Reject the identity in `SpendValidatingKey::from_bytes`

`ak_P` is not allowed to be the identity in the Orchard protocol. We were enforcing this by construction in most places, except for the parsing of an Orchard full viewing key. Closes zcash/orchard#261.
2021-12-15 13:48:59 +00:00 · 2021-12-15 13:48:59 +00:00 · 044844c0a0
parent 99b767a3a1
commit 044844c0a0
1 changed files with 13 additions and 4 deletions
--- a/src/keys.rs
+++ b/src/keys.rs
@ -181,14 +181,17 @@ impl SpendValidatingKey {
    pub(crate) fn from_bytes(bytes: &[u8]) -> Option<Self> {
        <[u8; 32]>::try_from(bytes)
            .ok()
-            .and_then(|b|
-                // check that the sign of the y-coordinate is positive
-                if b[31] & 0x80 == 0 {
+            .and_then(|b| {
+                // Structural validity checks for ak_P:
+                // - The point must not be the identity
+                //   (which for Pallas is canonically encoded as all-zeroes).
+                // - The sign of the y-coordinate must be positive.
+                if b != [0; 32] && b[31] & 0x80 == 0 {
                    <redpallas::VerificationKey<SpendAuth>>::try_from(b).ok()
                } else {
                    None
                }
-            )
+            })
            .map(SpendValidatingKey)
    }
 }
@ -838,6 +841,12 @@ mod tests {
        Note,
    };

+    #[test]
+    fn spend_validating_key_from_bytes() {
+        // ak_P must not be the identity.
+        assert!(SpendValidatingKey::from_bytes(&[0; 32]).is_none());
+    }
+
    #[test]
    fn parsers_reject_invalid() {
        assert!(bool::from(