1cfg_if::cfg_if! {
2 if #[cfg(feature = "std")] {
3 use std::borrow::Cow;
4 } else {
5 use alloc::borrow::Cow;
6 }
7}
8use super::common::{
9 impl_private_key_wrapper, impl_public_key_wrapper, PrivateKeyInner, PublicKeyInner, CURVE_NAME,
10 PRIVATE_KEY_LENGTH, PUBLIC_KEY_LENGTH,
11};
12#[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))]
13use aws_lc_rs::signature::{UnparsedPublicKey, ECDSA_P256_SHA256_FIXED};
14use bytes::{Buf, BufMut};
15use commonware_codec::{Error as CodecError, FixedArray, FixedSize, Read, ReadExt, Write};
16use commonware_formatting::Hex;
17use commonware_utils::{union_unique, Array, Span};
18use core::{
19 fmt::{Debug, Display},
20 hash::{Hash, Hasher},
21 ops::Deref,
22};
23#[cfg(not(any(target_arch = "x86_64", target_arch = "aarch64")))]
24use p256::ecdsa::signature::Verifier;
25use p256::{ecdsa::signature::Signer, elliptic_curve::scalar::IsHigh};
26
27const SIGNATURE_LENGTH: usize = 64; #[derive(Clone, Eq, PartialEq)]
31pub struct PrivateKey(PrivateKeyInner);
32
33impl_private_key_wrapper!(PrivateKey);
34
35impl crate::Signer for PrivateKey {
36 type Signature = Signature;
37 type PublicKey = PublicKey;
38
39 fn sign(&self, namespace: &[u8], msg: &[u8]) -> Self::Signature {
40 self.sign_inner(Some(namespace), msg)
41 }
42
43 fn public_key(&self) -> Self::PublicKey {
44 PublicKey(PublicKeyInner::from_private_key(&self.0))
45 }
46}
47
48impl PrivateKey {
49 #[inline(always)]
50 fn sign_inner(&self, namespace: Option<&[u8]>, msg: &[u8]) -> Signature {
51 let payload = namespace.map_or(Cow::Borrowed(msg), |namespace| {
52 Cow::Owned(union_unique(namespace, msg))
53 });
54 let signature: p256::ecdsa::Signature = self.0.key.expose(|key| key.sign(&payload));
55 let signature = signature.normalize_s();
56 Signature::try_from(signature).expect("freshly signed signature is valid")
57 }
58}
59
60impl From<PrivateKey> for PublicKey {
61 fn from(value: PrivateKey) -> Self {
62 Self(PublicKeyInner::from_private_key(&value.0))
63 }
64}
65
66#[derive(Clone, Eq, PartialEq, Ord, PartialOrd, FixedArray)]
68#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
69pub struct PublicKey(PublicKeyInner);
70
71impl_public_key_wrapper!(PublicKey);
72
73impl crate::Verifier for PublicKey {
74 type Signature = Signature;
75
76 fn verify(&self, namespace: &[u8], msg: &[u8], sig: &Self::Signature) -> bool {
77 self.verify_inner(Some(namespace), msg, sig)
78 }
79}
80
81impl PublicKey {
82 #[cfg(not(any(target_arch = "x86_64", target_arch = "aarch64")))]
83 #[inline(always)]
84 fn verify_inner(&self, namespace: Option<&[u8]>, msg: &[u8], sig: &Signature) -> bool {
85 let payload = namespace.map_or(Cow::Borrowed(msg), |namespace| {
86 Cow::Owned(union_unique(namespace, msg))
87 });
88 self.0.key.verify(&payload, &sig.signature).is_ok()
89 }
90
91 #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))]
92 #[inline(always)]
93 fn verify_inner(&self, namespace: Option<&[u8]>, msg: &[u8], sig: &Signature) -> bool {
94 let payload = namespace.map_or(Cow::Borrowed(msg), |namespace| {
95 Cow::Owned(union_unique(namespace, msg))
96 });
97 let uncompressed = self.0.to_uncompressed();
98 let public_key = UnparsedPublicKey::new(&ECDSA_P256_SHA256_FIXED, &uncompressed);
99 public_key.verify(&payload, &sig.raw).is_ok()
100 }
101}
102
103#[derive(Clone, Eq, PartialEq, FixedArray)]
105pub struct Signature {
106 raw: [u8; SIGNATURE_LENGTH],
107 signature: p256::ecdsa::Signature,
108}
109
110impl crate::Signature for Signature {}
111
112impl Write for Signature {
113 fn write(&self, buf: &mut impl BufMut) {
114 self.raw.write(buf);
115 }
116}
117
118impl Read for Signature {
119 type Cfg = ();
120
121 fn read_cfg(buf: &mut impl Buf, _: &()) -> Result<Self, CodecError> {
122 let raw = <[u8; Self::SIZE]>::read(buf)?;
123 let result = p256::ecdsa::Signature::from_slice(&raw);
124 #[cfg(feature = "std")]
125 let signature = result.map_err(|e| CodecError::Wrapped(CURVE_NAME, e.into()))?;
126 #[cfg(not(feature = "std"))]
127 let signature = result
128 .map_err(|e| CodecError::Wrapped(CURVE_NAME, alloc::format!("{:?}", e).into()))?;
129 if signature.s().is_high().into() {
131 return Err(CodecError::Invalid(CURVE_NAME, "Signature S is high"));
132 }
133 Ok(Self { raw, signature })
134 }
135}
136
137impl FixedSize for Signature {
138 const SIZE: usize = SIGNATURE_LENGTH;
139}
140
141impl Span for Signature {}
142
143impl Array for Signature {}
144
145impl Hash for Signature {
146 fn hash<H: Hasher>(&self, state: &mut H) {
147 self.raw.hash(state);
148 }
149}
150
151impl Ord for Signature {
152 fn cmp(&self, other: &Self) -> core::cmp::Ordering {
153 self.raw.cmp(&other.raw)
154 }
155}
156
157impl PartialOrd for Signature {
158 fn partial_cmp(&self, other: &Self) -> Option<core::cmp::Ordering> {
159 Some(self.cmp(other))
160 }
161}
162
163impl AsRef<[u8]> for Signature {
164 fn as_ref(&self) -> &[u8] {
165 &self.raw
166 }
167}
168
169impl Deref for Signature {
170 type Target = [u8];
171 fn deref(&self) -> &[u8] {
172 &self.raw
173 }
174}
175
176impl TryFrom<p256::ecdsa::Signature> for Signature {
177 type Error = CodecError;
178
179 fn try_from(value: p256::ecdsa::Signature) -> Result<Self, Self::Error> {
180 let raw: [u8; _] = value.to_bytes().into();
181 Self::try_from(raw)
182 }
183}
184
185impl Debug for Signature {
186 fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
187 write!(f, "{}", Hex(&self.raw))
188 }
189}
190
191impl Display for Signature {
192 fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
193 write!(f, "{}", Hex(&self.raw))
194 }
195}
196
197#[cfg(feature = "arbitrary")]
198impl arbitrary::Arbitrary<'_> for Signature {
199 fn arbitrary(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<Self> {
200 use crate::Signer;
201 use commonware_math::algebra::Random;
202 use rand::{rngs::StdRng, SeedableRng};
203
204 let mut rand = StdRng::from_seed(u.arbitrary::<[u8; 32]>()?);
205 let private_key = PrivateKey(PrivateKeyInner::random(&mut rand));
206 let len = u.arbitrary::<usize>()? % 256;
207 let message = u
208 .arbitrary_iter()?
209 .take(len)
210 .collect::<Result<Vec<_>, _>>()?;
211
212 Ok(private_key.sign(&[], &message))
213 }
214}
215
216#[cfg(test)]
217mod tests {
218 use super::*;
219 use crate::{secp256r1::common::tests::*, Signer as _, Verifier as _};
220 use bytes::Bytes;
221 use commonware_codec::{DecodeExt, Encode};
222 use p256::elliptic_curve::scalar::IsHigh;
223 use rstest::rstest;
224
225 const NAMESPACE: &[u8] = b"test-namespace";
226
227 #[test]
228 fn test_codec_private_key() {
229 let original = PrivateKey(create_private_key());
230 let encoded = original.encode();
231 assert_eq!(encoded.len(), PRIVATE_KEY_LENGTH);
232
233 let decoded = PrivateKey::decode(encoded).unwrap();
234 assert_eq!(original, decoded);
235 }
236
237 #[test]
238 fn test_codec_public_key() {
239 let private_key = PrivateKey(create_private_key());
240 let original = PublicKey::from(private_key);
241
242 let encoded = original.encode();
243 assert_eq!(encoded.len(), PUBLIC_KEY_LENGTH);
244
245 let decoded = PublicKey::decode(encoded).unwrap();
246 assert_eq!(original, decoded);
247 }
248
249 #[test]
250 fn test_codec_signature() {
251 let private_key = PrivateKey(create_private_key());
252 let original = private_key.sign(NAMESPACE, "Hello World".as_bytes());
253
254 let encoded = original.encode();
255 assert_eq!(encoded.len(), SIGNATURE_LENGTH);
256
257 let decoded = Signature::decode(encoded).unwrap();
258 assert_eq!(original, decoded);
259 }
260
261 #[test]
262 fn test_codec_signature_invalid() {
263 let (_, sig, ..) = vector_sig_verification_5();
264 let result = Signature::decode(Bytes::from(sig));
265 assert!(result.is_err());
266 }
267
268 #[test]
269 fn test_scheme_sign() {
270 let private_key: PrivateKey = PrivateKey::decode(
271 commonware_formatting::from_hex(
272 "519b423d715f8b581f4fa8ee59f4771a5b44c8130b4e3eacca54a56dda72b464",
273 )
274 .unwrap()
275 .as_ref(),
276 )
277 .unwrap();
278 let public_key: PublicKey = private_key.clone().into();
279 let message = commonware_formatting::from_hex(
280 "5905238877c77421f73e43ee3da6f2d9e2ccad5fc942dcec0cbd25482935faaf416983fe165b1a045e
281 e2bcd2e6dca3bdf46c4310a7461f9a37960ca672d3feb5473e253605fb1ddfd28065b53cb5858a8ad28175bf
282 9bd386a5e471ea7a65c17cc934a9d791e91491eb3754d03799790fe2d308d16146d5c9b0d0debd97d79ce8",
283 )
284 .unwrap();
285 let signature = private_key.sign(NAMESPACE, &message);
286 assert_eq!(SIGNATURE_LENGTH, signature.len());
287 assert!(public_key.verify(NAMESPACE, &message, &signature));
288 }
289
290 #[test]
291 fn test_decode_zero_signature_fails() {
292 let result = Signature::decode(vec![0u8; SIGNATURE_LENGTH].as_ref());
293 assert!(result.is_err());
294 }
295
296 #[test]
297 fn test_decode_high_s_signature_fails() {
298 let (inner, _) = vector_keypair_1();
299 let private_key = PrivateKey(inner);
300 let message = b"edge";
301 let signature = private_key.sign(NAMESPACE, message);
302 let mut bad_signature = signature.to_vec();
303 bad_signature[32] |= 0x80;
304 assert!(Signature::decode(bad_signature.as_ref()).is_err());
305 }
306
307 #[test]
308 fn test_decode_zero_r_signature_fails() {
309 let (inner, _) = vector_keypair_1();
310 let private_key = PrivateKey(inner);
311 let message = b"edge";
312 let signature = private_key.sign(NAMESPACE, message);
313 let mut bad_signature = signature.to_vec();
314 for b in bad_signature.iter_mut().take(32) {
315 *b = 0x00;
316 }
317 bad_signature[32] = 1;
318 assert!(Signature::decode(bad_signature.as_ref()).is_err());
319 }
320
321 #[test]
322 fn test_rfc6979() {
323 let private_key: PrivateKey = PrivateKey::decode(
324 commonware_formatting::from_hex(
325 "c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721",
326 )
327 .unwrap()
328 .as_ref(),
329 )
330 .unwrap();
331
332 let (message, exp_sig) = (
333 b"sample",
334 p256::ecdsa::Signature::from_slice(
335 &commonware_formatting::from_hex(
336 "efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716
337 f7cb1c942d657c41d436c7a1b6e29f65f3e900dbb9aff4064dc4ab2f843acda8",
338 )
339 .unwrap(),
340 )
341 .unwrap(),
342 );
343 let signature = private_key.sign_inner(None, message);
344 assert_eq!(signature.to_vec(), exp_sig.normalize_s().to_vec());
345
346 let (message, exp_sig) = (
347 b"test",
348 p256::ecdsa::Signature::from_slice(
349 &commonware_formatting::from_hex(
350 "f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d38367
351 019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083",
352 )
353 .unwrap(),
354 )
355 .unwrap(),
356 );
357
358 let signature = private_key.sign_inner(None, message);
359 assert_eq!(signature.to_vec(), exp_sig.to_vec());
360 }
361
362 #[test]
363 fn test_scheme_validate_public_key_too_long() {
364 let qx_hex = "d0720dc691aa80096ba32fed1cb97c2b620690d06de0317b8618d5ce65eb728f";
365 let qy_hex = "d0720dc691aa80096ba32fed1cb97c2b620690d06de0317b8618d5ce65eb728f";
366
367 let uncompressed_public_key = parse_public_key_as_uncompressed_vector(qx_hex, qy_hex);
368 let public_key = PublicKey::decode(uncompressed_public_key.as_ref());
369 assert!(matches!(public_key, Err(CodecError::Invalid(_, _))));
370
371 let mut compressed_public_key = parse_public_key_as_compressed_vector(qx_hex, qy_hex);
372 compressed_public_key.push(0u8);
373 let public_key = PublicKey::decode(compressed_public_key.as_ref());
374 assert!(matches!(public_key, Err(CodecError::ExtraData(1))));
375
376 let compressed_public_key = parse_public_key_as_compressed_vector(qx_hex, qy_hex);
377 let public_key = PublicKey::decode(compressed_public_key.as_ref());
378 assert!(public_key.is_ok());
379 }
380
381 #[test]
382 fn test_scheme_verify_signature_r0() {
383 let private_key: PrivateKey = PrivateKey::decode(
384 commonware_formatting::from_hex(
385 "c9806898a0334916c860748880a541f093b579a9b1f32934d86c363c39800357",
386 )
387 .unwrap()
388 .as_ref(),
389 )
390 .unwrap();
391 let message = b"sample";
392 let signature = private_key.sign_inner(None, message);
393 let (_, s) = signature.split_at(32);
394 let mut signature: Vec<u8> = vec![0x00; 32];
395 signature.extend_from_slice(s);
396
397 assert!(Signature::decode(signature.as_ref()).is_err());
398 }
399
400 #[test]
401 fn test_scheme_verify_signature_s0() {
402 let private_key: PrivateKey = PrivateKey::decode(
403 commonware_formatting::from_hex(
404 "c9806898a0334916c860748880a541f093b579a9b1f32934d86c363c39800357",
405 )
406 .unwrap()
407 .as_ref(),
408 )
409 .unwrap();
410 let message = b"sample";
411 let signature = private_key.sign_inner(None, message);
412 let (r, _) = signature.split_at(32);
413 let s: Vec<u8> = vec![0x00; 32];
414 let mut signature = r.to_vec();
415 signature.extend(s);
416
417 assert!(Signature::decode(signature.as_ref()).is_err());
418 }
419
420 #[rstest]
421 #[case(vector_keypair_1())]
422 #[case(vector_keypair_2())]
423 #[case(vector_keypair_3())]
424 #[case(vector_keypair_4())]
425 #[case(vector_keypair_5())]
426 #[case(vector_keypair_6())]
427 #[case(vector_keypair_7())]
428 #[case(vector_keypair_8())]
429 #[case(vector_keypair_9())]
430 #[case(vector_keypair_10())]
431 fn test_keypairs(#[case] (inner_priv, inner_pub): (PrivateKeyInner, PublicKeyInner)) {
432 let private_key = PrivateKey(inner_priv);
433 let public_key = PublicKey::from(private_key);
434 let exp_public_key = PublicKey(inner_pub);
435 assert_eq!(exp_public_key, public_key);
436 assert!(public_key.len() == PUBLIC_KEY_LENGTH);
437 }
438
439 #[rstest]
440 #[case(1, vector_public_key_validation_1())]
441 #[case(3, vector_public_key_validation_3())]
442 #[case(4, vector_public_key_validation_4())]
443 #[case(5, vector_public_key_validation_5())]
444 #[case(6, vector_public_key_validation_6())]
445 #[case(7, vector_public_key_validation_7())]
446 #[case(8, vector_public_key_validation_8())]
447 #[case(9, vector_public_key_validation_9())]
448 #[case(10, vector_public_key_validation_10())]
449 #[case(12, vector_public_key_validation_12())]
450 fn test_public_key_validation(
451 #[case] n: usize,
452 #[case] (public_key, exp_valid): (Vec<u8>, bool),
453 ) {
454 let res = PublicKey::decode(public_key.as_ref());
455 assert_eq!(exp_valid, res.is_ok(), "vector_public_key_validation_{n}");
456 }
457
458 fn vector_sig_verification_1() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
459 let (public_key, sig, message, expected) = vector_sig_verification_1_raw();
460 (PublicKey(public_key), sig.to_vec(), message, expected)
461 }
462
463 fn vector_sig_verification_2() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
464 let (public_key, sig, message, expected) = vector_sig_verification_2_raw();
465 (PublicKey(public_key), sig.to_vec(), message, expected)
466 }
467
468 fn vector_sig_verification_3() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
469 let (public_key, sig, message, expected) = vector_sig_verification_3_raw();
470 (PublicKey(public_key), sig.to_vec(), message, expected)
471 }
472
473 fn vector_sig_verification_4() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
474 let (public_key, sig, message, expected) = vector_sig_verification_4_raw();
475 (PublicKey(public_key), sig.to_vec(), message, expected)
476 }
477
478 fn vector_sig_verification_5() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
479 let (public_key, sig, message, expected) = vector_sig_verification_5_raw();
480 (PublicKey(public_key), sig.to_vec(), message, expected)
481 }
482
483 fn vector_sig_verification_6() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
484 let (public_key, sig, message, expected) = vector_sig_verification_6_raw();
485 (PublicKey(public_key), sig.to_vec(), message, expected)
486 }
487
488 fn vector_sig_verification_7() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
489 let (public_key, sig, message, expected) = vector_sig_verification_7_raw();
490 (PublicKey(public_key), sig.to_vec(), message, expected)
491 }
492
493 fn vector_sig_verification_8() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
494 let (public_key, sig, message, expected) = vector_sig_verification_8_raw();
495 (PublicKey(public_key), sig.to_vec(), message, expected)
496 }
497
498 fn vector_sig_verification_9() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
499 let (public_key, sig, message, expected) = vector_sig_verification_9_raw();
500 (PublicKey(public_key), sig.to_vec(), message, expected)
501 }
502
503 fn vector_sig_verification_10() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
504 let (public_key, sig, message, expected) = vector_sig_verification_10_raw();
505 (PublicKey(public_key), sig.to_vec(), message, expected)
506 }
507
508 fn vector_sig_verification_11() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
509 let (public_key, sig, message, expected) = vector_sig_verification_11_raw();
510 (PublicKey(public_key), sig.to_vec(), message, expected)
511 }
512
513 fn vector_sig_verification_12() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
514 let (public_key, sig, message, expected) = vector_sig_verification_12_raw();
515 (PublicKey(public_key), sig.to_vec(), message, expected)
516 }
517
518 fn vector_sig_verification_13() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
519 let (public_key, sig, message, expected) = vector_sig_verification_13_raw();
520 (PublicKey(public_key), sig.to_vec(), message, expected)
521 }
522
523 fn vector_sig_verification_14() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
524 let (public_key, sig, message, expected) = vector_sig_verification_14_raw();
525 (PublicKey(public_key), sig.to_vec(), message, expected)
526 }
527
528 fn vector_sig_verification_15() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
529 let (public_key, sig, message, expected) = vector_sig_verification_15_raw();
530 (PublicKey(public_key), sig.to_vec(), message, expected)
531 }
532
533 #[rstest]
534 #[case(vector_sig_verification_1())]
535 #[case(vector_sig_verification_2())]
536 #[case(vector_sig_verification_3())]
537 #[case(vector_sig_verification_4())]
538 #[case(vector_sig_verification_5())]
539 #[case(vector_sig_verification_6())]
540 #[case(vector_sig_verification_7())]
541 #[case(vector_sig_verification_8())]
542 #[case(vector_sig_verification_9())]
543 #[case(vector_sig_verification_10())]
544 #[case(vector_sig_verification_11())]
545 #[case(vector_sig_verification_12())]
546 #[case(vector_sig_verification_13())]
547 #[case(vector_sig_verification_14())]
548 #[case(vector_sig_verification_15())]
549 fn test_signature_verification(
550 #[case] (public_key, sig, message, expected): (PublicKey, Vec<u8>, Vec<u8>, bool),
551 ) {
552 let expected = if expected {
553 let mut ecdsa_signature = p256::ecdsa::Signature::from_slice(&sig).unwrap();
554 if ecdsa_signature.s().is_high().into() {
555 assert!(Signature::decode(sig.as_ref()).is_err());
556 assert!(Signature::decode(Bytes::from(sig)).is_err());
557
558 ecdsa_signature = ecdsa_signature.normalize_s();
559 }
560 let signature = Signature::try_from(ecdsa_signature).unwrap();
561 public_key.verify_inner(None, &message, &signature)
562 } else {
563 let tf_res = Signature::decode(sig.as_ref());
564 let dc_res = Signature::decode(Bytes::from(sig));
565 if tf_res.is_err() && dc_res.is_err() {
566 true
567 } else {
568 let f1 = !public_key.verify_inner(None, &message, &tf_res.unwrap());
569 let f2 = !public_key.verify_inner(None, &message, &dc_res.unwrap());
570 f1 && f2
571 }
572 };
573 assert!(expected);
574 }
575
576 #[cfg(feature = "arbitrary")]
577 mod conformance {
578 use super::*;
579 use commonware_codec::conformance::CodecConformance;
580
581 commonware_conformance::conformance_tests! {
582 CodecConformance<Signature> => 1024,
583 }
584 }
585}