From e550c3d536594395496c5466f67f12c2c1a19d41 Mon Sep 17 00:00:00 2001
From: therealyingtong
Date: Wed, 30 Mar 2022 20:16:45 +0800
Subject: [PATCH] Check IVK derivations during FullViewingKey::from_bytes.

Closes zcash/orchard#303

Co-authored-by: Jack Grigg
Co-authored-by: Daira Hopwood
---
 src/keys.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/keys.rs b/src/keys.rs
index 6877a218..b1324a69 100644
--- a/src/keys.rs
+++ b/src/keys.rs
@@ -433,7 +433,12 @@ impl FullViewingKey {
 let nk = NullifierDerivingKey::from_bytes(&bytes[32..64])?;
 let rivk = CommitIvkRandomness::from_bytes(&bytes[64..])?;
 
- Some(FullViewingKey { ak, nk, rivk })
+ let fvk = FullViewingKey { ak, nk, rivk };
+
+ // If ivk is 0 or ⊥, this FVK is invalid.
+ let _: NonZeroPallasBase = Option::from(KeyAgreementPrivateKey::derive_inner(&fvk))?;
+
+ Some(fvk)
 }
 
 /// Derives an internal full viewing key from a full viewing key, as specified in
@@ -583,7 +588,7 @@ impl KeyAgreementPrivateKey {
 ///
 /// [orchardkeycomponents]: https://zips.z.cash/protocol/protocol.pdf#orchardkeycomponents
 fn from_fvk(fvk: &FullViewingKey) -> Self {
- // KeyAgreementPrivateKey cannot be constructed such that this unwrap would fail.
+ // FullViewingKey cannot be constructed such that this unwrap would fail.
 let ivk = KeyAgreementPrivateKey::derive_inner(fvk).unwrap();
 KeyAgreementPrivateKey(ivk.into())
 }
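Review bot: The doc comment on `from_bytes`, which begins above the first hunk and is outside this view, does not describe the new rejection path, so callers cannot tell that `None` now also covers a well-formed `ak`/`nk`/`rivk` triple whose derived ivk is 0 or ⊥; a line such as `/// Returns None if the bytes do not encode a valid key, including when the derived ivk would be 0 or ⊥.` would close that gap. The type ascription in `let _: NonZeroPallasBase = Option::from(...)?;` appears to be what lifts `derive_inner`'s constant-time option into a plain `Option` so that `?` can short-circuit, and since the value is discarded a future cleanup could easily drop the whole line as unused; a comment like `// Keep: the Option::from + ? is the validity check, the value itself is recomputed by from_fvk.` would protect it. The comment rewritten in the second hunk, `FullViewingKey cannot be constructed such that this unwrap would fail`, now depends on every constructor of `FullViewingKey` performing this check; `derive_internal`, whose doc line ends the first hunk, and the spending-key path are not visible here, so confirm both uphold the invariant or the `unwrap` in `from_fvk` is reachable from untrusted input.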