Merge branch 'rust-pk'

Author: benma

src/keystore.c

@@ -614,23 +614,6 @@ bool keystore_get_bip39_word(uint16_t idx, char** word_out)
     return bip39_get_word(NULL, idx, word_out) == WALLY_OK;
 }
 
-bool keystore_secp256k1_compressed_to_uncompressed(
-    const uint8_t* pubkey_bytes,
-    uint8_t* uncompressed_out)
-{
-    const secp256k1_context* ctx = wally_get_secp_context();
-    secp256k1_pubkey pubkey;
-    if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkey_bytes, 33)) {
-        return false;
-    }
-    size_t len = 65;
-    if (!secp256k1_ec_pubkey_serialize(
-            ctx, uncompressed_out, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED)) {
-        return false;
-    }
-    return true;
-}
-
 bool keystore_secp256k1_nonce_commit(
     const uint32_t* keypath,
     size_t keypath_len,
@@ -843,46 +826,6 @@ USE_RESULT bool keystore_encode_xpub_at_keypath(
            WALLY_OK;
 }
 
-static void _tagged_hash(const char* tag, const uint8_t* msg, size_t msg_len, uint8_t* hash_out)
-{
-    uint8_t tag_hash[32] = {0};
-    rust_sha256(tag, strlen(tag), tag_hash);
-    void* hash_ctx = rust_sha256_new();
-    rust_sha256_update(hash_ctx, tag_hash, sizeof(tag_hash));
-    rust_sha256_update(hash_ctx, tag_hash, sizeof(tag_hash));
-    rust_sha256_update(hash_ctx, msg, msg_len);
-    rust_sha256_finish(&hash_ctx, hash_out);
-}
-
-bool keystore_secp256k1_schnorr_bip86_pubkey(const uint8_t* pubkey33, uint8_t* pubkey_out)
-{
-    const secp256k1_context* ctx = wally_get_secp_context();
-
-    secp256k1_pubkey pubkey = {0};
-    if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkey33, 33)) {
-        return false;
-    }
-    secp256k1_xonly_pubkey xonly_pubkey = {0};
-    if (!secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pubkey, NULL, &pubkey)) {
-        return false;
-    }
-    uint8_t xonly_pubkey_serialized[32] = {0};
-    if (!secp256k1_xonly_pubkey_serialize(ctx, xonly_pubkey_serialized, &xonly_pubkey)) {
-        return false;
-    }
-    uint8_t hash[32] = {0};
-    secp256k1_pubkey tweaked_pubkey = {0};
-    _tagged_hash("TapTweak", xonly_pubkey_serialized, sizeof(xonly_pubkey_serialized), hash);
-    if (!secp256k1_xonly_pubkey_tweak_add(ctx, &tweaked_pubkey, &xonly_pubkey, hash)) {
-        return false;
-    }
-    secp256k1_xonly_pubkey tweaked_xonly_pubkey = {0};
-    if (!secp256k1_xonly_pubkey_from_pubkey(ctx, &tweaked_xonly_pubkey, NULL, &tweaked_pubkey)) {
-        return false;
-    }
-    return secp256k1_xonly_pubkey_serialize(ctx, pubkey_out, &tweaked_xonly_pubkey) == 1;
-}
-
 static bool _schnorr_keypair(
     const uint32_t* keypath,
     size_t keypath_len,

src/keystore.h

@@ -24,7 +24,7 @@
 #include <secp256k1.h>
 #include <wally_bip32.h>
 #include <wally_bip39.h> // for BIP39_WORDLIST_LEN
-#include <wally_crypto.h> // for EC_PUBLIC_KEY_UNCOMPRESSED_LEN and EC_PUBLIC_KEY_LEN
+#include <wally_crypto.h> // for EC_PUBLIC_KEY_LEN
 
 #define KEYSTORE_MAX_SEED_LENGTH (32)
 #define KEYSTORE_U2F_SEED_LENGTH SHA256_LEN
@@ -160,14 +160,6 @@ void keystore_zero_xkey(struct ext_key* xkey);
  */
 USE_RESULT bool keystore_get_bip39_word(uint16_t idx, char** word_out);
 
-// Reformats pubkey from compressed 33 bytes to uncompressed 65 bytes (<0x04><64 bytes X><64 bytes
-// Y>),
-// pubkey must be 33 bytes
-// uncompressed_out must be 65 bytes.
-USE_RESULT bool keystore_secp256k1_compressed_to_uncompressed(
-    const uint8_t* pubkey_bytes,
-    uint8_t* uncompressed_out);
-
 /**
  * Get a commitment to the original nonce before tweaking it with the host nonce. This is part of
  * the ECDSA Anti-Klepto Protocol. For more details, check the docs of
@@ -274,23 +266,7 @@ USE_RESULT bool keystore_encode_xpub_at_keypath(
     uint8_t* out);
 
 /**
- * Return the tweaked taproot pubkey.
- *
- * Instead of returning the original pubkey directly, it is tweaked with the hash of the pubkey.
- *
- * See
- * https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
- *
- * @param[in] pubkey33 33 byte compressed pubkey.
- * @param[out] pubkey_out 32 byte x-only pubkey (see BIP-340 for details).
- */
-USE_RESULT bool keystore_secp256k1_schnorr_bip86_pubkey(
-    const uint8_t* pubkey33,
-    uint8_t* pubkey_out);
-
-/**
- * Sign a message that verifies against the pubkey returned by
- * `keystore_secp256k1_schnorr_bip86_pubkey()`.
+ * Sign a message that verifies against the pubkey tweaked using BIP-86.
  *
  * @param[in] keypath derivation keypath
  * @param[in] keypath_len number of elements in keypath

src/rust/bitbox02-rust/src/bip32.rs

@@ -18,6 +18,8 @@ use alloc::vec::Vec;
 
 pub use pb::btc_pub_request::XPubType;
 
+use bitcoin::hashes::Hash;
+
 #[derive(Clone)]
 pub struct Xpub {
     xpub: pb::XPub,
@@ -114,14 +116,17 @@ impl Xpub {
 
     /// Return the hash160 of the secp256k1 public key.
     pub fn pubkey_hash160(&self) -> Vec<u8> {
-        bitbox02::hash160(self.public_key()).to_vec()
+        bitcoin::hashes::hash160::Hash::hash(self.public_key())
+            .to_byte_array()
+            .to_vec()
     }
 
     /// Return the 65 byte secp256k1 compressed pubkey:
     ///
     /// (<0x04><64 bytes X><64 bytes Y>).
     pub fn pubkey_uncompressed(&self) -> Result<[u8; 65], ()> {
-        bitbox02::keystore::secp256k1_pubkey_compressed_to_uncompressed(self.public_key())
+        let pk = bitcoin::secp256k1::PublicKey::from_slice(self.public_key()).map_err(|_| ())?;
+        Ok(pk.serialize_uncompressed())
     }
 
     /// Return the tweaked taproot pubkey.
@@ -132,7 +137,14 @@ impl Xpub {
     /// See
     /// https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
     pub fn schnorr_bip86_pubkey(&self) -> Result<[u8; 32], ()> {
-        bitbox02::keystore::secp256k1_schnorr_bip86_pubkey(self.public_key())
+        use bitcoin::key::TapTweak;
+        let untweaked_pubkey: bitcoin::key::UntweakedPublicKey =
+            bitcoin::key::PublicKey::from_slice(self.public_key())
+                .map_err(|_| ())?
+                .into();
+        let secp = bitcoin::secp256k1::Secp256k1::new();
+        let (tweaked, _) = untweaked_pubkey.tap_tweak(&secp, None);
+        Ok(tweaked.serialize())
     }
 }
 

src/rust/bitbox02-rust/src/hww/api/bitcoin/common.rs

@@ -29,6 +29,8 @@ use super::{multisig, params::Params, script};
 
 use sha2::{Digest, Sha256};
 
+use bitcoin::hashes::Hash;
+
 const HASH160_LEN: usize = 20;
 const SHA256_LEN: usize = 32;
 
@@ -92,7 +94,9 @@ impl Payload {
                     Payload::from_simple(xpub_cache, params, SimpleType::P2wpkh, keypath)?;
                 let pkscript_p2wpkh = payload_p2wpkh.pk_script(params)?;
                 Ok(Payload {
-                    data: bitbox02::hash160(&pkscript_p2wpkh).to_vec(),
+                    data: bitcoin::hashes::hash160::Hash::hash(&pkscript_p2wpkh)
+                        .to_byte_array()
+                        .to_vec(),
                     output_type: BtcOutputType::P2sh,
                 })
             }
@@ -140,7 +144,9 @@ impl Payload {
             pb::btc_script_config::multisig::ScriptType::P2wshP2sh => {
                 let pkscript_p2wsh = payload_p2wsh.pk_script(params)?;
                 Ok(Payload {
-                    data: bitbox02::hash160(&pkscript_p2wsh).to_vec(),
+                    data: bitcoin::hashes::hash160::Hash::hash(&pkscript_p2wsh)
+                        .to_byte_array()
+                        .to_vec(),
                     output_type: BtcOutputType::P2sh,
                 })
             }

src/rust/bitbox02-sys/build.rs

@@ -22,7 +22,6 @@ const ALLOWLIST_VARS: &[&str] = &[
     "BIP32_SERIALIZED_LEN",
     "BIP39_WORDLIST_LEN",
     "EC_PUBLIC_KEY_LEN",
-    "EC_PUBLIC_KEY_UNCOMPRESSED_LEN",
     "INPUT_STRING_MAX_SIZE",
     "KEYSTORE_MAX_SEED_LENGTH",
     "MAX_LABEL_SIZE",
@@ -73,10 +72,8 @@ const ALLOWLIST_FNS: &[&str] = &[
     "keystore_is_locked",
     "keystore_lock",
     "keystore_mock_unlocked",
-    "keystore_secp256k1_compressed_to_uncompressed",
     "keystore_secp256k1_get_private_key",
     "keystore_secp256k1_nonce_commit",
-    "keystore_secp256k1_schnorr_bip86_pubkey",
     "keystore_secp256k1_schnorr_sign",
     "keystore_secp256k1_sign",
     "keystore_unlock",
@@ -141,7 +138,6 @@ const ALLOWLIST_FNS: &[&str] = &[
     "util_format_datetime",
     "wally_free_string",
     "wally_get_secp_context",
-    "wally_hash160",
     "wally_sha512",
 ];
 

src/rust/bitbox02/src/keystore.rs

@@ -22,7 +22,6 @@ use core::convert::TryInto;
 use bitbox02_sys::keystore_error_t;
 
 pub const BIP39_WORDLIST_LEN: u16 = bitbox02_sys::BIP39_WORDLIST_LEN as u16;
-pub const EC_PUBLIC_KEY_UNCOMPRESSED_LEN: usize = bitbox02_sys::EC_PUBLIC_KEY_UNCOMPRESSED_LEN as _;
 pub const EC_PUBLIC_KEY_LEN: usize = bitbox02_sys::EC_PUBLIC_KEY_LEN as _;
 pub const MAX_SEED_LENGTH: usize = bitbox02_sys::KEYSTORE_MAX_SEED_LENGTH as usize;
 
@@ -200,21 +199,6 @@ pub fn get_bip39_wordlist(indices: Option<&[u16]>) -> Bip39Wordlist {
     )
 }
 
-pub fn secp256k1_pubkey_compressed_to_uncompressed(
-    compressed_pubkey: &[u8],
-) -> Result<[u8; EC_PUBLIC_KEY_UNCOMPRESSED_LEN], ()> {
-    let mut pubkey = [0u8; EC_PUBLIC_KEY_UNCOMPRESSED_LEN];
-    match unsafe {
-        bitbox02_sys::keystore_secp256k1_compressed_to_uncompressed(
-            compressed_pubkey.as_ptr(),
-            pubkey.as_mut_ptr(),
-        )
-    } {
-        true => Ok(pubkey),
-        false => Err(()),
-    }
-}
-
 pub fn encode_xpub_at_keypath(keypath: &[u32]) -> Result<Vec<u8>, ()> {
     let mut xpub = vec![0u8; bitbox02_sys::BIP32_SERIALIZED_LEN as _];
     match unsafe {
@@ -376,19 +360,6 @@ pub fn secp256k1_schnorr_sign(
     }
 }
 
-pub fn secp256k1_schnorr_bip86_pubkey(pubkey33: &[u8]) -> Result<[u8; 32], ()> {
-    let mut pubkey = [0u8; 32];
-    match unsafe {
-        bitbox02_sys::keystore_secp256k1_schnorr_bip86_pubkey(
-            pubkey33.as_ptr(),
-            pubkey.as_mut_ptr(),
-        )
-    } {
-        true => Ok(pubkey),
-        false => Err(()),
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;

src/rust/bitbox02/src/lib.rs

@@ -217,19 +217,6 @@ pub fn reboot() -> ! {
     loop {}
 }
 
-pub fn hash160(data: &[u8]) -> [u8; 20] {
-    let mut out = [0u8; 20];
-    unsafe {
-        bitbox02_sys::wally_hash160(
-            data.as_ptr(),
-            data.len() as _,
-            out.as_mut_ptr(),
-            out.len() as _,
-        );
-    }
-    out
-}
-
 #[cfg(feature = "testing")]
 pub fn reboot() -> ! {
     panic!("reboot called")

test/unit-test/test_keystore.c

@@ -638,68 +638,6 @@ static void _test_secp256k1_schnorr_sign(void** state)
     }
 }
 
-static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
-{
-    // Test vectors from:
-    // https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#test-vectors
-    // Here we only test the creation of the tweaked pubkkey.
-    _mock_with_mnemonic(
-        "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon "
-        "about",
-        "");
-    {
-        const uint32_t keypath[] = {
-            86 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0,
-            0,
-        };
-        struct ext_key xpub = {0};
-        assert_true(keystore_get_xpub(keypath, 5, &xpub));
-        uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
-        const uint8_t expected_pubkey[32] =
-            "\xa6\x08\x69\xf0\xdb\xcf\x1d\xc6\x59\xc9\xce\xcb\xaf\x80\x50\x13\x5e\xa9\xe8\xcd\xc4"
-            "\x87\x05\x3f\x1d\xc6\x88\x09\x49\xdc\x68\x4c";
-        assert_memory_equal(pubkey, expected_pubkey, sizeof(pubkey));
-    }
-    {
-        const uint32_t keypath[] = {
-            86 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0,
-            1,
-        };
-        struct ext_key xpub = {0};
-        assert_true(keystore_get_xpub(keypath, 5, &xpub));
-        uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
-        const uint8_t expected_pubkey[32] =
-            "\xa8\x2f\x29\x94\x4d\x65\xb8\x6a\xe6\xb5\xe5\xcc\x75\xe2\x94\xea\xd6\xc5\x93\x91\xa1"
-            "\xed\xc5\xe0\x16\xe3\x49\x8c\x67\xfc\x7b\xbb";
-        assert_memory_equal(pubkey, expected_pubkey, sizeof(pubkey));
-    }
-    {
-        const uint32_t keypath[] = {
-            86 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            1,
-            0,
-        };
-        struct ext_key xpub = {0};
-        assert_true(keystore_get_xpub(keypath, 5, &xpub));
-        uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
-        const uint8_t expected_pubkey[32] =
-            "\x88\x2d\x74\xe5\xd0\x57\x2d\x5a\x81\x6c\xef\x00\x41\xa9\x6b\x6c\x1d\xe8\x32\xf6\xf9"
-            "\x67\x6d\x96\x05\xc4\x4d\x5e\x9a\x97\xd3\xdc";
-        assert_memory_equal(pubkey, expected_pubkey, sizeof(pubkey));
-    }
-}
-
 static void _test_keystore_secp256k1_schnorr_sign(void** state)
 {
     _mock_with_mnemonic(
@@ -762,7 +700,6 @@ int main(void)
         cmocka_unit_test(_test_keystore_create_and_store_seed),
         cmocka_unit_test(_test_keystore_get_ed25519_seed),
         cmocka_unit_test(_test_secp256k1_schnorr_sign),
-        cmocka_unit_test(_test_keystore_secp256k1_schnorr_bip86_pubkey),
         cmocka_unit_test(_test_keystore_secp256k1_schnorr_sign),
     };
     return cmocka_run_group_tests(tests, NULL, NULL);