1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181

// Bitcoin secp256k1 bindings
// Written in 2014 by
//   Dawid Ciężarkiewicz
//   Andrew Poelstra
//
// To the extent possible under law, the author(s) have dedicated all
// copyright and related and neighboring rights to this software to
// the public domain worldwide. This software is distributed without
// any warranty.
//
// You should have received a copy of the CC0 Public Domain Dedication
// along with this software.
// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
//

//! # Secp256k1-zkp
//!
//! Rust bindings for libsecp256k1-zkp, a fork of Pieter Wuille's secp256k1 library.
//!
//! This library re-exports everything from `secp256k1` and adds bindings for the following modules:
//!
//! - generators
//! - range proofs
//! - pedersen commitments
//!
//! As such, it can be used as a drop-in replacement for `secp256k1`. All types are interoperable
//! (as long as you are dependening on the correct version) which means [`SecretKey`]s and the [`Context`]
//! are interoperable.
//!

// Coding conventions
#![cfg_attr(docsrs, feature(doc_auto_cfg))]
#![warn(missing_docs)]
#![cfg_attr(all(not(test), not(feature = "std")), no_std)]

/// Re-export of the internal FFI bindings crate
pub extern crate secp256k1_zkp_sys;
/// Re-export of the internal FFI bindings crate under the alternate name `ffi`
pub use secp256k1_zkp_sys as ffi;

extern crate secp256k1;

#[cfg(feature = "bitcoin_hashes")]
pub use secp256k1::hashes;
/// Re-export of the `rand` crate
#[cfg(feature = "actual-rand")]
pub extern crate actual_rand as rand;
/// Re-export of the `serde` crate
#[cfg(feature = "serde")]
pub extern crate actual_serde as serde;
#[cfg(any(test, feature = "std"))]
extern crate core;
#[cfg(all(test, feature = "serde"))]
extern crate serde_test;
#[cfg(all(test, target_arch = "wasm32"))]
#[macro_use]
extern crate wasm_bindgen_test;

use core::{fmt, str};

pub use secp256k1::constants;
pub use secp256k1::ecdh;
pub use secp256k1::ecdsa;
pub use secp256k1::schnorr;

pub use crate::{PublicKey, SecretKey};

pub use secp256k1::*;

#[cfg(feature = "serde")]
mod serde_util;
mod zkp;
pub use crate::zkp::*;

pub use secp256k1::Error as UpstreamError;

/// An ECDSA error
#[derive(Copy, PartialEq, Eq, Clone, Debug)]
pub enum Error {
    /// Calling through to `secp256k1` resulted in an error.
    Upstream(UpstreamError),
    /// Failed to produce a surjection proof because of an internal error within `libsecp256k1-zkp`
    CannotProveSurjection,
    /// Given bytes don't represent a valid surjection proof
    InvalidSurjectionProof,
    /// Given bytes don't represent a valid pedersen commitment
    InvalidPedersenCommitment,
    /// Failed to produce a range proof because of an internal error within `libsecp256k1-zkp`
    CannotMakeRangeProof,
    /// Given range proof does not prove that the commitment is within a range
    InvalidRangeProof,
    /// Bad generator
    InvalidGenerator,
    /// Tweak must of len 32
    InvalidTweakLength,
    /// Tweak must be less than secp curve order
    TweakOutOfBounds,
    /// Given bytes don't represent a valid adaptor signature
    InvalidEcdsaAdaptorSignature,
    /// Failed to decrypt an adaptor signature because of an internal error within `libsecp256k1-zkp`
    CannotDecryptAdaptorSignature,
    /// Failed to recover an adaptor secret from an adaptor signature because of an internal error within `libsecp256k1-zkp`
    CannotRecoverAdaptorSecret,
    /// Given adaptor signature is not valid for the provided combination of public key, encryption key and message
    CannotVerifyAdaptorSignature,
    /// Given bytes don't represent a valid whitelist signature
    InvalidWhitelistSignature,
    /// Invalid PAK list
    InvalidPakList,
    /// Couldn't create whitelist signature with the given data.
    CannotCreateWhitelistSignature,
    /// The given whitelist signature doesn't correctly prove inclusion in the whitelist.
    InvalidWhitelistProof,
}

// Passthrough Debug to Display, since errors should be user-visible
impl fmt::Display for Error {
    fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
        let str = match *self {
            Error::CannotProveSurjection => "failed to prove surjection",
            Error::InvalidSurjectionProof => "malformed surjection proof",
            Error::InvalidPedersenCommitment => "malformed pedersen commitment",
            Error::CannotMakeRangeProof => "failed to generate range proof",
            Error::InvalidRangeProof => "failed to verify range proof",
            Error::InvalidGenerator => "malformed generator",
            Error::InvalidEcdsaAdaptorSignature => "malformed ecdsa adaptor signature",
            Error::CannotDecryptAdaptorSignature => "failed to decrypt adaptor signature",
            Error::CannotRecoverAdaptorSecret => "failed to recover adaptor secret",
            Error::CannotVerifyAdaptorSignature => "failed to verify adaptor signature",
            Error::Upstream(inner) => return write!(f, "{}", inner),
            Error::InvalidTweakLength => "Tweak must of size 32",
            Error::TweakOutOfBounds => "Tweak must be less than secp curve order",
            Error::InvalidWhitelistSignature => "malformed whitelist signature",
            Error::InvalidPakList => "invalid PAK list",
            Error::CannotCreateWhitelistSignature => {
                "cannot create whitelist signature with the given data"
            }
            Error::InvalidWhitelistProof => {
                "given whitelist signature doesn't correctly prove inclusion in the whitelist"
            }
        };

        f.write_str(str)
    }
}

#[cfg(feature = "std")]
impl std::error::Error for Error {}

impl From<UpstreamError> for Error {
    fn from(e: UpstreamError) -> Self {
        Error::Upstream(e)
    }
}

/// Utility function used to parse hex into a target u8 buffer. Returns
/// the number of bytes converted or an error if it encounters an invalid
/// character or unexpected end of string.
fn from_hex(hex: &str, target: &mut [u8]) -> Result<usize, ()> {
    if hex.len() % 2 == 1 || hex.len() > target.len() * 2 {
        return Err(());
    }

    let mut b = 0;
    let mut idx = 0;
    for c in hex.bytes() {
        b <<= 4;
        match c {
            b'A'..=b'F' => b |= c - b'A' + 10,
            b'a'..=b'f' => b |= c - b'a' + 10,
            b'0'..=b'9' => b |= c - b'0',
            _ => return Err(()),
        }
        if (idx & 1) == 1 {
            target[idx / 2] = b;
            b = 0;
        }
        idx += 1;
    }
    Ok(idx / 2)
}