|
|
|
@ -18,168 +18,129 @@ package secp256k1 |
|
|
|
|
|
|
|
|
|
import ( |
|
|
|
|
"bytes" |
|
|
|
|
"fmt" |
|
|
|
|
"log" |
|
|
|
|
"encoding/hex" |
|
|
|
|
"testing" |
|
|
|
|
|
|
|
|
|
"github.com/ethereum/go-ethereum/crypto/randentropy" |
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
const TESTS = 10000 // how many tests
|
|
|
|
|
const SigSize = 65 //64+1
|
|
|
|
|
const TestCount = 10000 |
|
|
|
|
|
|
|
|
|
func Test_Secp256_00(t *testing.T) { |
|
|
|
|
|
|
|
|
|
var nonce []byte = randentropy.GetEntropyCSPRNG(32) //going to get bitcoins stolen!
|
|
|
|
|
|
|
|
|
|
if len(nonce) != 32 { |
|
|
|
|
t.Fatal() |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//tests for Malleability
|
|
|
|
|
//highest bit of S must be 0; 32nd byte
|
|
|
|
|
func CompactSigTest(sig []byte) { |
|
|
|
|
|
|
|
|
|
var b int = int(sig[32]) |
|
|
|
|
if b < 0 { |
|
|
|
|
log.Panic() |
|
|
|
|
} |
|
|
|
|
if ((b >> 7) == 1) != ((b & 0x80) == 0x80) { |
|
|
|
|
log.Panic("b= %v b2= %v \n", b, b>>7) |
|
|
|
|
} |
|
|
|
|
if (b & 0x80) == 0x80 { |
|
|
|
|
log.Panic("b= %v b2= %v \n", b, b&0x80) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//test pubkey/private generation
|
|
|
|
|
func Test_Secp256_01(t *testing.T) { |
|
|
|
|
pubkey, seckey := GenerateKeyPair() |
|
|
|
|
func TestPrivkeyGenerate(t *testing.T) { |
|
|
|
|
_, seckey := GenerateKeyPair() |
|
|
|
|
if err := VerifySeckeyValidity(seckey); err != nil { |
|
|
|
|
t.Fatal() |
|
|
|
|
} |
|
|
|
|
if err := VerifyPubkeyValidity(pubkey); err != nil { |
|
|
|
|
t.Fatal() |
|
|
|
|
t.Errorf("seckey not valid: %s", err) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//test size of messages
|
|
|
|
|
func Test_Secp256_02s(t *testing.T) { |
|
|
|
|
func TestSignatureValidity(t *testing.T) { |
|
|
|
|
pubkey, seckey := GenerateKeyPair() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
sig, _ := Sign(msg, seckey) |
|
|
|
|
CompactSigTest(sig) |
|
|
|
|
if sig == nil { |
|
|
|
|
t.Fatal("Signature nil") |
|
|
|
|
sig, err := Sign(msg, seckey) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Errorf("signature error: %s", err) |
|
|
|
|
} |
|
|
|
|
compactSigCheck(t, sig) |
|
|
|
|
if len(pubkey) != 65 { |
|
|
|
|
t.Fail() |
|
|
|
|
t.Errorf("pubkey length mismatch: want: 65 have: %d", len(pubkey)) |
|
|
|
|
} |
|
|
|
|
if len(seckey) != 32 { |
|
|
|
|
t.Fail() |
|
|
|
|
t.Errorf("seckey length mismatch: want: 32 have: %d", len(seckey)) |
|
|
|
|
} |
|
|
|
|
if len(sig) != 65 { |
|
|
|
|
t.Errorf("sig length mismatch: want: 65 have: %d", len(sig)) |
|
|
|
|
} |
|
|
|
|
if len(sig) != 64+1 { |
|
|
|
|
t.Fail() |
|
|
|
|
recid := int(sig[64]) |
|
|
|
|
if recid > 4 || recid < 0 { |
|
|
|
|
t.Errorf("sig recid mismatch: want: within 0 to 4 have: %d", int(sig[64])) |
|
|
|
|
} |
|
|
|
|
if int(sig[64]) > 4 { |
|
|
|
|
t.Fail() |
|
|
|
|
} //should be 0 to 4
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//test signing message
|
|
|
|
|
func Test_Secp256_02(t *testing.T) { |
|
|
|
|
func TestSignAndRecover(t *testing.T) { |
|
|
|
|
pubkey1, seckey := GenerateKeyPair() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
sig, _ := Sign(msg, seckey) |
|
|
|
|
if sig == nil { |
|
|
|
|
t.Fatal("Signature nil") |
|
|
|
|
sig, err := Sign(msg, seckey) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Errorf("signature error: %s", err) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
pubkey2, _ := RecoverPubkey(msg, sig) |
|
|
|
|
if pubkey2 == nil { |
|
|
|
|
t.Fatal("Recovered pubkey invalid") |
|
|
|
|
pubkey2, err := RecoverPubkey(msg, sig) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Errorf("recover error: %s", err) |
|
|
|
|
} |
|
|
|
|
if bytes.Equal(pubkey1, pubkey2) == false { |
|
|
|
|
t.Fatal("Recovered pubkey does not match") |
|
|
|
|
if !bytes.Equal(pubkey1, pubkey2) { |
|
|
|
|
t.Errorf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
err := VerifySignature(msg, sig, pubkey1) |
|
|
|
|
err = VerifySignature(msg, sig, pubkey1) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Fatal("Signature invalid") |
|
|
|
|
t.Errorf("signature verification error: %s", err) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//test pubkey recovery
|
|
|
|
|
func Test_Secp256_02a(t *testing.T) { |
|
|
|
|
pubkey1, seckey1 := GenerateKeyPair() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
sig, _ := Sign(msg, seckey1) |
|
|
|
|
|
|
|
|
|
if sig == nil { |
|
|
|
|
t.Fatal("Signature nil") |
|
|
|
|
func TestRandomMessagesWithSameKey(t *testing.T) { |
|
|
|
|
pubkey, seckey := GenerateKeyPair() |
|
|
|
|
keys := func() ([]byte, []byte) { |
|
|
|
|
// Sign function zeroes the privkey so we need a new one in each call
|
|
|
|
|
newkey := make([]byte, len(seckey)) |
|
|
|
|
copy(newkey, seckey) |
|
|
|
|
return pubkey, newkey |
|
|
|
|
} |
|
|
|
|
err := VerifySignature(msg, sig, pubkey1) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Fatal("Signature invalid") |
|
|
|
|
signAndRecoverWithRandomMessages(t, keys) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
pubkey2, _ := RecoverPubkey(msg, sig) |
|
|
|
|
if len(pubkey1) != len(pubkey2) { |
|
|
|
|
t.Fatal() |
|
|
|
|
} |
|
|
|
|
for i, _ := range pubkey1 { |
|
|
|
|
if pubkey1[i] != pubkey2[i] { |
|
|
|
|
t.Fatal() |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
if bytes.Equal(pubkey1, pubkey2) == false { |
|
|
|
|
t.Fatal() |
|
|
|
|
func TestRandomMessagesWithRandomKeys(t *testing.T) { |
|
|
|
|
keys := func() ([]byte, []byte) { |
|
|
|
|
pubkey, seckey := GenerateKeyPair() |
|
|
|
|
return pubkey, seckey |
|
|
|
|
} |
|
|
|
|
signAndRecoverWithRandomMessages(t, keys) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//test random messages for the same pub/private key
|
|
|
|
|
func Test_Secp256_03(t *testing.T) { |
|
|
|
|
_, seckey := GenerateKeyPair() |
|
|
|
|
for i := 0; i < TESTS; i++ { |
|
|
|
|
func signAndRecoverWithRandomMessages(t *testing.T, keys func() ([]byte, []byte)) { |
|
|
|
|
for i := 0; i < TestCount; i++ { |
|
|
|
|
pubkey1, seckey := keys() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
sig, _ := Sign(msg, seckey) |
|
|
|
|
CompactSigTest(sig) |
|
|
|
|
sig, err := Sign(msg, seckey) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Fatalf("signature error: %s", err) |
|
|
|
|
} |
|
|
|
|
if sig == nil { |
|
|
|
|
t.Fatal("signature is nil") |
|
|
|
|
} |
|
|
|
|
compactSigCheck(t, sig) |
|
|
|
|
|
|
|
|
|
// TODO: why do we flip around the recovery id?
|
|
|
|
|
sig[len(sig)-1] %= 4 |
|
|
|
|
pubkey2, _ := RecoverPubkey(msg, sig) |
|
|
|
|
|
|
|
|
|
pubkey2, err := RecoverPubkey(msg, sig) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Fatalf("recover error: %s", err) |
|
|
|
|
} |
|
|
|
|
if pubkey2 == nil { |
|
|
|
|
t.Fail() |
|
|
|
|
t.Error("pubkey is nil") |
|
|
|
|
} |
|
|
|
|
if !bytes.Equal(pubkey1, pubkey2) { |
|
|
|
|
t.Fatalf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//test random messages for different pub/private keys
|
|
|
|
|
func Test_Secp256_04(t *testing.T) { |
|
|
|
|
for i := 0; i < TESTS; i++ { |
|
|
|
|
func TestRecoveryOfRandomSignature(t *testing.T) { |
|
|
|
|
pubkey1, seckey := GenerateKeyPair() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
sig, _ := Sign(msg, seckey) |
|
|
|
|
CompactSigTest(sig) |
|
|
|
|
|
|
|
|
|
if sig[len(sig)-1] >= 4 { |
|
|
|
|
t.Fail() |
|
|
|
|
sig, err := Sign(msg, seckey) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Errorf("signature error: %s", err) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
for i := 0; i < TestCount; i++ { |
|
|
|
|
sig = randSig() |
|
|
|
|
pubkey2, _ := RecoverPubkey(msg, sig) |
|
|
|
|
if pubkey2 == nil { |
|
|
|
|
t.Fail() |
|
|
|
|
// recovery can sometimes work, but if so should always give wrong pubkey
|
|
|
|
|
if bytes.Equal(pubkey1, pubkey2) { |
|
|
|
|
t.Fatalf("iteration: %d: pubkey mismatch: do NOT want %x: ", i, pubkey2) |
|
|
|
|
} |
|
|
|
|
if bytes.Equal(pubkey1, pubkey2) == false { |
|
|
|
|
t.Fail() |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//test random signatures against fixed messages; should fail
|
|
|
|
|
|
|
|
|
|
//crashes:
|
|
|
|
|
// -SIPA look at this
|
|
|
|
|
|
|
|
|
|
func randSig() []byte { |
|
|
|
|
sig := randentropy.GetEntropyCSPRNG(65) |
|
|
|
@ -188,67 +149,83 @@ func randSig() []byte { |
|
|
|
|
return sig |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func Test_Secp256_06a_alt0(t *testing.T) { |
|
|
|
|
func TestRandomMessagesAgainstValidSig(t *testing.T) { |
|
|
|
|
pubkey1, seckey := GenerateKeyPair() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
sig, _ := Sign(msg, seckey) |
|
|
|
|
|
|
|
|
|
if sig == nil { |
|
|
|
|
t.Fail() |
|
|
|
|
for i := 0; i < TestCount; i++ { |
|
|
|
|
msg = randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
pubkey2, _ := RecoverPubkey(msg, sig) |
|
|
|
|
// recovery can sometimes work, but if so should always give wrong pubkey
|
|
|
|
|
if bytes.Equal(pubkey1, pubkey2) { |
|
|
|
|
t.Fatalf("iteration: %d: pubkey mismatch: do NOT want %x: ", i, pubkey2) |
|
|
|
|
} |
|
|
|
|
if len(sig) != 65 { |
|
|
|
|
t.Fail() |
|
|
|
|
} |
|
|
|
|
for i := 0; i < TESTS; i++ { |
|
|
|
|
sig = randSig() |
|
|
|
|
pubkey2, _ := RecoverPubkey(msg, sig) |
|
|
|
|
|
|
|
|
|
if bytes.Equal(pubkey1, pubkey2) == true { |
|
|
|
|
t.Fail() |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if pubkey2 != nil && VerifySignature(msg, sig, pubkey2) != nil { |
|
|
|
|
t.Fail() |
|
|
|
|
func TestZeroPrivkey(t *testing.T) { |
|
|
|
|
zeroedBytes := make([]byte, 32) |
|
|
|
|
err := VerifySeckeyValidity(zeroedBytes) |
|
|
|
|
if err == nil { |
|
|
|
|
t.Errorf("zeroed bytes should have returned error") |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if VerifySignature(msg, sig, pubkey1) == nil { |
|
|
|
|
t.Fail() |
|
|
|
|
// Useful when the underlying libsecp256k1 API changes to quickly
|
|
|
|
|
// check only recover function without use of signature function
|
|
|
|
|
func TestRecoverSanity(t *testing.T) { |
|
|
|
|
msg, _ := hex.DecodeString("ce0677bb30baa8cf067c88db9811f4333d131bf8bcf12fe7065d211dce971008") |
|
|
|
|
sig, _ := hex.DecodeString("90f27b8b488db00b00606796d2987f6a5f59ae62ea05effe84fef5b8b0e549984a691139ad57a3f0b906637673aa2f63d1f55cb1a69199d4009eea23ceaddc9301") |
|
|
|
|
pubkey1, _ := hex.DecodeString("04e32df42865e97135acfb65f3bae71bdc86f4d49150ad6a440b6f15878109880a0a2b2667f7e725ceea70c673093bf67663e0312623c8e091b13cf2c0f11ef652") |
|
|
|
|
pubkey2, err := RecoverPubkey(msg, sig) |
|
|
|
|
if err != nil { |
|
|
|
|
t.Fatalf("recover error: %s", err) |
|
|
|
|
} |
|
|
|
|
if !bytes.Equal(pubkey1, pubkey2) { |
|
|
|
|
t.Errorf("pubkey mismatch: want: %x have: %x", pubkey1, pubkey2) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
//test random messages against valid signature: should fail
|
|
|
|
|
|
|
|
|
|
func Test_Secp256_06b(t *testing.T) { |
|
|
|
|
pubkey1, seckey := GenerateKeyPair() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
sig, _ := Sign(msg, seckey) |
|
|
|
|
|
|
|
|
|
fail_count := 0 |
|
|
|
|
for i := 0; i < TESTS; i++ { |
|
|
|
|
msg = randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
pubkey2, _ := RecoverPubkey(msg, sig) |
|
|
|
|
if bytes.Equal(pubkey1, pubkey2) == true { |
|
|
|
|
t.Fail() |
|
|
|
|
// tests for malleability
|
|
|
|
|
// highest bit of signature ECDSA s value must be 0, in the 33th byte
|
|
|
|
|
func compactSigCheck(t *testing.T, sig []byte) { |
|
|
|
|
var b int = int(sig[32]) |
|
|
|
|
if b < 0 { |
|
|
|
|
t.Errorf("highest bit is negative: %d", b) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if pubkey2 != nil && VerifySignature(msg, sig, pubkey2) != nil { |
|
|
|
|
t.Fail() |
|
|
|
|
if ((b >> 7) == 1) != ((b & 0x80) == 0x80) { |
|
|
|
|
t.Errorf("highest bit: %d bit >> 7: %d", b, b>>7) |
|
|
|
|
} |
|
|
|
|
if (b & 0x80) == 0x80 { |
|
|
|
|
t.Errorf("highest bit: %d bit & 0x80: %d", b, b&0x80) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if VerifySignature(msg, sig, pubkey1) == nil { |
|
|
|
|
t.Fail() |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// godep go test -v -run=XXX -bench=BenchmarkSignRandomInputEachRound
|
|
|
|
|
// add -benchtime=10s to benchmark longer for more accurate average
|
|
|
|
|
func BenchmarkSignRandomInputEachRound(b *testing.B) { |
|
|
|
|
for i := 0; i < b.N; i++ { |
|
|
|
|
b.StopTimer() |
|
|
|
|
_, seckey := GenerateKeyPair() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
b.StartTimer() |
|
|
|
|
if _, err := Sign(msg, seckey); err != nil { |
|
|
|
|
b.Fatal(err) |
|
|
|
|
} |
|
|
|
|
if fail_count != 0 { |
|
|
|
|
fmt.Printf("ERROR: Accepted signature for %v of %v random messages\n", fail_count, TESTS) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func TestInvalidKey(t *testing.T) { |
|
|
|
|
p1 := make([]byte, 32) |
|
|
|
|
err := VerifySeckeyValidity(p1) |
|
|
|
|
if err == nil { |
|
|
|
|
t.Errorf("pvk %x varify sec key should have returned error", p1) |
|
|
|
|
//godep go test -v -run=XXX -bench=BenchmarkRecoverRandomInputEachRound
|
|
|
|
|
func BenchmarkRecoverRandomInputEachRound(b *testing.B) { |
|
|
|
|
for i := 0; i < b.N; i++ { |
|
|
|
|
b.StopTimer() |
|
|
|
|
_, seckey := GenerateKeyPair() |
|
|
|
|
msg := randentropy.GetEntropyCSPRNG(32) |
|
|
|
|
sig, _ := Sign(msg, seckey) |
|
|
|
|
b.StartTimer() |
|
|
|
|
if _, err := RecoverPubkey(msg, sig); err != nil { |
|
|
|
|
b.Fatal(err) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|