1cfg_if::cfg_if! {
2 if #[cfg(feature = "std")] {
3 use std::borrow::Cow;
4 } else {
5 use alloc::borrow::Cow;
6 }
7}
8use super::common::{
9 impl_private_key_wrapper, impl_public_key_wrapper, PrivateKeyInner, PublicKeyInner, CURVE_NAME,
10 PRIVATE_KEY_LENGTH, PUBLIC_KEY_LENGTH,
11};
12use bytes::{Buf, BufMut};
13use commonware_codec::{Error as CodecError, FixedSize, Read, ReadExt, Write};
14use commonware_utils::{hex, union_unique, Array, Span};
15use core::{
16 fmt::{Debug, Display},
17 hash::{Hash, Hasher},
18 ops::Deref,
19};
20use p256::{
21 ecdsa::signature::{Signer, Verifier},
22 elliptic_curve::scalar::IsHigh,
23};
24
25const SIGNATURE_LENGTH: usize = 64; #[derive(Clone, Eq, PartialEq)]
29pub struct PrivateKey(PrivateKeyInner);
30
31impl_private_key_wrapper!(PrivateKey);
32
33impl crate::Signer for PrivateKey {
34 type Signature = Signature;
35 type PublicKey = PublicKey;
36
37 fn sign(&self, namespace: &[u8], msg: &[u8]) -> Self::Signature {
38 self.sign_inner(Some(namespace), msg)
39 }
40
41 fn public_key(&self) -> Self::PublicKey {
42 PublicKey(PublicKeyInner::from_private_key(&self.0))
43 }
44}
45
46impl PrivateKey {
47 #[inline(always)]
48 fn sign_inner(&self, namespace: Option<&[u8]>, msg: &[u8]) -> Signature {
49 let payload = namespace.map_or(Cow::Borrowed(msg), |namespace| {
50 Cow::Owned(union_unique(namespace, msg))
51 });
52 let signature: p256::ecdsa::Signature = self.0.key.sign(&payload);
53 let signature = signature.normalize_s().unwrap_or(signature);
54 Signature::from(signature)
55 }
56}
57
58impl From<PrivateKey> for PublicKey {
59 fn from(value: PrivateKey) -> Self {
60 Self(PublicKeyInner::from_private_key(&value.0))
61 }
62}
63
64#[derive(Clone, Eq, PartialEq, Ord, PartialOrd)]
66#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
67pub struct PublicKey(PublicKeyInner);
68
69impl_public_key_wrapper!(PublicKey);
70
71impl crate::Verifier for PublicKey {
72 type Signature = Signature;
73
74 fn verify(&self, namespace: &[u8], msg: &[u8], sig: &Self::Signature) -> bool {
75 self.verify_inner(Some(namespace), msg, sig)
76 }
77}
78
79impl PublicKey {
80 #[inline(always)]
81 fn verify_inner(&self, namespace: Option<&[u8]>, msg: &[u8], sig: &Signature) -> bool {
82 let payload = namespace.map_or(Cow::Borrowed(msg), |namespace| {
83 Cow::Owned(union_unique(namespace, msg))
84 });
85 self.0.key.verify(&payload, &sig.signature).is_ok()
86 }
87}
88
89#[derive(Clone, Eq, PartialEq)]
91pub struct Signature {
92 raw: [u8; SIGNATURE_LENGTH],
93 signature: p256::ecdsa::Signature,
94}
95
96impl crate::Signature for Signature {}
97
98impl Write for Signature {
99 fn write(&self, buf: &mut impl BufMut) {
100 self.raw.write(buf);
101 }
102}
103
104impl Read for Signature {
105 type Cfg = ();
106
107 fn read_cfg(buf: &mut impl Buf, _: &()) -> Result<Self, CodecError> {
108 let raw = <[u8; Self::SIZE]>::read(buf)?;
109 let result = p256::ecdsa::Signature::from_slice(&raw);
110 #[cfg(feature = "std")]
111 let signature = result.map_err(|e| CodecError::Wrapped(CURVE_NAME, e.into()))?;
112 #[cfg(not(feature = "std"))]
113 let signature = result
114 .map_err(|e| CodecError::Wrapped(CURVE_NAME, alloc::format!("{:?}", e).into()))?;
115 if signature.s().is_high().into() {
117 return Err(CodecError::Invalid(CURVE_NAME, "Signature S is high"));
118 }
119 Ok(Self { raw, signature })
120 }
121}
122
123impl FixedSize for Signature {
124 const SIZE: usize = SIGNATURE_LENGTH;
125}
126
127impl Span for Signature {}
128
129impl Array for Signature {}
130
131impl Hash for Signature {
132 fn hash<H: Hasher>(&self, state: &mut H) {
133 self.raw.hash(state);
134 }
135}
136
137impl Ord for Signature {
138 fn cmp(&self, other: &Self) -> core::cmp::Ordering {
139 self.raw.cmp(&other.raw)
140 }
141}
142
143impl PartialOrd for Signature {
144 fn partial_cmp(&self, other: &Self) -> Option<core::cmp::Ordering> {
145 Some(self.cmp(other))
146 }
147}
148
149impl AsRef<[u8]> for Signature {
150 fn as_ref(&self) -> &[u8] {
151 &self.raw
152 }
153}
154
155impl Deref for Signature {
156 type Target = [u8];
157 fn deref(&self) -> &[u8] {
158 &self.raw
159 }
160}
161
162impl From<p256::ecdsa::Signature> for Signature {
163 fn from(signature: p256::ecdsa::Signature) -> Self {
164 let raw = signature.to_bytes().into();
165 Self { raw, signature }
166 }
167}
168
169impl Debug for Signature {
170 fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
171 write!(f, "{}", hex(&self.raw))
172 }
173}
174
175impl Display for Signature {
176 fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
177 write!(f, "{}", hex(&self.raw))
178 }
179}
180
181#[cfg(feature = "arbitrary")]
182impl arbitrary::Arbitrary<'_> for Signature {
183 fn arbitrary(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<Self> {
184 use crate::Signer;
185 use commonware_math::algebra::Random;
186 use rand::{rngs::StdRng, SeedableRng};
187
188 let mut rand = StdRng::from_seed(u.arbitrary::<[u8; 32]>()?);
189 let private_key = PrivateKey(PrivateKeyInner::random(&mut rand));
190 let len = u.arbitrary::<usize>()? % 256;
191 let message = u
192 .arbitrary_iter()?
193 .take(len)
194 .collect::<Result<Vec<_>, _>>()?;
195
196 Ok(private_key.sign(&[], &message))
197 }
198}
199
200#[cfg(test)]
201mod tests {
202 use super::*;
203 use crate::{secp256r1::common::tests::*, Signer as _, Verifier as _};
204 use bytes::Bytes;
205 use commonware_codec::{DecodeExt, Encode};
206 use p256::elliptic_curve::scalar::IsHigh;
207 use rstest::rstest;
208
209 const NAMESPACE: &[u8] = b"test-namespace";
210
211 #[test]
212 fn test_codec_private_key() {
213 let original = PrivateKey(create_private_key());
214 let encoded = original.encode();
215 assert_eq!(encoded.len(), PRIVATE_KEY_LENGTH);
216
217 let decoded = PrivateKey::decode(encoded).unwrap();
218 assert_eq!(original, decoded);
219 }
220
221 #[test]
222 fn test_codec_public_key() {
223 let private_key = PrivateKey(create_private_key());
224 let original = PublicKey::from(private_key);
225
226 let encoded = original.encode();
227 assert_eq!(encoded.len(), PUBLIC_KEY_LENGTH);
228
229 let decoded = PublicKey::decode(encoded).unwrap();
230 assert_eq!(original, decoded);
231 }
232
233 #[test]
234 fn test_codec_signature() {
235 let private_key = PrivateKey(create_private_key());
236 let original = private_key.sign(NAMESPACE, "Hello World".as_bytes());
237
238 let encoded = original.encode();
239 assert_eq!(encoded.len(), SIGNATURE_LENGTH);
240
241 let decoded = Signature::decode(encoded).unwrap();
242 assert_eq!(original, decoded);
243 }
244
245 #[test]
246 fn test_codec_signature_invalid() {
247 let (_, sig, ..) = vector_sig_verification_5();
248 let result = Signature::decode(Bytes::from(sig));
249 assert!(result.is_err());
250 }
251
252 #[test]
253 fn test_scheme_sign() {
254 let private_key: PrivateKey = PrivateKey::decode(
255 commonware_utils::from_hex_formatted(
256 "519b423d715f8b581f4fa8ee59f4771a5b44c8130b4e3eacca54a56dda72b464",
257 )
258 .unwrap()
259 .as_ref(),
260 )
261 .unwrap();
262 let public_key: PublicKey = private_key.clone().into();
263 let message = commonware_utils::from_hex_formatted(
264 "5905238877c77421f73e43ee3da6f2d9e2ccad5fc942dcec0cbd25482935faaf416983fe165b1a045e
265 e2bcd2e6dca3bdf46c4310a7461f9a37960ca672d3feb5473e253605fb1ddfd28065b53cb5858a8ad28175bf
266 9bd386a5e471ea7a65c17cc934a9d791e91491eb3754d03799790fe2d308d16146d5c9b0d0debd97d79ce8",
267 )
268 .unwrap();
269 let signature = private_key.sign(NAMESPACE, &message);
270 assert_eq!(SIGNATURE_LENGTH, signature.len());
271 assert!(public_key.verify(NAMESPACE, &message, &signature));
272 }
273
274 #[test]
275 fn test_decode_zero_signature_fails() {
276 let result = Signature::decode(vec![0u8; SIGNATURE_LENGTH].as_ref());
277 assert!(result.is_err());
278 }
279
280 #[test]
281 fn test_decode_high_s_signature_fails() {
282 let (inner, _) = vector_keypair_1();
283 let private_key = PrivateKey(inner);
284 let message = b"edge";
285 let signature = private_key.sign(NAMESPACE, message);
286 let mut bad_signature = signature.to_vec();
287 bad_signature[32] |= 0x80;
288 assert!(Signature::decode(bad_signature.as_ref()).is_err());
289 }
290
291 #[test]
292 fn test_decode_zero_r_signature_fails() {
293 let (inner, _) = vector_keypair_1();
294 let private_key = PrivateKey(inner);
295 let message = b"edge";
296 let signature = private_key.sign(NAMESPACE, message);
297 let mut bad_signature = signature.to_vec();
298 for b in bad_signature.iter_mut().take(32) {
299 *b = 0x00;
300 }
301 bad_signature[32] = 1;
302 assert!(Signature::decode(bad_signature.as_ref()).is_err());
303 }
304
305 #[test]
306 fn test_rfc6979() {
307 let private_key: PrivateKey = PrivateKey::decode(
308 commonware_utils::from_hex_formatted(
309 "c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721",
310 )
311 .unwrap()
312 .as_ref(),
313 )
314 .unwrap();
315
316 let (message, exp_sig) = (
317 b"sample",
318 p256::ecdsa::Signature::from_slice(
319 &commonware_utils::from_hex_formatted(
320 "efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716
321 f7cb1c942d657c41d436c7a1b6e29f65f3e900dbb9aff4064dc4ab2f843acda8",
322 )
323 .unwrap(),
324 )
325 .unwrap(),
326 );
327 let signature = private_key.sign_inner(None, message);
328 assert_eq!(signature.to_vec(), exp_sig.normalize_s().unwrap().to_vec());
329
330 let (message, exp_sig) = (
331 b"test",
332 p256::ecdsa::Signature::from_slice(
333 &commonware_utils::from_hex_formatted(
334 "f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d38367
335 019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083",
336 )
337 .unwrap(),
338 )
339 .unwrap(),
340 );
341
342 let signature = private_key.sign_inner(None, message);
343 assert_eq!(signature.to_vec(), exp_sig.to_vec());
344 }
345
346 #[test]
347 fn test_scheme_validate_public_key_too_long() {
348 let qx_hex = "d0720dc691aa80096ba32fed1cb97c2b620690d06de0317b8618d5ce65eb728f";
349 let qy_hex = "d0720dc691aa80096ba32fed1cb97c2b620690d06de0317b8618d5ce65eb728f";
350
351 let uncompressed_public_key = parse_public_key_as_uncompressed_vector(qx_hex, qy_hex);
352 let public_key = PublicKey::decode(uncompressed_public_key.as_ref());
353 assert!(matches!(public_key, Err(CodecError::Invalid(_, _))));
354
355 let mut compressed_public_key = parse_public_key_as_compressed_vector(qx_hex, qy_hex);
356 compressed_public_key.push(0u8);
357 let public_key = PublicKey::decode(compressed_public_key.as_ref());
358 assert!(matches!(public_key, Err(CodecError::ExtraData(1))));
359
360 let compressed_public_key = parse_public_key_as_compressed_vector(qx_hex, qy_hex);
361 let public_key = PublicKey::decode(compressed_public_key.as_ref());
362 assert!(public_key.is_ok());
363 }
364
365 #[test]
366 fn test_scheme_verify_signature_r0() {
367 let private_key: PrivateKey = PrivateKey::decode(
368 commonware_utils::from_hex_formatted(
369 "c9806898a0334916c860748880a541f093b579a9b1f32934d86c363c39800357",
370 )
371 .unwrap()
372 .as_ref(),
373 )
374 .unwrap();
375 let message = b"sample";
376 let signature = private_key.sign_inner(None, message);
377 let (_, s) = signature.split_at(32);
378 let mut signature: Vec<u8> = vec![0x00; 32];
379 signature.extend_from_slice(s);
380
381 assert!(Signature::decode(signature.as_ref()).is_err());
382 }
383
384 #[test]
385 fn test_scheme_verify_signature_s0() {
386 let private_key: PrivateKey = PrivateKey::decode(
387 commonware_utils::from_hex_formatted(
388 "c9806898a0334916c860748880a541f093b579a9b1f32934d86c363c39800357",
389 )
390 .unwrap()
391 .as_ref(),
392 )
393 .unwrap();
394 let message = b"sample";
395 let signature = private_key.sign_inner(None, message);
396 let (r, _) = signature.split_at(32);
397 let s: Vec<u8> = vec![0x00; 32];
398 let mut signature = r.to_vec();
399 signature.extend(s);
400
401 assert!(Signature::decode(signature.as_ref()).is_err());
402 }
403
404 #[rstest]
405 #[case(vector_keypair_1())]
406 #[case(vector_keypair_2())]
407 #[case(vector_keypair_3())]
408 #[case(vector_keypair_4())]
409 #[case(vector_keypair_5())]
410 #[case(vector_keypair_6())]
411 #[case(vector_keypair_7())]
412 #[case(vector_keypair_8())]
413 #[case(vector_keypair_9())]
414 #[case(vector_keypair_10())]
415 fn test_keypairs(#[case] (inner_priv, inner_pub): (PrivateKeyInner, PublicKeyInner)) {
416 let private_key = PrivateKey(inner_priv);
417 let public_key = PublicKey::from(private_key);
418 let exp_public_key = PublicKey(inner_pub);
419 assert_eq!(exp_public_key, public_key);
420 assert!(public_key.len() == PUBLIC_KEY_LENGTH);
421 }
422
423 #[rstest]
424 #[case(1, vector_public_key_validation_1())]
425 #[case(3, vector_public_key_validation_3())]
426 #[case(4, vector_public_key_validation_4())]
427 #[case(5, vector_public_key_validation_5())]
428 #[case(6, vector_public_key_validation_6())]
429 #[case(7, vector_public_key_validation_7())]
430 #[case(8, vector_public_key_validation_8())]
431 #[case(9, vector_public_key_validation_9())]
432 #[case(10, vector_public_key_validation_10())]
433 #[case(12, vector_public_key_validation_12())]
434 fn test_public_key_validation(
435 #[case] n: usize,
436 #[case] (public_key, exp_valid): (Vec<u8>, bool),
437 ) {
438 let res = PublicKey::decode(public_key.as_ref());
439 assert_eq!(exp_valid, res.is_ok(), "vector_public_key_validation_{n}");
440 }
441
442 fn vector_sig_verification_1() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
443 let (public_key, sig, message, expected) = vector_sig_verification_1_raw();
444 (PublicKey(public_key), sig.to_vec(), message, expected)
445 }
446
447 fn vector_sig_verification_2() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
448 let (public_key, sig, message, expected) = vector_sig_verification_2_raw();
449 (PublicKey(public_key), sig.to_vec(), message, expected)
450 }
451
452 fn vector_sig_verification_3() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
453 let (public_key, sig, message, expected) = vector_sig_verification_3_raw();
454 (PublicKey(public_key), sig.to_vec(), message, expected)
455 }
456
457 fn vector_sig_verification_4() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
458 let (public_key, sig, message, expected) = vector_sig_verification_4_raw();
459 (PublicKey(public_key), sig.to_vec(), message, expected)
460 }
461
462 fn vector_sig_verification_5() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
463 let (public_key, sig, message, expected) = vector_sig_verification_5_raw();
464 (PublicKey(public_key), sig.to_vec(), message, expected)
465 }
466
467 fn vector_sig_verification_6() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
468 let (public_key, sig, message, expected) = vector_sig_verification_6_raw();
469 (PublicKey(public_key), sig.to_vec(), message, expected)
470 }
471
472 fn vector_sig_verification_7() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
473 let (public_key, sig, message, expected) = vector_sig_verification_7_raw();
474 (PublicKey(public_key), sig.to_vec(), message, expected)
475 }
476
477 fn vector_sig_verification_8() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
478 let (public_key, sig, message, expected) = vector_sig_verification_8_raw();
479 (PublicKey(public_key), sig.to_vec(), message, expected)
480 }
481
482 fn vector_sig_verification_9() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
483 let (public_key, sig, message, expected) = vector_sig_verification_9_raw();
484 (PublicKey(public_key), sig.to_vec(), message, expected)
485 }
486
487 fn vector_sig_verification_10() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
488 let (public_key, sig, message, expected) = vector_sig_verification_10_raw();
489 (PublicKey(public_key), sig.to_vec(), message, expected)
490 }
491
492 fn vector_sig_verification_11() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
493 let (public_key, sig, message, expected) = vector_sig_verification_11_raw();
494 (PublicKey(public_key), sig.to_vec(), message, expected)
495 }
496
497 fn vector_sig_verification_12() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
498 let (public_key, sig, message, expected) = vector_sig_verification_12_raw();
499 (PublicKey(public_key), sig.to_vec(), message, expected)
500 }
501
502 fn vector_sig_verification_13() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
503 let (public_key, sig, message, expected) = vector_sig_verification_13_raw();
504 (PublicKey(public_key), sig.to_vec(), message, expected)
505 }
506
507 fn vector_sig_verification_14() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
508 let (public_key, sig, message, expected) = vector_sig_verification_14_raw();
509 (PublicKey(public_key), sig.to_vec(), message, expected)
510 }
511
512 fn vector_sig_verification_15() -> (PublicKey, Vec<u8>, Vec<u8>, bool) {
513 let (public_key, sig, message, expected) = vector_sig_verification_15_raw();
514 (PublicKey(public_key), sig.to_vec(), message, expected)
515 }
516
517 #[rstest]
518 #[case(vector_sig_verification_1())]
519 #[case(vector_sig_verification_2())]
520 #[case(vector_sig_verification_3())]
521 #[case(vector_sig_verification_4())]
522 #[case(vector_sig_verification_5())]
523 #[case(vector_sig_verification_6())]
524 #[case(vector_sig_verification_7())]
525 #[case(vector_sig_verification_8())]
526 #[case(vector_sig_verification_9())]
527 #[case(vector_sig_verification_10())]
528 #[case(vector_sig_verification_11())]
529 #[case(vector_sig_verification_12())]
530 #[case(vector_sig_verification_13())]
531 #[case(vector_sig_verification_14())]
532 #[case(vector_sig_verification_15())]
533 fn test_signature_verification(
534 #[case] (public_key, sig, message, expected): (PublicKey, Vec<u8>, Vec<u8>, bool),
535 ) {
536 let expected = if expected {
537 let mut ecdsa_signature = p256::ecdsa::Signature::from_slice(&sig).unwrap();
538 if ecdsa_signature.s().is_high().into() {
539 assert!(Signature::decode(sig.as_ref()).is_err());
540 assert!(Signature::decode(Bytes::from(sig)).is_err());
541
542 if let Some(normalized_sig) = ecdsa_signature.normalize_s() {
543 ecdsa_signature = normalized_sig;
544 }
545 }
546 let signature = Signature::from(ecdsa_signature);
547 public_key.verify_inner(None, &message, &signature)
548 } else {
549 let tf_res = Signature::decode(sig.as_ref());
550 let dc_res = Signature::decode(Bytes::from(sig));
551 if tf_res.is_err() && dc_res.is_err() {
552 true
553 } else {
554 let f1 = !public_key.verify_inner(None, &message, &tf_res.unwrap());
555 let f2 = !public_key.verify_inner(None, &message, &dc_res.unwrap());
556 f1 && f2
557 }
558 };
559 assert!(expected);
560 }
561
562 #[cfg(feature = "arbitrary")]
563 mod conformance {
564 use super::*;
565 use commonware_codec::conformance::CodecConformance;
566
567 commonware_conformance::conformance_tests! {
568 CodecConformance<Signature>,
569 }
570 }
571}