keystore: use xpub from Rust when computing bip86 pubkey

The goal use xpub from the Rust keystore, so that we can impement xpub
caching in Rust, calling to C only for utility functions that are hard
to port. If the xpub is derived in C.

Author: benma

src/keystore.c

@@ -691,23 +691,12 @@ static void _tagged_hash(const char* tag, const uint8_t* msg, size_t msg_len, ui
     rust_sha256_finish(&hash_ctx, hash_out);
 }
 
-bool keystore_secp256k1_schnorr_bip86_pubkey(
-    const uint32_t* keypath,
-    size_t keypath_len,
-    uint8_t* pubkey_out)
+bool keystore_secp256k1_schnorr_bip86_pubkey(const uint8_t* pubkey33, uint8_t* pubkey_out)
 {
-    if (keystore_is_locked()) {
-        return false;
-    }
-    struct ext_key xpub __attribute__((__cleanup__(keystore_zero_xkey))) = {0};
-    if (!keystore_get_xpub(keypath, keypath_len, &xpub)) {
-        return false;
-    }
-
     const secp256k1_context* ctx = wally_get_secp_context();
 
     secp256k1_pubkey pubkey = {0};
-    if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, xpub.pub_key, sizeof(xpub.pub_key))) {
+    if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkey33, 33)) {
         return false;
     }
     secp256k1_xonly_pubkey xonly_pubkey = {0};

src/keystore.h

@@ -255,21 +255,18 @@ USE_RESULT bool keystore_encode_xpub_at_keypath(
     uint8_t* out);
 
 /**
- * Return the tweaked taproot pubkey at the given keypath.
+ * Return the tweaked taproot pubkey.
  *
- * Instead of returning the original pubkey at the keypath directly, it is tweaked with the hash of
- * the pubkey.
+ * Instead of returning the original pubkey directly, it is tweaked with the hash of the pubkey.
  *
  * See
  * https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
  *
- * @param[in] keypath derivation keypath
- * @param[in] keypath_len number of elements in keypath
+ * @param[in] pubkey33 33 byte compressed pubkey.
  * @param[out] pubkey_out 32 byte x-only pubkey (see BIP-340 for details).
  */
 USE_RESULT bool keystore_secp256k1_schnorr_bip86_pubkey(
-    const uint32_t* keypath,
-    size_t keypath_len,
+    const uint8_t* pubkey33,
     uint8_t* pubkey_out);
 
 /**

src/rust/bitbox02-rust/src/hww/api/bitcoin/common.rs

@@ -15,7 +15,7 @@
 use super::pb;
 use super::Error;
 
-use bitbox02::keystore;
+use crate::keystore;
 
 use alloc::string::String;
 use alloc::vec::Vec;
@@ -77,7 +77,7 @@ impl Payload {
     ) -> Result<Self, Error> {
         match simple_type {
             SimpleType::P2wpkh => Ok(Payload {
-                data: crate::keystore::secp256k1_pubkey_hash160(keypath)?,
+                data: keystore::secp256k1_pubkey_hash160(keypath)?,
                 output_type: BtcOutputType::P2wpkh,
             }),
             SimpleType::P2wpkhP2sh => {

src/rust/bitbox02-rust/src/keystore.rs

@@ -48,6 +48,18 @@ pub fn root_fingerprint() -> Result<Vec<u8>, ()> {
     Ok(secp256k1_pubkey_hash160(&[])?.get(..4).ok_or(())?.to_vec())
 }
 
+/// Return the tweaked taproot pubkey at the given keypath.
+///
+/// Instead of returning the original pubkey at the keypath directly, it is tweaked with the hash of
+/// the pubkey.
+///
+/// See
+/// https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
+pub fn secp256k1_schnorr_bip86_pubkey(keypath: &[u32]) -> Result<[u8; 32], ()> {
+    let xpub = get_xpub(keypath)?;
+    keystore::secp256k1_schnorr_bip86_pubkey(&xpub.public_key)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -155,4 +167,51 @@ mod tests {
             *b"\x04\x77\xa4\x4a\xa9\xe8\xc8\xfb\x51\x05\xef\x5e\xe2\x39\x4e\x8a\xed\x89\xad\x73\xfc\x74\x36\x14\x25\xf0\x63\x47\xec\xfe\x32\x61\x31\xe1\x33\x93\x67\xee\x3c\xbe\x87\x71\x92\x85\xa0\x7f\x77\x4b\x17\xeb\x93\x3e\xcf\x0b\x9b\x82\xac\xeb\xc1\x95\x22\x6d\x63\x42\x44",
         );
     }
+
+    #[test]
+    fn test_secp2e56k1_schnorr_bip86_pubkey() {
+        // Test vectors from:
+        // https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#test-vectors
+        // Here we only test the creation of the tweaked pubkkey. See `Payload::from_simple` for address generation.
+
+        keystore::lock();
+        assert_eq!(
+            secp256k1_schnorr_bip86_pubkey(&[86 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0]),
+            Err(())
+        );
+
+        mock_unlocked_using_mnemonic("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about");
+        assert_eq!(secp256k1_schnorr_bip86_pubkey(&[
+            86 + HARDENED,
+            0 + HARDENED,
+            0 + HARDENED,
+            0,
+            0
+        ])
+        .unwrap(),
+        *b"\xa6\x08\x69\xf0\xdb\xcf\x1d\xc6\x59\xc9\xce\xcb\xaf\x80\x50\x13\x5e\xa9\xe8\xcd\xc4\x87\x05\x3f\x1d\xc6\x88\x09\x49\xdc\x68\x4c",
+        );
+
+        assert_eq!(secp256k1_schnorr_bip86_pubkey(&[
+            86 + HARDENED,
+            0 + HARDENED,
+            0 + HARDENED,
+            0,
+            1
+        ])
+        .unwrap(),
+        *b"\xa8\x2f\x29\x94\x4d\x65\xb8\x6a\xe6\xb5\xe5\xcc\x75\xe2\x94\xea\xd6\xc5\x93\x91\xa1\xed\xc5\xe0\x16\xe3\x49\x8c\x67\xfc\x7b\xbb",
+        );
+
+        assert_eq!(secp256k1_schnorr_bip86_pubkey(&[
+            86 + HARDENED,
+            0 + HARDENED,
+            0 + HARDENED,
+            1,
+            0,
+        ])
+        .unwrap(),
+        *b"\x88\x2d\x74\xe5\xd0\x57\x2d\x5a\x81\x6c\xef\x00\x41\xa9\x6b\x6c\x1d\xe8\x32\xf6\xf9\x67\x6d\x96\x05\xc4\x4d\x5e\x9a\x97\xd3\xdc",
+        );
+    }
 }

src/rust/bitbox02/src/keystore.rs

@@ -314,12 +314,11 @@ pub fn secp256k1_schnorr_bip86_sign(keypath: &[u32], msg: &[u8; 32]) -> Result<[
     }
 }
 
-pub fn secp256k1_schnorr_bip86_pubkey(keypath: &[u32]) -> Result<[u8; 32], ()> {
+pub fn secp256k1_schnorr_bip86_pubkey(pubkey33: &[u8]) -> Result<[u8; 32], ()> {
     let mut pubkey = [0u8; 32];
     match unsafe {
         bitbox02_sys::keystore_secp256k1_schnorr_bip86_pubkey(
-            keypath.as_ptr(),
-            keypath.len() as _,
+            pubkey33.as_ptr(),
             pubkey.as_mut_ptr(),
         )
     } {

test/unit-test/test_keystore.c

@@ -628,9 +628,7 @@ static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
 {
     // Test vectors from:
     // https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#test-vectors
-    // Here we only test the creation of the tweaked pubkkey. See
-    // `test_btc_common_address_from_payload()` for the actual address generation, which takes this
-    // pubkey as input.
+    // Here we only test the creation of the tweaked pubkkey.
     _mock_with_mnemonic(
         "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon "
         "about",
@@ -643,8 +641,10 @@ static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
             0,
             0,
         };
+        struct ext_key xpub = {0};
+        assert_true(keystore_get_xpub(keypath, 5, &xpub));
         uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(keypath, 5, pubkey));
+        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
         const uint8_t expected_pubkey[32] =
             "\xa6\x08\x69\xf0\xdb\xcf\x1d\xc6\x59\xc9\xce\xcb\xaf\x80\x50\x13\x5e\xa9\xe8\xcd\xc4"
             "\x87\x05\x3f\x1d\xc6\x88\x09\x49\xdc\x68\x4c";
@@ -658,8 +658,10 @@ static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
             0,
             1,
         };
+        struct ext_key xpub = {0};
+        assert_true(keystore_get_xpub(keypath, 5, &xpub));
         uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(keypath, 5, pubkey));
+        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
         const uint8_t expected_pubkey[32] =
             "\xa8\x2f\x29\x94\x4d\x65\xb8\x6a\xe6\xb5\xe5\xcc\x75\xe2\x94\xea\xd6\xc5\x93\x91\xa1"
             "\xed\xc5\xe0\x16\xe3\x49\x8c\x67\xfc\x7b\xbb";
@@ -673,8 +675,10 @@ static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
             1,
             0,
         };
+        struct ext_key xpub = {0};
+        assert_true(keystore_get_xpub(keypath, 5, &xpub));
         uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(keypath, 5, pubkey));
+        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
         const uint8_t expected_pubkey[32] =
             "\x88\x2d\x74\xe5\xd0\x57\x2d\x5a\x81\x6c\xef\x00\x41\xa9\x6b\x6c\x1d\xe8\x32\xf6\xf9"
             "\x67\x6d\x96\x05\xc4\x4d\x5e\x9a\x97\xd3\xdc";
@@ -696,7 +700,10 @@ static void _test_keystore_secp256k1_schnorr_bip86_sign(void** state)
         0,
         0,
     };
-    assert_true(keystore_secp256k1_schnorr_bip86_pubkey(keypath, 5, pubkey));
+    struct ext_key xpub = {0};
+    assert_true(keystore_get_xpub(keypath, 5, &xpub));
+
+    assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
     uint8_t msg[32] = {0};
     memset(msg, 0x88, sizeof(msg));
     uint8_t sig[64] = {0};