// SPDX-License-Identifier: CC0-1.0 //! Public and secret keys. //! use core::convert::TryFrom; use core::ops::{self, BitXor}; use core::{fmt, ptr, str}; #[cfg(feature = "serde")] use serde::ser::SerializeTuple; use crate::ellswift::ElligatorSwift; use crate::ffi::types::c_uint; use crate::ffi::{self, CPtr}; use crate::Error::{self, InvalidPublicKey, InvalidPublicKeySum, InvalidSecretKey}; #[cfg(feature = "global-context")] use crate::SECP256K1; use crate::{ constants, ecdsa, from_hex, schnorr, Message, Scalar, Secp256k1, Signing, Verification, }; #[cfg(feature = "hashes")] use crate::{hashes, ThirtyTwoByteHash}; /// Secret key - a 256-bit key used to create ECDSA and Taproot signatures. /// /// This value should be generated using a [cryptographically secure pseudorandom number generator]. /// /// # Side channel attacks /// /// We have attempted to reduce the side channel attack surface by implementing a constant time `eq` /// method. For similar reasons we explicitly do not implement `PartialOrd`, `Ord`, or `Hash` on /// `SecretKey`. If you really want to order secrets keys then you can use `AsRef` to get at the /// underlying bytes and compare them - however this is almost certainly a bad idea. /// /// # Serde support /// /// Implements de/serialization with the `serde` feature enabled. We treat the byte value as a tuple /// of 32 `u8`s for non-human-readable formats. This representation is optimal for for some formats /// (e.g. [`bincode`]) however other formats may be less optimal (e.g. [`cbor`]). /// /// # Examples /// /// Basic usage: /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Secp256k1, SecretKey}; /// /// let secp = Secp256k1::new(); /// let secret_key = SecretKey::new(&mut rand::thread_rng()); /// # } /// ``` /// [`bincode`]: https://docs.rs/bincode /// [`cbor`]: https://docs.rs/cbor /// [cryptographically secure pseudorandom number generator]: https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator #[derive(Copy, Clone)] pub struct SecretKey([u8; constants::SECRET_KEY_SIZE]); impl_display_secret!(SecretKey); impl_non_secure_erase!(SecretKey, 0, [1u8; constants::SECRET_KEY_SIZE]); impl PartialEq for SecretKey { /// This implementation is designed to be constant time to help prevent side channel attacks. #[inline] fn eq(&self, other: &Self) -> bool { let accum = self.0.iter().zip(&other.0).fold(0, |accum, (a, b)| accum | a ^ b); unsafe { core::ptr::read_volatile(&accum) == 0 } } } impl Eq for SecretKey {} impl AsRef<[u8; constants::SECRET_KEY_SIZE]> for SecretKey { /// Gets a reference to the underlying array. /// /// # Side channel attacks /// /// Using ordering functions (`PartialOrd`/`Ord`) on a reference to secret keys leaks data /// because the implementations are not constant time. Doing so will make your code vulnerable /// to side channel attacks. [`SecretKey::eq`] is implemented using a constant time algorithm, /// please consider using it to do comparisons of secret keys. #[inline] fn as_ref(&self) -> &[u8; constants::SECRET_KEY_SIZE] { let SecretKey(dat) = self; dat } } impl ops::Index for SecretKey where [u8]: ops::Index, { type Output = <[u8] as ops::Index>::Output; #[inline] fn index(&self, index: I) -> &Self::Output { &self.0[index] } } impl ffi::CPtr for SecretKey { type Target = u8; fn as_c_ptr(&self) -> *const Self::Target { let SecretKey(dat) = self; dat.as_ptr() } fn as_mut_c_ptr(&mut self) -> *mut Self::Target { let &mut SecretKey(ref mut dat) = self; dat.as_mut_ptr() } } impl str::FromStr for SecretKey { type Err = Error; fn from_str(s: &str) -> Result { let mut res = [0u8; constants::SECRET_KEY_SIZE]; match from_hex(s, &mut res) { Ok(constants::SECRET_KEY_SIZE) => SecretKey::from_slice(&res), _ => Err(Error::InvalidSecretKey), } } } /// Public key - used to verify ECDSA signatures and to do Taproot tweaks. /// /// # Serde support /// /// Implements de/serialization with the `serde` feature enabled. We treat the byte value as a tuple /// of 33 `u8`s for non-human-readable formats. This representation is optimal for for some formats /// (e.g. [`bincode`]) however other formats may be less optimal (e.g. [`cbor`]). /// /// # Examples /// /// Basic usage: /// /// ``` /// # #[cfg(feature = "alloc")] { /// use secp256k1::{SecretKey, Secp256k1, PublicKey}; /// /// let secp = Secp256k1::new(); /// let secret_key = SecretKey::from_slice(&[0xcd; 32]).expect("32 bytes, within curve order"); /// let public_key = PublicKey::from_secret_key(&secp, &secret_key); /// # } /// ``` /// [`bincode`]: https://docs.rs/bincode /// [`cbor`]: https://docs.rs/cbor #[derive(Copy, Clone, Debug, PartialOrd, Ord, PartialEq, Eq, Hash)] #[repr(transparent)] pub struct PublicKey(ffi::PublicKey); impl_fast_comparisons!(PublicKey); impl fmt::LowerHex for PublicKey { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { let ser = self.serialize(); for ch in &ser[..] { write!(f, "{:02x}", *ch)?; } Ok(()) } } impl fmt::Display for PublicKey { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fmt::LowerHex::fmt(self, f) } } impl str::FromStr for PublicKey { type Err = Error; fn from_str(s: &str) -> Result { let mut res = [0u8; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE]; match from_hex(s, &mut res) { Ok(constants::PUBLIC_KEY_SIZE) => PublicKey::from_slice(&res[0..constants::PUBLIC_KEY_SIZE]), Ok(constants::UNCOMPRESSED_PUBLIC_KEY_SIZE) => PublicKey::from_slice(&res), _ => Err(Error::InvalidPublicKey), } } } impl SecretKey { /// Generates a new random secret key. /// /// # Examples /// /// ``` /// # #[cfg(all(feature = "std", feature = "rand-std"))] { /// use secp256k1::{rand, SecretKey}; /// let secret_key = SecretKey::new(&mut rand::thread_rng()); /// # } /// ``` #[inline] #[cfg(feature = "rand")] pub fn new(rng: &mut R) -> SecretKey { let mut data = crate::random_32_bytes(rng); unsafe { while ffi::secp256k1_ec_seckey_verify( ffi::secp256k1_context_no_precomp, data.as_c_ptr(), ) == 0 { data = crate::random_32_bytes(rng); } } SecretKey(data) } /// Converts a `SECRET_KEY_SIZE`-byte slice to a secret key. /// /// # Examples /// /// ``` /// use secp256k1::SecretKey; /// let sk = SecretKey::from_slice(&[0xcd; 32]).expect("32 bytes, within curve order"); /// ``` #[inline] pub fn from_slice(data: &[u8]) -> Result { match <[u8; constants::SECRET_KEY_SIZE]>::try_from(data) { Ok(data) => { unsafe { if ffi::secp256k1_ec_seckey_verify( ffi::secp256k1_context_no_precomp, data.as_c_ptr(), ) == 0 { return Err(InvalidSecretKey); } } Ok(SecretKey(data)) } Err(_) => Err(InvalidSecretKey), } } /// Creates a new secret key using data from BIP-340 [`Keypair`]. /// /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Secp256k1, SecretKey, Keypair}; /// /// let secp = Secp256k1::new(); /// let keypair = Keypair::new(&secp, &mut rand::thread_rng()); /// let secret_key = SecretKey::from_keypair(&keypair); /// # } /// ``` #[inline] pub fn from_keypair(keypair: &Keypair) -> Self { let mut sk = [0u8; constants::SECRET_KEY_SIZE]; unsafe { let ret = ffi::secp256k1_keypair_sec( ffi::secp256k1_context_no_precomp, sk.as_mut_c_ptr(), keypair.as_c_ptr(), ); debug_assert_eq!(ret, 1); } SecretKey(sk) } /// Constructs a [`SecretKey`] by hashing `data` with hash algorithm `H`. /// /// Requires the feature `hashes` to be enabled. /// /// # Examples /// /// ``` /// # #[cfg(feature="hashes")] { /// use secp256k1::hashes::{sha256, Hash}; /// use secp256k1::SecretKey; /// /// let sk1 = SecretKey::from_hashed_data::("Hello world!".as_bytes()); /// // is equivalent to /// let sk2 = SecretKey::from(sha256::Hash::hash("Hello world!".as_bytes())); /// /// assert_eq!(sk1, sk2); /// # } /// ``` #[cfg(feature = "hashes")] #[inline] pub fn from_hashed_data(data: &[u8]) -> Self { ::hash(data).into() } /// Returns the secret key as a byte value. #[inline] pub fn secret_bytes(&self) -> [u8; constants::SECRET_KEY_SIZE] { self.0 } /// Negates the secret key. #[inline] #[must_use = "you forgot to use the negated secret key"] pub fn negate(mut self) -> SecretKey { unsafe { let res = ffi::secp256k1_ec_seckey_negate( ffi::secp256k1_context_no_precomp, self.as_mut_c_ptr(), ); debug_assert_eq!(res, 1); } self } /// Tweaks a [`SecretKey`] by adding `tweak` modulo the curve order. /// /// # Errors /// /// Returns an error if the resulting key would be invalid. #[inline] pub fn add_tweak(mut self, tweak: &Scalar) -> Result { unsafe { if ffi::secp256k1_ec_seckey_tweak_add( ffi::secp256k1_context_no_precomp, self.as_mut_c_ptr(), tweak.as_c_ptr(), ) != 1 { Err(Error::InvalidTweak) } else { Ok(self) } } } /// Tweaks a [`SecretKey`] by multiplying by `tweak` modulo the curve order. /// /// # Errors /// /// Returns an error if the resulting key would be invalid. #[inline] pub fn mul_tweak(mut self, tweak: &Scalar) -> Result { unsafe { if ffi::secp256k1_ec_seckey_tweak_mul( ffi::secp256k1_context_no_precomp, self.as_mut_c_ptr(), tweak.as_c_ptr(), ) != 1 { Err(Error::InvalidTweak) } else { Ok(self) } } } /// Constructs an ECDSA signature for `msg` using the global [`SECP256K1`] context. #[inline] #[cfg(feature = "global-context")] pub fn sign_ecdsa(&self, msg: Message) -> ecdsa::Signature { SECP256K1.sign_ecdsa(&msg, self) } /// Returns the [`Keypair`] for this [`SecretKey`]. /// /// This is equivalent to using [`Keypair::from_secret_key`]. #[inline] pub fn keypair(&self, secp: &Secp256k1) -> Keypair { Keypair::from_secret_key(secp, self) } /// Returns the [`PublicKey`] for this [`SecretKey`]. /// /// This is equivalent to using [`PublicKey::from_secret_key`]. #[inline] pub fn public_key(&self, secp: &Secp256k1) -> PublicKey { PublicKey::from_secret_key(secp, self) } /// Returns the [`XOnlyPublicKey`] (and it's [`Parity`]) for this [`SecretKey`]. /// /// This is equivalent to `XOnlyPublicKey::from_keypair(self.keypair(secp))`. #[inline] pub fn x_only_public_key(&self, secp: &Secp256k1) -> (XOnlyPublicKey, Parity) { let kp = self.keypair(secp); XOnlyPublicKey::from_keypair(&kp) } } #[cfg(feature = "hashes")] impl From for SecretKey { /// Converts a 32-byte hash directly to a secret key without error paths. fn from(t: T) -> SecretKey { SecretKey::from_slice(&t.into_32()).expect("failed to create secret key") } } #[cfg(feature = "serde")] impl serde::Serialize for SecretKey { fn serialize(&self, s: S) -> Result { if s.is_human_readable() { let mut buf = [0u8; constants::SECRET_KEY_SIZE * 2]; s.serialize_str(crate::to_hex(&self.0, &mut buf).expect("fixed-size hex serialization")) } else { let mut tuple = s.serialize_tuple(constants::SECRET_KEY_SIZE)?; for byte in self.0.iter() { tuple.serialize_element(byte)?; } tuple.end() } } } #[cfg(feature = "serde")] impl<'de> serde::Deserialize<'de> for SecretKey { fn deserialize>(d: D) -> Result { if d.is_human_readable() { d.deserialize_str(super::serde_util::FromStrVisitor::new( "a hex string representing 32 byte SecretKey", )) } else { let visitor = super::serde_util::Tuple32Visitor::new( "raw 32 bytes SecretKey", SecretKey::from_slice, ); d.deserialize_tuple(constants::SECRET_KEY_SIZE, visitor) } } } impl PublicKey { /// Obtains a raw const pointer suitable for use with FFI functions. #[inline] #[deprecated(since = "0.25.0", note = "Use Self::as_c_ptr if you need to access the FFI layer")] pub fn as_ptr(&self) -> *const ffi::PublicKey { self.as_c_ptr() } /// Obtains a raw mutable pointer suitable for use with FFI functions. #[inline] #[deprecated( since = "0.25.0", note = "Use Self::as_mut_c_ptr if you need to access the FFI layer" )] pub fn as_mut_ptr(&mut self) -> *mut ffi::PublicKey { self.as_mut_c_ptr() } /// Creates a new public key from a [`SecretKey`]. /// /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Secp256k1, SecretKey, PublicKey}; /// /// let secp = Secp256k1::new(); /// let secret_key = SecretKey::new(&mut rand::thread_rng()); /// let public_key = PublicKey::from_secret_key(&secp, &secret_key); /// # } /// ``` #[inline] pub fn from_secret_key(secp: &Secp256k1, sk: &SecretKey) -> PublicKey { unsafe { let mut pk = ffi::PublicKey::new(); // We can assume the return value because it's not possible to construct // an invalid `SecretKey` without transmute trickery or something. let res = ffi::secp256k1_ec_pubkey_create(secp.ctx.as_ptr(), &mut pk, sk.as_c_ptr()); debug_assert_eq!(res, 1); PublicKey(pk) } } /// Creates a new public key from an [`ElligatorSwift`]. #[inline] pub fn from_ellswift(ellswift: ElligatorSwift) -> PublicKey { ElligatorSwift::decode(ellswift) } /// Creates a new public key from a [`SecretKey`] and the global [`SECP256K1`] context. #[inline] #[cfg(feature = "global-context")] pub fn from_secret_key_global(sk: &SecretKey) -> PublicKey { PublicKey::from_secret_key(SECP256K1, sk) } /// Creates a public key directly from a slice. #[inline] pub fn from_slice(data: &[u8]) -> Result { if data.is_empty() { return Err(Error::InvalidPublicKey); } unsafe { let mut pk = ffi::PublicKey::new(); if ffi::secp256k1_ec_pubkey_parse( ffi::secp256k1_context_no_precomp, &mut pk, data.as_c_ptr(), data.len(), ) == 1 { Ok(PublicKey(pk)) } else { Err(InvalidPublicKey) } } } /// Creates a new compressed public key using data from BIP-340 [`Keypair`]. /// /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Secp256k1, PublicKey, Keypair}; /// /// let secp = Secp256k1::new(); /// let keypair = Keypair::new(&secp, &mut rand::thread_rng()); /// let public_key = PublicKey::from_keypair(&keypair); /// # } /// ``` #[inline] pub fn from_keypair(keypair: &Keypair) -> Self { unsafe { let mut pk = ffi::PublicKey::new(); let ret = ffi::secp256k1_keypair_pub( ffi::secp256k1_context_no_precomp, &mut pk, keypair.as_c_ptr(), ); debug_assert_eq!(ret, 1); PublicKey(pk) } } /// Creates a [`PublicKey`] using the key material from `pk` combined with the `parity`. pub fn from_x_only_public_key(pk: XOnlyPublicKey, parity: Parity) -> PublicKey { let mut buf = [0u8; 33]; // First byte of a compressed key should be `0x02 AND parity`. buf[0] = match parity { Parity::Even => 0x02, Parity::Odd => 0x03, }; buf[1..].clone_from_slice(&pk.serialize()); PublicKey::from_slice(&buf).expect("we know the buffer is valid") } #[inline] /// Serializes the key as a byte-encoded pair of values. In compressed form the y-coordinate is /// represented by only a single bit, as x determines it up to one bit. pub fn serialize(&self) -> [u8; constants::PUBLIC_KEY_SIZE] { let mut ret = [0u8; constants::PUBLIC_KEY_SIZE]; self.serialize_internal(&mut ret, ffi::SECP256K1_SER_COMPRESSED); ret } #[inline] /// Serializes the key as a byte-encoded pair of values, in uncompressed form. pub fn serialize_uncompressed(&self) -> [u8; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE] { let mut ret = [0u8; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE]; self.serialize_internal(&mut ret, ffi::SECP256K1_SER_UNCOMPRESSED); ret } #[inline(always)] fn serialize_internal(&self, ret: &mut [u8], flag: c_uint) { let mut ret_len = ret.len(); let res = unsafe { ffi::secp256k1_ec_pubkey_serialize( ffi::secp256k1_context_no_precomp, ret.as_mut_c_ptr(), &mut ret_len, self.as_c_ptr(), flag, ) }; debug_assert_eq!(res, 1); debug_assert_eq!(ret_len, ret.len()); } /// Negates the public key. #[inline] #[must_use = "you forgot to use the negated public key"] pub fn negate(mut self, secp: &Secp256k1) -> PublicKey { unsafe { let res = ffi::secp256k1_ec_pubkey_negate(secp.ctx.as_ptr(), &mut self.0); debug_assert_eq!(res, 1); } self } /// Tweaks a [`PublicKey`] by adding `tweak * G` modulo the curve order. /// /// # Errors /// /// Returns an error if the resulting key would be invalid. #[inline] pub fn add_exp_tweak( mut self, secp: &Secp256k1, tweak: &Scalar, ) -> Result { unsafe { if ffi::secp256k1_ec_pubkey_tweak_add(secp.ctx.as_ptr(), &mut self.0, tweak.as_c_ptr()) == 1 { Ok(self) } else { Err(Error::InvalidTweak) } } } /// Tweaks a [`PublicKey`] by multiplying by `tweak` modulo the curve order. /// /// # Errors /// /// Returns an error if the resulting key would be invalid. #[inline] pub fn mul_tweak( mut self, secp: &Secp256k1, other: &Scalar, ) -> Result { unsafe { if ffi::secp256k1_ec_pubkey_tweak_mul(secp.ctx.as_ptr(), &mut self.0, other.as_c_ptr()) == 1 { Ok(self) } else { Err(Error::InvalidTweak) } } } /// Adds a second key to this one, returning the sum. /// /// # Errors /// /// If the result would be the point at infinity, i.e. adding this point to its own negation. /// /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Secp256k1}; /// /// let secp = Secp256k1::new(); /// let mut rng = rand::thread_rng(); /// let (_, pk1) = secp.generate_keypair(&mut rng); /// let (_, pk2) = secp.generate_keypair(&mut rng); /// let sum = pk1.combine(&pk2).expect("It's improbable to fail for 2 random public keys"); /// # } /// ``` pub fn combine(&self, other: &PublicKey) -> Result { PublicKey::combine_keys(&[self, other]) } /// Adds the keys in the provided slice together, returning the sum. /// /// # Errors /// /// Errors under any of the following conditions: /// - The result would be the point at infinity, i.e. adding a point to its own negation. /// - The provided slice is empty. /// - The number of elements in the provided slice is greater than `i32::MAX`. /// /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Secp256k1, PublicKey}; /// /// let secp = Secp256k1::new(); /// let mut rng = rand::thread_rng(); /// let (_, pk1) = secp.generate_keypair(&mut rng); /// let (_, pk2) = secp.generate_keypair(&mut rng); /// let (_, pk3) = secp.generate_keypair(&mut rng); /// let sum = PublicKey::combine_keys(&[&pk1, &pk2, &pk3]).expect("It's improbable to fail for 3 random public keys"); /// # } /// ``` pub fn combine_keys(keys: &[&PublicKey]) -> Result { use core::i32::MAX; use core::mem::transmute; if keys.is_empty() || keys.len() > MAX as usize { return Err(InvalidPublicKeySum); } unsafe { let mut ret = ffi::PublicKey::new(); let ptrs: &[*const ffi::PublicKey] = transmute::<&[&PublicKey], &[*const ffi::PublicKey]>(keys); if ffi::secp256k1_ec_pubkey_combine( ffi::secp256k1_context_no_precomp, &mut ret, ptrs.as_c_ptr(), keys.len(), ) == 1 { Ok(PublicKey(ret)) } else { Err(InvalidPublicKeySum) } } } /// Returns the [`XOnlyPublicKey`] (and it's [`Parity`]) for this [`PublicKey`]. #[inline] pub fn x_only_public_key(&self) -> (XOnlyPublicKey, Parity) { let mut pk_parity = 0; unsafe { let mut xonly_pk = ffi::XOnlyPublicKey::new(); let ret = ffi::secp256k1_xonly_pubkey_from_pubkey( ffi::secp256k1_context_no_precomp, &mut xonly_pk, &mut pk_parity, self.as_c_ptr(), ); debug_assert_eq!(ret, 1); let parity = Parity::from_i32(pk_parity).expect("should not panic, pk_parity is 0 or 1"); (XOnlyPublicKey(xonly_pk), parity) } } /// Checks that `sig` is a valid ECDSA signature for `msg` using this public key. pub fn verify( &self, secp: &Secp256k1, msg: &Message, sig: &ecdsa::Signature, ) -> Result<(), Error> { secp.verify_ecdsa(msg, sig, self) } } /// This trait enables interaction with the FFI layer and even though it is part of the public API /// normal users should never need to directly interact with FFI types. impl CPtr for PublicKey { type Target = ffi::PublicKey; /// Obtains a const pointer suitable for use with FFI functions. fn as_c_ptr(&self) -> *const Self::Target { &self.0 } /// Obtains a mutable pointer suitable for use with FFI functions. fn as_mut_c_ptr(&mut self) -> *mut Self::Target { &mut self.0 } } /// Creates a new public key from a FFI public key. /// /// Note, normal users should never need to interact directly with FFI types. impl From for PublicKey { #[inline] fn from(pk: ffi::PublicKey) -> PublicKey { PublicKey(pk) } } #[cfg(feature = "serde")] impl serde::Serialize for PublicKey { fn serialize(&self, s: S) -> Result { if s.is_human_readable() { s.collect_str(self) } else { let mut tuple = s.serialize_tuple(constants::PUBLIC_KEY_SIZE)?; // Serialize in compressed form. for byte in self.serialize().iter() { tuple.serialize_element(&byte)?; } tuple.end() } } } #[cfg(feature = "serde")] impl<'de> serde::Deserialize<'de> for PublicKey { fn deserialize>(d: D) -> Result { if d.is_human_readable() { d.deserialize_str(super::serde_util::FromStrVisitor::new( "an ASCII hex string representing a public key", )) } else { let visitor = super::serde_util::Tuple33Visitor::new( "33 bytes compressed public key", PublicKey::from_slice, ); d.deserialize_tuple(constants::PUBLIC_KEY_SIZE, visitor) } } } /// Opaque data structure that holds a keypair consisting of a secret and a public key. /// /// # Serde support /// /// Implements de/serialization with the `serde` and_`global-context` features enabled. Serializes /// the secret bytes only. We treat the byte value as a tuple of 32 `u8`s for non-human-readable /// formats. This representation is optimal for for some formats (e.g. [`bincode`]) however other /// formats may be less optimal (e.g. [`cbor`]). For human-readable formats we use a hex string. /// /// # Examples /// /// Basic usage: /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Keypair, Secp256k1}; /// /// let secp = Secp256k1::new(); /// let (secret_key, public_key) = secp.generate_keypair(&mut rand::thread_rng()); /// let keypair = Keypair::from_secret_key(&secp, &secret_key); /// # } /// ``` /// [`bincode`]: https://docs.rs/bincode /// [`cbor`]: https://docs.rs/cbor #[derive(Copy, Clone, PartialOrd, Ord, PartialEq, Eq, Hash)] pub struct Keypair(ffi::Keypair); impl_display_secret!(Keypair); impl_fast_comparisons!(Keypair); impl Keypair { /// Obtains a raw const pointer suitable for use with FFI functions. #[inline] #[deprecated(since = "0.25.0", note = "Use Self::as_c_ptr if you need to access the FFI layer")] pub fn as_ptr(&self) -> *const ffi::Keypair { self.as_c_ptr() } /// Obtains a raw mutable pointer suitable for use with FFI functions. #[inline] #[deprecated( since = "0.25.0", note = "Use Self::as_mut_c_ptr if you need to access the FFI layer" )] pub fn as_mut_ptr(&mut self) -> *mut ffi::Keypair { self.as_mut_c_ptr() } /// Creates a [`Keypair`] directly from a Secp256k1 secret key. #[inline] pub fn from_secret_key(secp: &Secp256k1, sk: &SecretKey) -> Keypair { unsafe { let mut kp = ffi::Keypair::new(); if ffi::secp256k1_keypair_create(secp.ctx.as_ptr(), &mut kp, sk.as_c_ptr()) == 1 { Keypair(kp) } else { panic!("the provided secret key is invalid: it is corrupted or was not produced by Secp256k1 library") } } } /// Creates a [`Keypair`] directly from a secret key slice. /// /// # Errors /// /// [`Error::InvalidSecretKey`] if the provided data has an incorrect length, exceeds Secp256k1 /// field `p` value or the corresponding public key is not even. #[inline] pub fn from_seckey_slice( secp: &Secp256k1, data: &[u8], ) -> Result { if data.is_empty() || data.len() != constants::SECRET_KEY_SIZE { return Err(Error::InvalidSecretKey); } unsafe { let mut kp = ffi::Keypair::new(); if ffi::secp256k1_keypair_create(secp.ctx.as_ptr(), &mut kp, data.as_c_ptr()) == 1 { Ok(Keypair(kp)) } else { Err(Error::InvalidSecretKey) } } } /// Creates a [`Keypair`] directly from a secret key string. /// /// # Errors /// /// [`Error::InvalidSecretKey`] if corresponding public key for the provided secret key is not even. #[inline] pub fn from_seckey_str(secp: &Secp256k1, s: &str) -> Result { let mut res = [0u8; constants::SECRET_KEY_SIZE]; match from_hex(s, &mut res) { Ok(constants::SECRET_KEY_SIZE) => Keypair::from_seckey_slice(secp, &res[0..constants::SECRET_KEY_SIZE]), _ => Err(Error::InvalidPublicKey), } } /// Creates a [`Keypair`] directly from a secret key string and the global [`SECP256K1`] context. /// /// # Errors /// /// [`Error::InvalidSecretKey`] if corresponding public key for the provided secret key is not even. #[inline] #[cfg(feature = "global-context")] pub fn from_seckey_str_global(s: &str) -> Result { Keypair::from_seckey_str(SECP256K1, s) } /// Generates a new random secret key. /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Secp256k1, SecretKey, Keypair}; /// /// let secp = Secp256k1::new(); /// let keypair = Keypair::new(&secp, &mut rand::thread_rng()); /// # } /// ``` #[inline] #[cfg(feature = "rand")] pub fn new(secp: &Secp256k1, rng: &mut R) -> Keypair { let mut data = crate::random_32_bytes(rng); unsafe { let mut keypair = ffi::Keypair::new(); while ffi::secp256k1_keypair_create(secp.ctx.as_ptr(), &mut keypair, data.as_c_ptr()) == 0 { data = crate::random_32_bytes(rng); } Keypair(keypair) } } /// Generates a new random secret key using the global [`SECP256K1`] context. #[inline] #[cfg(all(feature = "global-context", feature = "rand"))] pub fn new_global(rng: &mut R) -> Keypair { Keypair::new(SECP256K1, rng) } /// Returns the secret bytes for this key pair. #[inline] pub fn secret_bytes(&self) -> [u8; constants::SECRET_KEY_SIZE] { *SecretKey::from_keypair(self).as_ref() } /// Tweaks a keypair by first converting the public key to an xonly key and tweaking it. /// /// # Errors /// /// Returns an error if the resulting key would be invalid. /// /// NB: Will not error if the tweaked public key has an odd value and can't be used for /// BIP 340-342 purposes. /// /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{Secp256k1, Keypair, Scalar}; /// /// let secp = Secp256k1::new(); /// let tweak = Scalar::random(); /// /// let mut keypair = Keypair::new(&secp, &mut rand::thread_rng()); /// let tweaked = keypair.add_xonly_tweak(&secp, &tweak).expect("Improbable to fail with a randomly generated tweak"); /// # } /// ``` // TODO: Add checked implementation #[inline] pub fn add_xonly_tweak( mut self, secp: &Secp256k1, tweak: &Scalar, ) -> Result { unsafe { let err = ffi::secp256k1_keypair_xonly_tweak_add( secp.ctx.as_ptr(), &mut self.0, tweak.as_c_ptr(), ); if err != 1 { return Err(Error::InvalidTweak); } Ok(self) } } /// Returns the [`SecretKey`] for this [`Keypair`]. /// /// This is equivalent to using [`SecretKey::from_keypair`]. #[inline] pub fn secret_key(&self) -> SecretKey { SecretKey::from_keypair(self) } /// Returns the [`PublicKey`] for this [`Keypair`]. /// /// This is equivalent to using [`PublicKey::from_keypair`]. #[inline] pub fn public_key(&self) -> PublicKey { PublicKey::from_keypair(self) } /// Returns the [`XOnlyPublicKey`] (and it's [`Parity`]) for this [`Keypair`]. /// /// This is equivalent to using [`XOnlyPublicKey::from_keypair`]. #[inline] pub fn x_only_public_key(&self) -> (XOnlyPublicKey, Parity) { XOnlyPublicKey::from_keypair(self) } /// Constructs an schnorr signature for `msg` using the global [`SECP256K1`] context. #[inline] #[cfg(all(feature = "global-context", feature = "rand-std"))] pub fn sign_schnorr(&self, msg: Message) -> schnorr::Signature { SECP256K1.sign_schnorr(&msg, self) } /// Attempts to erase the secret within the underlying array. /// /// Note, however, that the compiler is allowed to freely copy or move the contents /// of this array to other places in memory. Preventing this behavior is very subtle. /// For more discussion on this, please see the documentation of the /// [`zeroize`](https://docs.rs/zeroize) crate. #[inline] pub fn non_secure_erase(&mut self) { self.0.non_secure_erase(); } } impl From for SecretKey { #[inline] fn from(pair: Keypair) -> Self { SecretKey::from_keypair(&pair) } } impl<'a> From<&'a Keypair> for SecretKey { #[inline] fn from(pair: &'a Keypair) -> Self { SecretKey::from_keypair(pair) } } impl From for PublicKey { #[inline] fn from(pair: Keypair) -> Self { PublicKey::from_keypair(&pair) } } impl<'a> From<&'a Keypair> for PublicKey { #[inline] fn from(pair: &'a Keypair) -> Self { PublicKey::from_keypair(pair) } } impl str::FromStr for Keypair { type Err = Error; #[allow(unused_variables, unreachable_code)] // When built with no default features. fn from_str(s: &str) -> Result { #[cfg(feature = "global-context")] let ctx = SECP256K1; #[cfg(all(not(feature = "global-context"), feature = "alloc"))] let ctx = Secp256k1::signing_only(); #[cfg(not(any(feature = "global-context", feature = "alloc")))] let ctx: Secp256k1 = panic!("The previous implementation was panicking too, please enable the global-context feature of rust-secp256k1"); #[allow(clippy::needless_borrow)] Keypair::from_seckey_str(&ctx, s) } } #[cfg(feature = "serde")] impl serde::Serialize for Keypair { fn serialize(&self, s: S) -> Result { if s.is_human_readable() { let mut buf = [0u8; constants::SECRET_KEY_SIZE * 2]; s.serialize_str( crate::to_hex(&self.secret_bytes(), &mut buf) .expect("fixed-size hex serialization"), ) } else { let mut tuple = s.serialize_tuple(constants::SECRET_KEY_SIZE)?; for byte in self.secret_bytes().iter() { tuple.serialize_element(&byte)?; } tuple.end() } } } #[cfg(feature = "serde")] #[allow(unused_variables)] // For `data` under some feature combinations (the unconditional panic below). #[allow(unreachable_code)] // For `Keypair::from_seckey_slice` after unconditional panic. impl<'de> serde::Deserialize<'de> for Keypair { fn deserialize>(d: D) -> Result { if d.is_human_readable() { d.deserialize_str(super::serde_util::FromStrVisitor::new( "a hex string representing 32 byte Keypair", )) } else { let visitor = super::serde_util::Tuple32Visitor::new("raw 32 bytes Keypair", |data| { #[cfg(feature = "global-context")] let ctx = SECP256K1; #[cfg(all(not(feature = "global-context"), feature = "alloc"))] let ctx = Secp256k1::signing_only(); #[cfg(not(any(feature = "global-context", feature = "alloc")))] let ctx: Secp256k1 = panic!("cannot deserialize key pair without a context (please enable either the global-context or alloc feature)"); #[allow(clippy::needless_borrow)] Keypair::from_seckey_slice(&ctx, data) }); d.deserialize_tuple(constants::SECRET_KEY_SIZE, visitor) } } } impl CPtr for Keypair { type Target = ffi::Keypair; fn as_c_ptr(&self) -> *const Self::Target { &self.0 } fn as_mut_c_ptr(&mut self) -> *mut Self::Target { &mut self.0 } } /// An x-only public key, used for verification of Taproot signatures and serialized according to BIP-340. /// /// # Serde support /// /// Implements de/serialization with the `serde` feature enabled. We treat the byte value as a tuple /// of 32 `u8`s for non-human-readable formats. This representation is optimal for for some formats /// (e.g. [`bincode`]) however other formats may be less optimal (e.g. [`cbor`]). /// /// # Examples /// /// Basic usage: /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{rand, Secp256k1, Keypair, XOnlyPublicKey}; /// /// let secp = Secp256k1::new(); /// let keypair = Keypair::new(&secp, &mut rand::thread_rng()); /// let xonly = XOnlyPublicKey::from_keypair(&keypair); /// # } /// ``` /// [`bincode`]: https://docs.rs/bincode /// [`cbor`]: https://docs.rs/cbor #[derive(Copy, Clone, Debug, PartialOrd, Ord, PartialEq, Eq, Hash)] pub struct XOnlyPublicKey(ffi::XOnlyPublicKey); impl_fast_comparisons!(XOnlyPublicKey); impl fmt::LowerHex for XOnlyPublicKey { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { let ser = self.serialize(); for ch in &ser[..] { write!(f, "{:02x}", *ch)?; } Ok(()) } } impl fmt::Display for XOnlyPublicKey { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fmt::LowerHex::fmt(self, f) } } impl str::FromStr for XOnlyPublicKey { type Err = Error; fn from_str(s: &str) -> Result { let mut res = [0u8; constants::SCHNORR_PUBLIC_KEY_SIZE]; match from_hex(s, &mut res) { Ok(constants::SCHNORR_PUBLIC_KEY_SIZE) => XOnlyPublicKey::from_slice(&res[0..constants::SCHNORR_PUBLIC_KEY_SIZE]), _ => Err(Error::InvalidPublicKey), } } } impl XOnlyPublicKey { /// Obtains a raw const pointer suitable for use with FFI functions. #[inline] #[deprecated(since = "0.25.0", note = "Use Self::as_c_ptr if you need to access the FFI layer")] pub fn as_ptr(&self) -> *const ffi::XOnlyPublicKey { self.as_c_ptr() } /// Obtains a raw mutable pointer suitable for use with FFI functions. #[inline] #[deprecated( since = "0.25.0", note = "Use Self::as_mut_c_ptr if you need to access the FFI layer" )] pub fn as_mut_ptr(&mut self) -> *mut ffi::XOnlyPublicKey { self.as_mut_c_ptr() } /// Returns the [`XOnlyPublicKey`] (and it's [`Parity`]) for `keypair`. #[inline] pub fn from_keypair(keypair: &Keypair) -> (XOnlyPublicKey, Parity) { let mut pk_parity = 0; unsafe { let mut xonly_pk = ffi::XOnlyPublicKey::new(); let ret = ffi::secp256k1_keypair_xonly_pub( ffi::secp256k1_context_no_precomp, &mut xonly_pk, &mut pk_parity, keypair.as_c_ptr(), ); debug_assert_eq!(ret, 1); let parity = Parity::from_i32(pk_parity).expect("should not panic, pk_parity is 0 or 1"); (XOnlyPublicKey(xonly_pk), parity) } } /// Creates a schnorr public key directly from a slice. /// /// # Errors /// /// Returns [`Error::InvalidPublicKey`] if the length of the data slice is not 32 bytes or the /// slice does not represent a valid Secp256k1 point x coordinate. #[inline] pub fn from_slice(data: &[u8]) -> Result { if data.is_empty() || data.len() != constants::SCHNORR_PUBLIC_KEY_SIZE { return Err(Error::InvalidPublicKey); } unsafe { let mut pk = ffi::XOnlyPublicKey::new(); if ffi::secp256k1_xonly_pubkey_parse( ffi::secp256k1_context_no_precomp, &mut pk, data.as_c_ptr(), ) == 1 { Ok(XOnlyPublicKey(pk)) } else { Err(Error::InvalidPublicKey) } } } #[inline] /// Serializes the key as a byte-encoded x coordinate value (32 bytes). pub fn serialize(&self) -> [u8; constants::SCHNORR_PUBLIC_KEY_SIZE] { let mut ret = [0u8; constants::SCHNORR_PUBLIC_KEY_SIZE]; unsafe { let err = ffi::secp256k1_xonly_pubkey_serialize( ffi::secp256k1_context_no_precomp, ret.as_mut_c_ptr(), self.as_c_ptr(), ); debug_assert_eq!(err, 1); } ret } /// Tweaks an [`XOnlyPublicKey`] by adding the generator multiplied with the given tweak to it. /// /// # Returns /// /// The newly tweaked key plus an opaque type representing the parity of the tweaked key, this /// should be provided to `tweak_add_check` which can be used to verify a tweak more efficiently /// than regenerating it and checking equality. /// /// # Errors /// /// If the resulting key would be invalid. /// /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{Secp256k1, Keypair, Scalar, XOnlyPublicKey}; /// /// let secp = Secp256k1::new(); /// let tweak = Scalar::random(); /// /// let mut keypair = Keypair::new(&secp, &mut rand::thread_rng()); /// let (xonly, _parity) = keypair.x_only_public_key(); /// let tweaked = xonly.add_tweak(&secp, &tweak).expect("Improbable to fail with a randomly generated tweak"); /// # } /// ``` pub fn add_tweak( mut self, secp: &Secp256k1, tweak: &Scalar, ) -> Result<(XOnlyPublicKey, Parity), Error> { let mut pk_parity = 0; unsafe { let mut pubkey = ffi::PublicKey::new(); let mut err = ffi::secp256k1_xonly_pubkey_tweak_add( secp.ctx.as_ptr(), &mut pubkey, self.as_c_ptr(), tweak.as_c_ptr(), ); if err != 1 { return Err(Error::InvalidTweak); } err = ffi::secp256k1_xonly_pubkey_from_pubkey( secp.ctx.as_ptr(), &mut self.0, &mut pk_parity, &pubkey, ); if err == 0 { return Err(Error::InvalidPublicKey); } let parity = Parity::from_i32(pk_parity)?; Ok((self, parity)) } } /// Verifies that a tweak produced by [`XOnlyPublicKey::add_tweak`] was computed correctly. /// /// Should be called on the original untweaked key. Takes the tweaked key and output parity from /// [`XOnlyPublicKey::add_tweak`] as input. /// /// Currently this is not much more efficient than just recomputing the tweak and checking /// equality. However, in future this API will support batch verification, which is /// significantly faster, so it is wise to design protocols with this in mind. /// /// # Returns /// /// True if tweak and check is successful, false otherwise. /// /// # Examples /// /// ``` /// # #[cfg(feature = "rand-std")] { /// use secp256k1::{Secp256k1, Keypair, Scalar}; /// /// let secp = Secp256k1::new(); /// let tweak = Scalar::random(); /// /// let mut keypair = Keypair::new(&secp, &mut rand::thread_rng()); /// let (mut public_key, _) = keypair.x_only_public_key(); /// let original = public_key; /// let (tweaked, parity) = public_key.add_tweak(&secp, &tweak).expect("Improbable to fail with a randomly generated tweak"); /// assert!(original.tweak_add_check(&secp, &tweaked, parity, tweak)); /// # } /// ``` pub fn tweak_add_check( &self, secp: &Secp256k1, tweaked_key: &Self, tweaked_parity: Parity, tweak: Scalar, ) -> bool { let tweaked_ser = tweaked_key.serialize(); unsafe { let err = ffi::secp256k1_xonly_pubkey_tweak_add_check( secp.ctx.as_ptr(), tweaked_ser.as_c_ptr(), tweaked_parity.to_i32(), &self.0, tweak.as_c_ptr(), ); err == 1 } } /// Returns the [`PublicKey`] for this [`XOnlyPublicKey`]. /// /// This is equivalent to using [`PublicKey::from_xonly_and_parity(self, parity)`]. #[inline] pub fn public_key(&self, parity: Parity) -> PublicKey { PublicKey::from_x_only_public_key(*self, parity) } /// Checks that `sig` is a valid schnorr signature for `msg` using this public key. pub fn verify( &self, secp: &Secp256k1, msg: &Message, sig: &schnorr::Signature, ) -> Result<(), Error> { secp.verify_schnorr(sig, msg, self) } } /// Represents the parity passed between FFI function calls. #[derive(Copy, Clone, PartialEq, Eq, Debug, PartialOrd, Ord, Hash)] pub enum Parity { /// Even parity. Even = 0, /// Odd parity. Odd = 1, } impl Parity { /// Converts parity into an integer (byte) value. /// /// This returns `0` for even parity and `1` for odd parity. pub fn to_u8(self) -> u8 { self as u8 } /// Converts parity into an integer value. /// /// This returns `0` for even parity and `1` for odd parity. pub fn to_i32(self) -> i32 { self as i32 } /// Constructs a [`Parity`] from a byte. /// /// The only allowed values are `0` meaning even parity and `1` meaning odd. /// Other values result in error being returned. pub fn from_u8(parity: u8) -> Result { Parity::from_i32(parity.into()) } /// Constructs a [`Parity`] from a signed integer. /// /// The only allowed values are `0` meaning even parity and `1` meaning odd. /// Other values result in error being returned. pub fn from_i32(parity: i32) -> Result { match parity { 0 => Ok(Parity::Even), 1 => Ok(Parity::Odd), _ => Err(InvalidParityValue(parity)), } } } /// `Even` for `0`, `Odd` for `1`, error for anything else impl TryFrom for Parity { type Error = InvalidParityValue; fn try_from(parity: i32) -> Result { Self::from_i32(parity) } } /// `Even` for `0`, `Odd` for `1`, error for anything else impl TryFrom for Parity { type Error = InvalidParityValue; fn try_from(parity: u8) -> Result { Self::from_u8(parity) } } /// The conversion returns `0` for even parity and `1` for odd. impl From for i32 { fn from(parity: Parity) -> i32 { parity.to_i32() } } /// The conversion returns `0` for even parity and `1` for odd. impl From for u8 { fn from(parity: Parity) -> u8 { parity.to_u8() } } /// Returns even parity if the operands are equal, odd otherwise. impl BitXor for Parity { type Output = Parity; fn bitxor(self, rhs: Parity) -> Self::Output { // This works because Parity has only two values (i.e. only 1 bit of information). if self == rhs { Parity::Even // 1^1==0 and 0^0==0 } else { Parity::Odd // 1^0==1 and 0^1==1 } } } /// Error returned when conversion from an integer to `Parity` fails. // // Note that we don't allow inspecting the value because we may change the type. // Yes, this comment is intentionally NOT doc comment. // Too many derives for compatibility with current Error type. #[derive(Copy, Clone, Debug, Eq, PartialEq, Hash, Ord, PartialOrd)] pub struct InvalidParityValue(i32); impl fmt::Display for InvalidParityValue { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { write!(f, "invalid value {} for Parity - must be 0 or 1", self.0) } } #[cfg(feature = "std")] impl std::error::Error for InvalidParityValue {} impl From for Error { fn from(error: InvalidParityValue) -> Self { Error::InvalidParityValue(error) } } /// The parity is serialized as `u8` - `0` for even, `1` for odd. #[cfg(feature = "serde")] impl serde::Serialize for Parity { fn serialize(&self, s: S) -> Result { s.serialize_u8(self.to_u8()) } } /// The parity is deserialized as `u8` - `0` for even, `1` for odd. #[cfg(feature = "serde")] impl<'de> serde::Deserialize<'de> for Parity { fn deserialize>(d: D) -> Result { struct Visitor; impl<'de> serde::de::Visitor<'de> for Visitor { type Value = Parity; fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result { formatter.write_str("8-bit integer (byte) with value 0 or 1") } fn visit_u8(self, v: u8) -> Result where E: serde::de::Error, { use serde::de::Unexpected; Parity::from_u8(v) .map_err(|_| E::invalid_value(Unexpected::Unsigned(v.into()), &"0 or 1")) } } d.deserialize_u8(Visitor) } } impl CPtr for XOnlyPublicKey { type Target = ffi::XOnlyPublicKey; fn as_c_ptr(&self) -> *const Self::Target { &self.0 } fn as_mut_c_ptr(&mut self) -> *mut Self::Target { &mut self.0 } } /// Creates a new schnorr public key from a FFI x-only public key. impl From for XOnlyPublicKey { #[inline] fn from(pk: ffi::XOnlyPublicKey) -> XOnlyPublicKey { XOnlyPublicKey(pk) } } impl From for XOnlyPublicKey { fn from(src: PublicKey) -> XOnlyPublicKey { unsafe { let mut pk = ffi::XOnlyPublicKey::new(); assert_eq!( 1, ffi::secp256k1_xonly_pubkey_from_pubkey( ffi::secp256k1_context_no_precomp, &mut pk, ptr::null_mut(), src.as_c_ptr(), ) ); XOnlyPublicKey(pk) } } } #[cfg(feature = "serde")] impl serde::Serialize for XOnlyPublicKey { fn serialize(&self, s: S) -> Result { if s.is_human_readable() { s.collect_str(self) } else { let mut tuple = s.serialize_tuple(constants::SCHNORR_PUBLIC_KEY_SIZE)?; for byte in self.serialize().iter() { tuple.serialize_element(&byte)?; } tuple.end() } } } #[cfg(feature = "serde")] impl<'de> serde::Deserialize<'de> for XOnlyPublicKey { fn deserialize>(d: D) -> Result { if d.is_human_readable() { d.deserialize_str(super::serde_util::FromStrVisitor::new( "a hex string representing 32 byte schnorr public key", )) } else { let visitor = super::serde_util::Tuple32Visitor::new( "raw 32 bytes schnorr public key", XOnlyPublicKey::from_slice, ); d.deserialize_tuple(constants::SCHNORR_PUBLIC_KEY_SIZE, visitor) } } } #[cfg(test)] #[allow(unused_imports)] mod test { use core::str::FromStr; #[cfg(feature = "rand")] use rand::{self, rngs::mock::StepRng, RngCore}; use serde_test::{Configure, Token}; #[cfg(target_arch = "wasm32")] use wasm_bindgen_test::wasm_bindgen_test as test; use super::{Keypair, Parity, PublicKey, Secp256k1, SecretKey, XOnlyPublicKey, *}; use crate::Error::{InvalidPublicKey, InvalidSecretKey}; use crate::{constants, from_hex, to_hex, Scalar}; #[cfg(not(secp256k1_fuzz))] macro_rules! hex { ($hex:expr) => {{ let mut result = vec![0; $hex.len() / 2]; from_hex($hex, &mut result).expect("valid hex string"); result }}; } #[test] fn skey_from_slice() { let sk = SecretKey::from_slice(&[1; 31]); assert_eq!(sk, Err(InvalidSecretKey)); let sk = SecretKey::from_slice(&[1; 32]); assert!(sk.is_ok()); } #[test] fn pubkey_from_slice() { assert_eq!(PublicKey::from_slice(&[]), Err(InvalidPublicKey)); assert_eq!(PublicKey::from_slice(&[1, 2, 3]), Err(InvalidPublicKey)); let uncompressed = PublicKey::from_slice(&[ 4, 54, 57, 149, 239, 162, 148, 175, 246, 254, 239, 75, 154, 152, 10, 82, 234, 224, 85, 220, 40, 100, 57, 121, 30, 162, 94, 156, 135, 67, 74, 49, 179, 57, 236, 53, 162, 124, 149, 144, 168, 77, 74, 30, 72, 211, 229, 110, 111, 55, 96, 193, 86, 227, 183, 152, 195, 155, 51, 247, 123, 113, 60, 228, 188, ]); assert!(uncompressed.is_ok()); let compressed = PublicKey::from_slice(&[ 3, 23, 183, 225, 206, 31, 159, 148, 195, 42, 67, 115, 146, 41, 248, 140, 11, 3, 51, 41, 111, 180, 110, 143, 114, 134, 88, 73, 198, 174, 52, 184, 78, ]); assert!(compressed.is_ok()); } #[test] #[cfg(feature = "rand-std")] fn keypair_slice_round_trip() { let s = Secp256k1::new(); let (sk1, pk1) = s.generate_keypair(&mut rand::thread_rng()); assert_eq!(SecretKey::from_slice(&sk1[..]), Ok(sk1)); assert_eq!(PublicKey::from_slice(&pk1.serialize()[..]), Ok(pk1)); assert_eq!(PublicKey::from_slice(&pk1.serialize_uncompressed()[..]), Ok(pk1)); } #[test] #[cfg(all(feature = "std", not(secp256k1_fuzz)))] fn erased_keypair_is_valid() { let s = Secp256k1::new(); let kp = Keypair::from_seckey_slice(&s, &[1u8; constants::SECRET_KEY_SIZE]) .expect("valid secret key"); let mut kp2 = kp; kp2.non_secure_erase(); assert!(kp.eq_fast_unstable(&kp2)); } #[test] #[rustfmt::skip] fn invalid_secret_key() { // Zero assert_eq!(SecretKey::from_slice(&[0; 32]), Err(InvalidSecretKey)); assert_eq!( SecretKey::from_str("0000000000000000000000000000000000000000000000000000000000000000"), Err(InvalidSecretKey) ); // -1 assert_eq!(SecretKey::from_slice(&[0xff; 32]), Err(InvalidSecretKey)); // Top of range assert!(SecretKey::from_slice(&[ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x40, ]).is_ok()); // One past top of range assert!(SecretKey::from_slice(&[ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41, ]).is_err()); } #[test] #[cfg(all(feature = "rand", feature = "alloc"))] fn test_out_of_range() { struct BadRng(u8); impl RngCore for BadRng { fn next_u32(&mut self) -> u32 { unimplemented!() } fn next_u64(&mut self) -> u64 { unimplemented!() } // This will set a secret key to a little over the // group order, then decrement with repeated calls // until it returns a valid key fn fill_bytes(&mut self, data: &mut [u8]) { #[rustfmt::skip] let group_order: [u8; 32] = [ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41]; assert_eq!(data.len(), 32); data.copy_from_slice(&group_order[..]); data[31] = self.0; self.0 -= 1; } fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), rand::Error> { self.fill_bytes(dest); Ok(()) } } let s = Secp256k1::new(); s.generate_keypair(&mut BadRng(0xff)); } #[test] fn test_pubkey_from_bad_slice() { // Bad sizes assert_eq!( PublicKey::from_slice(&[0; constants::PUBLIC_KEY_SIZE - 1]), Err(InvalidPublicKey) ); assert_eq!( PublicKey::from_slice(&[0; constants::PUBLIC_KEY_SIZE + 1]), Err(InvalidPublicKey) ); assert_eq!( PublicKey::from_slice(&[0; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE - 1]), Err(InvalidPublicKey) ); assert_eq!( PublicKey::from_slice(&[0; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE + 1]), Err(InvalidPublicKey) ); // Bad parse assert_eq!( PublicKey::from_slice(&[0xff; constants::UNCOMPRESSED_PUBLIC_KEY_SIZE]), Err(InvalidPublicKey) ); assert_eq!( PublicKey::from_slice(&[0x55; constants::PUBLIC_KEY_SIZE]), Err(InvalidPublicKey) ); assert_eq!(PublicKey::from_slice(&[]), Err(InvalidPublicKey)); } #[test] fn test_seckey_from_bad_slice() { // Bad sizes assert_eq!( SecretKey::from_slice(&[0; constants::SECRET_KEY_SIZE - 1]), Err(InvalidSecretKey) ); assert_eq!( SecretKey::from_slice(&[0; constants::SECRET_KEY_SIZE + 1]), Err(InvalidSecretKey) ); // Bad parse assert_eq!( SecretKey::from_slice(&[0xff; constants::SECRET_KEY_SIZE]), Err(InvalidSecretKey) ); assert_eq!( SecretKey::from_slice(&[0x00; constants::SECRET_KEY_SIZE]), Err(InvalidSecretKey) ); assert_eq!(SecretKey::from_slice(&[]), Err(InvalidSecretKey)); } #[test] #[cfg(all(feature = "rand", feature = "alloc"))] fn test_debug_output() { let s = Secp256k1::new(); let (sk, _) = s.generate_keypair(&mut StepRng::new(1, 1)); assert_eq!(&format!("{:?}", sk), "SecretKey(#d3e0c51a23169bb5)"); let mut buf = [0u8; constants::SECRET_KEY_SIZE * 2]; assert_eq!( to_hex(&sk[..], &mut buf).unwrap(), "0100000000000000020000000000000003000000000000000400000000000000" ); } #[test] #[cfg(feature = "alloc")] fn test_display_output() { #[rustfmt::skip] static SK_BYTES: [u8; 32] = [ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, ]; #[cfg(not(secp256k1_fuzz))] let s = Secp256k1::signing_only(); let sk = SecretKey::from_slice(&SK_BYTES).expect("sk"); // In fuzzing mode secret->public key derivation is different, so // hard-code the expected result. #[cfg(not(secp256k1_fuzz))] let pk = PublicKey::from_secret_key(&s, &sk); #[cfg(secp256k1_fuzz)] let pk = PublicKey::from_slice(&[ 0x02, 0x18, 0x84, 0x57, 0x81, 0xf6, 0x31, 0xc4, 0x8f, 0x1c, 0x97, 0x09, 0xe2, 0x30, 0x92, 0x06, 0x7d, 0x06, 0x83, 0x7f, 0x30, 0xaa, 0x0c, 0xd0, 0x54, 0x4a, 0xc8, 0x87, 0xfe, 0x91, 0xdd, 0xd1, 0x66, ]) .expect("pk"); assert_eq!( sk.display_secret().to_string(), "01010101010101010001020304050607ffff0000ffff00006363636363636363" ); assert_eq!( SecretKey::from_str("01010101010101010001020304050607ffff0000ffff00006363636363636363") .unwrap(), sk ); assert_eq!( pk.to_string(), "0218845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166" ); assert_eq!( PublicKey::from_str( "0218845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166" ) .unwrap(), pk ); assert_eq!( PublicKey::from_str( "04\ 18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166\ 84B84DB303A340CD7D6823EE88174747D12A67D2F8F2F9BA40846EE5EE7A44F6" ) .unwrap(), pk ); assert!(SecretKey::from_str( "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" ) .is_err()); assert!(SecretKey::from_str( "01010101010101010001020304050607ffff0000ffff0000636363636363636363" ) .is_err()); assert!(SecretKey::from_str( "01010101010101010001020304050607ffff0000ffff0000636363636363636" ) .is_err()); assert!(SecretKey::from_str( "01010101010101010001020304050607ffff0000ffff000063636363636363" ) .is_err()); assert!(SecretKey::from_str( "01010101010101010001020304050607ffff0000ffff000063636363636363xx" ) .is_err()); assert!(PublicKey::from_str( "0300000000000000000000000000000000000000000000000000000000000000000" ) .is_err()); assert!(PublicKey::from_str( "0218845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd16601" ) .is_err()); assert!(PublicKey::from_str( "0218845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd16" ) .is_err()); assert!(PublicKey::from_str( "0218845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd1" ) .is_err()); assert!(PublicKey::from_str( "xx0218845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd1" ) .is_err()); let long_str = "a".repeat(1024 * 1024); assert!(SecretKey::from_str(&long_str).is_err()); assert!(PublicKey::from_str(&long_str).is_err()); } #[test] // In fuzzing mode the Y coordinate is expected to match the X, so this // test uses invalid public keys. #[cfg(not(secp256k1_fuzz))] #[cfg(all(feature = "alloc", feature = "rand"))] fn test_pubkey_serialize() { let s = Secp256k1::new(); let (_, pk1) = s.generate_keypair(&mut StepRng::new(1, 1)); assert_eq!( &pk1.serialize_uncompressed()[..], &[ 4, 124, 121, 49, 14, 253, 63, 197, 50, 39, 194, 107, 17, 193, 219, 108, 154, 126, 9, 181, 248, 2, 12, 149, 233, 198, 71, 149, 134, 250, 184, 154, 229, 185, 28, 165, 110, 27, 3, 162, 126, 238, 167, 157, 242, 221, 76, 251, 237, 34, 231, 72, 39, 245, 3, 191, 64, 111, 170, 117, 103, 82, 28, 102, 163 ][..] ); assert_eq!( &pk1.serialize()[..], &[ 3, 124, 121, 49, 14, 253, 63, 197, 50, 39, 194, 107, 17, 193, 219, 108, 154, 126, 9, 181, 248, 2, 12, 149, 233, 198, 71, 149, 134, 250, 184, 154, 229 ][..] ); } #[test] #[cfg(feature = "rand-std")] fn tweak_add_arbitrary_data() { let s = Secp256k1::new(); let (sk, pk) = s.generate_keypair(&mut rand::thread_rng()); assert_eq!(PublicKey::from_secret_key(&s, &sk), pk); // Sanity check. // TODO: This would be better tested with a _lot_ of different tweaks. let tweak = Scalar::random(); let tweaked_sk = sk.add_tweak(&tweak).unwrap(); assert_ne!(sk, tweaked_sk); // Make sure we did something. let tweaked_pk = pk.add_exp_tweak(&s, &tweak).unwrap(); assert_ne!(pk, tweaked_pk); assert_eq!(PublicKey::from_secret_key(&s, &tweaked_sk), tweaked_pk); } #[test] #[cfg(feature = "rand-std")] fn tweak_add_zero() { let s = Secp256k1::new(); let (sk, pk) = s.generate_keypair(&mut rand::thread_rng()); let tweak = Scalar::ZERO; let tweaked_sk = sk.add_tweak(&tweak).unwrap(); assert_eq!(sk, tweaked_sk); // Tweak by zero does nothing. let tweaked_pk = pk.add_exp_tweak(&s, &tweak).unwrap(); assert_eq!(pk, tweaked_pk); } #[test] #[cfg(feature = "rand-std")] fn tweak_mul_arbitrary_data() { let s = Secp256k1::new(); let (sk, pk) = s.generate_keypair(&mut rand::thread_rng()); assert_eq!(PublicKey::from_secret_key(&s, &sk), pk); // Sanity check. // TODO: This would be better tested with a _lot_ of different tweaks. let tweak = Scalar::random(); let tweaked_sk = sk.mul_tweak(&tweak).unwrap(); assert_ne!(sk, tweaked_sk); // Make sure we did something. let tweaked_pk = pk.mul_tweak(&s, &tweak).unwrap(); assert_ne!(pk, tweaked_pk); assert_eq!(PublicKey::from_secret_key(&s, &tweaked_sk), tweaked_pk); } #[test] #[cfg(feature = "rand-std")] fn tweak_mul_zero() { let s = Secp256k1::new(); let (sk, _) = s.generate_keypair(&mut rand::thread_rng()); let tweak = Scalar::ZERO; assert!(sk.mul_tweak(&tweak).is_err()) } #[test] #[cfg(feature = "rand-std")] fn test_negation() { let s = Secp256k1::new(); let (sk, pk) = s.generate_keypair(&mut rand::thread_rng()); assert_eq!(PublicKey::from_secret_key(&s, &sk), pk); // Sanity check. let neg = sk.negate(); assert_ne!(sk, neg); let back_sk = neg.negate(); assert_eq!(sk, back_sk); let neg = pk.negate(&s); assert_ne!(pk, neg); let back_pk = neg.negate(&s); assert_eq!(pk, back_pk); assert_eq!(PublicKey::from_secret_key(&s, &back_sk), pk); } #[test] #[cfg(feature = "rand-std")] fn pubkey_hash() { use std::collections::hash_map::DefaultHasher; use std::collections::HashSet; use std::hash::{Hash, Hasher}; fn hash(t: &T) -> u64 { let mut s = DefaultHasher::new(); t.hash(&mut s); s.finish() } let s = Secp256k1::new(); let mut set = HashSet::new(); const COUNT: usize = 1024; for _ in 0..COUNT { let (_, pk) = s.generate_keypair(&mut rand::thread_rng()); let hash = hash(&pk); assert!(!set.contains(&hash)); set.insert(hash); } assert_eq!(set.len(), COUNT); } #[test] #[cfg(not(secp256k1_fuzz))] fn pubkey_combine() { let compressed1 = PublicKey::from_slice(&hex!( "0241cc121c419921942add6db6482fb36243faf83317c866d2a28d8c6d7089f7ba" )) .unwrap(); let compressed2 = PublicKey::from_slice(&hex!( "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443" )) .unwrap(); let exp_sum = PublicKey::from_slice(&hex!( "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07" )) .unwrap(); let sum1 = compressed1.combine(&compressed2); assert!(sum1.is_ok()); let sum2 = compressed2.combine(&compressed1); assert!(sum2.is_ok()); assert_eq!(sum1, sum2); assert_eq!(sum1.unwrap(), exp_sum); } #[test] #[cfg(not(secp256k1_fuzz))] fn pubkey_combine_keys() { let compressed1 = PublicKey::from_slice(&hex!( "0241cc121c419921942add6db6482fb36243faf83317c866d2a28d8c6d7089f7ba" )) .unwrap(); let compressed2 = PublicKey::from_slice(&hex!( "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443" )) .unwrap(); let compressed3 = PublicKey::from_slice(&hex!( "03e74897d8644eb3e5b391ca2ab257aec2080f4d1a95cad57e454e47f021168eb0" )) .unwrap(); let exp_sum = PublicKey::from_slice(&hex!( "0252d73a47f66cf341e5651542f0348f452b7c793af62a6d8bff75ade703a451ad" )) .unwrap(); let sum1 = PublicKey::combine_keys(&[&compressed1, &compressed2, &compressed3]); assert!(sum1.is_ok()); let sum2 = PublicKey::combine_keys(&[&compressed1, &compressed2, &compressed3]); assert!(sum2.is_ok()); assert_eq!(sum1, sum2); assert_eq!(sum1.unwrap(), exp_sum); } #[test] #[cfg(not(secp256k1_fuzz))] fn pubkey_combine_keys_empty_slice() { assert!(PublicKey::combine_keys(&[]).is_err()); } #[test] #[cfg(feature = "rand-std")] fn create_pubkey_combine() { let s = Secp256k1::new(); let (sk1, pk1) = s.generate_keypair(&mut rand::thread_rng()); let (sk2, pk2) = s.generate_keypair(&mut rand::thread_rng()); let sum1 = pk1.combine(&pk2); assert!(sum1.is_ok()); let sum2 = pk2.combine(&pk1); assert!(sum2.is_ok()); assert_eq!(sum1, sum2); let tweaked = sk1.add_tweak(&Scalar::from(sk2)).unwrap(); let sksum = PublicKey::from_secret_key(&s, &tweaked); assert_eq!(Ok(sksum), sum1); } #[cfg(not(secp256k1_fuzz))] #[test] #[allow(clippy::nonminimal_bool)] fn pubkey_equal() { let pk1 = PublicKey::from_slice(&hex!( "0241cc121c419921942add6db6482fb36243faf83317c866d2a28d8c6d7089f7ba" )) .unwrap(); let pk2 = pk1; let pk3 = PublicKey::from_slice(&hex!( "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443" )) .unwrap(); assert_eq!(pk1, pk2); assert!(pk1 <= pk2); assert!(pk2 <= pk1); assert!(!(pk2 < pk1)); assert!(!(pk1 < pk2)); assert!(pk3 > pk1); assert!(pk1 < pk3); assert!(pk3 >= pk1); assert!(pk1 <= pk3); } #[test] #[cfg(all(feature = "serde", feature = "alloc"))] fn test_serde() { use serde_test::{assert_tokens, Configure, Token}; #[rustfmt::skip] static SK_BYTES: [u8; 32] = [ 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 2, 3, 4, 5, 6, 7, 0xff, 0xff, 0, 0, 0xff, 0xff, 0, 0, 99, 99, 99, 99, 99, 99, 99, 99 ]; static SK_STR: &str = "01010101010101010001020304050607ffff0000ffff00006363636363636363"; #[cfg(secp256k1_fuzz)] #[rustfmt::skip] static PK_BYTES: [u8; 33] = [ 0x02, 0x18, 0x84, 0x57, 0x81, 0xf6, 0x31, 0xc4, 0x8f, 0x1c, 0x97, 0x09, 0xe2, 0x30, 0x92, 0x06, 0x7d, 0x06, 0x83, 0x7f, 0x30, 0xaa, 0x0c, 0xd0, 0x54, 0x4a, 0xc8, 0x87, 0xfe, 0x91, 0xdd, 0xd1, 0x66, ]; static PK_STR: &str = "0218845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166"; #[cfg(not(secp256k1_fuzz))] let s = Secp256k1::new(); let sk = SecretKey::from_slice(&SK_BYTES).unwrap(); // In fuzzing mode secret->public key derivation is different, so // hard-code the expected result. #[cfg(not(secp256k1_fuzz))] let pk = PublicKey::from_secret_key(&s, &sk); #[cfg(secp256k1_fuzz)] let pk = PublicKey::from_slice(&PK_BYTES).expect("pk"); #[rustfmt::skip] assert_tokens(&sk.compact(), &[ Token::Tuple{ len: 32 }, Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(0), Token::U8(1), Token::U8(2), Token::U8(3), Token::U8(4), Token::U8(5), Token::U8(6), Token::U8(7), Token::U8(0xff), Token::U8(0xff), Token::U8(0), Token::U8(0), Token::U8(0xff), Token::U8(0xff), Token::U8(0), Token::U8(0), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::TupleEnd ]); assert_tokens(&sk.readable(), &[Token::BorrowedStr(SK_STR)]); assert_tokens(&sk.readable(), &[Token::Str(SK_STR)]); assert_tokens(&sk.readable(), &[Token::String(SK_STR)]); #[rustfmt::skip] assert_tokens(&pk.compact(), &[ Token::Tuple{ len: 33 }, Token::U8(0x02), Token::U8(0x18), Token::U8(0x84), Token::U8(0x57), Token::U8(0x81), Token::U8(0xf6), Token::U8(0x31), Token::U8(0xc4), Token::U8(0x8f), Token::U8(0x1c), Token::U8(0x97), Token::U8(0x09), Token::U8(0xe2), Token::U8(0x30), Token::U8(0x92), Token::U8(0x06), Token::U8(0x7d), Token::U8(0x06), Token::U8(0x83), Token::U8(0x7f), Token::U8(0x30), Token::U8(0xaa), Token::U8(0x0c), Token::U8(0xd0), Token::U8(0x54), Token::U8(0x4a), Token::U8(0xc8), Token::U8(0x87), Token::U8(0xfe), Token::U8(0x91), Token::U8(0xdd), Token::U8(0xd1), Token::U8(0x66), Token::TupleEnd ]); assert_tokens(&pk.readable(), &[Token::BorrowedStr(PK_STR)]); assert_tokens(&pk.readable(), &[Token::Str(PK_STR)]); assert_tokens(&pk.readable(), &[Token::String(PK_STR)]); } #[test] #[cfg(feature = "rand-std")] fn test_tweak_add_then_tweak_add_check() { let s = Secp256k1::new(); // TODO: 10 times is arbitrary, we should test this a _lot_ of times. for _ in 0..10 { let tweak = Scalar::random(); let kp = Keypair::new(&s, &mut rand::thread_rng()); let (xonly, _) = XOnlyPublicKey::from_keypair(&kp); let tweaked_kp = kp.add_xonly_tweak(&s, &tweak).expect("keypair tweak add failed"); let (tweaked_xonly, parity) = xonly.add_tweak(&s, &tweak).expect("xonly pubkey tweak failed"); let (want_tweaked_xonly, tweaked_kp_parity) = XOnlyPublicKey::from_keypair(&tweaked_kp); assert_eq!(tweaked_xonly, want_tweaked_xonly); assert_eq!(parity, tweaked_kp_parity); assert!(xonly.tweak_add_check(&s, &tweaked_xonly, parity, tweak)); } } #[test] fn test_from_key_pubkey() { let kpk1 = PublicKey::from_str( "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443", ) .unwrap(); let kpk2 = PublicKey::from_str( "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07", ) .unwrap(); let pk1 = XOnlyPublicKey::from(kpk1); let pk2 = XOnlyPublicKey::from(kpk2); assert_eq!(pk1.serialize()[..], kpk1.serialize()[1..]); assert_eq!(pk2.serialize()[..], kpk2.serialize()[1..]); } #[test] #[cfg(all(feature = "global-context", feature = "serde"))] fn test_serde_keypair() { use serde::{Deserialize, Deserializer, Serialize, Serializer}; use serde_test::{assert_tokens, Configure, Token}; use crate::key::Keypair; use crate::SECP256K1; #[rustfmt::skip] static SK_BYTES: [u8; 32] = [ 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 2, 3, 4, 5, 6, 7, 0xff, 0xff, 0, 0, 0xff, 0xff, 0, 0, 99, 99, 99, 99, 99, 99, 99, 99 ]; static SK_STR: &str = "01010101010101010001020304050607ffff0000ffff00006363636363636363"; let sk = Keypair::from_seckey_slice(SECP256K1, &SK_BYTES).unwrap(); #[rustfmt::skip] assert_tokens(&sk.compact(), &[ Token::Tuple{ len: 32 }, Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(1), Token::U8(0), Token::U8(1), Token::U8(2), Token::U8(3), Token::U8(4), Token::U8(5), Token::U8(6), Token::U8(7), Token::U8(0xff), Token::U8(0xff), Token::U8(0), Token::U8(0), Token::U8(0xff), Token::U8(0xff), Token::U8(0), Token::U8(0), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::U8(99), Token::TupleEnd ]); assert_tokens(&sk.readable(), &[Token::BorrowedStr(SK_STR)]); assert_tokens(&sk.readable(), &[Token::Str(SK_STR)]); assert_tokens(&sk.readable(), &[Token::String(SK_STR)]); } #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn keys() -> (SecretKey, PublicKey, Keypair, XOnlyPublicKey) { let secp = Secp256k1::new(); #[rustfmt::skip] static SK_BYTES: [u8; 32] = [ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, ]; #[rustfmt::skip] static PK_BYTES: [u8; 32] = [ 0x18, 0x84, 0x57, 0x81, 0xf6, 0x31, 0xc4, 0x8f, 0x1c, 0x97, 0x09, 0xe2, 0x30, 0x92, 0x06, 0x7d, 0x06, 0x83, 0x7f, 0x30, 0xaa, 0x0c, 0xd0, 0x54, 0x4a, 0xc8, 0x87, 0xfe, 0x91, 0xdd, 0xd1, 0x66 ]; let mut pk_bytes = [0u8; 33]; pk_bytes[0] = 0x02; // Use positive Y co-ordinate. pk_bytes[1..].clone_from_slice(&PK_BYTES); let sk = SecretKey::from_slice(&SK_BYTES).expect("failed to parse sk bytes"); let pk = PublicKey::from_slice(&pk_bytes).expect("failed to create pk from iterator"); let kp = Keypair::from_secret_key(&secp, &sk); let xonly = XOnlyPublicKey::from_slice(&PK_BYTES).expect("failed to get xonly from slice"); (sk, pk, kp, xonly) } #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn convert_public_key_to_xonly_public_key() { let (_sk, pk, _kp, want) = keys(); let (got, parity) = pk.x_only_public_key(); assert_eq!(parity, Parity::Even); assert_eq!(got, want) } #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn convert_secret_key_to_public_key() { let secp = Secp256k1::new(); let (sk, want, _kp, _xonly) = keys(); let got = sk.public_key(&secp); assert_eq!(got, want) } #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn convert_secret_key_to_x_only_public_key() { let secp = Secp256k1::new(); let (sk, _pk, _kp, want) = keys(); let (got, parity) = sk.x_only_public_key(&secp); assert_eq!(parity, Parity::Even); assert_eq!(got, want) } #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn convert_keypair_to_public_key() { let (_sk, want, kp, _xonly) = keys(); let got = kp.public_key(); assert_eq!(got, want) } #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn convert_keypair_to_x_only_public_key() { let (_sk, _pk, kp, want) = keys(); let (got, parity) = kp.x_only_public_key(); assert_eq!(parity, Parity::Even); assert_eq!(got, want) } // SecretKey -> Keypair -> SecretKey #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn roundtrip_secret_key_via_keypair() { let secp = Secp256k1::new(); let (sk, _pk, _kp, _xonly) = keys(); let kp = sk.keypair(&secp); let back = kp.secret_key(); assert_eq!(back, sk) } // Keypair -> SecretKey -> Keypair #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn roundtrip_keypair_via_secret_key() { let secp = Secp256k1::new(); let (_sk, _pk, kp, _xonly) = keys(); let sk = kp.secret_key(); let back = sk.keypair(&secp); assert_eq!(back, kp) } // XOnlyPublicKey -> PublicKey -> XOnlyPublicKey #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn roundtrip_x_only_public_key_via_public_key() { let (_sk, _pk, _kp, xonly) = keys(); let pk = xonly.public_key(Parity::Even); let (back, parity) = pk.x_only_public_key(); assert_eq!(parity, Parity::Even); assert_eq!(back, xonly) } // PublicKey -> XOnlyPublicKey -> PublicKey #[test] #[cfg(all(not(secp256k1_fuzz), feature = "alloc"))] fn roundtrip_public_key_via_x_only_public_key() { let (_sk, pk, _kp, _xonly) = keys(); let (xonly, parity) = pk.x_only_public_key(); let back = xonly.public_key(parity); assert_eq!(back, pk) } #[test] fn public_key_from_x_only_public_key_and_odd_parity() { let s = "18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166"; let mut want = String::from("03"); want.push_str(s); let xonly = XOnlyPublicKey::from_str(s).expect("failed to parse xonly pubkey string"); let pk = xonly.public_key(Parity::Odd); let got = format!("{}", pk); assert_eq!(got, want) } #[test] #[cfg(not(secp256k1_fuzz))] #[cfg(all(feature = "global-context", feature = "serde"))] fn test_serde_x_only_pubkey() { use serde_test::{assert_tokens, Configure, Token}; #[rustfmt::skip] static SK_BYTES: [u8; 32] = [ 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 2, 3, 4, 5, 6, 7, 0xff, 0xff, 0, 0, 0xff, 0xff, 0, 0, 99, 99, 99, 99, 99, 99, 99, 99 ]; static PK_STR: &str = "18845781f631c48f1c9709e23092067d06837f30aa0cd0544ac887fe91ddd166"; let kp = Keypair::from_seckey_slice(crate::SECP256K1, &SK_BYTES).unwrap(); let (pk, _parity) = XOnlyPublicKey::from_keypair(&kp); #[rustfmt::skip] assert_tokens(&pk.compact(), &[ Token::Tuple{ len: 32 }, Token::U8(0x18), Token::U8(0x84), Token::U8(0x57), Token::U8(0x81), Token::U8(0xf6), Token::U8(0x31), Token::U8(0xc4), Token::U8(0x8f), Token::U8(0x1c), Token::U8(0x97), Token::U8(0x09), Token::U8(0xe2), Token::U8(0x30), Token::U8(0x92), Token::U8(0x06), Token::U8(0x7d), Token::U8(0x06), Token::U8(0x83), Token::U8(0x7f), Token::U8(0x30), Token::U8(0xaa), Token::U8(0x0c), Token::U8(0xd0), Token::U8(0x54), Token::U8(0x4a), Token::U8(0xc8), Token::U8(0x87), Token::U8(0xfe), Token::U8(0x91), Token::U8(0xdd), Token::U8(0xd1), Token::U8(0x66), Token::TupleEnd ]); assert_tokens(&pk.readable(), &[Token::BorrowedStr(PK_STR)]); assert_tokens(&pk.readable(), &[Token::Str(PK_STR)]); assert_tokens(&pk.readable(), &[Token::String(PK_STR)]); } #[test] #[cfg(feature = "rand-std")] fn test_keypair_from_str() { let ctx = crate::Secp256k1::new(); let keypair = Keypair::new(&ctx, &mut rand::thread_rng()); let mut buf = [0_u8; constants::SECRET_KEY_SIZE * 2]; // Holds hex digits. let s = to_hex(&keypair.secret_key().secret_bytes(), &mut buf).unwrap(); let parsed_key = Keypair::from_str(s).unwrap(); assert_eq!(parsed_key, keypair); } #[test] #[cfg(all(any(feature = "alloc", feature = "global-context"), feature = "serde"))] fn test_keypair_deserialize_serde() { let ctx = crate::Secp256k1::new(); let sec_key_str = "4242424242424242424242424242424242424242424242424242424242424242"; let keypair = Keypair::from_seckey_str(&ctx, sec_key_str).unwrap(); serde_test::assert_tokens(&keypair.readable(), &[Token::String(sec_key_str)]); let sec_key_bytes = keypair.secret_key().secret_bytes(); let tokens = std::iter::once(Token::Tuple { len: 32 }) .chain(sec_key_bytes.iter().copied().map(Token::U8)) .chain(std::iter::once(Token::TupleEnd)) .collect::>(); serde_test::assert_tokens(&keypair.compact(), &tokens); } #[test] #[should_panic(expected = "The previous implementation was panicking too")] #[cfg(not(any(feature = "alloc", feature = "global-context")))] fn test_parse_keypair_no_alloc_panic() { let key_hex = "4242424242424242424242424242424242424242424242424242424242424242"; let _: Keypair = key_hex.parse().expect("We shouldn't even get this far"); } } #[cfg(bench)] mod benches { use std::collections::BTreeSet; use test::Bencher; use crate::constants::GENERATOR_X; use crate::PublicKey; #[bench] fn bench_pk_ordering(b: &mut Bencher) { let mut map = BTreeSet::new(); let mut g_slice = [02u8; 33]; g_slice[1..].copy_from_slice(&GENERATOR_X); let g = PublicKey::from_slice(&g_slice).unwrap(); let mut pk = g; b.iter(|| { map.insert(pk); pk = pk.combine(&pk).unwrap(); }) } }