1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
use super::{recoverable, Error, Signature};
use crate::{ElementBytes, ProjectivePoint, PublicKey, Scalar, Secp256k1, SecretKey};
use core::borrow::Borrow;
use ecdsa_core::{hazmat::RecoverableSignPrimitive, signature::RandomizedSigner};
use elliptic_curve::{
ops::Invert,
rand_core::{CryptoRng, RngCore},
zeroize::Zeroizing,
FromBytes, Generate,
};
use sha2::{Digest, Sha256};
#[cfg(debug_assertions)]
use crate::{ecdsa::signature::Verifier as _, ecdsa::Verifier};
#[cfg_attr(docsrs, doc(cfg(feature = "ecdsa")))]
pub struct Signer {
secret_key: SecretKey,
public_key: PublicKey,
}
impl Signer {
pub fn new(secret_key: &SecretKey) -> Result<Self, Error> {
let public_key = PublicKey::from_secret_key(secret_key, true).map_err(|_| Error::new())?;
Ok(Self {
secret_key: secret_key.clone(),
public_key,
})
}
pub fn public_key(&self) -> &PublicKey {
&self.public_key
}
}
impl RandomizedSigner<Signature> for Signer {
fn try_sign_with_rng(
&self,
rng: impl CryptoRng + RngCore,
msg: &[u8],
) -> Result<Signature, Error> {
let signer = ecdsa_core::Signer::new(&self.secret_key)?;
let signature = signer.try_sign_with_rng(rng, msg)?;
#[cfg(debug_assertions)]
assert!(Verifier::new(&self.public_key)
.expect("invalid public key")
.verify(msg, &signature)
.is_ok());
Ok(signature)
}
}
impl RandomizedSigner<recoverable::Signature> for Signer {
fn try_sign_with_rng(
&self,
rng: impl CryptoRng + RngCore,
msg: &[u8],
) -> Result<recoverable::Signature, Error> {
let d = Scalar::from_bytes(self.secret_key.as_bytes()).unwrap();
let k = Zeroizing::new(Scalar::generate(rng));
let z = Sha256::digest(msg);
let signature = d.try_sign_recoverable_prehashed(&*k, &z)?;
#[cfg(debug_assertions)]
assert_eq!(
self.public_key,
signature.recover_pubkey(msg).expect("recovery failed")
);
Ok(signature)
}
}
impl From<&Signer> for PublicKey {
fn from(signer: &Signer) -> PublicKey {
signer.public_key
}
}
impl RecoverableSignPrimitive<Secp256k1> for Scalar {
type RecoverableSignature = recoverable::Signature;
#[allow(non_snake_case, clippy::many_single_char_names)]
fn try_sign_recoverable_prehashed<K>(
&self,
ephemeral_scalar: &K,
hashed_msg: &ElementBytes,
) -> Result<recoverable::Signature, Error>
where
K: Borrow<Scalar> + Invert<Output = Scalar>,
{
let k_inverse = ephemeral_scalar.invert();
let k = ephemeral_scalar.borrow();
if k_inverse.is_none().into() || k.is_zero().into() {
return Err(Error::new());
}
let k_inverse = k_inverse.unwrap();
let R = (ProjectivePoint::generator() * k).to_affine().unwrap();
let r = Scalar::from_bytes_reduced(&R.x.to_bytes());
let z = Scalar::from_bytes_reduced(&hashed_msg);
let s = k_inverse * &(z + &(r * self));
if s.is_zero().into() {
return Err(Error::new());
}
let mut signature = Signature::from_scalars(&r.into(), &s.into());
let is_r_odd = bool::from(R.y.normalize().is_odd());
let is_s_high = signature.normalize_s()?;
let recovery_id = recoverable::Id((is_r_odd ^ is_s_high) as u8);
let recoverable_signature = recoverable::Signature::new(&signature, recovery_id);
Ok(recoverable_signature)
}
}
#[cfg(test)]
mod tests {
use super::*;
use crate::test_vectors::ecdsa::ECDSA_TEST_VECTORS;
use ecdsa_core::hazmat::SignPrimitive;
ecdsa_core::new_signing_test!(ECDSA_TEST_VECTORS);
}