mirror of https://github.com/zcash/orchard.git
Reject the identity in `SpendValidatingKey::from_bytes`
`ak_P` is not allowed to be the identity in the Orchard protocol. We were enforcing this by construction in most places, except for the parsing of an Orchard full viewing key. Closes zcash/orchard#261.
parent
99b767a3a1
commit
044844c0a0
17
src/keys.rs
17
src/keys.rs
|
@ -181,14 +181,17 @@ impl SpendValidatingKey {
|
||||||
pub(crate) fn from_bytes(bytes: &[u8]) -> Option<Self> {
|
pub(crate) fn from_bytes(bytes: &[u8]) -> Option<Self> {
|
||||||
<[u8; 32]>::try_from(bytes)
|
<[u8; 32]>::try_from(bytes)
|
||||||
.ok()
|
.ok()
|
||||||
.and_then(|b|
|
.and_then(|b| {
|
||||||
// check that the sign of the y-coordinate is positive
|
// Structural validity checks for ak_P:
|
||||||
if b[31] & 0x80 == 0 {
|
// - The point must not be the identity
|
||||||
|
// (which for Pallas is canonically encoded as all-zeroes).
|
||||||
|
// - The sign of the y-coordinate must be positive.
|
||||||
|
if b != [0; 32] && b[31] & 0x80 == 0 {
|
||||||
<redpallas::VerificationKey<SpendAuth>>::try_from(b).ok()
|
<redpallas::VerificationKey<SpendAuth>>::try_from(b).ok()
|
||||||
} else {
|
} else {
|
||||||
None
|
None
|
||||||
}
|
}
|
||||||
)
|
})
|
||||||
.map(SpendValidatingKey)
|
.map(SpendValidatingKey)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -838,6 +841,12 @@ mod tests {
|
||||||
Note,
|
Note,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn spend_validating_key_from_bytes() {
|
||||||
|
// ak_P must not be the identity.
|
||||||
|
assert!(SpendValidatingKey::from_bytes(&[0; 32]).is_none());
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn parsers_reject_invalid() {
|
fn parsers_reject_invalid() {
|
||||||
assert!(bool::from(
|
assert!(bool::from(
|
||||||
|
|
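Review bot: The new test `spend_validating_key_from_bytes` pins only the all-zero encoding, so the other two rejection paths of `from_bytes` (wrong input length, and the sign bit set in the last byte) have no regression coverage in this section. Because the identity check is a byte comparison, `b != [0; 32]`, it is worth pinning that a zero x-coordinate with the sign bit set is rejected too: `let mut b = [0u8; 32]; b[31] = 0x80; assert!(SpendValidatingKey::from_bytes(&b).is_none());`. Add `assert!(SpendValidatingKey::from_bytes(&[0; 31]).is_none());` for the length path. Whether `redpallas::VerificationKey::try_from` rejects non-canonical encodings is not visible here, so the comment's assumption that the identity is only ever encoded as all-zeroes should be confirmed against that parser.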