Skip to main content

commonware_cryptography/secp256r1/
standard.rs

1cfg_if::cfg_if! {
2    if #[cfg(feature = "std")] {
3        use std::borrow::Cow;
4    } else {
5        use alloc::borrow::Cow;
6    }
7}
8use super::common::{
9    impl_private_key_wrapper, impl_public_key_wrapper, PrivateKeyInner, PublicKeyInner, CURVE_NAME,
10    PRIVATE_KEY_LENGTH, PUBLIC_KEY_LENGTH,
11};
12#[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))]
13use aws_lc_rs::signature::{UnparsedPublicKey, ECDSA_P256_SHA256_FIXED};
14use bytes::{Buf, BufMut};
15use commonware_codec::{Error as CodecError, FixedArray, FixedSize, Read, ReadExt, Write};
16use commonware_formatting::Hex;
17use commonware_utils::{union_unique, Array, Span};
18use core::{
19    fmt::{Debug, Display},
20    hash::{Hash, Hasher},
21    ops::Deref,
22};
23#[cfg(not(any(target_arch = "x86_64", target_arch = "aarch64")))]
24use p256::ecdsa::signature::Verifier;
25use p256::{ecdsa::signature::Signer, elliptic_curve::scalar::IsHigh};
26
27const SIGNATURE_LENGTH: usize = 64; // R || S
28
29/// Secp256r1 Private Key.
30#[derive(Clone, Eq, PartialEq)]
31pub struct PrivateKey(PrivateKeyInner);
32
33impl_private_key_wrapper!(PrivateKey);
34
35impl crate::Signer for PrivateKey {
36    type Signature = Signature;
37    type PublicKey = PublicKey;
38
39    fn sign(&self, namespace: &[u8], msg: &[u8]) -> Self::Signature {
40        self.sign_inner(Some(namespace), msg)
41    }
42
43    fn public_key(&self) -> Self::PublicKey {
44        PublicKey(PublicKeyInner::from_private_key(&self.0))
45    }
46}
47
48impl PrivateKey {
49    #[inline(always)]
50    fn sign_inner(&self, namespace: Option<&[u8]>, msg: &[u8]) -> Signature {
51        let payload = namespace.map_or(Cow::Borrowed(msg), |namespace| {
52            Cow::Owned(union_unique(namespace, msg))
53        });
54        let signature: p256::ecdsa::Signature = self.0.key.expose(|key| key.sign(&payload));
55        let signature = signature.normalize_s();
56        Signature::try_from(signature).expect("freshly signed signature is valid")
57    }
58}
59
60impl From<PrivateKey> for PublicKey {
61    fn from(value: PrivateKey) -> Self {
62        Self(PublicKeyInner::from_private_key(&value.0))
63    }
64}
65
66/// Secp256r1 Public Key.
67#[derive(Clone, Eq, PartialEq, Ord, PartialOrd, FixedArray)]
68#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
69pub struct PublicKey(PublicKeyInner);
70
71impl_public_key_wrapper!(PublicKey);
72
73impl crate::Verifier for PublicKey {
74    type Signature = Signature;
75
76    fn verify(&self, namespace: &[u8], msg: &[u8], sig: &Self::Signature) -> bool {
77        self.verify_inner(Some(namespace), msg, sig)
78    }
79}
80
81impl PublicKey {
82    #[cfg(not(any(target_arch = "x86_64", target_arch = "aarch64")))]
83    #[inline(always)]
84    fn verify_inner(&self, namespace: Option<&[u8]>, msg: &[u8], sig: &Signature) -> bool {
85        let payload = namespace.map_or(Cow::Borrowed(msg), |namespace| {
86            Cow::Owned(union_unique(namespace, msg))
87        });
88        self.0.key.verify(&payload, &sig.signature).is_ok()
89    }
90
91    #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))]
92    #[inline(always)]
93    fn verify_inner(&self, namespace: Option<&[u8]>, msg: &[u8], sig: &Signature) -> bool {
94        let payload = namespace.map_or(Cow::Borrowed(msg), |namespace| {
95            Cow::Owned(union_unique(namespace, msg))
96        });
97        let uncompressed = self.0.to_uncompressed();
98        let public_key = UnparsedPublicKey::new(&ECDSA_P256_SHA256_FIXED, &uncompressed);
99        public_key.verify(&payload, &sig.raw).is_ok()
100    }
101}
102
103/// Secp256r1 Signature.
104#[derive(Clone, Eq, PartialEq, FixedArray)]
105pub struct Signature {
106    raw: [u8; SIGNATURE_LENGTH],
107    signature: p256::ecdsa::Signature,
108}
109
110impl crate::Signature for Signature {}
111
112impl Write for Signature {
113    fn write(&self, buf: &mut impl BufMut) {
114        self.raw.write(buf);
115    }
116}
117
118impl Read for Signature {
119    type Cfg = ();
120
121    fn read_cfg(buf: &mut impl Buf, _: &()) -> Result<Self, CodecError> {
122        let raw = <[u8; Self::SIZE]>::read(buf)?;
123        let result = p256::ecdsa::Signature::from_slice(&raw);
124        #[cfg(feature = "std")]
125        let signature = result.map_err(|e| CodecError::Wrapped(CURVE_NAME, e.into()))?;
126        #[cfg(not(feature = "std"))]
127        let signature = result
128            .map_err(|e| CodecError::Wrapped(CURVE_NAME, alloc::format!("{:?}", e).into()))?;
129        // Reject any signatures with a `s` value in the upper half of the curve order.
130        if signature.s().is_high().into() {
131            return Err(CodecError::Invalid(CURVE_NAME, "Signature S is high"));
132        }
133        Ok(Self { raw, signature })
134    }
135}
136
137impl FixedSize for Signature {
138    const SIZE: usize = SIGNATURE_LENGTH;
139}
140
141impl Span for Signature {}
142
143impl Array for Signature {}
144
145impl Hash for Signature {
146    fn hash<H: Hasher>(&self, state: &mut H) {
147        self.raw.hash(state);
148    }
149}
150
151impl Ord for Signature {
152    fn cmp(&self, other: &Self) -> core::cmp::Ordering {
153        self.raw.cmp(&other.raw)
154    }
155}
156
157impl PartialOrd for Signature {
158    fn partial_cmp(&self, other: &Self) -> Option<core::cmp::Ordering> {
159        Some(self.cmp(other))
160    }
161}
162
163impl AsRef<[u8]> for Signature {
164    fn as_ref(&self) -> &[u8] {
165        &self.raw
166    }
167}
168
169impl Deref for Signature {
170    type Target = [u8];
171    fn deref(&self) -> &[u8] {
172        &self.raw
173    }
174}
175
176impl TryFrom<p256::ecdsa::Signature> for Signature {
177    type Error = CodecError;
178
179    fn try_from(value: p256::ecdsa::Signature) -> Result<Self, Self::Error> {
180        let raw: [u8; _] = value.to_bytes().into();
181        Self::try_from(raw)
182    }
183}
184
185impl Debug for Signature {
186    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
187        write!(f, "{}", Hex(&self.raw))
188    }
189}
190
191impl Display for Signature {
192    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
193        write!(f, "{}", Hex(&self.raw))
194    }
195}
196
197#[cfg(feature = "arbitrary")]
198impl arbitrary::Arbitrary<'_> for Signature {
199    fn arbitrary(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<Self> {
200        use crate::Signer;
201        use commonware_math::algebra::Random;
202        use rand::{rngs::StdRng, SeedableRng};
203
204        let mut rand = StdRng::from_seed(u.arbitrary::<[u8; 32]>()?);
205        let private_key = PrivateKey(PrivateKeyInner::random(&mut rand));
206        let len = u.arbitrary::<usize>()? % 256;
207        let message = u
208            .arbitrary_iter()?
209            .take(len)
210            .collect::<Result<Vec<_>, _>>()?;
211
212        Ok(private_key.sign(&[], &message))
213    }
214}
215
216#[cfg(test)]
217mod tests {
218    use super::*;
219    use crate::{secp256r1::common::tests::*, Signer as _, Verifier as _};
220    use bytes::Bytes;
221    use commonware_codec::{DecodeExt, Encode};
222    use p256::elliptic_curve::scalar::IsHigh;
223    use rstest::rstest;
224
225    const NAMESPACE: &[u8] = b"test-namespace";
226
227    #[test]
228    fn test_codec_private_key() {
229        let original = PrivateKey(create_private_key());
230        let encoded = original.encode();
231        assert_eq!(encoded.len(), PRIVATE_KEY_LENGTH);
232
233        let decoded = PrivateKey::decode(encoded).unwrap();
234        assert_eq!(original, decoded);
235    }
236
237    #[test]
238    fn test_codec_public_key() {
239        let private_key = PrivateKey(create_private_key());
240        let original = PublicKey::from(private_key);
241
242        let encoded = original.encode();
243        assert_eq!(encoded.len(), PUBLIC_KEY_LENGTH);
244
245        let decoded = PublicKey::decode(encoded).unwrap();
246        assert_eq!(original, decoded);
247    }
248
249    #[test]
250    fn test_codec_signature() {
251        let private_key = PrivateKey(create_private_key());
252        let original = private_key.sign(NAMESPACE, "Hello World".as_bytes());
253
254        let encoded = original.encode();
255        assert_eq!(encoded.len(), SIGNATURE_LENGTH);
256
257        let decoded = Signature::decode(encoded).unwrap();
258        assert_eq!(original, decoded);
259    }
260
261    #[test]
262    fn test_codec_signature_invalid() {
263        let (_, sig, ..) = vector_sig_verification_5();
264        let result = Signature::decode(Bytes::from(sig));
265        assert!(result.is_err());
266    }
267
268    #[test]
269    fn test_scheme_sign() {
270        let private_key: PrivateKey = PrivateKey::decode(
271            commonware_formatting::from_hex(
272                "519b423d715f8b581f4fa8ee59f4771a5b44c8130b4e3eacca54a56dda72b464",
273            )
274            .unwrap()
275            .as_ref(),
276        )
277        .unwrap();
278        let public_key: PublicKey = private_key.clone().into();
279        let message = commonware_formatting::from_hex(
280            "5905238877c77421f73e43ee3da6f2d9e2ccad5fc942dcec0cbd25482935faaf416983fe165b1a045e
281            e2bcd2e6dca3bdf46c4310a7461f9a37960ca672d3feb5473e253605fb1ddfd28065b53cb5858a8ad28175bf
282            9bd386a5e471ea7a65c17cc934a9d791e91491eb3754d03799790fe2d308d16146d5c9b0d0debd97d79ce8",
283        )
284        .unwrap();
285        let signature = private_key.sign(NAMESPACE, &message);
286        assert_eq!(SIGNATURE_LENGTH, signature.len());
287        assert!(public_key.verify(NAMESPACE, &message, &signature));
288    }
289
290    #[test]
291    fn test_decode_zero_signature_fails() {
292        let result = Signature::decode(vec![0u8; SIGNATURE_LENGTH].as_ref());
293        assert!(result.is_err());
294    }
295
296    #[test]
297    fn test_decode_high_s_signature_fails() {
298        let (inner, _) = vector_keypair_1();
299        let private_key = PrivateKey(inner);
300        let message = b"edge";
301        let signature = private_key.sign(NAMESPACE, message);
302        let mut bad_signature = signature.to_vec();
303        bad_signature[32] |= 0x80;
304        assert!(Signature::decode(bad_signature.as_ref()).is_err());
305    }
306
307    #[test]
308    fn test_decode_zero_r_signature_fails() {
309        let (inner, _) = vector_keypair_1();
310        let private_key = PrivateKey(inner);
311        let message = b"edge";
312        let signature = private_key.sign(NAMESPACE, message);
313        let mut bad_signature = signature.to_vec();
314        for b in bad_signature.iter_mut().take(32) {
315            *b = 0x00;
316        }
317        bad_signature[32] = 1;
318        assert!(Signature::decode(bad_signature.as_ref()).is_err());
319    }
320
321    #[test]
322    fn test_rfc6979() {
323        let private_key: PrivateKey = PrivateKey::decode(
324            commonware_formatting::from_hex(
325                "c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721",
326            )
327            .unwrap()
328            .as_ref(),
329        )
330        .unwrap();
331
332        let (message, exp_sig) = (
333            b"sample",
334            p256::ecdsa::Signature::from_slice(
335                &commonware_formatting::from_hex(
336                    "efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716
337                    f7cb1c942d657c41d436c7a1b6e29f65f3e900dbb9aff4064dc4ab2f843acda8",
338                )
339                .unwrap(),
340            )
341            .unwrap(),
342        );
343        let signature = private_key.sign_inner(None, message);
344        assert_eq!(signature.to_vec(), exp_sig.normalize_s().to_vec());
345
346        let (message, exp_sig) = (
347            b"test",
348            p256::ecdsa::Signature::from_slice(
349                &commonware_formatting::from_hex(
350                    "f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d38367
351                    019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083",
352                )
353                .unwrap(),
354            )
355            .unwrap(),
356        );
357
358        let signature = private_key.sign_inner(None, message);
359        assert_eq!(signature.to_vec(), exp_sig.to_vec());
360    }
361
362    #[test]
363    fn test_scheme_validate_public_key_too_long() {
364        let qx_hex = "d0720dc691aa80096ba32fed1cb97c2b620690d06de0317b8618d5ce65eb728f";
365        let qy_hex = "d0720dc691aa80096ba32fed1cb97c2b620690d06de0317b8618d5ce65eb728f";
366
367        let uncompressed_public_key = parse_public_key_as_uncompressed_vector(qx_hex, qy_hex);
368        let public_key = PublicKey::decode(uncompressed_public_key.as_ref());
369        assert!(matches!(public_key, Err(CodecError::Invalid(_, _))));
370
371        let mut compressed_public_key = parse_public_key_as_compressed_vector(qx_hex, qy_hex);
372        compressed_public_key.push(0u8);
373        let public_key = PublicKey::decode(compressed_public_key.as_ref());
374        assert!(matches!(public_key, Err(CodecError::ExtraData(1))));
375
376        let compressed_public_key = parse_public_key_as_compressed_vector(qx_hex, qy_hex);
377        let public_key = PublicKey::decode(compressed_public_key.as_ref());
378        assert!(public_key.is_ok());
379    }
380
381    #[test]
382    fn test_scheme_verify_signature_r0() {
383        let private_key: PrivateKey = PrivateKey::decode(
384            commonware_formatting::from_hex(
385                "c9806898a0334916c860748880a541f093b579a9b1f32934d86c363c39800357",
386            )
387            .unwrap()
388            .as_ref(),
389        )
390        .unwrap();
391        let message = b"sample";
392        let signature = private_key.sign_inner(None, message);
393        let (_, s) = signature.split_at(32);
394        let mut signature: Vec<u8> = vec![0x00; 32];
395        signature.extend_from_slice(s);
396
397        assert!(Signature::decode(signature.as_ref()).is_err());
398    }
399
400    #[test]
401    fn test_scheme_verify_signature_s0() {
402        let private_key: PrivateKey = PrivateKey::decode(
403            commonware_formatting::from_hex(
404                "c9806898a0334916c860748880a541f093b579a9b1f32934d86c363c39800357",
405            )
406            .unwrap()
407            .as_ref(),
408        )
409        .unwrap();
410        let message = b"sample";
411        let signature = private_key.sign_inner(None, message);
412        let (r, _) = signature.split_at(32);
413        let s: Vec<u8> = vec![0x00; 32];
414        let mut signature = r.to_vec();
415        signature.extend(s);
416
417        assert!(Signature::decode(signature.as_ref()).is_err());
418    }
419
420    #[rstest]
421    #[case(vector_keypair_1())]
422    #[case(vector_keypair_2())]
423    #[case(vector_keypair_3())]
424    #[case(vector_keypair_4())]
425    #[case(vector_keypair_5())]
426    #[case(vector_keypair_6())]
427    #[case(vector_keypair_7())]
428    #[case(vector_keypair_8())]
429    #[case(vector_keypair_9())]
430    #[case(vector_keypair_10())]
431    fn test_keypairs(#[case] (inner_priv, inner_pub): (PrivateKeyInner, PublicKeyInner)) {
432        let private_key = PrivateKey(inner_priv);
433        let public_key = PublicKey::from(private_key);
434        let exp_public_key = PublicKey(inner_pub);
435        assert_eq!(exp_public_key, public_key);
436        assert!(public_key.len() == PUBLIC_KEY_LENGTH);
437    }
438
439    #[rstest]
440    #[case(1, vector_public_key_validation_1())]
441    #[case(3, vector_public_key_validation_3())]
442    #[case(4, vector_public_key_validation_4())]
443    #[case(5, vector_public_key_validation_5())]
444    #[case(6, vector_public_key_validation_6())]
445    #[case(7, vector_public_key_validation_7())]
446    #[case(8, vector_public_key_validation_8())]
447    #[case(9, vector_public_key_validation_9())]
448    #[case(10, vector_public_key_validation_10())]
449    #[case(12, vector_public_key_validation_12())]
450    fn test_public_key_validation(
451        #[case] n: usize,
452        #[case] (public_key, exp_valid): (Vec<u8>, bool),
453    ) {
454        let res = PublicKey::decode(public_key.as_ref());
455        assert_eq!(exp_valid, res.is_ok(), "vector_public_key_validation_{n}");
456    }
457
458    fn vector_sig_verification_1() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
459        let (public_key, sig, message, expected) = vector_sig_verification_1_raw();
460        (PublicKey(public_key), sig.to_vec(), message, expected)
461    }
462
463    fn vector_sig_verification_2() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
464        let (public_key, sig, message, expected) = vector_sig_verification_2_raw();
465        (PublicKey(public_key), sig.to_vec(), message, expected)
466    }
467
468    fn vector_sig_verification_3() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
469        let (public_key, sig, message, expected) = vector_sig_verification_3_raw();
470        (PublicKey(public_key), sig.to_vec(), message, expected)
471    }
472
473    fn vector_sig_verification_4() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
474        let (public_key, sig, message, expected) = vector_sig_verification_4_raw();
475        (PublicKey(public_key), sig.to_vec(), message, expected)
476    }
477
478    fn vector_sig_verification_5() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
479        let (public_key, sig, message, expected) = vector_sig_verification_5_raw();
480        (PublicKey(public_key), sig.to_vec(), message, expected)
481    }
482
483    fn vector_sig_verification_6() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
484        let (public_key, sig, message, expected) = vector_sig_verification_6_raw();
485        (PublicKey(public_key), sig.to_vec(), message, expected)
486    }
487
488    fn vector_sig_verification_7() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
489        let (public_key, sig, message, expected) = vector_sig_verification_7_raw();
490        (PublicKey(public_key), sig.to_vec(), message, expected)
491    }
492
493    fn vector_sig_verification_8() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
494        let (public_key, sig, message, expected) = vector_sig_verification_8_raw();
495        (PublicKey(public_key), sig.to_vec(), message, expected)
496    }
497
498    fn vector_sig_verification_9() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
499        let (public_key, sig, message, expected) = vector_sig_verification_9_raw();
500        (PublicKey(public_key), sig.to_vec(), message, expected)
501    }
502
503    fn vector_sig_verification_10() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
504        let (public_key, sig, message, expected) = vector_sig_verification_10_raw();
505        (PublicKey(public_key), sig.to_vec(), message, expected)
506    }
507
508    fn vector_sig_verification_11() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
509        let (public_key, sig, message, expected) = vector_sig_verification_11_raw();
510        (PublicKey(public_key), sig.to_vec(), message, expected)
511    }
512
513    fn vector_sig_verification_12() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
514        let (public_key, sig, message, expected) = vector_sig_verification_12_raw();
515        (PublicKey(public_key), sig.to_vec(), message, expected)
516    }
517
518    fn vector_sig_verification_13() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
519        let (public_key, sig, message, expected) = vector_sig_verification_13_raw();
520        (PublicKey(public_key), sig.to_vec(), message, expected)
521    }
522
523    fn vector_sig_verification_14() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
524        let (public_key, sig, message, expected) = vector_sig_verification_14_raw();
525        (PublicKey(public_key), sig.to_vec(), message, expected)
526    }
527
528    fn vector_sig_verification_15() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
529        let (public_key, sig, message, expected) = vector_sig_verification_15_raw();
530        (PublicKey(public_key), sig.to_vec(), message, expected)
531    }
532
533    #[rstest]
534    #[case(vector_sig_verification_1())]
535    #[case(vector_sig_verification_2())]
536    #[case(vector_sig_verification_3())]
537    #[case(vector_sig_verification_4())]
538    #[case(vector_sig_verification_5())]
539    #[case(vector_sig_verification_6())]
540    #[case(vector_sig_verification_7())]
541    #[case(vector_sig_verification_8())]
542    #[case(vector_sig_verification_9())]
543    #[case(vector_sig_verification_10())]
544    #[case(vector_sig_verification_11())]
545    #[case(vector_sig_verification_12())]
546    #[case(vector_sig_verification_13())]
547    #[case(vector_sig_verification_14())]
548    #[case(vector_sig_verification_15())]
549    fn test_signature_verification(
550        #[case] (public_key, sig, message, expected): (PublicKey, Vec<u8>, Vec<u8>, bool),
551    ) {
552        let expected = if expected {
553            let mut ecdsa_signature = p256::ecdsa::Signature::from_slice(&sig).unwrap();
554            if ecdsa_signature.s().is_high().into() {
555                assert!(Signature::decode(sig.as_ref()).is_err());
556                assert!(Signature::decode(Bytes::from(sig)).is_err());
557
558                ecdsa_signature = ecdsa_signature.normalize_s();
559            }
560            let signature = Signature::try_from(ecdsa_signature).unwrap();
561            public_key.verify_inner(None, &message, &signature)
562        } else {
563            let tf_res = Signature::decode(sig.as_ref());
564            let dc_res = Signature::decode(Bytes::from(sig));
565            if tf_res.is_err() && dc_res.is_err() {
566                true
567            } else {
568                let f1 = !public_key.verify_inner(None, &message, &tf_res.unwrap());
569                let f2 = !public_key.verify_inner(None, &message, &dc_res.unwrap());
570                f1 && f2
571            }
572        };
573        assert!(expected);
574    }
575
576    #[cfg(feature = "arbitrary")]
577    mod conformance {
578        use super::*;
579        use commonware_codec::conformance::CodecConformance;
580
581        commonware_conformance::conformance_tests! {
582            CodecConformance<Signature> => 1024,
583        }
584    }
585}