test: use Wycheproof ECDSA SHA256 vectors

Author: ARR4N

libevm/precompiles/p256verify/p256verify.go

@@ -91,12 +91,15 @@ func Sign(priv *ecdsa.PrivateKey, hash [32]byte) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+	return Pack(hash, r, s, &priv.PublicKey), nil
+}
 
+func Pack(hash [32]byte, r, s *big.Int, key *ecdsa.PublicKey) []byte {
 	var in input
 	copy(in.word(0), hash[:])
 	r.FillBytes(in.word(1))
 	s.FillBytes(in.word(2))
-	priv.X.FillBytes(in.word(3))
-	priv.Y.FillBytes(in.word(4))
-	return in[:], nil
+	key.X.FillBytes(in.word(3))
+	key.Y.FillBytes(in.word(4))
+	return in[:]
 }

libevm/precompiles/p256verify/p256verify_test.go

@@ -20,7 +20,14 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha256"
+	"encoding/asn1"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"math/big"
 	"slices"
+	"strings"
 	"testing"
 
 	"github.com/holiman/uint256"
@@ -33,6 +40,8 @@ import (
 	"github.com/ava-labs/libevm/libevm/ethtest"
 	"github.com/ava-labs/libevm/libevm/hookstest"
 	"github.com/ava-labs/libevm/params"
+
+	_ "embed"
 )
 
 // ulerdoganTestCase is the test case from
@@ -41,15 +50,18 @@ import (
 // information.
 const ulerdoganTestCase = `4cee90eb86eaa050036147a12d49004b6b9c72bd725d39d4785011fe190f0b4da73bd4903f0ce3b639bbbf6e8e80d16931ff4bcf5993d58468e8fb19086e8cac36dbcd03009df8c59286b162af3bd7fcc0450c9aa81be5d10d312af6c66b1d604aebd3099c618202fcfe16ae7770b0c49ab5eadf74b754204a3bb6060e44eff37618b065f9832de4ca6ca971a7a1adc826d0f7c00181a5fb2ddf79ae00b4e10e`
 
+//go:embed testdata/ecdsa_secp256r1_sha256_test.json
+var wycheproofECDSASHA256 []byte
+
+type testCase struct {
+	name        string
+	in          []byte
+	wantSuccess bool
+}
+
 func TestPrecompile(t *testing.T) {
 	assert.Equal(t, params.P256VerifyGas, Precompile{}.RequiredGas(nil), "RequiredGas()")
 
-	type testCase struct {
-		name        string
-		in          []byte
-		wantSuccess bool
-	}
-
 	tests := []testCase{
 		{
 			name: "empty_input",
@@ -102,6 +114,11 @@ func TestPrecompile(t *testing.T) {
 		}
 	}
 
+	tests = append(tests, wycheproofTestCases(t)...)
+	if t.Failed() {
+		return
+	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := Precompile{}.Run(tt.in)
@@ -116,6 +133,100 @@ func TestPrecompile(t *testing.T) {
 	}
 }
 
+type jsonHex []byte
+
+var _ json.Unmarshaler = (*jsonHex)(nil)
+
+func (j *jsonHex) UnmarshalJSON(data []byte) error {
+	var s string
+	if err := json.Unmarshal(data, &s); err != nil {
+		return err
+	}
+	b, err := hex.DecodeString(s)
+	if err != nil {
+		return err
+	}
+	*j = b
+	return nil
+}
+
+func wycheproofTestCases(t *testing.T) []testCase {
+	t.Helper()
+
+	var raw struct {
+		Groups []struct {
+			Key struct {
+				X jsonHex `json:"wx"`
+				Y jsonHex `json:"wy"`
+			}
+			Tests []struct {
+				ID       int `json:"tcId"`
+				Comment  string
+				Preimage jsonHex `json:"msg"`
+				ASNSig   jsonHex `json:"sig"`
+				Result   string
+			} `json:"tests"`
+		} `json:"testGroups"`
+	}
+	require.NoError(t, json.Unmarshal(wycheproofECDSASHA256, &raw))
+
+	var cases []testCase
+	for _, group := range raw.Groups {
+		key := &ecdsa.PublicKey{
+			Curve: elliptic.P256(),
+			X:     new(big.Int).SetBytes(group.Key.X),
+			Y:     new(big.Int).SetBytes(group.Key.Y),
+		}
+
+		for _, test := range group.Tests {
+			t.Run(fmt.Sprintf("parse_test_%d", test.ID), func(t *testing.T) {
+				// Many of the invalid cases are due to ASN1-specific problems,
+				// which aren't of concern to us.
+				include := test.Result == "valid" ||
+					strings.Contains(test.Comment, "r or s") ||
+					strings.Contains(test.Comment, "r and s") ||
+					slices.Contains(
+						[]int{
+							// Special cases of r and/or s.
+							286, 294, 295, 303, 304, 340, 341,
+							342, 343, 356, 357, 358, 359,
+						},
+						test.ID,
+					)
+
+				include = include && !slices.Contains(
+					// These cases have negative r or s value(s) with the same
+					// absolute value(s) as valid signatures. Packing and then
+					// unpacking via [big.Int.Bytes] therefore converts them to
+					// the valid, positive values that pass verification and
+					// raise false-positive test errors.
+					[]int{133, 139, 140},
+					test.ID,
+				)
+				if !include {
+					return
+				}
+
+				var rs [2]*big.Int
+				rest, err := asn1.Unmarshal(test.ASNSig, &rs)
+				if err != nil || len(rest) > 0 {
+					return
+				}
+				if rs[0].BitLen() > 256 || rs[1].BitLen() > 256 {
+					return
+				}
+				cases = append(cases, testCase{
+					name:        fmt.Sprintf("wycheproof_ecdsa_secp256r1_sha256_%d", test.ID),
+					in:          Pack(sha256.Sum256(test.Preimage), rs[0], rs[1], key),
+					wantSuccess: test.Result == "valid",
+				})
+			})
+		}
+	}
+	t.Logf("%d Wycheproof cases", len(cases))
+	return cases
+}
+
 func BenchmarkPrecompile(b *testing.B) {
 	in := common.Hex2Bytes(ulerdoganTestCase)
 	var p Precompile

libevm/precompiles/p256verify/testdata/README.md

@@ -0,0 +1 @@
+Test vectors from Project Wycheproof; see [original source](https://github.com/C2SP/wycheproof/tree/4a6c2bf5dc4c0b67c770233ad33961ee653996a0) for license and copyright. No changes made.