zecfoundation
/
rust-secp256k1
mirror of https://github.com/ZcashFoundation/rust-secp256k1.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
rust-secp256k1/src/lib.rs

840 lines
29 KiB
Rust
Raw Normal View History

Add CC0 license and header to all files
2014-08-11 19:26:14 -07:00
// Bitcoin secp256k1 bindings
// Written in 2014 by
// Dawid Ciężarkiewicz
// Andrew Poelstra
//
// To the extent possible under law, the author(s) have dedicated all
// copyright and related and neighboring rights to this software to
// the public domain worldwide. This software is distributed without
// any warranty.
//
// You should have received a copy of the CC0 Public Domain Dedication
// along with this software.
// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
//
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
//! # Secp256k1
//! Rust bindings for Pieter Wuille's secp256k1 library, which is used for
//! fast and accurate manipulation of ECDSA signatures on the secp256k1
//! curve. Such signatures are used extensively by the Bitcoin network
//! and its derivatives.
//!
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
#![crate_type = "lib"]
#![crate_type = "rlib"]
#![crate_type = "dylib"]
Change name to secp256k1 from bitcoin-secp256k1-rs [breaking-change]
2015-03-25 15:20:44 -07:00
#![crate_name = "secp256k1"]
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 08:13:45 -08:00
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
// Coding conventions
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 08:13:45 -08:00
#![deny(non_upper_case_globals)]
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
#![deny(non_camel_case_types)]
Change lint names for upstream
2014-08-30 07:24:44 -07:00
#![deny(non_snake_case)]
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
#![deny(unused_mut)]
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 08:13:45 -08:00
#![warn(missing_docs)]
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
Update Travis to use travis-cargo
2015-07-28 10:38:01 -07:00
#![cfg_attr(all(test, feature = "unstable"), feature(test))]
#[cfg(all(test, feature = "unstable"))] extern crate test;
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
extern crate arrayvec;
Change rustc-serialize for crate hyphen transition
2015-03-26 08:07:28 -07:00
extern crate rustc_serialize as serialize;
Add support for serde (de)serialization; add unit tests
2015-04-09 22:32:12 -07:00
extern crate serde;
Update serde dep to 0.6 from 0.3
2015-09-20 10:52:46 -07:00
extern crate serde_json as json;
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-08-31 20:26:02 -07:00
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
extern crate libc;
Change std::rand to just rand::, though there is still a 'unimplemented trait' error :/
2015-03-25 16:22:24 -07:00
extern crate rand;
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 12:19:53 -07:00
use libc::size_t;
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
use std::{fmt, ops, ptr};
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
use rand::Rng;
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 08:13:45 -08:00
#[macro_use]
Travis speaks rust now :D
2014-08-27 10:19:10 -07:00
mod macros;
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
pub mod constants;
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
pub mod ecdh;
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
pub mod ffi;
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
pub mod key;
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
/// A tag used for recovering the public key from a compact signature
Update for language changes (rustc beta is out !!)
2015-04-04 10:20:38 -07:00
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
pub struct RecoveryId(i32);
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
/// An ECDSA signature
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub struct Signature(ffi::Signature);
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
/// An ECDSA signature with a recovery ID for pubkey recovery
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub struct RecoverableSignature(ffi::RecoverableSignature);
Adding to_i32 and from_i32 functions to RecoveryId in order to give library users the ability to create RecoveryId objects and convert them to i32 equivalents, without allowing users to create invalid ones.
2015-10-11 10:29:53 -07:00
impl RecoveryId {
#[inline]
/// Allows library users to create valid recovery IDs from i32.
pub fn from_i32(id: i32) -> Result<RecoveryId, Error> {
match id {
0 | 1 | 2 | 3 => Ok(RecoveryId(id)),
_ => Err(Error::InvalidRecoveryId)
}
}
#[inline]
/// Allows library users to convert recovery IDs to i32.
pub fn to_i32(&self) -> i32 {
self.0
}
}
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
impl Signature {
Make `verify` accept a `Signature` rather than a slice [breaking-change]
2014-09-04 09:52:25 -07:00
#[inline]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
/// Converts a DER-encoded byte slice to a signature
pub fn from_der(secp: &Secp256k1, data: &[u8]) -> Result<Signature, Error> {
let mut ret = unsafe { ffi::Signature::blank() };
Make `verify` accept a `Signature` rather than a slice [breaking-change]
2014-09-04 09:52:25 -07:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
unsafe {
if ffi::secp256k1_ecdsa_signature_parse_der(secp.ctx, &mut ret,
Fix for upstream API changes
2015-09-20 12:52:29 -07:00
data.as_ptr(), data.len() as libc::size_t) == 1 {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
Ok(Signature(ret))
} else {
Err(Error::InvalidSignature)
}
}
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
}
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
/// Creates a new public key from a FFI public key
#[inline]
pub fn from_ffi(sig: ffi::Signature) -> Signature {
Signature(sig)
}
/// Obtains a raw pointer suitable for use with FFI functions
#[inline]
pub fn as_ptr(&self) -> *const ffi::Signature {
&self.0 as *const _
}
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 12:19:53 -07:00
#[inline]
/// Serializes the signature in DER format
pub fn serialize_der(&self, secp: &Secp256k1) -> Vec<u8> {
let mut ret = Vec::with_capacity(72);
let mut len: size_t = ret.capacity() as size_t;
unsafe {
let err = ffi::secp256k1_ecdsa_signature_serialize_der(secp.ctx, ret.as_mut_ptr(),
&mut len, self.as_ptr());
debug_assert!(err == 1);
ret.set_len(len as usize);
}
ret
}
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
}
impl RecoverableSignature {
Remove allocations for Signature, use array instead As @dpc observes, embedded systems do not necessarily have allocators, so we should avoid using them if it is not too much hassle. (And it is no hassle at all.)
2014-08-15 23:43:40 -07:00
#[inline]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
/// Converts a compact-encoded byte slice to a signature. This
/// representation is nonstandard and defined by the libsecp256k1
/// library.
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
pub fn from_compact(secp: &Secp256k1, data: &[u8], recid: RecoveryId) -> Result<RecoverableSignature, Error> {
let mut ret = unsafe { ffi::RecoverableSignature::blank() };
Make `verify` accept a `Signature` rather than a slice [breaking-change]
2014-09-04 09:52:25 -07:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
unsafe {
if data.len() != 64 {
Err(Error::InvalidSignature)
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
} else if ffi::secp256k1_ecdsa_recoverable_signature_parse_compact(secp.ctx, &mut ret,
data.as_ptr(), recid.0) == 1 {
Ok(RecoverableSignature(ret))
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
} else {
Err(Error::InvalidSignature)
Make `verify` accept a `Signature` rather than a slice [breaking-change]
2014-09-04 09:52:25 -07:00
}
}
}
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
/// Creates a new public key from a FFI public key
#[inline]
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
pub fn from_ffi(sig: ffi::RecoverableSignature) -> RecoverableSignature {
RecoverableSignature(sig)
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
}
/// Obtains a raw pointer suitable for use with FFI functions
#[inline]
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
pub fn as_ptr(&self) -> *const ffi::RecoverableSignature {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
&self.0 as *const _
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 07:36:49 -07:00
}
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
RecoverableSignature now supports compact serialization via FFI, with additional test case added.
2015-10-11 00:04:28 -07:00
#[inline]
/// Serializes the recoverable signature in compact format
pub fn serialize_compact(&self, secp: &Secp256k1) -> (RecoveryId, [u8; 64]) {
let mut ret = [0u8; 64];
let mut recid = 0i32;
unsafe {
let err = ffi::secp256k1_ecdsa_recoverable_signature_serialize_compact(
secp.ctx, ret.as_mut_ptr(), &mut recid, self.as_ptr());
assert!(err == 1);
}
(RecoveryId(recid), ret)
}
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
/// Converts a recoverable signature to a non-recoverable one (this is needed
/// for verification
#[inline]
pub fn to_standard(&self, secp: &Secp256k1) -> Signature {
let mut ret = unsafe { ffi::Signature::blank() };
unsafe {
let err = ffi::secp256k1_ecdsa_recoverable_signature_convert(secp.ctx, &mut ret, self.as_ptr());
assert!(err == 1);
}
Signature(ret)
}
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 07:36:49 -07:00
}
More slicing
2015-03-25 18:52:09 -07:00
impl ops::Index<usize> for Signature {
type Output = u8;
#[inline]
fn index(&self, index: usize) -> &u8 {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
&self.0[index]
More slicing
2015-03-25 18:52:09 -07:00
}
}
impl ops::Index<ops::Range<usize>> for Signature {
type Output = [u8];
#[inline]
fn index(&self, index: ops::Range<usize>) -> &[u8] {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
&self.0[index]
More slicing
2015-03-25 18:52:09 -07:00
}
}
impl ops::Index<ops::RangeFrom<usize>> for Signature {
type Output = [u8];
#[inline]
fn index(&self, index: ops::RangeFrom<usize>) -> &[u8] {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
&self.0[index.start..]
More slicing
2015-03-25 18:52:09 -07:00
}
}
impl ops::Index<ops::RangeFull> for Signature {
type Output = [u8];
#[inline]
fn index(&self, _: ops::RangeFull) -> &[u8] {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
&self.0[..]
Update for language changes (rustc beta is out !!)
2015-04-04 10:20:38 -07:00
}
}
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
/// A (hashed) message input to an ECDSA signature
pub struct Message([u8; constants::MESSAGE_SIZE]);
impl_array_newtype!(Message, u8, constants::MESSAGE_SIZE);
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
impl_pretty_debug!(Message);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
impl Message {
Minor documentation fixes
2015-10-09 09:39:42 -07:00
/// Converts a `MESSAGE_SIZE`-byte slice to a message object
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
#[inline]
pub fn from_slice(data: &[u8]) -> Result<Message, Error> {
match data.len() {
constants::MESSAGE_SIZE => {
let mut ret = [0; constants::MESSAGE_SIZE];
unsafe {
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 12:19:53 -07:00
ptr::copy_nonoverlapping(data.as_ptr(),
ret.as_mut_ptr(),
data.len());
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
}
Ok(Message(ret))
}
_ => Err(Error::InvalidMessage)
}
}
}
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
/// An ECDSA error
Update for language changes (rustc beta is out !!)
2015-04-04 10:20:38 -07:00
#[derive(Copy, PartialEq, Eq, Clone, Debug)]
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
pub enum Error {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
/// A `Secp256k1` was used for an operation, but it was not created to
/// support this (so necessary precomputations have not been done)
IncapableContext,
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
/// Signature failed verification
IncorrectSignature,
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
/// Badly sized message
InvalidMessage,
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
/// Bad public key
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
InvalidPublicKey,
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
/// Bad signature
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
InvalidSignature,
Move FFI functions into separate module; add documentation and style lints
2014-08-09 13:27:08 -07:00
/// Bad secret key
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
InvalidSecretKey,
Adding to_i32 and from_i32 functions to RecoveryId in order to give library users the ability to create RecoveryId objects and convert them to i32 equivalents, without allowing users to create invalid ones.
2015-10-11 10:29:53 -07:00
/// Bad recovery id
InvalidRecoveryId,
Expose tweak functions in FFI, wrap a couple
2014-08-28 09:16:53 -07:00
/// Boolean-returning function returned the wrong boolean
Unknown
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
}
Add `Display` impl to `Error`; cleanup `Result` mess
2015-04-05 18:27:43 -07:00
// Passthrough Debug to Display, since errors should be user-visible
impl fmt::Display for Error {
fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
fmt::Debug::fmt(self, f)
}
}
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
/// The secp256k1 engine, used to execute all signature operations
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
pub struct Secp256k1 {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
ctx: ffi::Context,
caps: ContextFlag
}
/// Flags used to determine the capabilities of a `Secp256k1` object;
/// the more capabilities, the more expensive it is to create.
#[derive(PartialEq, Eq, Copy, Clone, Debug)]
pub enum ContextFlag {
/// Can neither sign nor verify signatures (cheapest to create, useful
/// for cases not involving signatures, such as creating keys from slices)
None,
/// Can sign but not verify signatures
SignOnly,
/// Can verify but not create signatures
VerifyOnly,
/// Can verify and create signatures
Full
}
// Passthrough Debug to Display, since caps should be user-visible
impl fmt::Display for ContextFlag {
fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
fmt::Debug::fmt(self, f)
}
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
impl Clone for Secp256k1 {
fn clone(&self) -> Secp256k1 {
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 07:36:49 -07:00
Secp256k1 {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
ctx: unsafe { ffi::secp256k1_context_clone(self.ctx) },
caps: self.caps
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 07:36:49 -07:00
}
}
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
impl PartialEq for Secp256k1 {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
fn eq(&self, other: &Secp256k1) -> bool { self.caps == other.caps }
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 07:36:49 -07:00
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
impl Eq for Secp256k1 { }
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 07:36:49 -07:00
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
impl fmt::Debug for Secp256k1 {
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 07:36:49 -07:00
fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
write!(f, "Secp256k1 {{ [private], caps: {:?} }}", self.caps)
Add missing implementations; update FFI for libsecp256k1's new cloning fn
2015-04-12 07:36:49 -07:00
}
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
impl Drop for Secp256k1 {
[API BREAK] update for libsecp256k1 "explicit context" API break Rather than have global initialization functions, which required expensive synchronization on the part of the Rust library, libsecp256k1 now carries its context in thread-local data which must be passed to every function. What this means for the rust-secp256k1 API is: - Most functions on `PublicKey` and `SecretKey` now require a `Secp256k1` to be given to them. - `Secp256k1::verify` and `::verify_raw` now take a `&self` - `SecretKey::new` now takes a `Secp256k1` rather than a Rng; a future commit will allow specifying the Rng in the `Secp256k1` so that functionality is not lost. - The FFI functions have all changed to take a context argument - `secp256k1::init()` is gone, as is the dependency on std::sync - There is a `ffi::Context` type which must be handled carefully by anyone using it directly (hopefully nobody :))
2015-04-11 10:00:20 -07:00
fn drop(&mut self) {
unsafe { ffi::secp256k1_context_destroy(self.ctx); }
Pull out initialization code so that `PublicKey::from_secret_key` can be used safely
2014-08-09 20:34:16 -07:00
}
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
impl Secp256k1 {
/// Creates a new Secp256k1 context
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
#[inline]
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
pub fn new() -> Secp256k1 {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
Secp256k1::with_caps(ContextFlag::Full)
}
/// Creates a new Secp256k1 context with the specified capabilities
pub fn with_caps(caps: ContextFlag) -> Secp256k1 {
let flag = match caps {
ContextFlag::None => 0,
ContextFlag::SignOnly => ffi::SECP256K1_START_SIGN,
ContextFlag::VerifyOnly => ffi::SECP256K1_START_VERIFY,
ContextFlag::Full => ffi::SECP256K1_START_SIGN | ffi::SECP256K1_START_VERIFY
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
};
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
Secp256k1 { ctx: unsafe { ffi::secp256k1_context_create(flag) }, caps: caps }
Add `Secp256k1::with_rng`, parameterize `Secp256k1` over its RNG. Now that you can't create secret keys by directly passing a Rng to `SecretKey::new`, we need a way to allow user-chosed randomness. We add it to the `Secp256k1`.
2015-04-11 10:51:39 -07:00
}
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 16:22:30 -07:00
/// (Re)randomizes the Secp256k1 context for cheap sidechannel resistence;
/// see comment in libsecp256k1 commit d2275795f by Gregory Maxwell
pub fn randomize<R: Rng>(&mut self, rng: &mut R) {
let mut seed = [0; 32];
rng.fill_bytes(&mut seed);
unsafe {
let err = ffi::secp256k1_context_randomize(self.ctx, seed.as_ptr());
// This function cannot fail; it has an error return for future-proofing.
// We do not expose this error since it is impossible to hit, and we have
// precedent for not exposing impossible errors (for example in
// `PublicKey::from_secret_key` where it is impossble to create an invalid
// secret key through the API.)
// However, if this DOES fail, the result is potentially weaker side-channel
// resistance, which is deadly and undetectable, so we take out the entire
// thread to be on the safe side.
assert!(err == 1);
}
}
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
/// Generates a random keypair. Convenience function for `key::SecretKey::new`
/// and `key::PublicKey::from_secret_key`; call those functions directly for
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
/// batch key generation. Requires a signing-capable context.
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
#[inline]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
pub fn generate_keypair<R: Rng>(&self, rng: &mut R)
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
-> Result<(key::SecretKey, key::PublicKey), Error> {
if self.caps == ContextFlag::VerifyOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
let sk = key::SecretKey::new(self, rng);
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let pk = key::PublicKey::from_secret_key(self, &sk);
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
Ok((sk, pk))
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
}
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
/// Constructs a signature for `msg` using the secret key `sk` and nonce `nonce`.
/// Requires a signing-capable context.
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
pub fn sign(&self, msg: &Message, sk: &key::SecretKey)
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
-> Result<Signature, Error> {
if self.caps == ContextFlag::VerifyOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let mut ret = unsafe { ffi::Signature::blank() };
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
unsafe {
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
// We can assume the return value because it's not possible to construct
// an invalid signature from a valid `Message` and `SecretKey`
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
assert_eq!(ffi::secp256k1_ecdsa_sign(self.ctx, &mut ret, msg.as_ptr(),
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
sk.as_ptr(), ffi::secp256k1_nonce_function_rfc6979,
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
ptr::null()), 1);
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
}
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
Ok(Signature::from_ffi(ret))
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
}
Overhaul interface to use zero-on-free SecretKeys Using the `secretdata` library, we can store SecretKeys in such a way that they cannot be moved or copied, and their memory is zeroed out on drop. This gives us some assurance that in the case of memory unsafety, there is not secret key data lying around anywhere that we don't expect. Unfortunately, it means that we cannot construct secret keys and then return them, which forces the interface to change a fair bit. I removed the `generate_keypair` function from Secp256k1, then `generate_nonce` for symmetry, then dropped the `Secp256k1` struct entirely because it turned out that none of the remaining functions used the `self` param. So here we are. I bumped the version number. Sorry about this.
2014-09-11 20:36:15 -07:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
/// Constructs a signature for `msg` using the secret key `sk` and nonce `nonce`.
/// Requires a signing-capable context.
pub fn sign_recoverable(&self, msg: &Message, sk: &key::SecretKey)
-> Result<RecoverableSignature, Error> {
if self.caps == ContextFlag::VerifyOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
let mut ret = unsafe { ffi::RecoverableSignature::blank() };
unsafe {
// We can assume the return value because it's not possible to construct
// an invalid signature from a valid `Message` and `SecretKey`
assert_eq!(ffi::secp256k1_ecdsa_sign_recoverable(self.ctx, &mut ret, msg.as_ptr(),
sk.as_ptr(), ffi::secp256k1_nonce_function_rfc6979,
ptr::null()), 1);
}
Ok(RecoverableSignature::from_ffi(ret))
}
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
/// Determines the public key for which `sig` is a valid signature for
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
/// `msg`. Returns through the out-pointer `pubkey`. Requires a verify-capable
/// context.
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
pub fn recover(&self, msg: &Message, sig: &RecoverableSignature)
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
-> Result<key::PublicKey, Error> {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
if self.caps == ContextFlag::SignOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let mut pk = unsafe { ffi::PublicKey::blank() };
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
unsafe {
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
if ffi::secp256k1_ecdsa_recover(self.ctx, &mut pk,
sig.as_ptr(), msg.as_ptr()) != 1 {
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 08:13:45 -08:00
return Err(Error::InvalidSignature);
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
}
};
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
Ok(key::PublicKey::from_ffi(pk))
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
}
/// Checks that `sig` is a valid ECDSA signature for `msg` using the public
/// key `pubkey`. Returns `Ok(true)` on success. Note that this function cannot
[API BREAK] update for libsecp256k1 "explicit context" API break Rather than have global initialization functions, which required expensive synchronization on the part of the Rust library, libsecp256k1 now carries its context in thread-local data which must be passed to every function. What this means for the rust-secp256k1 API is: - Most functions on `PublicKey` and `SecretKey` now require a `Secp256k1` to be given to them. - `Secp256k1::verify` and `::verify_raw` now take a `&self` - `SecretKey::new` now takes a `Secp256k1` rather than a Rng; a future commit will allow specifying the Rng in the `Secp256k1` so that functionality is not lost. - The FFI functions have all changed to take a context argument - `secp256k1::init()` is gone, as is the dependency on std::sync - There is a `ffi::Context` type which must be handled carefully by anyone using it directly (hopefully nobody :))
2015-04-11 10:00:20 -07:00
/// be used for Bitcoin consensus checking since there may exist signatures
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
/// which OpenSSL would verify but not libsecp256k1, or vice-versa. Requires a
/// verify-capable context.
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
#[inline]
[API BREAK] update for libsecp256k1 "explicit context" API break Rather than have global initialization functions, which required expensive synchronization on the part of the Rust library, libsecp256k1 now carries its context in thread-local data which must be passed to every function. What this means for the rust-secp256k1 API is: - Most functions on `PublicKey` and `SecretKey` now require a `Secp256k1` to be given to them. - `Secp256k1::verify` and `::verify_raw` now take a `&self` - `SecretKey::new` now takes a `Secp256k1` rather than a Rng; a future commit will allow specifying the Rng in the `Secp256k1` so that functionality is not lost. - The FFI functions have all changed to take a context argument - `secp256k1::init()` is gone, as is the dependency on std::sync - There is a `ffi::Context` type which must be handled carefully by anyone using it directly (hopefully nobody :))
2015-04-11 10:00:20 -07:00
pub fn verify(&self, msg: &Message, sig: &Signature, pk: &key::PublicKey) -> Result<(), Error> {
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
if self.caps == ContextFlag::SignOnly || self.caps == ContextFlag::None {
return Err(Error::IncapableContext);
}
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
if !pk.is_valid() {
Err(Error::InvalidPublicKey)
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
} else if unsafe { ffi::secp256k1_ecdsa_verify(self.ctx, sig.as_ptr(), msg.as_ptr(),
pk.as_ptr()) } == 0 {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
Err(Error::IncorrectSignature)
} else {
Ok(())
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
}
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
}
}
fix unused import warning
2014-08-04 16:58:57 -07:00
#[cfg(test)]
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-08-31 20:26:02 -07:00
mod tests {
Change rand crate to crates.io version
2015-03-25 16:57:16 -07:00
use rand::{Rng, thread_rng};
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 12:19:53 -07:00
use std::ptr;
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
use key::{SecretKey, PublicKey};
use super::constants;
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
use super::{Secp256k1, Signature, RecoverableSignature, Message, RecoveryId, ContextFlag};
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
use super::Error::{InvalidMessage, InvalidPublicKey, IncorrectSignature, InvalidSignature,
IncapableContext};
#[test]
fn capabilities() {
let none = Secp256k1::with_caps(ContextFlag::None);
let sign = Secp256k1::with_caps(ContextFlag::SignOnly);
let vrfy = Secp256k1::with_caps(ContextFlag::VerifyOnly);
let full = Secp256k1::with_caps(ContextFlag::Full);
let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
// Try key generation
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
assert_eq!(none.generate_keypair(&mut thread_rng()), Err(IncapableContext));
assert_eq!(vrfy.generate_keypair(&mut thread_rng()), Err(IncapableContext));
assert!(sign.generate_keypair(&mut thread_rng()).is_ok());
assert!(full.generate_keypair(&mut thread_rng()).is_ok());
let (sk, pk) = full.generate_keypair(&mut thread_rng()).unwrap();
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
// Try signing
assert_eq!(none.sign(&msg, &sk), Err(IncapableContext));
assert_eq!(vrfy.sign(&msg, &sk), Err(IncapableContext));
assert!(sign.sign(&msg, &sk).is_ok());
assert!(full.sign(&msg, &sk).is_ok());
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
assert_eq!(none.sign_recoverable(&msg, &sk), Err(IncapableContext));
assert_eq!(vrfy.sign_recoverable(&msg, &sk), Err(IncapableContext));
assert!(sign.sign_recoverable(&msg, &sk).is_ok());
assert!(full.sign_recoverable(&msg, &sk).is_ok());
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
assert_eq!(sign.sign(&msg, &sk), full.sign(&msg, &sk));
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
assert_eq!(sign.sign_recoverable(&msg, &sk), full.sign_recoverable(&msg, &sk));
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
let sig = full.sign(&msg, &sk).unwrap();
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let sigr = full.sign_recoverable(&msg, &sk).unwrap();
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
// Try verifying
assert_eq!(none.verify(&msg, &sig, &pk), Err(IncapableContext));
assert_eq!(sign.verify(&msg, &sig, &pk), Err(IncapableContext));
assert!(vrfy.verify(&msg, &sig, &pk).is_ok());
assert!(full.verify(&msg, &sig, &pk).is_ok());
// Try pk recovery
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
assert_eq!(none.recover(&msg, &sigr), Err(IncapableContext));
assert_eq!(none.recover(&msg, &sigr), Err(IncapableContext));
assert_eq!(sign.recover(&msg, &sigr), Err(IncapableContext));
assert_eq!(sign.recover(&msg, &sigr), Err(IncapableContext));
assert!(vrfy.recover(&msg, &sigr).is_ok());
assert!(vrfy.recover(&msg, &sigr).is_ok());
assert!(full.recover(&msg, &sigr).is_ok());
assert!(full.recover(&msg, &sigr).is_ok());
assert_eq!(vrfy.recover(&msg, &sigr),
full.recover(&msg, &sigr));
assert_eq!(full.recover(&msg, &sigr), Ok(pk));
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
// Check that we can produce keys from slices with no precomputation
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let (pk_slice, sk_slice) = (&pk.serialize_vec(&none, true), &sk[..]);
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
let new_pk = PublicKey::from_slice(&none, pk_slice).unwrap();
let new_sk = SecretKey::from_slice(&none, sk_slice).unwrap();
assert_eq!(sk, new_sk);
assert_eq!(pk, new_pk);
}
Add .travis.yml, update tests and Cargo.toml for upstream changes
2014-08-17 18:55:07 -07:00
Add sanity-check unit test for RecoveryId This is kinda silly but gets me 100% coverage from kcov
2015-04-13 20:21:56 -07:00
#[test]
fn recid_sanity_check() {
let one = RecoveryId(1);
assert_eq!(one, one.clone());
}
fix unused import warning
2014-08-04 16:58:57 -07:00
#[test]
fn invalid_pubkey() {
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
let s = Secp256k1::new();
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let sig = RecoverableSignature::from_compact(&s, &[1; 64], RecoveryId(0)).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let pk = PublicKey::new();
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
let mut msg = [0u8; 32];
Update for language changes (rustc beta is out !!)
2015-04-04 10:20:38 -07:00
thread_rng().fill_bytes(&mut msg);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
let msg = Message::from_slice(&msg).unwrap();
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
assert_eq!(s.verify(&msg, &sig.to_standard(&s), &pk), Err(InvalidPublicKey));
fix unused import warning
2014-08-04 16:58:57 -07:00
}
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
fix unused import warning
2014-08-04 16:58:57 -07:00
#[test]
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
fn sign() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 16:22:30 -07:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
let one = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1];
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
let sk = SecretKey::from_slice(&s, &one).unwrap();
let msg = Message::from_slice(&one).unwrap();
Move FFI and constants into their own modules; replace outptrs with returns
2014-08-09 18:03:17 -07:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let sig = s.sign_recoverable(&msg, &sk).unwrap();
assert_eq!(Ok(sig), RecoverableSignature::from_compact(&s, &[
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
0x66, 0x73, 0xff, 0xad, 0x21, 0x47, 0x74, 0x1f,
0x04, 0x77, 0x2b, 0x6f, 0x92, 0x1f, 0x0b, 0xa6,
0xaf, 0x0c, 0x1e, 0x77, 0xfc, 0x43, 0x9e, 0x65,
0xc3, 0x6d, 0xed, 0xf4, 0x09, 0x2e, 0x88, 0x98,
0x4c, 0x1a, 0x97, 0x16, 0x52, 0xe0, 0xad, 0xa8,
0x80, 0x12, 0x0e, 0xf8, 0x02, 0x5e, 0x70, 0x9f,
0xff, 0x20, 0x80, 0xc4, 0xa3, 0x9a, 0xae, 0x06,
0x8d, 0x12, 0xee, 0xd0, 0x09, 0xb6, 0x8c, 0x89],
RecoveryId(1)))
fix unused import warning
2014-08-04 16:58:57 -07:00
}
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 12:19:53 -07:00
#[test]
fn signature_der_roundtrip() {
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
let mut msg = [0; 32];
for _ in 0..100 {
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
let (sk, _) = s.generate_keypair(&mut thread_rng()).unwrap();
let sig1 = s.sign(&msg, &sk).unwrap();
let der = sig1.serialize_der(&s);
let sig2 = Signature::from_der(&s, &der[..]).unwrap();
assert_eq!(sig1, sig2);
}
}
fix unused import warning
2014-08-04 16:58:57 -07:00
#[test]
fn sign_and_verify() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 16:22:30 -07:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
let mut msg = [0; 32];
for _ in 0..100 {
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let (sk, pk) = s.generate_keypair(&mut thread_rng()).unwrap();
[API BREAK] expose ability to create contexts without verify or signing caps There are a lot of cases in rust-bitcoin where we need a `Secp256k1` which doesn't need any signing or verification capabilities, only checking the validity of various objects. We can get away with a bare context (i.e. no precomputation) which can be cheaply created on demand, avoiding the need to pass around references to Secp256k1 objects everywhere. API break because the following functions can now fail (given an insufficiently capable context) and therefore now return a Result: Secp256k1::generate_keypair Secp256k1::sign Secp256k1::sign_compact
2015-04-13 20:04:43 -07:00
let sig = s.sign(&msg, &sk).unwrap();
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
assert_eq!(s.verify(&msg, &sig, &pk), Ok(()));
}
fix unused import warning
2014-08-04 16:58:57 -07:00
}
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
fix unused import warning
2014-08-04 16:58:57 -07:00
#[test]
Add extreme value sign/verify test
2015-04-28 11:46:17 -07:00
fn sign_and_verify_extreme() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 16:22:30 -07:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
Add extreme value sign/verify test
2015-04-28 11:46:17 -07:00
// Wild keys: 1, CURVE_ORDER - 1
// Wild msgs: 0, 1, CURVE_ORDER - 1, CURVE_ORDER
let mut wild_keys = [[0; 32]; 2];
let mut wild_msgs = [[0; 32]; 4];
wild_keys[0][0] = 1;
wild_msgs[1][0] = 1;
unsafe {
use constants;
Expose serialization of Signature; move copy_nonoverlapping for rustc stable
2015-10-09 12:19:53 -07:00
ptr::copy_nonoverlapping(constants::CURVE_ORDER.as_ptr(),
wild_keys[1].as_mut_ptr(),
32);
ptr::copy_nonoverlapping(constants::CURVE_ORDER.as_ptr(),
wild_msgs[1].as_mut_ptr(),
32);
ptr::copy_nonoverlapping(constants::CURVE_ORDER.as_ptr(),
wild_msgs[2].as_mut_ptr(),
32);
Add extreme value sign/verify test
2015-04-28 11:46:17 -07:00
wild_keys[1][0] -= 1;
wild_msgs[1][0] -= 1;
}
for key in wild_keys.iter().map(|k| SecretKey::from_slice(&s, &k[..]).unwrap()) {
for msg in wild_msgs.iter().map(|m| Message::from_slice(&m[..]).unwrap()) {
let sig = s.sign(&msg, &key).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let pk = PublicKey::from_secret_key(&s, &key);
Add extreme value sign/verify test
2015-04-28 11:46:17 -07:00
assert_eq!(s.verify(&msg, &sig, &pk), Ok(()));
}
}
}
#[test]
fix unused import warning
2014-08-04 16:58:57 -07:00
fn sign_and_verify_fail() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 16:22:30 -07:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
let mut msg = [0u8; 32];
Update for language changes (rustc beta is out !!)
2015-04-04 10:20:38 -07:00
thread_rng().fill_bytes(&mut msg);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
let msg = Message::from_slice(&msg).unwrap();
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let (sk, pk) = s.generate_keypair(&mut thread_rng()).unwrap();
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let sigr = s.sign_recoverable(&msg, &sk).unwrap();
let sig = sigr.to_standard(&s);
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
let mut msg = [0u8; 32];
Update for language changes (rustc beta is out !!)
2015-04-04 10:20:38 -07:00
thread_rng().fill_bytes(&mut msg);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
let msg = Message::from_slice(&msg).unwrap();
[API BREAK] update for libsecp256k1 "explicit context" API break Rather than have global initialization functions, which required expensive synchronization on the part of the Rust library, libsecp256k1 now carries its context in thread-local data which must be passed to every function. What this means for the rust-secp256k1 API is: - Most functions on `PublicKey` and `SecretKey` now require a `Secp256k1` to be given to them. - `Secp256k1::verify` and `::verify_raw` now take a `&self` - `SecretKey::new` now takes a `Secp256k1` rather than a Rng; a future commit will allow specifying the Rng in the `Secp256k1` so that functionality is not lost. - The FFI functions have all changed to take a context argument - `secp256k1::init()` is gone, as is the dependency on std::sync - There is a `ffi::Context` type which must be handled carefully by anyone using it directly (hopefully nobody :))
2015-04-11 10:00:20 -07:00
assert_eq!(s.verify(&msg, &sig, &pk), Err(IncorrectSignature));
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let recovered_key = s.recover(&msg, &sigr).unwrap();
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
assert!(recovered_key != pk);
fix unused import warning
2014-08-04 16:58:57 -07:00
}
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
fix unused import warning
2014-08-04 16:58:57 -07:00
#[test]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
fn sign_with_recovery() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 16:22:30 -07:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
Update for rustc changes We can compile now, but not link -- there have been too many changes in libsecp256k1 behind the scenes. Next commit :)
2015-01-17 08:13:45 -08:00
let mut msg = [0u8; 32];
Update for language changes (rustc beta is out !!)
2015-04-04 10:20:38 -07:00
thread_rng().fill_bytes(&mut msg);
Update bindings to current secp256k1 library rust-secp256k1 was based off of https://github.com/sipa/secp256k1, which has been inactive nearly as long as this repository (prior to a couple days ago anyway). The correct repository is https://github.com/bitcoin/secp256k1 This is a major breaking change to the library for one reason: there are no longer any Nonce types in the safe interface. The signing functions do not take a nonce; this is generated internally. This also means that I was able to drop all my RFC6979 code, since libsecp256k1 has its own implementation. If you need to generate your own nonces, you need to create an unsafe function of type `ffi::NonceFn`, then pass it to the appropriate functions in the `ffi` module. There is no safe interface for doing this, deliberately: there is basically no need to directly fiddle with nonces ever.
2015-04-05 22:13:38 -07:00
let msg = Message::from_slice(&msg).unwrap();
Revert "Overhaul interface to use zero-on-free SecretKeys" This reverts commit 98890907849326a0e265d0ee12d3caa232b19602. This is not ready for primetime -- the move prevention also prevents reborrowing, which makes secret keys nearly unusable.
2014-09-12 06:28:35 -07:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let (sk, pk) = s.generate_keypair(&mut thread_rng()).unwrap();
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let sig = s.sign_recoverable(&msg, &sk).unwrap();
Initial (failing) implementation.
2014-07-06 22:41:22 -07:00
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
assert_eq!(s.recover(&msg, &sig), Ok(pk));
fix unused import warning
2014-08-04 16:58:57 -07:00
}
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-08-31 20:26:02 -07:00
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
#[test]
fn bad_recovery() {
Expose `secp256k1_context_randomize` This is a new libsecp256k1 function which does additive blinding for nonce generation during signing.
2015-05-03 16:22:30 -07:00
let mut s = Secp256k1::new();
s.randomize(&mut thread_rng());
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
let msg = Message::from_slice(&[0x55; 32]).unwrap();
// Zero is not a valid sig
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let sig = RecoverableSignature::from_compact(&s, &[0; 64], RecoveryId(0)).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
assert_eq!(s.recover(&msg, &sig), Err(InvalidSignature));
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
// ...but 111..111 is
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let sig = RecoverableSignature::from_compact(&s, &[1; 64], RecoveryId(0)).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
assert!(s.recover(&msg, &sig).is_ok());
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
}
#[test]
fn test_bad_slice() {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let s = Secp256k1::new();
assert_eq!(Signature::from_der(&s, &[0; constants::MAX_SIGNATURE_SIZE + 1]),
Err(InvalidSignature));
assert_eq!(Signature::from_der(&s, &[0; constants::MAX_SIGNATURE_SIZE]),
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
Err(InvalidSignature));
assert_eq!(Message::from_slice(&[0; constants::MESSAGE_SIZE - 1]),
Err(InvalidMessage));
assert_eq!(Message::from_slice(&[0; constants::MESSAGE_SIZE + 1]),
Err(InvalidMessage));
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
assert!(Message::from_slice(&[0; constants::MESSAGE_SIZE]).is_ok());
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
}
#[test]
fn test_debug_output() {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let s = Secp256k1::new();
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
let sig = RecoverableSignature::from_compact(&s, &[
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
0x66, 0x73, 0xff, 0xad, 0x21, 0x47, 0x74, 0x1f,
0x04, 0x77, 0x2b, 0x6f, 0x92, 0x1f, 0x0b, 0xa6,
0xaf, 0x0c, 0x1e, 0x77, 0xfc, 0x43, 0x9e, 0x65,
0xc3, 0x6d, 0xed, 0xf4, 0x09, 0x2e, 0x88, 0x98,
0x4c, 0x1a, 0x97, 0x16, 0x52, 0xe0, 0xad, 0xa8,
0x80, 0x12, 0x0e, 0xf8, 0x02, 0x5e, 0x70, 0x9f,
0xff, 0x20, 0x80, 0xc4, 0xa3, 0x9a, 0xae, 0x06,
0x8d, 0x12, 0xee, 0xd0, 0x09, 0xb6, 0x8c, 0x89],
RecoveryId(1)).unwrap();
Fix for upstream API changes; add ECDH support I didn't mean for both of these to go into the same commit, but given how small the ECDH code was, and the fact that no commit prior to this one will compile (as both libsecp256k1 and rustc have changed so much), I'm letting it slide.
2015-09-18 13:22:48 -07:00
assert_eq!(&format!("{:?}", sig), "RecoverableSignature(98882e09f4ed6dc3659e43fc771e0cafa60b1f926f2b77041f744721adff7366898cb609d0ee128d06ae9aa3c48020ff9f705e02f80e1280a8ade05216971a4c01)");
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
let msg = Message([1, 2, 3, 4, 5, 6, 7, 8,
9, 10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23, 24,
25, 26, 27, 28, 29, 30, 31, 255]);
assert_eq!(&format!("{:?}", msg), "Message(0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1fff)");
}
RecoverableSignature now supports compact serialization via FFI, with additional test case added.
2015-10-11 00:04:28 -07:00
#[test]
fn test_recov_sig_serialize_compact() {
let s = Secp256k1::new();
let recid_in = RecoveryId(1);
let bytes_in = &[
0x66, 0x73, 0xff, 0xad, 0x21, 0x47, 0x74, 0x1f,
0x04, 0x77, 0x2b, 0x6f, 0x92, 0x1f, 0x0b, 0xa6,
0xaf, 0x0c, 0x1e, 0x77, 0xfc, 0x43, 0x9e, 0x65,
0xc3, 0x6d, 0xed, 0xf4, 0x09, 0x2e, 0x88, 0x98,
0x4c, 0x1a, 0x97, 0x16, 0x52, 0xe0, 0xad, 0xa8,
0x80, 0x12, 0x0e, 0xf8, 0x02, 0x5e, 0x70, 0x9f,
0xff, 0x20, 0x80, 0xc4, 0xa3, 0x9a, 0xae, 0x06,
0x8d, 0x12, 0xee, 0xd0, 0x09, 0xb6, 0x8c, 0x89];
let sig = RecoverableSignature::from_compact(
&s, bytes_in, recid_in).unwrap();
let (recid_out, bytes_out) = sig.serialize_compact(&s);
assert_eq!(recid_in, recid_out);
assert_eq!(&bytes_in[..], &bytes_out[..]);
}
Adding to_i32 and from_i32 functions to RecoveryId in order to give library users the ability to create RecoveryId objects and convert them to i32 equivalents, without allowing users to create invalid ones.
2015-10-11 10:29:53 -07:00
#[test]
fn test_recov_id_conversion_between_i32() {
assert!(RecoveryId::from_i32(-1).is_err());
assert!(RecoveryId::from_i32(0).is_ok());
assert!(RecoveryId::from_i32(1).is_ok());
assert!(RecoveryId::from_i32(2).is_ok());
assert!(RecoveryId::from_i32(3).is_ok());
assert!(RecoveryId::from_i32(4).is_err());
let id0 = RecoveryId::from_i32(0).unwrap();
assert_eq!(id0.to_i32(), 0);
let id1 = RecoveryId(1);
assert_eq!(id1.to_i32(), 1);
}
Update Travis to use travis-cargo
2015-07-28 10:38:01 -07:00
}
#[cfg(all(test, feature = "unstable"))]
mod benches {
use rand::{Rng, thread_rng};
use test::{Bencher, black_box};
use super::{Secp256k1, Message};
[minor API BREAK] Add unit tests to cover all error cases This comes with a couple bugfixes and the following API changes: - Secp256k1::sign and ::sign_compact no longer return Result; it is impossible to trigger their failure modes with safe code since the `Message` and `SecretKey` types validate when they are created. - constants::MAX_COMPACT_SIGNATURE_SIZE loses the MAX_; signatures are always constant size - the Debug output for everything is now hex-encoded rather than being a list of base-10 ints. It's just easier to read this way. kcov v26 now reports 100% test coverage; however, this does not guarantee that test coverage is actually complete. Patches are always welcome for improved unit tests.
2015-04-12 08:51:15 -07:00
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-08-31 20:26:02 -07:00
#[bench]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
pub fn generate(bh: &mut Bencher) {
[API BREAK] Remove Rng from Secp256k1 and associated code The Rng was only used for key generation, and for BIP32 users not even then; thus hauling around a Rng is a waste of space in addition to causing a massive amount of syntactic noise. For example rust-bitcoin almost always uses `()` as the Rng; having `Secp256k1` default to a `Secp256k1<Fortuna>` then means even more syntactic noise, rather than less. Now key generation functions take a Rng as a parameter, and the rest can forget about having a Rng. This also means that the Secp256k1 context never needs a mutable reference and can be easily put into an Arc if so desired.
2015-04-12 13:54:22 -07:00
struct CounterRng(u32);
impl Rng for CounterRng {
fn next_u32(&mut self) -> u32 { self.0 += 1; self.0 }
}
let s = Secp256k1::new();
let mut r = CounterRng(0);
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-08-31 20:26:02 -07:00
bh.iter( || {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let (sk, pk) = s.generate_keypair(&mut r).unwrap();
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00
black_box(sk);
black_box(pk);
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-08-31 20:26:02 -07:00
});
}
#[bench]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
pub fn bench_sign(bh: &mut Bencher) {
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00
let s = Secp256k1::new();
let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let (sk, _) = s.generate_keypair(&mut thread_rng()).unwrap();
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00
bh.iter(|| {
let sig = s.sign(&msg, &sk).unwrap();
black_box(sig);
});
}
#[bench]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
pub fn bench_verify(bh: &mut Bencher) {
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00
let s = Secp256k1::new();
let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let (sk, pk) = s.generate_keypair(&mut thread_rng()).unwrap();
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00
let sig = s.sign(&msg, &sk).unwrap();
bh.iter(|| {
let res = s.verify(&msg, &sig, &pk).unwrap();
black_box(res);
});
}
#[bench]
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
pub fn bench_recover(bh: &mut Bencher) {
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00
let s = Secp256k1::new();
let mut msg = [0u8; 32];
thread_rng().fill_bytes(&mut msg);
let msg = Message::from_slice(&msg).unwrap();
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let (sk, _) = s.generate_keypair(&mut thread_rng()).unwrap();
Fix benchmarks
2015-09-20 13:18:53 -07:00
let sig = s.sign_recoverable(&msg, &sk).unwrap();
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00
bh.iter(|| {
[API BREAK] Update for new libsecp256k1 API
2015-07-28 09:03:10 -07:00
let res = s.recover(&msg, &sig).unwrap();
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00
black_box(res);
Generate keys from Fortuna rather than always using the OsRng When creating a Secp256k1, we attach a Fortuna CSRNG seeded from the OS RNG, rather than using the OS RNG all the time. This moves the potential RNG failure to the creation of the object, rather than at every single place that keys are generated. It also reduces trust in the operating system RNG. This does mean that Secp256k1::new() now returns an IoResult while the generate_* methods no longer return Results, so this is a breaking change. Also add a benchmark for key generation. On my system I get: test tests::generate_compressed ... bench: 492990 ns/iter (+/- 27981) test tests::generate_uncompressed ... bench: 495148 ns/iter (+/- 29829) Contrast the numbers with OsRng: test tests::generate_compressed ... bench: 66691 ns/iter (+/- 3640) test tests::generate_uncompressed ... bench: 67148 ns/iter (+/- 3806) Not too shabby :) [breaking-change]
2014-08-31 20:26:02 -07:00
});
}
fix unused import warning
2014-08-04 16:58:57 -07:00
}
Add a bunch of benchmarks
2015-04-30 12:28:34 -07:00