Move `Signature` and `SerializedSignature` to new `ecdsa` module

With the introduction of Schnorr signatures, exporting a `Signature`
type without any further qualification is ambiguous. To minimize the
ambiguity, the `ecdsa` module is public which should encourage users
to refer to its types as `ecdsa::Signature` and `ecdsa::SerializedSignature`.

To reduce ambiguity in the APIs on `Secp256k1`, we deprecate several
fucntions and introduce new variants that explicitly mention the use of
the ECDSA signature algorithm.

Due to the move of `Signature` and `SerializedSignature` to a new module,
this patch is a breaking change. The impact is minimal though and fixing the
compile errors encourages a qualified naming of the type.
This commit is contained in:
Thomas Eizinger 2021-09-09 19:25:06 +10:00
parent 49c7e21486
commit c47ead9967
No known key found for this signature in database
GPG Key ID: 651AC83A6C6C8B96
6 changed files with 483 additions and 410 deletions

View File

@ -2,22 +2,22 @@ extern crate bitcoin_hashes;
extern crate secp256k1; extern crate secp256k1;
use bitcoin_hashes::{sha256, Hash}; use bitcoin_hashes::{sha256, Hash};
use secp256k1::{Error, Message, PublicKey, Secp256k1, SecretKey, Signature, Signing, Verification}; use secp256k1::{Error, Message, PublicKey, Secp256k1, SecretKey, ecdsa, Signing, Verification};
fn verify<C: Verification>(secp: &Secp256k1<C>, msg: &[u8], sig: [u8; 64], pubkey: [u8; 33]) -> Result<bool, Error> { fn verify<C: Verification>(secp: &Secp256k1<C>, msg: &[u8], sig: [u8; 64], pubkey: [u8; 33]) -> Result<bool, Error> {
let msg = sha256::Hash::hash(msg); let msg = sha256::Hash::hash(msg);
let msg = Message::from_slice(&msg)?; let msg = Message::from_slice(&msg)?;
let sig = Signature::from_compact(&sig)?; let sig = ecdsa::Signature::from_compact(&sig)?;
let pubkey = PublicKey::from_slice(&pubkey)?; let pubkey = PublicKey::from_slice(&pubkey)?;
Ok(secp.verify(&msg, &sig, &pubkey).is_ok()) Ok(secp.verify_ecdsa(&msg, &sig, &pubkey).is_ok())
} }
fn sign<C: Signing>(secp: &Secp256k1<C>, msg: &[u8], seckey: [u8; 32]) -> Result<Signature, Error> { fn sign<C: Signing>(secp: &Secp256k1<C>, msg: &[u8], seckey: [u8; 32]) -> Result<ecdsa::Signature, Error> {
let msg = sha256::Hash::hash(msg); let msg = sha256::Hash::hash(msg);
let msg = Message::from_slice(&msg)?; let msg = Message::from_slice(&msg)?;
let seckey = SecretKey::from_slice(&seckey)?; let seckey = SecretKey::from_slice(&seckey)?;
Ok(secp.sign(&msg, &seckey)) Ok(secp.sign_ecdsa(&msg, &seckey))
} }
fn main() { fn main() {

View File

@ -3,23 +3,22 @@ extern crate bitcoin_hashes;
extern crate secp256k1; extern crate secp256k1;
use bitcoin_hashes::{sha256, Hash}; use bitcoin_hashes::{sha256, Hash};
use secp256k1::recovery::{RecoverableSignature, RecoveryId}; use secp256k1::{Error, Message, PublicKey, Secp256k1, SecretKey, Signing, Verification, ecdsa};
use secp256k1::{Error, Message, PublicKey, Secp256k1, SecretKey, Signing, Verification};
fn recover<C: Verification>(secp: &Secp256k1<C>,msg: &[u8],sig: [u8; 64],recovery_id: u8) -> Result<PublicKey, Error> { fn recover<C: Verification>(secp: &Secp256k1<C>,msg: &[u8],sig: [u8; 64],recovery_id: u8) -> Result<PublicKey, Error> {
let msg = sha256::Hash::hash(msg); let msg = sha256::Hash::hash(msg);
let msg = Message::from_slice(&msg)?; let msg = Message::from_slice(&msg)?;
let id = RecoveryId::from_i32(recovery_id as i32)?; let id = ecdsa::RecoveryId::from_i32(recovery_id as i32)?;
let sig = RecoverableSignature::from_compact(&sig, id)?; let sig = ecdsa::RecoverableSignature::from_compact(&sig, id)?;
secp.recover(&msg, &sig) secp.recover_ecdsa(&msg, &sig)
} }
fn sign_recovery<C: Signing>(secp: &Secp256k1<C>, msg: &[u8], seckey: [u8; 32]) -> Result<RecoverableSignature, Error> { fn sign_recovery<C: Signing>(secp: &Secp256k1<C>, msg: &[u8], seckey: [u8; 32]) -> Result<ecdsa::RecoverableSignature, Error> {
let msg = sha256::Hash::hash(msg); let msg = sha256::Hash::hash(msg);
let msg = Message::from_slice(&msg)?; let msg = Message::from_slice(&msg)?;
let seckey = SecretKey::from_slice(&seckey)?; let seckey = SecretKey::from_slice(&seckey)?;
Ok(secp.sign_recoverable(&msg, &seckey)) Ok(secp.sign_ecdsa_recoverable(&msg, &seckey))
} }
fn main() { fn main() {

View File

@ -106,14 +106,14 @@ fn start(_argc: isize, _argv: *const *const u8) -> isize {
let public_key = PublicKey::from_secret_key(&secp, &secret_key); let public_key = PublicKey::from_secret_key(&secp, &secret_key);
let message = Message::from_slice(&[0xab; 32]).expect("32 bytes"); let message = Message::from_slice(&[0xab; 32]).expect("32 bytes");
let sig = secp.sign(&message, &secret_key); let sig = secp.sign_ecdsa(&message, &secret_key);
assert!(secp.verify(&message, &sig, &public_key).is_ok()); assert!(secp.verify_ecdsa(&message, &sig, &public_key).is_ok());
let rec_sig = secp.sign_recoverable(&message, &secret_key); let rec_sig = secp.sign_ecdsa_recoverable(&message, &secret_key);
assert!(secp.verify(&message, &rec_sig.to_standard(), &public_key).is_ok()); assert!(secp.verify_ecdsa(&message, &rec_sig.to_standard(), &public_key).is_ok());
assert_eq!(public_key, secp.recover(&message, &rec_sig).unwrap()); assert_eq!(public_key, secp.recover_ecdsa(&message, &rec_sig).unwrap());
let (rec_id, data) = rec_sig.serialize_compact(); let (rec_id, data) = rec_sig.serialize_compact();
let new_rec_sig = recovery::RecoverableSignature::from_compact(&data, rec_id).unwrap(); let new_rec_sig = ecdsa::RecoverableSignature::from_compact(&data, rec_id).unwrap();
assert_eq!(rec_sig, new_rec_sig); assert_eq!(rec_sig, new_rec_sig);
let mut cbor_ser = [0u8; 100]; let mut cbor_ser = [0u8; 100];
@ -121,7 +121,7 @@ fn start(_argc: isize, _argv: *const *const u8) -> isize {
let mut ser = Serializer::new(writer); let mut ser = Serializer::new(writer);
sig.serialize(&mut ser).unwrap(); sig.serialize(&mut ser).unwrap();
let size = ser.into_inner().bytes_written(); let size = ser.into_inner().bytes_written();
let new_sig: Signature = de::from_mut_slice(&mut cbor_ser[..size]).unwrap(); let new_sig: ecdsa::Signature = de::from_mut_slice(&mut cbor_ser[..size]).unwrap();
assert_eq!(sig, new_sig); assert_eq!(sig, new_sig);
let _ = SharedSecret::new(&public_key, &secret_key); let _ = SharedSecret::new(&public_key, &secret_key);

307
src/ecdsa/mod.rs Normal file
View File

@ -0,0 +1,307 @@
//! Structs and functionality related to the ECDSA signature algorithm.
use core::{fmt, str, ops};
use Error;
use ffi::CPtr;
use ffi;
use from_hex;
#[cfg(feature = "recovery")]
mod recovery;
#[cfg(feature = "recovery")]
pub use self::recovery::{RecoveryId, RecoverableSignature};
/// An ECDSA signature
#[derive(Copy, Clone, PartialEq, Eq)]
pub struct Signature(pub(crate) ffi::Signature);
/// A DER serialized Signature
#[derive(Copy, Clone)]
pub struct SerializedSignature {
data: [u8; 72],
len: usize,
}
impl fmt::Debug for Signature {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
fmt::Display::fmt(self, f)
}
}
impl fmt::Display for Signature {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let sig = self.serialize_der();
for v in sig.iter() {
write!(f, "{:02x}", v)?;
}
Ok(())
}
}
impl str::FromStr for Signature {
type Err = Error;
fn from_str(s: &str) -> Result<Signature, Error> {
let mut res = [0u8; 72];
match from_hex(s, &mut res) {
Ok(x) => Signature::from_der(&res[0..x]),
_ => Err(Error::InvalidSignature),
}
}
}
impl Default for SerializedSignature {
fn default() -> SerializedSignature {
SerializedSignature {
data: [0u8; 72],
len: 0,
}
}
}
impl PartialEq for SerializedSignature {
fn eq(&self, other: &SerializedSignature) -> bool {
self.data[..self.len] == other.data[..other.len]
}
}
impl AsRef<[u8]> for SerializedSignature {
fn as_ref(&self) -> &[u8] {
&self.data[..self.len]
}
}
impl ops::Deref for SerializedSignature {
type Target = [u8];
fn deref(&self) -> &[u8] {
&self.data[..self.len]
}
}
impl Eq for SerializedSignature {}
impl SerializedSignature {
/// Get a pointer to the underlying data with the specified capacity.
pub(crate) fn get_data_mut_ptr(&mut self) -> *mut u8 {
self.data.as_mut_ptr()
}
/// Get the capacity of the underlying data buffer.
pub fn capacity(&self) -> usize {
self.data.len()
}
/// Get the len of the used data.
pub fn len(&self) -> usize {
self.len
}
/// Set the length of the object.
pub(crate) fn set_len(&mut self, len: usize) {
self.len = len;
}
/// Convert the serialized signature into the Signature struct.
/// (This DER deserializes it)
pub fn to_signature(&self) -> Result<Signature, Error> {
Signature::from_der(&self)
}
/// Create a SerializedSignature from a Signature.
/// (this DER serializes it)
pub fn from_signature(sig: &Signature) -> SerializedSignature {
sig.serialize_der()
}
/// Check if the space is zero.
pub fn is_empty(&self) -> bool { self.len() == 0 }
}
impl Signature {
#[inline]
/// Converts a DER-encoded byte slice to a signature
pub fn from_der(data: &[u8]) -> Result<Signature, Error> {
if data.is_empty() {return Err(Error::InvalidSignature);}
unsafe {
let mut ret = ffi::Signature::new();
if ffi::secp256k1_ecdsa_signature_parse_der(
ffi::secp256k1_context_no_precomp,
&mut ret,
data.as_c_ptr(),
data.len() as usize,
) == 1
{
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
}
/// Converts a 64-byte compact-encoded byte slice to a signature
pub fn from_compact(data: &[u8]) -> Result<Signature, Error> {
if data.len() != 64 {
return Err(Error::InvalidSignature)
}
unsafe {
let mut ret = ffi::Signature::new();
if ffi::secp256k1_ecdsa_signature_parse_compact(
ffi::secp256k1_context_no_precomp,
&mut ret,
data.as_c_ptr(),
) == 1
{
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
}
/// Converts a "lax DER"-encoded byte slice to a signature. This is basically
/// only useful for validating signatures in the Bitcoin blockchain from before
/// 2016. It should never be used in new applications. This library does not
/// support serializing to this "format"
pub fn from_der_lax(data: &[u8]) -> Result<Signature, Error> {
if data.is_empty() {return Err(Error::InvalidSignature);}
unsafe {
let mut ret = ffi::Signature::new();
if ffi::ecdsa_signature_parse_der_lax(
ffi::secp256k1_context_no_precomp,
&mut ret,
data.as_c_ptr(),
data.len() as usize,
) == 1
{
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
}
/// Normalizes a signature to a "low S" form. In ECDSA, signatures are
/// of the form (r, s) where r and s are numbers lying in some finite
/// field. The verification equation will pass for (r, s) iff it passes
/// for (r, -s), so it is possible to ``modify'' signatures in transit
/// by flipping the sign of s. This does not constitute a forgery since
/// the signed message still cannot be changed, but for some applications,
/// changing even the signature itself can be a problem. Such applications
/// require a "strong signature". It is believed that ECDSA is a strong
/// signature except for this ambiguity in the sign of s, so to accommodate
/// these applications libsecp256k1 will only accept signatures for which
/// s is in the lower half of the field range. This eliminates the
/// ambiguity.
///
/// However, for some systems, signatures with high s-values are considered
/// valid. (For example, parsing the historic Bitcoin blockchain requires
/// this.) For these applications we provide this normalization function,
/// which ensures that the s value lies in the lower half of its range.
pub fn normalize_s(&mut self) {
unsafe {
// Ignore return value, which indicates whether the sig
// was already normalized. We don't care.
ffi::secp256k1_ecdsa_signature_normalize(
ffi::secp256k1_context_no_precomp,
self.as_mut_c_ptr(),
self.as_c_ptr(),
);
}
}
/// Obtains a raw pointer suitable for use with FFI functions
#[inline]
pub fn as_ptr(&self) -> *const ffi::Signature {
&self.0
}
/// Obtains a raw mutable pointer suitable for use with FFI functions
#[inline]
pub fn as_mut_ptr(&mut self) -> *mut ffi::Signature {
&mut self.0
}
#[inline]
/// Serializes the signature in DER format
pub fn serialize_der(&self) -> SerializedSignature {
let mut ret = SerializedSignature::default();
let mut len: usize = ret.capacity();
unsafe {
let err = ffi::secp256k1_ecdsa_signature_serialize_der(
ffi::secp256k1_context_no_precomp,
ret.get_data_mut_ptr(),
&mut len,
self.as_c_ptr(),
);
debug_assert!(err == 1);
ret.set_len(len);
}
ret
}
#[inline]
/// Serializes the signature in compact format
pub fn serialize_compact(&self) -> [u8; 64] {
let mut ret = [0u8; 64];
unsafe {
let err = ffi::secp256k1_ecdsa_signature_serialize_compact(
ffi::secp256k1_context_no_precomp,
ret.as_mut_c_ptr(),
self.as_c_ptr(),
);
debug_assert!(err == 1);
}
ret
}
}
impl CPtr for Signature {
type Target = ffi::Signature;
fn as_c_ptr(&self) -> *const Self::Target {
self.as_ptr()
}
fn as_mut_c_ptr(&mut self) -> *mut Self::Target {
self.as_mut_ptr()
}
}
/// Creates a new signature from a FFI signature
impl From<ffi::Signature> for Signature {
#[inline]
fn from(sig: ffi::Signature) -> Signature {
Signature(sig)
}
}
#[cfg(feature = "serde")]
impl ::serde::Serialize for Signature {
fn serialize<S: ::serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
if s.is_human_readable() {
s.collect_str(self)
} else {
s.serialize_bytes(&self.serialize_der())
}
}
}
#[cfg(feature = "serde")]
impl<'de> ::serde::Deserialize<'de> for Signature {
fn deserialize<D: ::serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
if d.is_human_readable() {
d.deserialize_str(::serde_util::FromStrVisitor::new(
"a hex string representing a DER encoded Signature"
))
} else {
d.deserialize_bytes(::serde_util::BytesVisitor::new(
"raw byte stream, that represents a DER encoded Signature",
Signature::from_der
))
}
}
}

View File

@ -19,13 +19,11 @@
use core::ptr; use core::ptr;
use key; use key;
use super::{Secp256k1, Message, Error, Signature, Verification, Signing};
use super::ffi as super_ffi; use super::ffi as super_ffi;
pub use key::SecretKey;
pub use key::PublicKey;
use self::super_ffi::CPtr; use self::super_ffi::CPtr;
use ffi::recovery as ffi; use ffi::recovery as ffi;
use super::*;
use {Verification, Secp256k1, Signing, Message};
/// A tag used for recovering the public key from a compact signature /// A tag used for recovering the public key from a compact signature
#[derive(Copy, Clone, PartialEq, Eq, Debug)] #[derive(Copy, Clone, PartialEq, Eq, Debug)]
@ -148,9 +146,14 @@ impl From<ffi::RecoverableSignature> for RecoverableSignature {
impl<C: Signing> Secp256k1<C> { impl<C: Signing> Secp256k1<C> {
/// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce /// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce
/// Requires a signing-capable context. /// Requires a signing-capable context.
pub fn sign_recoverable(&self, msg: &Message, sk: &key::SecretKey) #[deprecated(since = "0.21.0", note = "Use sign_ecdsa_recoverable instead.")]
-> RecoverableSignature { pub fn sign_recoverable(&self, msg: &Message, sk: &key::SecretKey) -> RecoverableSignature {
self.sign_ecdsa_recoverable(msg, sk)
}
/// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce
/// Requires a signing-capable context.
pub fn sign_ecdsa_recoverable(&self, msg: &Message, sk: &key::SecretKey) -> RecoverableSignature {
let mut ret = ffi::RecoverableSignature::new(); let mut ret = ffi::RecoverableSignature::new();
unsafe { unsafe {
// We can assume the return value because it's not possible to construct // We can assume the return value because it's not possible to construct
@ -175,7 +178,14 @@ impl<C: Signing> Secp256k1<C> {
impl<C: Verification> Secp256k1<C> { impl<C: Verification> Secp256k1<C> {
/// Determines the public key for which `sig` is a valid signature for /// Determines the public key for which `sig` is a valid signature for
/// `msg`. Requires a verify-capable context. /// `msg`. Requires a verify-capable context.
pub fn recover(&self, msg: &Message, sig: &RecoverableSignature) #[deprecated(since = "0.21.0", note = "Use recover_ecdsa instead.")]
pub fn recover(&self, msg: &Message, sig: &RecoverableSignature) -> Result<key::PublicKey, Error> {
self.recover_ecdsa(msg, sig)
}
/// Determines the public key for which `sig` is a valid signature for
/// `msg`. Requires a verify-capable context.
pub fn recover_ecdsa(&self, msg: &Message, sig: &RecoverableSignature)
-> Result<key::PublicKey, Error> { -> Result<key::PublicKey, Error> {
unsafe { unsafe {
@ -192,12 +202,9 @@ impl<C: Verification> Secp256k1<C> {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*;
use rand::{RngCore, thread_rng}; use rand::{RngCore, thread_rng};
use key::SecretKey; use key::SecretKey;
use super::{RecoveryId, RecoverableSignature};
use super::super::{Secp256k1, Message};
use super::super::Error::{IncorrectSignature, InvalidSignature};
#[cfg(target_arch = "wasm32")] #[cfg(target_arch = "wasm32")]
use wasm_bindgen_test::wasm_bindgen_test as test; use wasm_bindgen_test::wasm_bindgen_test as test;
@ -275,7 +282,7 @@ mod tests {
let mut msg = [0u8; 32]; let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg); thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap(); let msg = Message::from_slice(&msg).unwrap();
assert_eq!(s.verify(&msg, &sig, &pk), Err(IncorrectSignature)); assert_eq!(s.verify_ecdsa(&msg, &sig, &pk), Err(Error::IncorrectSignature));
let recovered_key = s.recover(&msg, &sigr).unwrap(); let recovered_key = s.recover(&msg, &sigr).unwrap();
assert!(recovered_key != pk); assert!(recovered_key != pk);
@ -306,7 +313,7 @@ mod tests {
// Zero is not a valid sig // Zero is not a valid sig
let sig = RecoverableSignature::from_compact(&[0; 64], RecoveryId(0)).unwrap(); let sig = RecoverableSignature::from_compact(&[0; 64], RecoveryId(0)).unwrap();
assert_eq!(s.recover(&msg, &sig), Err(InvalidSignature)); assert_eq!(s.recover(&msg, &sig), Err(Error::InvalidSignature));
// ...but 111..111 is // ...but 111..111 is
let sig = RecoverableSignature::from_compact(&[1; 64], RecoveryId(0)).unwrap(); let sig = RecoverableSignature::from_compact(&[1; 64], RecoveryId(0)).unwrap();
assert!(s.recover(&msg, &sig).is_ok()); assert!(s.recover(&msg, &sig).is_ok());

View File

@ -47,8 +47,8 @@
//! let (secret_key, public_key) = secp.generate_keypair(&mut rng); //! let (secret_key, public_key) = secp.generate_keypair(&mut rng);
//! let message = Message::from_hashed_data::<sha256::Hash>("Hello World!".as_bytes()); //! let message = Message::from_hashed_data::<sha256::Hash>("Hello World!".as_bytes());
//! //!
//! let sig = secp.sign(&message, &secret_key); //! let sig = secp.sign_ecdsa(&message, &secret_key);
//! assert!(secp.verify(&message, &sig, &public_key).is_ok()); //! assert!(secp.verify_ecdsa(&message, &sig, &public_key).is_ok());
//! # } //! # }
//! ``` //! ```
//! //!
@ -66,14 +66,14 @@
//! // See the above example for how to use this library together with bitcoin_hashes. //! // See the above example for how to use this library together with bitcoin_hashes.
//! let message = Message::from_slice(&[0xab; 32]).expect("32 bytes"); //! let message = Message::from_slice(&[0xab; 32]).expect("32 bytes");
//! //!
//! let sig = secp.sign(&message, &secret_key); //! let sig = secp.sign_ecdsa(&message, &secret_key);
//! assert!(secp.verify(&message, &sig, &public_key).is_ok()); //! assert!(secp.verify_ecdsa(&message, &sig, &public_key).is_ok());
//! ``` //! ```
//! //!
//! Users who only want to verify signatures can use a cheaper context, like so: //! Users who only want to verify signatures can use a cheaper context, like so:
//! //!
//! ```rust //! ```rust
//! use secp256k1::{Secp256k1, Message, Signature, PublicKey}; //! use secp256k1::{Secp256k1, Message, ecdsa, PublicKey};
//! //!
//! let secp = Secp256k1::verification_only(); //! let secp = Secp256k1::verification_only();
//! //!
@ -92,7 +92,7 @@
//! 0xd5, 0x44, 0x53, 0xcf, 0x6e, 0x82, 0xb4, 0x50, //! 0xd5, 0x44, 0x53, 0xcf, 0x6e, 0x82, 0xb4, 0x50,
//! ]).expect("messages must be 32 bytes and are expected to be hashes"); //! ]).expect("messages must be 32 bytes and are expected to be hashes");
//! //!
//! let sig = Signature::from_compact(&[ //! let sig = ecdsa::Signature::from_compact(&[
//! 0xdc, 0x4d, 0xc2, 0x64, 0xa9, 0xfe, 0xf1, 0x7a, //! 0xdc, 0x4d, 0xc2, 0x64, 0xa9, 0xfe, 0xf1, 0x7a,
//! 0x3f, 0x25, 0x34, 0x49, 0xcf, 0x8c, 0x39, 0x7a, //! 0x3f, 0x25, 0x34, 0x49, 0xcf, 0x8c, 0x39, 0x7a,
//! 0xb6, 0xf1, 0x6f, 0xb3, 0xd6, 0x3d, 0x86, 0x94, //! 0xb6, 0xf1, 0x6f, 0xb3, 0xd6, 0x3d, 0x86, 0x94,
@ -104,7 +104,7 @@
//! ]).expect("compact signatures are 64 bytes; DER signatures are 68-72 bytes"); //! ]).expect("compact signatures are 64 bytes; DER signatures are 68-72 bytes");
//! //!
//! # #[cfg(not(fuzzing))] //! # #[cfg(not(fuzzing))]
//! assert!(secp.verify(&message, &sig, &public_key).is_ok()); //! assert!(secp.verify_ecdsa(&message, &sig, &public_key).is_ok());
//! ``` //! ```
//! //!
//! Observe that the same code using, say [`signing_only`](struct.Secp256k1.html#method.signing_only) //! Observe that the same code using, say [`signing_only`](struct.Secp256k1.html#method.signing_only)
@ -147,9 +147,8 @@ mod key;
pub mod constants; pub mod constants;
pub mod ecdh; pub mod ecdh;
pub mod ecdsa;
pub mod schnorrsig; pub mod schnorrsig;
#[cfg(feature = "recovery")]
pub mod recovery;
#[cfg(feature = "serde")] #[cfg(feature = "serde")]
mod serde_util; mod serde_util;
@ -158,7 +157,6 @@ pub use key::PublicKey;
pub use key::ONE_KEY; pub use key::ONE_KEY;
pub use context::*; pub use context::*;
use core::marker::PhantomData; use core::marker::PhantomData;
use core::ops::Deref;
use core::{mem, fmt, ptr, str}; use core::{mem, fmt, ptr, str};
use ffi::{CPtr, types::AlignedType}; use ffi::{CPtr, types::AlignedType};
@ -168,44 +166,6 @@ pub use context::global::SECP256K1;
#[cfg(feature = "bitcoin_hashes")] #[cfg(feature = "bitcoin_hashes")]
use hashes::Hash; use hashes::Hash;
/// An ECDSA signature
#[derive(Copy, Clone, PartialEq, Eq)]
pub struct Signature(ffi::Signature);
/// A DER serialized Signature
#[derive(Copy, Clone)]
pub struct SerializedSignature {
data: [u8; 72],
len: usize,
}
impl fmt::Debug for Signature {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
fmt::Display::fmt(self, f)
}
}
impl fmt::Display for Signature {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let sig = self.serialize_der();
for v in sig.iter() {
write!(f, "{:02x}", v)?;
}
Ok(())
}
}
impl str::FromStr for Signature {
type Err = Error;
fn from_str(s: &str) -> Result<Signature, Error> {
let mut res = [0u8; 72];
match from_hex(s, &mut res) {
Ok(x) => Signature::from_der(&res[0..x]),
_ => Err(Error::InvalidSignature),
}
}
}
/// Trait describing something that promises to be a 32-byte random number; in particular, /// Trait describing something that promises to be a 32-byte random number; in particular,
/// it has negligible probability of being zero or overflowing the group order. Such objects /// it has negligible probability of being zero or overflowing the group order. Such objects
/// may be converted to `Message`s without any error paths. /// may be converted to `Message`s without any error paths.
@ -235,231 +195,6 @@ impl<T: hashes::sha256t::Tag> ThirtyTwoByteHash for hashes::sha256t::Hash<T> {
} }
} }
impl SerializedSignature {
/// Get a pointer to the underlying data with the specified capacity.
pub(crate) fn get_data_mut_ptr(&mut self) -> *mut u8 {
self.data.as_mut_ptr()
}
/// Get the capacity of the underlying data buffer.
pub fn capacity(&self) -> usize {
self.data.len()
}
/// Get the len of the used data.
pub fn len(&self) -> usize {
self.len
}
/// Set the length of the object.
pub(crate) fn set_len(&mut self, len: usize) {
self.len = len;
}
/// Convert the serialized signature into the Signature struct.
/// (This DER deserializes it)
pub fn to_signature(&self) -> Result<Signature, Error> {
Signature::from_der(&self)
}
/// Create a SerializedSignature from a Signature.
/// (this DER serializes it)
pub fn from_signature(sig: &Signature) -> SerializedSignature {
sig.serialize_der()
}
/// Check if the space is zero.
pub fn is_empty(&self) -> bool { self.len() == 0 }
}
impl Signature {
#[inline]
/// Converts a DER-encoded byte slice to a signature
pub fn from_der(data: &[u8]) -> Result<Signature, Error> {
if data.is_empty() {return Err(Error::InvalidSignature);}
unsafe {
let mut ret = ffi::Signature::new();
if ffi::secp256k1_ecdsa_signature_parse_der(
ffi::secp256k1_context_no_precomp,
&mut ret,
data.as_c_ptr(),
data.len() as usize,
) == 1
{
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
}
/// Converts a 64-byte compact-encoded byte slice to a signature
pub fn from_compact(data: &[u8]) -> Result<Signature, Error> {
if data.len() != 64 {
return Err(Error::InvalidSignature)
}
unsafe {
let mut ret = ffi::Signature::new();
if ffi::secp256k1_ecdsa_signature_parse_compact(
ffi::secp256k1_context_no_precomp,
&mut ret,
data.as_c_ptr(),
) == 1
{
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
}
/// Converts a "lax DER"-encoded byte slice to a signature. This is basically
/// only useful for validating signatures in the Bitcoin blockchain from before
/// 2016. It should never be used in new applications. This library does not
/// support serializing to this "format"
pub fn from_der_lax(data: &[u8]) -> Result<Signature, Error> {
if data.is_empty() {return Err(Error::InvalidSignature);}
unsafe {
let mut ret = ffi::Signature::new();
if ffi::ecdsa_signature_parse_der_lax(
ffi::secp256k1_context_no_precomp,
&mut ret,
data.as_c_ptr(),
data.len() as usize,
) == 1
{
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
}
/// Normalizes a signature to a "low S" form. In ECDSA, signatures are
/// of the form (r, s) where r and s are numbers lying in some finite
/// field. The verification equation will pass for (r, s) iff it passes
/// for (r, -s), so it is possible to ``modify'' signatures in transit
/// by flipping the sign of s. This does not constitute a forgery since
/// the signed message still cannot be changed, but for some applications,
/// changing even the signature itself can be a problem. Such applications
/// require a "strong signature". It is believed that ECDSA is a strong
/// signature except for this ambiguity in the sign of s, so to accommodate
/// these applications libsecp256k1 will only accept signatures for which
/// s is in the lower half of the field range. This eliminates the
/// ambiguity.
///
/// However, for some systems, signatures with high s-values are considered
/// valid. (For example, parsing the historic Bitcoin blockchain requires
/// this.) For these applications we provide this normalization function,
/// which ensures that the s value lies in the lower half of its range.
pub fn normalize_s(&mut self) {
unsafe {
// Ignore return value, which indicates whether the sig
// was already normalized. We don't care.
ffi::secp256k1_ecdsa_signature_normalize(
ffi::secp256k1_context_no_precomp,
self.as_mut_c_ptr(),
self.as_c_ptr(),
);
}
}
/// Obtains a raw pointer suitable for use with FFI functions
#[inline]
pub fn as_ptr(&self) -> *const ffi::Signature {
&self.0
}
/// Obtains a raw mutable pointer suitable for use with FFI functions
#[inline]
pub fn as_mut_ptr(&mut self) -> *mut ffi::Signature {
&mut self.0
}
#[inline]
/// Serializes the signature in DER format
pub fn serialize_der(&self) -> SerializedSignature {
let mut ret = SerializedSignature::default();
let mut len: usize = ret.capacity();
unsafe {
let err = ffi::secp256k1_ecdsa_signature_serialize_der(
ffi::secp256k1_context_no_precomp,
ret.get_data_mut_ptr(),
&mut len,
self.as_c_ptr(),
);
debug_assert!(err == 1);
ret.set_len(len);
}
ret
}
#[inline]
/// Serializes the signature in compact format
pub fn serialize_compact(&self) -> [u8; 64] {
let mut ret = [0u8; 64];
unsafe {
let err = ffi::secp256k1_ecdsa_signature_serialize_compact(
ffi::secp256k1_context_no_precomp,
ret.as_mut_c_ptr(),
self.as_c_ptr(),
);
debug_assert!(err == 1);
}
ret
}
}
impl CPtr for Signature {
type Target = ffi::Signature;
fn as_c_ptr(&self) -> *const Self::Target {
self.as_ptr()
}
fn as_mut_c_ptr(&mut self) -> *mut Self::Target {
self.as_mut_ptr()
}
}
/// Creates a new signature from a FFI signature
impl From<ffi::Signature> for Signature {
#[inline]
fn from(sig: ffi::Signature) -> Signature {
Signature(sig)
}
}
#[cfg(feature = "serde")]
impl ::serde::Serialize for Signature {
fn serialize<S: ::serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
if s.is_human_readable() {
s.collect_str(self)
} else {
s.serialize_bytes(&self.serialize_der())
}
}
}
#[cfg(feature = "serde")]
impl<'de> ::serde::Deserialize<'de> for Signature {
fn deserialize<D: ::serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
if d.is_human_readable() {
d.deserialize_str(serde_util::FromStrVisitor::new(
"a hex string representing a DER encoded Signature"
))
} else {
d.deserialize_bytes(serde_util::BytesVisitor::new(
"raw byte stream, that represents a DER encoded Signature",
Signature::from_der
))
}
}
}
/// A (hashed) message input to an ECDSA signature /// A (hashed) message input to an ECDSA signature
pub struct Message([u8; constants::MESSAGE_SIZE]); pub struct Message([u8; constants::MESSAGE_SIZE]);
impl_array_newtype!(Message, u8, constants::MESSAGE_SIZE); impl_array_newtype!(Message, u8, constants::MESSAGE_SIZE);
@ -575,41 +310,10 @@ unsafe impl<C: Context> Send for Secp256k1<C> {}
// The API does not permit any mutation of `Secp256k1` objects except through `&mut` references // The API does not permit any mutation of `Secp256k1` objects except through `&mut` references
unsafe impl<C: Context> Sync for Secp256k1<C> {} unsafe impl<C: Context> Sync for Secp256k1<C> {}
impl<C: Context> PartialEq for Secp256k1<C> { impl<C: Context> PartialEq for Secp256k1<C> {
fn eq(&self, _other: &Secp256k1<C>) -> bool { true } fn eq(&self, _other: &Secp256k1<C>) -> bool { true }
} }
impl Default for SerializedSignature {
fn default() -> SerializedSignature {
SerializedSignature {
data: [0u8; 72],
len: 0,
}
}
}
impl PartialEq for SerializedSignature {
fn eq(&self, other: &SerializedSignature) -> bool {
self.data[..self.len] == other.data[..other.len]
}
}
impl AsRef<[u8]> for SerializedSignature {
fn as_ref(&self) -> &[u8] {
&self.data[..self.len]
}
}
impl Deref for SerializedSignature {
type Target = [u8];
fn deref(&self) -> &[u8] {
&self.data[..self.len]
}
}
impl Eq for SerializedSignature {}
impl<C: Context> Eq for Secp256k1<C> { } impl<C: Context> Eq for Secp256k1<C> { }
impl<C: Context> Drop for Secp256k1<C> { impl<C: Context> Drop for Secp256k1<C> {
@ -706,9 +410,14 @@ impl<C: Signing> Secp256k1<C> {
/// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce /// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce
/// Requires a signing-capable context. /// Requires a signing-capable context.
pub fn sign(&self, msg: &Message, sk: &key::SecretKey) #[deprecated(since = "0.21.0", note = "Use sign_ecdsa instead.")]
-> Signature { pub fn sign(&self, msg: &Message, sk: &key::SecretKey) -> ecdsa::Signature {
self.sign_ecdsa(msg, sk)
}
/// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce
/// Requires a signing-capable context.
pub fn sign_ecdsa(&self, msg: &Message, sk: &key::SecretKey) -> ecdsa::Signature {
unsafe { unsafe {
let mut ret = ffi::Signature::new(); let mut ret = ffi::Signature::new();
// We can assume the return value because it's not possible to construct // We can assume the return value because it's not possible to construct
@ -716,14 +425,14 @@ impl<C: Signing> Secp256k1<C> {
assert_eq!(ffi::secp256k1_ecdsa_sign(self.ctx, &mut ret, msg.as_c_ptr(), assert_eq!(ffi::secp256k1_ecdsa_sign(self.ctx, &mut ret, msg.as_c_ptr(),
sk.as_c_ptr(), ffi::secp256k1_nonce_function_rfc6979, sk.as_c_ptr(), ffi::secp256k1_nonce_function_rfc6979,
ptr::null()), 1); ptr::null()), 1);
Signature::from(ret) ecdsa::Signature::from(ret)
} }
} }
fn sign_grind_with_check( fn sign_grind_with_check(
&self, msg: &Message, &self, msg: &Message,
sk: &key::SecretKey, sk: &SecretKey,
check: impl Fn(&ffi::Signature) -> bool) -> Signature { check: impl Fn(&ffi::Signature) -> bool) -> ecdsa::Signature {
let mut entropy_p : *const ffi::types::c_void = ptr::null(); let mut entropy_p : *const ffi::types::c_void = ptr::null();
let mut counter : u32 = 0; let mut counter : u32 = 0;
let mut extra_entropy = [0u8; 32]; let mut extra_entropy = [0u8; 32];
@ -736,7 +445,7 @@ impl<C: Signing> Secp256k1<C> {
sk.as_c_ptr(), ffi::secp256k1_nonce_function_rfc6979, sk.as_c_ptr(), ffi::secp256k1_nonce_function_rfc6979,
entropy_p), 1); entropy_p), 1);
if check(&ret) { if check(&ret) {
return Signature::from(ret); return ecdsa::Signature::from(ret);
} }
counter += 1; counter += 1;
@ -751,7 +460,7 @@ impl<C: Signing> Secp256k1<C> {
// When fuzzing, these checks will usually spinloop forever, so just short-circuit them. // When fuzzing, these checks will usually spinloop forever, so just short-circuit them.
#[cfg(fuzzing)] #[cfg(fuzzing)]
return Signature::from(ret); return ecdsa::Signature::from(ret);
} }
} }
} }
@ -762,7 +471,18 @@ impl<C: Signing> Secp256k1<C> {
/// of signing operation performed by this function is exponential in the /// of signing operation performed by this function is exponential in the
/// number of bytes grinded. /// number of bytes grinded.
/// Requires a signing capable context. /// Requires a signing capable context.
pub fn sign_grind_r(&self, msg: &Message, sk: &key::SecretKey, bytes_to_grind: usize) -> Signature { #[deprecated(since = "0.21.0", note = "Use sign_ecdsa_grind_r instead.")]
pub fn sign_grind_r(&self, msg: &Message, sk: &SecretKey, bytes_to_grind: usize) -> ecdsa::Signature {
self.sign_ecdsa_grind_r(msg, sk, bytes_to_grind)
}
/// Constructs a signature for `msg` using the secret key `sk`, RFC6979 nonce
/// and "grinds" the nonce by passing extra entropy if necessary to produce
/// a signature that is less than 71 - bytes_to_grund bytes. The number
/// of signing operation performed by this function is exponential in the
/// number of bytes grinded.
/// Requires a signing capable context.
pub fn sign_ecdsa_grind_r(&self, msg: &Message, sk: &SecretKey, bytes_to_grind: usize) -> ecdsa::Signature {
let len_check = |s : &ffi::Signature| der_length_check(s, 71 - bytes_to_grind); let len_check = |s : &ffi::Signature| der_length_check(s, 71 - bytes_to_grind);
return self.sign_grind_with_check(msg, sk, len_check); return self.sign_grind_with_check(msg, sk, len_check);
} }
@ -773,7 +493,18 @@ impl<C: Signing> Secp256k1<C> {
/// signature implementation of bitcoin core. In average, this function /// signature implementation of bitcoin core. In average, this function
/// will perform two signing operations. /// will perform two signing operations.
/// Requires a signing capable context. /// Requires a signing capable context.
pub fn sign_low_r(&self, msg: &Message, sk: &key::SecretKey) -> Signature { #[deprecated(since = "0.21.0", note = "Use sign_ecdsa_grind_r instead.")]
pub fn sign_low_r(&self, msg: &Message, sk: &SecretKey) -> ecdsa::Signature {
return self.sign_grind_with_check(msg, sk, compact_sig_has_zero_first_bit)
}
/// Constructs a signature for `msg` using the secret key `sk`, RFC6979 nonce
/// and "grinds" the nonce by passing extra entropy if necessary to produce
/// a signature that is less than 71 bytes and compatible with the low r
/// signature implementation of bitcoin core. In average, this function
/// will perform two signing operations.
/// Requires a signing capable context.
pub fn sign_ecdsa_low_r(&self, msg: &Message, sk: &SecretKey) -> ecdsa::Signature {
return self.sign_grind_with_check(msg, sk, compact_sig_has_zero_first_bit) return self.sign_grind_with_check(msg, sk, compact_sig_has_zero_first_bit)
} }
@ -816,7 +547,36 @@ impl<C: Verification> Secp256k1<C> {
/// # } /// # }
/// ``` /// ```
#[inline] #[inline]
pub fn verify(&self, msg: &Message, sig: &Signature, pk: &key::PublicKey) -> Result<(), Error> { #[deprecated(since = "0.21.0", note = "Use verify_ecdsa instead")]
pub fn verify(&self, msg: &Message, sig: &ecdsa::Signature, pk: &PublicKey) -> Result<(), Error> {
self.verify_ecdsa(msg, sig, pk)
}
/// Checks that `sig` is a valid ECDSA signature for `msg` using the public
/// key `pubkey`. Returns `Ok(())` on success. Note that this function cannot
/// be used for Bitcoin consensus checking since there may exist signatures
/// which OpenSSL would verify but not libsecp256k1, or vice-versa. Requires a
/// verify-capable context.
///
/// ```rust
/// # #[cfg(feature="rand")] {
/// # use secp256k1::rand::rngs::OsRng;
/// # use secp256k1::{Secp256k1, Message, Error};
/// #
/// # let secp = Secp256k1::new();
/// # let mut rng = OsRng::new().expect("OsRng");
/// # let (secret_key, public_key) = secp.generate_keypair(&mut rng);
/// #
/// let message = Message::from_slice(&[0xab; 32]).expect("32 bytes");
/// let sig = secp.sign_ecdsa(&message, &secret_key);
/// assert_eq!(secp.verify_ecdsa(&message, &sig, &public_key), Ok(()));
///
/// let message = Message::from_slice(&[0xcd; 32]).expect("32 bytes");
/// assert_eq!(secp.verify_ecdsa(&message, &sig, &public_key), Err(Error::IncorrectSignature));
/// # }
/// ```
#[inline]
pub fn verify_ecdsa(&self, msg: &Message, sig: &ecdsa::Signature, pk: &PublicKey) -> Result<(), Error> {
unsafe { unsafe {
if ffi::secp256k1_ecdsa_verify(self.ctx, sig.as_c_ptr(), msg.as_c_ptr(), pk.as_c_ptr()) == 0 { if ffi::secp256k1_ecdsa_verify(self.ctx, sig.as_c_ptr(), msg.as_c_ptr(), pk.as_c_ptr()) == 0 {
Err(Error::IncorrectSignature) Err(Error::IncorrectSignature)
@ -911,12 +671,12 @@ mod tests {
let (sk, pk) = full.generate_keypair(&mut thread_rng()); let (sk, pk) = full.generate_keypair(&mut thread_rng());
let msg = Message::from_slice(&[2u8; 32]).unwrap(); let msg = Message::from_slice(&[2u8; 32]).unwrap();
// Try signing // Try signing
assert_eq!(sign.sign(&msg, &sk), full.sign(&msg, &sk)); assert_eq!(sign.sign_ecdsa(&msg, &sk), full.sign_ecdsa(&msg, &sk));
let sig = full.sign(&msg, &sk); let sig = full.sign_ecdsa(&msg, &sk);
// Try verifying // Try verifying
assert!(vrfy.verify(&msg, &sig, &pk).is_ok()); assert!(vrfy.verify_ecdsa(&msg, &sig, &pk).is_ok());
assert!(full.verify(&msg, &sig, &pk).is_ok()); assert!(full.verify_ecdsa(&msg, &sig, &pk).is_ok());
drop(full);drop(sign);drop(vrfy); drop(full);drop(sign);drop(vrfy);
@ -940,12 +700,12 @@ mod tests {
let (sk, pk) = full.generate_keypair(&mut thread_rng()); let (sk, pk) = full.generate_keypair(&mut thread_rng());
let msg = Message::from_slice(&[2u8; 32]).unwrap(); let msg = Message::from_slice(&[2u8; 32]).unwrap();
// Try signing // Try signing
assert_eq!(sign.sign(&msg, &sk), full.sign(&msg, &sk)); assert_eq!(sign.sign_ecdsa(&msg, &sk), full.sign_ecdsa(&msg, &sk));
let sig = full.sign(&msg, &sk); let sig = full.sign_ecdsa(&msg, &sk);
// Try verifying // Try verifying
assert!(vrfy.verify(&msg, &sig, &pk).is_ok()); assert!(vrfy.verify_ecdsa(&msg, &sig, &pk).is_ok());
assert!(full.verify(&msg, &sig, &pk).is_ok()); assert!(full.verify_ecdsa(&msg, &sig, &pk).is_ok());
unsafe { unsafe {
ManuallyDrop::drop(&mut full); ManuallyDrop::drop(&mut full);
@ -984,12 +744,12 @@ mod tests {
let (sk, pk) = full.generate_keypair(&mut thread_rng()); let (sk, pk) = full.generate_keypair(&mut thread_rng());
let msg = Message::from_slice(&[2u8; 32]).unwrap(); let msg = Message::from_slice(&[2u8; 32]).unwrap();
// Try signing // Try signing
assert_eq!(sign.sign(&msg, &sk), full.sign(&msg, &sk)); assert_eq!(sign.sign_ecdsa(&msg, &sk), full.sign_ecdsa(&msg, &sk));
let sig = full.sign(&msg, &sk); let sig = full.sign_ecdsa(&msg, &sk);
// Try verifying // Try verifying
assert!(vrfy.verify(&msg, &sig, &pk).is_ok()); assert!(vrfy.verify_ecdsa(&msg, &sig, &pk).is_ok());
assert!(full.verify(&msg, &sig, &pk).is_ok()); assert!(full.verify_ecdsa(&msg, &sig, &pk).is_ok());
} }
#[test] #[test]
@ -1006,12 +766,12 @@ mod tests {
let (sk, pk) = full.generate_keypair(&mut thread_rng()); let (sk, pk) = full.generate_keypair(&mut thread_rng());
// Try signing // Try signing
assert_eq!(sign.sign(&msg, &sk), full.sign(&msg, &sk)); assert_eq!(sign.sign_ecdsa(&msg, &sk), full.sign_ecdsa(&msg, &sk));
let sig = full.sign(&msg, &sk); let sig = full.sign_ecdsa(&msg, &sk);
// Try verifying // Try verifying
assert!(vrfy.verify(&msg, &sig, &pk).is_ok()); assert!(vrfy.verify_ecdsa(&msg, &sig, &pk).is_ok());
assert!(full.verify(&msg, &sig, &pk).is_ok()); assert!(full.verify_ecdsa(&msg, &sig, &pk).is_ok());
// Check that we can produce keys from slices with no precomputation // Check that we can produce keys from slices with no precomputation
let (pk_slice, sk_slice) = (&pk.serialize(), &sk[..]); let (pk_slice, sk_slice) = (&pk.serialize(), &sk[..]);
@ -1032,19 +792,19 @@ mod tests {
let msg = Message::from_slice(&msg).unwrap(); let msg = Message::from_slice(&msg).unwrap();
let (sk, _) = s.generate_keypair(&mut thread_rng()); let (sk, _) = s.generate_keypair(&mut thread_rng());
let sig1 = s.sign(&msg, &sk); let sig1 = s.sign_ecdsa(&msg, &sk);
let der = sig1.serialize_der(); let der = sig1.serialize_der();
let sig2 = Signature::from_der(&der[..]).unwrap(); let sig2 = ecdsa::Signature::from_der(&der[..]).unwrap();
assert_eq!(sig1, sig2); assert_eq!(sig1, sig2);
let compact = sig1.serialize_compact(); let compact = sig1.serialize_compact();
let sig2 = Signature::from_compact(&compact[..]).unwrap(); let sig2 = ecdsa::Signature::from_compact(&compact[..]).unwrap();
assert_eq!(sig1, sig2); assert_eq!(sig1, sig2);
assert!(Signature::from_compact(&der[..]).is_err()); assert!(ecdsa::Signature::from_compact(&der[..]).is_err());
assert!(Signature::from_compact(&compact[0..4]).is_err()); assert!(ecdsa::Signature::from_compact(&compact[0..4]).is_err());
assert!(Signature::from_der(&compact[..]).is_err()); assert!(ecdsa::Signature::from_der(&compact[..]).is_err());
assert!(Signature::from_der(&der[0..4]).is_err()); assert!(ecdsa::Signature::from_der(&der[0..4]).is_err());
} }
} }
@ -1054,27 +814,27 @@ mod tests {
let byte_str = hex!(hex_str); let byte_str = hex!(hex_str);
assert_eq!( assert_eq!(
Signature::from_der(&byte_str).expect("byte str decode"), ecdsa::Signature::from_der(&byte_str).expect("byte str decode"),
Signature::from_str(&hex_str).expect("byte str decode") ecdsa::Signature::from_str(&hex_str).expect("byte str decode")
); );
let sig = Signature::from_str(&hex_str).expect("byte str decode"); let sig = ecdsa::Signature::from_str(&hex_str).expect("byte str decode");
assert_eq!(&sig.to_string(), hex_str); assert_eq!(&sig.to_string(), hex_str);
assert_eq!(&format!("{:?}", sig), hex_str); assert_eq!(&format!("{:?}", sig), hex_str);
assert!(Signature::from_str( assert!(ecdsa::Signature::from_str(
"3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a\ "3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a\
72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab4" 72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab4"
).is_err()); ).is_err());
assert!(Signature::from_str( assert!(ecdsa::Signature::from_str(
"3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a\ "3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a\
72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab" 72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab"
).is_err()); ).is_err());
assert!(Signature::from_str( assert!(ecdsa::Signature::from_str(
"3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a\ "3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a\
72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eabxx" 72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eabxx"
).is_err()); ).is_err());
assert!(Signature::from_str( assert!(ecdsa::Signature::from_str(
"3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a\ "3046022100839c1fbc5304de944f697c9f4b1d01d1faeba32d751c0f7acb21ac8a0f436a\
72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab45\ 72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab45\
72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab45\ 72022100e89bd46bb3a5a62adc679f659b7ce876d83ee297c7a5587b2011c4fcc72eab45\
@ -1085,7 +845,7 @@ mod tests {
// 71 byte signature // 71 byte signature
let hex_str = "30450221009d0bad576719d32ae76bedb34c774866673cbde3f4e12951555c9408e6ce774b02202876e7102f204f6bfee26c967c3926ce702cf97d4b010062e193f763190f6776"; let hex_str = "30450221009d0bad576719d32ae76bedb34c774866673cbde3f4e12951555c9408e6ce774b02202876e7102f204f6bfee26c967c3926ce702cf97d4b010062e193f763190f6776";
let sig = Signature::from_str(&hex_str).expect("byte str decode"); let sig = ecdsa::Signature::from_str(&hex_str).expect("byte str decode");
assert_eq!(&format!("{}", sig), hex_str); assert_eq!(&format!("{}", sig), hex_str);
} }
@ -1094,7 +854,7 @@ mod tests {
macro_rules! check_lax_sig( macro_rules! check_lax_sig(
($hex:expr) => ({ ($hex:expr) => ({
let sig = hex!($hex); let sig = hex!($hex);
assert!(Signature::from_der_lax(&sig[..]).is_ok()); assert!(ecdsa::Signature::from_der_lax(&sig[..]).is_ok());
}) })
); );
@ -1108,7 +868,7 @@ mod tests {
} }
#[test] #[test]
fn sign_and_verify() { fn sign_and_verify_ecdsa() {
let mut s = Secp256k1::new(); let mut s = Secp256k1::new();
s.randomize(&mut thread_rng()); s.randomize(&mut thread_rng());
@ -1118,12 +878,12 @@ mod tests {
let msg = Message::from_slice(&msg).unwrap(); let msg = Message::from_slice(&msg).unwrap();
let (sk, pk) = s.generate_keypair(&mut thread_rng()); let (sk, pk) = s.generate_keypair(&mut thread_rng());
let sig = s.sign(&msg, &sk); let sig = s.sign_ecdsa(&msg, &sk);
assert_eq!(s.verify(&msg, &sig, &pk), Ok(())); assert_eq!(s.verify_ecdsa(&msg, &sig, &pk), Ok(()));
let low_r_sig = s.sign_low_r(&msg, &sk); let low_r_sig = s.sign_ecdsa_low_r(&msg, &sk);
assert_eq!(s.verify(&msg, &low_r_sig, &pk), Ok(())); assert_eq!(s.verify_ecdsa(&msg, &low_r_sig, &pk), Ok(()));
let grind_r_sig = s.sign_grind_r(&msg, &sk, 1); let grind_r_sig = s.sign_ecdsa_grind_r(&msg, &sk, 1);
assert_eq!(s.verify(&msg, &grind_r_sig, &pk), Ok(())); assert_eq!(s.verify_ecdsa(&msg, &grind_r_sig, &pk), Ok(()));
let compact = sig.serialize_compact(); let compact = sig.serialize_compact();
if compact[0] < 0x80 { if compact[0] < 0x80 {
assert_eq!(sig, low_r_sig); assert_eq!(sig, low_r_sig);
@ -1160,13 +920,13 @@ mod tests {
for key in wild_keys.iter().map(|k| SecretKey::from_slice(&k[..]).unwrap()) { for key in wild_keys.iter().map(|k| SecretKey::from_slice(&k[..]).unwrap()) {
for msg in wild_msgs.iter().map(|m| Message::from_slice(&m[..]).unwrap()) { for msg in wild_msgs.iter().map(|m| Message::from_slice(&m[..]).unwrap()) {
let sig = s.sign(&msg, &key); let sig = s.sign_ecdsa(&msg, &key);
let low_r_sig = s.sign_low_r(&msg, &key); let low_r_sig = s.sign_ecdsa_low_r(&msg, &key);
let grind_r_sig = s.sign_grind_r(&msg, &key, 1); let grind_r_sig = s.sign_ecdsa_grind_r(&msg, &key, 1);
let pk = PublicKey::from_secret_key(&s, &key); let pk = PublicKey::from_secret_key(&s, &key);
assert_eq!(s.verify(&msg, &sig, &pk), Ok(())); assert_eq!(s.verify_ecdsa(&msg, &sig, &pk), Ok(()));
assert_eq!(s.verify(&msg, &low_r_sig, &pk), Ok(())); assert_eq!(s.verify_ecdsa(&msg, &low_r_sig, &pk), Ok(()));
assert_eq!(s.verify(&msg, &grind_r_sig, &pk), Ok(())); assert_eq!(s.verify_ecdsa(&msg, &grind_r_sig, &pk), Ok(()));
} }
} }
} }
@ -1182,19 +942,19 @@ mod tests {
let (sk, pk) = s.generate_keypair(&mut thread_rng()); let (sk, pk) = s.generate_keypair(&mut thread_rng());
let sig = s.sign(&msg, &sk); let sig = s.sign_ecdsa(&msg, &sk);
let mut msg = [0u8; 32]; let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg); thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap(); let msg = Message::from_slice(&msg).unwrap();
assert_eq!(s.verify(&msg, &sig, &pk), Err(Error::IncorrectSignature)); assert_eq!(s.verify_ecdsa(&msg, &sig, &pk), Err(Error::IncorrectSignature));
} }
#[test] #[test]
fn test_bad_slice() { fn test_bad_slice() {
assert_eq!(Signature::from_der(&[0; constants::MAX_SIGNATURE_SIZE + 1]), assert_eq!(ecdsa::Signature::from_der(&[0; constants::MAX_SIGNATURE_SIZE + 1]),
Err(Error::InvalidSignature)); Err(Error::InvalidSignature));
assert_eq!(Signature::from_der(&[0; constants::MAX_SIGNATURE_SIZE]), assert_eq!(ecdsa::Signature::from_der(&[0; constants::MAX_SIGNATURE_SIZE]),
Err(Error::InvalidSignature)); Err(Error::InvalidSignature));
assert_eq!(Message::from_slice(&[0; constants::MESSAGE_SIZE - 1]), assert_eq!(Message::from_slice(&[0; constants::MESSAGE_SIZE - 1]),
@ -1242,15 +1002,15 @@ mod tests {
let msg = hex!("a4965ca63b7d8562736ceec36dfa5a11bf426eb65be8ea3f7a49ae363032da0d"); let msg = hex!("a4965ca63b7d8562736ceec36dfa5a11bf426eb65be8ea3f7a49ae363032da0d");
let secp = Secp256k1::new(); let secp = Secp256k1::new();
let mut sig = Signature::from_der(&sig[..]).unwrap(); let mut sig = ecdsa::Signature::from_der(&sig[..]).unwrap();
let pk = PublicKey::from_slice(&pk[..]).unwrap(); let pk = PublicKey::from_slice(&pk[..]).unwrap();
let msg = Message::from_slice(&msg[..]).unwrap(); let msg = Message::from_slice(&msg[..]).unwrap();
// without normalization we expect this will fail // without normalization we expect this will fail
assert_eq!(secp.verify(&msg, &sig, &pk), Err(Error::IncorrectSignature)); assert_eq!(secp.verify_ecdsa(&msg, &sig, &pk), Err(Error::IncorrectSignature));
// after normalization it should pass // after normalization it should pass
sig.normalize_s(); sig.normalize_s();
assert_eq!(secp.verify(&msg, &sig, &pk), Ok(())); assert_eq!(secp.verify_ecdsa(&msg, &sig, &pk), Ok(()));
} }
#[test] #[test]
@ -1261,9 +1021,9 @@ mod tests {
let msg = Message::from_slice(&msg).unwrap(); let msg = Message::from_slice(&msg).unwrap();
let sk = SecretKey::from_str("57f0148f94d13095cfda539d0da0d1541304b678d8b36e243980aab4e1b7cead").unwrap(); let sk = SecretKey::from_str("57f0148f94d13095cfda539d0da0d1541304b678d8b36e243980aab4e1b7cead").unwrap();
let expected_sig = hex!("047dd4d049db02b430d24c41c7925b2725bcd5a85393513bdec04b4dc363632b1054d0180094122b380f4cfa391e6296244da773173e78fc745c1b9c79f7b713"); let expected_sig = hex!("047dd4d049db02b430d24c41c7925b2725bcd5a85393513bdec04b4dc363632b1054d0180094122b380f4cfa391e6296244da773173e78fc745c1b9c79f7b713");
let expected_sig = Signature::from_compact(&expected_sig).unwrap(); let expected_sig = ecdsa::Signature::from_compact(&expected_sig).unwrap();
let sig = secp.sign_low_r(&msg, &sk); let sig = secp.sign_ecdsa_low_r(&msg, &sk);
assert_eq!(expected_sig, sig); assert_eq!(expected_sig, sig);
} }
@ -1275,9 +1035,9 @@ mod tests {
let msg = hex!("ef2d5b9a7c61865a95941d0f04285420560df7e9d76890ac1b8867b12ce43167"); let msg = hex!("ef2d5b9a7c61865a95941d0f04285420560df7e9d76890ac1b8867b12ce43167");
let msg = Message::from_slice(&msg).unwrap(); let msg = Message::from_slice(&msg).unwrap();
let sk = SecretKey::from_str("848355d75fe1c354cf05539bb29b2015f1863065bcb6766b44d399ab95c3fa0b").unwrap(); let sk = SecretKey::from_str("848355d75fe1c354cf05539bb29b2015f1863065bcb6766b44d399ab95c3fa0b").unwrap();
let expected_sig = Signature::from_str("304302202ffc447100d518c8ba643d11f3e6a83a8640488e7d2537b1954b942408be6ea3021f26e1248dd1e52160c3a38af9769d91a1a806cab5f9d508c103464d3c02d6e1").unwrap(); let expected_sig = ecdsa::Signature::from_str("304302202ffc447100d518c8ba643d11f3e6a83a8640488e7d2537b1954b942408be6ea3021f26e1248dd1e52160c3a38af9769d91a1a806cab5f9d508c103464d3c02d6e1").unwrap();
let sig = secp.sign_grind_r(&msg, &sk, 2); let sig = secp.sign_ecdsa_grind_r(&msg, &sk, 2);
assert_eq!(expected_sig, sig); assert_eq!(expected_sig, sig);
} }
@ -1292,7 +1052,7 @@ mod tests {
let msg = Message::from_slice(&[1; 32]).unwrap(); let msg = Message::from_slice(&[1; 32]).unwrap();
let sk = SecretKey::from_slice(&[2; 32]).unwrap(); let sk = SecretKey::from_slice(&[2; 32]).unwrap();
let sig = s.sign(&msg, &sk); let sig = s.sign_ecdsa(&msg, &sk);
static SIG_BYTES: [u8; 71] = [ static SIG_BYTES: [u8; 71] = [
48, 69, 2, 33, 0, 157, 11, 173, 87, 103, 25, 211, 42, 231, 107, 237, 48, 69, 2, 33, 0, 157, 11, 173, 87, 103, 25, 211, 42, 231, 107, 237,
179, 76, 119, 72, 102, 103, 60, 189, 227, 244, 225, 41, 81, 85, 92, 148, 179, 76, 119, 72, 102, 103, 60, 189, 227, 244, 225, 41, 81, 85, 92, 148,
@ -1329,8 +1089,8 @@ mod tests {
let pk = PublicKey::from_secret_key(&SECP256K1, &sk); let pk = PublicKey::from_secret_key(&SECP256K1, &sk);
// Check usage as self // Check usage as self
let sig = SECP256K1.sign(&msg, &sk); let sig = SECP256K1.sign_ecdsa(&msg, &sk);
assert!(SECP256K1.verify(&msg, &sig, &pk).is_ok()); assert!(SECP256K1.verify_ecdsa(&msg, &sig, &pk).is_ok());
} }
#[cfg(feature = "bitcoin_hashes")] #[cfg(feature = "bitcoin_hashes")]
@ -1402,7 +1162,7 @@ mod benches {
} }
#[bench] #[bench]
pub fn bench_sign(bh: &mut Bencher) { pub fn bench_sign_ecdsa(bh: &mut Bencher) {
let s = Secp256k1::new(); let s = Secp256k1::new();
let mut msg = [0u8; 32]; let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg); thread_rng().fill_bytes(&mut msg);
@ -1410,22 +1170,22 @@ mod benches {
let (sk, _) = s.generate_keypair(&mut thread_rng()); let (sk, _) = s.generate_keypair(&mut thread_rng());
bh.iter(|| { bh.iter(|| {
let sig = s.sign(&msg, &sk); let sig = s.sign_ecdsa(&msg, &sk);
black_box(sig); black_box(sig);
}); });
} }
#[bench] #[bench]
pub fn bench_verify(bh: &mut Bencher) { pub fn bench_verify_ecdsa(bh: &mut Bencher) {
let s = Secp256k1::new(); let s = Secp256k1::new();
let mut msg = [0u8; 32]; let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg); thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap(); let msg = Message::from_slice(&msg).unwrap();
let (sk, pk) = s.generate_keypair(&mut thread_rng()); let (sk, pk) = s.generate_keypair(&mut thread_rng());
let sig = s.sign(&msg, &sk); let sig = s.sign_ecdsa(&msg, &sk);
bh.iter(|| { bh.iter(|| {
let res = s.verify(&msg, &sig, &pk).unwrap(); let res = s.verify_ecdsa(&msg, &sig, &pk).unwrap();
black_box(res); black_box(res);
}); });
} }