2018-07-24 03:47:47 +03:00
|
|
|
// Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style license that can be found in
|
|
|
|
// the LICENSE file.
|
2015-07-07 02:54:22 +02:00
|
|
|
|
2023-11-28 19:16:50 +01:00
|
|
|
//go:build !gofuzz && cgo
|
|
|
|
// +build !gofuzz,cgo
|
|
|
|
|
2015-01-22 00:35:00 +01:00
|
|
|
package secp256k1
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
2017-01-12 21:29:11 +01:00
|
|
|
"crypto/ecdsa"
|
|
|
|
"crypto/elliptic"
|
|
|
|
"crypto/rand"
|
2015-09-28 11:19:23 +02:00
|
|
|
"encoding/hex"
|
2018-07-26 14:33:13 +03:00
|
|
|
"io"
|
2015-01-22 00:35:00 +01:00
|
|
|
"testing"
|
|
|
|
)
|
|
|
|
|
2015-09-29 19:37:44 +02:00
|
|
|
const TestCount = 1000
|
2015-01-22 00:35:00 +01:00
|
|
|
|
2017-01-12 21:29:11 +01:00
|
|
|
func generateKeyPair() (pubkey, privkey []byte) {
|
|
|
|
key, err := ecdsa.GenerateKey(S256(), rand.Reader)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
pubkey = elliptic.Marshal(S256(), key.X, key.Y)
|
2018-07-26 14:33:13 +03:00
|
|
|
|
|
|
|
privkey = make([]byte, 32)
|
|
|
|
blob := key.D.Bytes()
|
|
|
|
copy(privkey[32-len(blob):], blob)
|
|
|
|
|
|
|
|
return pubkey, privkey
|
|
|
|
}
|
|
|
|
|
|
|
|
func csprngEntropy(n int) []byte {
|
|
|
|
buf := make([]byte, n)
|
|
|
|
if _, err := io.ReadFull(rand.Reader, buf); err != nil {
|
|
|
|
panic("reading from crypto/rand failed: " + err.Error())
|
|
|
|
}
|
|
|
|
return buf
|
2017-01-12 21:29:11 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func randSig() []byte {
|
2018-07-26 14:33:13 +03:00
|
|
|
sig := csprngEntropy(65)
|
2017-01-12 21:29:11 +01:00
|
|
|
sig[32] &= 0x70
|
|
|
|
sig[64] %= 4
|
|
|
|
return sig
|
|
|
|
}
|
|
|
|
|
|
|
|
// tests for malleability
|
|
|
|
// highest bit of signature ECDSA s value must be 0, in the 33th byte
|
|
|
|
func compactSigCheck(t *testing.T, sig []byte) {
|
2018-05-08 16:17:09 -07:00
|
|
|
var b = int(sig[32])
|
2017-01-12 21:29:11 +01:00
|
|
|
if b < 0 {
|
|
|
|
t.Errorf("highest bit is negative: %d", b)
|
|
|
|
}
|
|
|
|
if ((b >> 7) == 1) != ((b & 0x80) == 0x80) {
|
|
|
|
t.Errorf("highest bit: %d bit >> 7: %d", b, b>>7)
|
|
|
|
}
|
|
|
|
if (b & 0x80) == 0x80 {
|
|
|
|
t.Errorf("highest bit: %d bit & 0x80: %d", b, b&0x80)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func TestSignatureValidity(t *testing.T) {
|
2017-01-12 21:29:11 +01:00
|
|
|
pubkey, seckey := generateKeyPair()
|
2018-07-26 14:33:13 +03:00
|
|
|
msg := csprngEntropy(32)
|
2015-09-28 11:19:23 +02:00
|
|
|
sig, err := Sign(msg, seckey)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("signature error: %s", err)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
2015-09-28 11:19:23 +02:00
|
|
|
compactSigCheck(t, sig)
|
2015-01-22 00:35:00 +01:00
|
|
|
if len(pubkey) != 65 {
|
2015-09-28 11:19:23 +02:00
|
|
|
t.Errorf("pubkey length mismatch: want: 65 have: %d", len(pubkey))
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
if len(seckey) != 32 {
|
2015-09-28 11:19:23 +02:00
|
|
|
t.Errorf("seckey length mismatch: want: 32 have: %d", len(seckey))
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
2015-09-28 11:19:23 +02:00
|
|
|
if len(sig) != 65 {
|
|
|
|
t.Errorf("sig length mismatch: want: 65 have: %d", len(sig))
|
|
|
|
}
|
|
|
|
recid := int(sig[64])
|
|
|
|
if recid > 4 || recid < 0 {
|
|
|
|
t.Errorf("sig recid mismatch: want: within 0 to 4 have: %d", int(sig[64]))
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-11-16 17:11:26 +01:00
|
|
|
func TestInvalidRecoveryID(t *testing.T) {
|
2017-01-12 21:29:11 +01:00
|
|
|
_, seckey := generateKeyPair()
|
2018-07-26 14:33:13 +03:00
|
|
|
msg := csprngEntropy(32)
|
2015-11-16 17:11:26 +01:00
|
|
|
sig, _ := Sign(msg, seckey)
|
|
|
|
sig[64] = 99
|
|
|
|
_, err := RecoverPubkey(msg, sig)
|
|
|
|
if err != ErrInvalidRecoveryID {
|
|
|
|
t.Fatalf("got %q, want %q", err, ErrInvalidRecoveryID)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func TestSignAndRecover(t *testing.T) {
|
2017-01-12 21:29:11 +01:00
|
|
|
pubkey1, seckey := generateKeyPair()
|
2018-07-26 14:33:13 +03:00
|
|
|
msg := csprngEntropy(32)
|
2015-09-28 11:19:23 +02:00
|
|
|
sig, err := Sign(msg, seckey)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("signature error: %s", err)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
2015-09-28 11:19:23 +02:00
|
|
|
pubkey2, err := RecoverPubkey(msg, sig)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("recover error: %s", err)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
2015-09-28 11:19:23 +02:00
|
|
|
if !bytes.Equal(pubkey1, pubkey2) {
|
|
|
|
t.Errorf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-01-22 23:28:47 +01:00
|
|
|
func TestSignDeterministic(t *testing.T) {
|
|
|
|
_, seckey := generateKeyPair()
|
|
|
|
msg := make([]byte, 32)
|
|
|
|
copy(msg, "hi there")
|
|
|
|
|
|
|
|
sig1, err := Sign(msg, seckey)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
sig2, err := Sign(msg, seckey)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if !bytes.Equal(sig1, sig2) {
|
|
|
|
t.Fatal("signatures not equal")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func TestRandomMessagesWithSameKey(t *testing.T) {
|
2017-01-12 21:29:11 +01:00
|
|
|
pubkey, seckey := generateKeyPair()
|
2015-09-28 11:19:23 +02:00
|
|
|
keys := func() ([]byte, []byte) {
|
2015-09-28 11:19:23 +02:00
|
|
|
return pubkey, seckey
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
2015-09-28 11:19:23 +02:00
|
|
|
signAndRecoverWithRandomMessages(t, keys)
|
|
|
|
}
|
2015-01-22 00:35:00 +01:00
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func TestRandomMessagesWithRandomKeys(t *testing.T) {
|
|
|
|
keys := func() ([]byte, []byte) {
|
2017-01-12 21:29:11 +01:00
|
|
|
pubkey, seckey := generateKeyPair()
|
2015-09-28 11:19:23 +02:00
|
|
|
return pubkey, seckey
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
2015-09-28 11:19:23 +02:00
|
|
|
signAndRecoverWithRandomMessages(t, keys)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func signAndRecoverWithRandomMessages(t *testing.T, keys func() ([]byte, []byte)) {
|
|
|
|
for i := 0; i < TestCount; i++ {
|
|
|
|
pubkey1, seckey := keys()
|
2018-07-26 14:33:13 +03:00
|
|
|
msg := csprngEntropy(32)
|
2015-09-28 11:19:23 +02:00
|
|
|
sig, err := Sign(msg, seckey)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("signature error: %s", err)
|
|
|
|
}
|
|
|
|
if sig == nil {
|
|
|
|
t.Fatal("signature is nil")
|
|
|
|
}
|
|
|
|
compactSigCheck(t, sig)
|
2015-01-22 00:35:00 +01:00
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
// TODO: why do we flip around the recovery id?
|
2015-01-22 00:35:00 +01:00
|
|
|
sig[len(sig)-1] %= 4
|
2015-09-28 11:19:23 +02:00
|
|
|
|
|
|
|
pubkey2, err := RecoverPubkey(msg, sig)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("recover error: %s", err)
|
|
|
|
}
|
2015-01-22 00:35:00 +01:00
|
|
|
if pubkey2 == nil {
|
2015-09-28 11:19:23 +02:00
|
|
|
t.Error("pubkey is nil")
|
|
|
|
}
|
|
|
|
if !bytes.Equal(pubkey1, pubkey2) {
|
|
|
|
t.Fatalf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func TestRecoveryOfRandomSignature(t *testing.T) {
|
2017-01-12 21:29:11 +01:00
|
|
|
pubkey1, _ := generateKeyPair()
|
2018-07-26 14:33:13 +03:00
|
|
|
msg := csprngEntropy(32)
|
2015-01-22 00:35:00 +01:00
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
for i := 0; i < TestCount; i++ {
|
|
|
|
// recovery can sometimes work, but if so should always give wrong pubkey
|
2017-01-09 11:16:06 +01:00
|
|
|
pubkey2, _ := RecoverPubkey(msg, randSig())
|
2015-09-28 11:19:23 +02:00
|
|
|
if bytes.Equal(pubkey1, pubkey2) {
|
|
|
|
t.Fatalf("iteration: %d: pubkey mismatch: do NOT want %x: ", i, pubkey2)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func TestRandomMessagesAgainstValidSig(t *testing.T) {
|
2017-01-12 21:29:11 +01:00
|
|
|
pubkey1, seckey := generateKeyPair()
|
2018-07-26 14:33:13 +03:00
|
|
|
msg := csprngEntropy(32)
|
2015-01-22 00:35:00 +01:00
|
|
|
sig, _ := Sign(msg, seckey)
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
for i := 0; i < TestCount; i++ {
|
2018-07-26 14:33:13 +03:00
|
|
|
msg = csprngEntropy(32)
|
2015-01-22 00:35:00 +01:00
|
|
|
pubkey2, _ := RecoverPubkey(msg, sig)
|
2015-09-28 11:19:23 +02:00
|
|
|
// recovery can sometimes work, but if so should always give wrong pubkey
|
|
|
|
if bytes.Equal(pubkey1, pubkey2) {
|
|
|
|
t.Fatalf("iteration: %d: pubkey mismatch: do NOT want %x: ", i, pubkey2)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
// Useful when the underlying libsecp256k1 API changes to quickly
|
|
|
|
// check only recover function without use of signature function
|
|
|
|
func TestRecoverSanity(t *testing.T) {
|
|
|
|
msg, _ := hex.DecodeString("ce0677bb30baa8cf067c88db9811f4333d131bf8bcf12fe7065d211dce971008")
|
|
|
|
sig, _ := hex.DecodeString("90f27b8b488db00b00606796d2987f6a5f59ae62ea05effe84fef5b8b0e549984a691139ad57a3f0b906637673aa2f63d1f55cb1a69199d4009eea23ceaddc9301")
|
|
|
|
pubkey1, _ := hex.DecodeString("04e32df42865e97135acfb65f3bae71bdc86f4d49150ad6a440b6f15878109880a0a2b2667f7e725ceea70c673093bf67663e0312623c8e091b13cf2c0f11ef652")
|
|
|
|
pubkey2, err := RecoverPubkey(msg, sig)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("recover error: %s", err)
|
|
|
|
}
|
|
|
|
if !bytes.Equal(pubkey1, pubkey2) {
|
|
|
|
t.Errorf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2)
|
|
|
|
}
|
|
|
|
}
|
2015-01-22 00:35:00 +01:00
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func BenchmarkSign(b *testing.B) {
|
2017-01-12 21:29:11 +01:00
|
|
|
_, seckey := generateKeyPair()
|
2018-07-26 14:33:13 +03:00
|
|
|
msg := csprngEntropy(32)
|
2017-01-12 21:29:11 +01:00
|
|
|
b.ResetTimer()
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
for i := 0; i < b.N; i++ {
|
2017-01-12 21:29:11 +01:00
|
|
|
Sign(msg, seckey)
|
2015-01-22 00:35:00 +01:00
|
|
|
}
|
|
|
|
}
|
2015-02-16 13:19:57 +01:00
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
func BenchmarkRecover(b *testing.B) {
|
2018-07-26 14:33:13 +03:00
|
|
|
msg := csprngEntropy(32)
|
2017-01-12 21:29:11 +01:00
|
|
|
_, seckey := generateKeyPair()
|
|
|
|
sig, _ := Sign(msg, seckey)
|
|
|
|
b.ResetTimer()
|
|
|
|
|
2015-09-28 11:19:23 +02:00
|
|
|
for i := 0; i < b.N; i++ {
|
2017-01-12 21:29:11 +01:00
|
|
|
RecoverPubkey(msg, sig)
|
2015-02-16 13:19:57 +01:00
|
|
|
}
|
|
|
|
}
|