bee-rs 1.1.1

Rust client for the Swarm Bee API. Functional parity with bee-js / bee-go.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368

//! `PrivateKey` / `PublicKey` and the Ethereum signed-message signer.
//!
//! Mirrors bee-go's `pkg/swarm/typed_bytes.go` crypto block. Uses
//! pure-Rust [`k256`] (RustCrypto secp256k1) so we don't pull in a
//! libsecp C dependency.
//!
//! The scheme matches bee-js:
//!
//! ```text
//! digest = keccak256("\x19Ethereum Signed Message:\n32" || keccak256(data))
//! ```
//!
//! and signatures are stored with `V ∈ {27, 28}` on the wire (v0
//! / v1 are normalized on the way out, denormalized on the way in).

use std::fmt;
use std::str::FromStr;

use k256::ecdsa::{
    RecoveryId, Signature as K256Signature, SigningKey, VerifyingKey,
    signature::hazmat::PrehashSigner,
};
use sha3::{Digest, Keccak256};
use subtle::ConstantTimeEq;
use zeroize::{Zeroize, ZeroizeOnDrop};

use crate::swarm::bytes::{decode_hex, encode_hex};
use crate::swarm::errors::Error;
use crate::swarm::typed_bytes::{
    ETH_ADDRESS_LENGTH, EthAddress, PRIVATE_KEY_LENGTH, PUBLIC_KEY_LENGTH, SIGNATURE_LENGTH,
    Signature,
};

// ---- PrivateKey --------------------------------------------------------

/// secp256k1 private key (32 bytes).
///
/// Not [`Copy`] — copies of secret material should be intentional.
/// Implements [`ZeroizeOnDrop`] so the bytes are scrubbed from memory
/// when the value is dropped, and [`PartialEq`] is constant-time.
#[derive(Clone, Zeroize, ZeroizeOnDrop)]
pub struct PrivateKey([u8; PRIVATE_KEY_LENGTH]);

impl PartialEq for PrivateKey {
    fn eq(&self, other: &Self) -> bool {
        self.0.ct_eq(&other.0).into()
    }
}

impl Eq for PrivateKey {}

impl PrivateKey {
    /// Length in bytes.
    pub const LENGTH: usize = PRIVATE_KEY_LENGTH;

    /// Construct from raw bytes.
    pub fn new(b: &[u8]) -> Result<Self, Error> {
        if b.len() != PRIVATE_KEY_LENGTH {
            return Err(Error::LengthMismatch {
                kind: "PrivateKey",
                expected: &[PRIVATE_KEY_LENGTH],
                got: b.len(),
            });
        }
        let mut a = [0u8; PRIVATE_KEY_LENGTH];
        a.copy_from_slice(b);
        Ok(Self(a))
    }

    /// Parse from hex (with or without `0x` prefix).
    pub fn from_hex(s: &str) -> Result<Self, Error> {
        Self::new(&decode_hex(s)?)
    }

    /// Borrow the raw bytes.
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }

    /// Lowercase hex, no `0x` prefix.
    pub fn to_hex(&self) -> String {
        encode_hex(&self.0)
    }

    fn signing_key(&self) -> Result<SigningKey, Error> {
        SigningKey::from_slice(&self.0).map_err(Error::crypto)
    }

    /// Derive the uncompressed (64-byte `X || Y`) public key.
    pub fn public_key(&self) -> Result<PublicKey, Error> {
        let sk = self.signing_key()?;
        let vk = VerifyingKey::from(&sk);
        let point = vk.to_encoded_point(false);
        // SEC1 uncompressed: 0x04 || X(32) || Y(32). Strip the prefix.
        let bytes = point.as_bytes();
        debug_assert_eq!(bytes.len(), 65);
        let mut a = [0u8; PUBLIC_KEY_LENGTH];
        a.copy_from_slice(&bytes[1..]);
        Ok(PublicKey(a))
    }

    /// Sign `data` using the Ethereum signed-message scheme and return
    /// a 65-byte `R || S || V` signature with `V ∈ {27, 28}`.
    pub fn sign(&self, data: &[u8]) -> Result<Signature, Error> {
        let digest = eth_signed_message_digest(data);
        let sk = self.signing_key()?;
        let (sig, recovery_id): (K256Signature, RecoveryId) =
            sk.sign_prehash(&digest).map_err(Error::crypto)?;
        let normalized = sig.normalize_s().unwrap_or(sig);
        // k256 returns the recovery id corresponding to the original sig;
        // when normalize_s flips s, the recovery id also flips parity.
        let recovery_id = if normalized != sig {
            RecoveryId::from_byte(recovery_id.to_byte() ^ 1).expect("flipped recovery id valid")
        } else {
            recovery_id
        };

        let mut out = [0u8; SIGNATURE_LENGTH];
        let bytes = normalized.to_bytes();
        out[..64].copy_from_slice(&bytes);
        out[64] = recovery_id.to_byte() + 27;
        Signature::new(&out)
    }
}

impl fmt::Debug for PrivateKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Don't leak private bytes in Debug output.
        f.write_str("PrivateKey(<redacted>)")
    }
}

impl FromStr for PrivateKey {
    type Err = Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Self::from_hex(s)
    }
}

// ---- PublicKey ---------------------------------------------------------

/// Uncompressed secp256k1 public key (`X || Y`, 64 bytes).
///
/// Constructors accept the 33-byte SEC1-compressed encoding too.
#[derive(Clone, Copy, PartialEq, Eq, Hash)]
pub struct PublicKey([u8; PUBLIC_KEY_LENGTH]);

impl PublicKey {
    /// Length in bytes when stored uncompressed.
    pub const LENGTH: usize = PUBLIC_KEY_LENGTH;

    /// Construct from bytes. Accepts 64-byte uncompressed (`X || Y`)
    /// or 33-byte compressed (SEC1).
    pub fn new(b: &[u8]) -> Result<Self, Error> {
        match b.len() {
            PUBLIC_KEY_LENGTH => {
                let mut a = [0u8; PUBLIC_KEY_LENGTH];
                a.copy_from_slice(b);
                Ok(Self(a))
            }
            33 => {
                let vk = VerifyingKey::from_sec1_bytes(b).map_err(Error::crypto)?;
                let point = vk.to_encoded_point(false);
                let bytes = point.as_bytes();
                let mut a = [0u8; PUBLIC_KEY_LENGTH];
                a.copy_from_slice(&bytes[1..]);
                Ok(Self(a))
            }
            n => Err(Error::LengthMismatch {
                kind: "PublicKey",
                expected: &[33, PUBLIC_KEY_LENGTH],
                got: n,
            }),
        }
    }

    /// Parse from hex (with or without `0x` prefix). Length must be 33
    /// (compressed) or 64 (uncompressed).
    pub fn from_hex(s: &str) -> Result<Self, Error> {
        Self::new(&decode_hex(s)?)
    }

    /// Borrow the raw 64-byte uncompressed encoding.
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }

    /// Lowercase hex of the uncompressed encoding, no `0x` prefix.
    pub fn to_hex(&self) -> String {
        encode_hex(&self.0)
    }

    /// Ethereum address: last 20 bytes of `keccak256(X || Y)`.
    pub fn address(&self) -> EthAddress {
        let mut h = Keccak256::new();
        h.update(self.0);
        let out = h.finalize();
        let mut a = [0u8; ETH_ADDRESS_LENGTH];
        a.copy_from_slice(&out[12..]);
        EthAddress::new(&a).expect("hash slice has fixed length")
    }

    /// 33-byte SEC1-compressed encoding.
    pub fn compressed_bytes(&self) -> Result<[u8; 33], Error> {
        let mut full = [0u8; 65];
        full[0] = 0x04;
        full[1..].copy_from_slice(&self.0);
        let vk = VerifyingKey::from_sec1_bytes(&full).map_err(Error::crypto)?;
        let point = vk.to_encoded_point(true);
        let bytes = point.as_bytes();
        if bytes.len() != 33 {
            return Err(Error::crypto("compressed point not 33 bytes"));
        }
        let mut a = [0u8; 33];
        a.copy_from_slice(bytes);
        Ok(a)
    }

    /// Lowercase hex of the compressed encoding, no `0x` prefix.
    pub fn compressed_hex(&self) -> Result<String, Error> {
        Ok(encode_hex(&self.compressed_bytes()?))
    }
}

impl fmt::Debug for PublicKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "PublicKey({})", self.to_hex())
    }
}

impl fmt::Display for PublicKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&self.to_hex())
    }
}

impl FromStr for PublicKey {
    type Err = Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Self::from_hex(s)
    }
}

// ---- Signature recovery ------------------------------------------------

impl Signature {
    /// Recover the public key that produced this signature for `data`,
    /// using the Ethereum signed-message scheme.
    pub fn recover_public_key(&self, data: &[u8]) -> Result<PublicKey, Error> {
        let digest = eth_signed_message_digest(data);
        let bytes = self.as_bytes();
        let v = bytes[64];
        let recovery_byte = if v >= 27 { v - 27 } else { v };
        let recovery_id =
            RecoveryId::from_byte(recovery_byte).ok_or_else(|| Error::crypto("invalid V byte"))?;
        let sig = K256Signature::from_slice(&bytes[..64]).map_err(Error::crypto)?;
        let vk = VerifyingKey::recover_from_prehash(&digest, &sig, recovery_id)
            .map_err(Error::crypto)?;
        let point = vk.to_encoded_point(false);
        let raw = point.as_bytes();
        let mut a = [0u8; PUBLIC_KEY_LENGTH];
        a.copy_from_slice(&raw[1..]);
        Ok(PublicKey(a))
    }

    /// True iff the signature is valid against `data` and the recovered
    /// signer matches `expected`.
    pub fn is_valid(&self, data: &[u8], expected: EthAddress) -> bool {
        match self.recover_public_key(data) {
            Ok(pk) => pk.address() == expected,
            Err(_) => false,
        }
    }
}

// ---- digest helper -----------------------------------------------------

/// `keccak256("\x19Ethereum Signed Message:\n32" || keccak256(data))`.
/// The exact digest Bee verifies SOC and feed signatures against.
pub fn eth_signed_message_digest(data: &[u8]) -> [u8; 32] {
    let mut h = Keccak256::new();
    h.update(data);
    let inner = h.finalize();

    let mut h = Keccak256::new();
    h.update(b"\x19Ethereum Signed Message:\n32");
    h.update(inner);
    let out = h.finalize();
    let mut a = [0u8; 32];
    a.copy_from_slice(&out);
    a
}

#[cfg(test)]
mod tests {
    use super::*;

    fn priv_repeat(byte: u8) -> PrivateKey {
        PrivateKey::new(&[byte; PRIVATE_KEY_LENGTH]).unwrap()
    }

    #[test]
    fn private_to_public_to_address_is_consistent() {
        let pk = priv_repeat(0x11);
        let pub_a = pk.public_key().unwrap();
        let pub_b = pk.public_key().unwrap();
        assert_eq!(pub_a.as_bytes(), pub_b.as_bytes());
        assert_eq!(pub_a.address(), pub_b.address());
    }

    #[test]
    fn public_key_compressed_round_trip() {
        let pk = priv_repeat(0x22);
        let pub_a = pk.public_key().unwrap();
        let compressed = pub_a.compressed_bytes().unwrap();
        assert_eq!(compressed.len(), 33);
        let pub_b = PublicKey::new(&compressed).unwrap();
        assert_eq!(pub_a.as_bytes(), pub_b.as_bytes());
    }

    #[test]
    fn sign_recover_round_trip() {
        let pk = priv_repeat(0x33);
        let data = b"hello swarm";
        let sig = pk.sign(data).unwrap();
        // V normalized to {27, 28} per bee-js wire format.
        let v = sig.as_bytes()[64];
        assert!(v == 27 || v == 28, "V was {v}");
        let recovered = sig.recover_public_key(data).unwrap();
        assert_eq!(recovered.as_bytes(), pk.public_key().unwrap().as_bytes());
        assert!(sig.is_valid(data, pk.public_key().unwrap().address()));
        assert!(!sig.is_valid(b"tampered", pk.public_key().unwrap().address()));
    }

    #[test]
    fn debug_does_not_leak_private_bytes() {
        let pk = priv_repeat(0x44);
        let s = format!("{pk:?}");
        assert!(!s.contains("44"));
        assert!(s.contains("redacted"));
    }

    #[test]
    fn zeroize_clears_private_bytes() {
        let mut pk = priv_repeat(0x55);
        assert_eq!(pk.as_bytes(), &[0x55; PRIVATE_KEY_LENGTH]);
        pk.zeroize();
        assert_eq!(pk.as_bytes(), &[0u8; PRIVATE_KEY_LENGTH]);
    }

    #[test]
    fn private_key_is_zeroize_on_drop() {
        // Compile-time bound: ZeroizeOnDrop is what we promise in the
        // type's docs; this assertion fails to compile if the trait is
        // ever removed.
        fn assert_zod<T: zeroize::ZeroizeOnDrop>() {}
        assert_zod::<PrivateKey>();
    }

    #[test]
    fn private_key_eq_is_correct() {
        let a = priv_repeat(0x66);
        let b = priv_repeat(0x66);
        let c = priv_repeat(0x77);
        assert_eq!(a, b);
        assert_ne!(a, c);
    }
}