## Copyright (c) 2018-2020 Status Research & Development GmbH ## Licensed under either of ## * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE)) ## * MIT license ([LICENSE-MIT](LICENSE-MIT)) ## at your option. ## This file may not be copied, modified, or distributed except according to ## those terms. ## when (NimMajor, NimMinor) < (1, 4): {.push raises: [Defect].} else: {.push raises: [].} import strformat, typetraits, stew/[byteutils, objects, results, ctops, ptrops], ./secp256k1/abi from nimcrypto/utils import burnMem export results # Implementation notes # # The goal of this wrapper is to create a thin layer on top of the API presented # in secp256k1/abi, exploiting some of its regulatities to make it slightly more # convenient to use from Nim # # * Types like keys and signatures are guaranteed to hold valid values which # simplifies reasoning about errors # * An exception is keys that have been cleared - these are no longer valid # to be passed as arguments to functions # * TODO a sink that makes the compiler guarantee that `clear` is the last # thing called on the instance # * We hide raw pointer accesses and lengths behind nim types # * We guarantee certain parameter properties, like not null and proper length, # on the Nim side - in turn, we can rely on certain errors never happening in # libsecp256k1, so we can skip checking for them # * Functions like "fromRaw/toRaw" are balanced and will always rountrip # * Functions like `fromRaw` are not called `init` because they may fail # * No CatchableErrors # * Where `secp256k1_context_no_precomp`, we surround the code with # `{.noSideEffect.}` as the compiler cannot deduce that this is a constant const SkRawSecretKeySize* = 32 # 256 div 8 ## Size of private key in octets (bytes) SkRawSignatureSize* = 64 ## Compact serialized non-recoverable signature SkDerSignatureMaxSize* = 72 ## Max bytes in DER encoding SkRawRecoverableSignatureSize* = 65 ## Size of recoverable signature in octets (bytes) SkRawSchnorrSignatureSize* = 64 ## Size of Schnorr signature in octets (bytes) SkRawPublicKeySize* = 65 ## Size of uncompressed public key in octets (bytes) SkRawCompressedPublicKeySize* = 33 ## Size of compressed public key in octets (bytes) SkRawXOnlyPublicKeySize* = 32 ## Size of x-only public key in octets (bytes) SkMessageSize* = 32 ## Size of message that can be signed SkEcdhSecretSize* = 32 ## ECDH-agreed key size type SkPublicKey* {.requiresInit.} = object ## Representation of public key. data: secp256k1_pubkey SkXOnlyPublicKey* {.requiresInit.} = object ## Representation of public key that only reveals the x-coordinate. data: secp256k1_xonly_pubkey SkSecretKey* {.requiresInit.} = object ## Representation of secret key. data: array[SkRawSecretKeySize, byte] SkKeyPair* = object ## Representation of private/public keys pair. seckey*: SkSecretKey pubkey*: SkPublicKey SkSignature* {.requiresInit.} = object ## Representation of non-recoverable signature. data: secp256k1_ecdsa_signature SkRecoverableSignature* {.requiresInit.} = object ## Representation of recoverable signature. data: secp256k1_ecdsa_recoverable_signature SkSchnorrSignature* {.requiresInit.} = object ## Representation of a Schnorr signature. data: array[SkRawSchnorrSignatureSize, byte] SkContext = object ## Representation of Secp256k1 context object. context: ptr secp256k1_context SkMessage* = distinct array[SkMessageSize, byte] ## Message that can be signed or verified SkEcdhSecret* {.requiresInit.} = object ## Representation of ECDH shared secret data*: array[SkEcdhSecretSize, byte] SkEcdhHashFunc* = secp256k1_ecdh_hash_function SkResult*[T] = Result[T, cstring] ## ## Private procedures interface ## var secpContext {.threadvar.}: SkContext ## Thread local variable which holds current context proc illegalCallback(message: cstring, data: pointer) {.cdecl, raises: [].} = # Internal panic - should never happen - all objects we pass into functions # are guaranteed valid per their type echo message echo getStackTrace() quit 1 proc errorCallback(message: cstring, data: pointer) {.cdecl, raises: [].} = # Internal panic - should never happen echo message echo getStackTrace() quit 1 template baseAddr(v: SkMessage): ptr byte = baseAddr(distinctBase(v)) proc releaseThread*(T: type SkContext): T = if not isNil(secpContext.context): secp256k1_context_destroy(secpContext.context) secpContext.context = nil proc init(T: type SkContext): T = ## Create new Secp256k1 context object - when no longer needed, it should be ## destroyed # TODO We _should_ release the context on thread shutdown but there's no # reliable way to do that short of doing it manually, which the code is # not really prepared for - unfortunately, nim finalizers are broken: # https://github.com/nim-lang/Nim/issues/4851 # A workaround is to call SkContext.releaseThread() on thread end - this # will become a no-op when the issue is fixed let flags = cuint(SECP256K1_CONTEXT_VERIFY or SECP256K1_CONTEXT_SIGN) result.context = secp256k1_context_create(flags) secp256k1_context_set_illegal_callback( result.context, illegalCallback, nil) secp256k1_context_set_error_callback( result.context, errorCallback, nil) func getContext(): ptr secp256k1_context = ## Get current `EccContext` {.noSideEffect.}: # TODO modifying the secp context here is a side effect, but not # necessarily an observable one, since the modification is done to # a thread-local variable that is only updated from within here. # Technically, it should be possible to precompute a static context # at compile time and use that instead, which would turn this into # a truly side-effect-free function, instead of an as-if-free one. if isNil(secpContext.context): secpContext = SkContext.init() secpContext.context func fromHex*(T: type seq[byte], s: string): SkResult[T] = # TODO move this to some common location and return a general error? try: ok(hexToSeqByte(s)) except CatchableError: err("secp: cannot parse hex string") type Rng* = proc(data: var openArray[byte]): bool {.raises: [Defect], gcsafe.} ## A function that fills data with random bytes from a cryptographically ## secure source or returns false FoolproofRng* = proc(data: var openArray[byte]) {.raises: [Defect], gcsafe.} ## The world will run out of fools before this RNG fails! proc random*(T: type SkSecretKey, rng: Rng): SkResult[T] = ## Generates new random private key - a cryptographically secure RNG should be ## used - see nimcrypto or bearssl for good RNG's. ## ## The random number generator in the Nim standard library `random` module is ## not cryptographically secure. ## ## This function may fail to generate a valid key if the RNG fails. In the ## current version, the random number generation will be called in a loop ## which may be vulnerable to timing attacks. Generate your keys elsewhere ## if this is a issue. var data{.noinit.}: array[SkRawSecretKeySize, byte] while rng(data): if secp256k1_ec_seckey_verify(secp256k1_context_no_precomp, data.baseAddr) == 1: return ok(T(data: data)) return err("secp: cannot get random bytes for key") proc random*(T: type SkSecretKey, rng: FoolproofRng): T = ## Generates new random private key - a cryptographically secure RNG should be ## used - see nimcrypto or bearssl for good RNG's. ## ## The random number generator in the Nim standard library `random` module is ## not cryptographically secure. ## ## This function may fail to generate a valid key if the RNG fails, in which ## case it will raise a Defect. ## ## In the current version, the random number generation will be called in a ## loop which may be vulnerable to timing attacks. Generate your keys ## elsewhere if this is a issue. var data{.noinit.}: array[SkRawSecretKeySize, byte] for _ in 0..1000*1000: rng(data) if secp256k1_ec_seckey_verify(secp256k1_context_no_precomp, data.baseAddr) == 1: return T(data: data) result = T(data: default(array[32, byte])) # Silence compiler # All-zeroes all the time for example will break this function raiseAssert "RNG not giving random enough bytes, can't create valid key" func fromRaw*(T: type SkSecretKey, data: openArray[byte]): SkResult[T] = ## Load a valid private key, as created by `toRaw` if len(data) < SkRawSecretKeySize: return err(static(&"secp: raw private key should be {SkRawSecretKeySize} bytes")) if secp256k1_ec_seckey_verify(secp256k1_context_no_precomp, data.baseAddr) != 1: return err("secp: invalid private key") ok(T(data: toArray(32, data.toOpenArray(0, SkRawSecretKeySize - 1)))) func fromHex*(T: type SkSecretKey, data: string): SkResult[T] = ## Initialize Secp256k1 `private key` ``key`` from hexadecimal string ## representation ``data``. T.fromRaw(? seq[byte].fromHex(data)) func toRaw*(seckey: SkSecretKey): array[SkRawSecretKeySize, byte] = ## Serialize Secp256k1 `private key` ``key`` to raw binary form seckey.data func toHex*(seckey: SkSecretKey): string = toHex(toRaw(seckey)) func toPublicKey*(key: SkSecretKey): SkPublicKey = ## Calculate and return Secp256k1 `public key` from `private key` ``key``. var pubkey {.noinit.}: secp256k1_pubkey let res = secp256k1_ec_pubkey_create( getContext(), addr pubkey, key.data.baseAddr) doAssert res == 1, "Valid private keys should always have a corresponding pub" SkPublicKey(data: pubkey) func fromRaw*(T: type SkPublicKey, data: openArray[byte]): SkResult[T] = ## Initialize Secp256k1 `public key` ``key`` from raw binary ## representation ``data``, which may be compressed, uncompressed or hybrid if len(data) < SkRawCompressedPublicKeySize: return err(static( &"secp: public key must be {SkRawCompressedPublicKeySize} or {SkRawPublicKeySize} bytes")) var length: int if data[0] == 0x02'u8 or data[0] == 0x03'u8: length = min(len(data), SkRawCompressedPublicKeySize) elif data[0] == 0x04'u8 or data[0] == 0x06'u8 or data[0] == 0x07'u8: length = min(len(data), SkRawPublicKeySize) else: return err("secp: public key format not recognised") var key {.noinit.}: secp256k1_pubkey if secp256k1_ec_pubkey_parse( secp256k1_context_no_precomp, addr key, data.baseAddr, csize_t(length)) != 1: return err("secp: cannot parse public key") ok(SkPublicKey(data: key)) func fromHex*(T: type SkPublicKey, data: string): SkResult[T] = ## Initialize Secp256k1 `public key` ``key`` from hexadecimal string ## representation ``data``. T.fromRaw(? seq[byte].fromHex(data)) func toRaw*(pubkey: SkPublicKey): array[SkRawPublicKeySize, byte] = ## Serialize Secp256k1 `public key` ``key`` to raw uncompressed form var length = csize_t(len(result)) let res = secp256k1_ec_pubkey_serialize( secp256k1_context_no_precomp, result.baseAddr, addr length, unsafeAddr pubkey.data, SECP256K1_EC_UNCOMPRESSED) doAssert res == 1, "Can't fail, per documentation" func toHex*(pubkey: SkPublicKey): string = toHex(toRaw(pubkey)) func toRawCompressed*(pubkey: SkPublicKey): array[SkRawCompressedPublicKeySize, byte] = ## Serialize Secp256k1 `public key` ``key`` to raw compressed form var length = csize_t(len(result)) let res = secp256k1_ec_pubkey_serialize( secp256k1_context_no_precomp, result.baseAddr, addr length, unsafeAddr pubkey.data, SECP256K1_EC_COMPRESSED) doAssert res == 1, "Can't fail, per documentation" func toHexCompressed*(pubkey: SkPublicKey): string = toHex(toRawCompressed(pubkey)) func toXOnly*(pk: SkPublicKey): SkXOnlyPublicKey = ## Gets a pubkey that reveals only the x-coordinate on the curve. var data {.noinit.}: secp256k1_xonly_pubkey let res = secp256k1_xonly_pubkey_from_pubkey( secp256k1_context_no_precomp, addr data, nil, unsafeAddr pk.data) doAssert res == 1, "cannot get xonly pubkey from pubkey, key invalid?" SkXOnlyPublicKey(data: data) func fromRaw*(T: type SkXOnlyPublicKey, data: openArray[byte]): SkResult[T] = ## Initialize Secp256k1 `x-only public key` ``key`` from raw binary ## representation ``data``. if len(data) != SkRawXOnlyPublicKeySize: return err(static( &"secp: x-only public key must be {SkRawXOnlyPublicKeySize} bytes")) var key {.noinit.}: secp256k1_xonly_pubkey if secp256k1_xonly_pubkey_parse( secp256k1_context_no_precomp, addr key, data.baseAddr) != 1: return err("secp: cannot parse x-only public key") ok(SkXOnlyPublicKey(data: key)) func fromHex*(T: type SkXOnlyPublicKey, data: string): SkResult[T] = ## Initialize Secp256k1 `x-only public key` ``key`` from hexadecimal string ## representation ``data``. T.fromRaw(? seq[byte].fromHex(data)) func toRaw*(pubkey: SkXOnlyPublicKey): array[SkRawXOnlyPublicKeySize, byte] = ## Serialize Secp256k1 `x-only public key` ``key`` to raw form. let res = secp256k1_xonly_pubkey_serialize( secp256k1_context_no_precomp, result.baseAddr, unsafeAddr pubkey.data) doAssert res == 1, "Can't fail, per documentation" func toHex*(pubkey: SkXOnlyPublicKey): string = toHex(toRaw(pubkey)) func fromRaw*(T: type SkSignature, data: openArray[byte]): SkResult[T] = ## Load compact signature from data if data.len() < SkRawSignatureSize: return err(static(&"secp: signature must be {SkRawSignatureSize} bytes")) var sig {.noinit.}: secp256k1_ecdsa_signature if secp256k1_ecdsa_signature_parse_compact( secp256k1_context_no_precomp, addr sig, data.baseAddr) != 1: return err("secp: cannot parse signaure") ok(T(data: sig)) func fromDer*(T: type SkSignature, data: openArray[byte]): SkResult[T] = ## Initialize Secp256k1 `signature` ``sig`` from DER ## representation ``data``. if len(data) < 1: return err("secp: DER signature too short") var sig {.noinit.}: secp256k1_ecdsa_signature if secp256k1_ecdsa_signature_parse_der( secp256k1_context_no_precomp, addr sig, data.baseAddr, csize_t(len(data))) != 1: return err("secp: cannot parse DER signature") ok(T(data: sig)) func fromHex*(T: type SkSignature, data: string): SkResult[T] = ## Initialize Secp256k1 `signature` ``sig`` from hexadecimal string ## representation ``data``. T.fromRaw(? seq[byte].fromHex(data)) func toRaw*(sig: SkSignature): array[SkRawSignatureSize, byte] = ## Serialize signature to compact binary form let res = secp256k1_ecdsa_signature_serialize_compact( secp256k1_context_no_precomp, result.baseAddr, unsafeAddr sig.data) doAssert res == 1, "Can't fail, per documentation" func toDer*(sig: SkSignature, data: var openArray[byte]): int = ## Serialize Secp256k1 `signature` ``sig`` to raw binary form and store it ## to ``data``. ## ## Returns number of bytes (octets) needed to store secp256k1 signature - if ## this is more than `data.len`, `data` is not written to. var buffer: array[SkDerSignatureMaxSize, byte] var plength = csize_t(len(buffer)) let res = secp256k1_ecdsa_signature_serialize_der( secp256k1_context_no_precomp, buffer.baseAddr, addr plength, unsafeAddr sig.data) doAssert res == 1, "Can't fail, per documentation" result = int(plength) if len(data) >= result: copyMem(addr data[0], addr buffer[0], result) func toDer*(sig: SkSignature): seq[byte] = ## Serialize Secp256k1 `signature` and return it. result = newSeq[byte](72) let length = toDer(sig, result) result.setLen(length) func toHex*(sig: SkSignature): string = toHex(toRaw(sig)) func fromRaw*(T: type SkRecoverableSignature, data: openArray[byte]): SkResult[T] = if data.len() < SkRawRecoverableSignatureSize: return err( static(&"secp: recoverable signature must be {SkRawRecoverableSignatureSize} bytes")) let recid = cint(data[64]) if recid < 0 or recid > 3: return err("secp: recoverable signature's recid must be >= 0 and <= 3") var sig {.noinit.}: secp256k1_ecdsa_recoverable_signature if secp256k1_ecdsa_recoverable_signature_parse_compact( secp256k1_context_no_precomp, addr sig, data.baseAddr, recid) != 1: return err("secp: invalid recoverable signature") ok(T(data: sig)) func fromHex*(T: type SkRecoverableSignature, data: string): SkResult[T] = ## Initialize Secp256k1 `signature` ``sig`` from hexadecimal string ## representation ``data``. T.fromRaw(? seq[byte].fromHex(data)) func toRaw*(sig: SkRecoverableSignature): array[SkRawRecoverableSignatureSize, byte] = ## Converts recoverable signature to compact binary form var recid = cint(0) let res = secp256k1_ecdsa_recoverable_signature_serialize_compact( secp256k1_context_no_precomp, result.baseAddr, addr recid, unsafeAddr sig.data) doAssert res == 1, "Can't fail, per documentation" result[64] = byte(recid) func toHex*(sig: SkRecoverableSignature): string = toHex(toRaw(sig)) func fromRaw*(T: type SkSchnorrSignature, data: openArray[byte]): SkResult[T] = ## Load Schnorr `signature` from data as created by `toRaw`. if len(data) < SkRawSchnorrSignatureSize: return err(static(&"secp: raw schnorr signature should be {SkRawSchnorrSignatureSize} bytes")) ok(T(data: toArray(64, data.toOpenArray(0, SkRawSchnorrSignatureSize - 1)))) func fromHex*(T: type SkSchnorrSignature, data: string): SkResult[T] = ## Initialize Schnorr `signature` from hexadecimal string representation ``data``. T.fromRaw(? seq[byte].fromHex(data)) func toRaw*(sig: SkSchnorrSignature): array[SkRawSchnorrSignatureSize, byte] = ## Serialize Schnorr `signature` ``sig`` to raw binary form. sig.data func toHex*(sig: SkSchnorrSignature): string = toHex(toRaw(sig)) proc random*(T: type SkKeyPair, rng: Rng): SkResult[T] = ## Generates new random key pair. let seckey = ? SkSecretKey.random(rng) ok(T( seckey: seckey, pubkey: seckey.toPublicKey() )) proc random*(T: type SkKeyPair, rng: FoolproofRng): T = ## Generates new random key pair. let seckey = SkSecretKey.random(rng) T( seckey: seckey, pubkey: seckey.toPublicKey() ) func `==`*(lhs, rhs: SkPublicKey): bool = ## Compare Secp256k1 `public key` objects for equality. CT.isEqual(lhs.toRaw(), rhs.toRaw()) func `==`*(lhs, rhs: SkSignature): bool = ## Compare Secp256k1 `signature` objects for equality. CT.isEqual(lhs.toRaw(), rhs.toRaw()) func `==`*(lhs, rhs: SkXOnlyPublicKey): bool = ## Compare Secp256k1 `x-only public key` objects for equality. CT.isEqual(lhs.toRaw(), rhs.toRaw()) func `==`*(lhs, rhs: SkRecoverableSignature): bool = ## Compare Secp256k1 `recoverable signature` objects for equality. CT.isEqual(lhs.toRaw(), rhs.toRaw()) func `==`*(lhs, rhs: SkSchnorrSignature): bool = ## Compare Schnorr signature objects for equality. CT.isEqual(lhs.toRaw(), rhs.toRaw()) func sign*(key: SkSecretKey, msg: SkMessage): SkSignature = ## Sign message `msg` using private key `key` and return signature object. ## It is recommended that `msg` is produced by hashing the input data to ## a 32-byte hash, like sha256. var data {.noinit.}: secp256k1_ecdsa_signature let res = secp256k1_ecdsa_sign( getContext(), addr data, msg.baseAddr, key.data.baseAddr, nil, nil) doAssert res == 1, "cannot create signature, key invalid?" SkSignature(data: data) func signRecoverable*(key: SkSecretKey, msg: SkMessage): SkRecoverableSignature = ## Sign message `msg` using private key `key` and return signature object. var data {.noinit.}: secp256k1_ecdsa_recoverable_signature let res = secp256k1_ecdsa_sign_recoverable( getContext(), addr data, msg.baseAddr, key.data.baseAddr, nil, nil) doAssert res == 1, "cannot create recoverable signature, key invalid?" SkRecoverableSignature(data: data) template signSchnorrImpl(signMsg: untyped): untyped = var kp {.noinit, inject.}: secp256k1_keypair let res = secp256k1_keypair_create( getContext(), addr kp, key.data.baseAddr) doAssert res == 1, "cannot create keypair, key invalid?" var data {.noinit, inject.}: array[SkRawSchnorrSignatureSize, byte] let res2 = signMsg doAssert res2 == 1, "cannot create signature, key invalid?" SkSchnorrSignature(data: data) func signSchnorr*(key: SkSecretKey, msg: SkMessage, randbytes: Opt[array[32, byte]]): SkSchnorrSignature = ## Sign message `msg` using private key `key` with the Schnorr signature algorithm and return signature object. ## `randbytes` should be an array of 32 freshly generated random bytes. let aux_rand32 = if randbytes.isSome: randbytes[].baseAddr else: nil signSchnorrImpl( secp256k1_schnorrsig_sign32( getContext(), data.baseAddr, msg.baseAddr, addr kp, aux_rand32)) func signSchnorr*(key: SkSecretKey, msg: openArray[byte], randbytes: Opt[array[32, byte]]): SkSchnorrSignature = ## Sign message `msg` using private key `key` with the Schnorr signature algorithm and return signature object. ## `randbytes` should be an array of 32 freshly generated random bytes. let aux_rand32 = if randbytes.isSome: randbytes[].baseAddr else: nil let extraparams = secp256k1_schnorrsig_extraparams(magic: SECP256K1_SCHNORRSIG_EXTRAPARAMS_MAGIC, noncefp: nil, ndata: aux_rand32) signSchnorrImpl( secp256k1_schnorrsig_sign_custom( getContext(), data.baseAddr, msg.baseAddr, csize_t msg.len, addr kp, unsafeAddr extraparams)) template signSchnorrRngImpl(): untyped = var randbytes: array[32, byte] if rng(randbytes): return ok(signSchnorr(key, msg, Opt.some randbytes)) return err("secp: cannot get random bytes for signature") proc signSchnorr*(key: SkSecretKey, msg: SkMessage, rng: Rng): SkResult[SkSchnorrSignature] {.inline.} = ## Sign message `msg` using private key `key` with the Schnorr signature algorithm and return signature object. ## Uses ``rng`` to generate 32-bytes of random data for signature generation. signSchnorrRngImpl() proc signSchnorr*(key: SkSecretKey, msg: openArray[byte], rng: Rng): SkResult[SkSchnorrSignature] {.inline.} = ## Sign message `msg` using private key `key` with the Schnorr signature algorithm and return signature object. ## Uses ``rng`` to generate 32-bytes of random data for signature generation. signSchnorrRngImpl() template signSchnorrFoolproofRngImpl(): untyped = var randbytes: array[32, byte] rng(randbytes) return signSchnorr(key, msg, Opt.some randbytes) proc signSchnorr*(key: SkSecretKey, msg: SkMessage, rng: FoolproofRng): SkSchnorrSignature {.inline.} = ## Sign message `msg` using private key `key` with the Schnorr signature algorithm and return signature object. ## Uses ``rng`` to generate 32-bytes of random data for signature generation. signSchnorrFoolproofRngImpl() proc signSchnorr*(key: SkSecretKey, msg: openArray[byte], rng: FoolproofRng): SkSchnorrSignature {.inline.} = ## Sign message `msg` using private key `key` with the Schnorr signature algorithm and return signature object. ## Uses ``rng`` to generate 32-bytes of random data for signature generation. signSchnorrFoolproofRngImpl() func verify*(sig: SkSignature, msg: SkMessage, key: SkPublicKey): bool = secp256k1_ecdsa_verify( getContext(), unsafeAddr sig.data, msg.baseAddr, unsafeAddr key.data) == 1 func verify*(sig: SkSchnorrSignature, msg: SkMessage, pubkey: SkXOnlyPublicKey): bool = secp256k1_schnorrsig_verify( getContext(), unsafeAddr sig.data[0], msg.baseAddr, csize_t SkMessageSize, unsafeAddr pubkey.data) == 1 func verify*(sig: SkSchnorrSignature, msg: openArray[byte], pubkey: SkXOnlyPublicKey): bool = secp256k1_schnorrsig_verify( getContext(), unsafeAddr sig.data[0], msg.baseAddr, csize_t msg.len, unsafeAddr pubkey.data) == 1 template verify*(sig: SkSchnorrSignature, msg: SkMessage, pubkey: SkPublicKey): bool = verify(sig, msg, pubkey.toXOnly) template verify*(sig: SkSchnorrSignature, msg: openArray[byte], pubkey: SkPublicKey): bool = verify(sig, msg, pubkey.toXOnly) func recover*(sig: SkRecoverableSignature, msg: SkMessage): SkResult[SkPublicKey] = var data {.noinit.}: secp256k1_pubkey if secp256k1_ecdsa_recover( getContext(), addr data, unsafeAddr sig.data, msg.baseAddr) != 1: return err("secp: cannot recover public key from signature") ok(SkPublicKey(data: data)) func ecdh*(seckey: SkSecretKey, pubkey: SkPublicKey): SkEcdhSecret = ## Calculate ECDH shared secret. ## Default hash function and `requiresInit` should prevent this function ## from failing. var secret {.noinit.}: array[SkEcdhSecretSize, byte] let res = secp256k1_ecdh( secp256k1_context_no_precomp, secret.baseAddr, unsafeAddr pubkey.data, seckey.data.baseAddr) doAssert res == 1, "cannot compute ECDH secret, keys invalid?" SkEcdhSecret(data: secret) func ecdh*[N: static[int]](seckey: SkSecretKey, pubkey: SkPublicKey, hashfn: SkEcdhHashFunc, data: pointer): SkResult[array[N, byte]] = ## Calculate ECDH shared secret using custom hash function. ## This function may fail if the custom hash function return zero ## although other inputs have been initialized properly. var secret {.noinit.}: array[N, byte] if secp256k1_ecdh( secp256k1_context_no_precomp, secret.baseAddr, unsafeAddr pubkey.data, seckey.data.baseAddr, hashfn, data) != 1: return err("cannot compute ECDH secret, keys invalid?") ok(secret) func clear*(v: var SkSecretKey) = ## Wipe and clear memory of Secp256k1 `private key`. ## After calling this function, the key is invalid and using it elsewhere will ## result in undefined behaviour or Defect burnMem(v.data) func clear*(v: var SkEcdhSecret) = ## Wipe and clear memory of ECDH `shared secret`. ## After calling this function, the key is invalid and using it elsewhere will ## result in undefined behaviour or Defect burnMem(v.data) func `$`*( v: SkPublicKey | SkSecretKey | SkXOnlyPublicKey | SkSignature | SkRecoverableSignature | SkSchnorrSignature): string = toHex(v) func fromBytes*(T: type SkMessage, data: openArray[byte]): SkResult[SkMessage] = if data.len() != SkMessageSize: return err("Message must be 32 bytes") ok(SkMessage(toArray(SkMessageSize, data))) # Close `requiresInit` loophole # TODO replace `requiresInit` with a pragma that does the expected thing proc default*(T: type SkPublicKey): T {.error: "loophole".} proc default*(T: type SkSecretKey): T {.error: "loophole".} proc default*(T: type SkXOnlyPublicKey): T {.error: "loophole".} proc default*(T: type SkSignature): T {.error: "loophole".} proc default*(T: type SkRecoverableSignature): T {.error: "loophole".} proc default*(T: type SkSchnorrSignature): T {.error: "loophole".} proc default*(T: type SkEcdhSecret): T {.error: "loophole".} func tweakAdd*(secretKey: var SkSecretKey, tweak: openArray[byte]): SkResult[void] = let res = secp256k1_ec_privkey_tweak_add( secp256k1_context_no_precomp, secretKey.data.baseAddr, tweak.baseAddr) if res != 1: err("Tweak out of range, or invalid private key") else: ok() func tweakMul*(secretKey: var SkSecretKey, tweak: openArray[byte]): SkResult[void] = let res = secp256k1_ec_privkey_tweak_mul( secp256k1_context_no_precomp, secretKey.data.baseAddr, tweak.baseAddr) if res != 1: err("Tweak out of range, or equal to zero") else: ok()