Merge branch 'keystore-rust'

Author: benma

src/CMakeLists.txt

@@ -312,7 +312,7 @@ add_custom_target(rust-bindgen
     --allowlist-function keystore_get_bip39_mnemonic
     --allowlist-function keystore_get_bip39_word
     --allowlist-function keystore_get_ed25519_seed
-    --allowlist-function keystore_secp256k1_pubkey_uncompressed
+    --allowlist-function keystore_secp256k1_compressed_to_uncompressed
     --allowlist-function keystore_secp256k1_nonce_commit
     --allowlist-function keystore_secp256k1_sign
     --allowlist-function keystore_secp256k1_schnorr_bip86_sign

src/keystore.c

@@ -539,11 +539,9 @@ bool keystore_get_bip39_word(uint16_t idx, char** word_out)
     return bip39_get_word(NULL, idx, word_out) == WALLY_OK;
 }
 
-// Reformats xpub from compressed 33 bytes to uncompressed 65 bytes (<0x04><64 bytes X><64 bytes
-// Y>),
-// pubkey must be 33 bytes
-// uncompressed_out must be 65 bytes.
-static bool _compressed_to_uncompressed(const uint8_t* pubkey_bytes, uint8_t* uncompressed_out)
+bool keystore_secp256k1_compressed_to_uncompressed(
+    const uint8_t* pubkey_bytes,
+    uint8_t* uncompressed_out)
 {
     const secp256k1_context* ctx = wally_get_secp_context();
     secp256k1_pubkey pubkey;
@@ -558,18 +556,6 @@ static bool _compressed_to_uncompressed(const uint8_t* pubkey_bytes, uint8_t* un
     return true;
 }
 
-bool keystore_secp256k1_pubkey_uncompressed(
-    const uint32_t* keypath,
-    size_t keypath_len,
-    uint8_t* pubkey_out)
-{
-    struct ext_key xpub __attribute__((__cleanup__(keystore_zero_xkey))) = {0};
-    if (!keystore_get_xpub(keypath, keypath_len, &xpub)) {
-        return false;
-    }
-    return _compressed_to_uncompressed(xpub.pub_key, pubkey_out);
-}
-
 bool keystore_secp256k1_nonce_commit(
     const uint32_t* keypath,
     size_t keypath_len,
@@ -706,23 +692,12 @@ static void _tagged_hash(const char* tag, const uint8_t* msg, size_t msg_len, ui
     rust_sha256_finish(&hash_ctx, hash_out);
 }
 
-bool keystore_secp256k1_schnorr_bip86_pubkey(
-    const uint32_t* keypath,
-    size_t keypath_len,
-    uint8_t* pubkey_out)
+bool keystore_secp256k1_schnorr_bip86_pubkey(const uint8_t* pubkey33, uint8_t* pubkey_out)
 {
-    if (keystore_is_locked()) {
-        return false;
-    }
-    struct ext_key xpub __attribute__((__cleanup__(keystore_zero_xkey))) = {0};
-    if (!keystore_get_xpub(keypath, keypath_len, &xpub)) {
-        return false;
-    }
-
     const secp256k1_context* ctx = wally_get_secp_context();
 
     secp256k1_pubkey pubkey = {0};
-    if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, xpub.pub_key, sizeof(xpub.pub_key))) {
+    if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkey33, 33)) {
         return false;
     }
     secp256k1_xonly_pubkey xonly_pubkey = {0};

src/keystore.h

@@ -166,17 +166,13 @@ void keystore_zero_xkey(struct ext_key* xkey);
  */
 USE_RESULT bool keystore_get_bip39_word(uint16_t idx, char** word_out);
 
-/**
- * Return the serialized secp256k1 public key at the keypath, in uncompressed format.
- * @param[in] keypath derivation keypath
- * @param[in] keypath_len size of keypath buffer
- * @param[out] pubkey_out serialized output. Must be EC_PUBLIC_KEY_UNCOMPRESSED_LEN bytes.
- * @return true on success, false if the keystore is locked or the input is invalid.
- */
-USE_RESULT bool keystore_secp256k1_pubkey_uncompressed(
-    const uint32_t* keypath,
-    size_t keypath_len,
-    uint8_t* pubkey_out);
+// Reformats pubkey from compressed 33 bytes to uncompressed 65 bytes (<0x04><64 bytes X><64 bytes
+// Y>),
+// pubkey must be 33 bytes
+// uncompressed_out must be 65 bytes.
+USE_RESULT bool keystore_secp256k1_compressed_to_uncompressed(
+    const uint8_t* pubkey_bytes,
+    uint8_t* uncompressed_out);
 
 /**
  * Get a commitment to the original nonce before tweaking it with the host nonce. This is part of
@@ -259,21 +255,18 @@ USE_RESULT bool keystore_encode_xpub_at_keypath(
     uint8_t* out);
 
 /**
- * Return the tweaked taproot pubkey at the given keypath.
+ * Return the tweaked taproot pubkey.
  *
- * Instead of returning the original pubkey at the keypath directly, it is tweaked with the hash of
- * the pubkey.
+ * Instead of returning the original pubkey directly, it is tweaked with the hash of the pubkey.
  *
  * See
  * https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
  *
- * @param[in] keypath derivation keypath
- * @param[in] keypath_len number of elements in keypath
+ * @param[in] pubkey33 33 byte compressed pubkey.
  * @param[out] pubkey_out 32 byte x-only pubkey (see BIP-340 for details).
  */
 USE_RESULT bool keystore_secp256k1_schnorr_bip86_pubkey(
-    const uint32_t* keypath,
-    size_t keypath_len,
+    const uint8_t* pubkey33,
     uint8_t* pubkey_out);
 
 /**

src/rust/bitbox02-rust/src/hww/api/bitcoin/common.rs

@@ -15,7 +15,7 @@
 use super::pb;
 use super::Error;
 
-use bitbox02::keystore;
+use crate::keystore;
 
 use alloc::string::String;
 use alloc::vec::Vec;
@@ -77,7 +77,7 @@ impl Payload {
     ) -> Result<Self, Error> {
         match simple_type {
             SimpleType::P2wpkh => Ok(Payload {
-                data: crate::keystore::secp256k1_pubkey_hash160(keypath)?,
+                data: keystore::secp256k1_pubkey_hash160(keypath)?,
                 output_type: BtcOutputType::P2wpkh,
             }),
             SimpleType::P2wpkhP2sh => {

src/rust/bitbox02-rust/src/hww/api/ethereum/pubrequest.rs

@@ -47,7 +47,7 @@ async fn process_address(request: &pb::EthPubRequest) -> Result<Response, Error>
     if !super::keypath::is_valid_keypath_address(&request.keypath) {
         return Err(Error::InvalidInput);
     }
-    let pubkey = bitbox02::keystore::secp256k1_pubkey_uncompressed(&request.keypath)
+    let pubkey = crate::keystore::secp256k1_pubkey_uncompressed(&request.keypath)
         .or(Err(Error::InvalidInput))?;
     let address = super::address::from_pubkey(&pubkey);
 

src/rust/bitbox02-rust/src/keystore.rs

@@ -34,13 +34,32 @@ pub fn secp256k1_pubkey_hash160(keypath: &[u32]) -> Result<Vec<u8>, ()> {
     Ok(bitbox02::hash160(&xpub.public_key).to_vec())
 }
 
+pub fn secp256k1_pubkey_uncompressed(
+    keypath: &[u32],
+) -> Result<[u8; keystore::EC_PUBLIC_KEY_UNCOMPRESSED_LEN], ()> {
+    let xpub = get_xpub(keypath)?;
+    keystore::secp256k1_pubkey_compressed_to_uncompressed(&xpub.public_key)
+}
+
 /// Returns fingerprint of the root public key at m/, which are the first four bytes of its hash160
 /// according to:
 /// https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#serialization-format
 pub fn root_fingerprint() -> Result<Vec<u8>, ()> {
     Ok(secp256k1_pubkey_hash160(&[])?.get(..4).ok_or(())?.to_vec())
 }
 
+/// Return the tweaked taproot pubkey at the given keypath.
+///
+/// Instead of returning the original pubkey at the keypath directly, it is tweaked with the hash of
+/// the pubkey.
+///
+/// See
+/// https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
+pub fn secp256k1_schnorr_bip86_pubkey(keypath: &[u32]) -> Result<[u8; 32], ()> {
+    let xpub = get_xpub(keypath)?;
+    keystore::secp256k1_schnorr_bip86_pubkey(&xpub.public_key)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -134,4 +153,65 @@ mod tests {
         );
         assert_eq!(root_fingerprint(), Ok(vec![0xf4, 0x0b, 0x46, 0x9a]));
     }
+
+    #[test]
+    fn test_secp256k1_pubkey_uncompressed() {
+        let keypath = &[44 + HARDENED, 0 + HARDENED, 0 + HARDENED, 1, 2];
+
+        keystore::lock();
+        assert_eq!(secp256k1_pubkey_uncompressed(keypath), Err(()));
+
+        mock_unlocked_using_mnemonic("sleep own lobster state clean thrive tail exist cactus bitter pass soccer clinic riot dream turkey before sport action praise tunnel hood donate man");
+        assert_eq!(
+            secp256k1_pubkey_uncompressed(keypath).unwrap(),
+            *b"\x04\x77\xa4\x4a\xa9\xe8\xc8\xfb\x51\x05\xef\x5e\xe2\x39\x4e\x8a\xed\x89\xad\x73\xfc\x74\x36\x14\x25\xf0\x63\x47\xec\xfe\x32\x61\x31\xe1\x33\x93\x67\xee\x3c\xbe\x87\x71\x92\x85\xa0\x7f\x77\x4b\x17\xeb\x93\x3e\xcf\x0b\x9b\x82\xac\xeb\xc1\x95\x22\x6d\x63\x42\x44",
+        );
+    }
+
+    #[test]
+    fn test_secp2e56k1_schnorr_bip86_pubkey() {
+        // Test vectors from:
+        // https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#test-vectors
+        // Here we only test the creation of the tweaked pubkkey. See `Payload::from_simple` for address generation.
+
+        keystore::lock();
+        assert_eq!(
+            secp256k1_schnorr_bip86_pubkey(&[86 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0]),
+            Err(())
+        );
+
+        mock_unlocked_using_mnemonic("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about");
+        assert_eq!(secp256k1_schnorr_bip86_pubkey(&[
+            86 + HARDENED,
+            0 + HARDENED,
+            0 + HARDENED,
+            0,
+            0
+        ])
+        .unwrap(),
+        *b"\xa6\x08\x69\xf0\xdb\xcf\x1d\xc6\x59\xc9\xce\xcb\xaf\x80\x50\x13\x5e\xa9\xe8\xcd\xc4\x87\x05\x3f\x1d\xc6\x88\x09\x49\xdc\x68\x4c",
+        );
+
+        assert_eq!(secp256k1_schnorr_bip86_pubkey(&[
+            86 + HARDENED,
+            0 + HARDENED,
+            0 + HARDENED,
+            0,
+            1
+        ])
+        .unwrap(),
+        *b"\xa8\x2f\x29\x94\x4d\x65\xb8\x6a\xe6\xb5\xe5\xcc\x75\xe2\x94\xea\xd6\xc5\x93\x91\xa1\xed\xc5\xe0\x16\xe3\x49\x8c\x67\xfc\x7b\xbb",
+        );
+
+        assert_eq!(secp256k1_schnorr_bip86_pubkey(&[
+            86 + HARDENED,
+            0 + HARDENED,
+            0 + HARDENED,
+            1,
+            0,
+        ])
+        .unwrap(),
+        *b"\x88\x2d\x74\xe5\xd0\x57\x2d\x5a\x81\x6c\xef\x00\x41\xa9\x6b\x6c\x1d\xe8\x32\xf6\xf9\x67\x6d\x96\x05\xc4\x4d\x5e\x9a\x97\xd3\xdc",
+        );
+    }
 }

src/rust/bitbox02/src/keystore.rs

@@ -183,14 +183,13 @@ pub fn get_bip39_wordlist() -> Result<Bip39Wordlist, ()> {
     Ok(result)
 }
 
-pub fn secp256k1_pubkey_uncompressed(
-    keypath: &[u32],
+pub fn secp256k1_pubkey_compressed_to_uncompressed(
+    compressed_pubkey: &[u8],
 ) -> Result<[u8; EC_PUBLIC_KEY_UNCOMPRESSED_LEN], ()> {
     let mut pubkey = [0u8; EC_PUBLIC_KEY_UNCOMPRESSED_LEN];
     match unsafe {
-        bitbox02_sys::keystore_secp256k1_pubkey_uncompressed(
-            keypath.as_ptr(),
-            keypath.len() as _,
+        bitbox02_sys::keystore_secp256k1_compressed_to_uncompressed(
+            compressed_pubkey.as_ptr(),
             pubkey.as_mut_ptr(),
         )
     } {
@@ -315,12 +314,11 @@ pub fn secp256k1_schnorr_bip86_sign(keypath: &[u32], msg: &[u8; 32]) -> Result<[
     }
 }
 
-pub fn secp256k1_schnorr_bip86_pubkey(keypath: &[u32]) -> Result<[u8; 32], ()> {
+pub fn secp256k1_schnorr_bip86_pubkey(pubkey33: &[u8]) -> Result<[u8; 32], ()> {
     let mut pubkey = [0u8; 32];
     match unsafe {
         bitbox02_sys::keystore_secp256k1_schnorr_bip86_pubkey(
-            keypath.as_ptr(),
-            keypath.len() as _,
+            pubkey33.as_ptr(),
             pubkey.as_mut_ptr(),
         )
     } {

test/unit-test/test_keystore.c

@@ -628,9 +628,7 @@ static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
 {
     // Test vectors from:
     // https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#test-vectors
-    // Here we only test the creation of the tweaked pubkkey. See
-    // `test_btc_common_address_from_payload()` for the actual address generation, which takes this
-    // pubkey as input.
+    // Here we only test the creation of the tweaked pubkkey.
     _mock_with_mnemonic(
         "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon "
         "about",
@@ -643,8 +641,10 @@ static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
             0,
             0,
         };
+        struct ext_key xpub = {0};
+        assert_true(keystore_get_xpub(keypath, 5, &xpub));
         uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(keypath, 5, pubkey));
+        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
         const uint8_t expected_pubkey[32] =
             "\xa6\x08\x69\xf0\xdb\xcf\x1d\xc6\x59\xc9\xce\xcb\xaf\x80\x50\x13\x5e\xa9\xe8\xcd\xc4"
             "\x87\x05\x3f\x1d\xc6\x88\x09\x49\xdc\x68\x4c";
@@ -658,8 +658,10 @@ static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
             0,
             1,
         };
+        struct ext_key xpub = {0};
+        assert_true(keystore_get_xpub(keypath, 5, &xpub));
         uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(keypath, 5, pubkey));
+        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
         const uint8_t expected_pubkey[32] =
             "\xa8\x2f\x29\x94\x4d\x65\xb8\x6a\xe6\xb5\xe5\xcc\x75\xe2\x94\xea\xd6\xc5\x93\x91\xa1"
             "\xed\xc5\xe0\x16\xe3\x49\x8c\x67\xfc\x7b\xbb";
@@ -673,8 +675,10 @@ static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
             1,
             0,
         };
+        struct ext_key xpub = {0};
+        assert_true(keystore_get_xpub(keypath, 5, &xpub));
         uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(keypath, 5, pubkey));
+        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
         const uint8_t expected_pubkey[32] =
             "\x88\x2d\x74\xe5\xd0\x57\x2d\x5a\x81\x6c\xef\x00\x41\xa9\x6b\x6c\x1d\xe8\x32\xf6\xf9"
             "\x67\x6d\x96\x05\xc4\x4d\x5e\x9a\x97\xd3\xdc";
@@ -696,7 +700,10 @@ static void _test_keystore_secp256k1_schnorr_bip86_sign(void** state)
         0,
         0,
     };
-    assert_true(keystore_secp256k1_schnorr_bip86_pubkey(keypath, 5, pubkey));
+    struct ext_key xpub = {0};
+    assert_true(keystore_get_xpub(keypath, 5, &xpub));
+
+    assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
     uint8_t msg[32] = {0};
     memset(msg, 0x88, sizeof(msg));
     uint8_t sig[64] = {0};

test/unit-test/test_keystore_functional.c

@@ -120,7 +120,8 @@ static bool _encode_xpub(const struct ext_key* xpub, char* out, size_t out_len)
 
 static void _check_pubs(const char* expected_xpub, const char* expected_pubkey_uncompressed_hex)
 {
-    struct ext_key __attribute__((__cleanup__(keystore_zero_xkey))) xpub;
+    struct ext_key __attribute__((__cleanup__(keystore_zero_xkey))) xpub_3;
+    struct ext_key __attribute__((__cleanup__(keystore_zero_xkey))) xpub_5;
     uint32_t keypath[] = {
         44 + BIP32_INITIAL_HARDENED_CHILD,
         0 + BIP32_INITIAL_HARDENED_CHILD,
@@ -129,13 +130,14 @@ static void _check_pubs(const char* expected_xpub, const char* expected_pubkey_u
         2,
     };
 
-    assert_true(keystore_get_xpub(keypath, 3, &xpub));
+    assert_true(keystore_get_xpub(keypath, 3, &xpub_3));
+    assert_true(keystore_get_xpub(keypath, 5, &xpub_5));
     char xpub_serialized[120];
-    assert_true(_encode_xpub(&xpub, xpub_serialized, sizeof(xpub_serialized)));
+    assert_true(_encode_xpub(&xpub_3, xpub_serialized, sizeof(xpub_serialized)));
     assert_string_equal(xpub_serialized, expected_xpub);
 
     uint8_t pubkey_uncompressed[EC_PUBLIC_KEY_UNCOMPRESSED_LEN];
-    assert_true(keystore_secp256k1_pubkey_uncompressed(keypath, 5, pubkey_uncompressed));
+    assert_true(keystore_secp256k1_compressed_to_uncompressed(xpub_5.pub_key, pubkey_uncompressed));
     _assert_equal_memory_hex(
         pubkey_uncompressed, sizeof(pubkey_uncompressed), expected_pubkey_uncompressed_hex);
 }