrap();
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 13:28:35 +00:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let (sk, pk) = s.generate_keypair(&mut thread_rng()).unwrap();
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let sig = s.sign_recoverable(&msg, &sk).unwrap();
Initial (failing) implementation.
2014-07-07 05:41:22 +00:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
assert_eq!(s.recover(&msg, &sig), Ok(pk));
fix unused import warning
2014-08-04 23:58:57 +00:00
}
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-09-01 03:26:02 +00:00
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
#[test]
fn bad_recovery() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 23:22:30 +00:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
let msg = Message::from_slice(&[0x55; 32]).unwrap();
// Zero is not a valid sig
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let sig = RecoverableSignature::from_compact(&s, &[0; 64], RecoveryId(0)).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
assert_eq!(s.recover(&msg, &sig), Err(InvalidSignature));
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
// ...but 111..111 is
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let sig = RecoverableSignature::from_compact(&s, &[1; 64], RecoveryId(0)).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
assert!(s.recover(&msg, &sig).is_ok());
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
}
#[test]
fn test_bad_slice() {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let s = Secp256k1::new();
assert_eq!(Signature::from_der(&s, &[0; constants::MAX_SIGNATURE_SIZE + 1]),
Err(InvalidSignature));
assert_eq!(Signature::from_der(&s, &[0; constants::MAX_SIGNATURE_SIZE]),
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
Err(InvalidSignature));
assert_eq!(Message::from_slice(&[0; constants::MESSAGE_SIZE - 1]),
Err(InvalidMessage));
assert_eq!(Message::from_slice(&[0; constants::MESSAGE_SIZE + 1]),
Err(InvalidMessage));
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
assert!(Message::from_slice(&[0; constants::MESSAGE_SIZE]).is_ok());
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
}
#[test]
fn test_debug_output() {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let s = Secp256k1::new();
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
let sig = RecoverableSignature::from_compact(&s, &[
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
0x66, 0x73, 0xff, 0xad, 0x21, 0x47, 0x74, 0x1f,
0x04, 0x77, 0x2b, 0x6f, 0x92, 0x1f, 0x0b, 0xa6,
0xaf, 0x0c, 0x1e, 0x77, 0xfc, 0x43, 0x9e, 0x65,
0xc3, 0x6d, 0xed, 0xf4, 0x09, 0x2e, 0x88, 0x98,
0x4c, 0x1a, 0x97, 0x16, 0x52, 0xe0, 0xad, 0xa8,
0x80, 0x12, 0x0e, 0xf8, 0x02, 0x5e, 0x70, 0x9f,
0xff, 0x20, 0x80, 0xc4, 0xa3, 0x9a, 0xae, 0x06,
0x8d, 0x12, 0xee, 0xd0, 0x09, 0xb6, 0x8c, 0x89],
RecoveryId(1)).unwrap();
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 20:22:48 +00:00
assert_eq!(&format!("{:?}", sig), "RecoverableSignature(98882e09f4ed6dc3659e43fc771e0cafa60b1f926f2b77041f744721adff7366898cb609d0ee128d06ae9aa3c48020ff9f705e02f80e1280a8ade05216971a4c01)");
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
let msg = Message([1, 2, 3, 4, 5, 6, 7, 8,
9, 10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23, 24,
25, 26, 27, 28, 29, 30, 31, 255]);
assert_eq!(&format!("{:?}", msg), "Message(0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1fff)");
}
RecoverableSignature now supports compact serialization via FFI, with additional test case added.
2015-10-11 07:04:28 +00:00
#[test]
fn test_recov_sig_serialize_compact() {
let s = Secp256k1::new();
let recid_in = RecoveryId(1);
let bytes_in = &[
0x66, 0x73, 0xff, 0xad, 0x21, 0x47, 0x74, 0x1f,
0x04, 0x77, 0x2b, 0x6f, 0x92, 0x1f, 0x0b, 0xa6,
0xaf, 0x0c, 0x1e, 0x77, 0xfc, 0x43, 0x9e, 0x65,
0xc3, 0x6d, 0xed, 0xf4, 0x09, 0x2e, 0x88, 0x98,
0x4c, 0x1a, 0x97, 0x16, 0x52, 0xe0, 0xad, 0xa8,
0x80, 0x12, 0x0e, 0xf8, 0x02, 0x5e, 0x70, 0x9f,
0xff, 0x20, 0x80, 0xc4, 0xa3, 0x9a, 0xae, 0x06,
0x8d, 0x12, 0xee, 0xd0, 0x09, 0xb6, 0x8c, 0x89];
let sig = RecoverableSignature::from_compact(
&s, bytes_in, recid_in).unwrap();
let (recid_out, bytes_out) = sig.serialize_compact(&s);
assert_eq!(recid_in, recid_out);
assert_eq!(&bytes_in[..], &bytes_out[..]);
}
Adding to_i32 and from_i32 functions to RecoveryId in order to give library users the ability to create RecoveryId objects and convert them to i32 equivalents, without allowing users to create invalid ones.
2015-10-11 17:29:53 +00:00
#[test]
fn test_recov_id_conversion_between_i32() {
assert!(RecoveryId::from_i32(-1).is_err());
assert!(RecoveryId::from_i32(0).is_ok());
assert!(RecoveryId::from_i32(1).is_ok());
assert!(RecoveryId::from_i32(2).is_ok());
assert!(RecoveryId::from_i32(3).is_ok());
assert!(RecoveryId::from_i32(4).is_err());
let id0 = RecoveryId::from_i32(0).unwrap();
assert_eq!(id0.to_i32(), 0);
let id1 = RecoveryId(1);
assert_eq!(id1.to_i32(), 1);
}
Expose normalize_s function to convert signatures to low-S form
2015-10-26 19:25:18 +00:00
#[test]
fn test_low_s() {
// nb this is a transaction on testnet
// txid 8ccc87b72d766ab3128f03176bb1c98293f2d1f85ebfaf07b82cc81ea6891fa9
// input number 3
let sig = hex!("3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab45");
let pk = hex!("031ee99d2b786ab3b0991325f2de8489246a6a3fdb700f6d0511b1d80cf5f4cd43");
let msg = hex!("a4965ca63b7d8562736ceec36dfa5a11bf426eb65be8ea3f7a49ae363032da0d");
let secp = Secp256k1::new();
let mut sig = Signature::from_der(&secp, &sig[..]).unwrap();
let pk = PublicKey::from_slice(&secp, &pk[..]).unwrap();
let msg = Message::from_slice(&msg[..]).unwrap();
// without normalization we expect this will fail
assert_eq!(secp.verify(&msg, &sig, &pk), Err(IncorrectSignature));
// after normalization it should pass
sig.normalize_s(&secp);
assert_eq!(secp.verify(&msg, &sig, &pk), Ok(()));
}
Update Travis to use travis-cargo
2015-07-28 17:38:01 +00:00
}
#[cfg(all(test, feature = "unstable"))]
mod benches {
use rand::{Rng, thread_rng};
use test::{Bencher, black_box};
use super::{Secp256k1, Message};
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 15:51:15 +00:00
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-09-01 03:26:02 +00:00
#[bench]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
pub fn generate(bh: &mut Bencher) {
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 20:54:22 +00:00
struct CounterRng(u32);
impl Rng for CounterRng {
fn next_u32(&mut self) -> u32 { self.0 += 1; self.0 }
}
let s = Secp256k1::new();
let mut r = CounterRng(0);
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-09-01 03:26:02 +00:00
bh.iter( || {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let (sk, pk) = s.generate_keypair(&mut r).unwrap();
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00
black_box(sk);
black_box(pk);
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-09-01 03:26:02 +00:00
});
}
#[bench]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
pub fn bench_sign(bh: &mut Bencher) {
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00
let s = Secp256k1::new();
let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let (sk, _) = s.generate_keypair(&mut thread_rng()).unwrap();
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00
bh.iter(|| {
let sig = s.sign(&msg, &sk).unwrap();
black_box(sig);
});
}
#[bench]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
pub fn bench_verify(bh: &mut Bencher) {
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00
let s = Secp256k1::new();
let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let (sk, pk) = s.generate_keypair(&mut thread_rng()).unwrap();
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00
let sig = s.sign(&msg, &sk).unwrap();
bh.iter(|| {
let res = s.verify(&msg, &sig, &pk).unwrap();
black_box(res);
});
}
#[bench]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
pub fn bench_recover(bh: &mut Bencher) {
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00
let s = Secp256k1::new();
let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let (sk, _) = s.generate_keypair(&mut thread_rng()).unwrap();
Fix benchmarks
2015-09-20 20:18:53 +00:00
let sig = s.sign_recoverable(&msg, &sk).unwrap();
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00
bh.iter(|| {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 16:03:10 +00:00
let res = s.recover(&msg, &sig).unwrap();
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00
black_box(res);
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-09-01 03:26:02 +00:00
});
}
fix unused import warning
2014-08-04 23:58:57 +00:00
}
Add a bunch of benchmarks
2015-04-30 19:28:34 +00:00