keystore: use xpub from Rust when computing uncompressed pubkey

The goal use xpub from the Rust keystore, so that we can impement xpub
caching in Rust, calling to C only for utility functions that are hard
to port. If the xpub is derived in C.

Author: benma

src/CMakeLists.txt

@@ -312,7 +312,7 @@ add_custom_target(rust-bindgen
     --allowlist-function keystore_get_bip39_mnemonic
     --allowlist-function keystore_get_bip39_word
     --allowlist-function keystore_get_ed25519_seed
-    --allowlist-function keystore_secp256k1_pubkey_uncompressed
+    --allowlist-function keystore_secp256k1_compressed_to_uncompressed
     --allowlist-function keystore_secp256k1_nonce_commit
     --allowlist-function keystore_secp256k1_sign
     --allowlist-function keystore_secp256k1_schnorr_bip86_sign

src/keystore.c

@@ -538,11 +538,9 @@ bool keystore_get_bip39_word(uint16_t idx, char** word_out)
     return bip39_get_word(NULL, idx, word_out) == WALLY_OK;
 }
 
-// Reformats xpub from compressed 33 bytes to uncompressed 65 bytes (<0x04><64 bytes X><64 bytes
-// Y>),
-// pubkey must be 33 bytes
-// uncompressed_out must be 65 bytes.
-static bool _compressed_to_uncompressed(const uint8_t* pubkey_bytes, uint8_t* uncompressed_out)
+bool keystore_secp256k1_compressed_to_uncompressed(
+    const uint8_t* pubkey_bytes,
+    uint8_t* uncompressed_out)
 {
     const secp256k1_context* ctx = wally_get_secp_context();
     secp256k1_pubkey pubkey;
@@ -557,18 +555,6 @@ static bool _compressed_to_uncompressed(const uint8_t* pubkey_bytes, uint8_t* un
     return true;
 }
 
-bool keystore_secp256k1_pubkey_uncompressed(
-    const uint32_t* keypath,
-    size_t keypath_len,
-    uint8_t* pubkey_out)
-{
-    struct ext_key xpub __attribute__((__cleanup__(keystore_zero_xkey))) = {0};
-    if (!keystore_get_xpub(keypath, keypath_len, &xpub)) {
-        return false;
-    }
-    return _compressed_to_uncompressed(xpub.pub_key, pubkey_out);
-}
-
 bool keystore_secp256k1_nonce_commit(
     const uint32_t* keypath,
     size_t keypath_len,

src/keystore.h

@@ -166,17 +166,13 @@ void keystore_zero_xkey(struct ext_key* xkey);
  */
 USE_RESULT bool keystore_get_bip39_word(uint16_t idx, char** word_out);
 
-/**
- * Return the serialized secp256k1 public key at the keypath, in uncompressed format.
- * @param[in] keypath derivation keypath
- * @param[in] keypath_len size of keypath buffer
- * @param[out] pubkey_out serialized output. Must be EC_PUBLIC_KEY_UNCOMPRESSED_LEN bytes.
- * @return true on success, false if the keystore is locked or the input is invalid.
- */
-USE_RESULT bool keystore_secp256k1_pubkey_uncompressed(
-    const uint32_t* keypath,
-    size_t keypath_len,
-    uint8_t* pubkey_out);
+// Reformats pubkey from compressed 33 bytes to uncompressed 65 bytes (<0x04><64 bytes X><64 bytes
+// Y>),
+// pubkey must be 33 bytes
+// uncompressed_out must be 65 bytes.
+USE_RESULT bool keystore_secp256k1_compressed_to_uncompressed(
+    const uint8_t* pubkey_bytes,
+    uint8_t* uncompressed_out);
 
 /**
  * Get a commitment to the original nonce before tweaking it with the host nonce. This is part of

src/rust/bitbox02-rust/src/hww/api/ethereum/pubrequest.rs

@@ -47,7 +47,7 @@ async fn process_address(request: &pb::EthPubRequest) -> Result<Response, Error>
     if !super::keypath::is_valid_keypath_address(&request.keypath) {
         return Err(Error::InvalidInput);
     }
-    let pubkey = bitbox02::keystore::secp256k1_pubkey_uncompressed(&request.keypath)
+    let pubkey = crate::keystore::secp256k1_pubkey_uncompressed(&request.keypath)
         .or(Err(Error::InvalidInput))?;
     let address = super::address::from_pubkey(&pubkey);
 

src/rust/bitbox02-rust/src/keystore.rs

@@ -34,6 +34,13 @@ pub fn secp256k1_pubkey_hash160(keypath: &[u32]) -> Result<Vec<u8>, ()> {
     Ok(bitbox02::hash160(&xpub.public_key).to_vec())
 }
 
+pub fn secp256k1_pubkey_uncompressed(
+    keypath: &[u32],
+) -> Result<[u8; keystore::EC_PUBLIC_KEY_UNCOMPRESSED_LEN], ()> {
+    let xpub = get_xpub(keypath)?;
+    keystore::secp256k1_pubkey_compressed_to_uncompressed(&xpub.public_key)
+}
+
 /// Returns fingerprint of the root public key at m/, which are the first four bytes of its hash160
 /// according to:
 /// https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#serialization-format
@@ -134,4 +141,18 @@ mod tests {
         );
         assert_eq!(root_fingerprint(), Ok(vec![0xf4, 0x0b, 0x46, 0x9a]));
     }
+
+    #[test]
+    fn test_secp256k1_pubkey_uncompressed() {
+        let keypath = &[44 + HARDENED, 0 + HARDENED, 0 + HARDENED, 1, 2];
+
+        keystore::lock();
+        assert_eq!(secp256k1_pubkey_uncompressed(keypath), Err(()));
+
+        mock_unlocked_using_mnemonic("sleep own lobster state clean thrive tail exist cactus bitter pass soccer clinic riot dream turkey before sport action praise tunnel hood donate man");
+        assert_eq!(
+            secp256k1_pubkey_uncompressed(keypath).unwrap(),
+            *b"\x04\x77\xa4\x4a\xa9\xe8\xc8\xfb\x51\x05\xef\x5e\xe2\x39\x4e\x8a\xed\x89\xad\x73\xfc\x74\x36\x14\x25\xf0\x63\x47\xec\xfe\x32\x61\x31\xe1\x33\x93\x67\xee\x3c\xbe\x87\x71\x92\x85\xa0\x7f\x77\x4b\x17\xeb\x93\x3e\xcf\x0b\x9b\x82\xac\xeb\xc1\x95\x22\x6d\x63\x42\x44",
+        );
+    }
 }

src/rust/bitbox02/src/keystore.rs

@@ -183,14 +183,13 @@ pub fn get_bip39_wordlist() -> Result<Bip39Wordlist, ()> {
     Ok(result)
 }
 
-pub fn secp256k1_pubkey_uncompressed(
-    keypath: &[u32],
+pub fn secp256k1_pubkey_compressed_to_uncompressed(
+    compressed_pubkey: &[u8],
 ) -> Result<[u8; EC_PUBLIC_KEY_UNCOMPRESSED_LEN], ()> {
     let mut pubkey = [0u8; EC_PUBLIC_KEY_UNCOMPRESSED_LEN];
     match unsafe {
-        bitbox02_sys::keystore_secp256k1_pubkey_uncompressed(
-            keypath.as_ptr(),
-            keypath.len() as _,
+        bitbox02_sys::keystore_secp256k1_compressed_to_uncompressed(
+            compressed_pubkey.as_ptr(),
             pubkey.as_mut_ptr(),
         )
     } {

test/unit-test/test_keystore_functional.c

@@ -120,7 +120,8 @@ static bool _encode_xpub(const struct ext_key* xpub, char* out, size_t out_len)
 
 static void _check_pubs(const char* expected_xpub, const char* expected_pubkey_uncompressed_hex)
 {
-    struct ext_key __attribute__((__cleanup__(keystore_zero_xkey))) xpub;
+    struct ext_key __attribute__((__cleanup__(keystore_zero_xkey))) xpub_3;
+    struct ext_key __attribute__((__cleanup__(keystore_zero_xkey))) xpub_5;
     uint32_t keypath[] = {
         44 + BIP32_INITIAL_HARDENED_CHILD,
         0 + BIP32_INITIAL_HARDENED_CHILD,
@@ -129,13 +130,14 @@ static void _check_pubs(const char* expected_xpub, const char* expected_pubkey_u
         2,
     };
 
-    assert_true(keystore_get_xpub(keypath, 3, &xpub));
+    assert_true(keystore_get_xpub(keypath, 3, &xpub_3));
+    assert_true(keystore_get_xpub(keypath, 5, &xpub_5));
     char xpub_serialized[120];
-    assert_true(_encode_xpub(&xpub, xpub_serialized, sizeof(xpub_serialized)));
+    assert_true(_encode_xpub(&xpub_3, xpub_serialized, sizeof(xpub_serialized)));
     assert_string_equal(xpub_serialized, expected_xpub);
 
     uint8_t pubkey_uncompressed[EC_PUBLIC_KEY_UNCOMPRESSED_LEN];
-    assert_true(keystore_secp256k1_pubkey_uncompressed(keypath, 5, pubkey_uncompressed));
+    assert_true(keystore_secp256k1_compressed_to_uncompressed(xpub_5.pub_key, pubkey_uncompressed));
     _assert_equal_memory_hex(
         pubkey_uncompressed, sizeof(pubkey_uncompressed), expected_pubkey_uncompressed_hex);
 }