1 /***********************************************************************
2 * Copyright (c) 2020 Jonas Nick *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
7 #ifndef SECP256K1_MODULE_EXTRAKEYS_TESTS_H
8 #define SECP256K1_MODULE_EXTRAKEYS_TESTS_H
10 #include "secp256k1_extrakeys.h"
12 static secp256k1_context* api_test_context(int flags, int *ecount) {
13 secp256k1_context *ctx0 = secp256k1_context_create(flags);
14 secp256k1_context_set_error_callback(ctx0, counting_illegal_callback_fn, ecount);
15 secp256k1_context_set_illegal_callback(ctx0, counting_illegal_callback_fn, ecount);
19 void test_xonly_pubkey(void) {
21 secp256k1_xonly_pubkey xonly_pk, xonly_pk_tmp;
26 unsigned char xy_sk[32];
27 unsigned char buf32[32];
28 unsigned char ones32[32];
29 unsigned char zeros64[64] = { 0 };
34 secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
35 secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
36 secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
38 secp256k1_testrand256(sk);
39 memset(ones32, 0xFF, 32);
40 secp256k1_testrand256(xy_sk);
41 CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
42 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
44 /* Test xonly_pubkey_from_pubkey */
46 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
47 CHECK(secp256k1_xonly_pubkey_from_pubkey(sign, &xonly_pk, &pk_parity, &pk) == 1);
48 CHECK(secp256k1_xonly_pubkey_from_pubkey(verify, &xonly_pk, &pk_parity, &pk) == 1);
49 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, NULL, &pk_parity, &pk) == 0);
51 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1);
52 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, NULL) == 0);
54 memset(&pk, 0, sizeof(pk));
55 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 0);
58 /* Choose a secret key such that the resulting pubkey and xonly_pubkey match. */
59 memset(sk, 0, sizeof(sk));
61 CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
62 CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
63 CHECK(secp256k1_memcmp_var(&pk, &xonly_pk, sizeof(pk)) == 0);
64 CHECK(pk_parity == 0);
66 /* Choose a secret key such that pubkey and xonly_pubkey are each others
69 CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
70 CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
71 CHECK(secp256k1_memcmp_var(&xonly_pk, &pk, sizeof(xonly_pk)) != 0);
72 CHECK(pk_parity == 1);
73 secp256k1_pubkey_load(ctx, &pk1, &pk);
74 secp256k1_pubkey_load(ctx, &pk2, (secp256k1_pubkey *) &xonly_pk);
75 CHECK(secp256k1_fe_equal(&pk1.x, &pk2.x) == 1);
76 secp256k1_fe_negate(&y, &pk2.y, 1);
77 CHECK(secp256k1_fe_equal(&pk1.y, &y) == 1);
79 /* Test xonly_pubkey_serialize and xonly_pubkey_parse */
81 CHECK(secp256k1_xonly_pubkey_serialize(none, NULL, &xonly_pk) == 0);
83 CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, NULL) == 0);
84 CHECK(secp256k1_memcmp_var(buf32, zeros64, 32) == 0);
87 /* A pubkey filled with 0s will fail to serialize due to pubkey_load
89 secp256k1_xonly_pubkey pk_tmp;
90 memset(&pk_tmp, 0, sizeof(pk_tmp));
91 CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, &pk_tmp) == 0);
93 /* pubkey_load called illegal callback */
96 CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, &xonly_pk) == 1);
98 CHECK(secp256k1_xonly_pubkey_parse(none, NULL, buf32) == 0);
100 CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, NULL) == 0);
103 /* Serialization and parse roundtrip */
104 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1);
105 CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1);
106 CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk_tmp, buf32) == 1);
107 CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(xonly_pk)) == 0);
109 /* Test parsing invalid field elements */
110 memset(&xonly_pk, 1, sizeof(xonly_pk));
111 /* Overflowing field element */
112 CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, ones32) == 0);
113 CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
114 memset(&xonly_pk, 1, sizeof(xonly_pk));
115 /* There's no point with x-coordinate 0 on secp256k1 */
116 CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, zeros64) == 0);
117 CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
118 /* If a random 32-byte string can not be parsed with ec_pubkey_parse
119 * (because interpreted as X coordinate it does not correspond to a point on
120 * the curve) then xonly_pubkey_parse should fail as well. */
121 for (i = 0; i < count; i++) {
122 unsigned char rand33[33];
123 secp256k1_testrand256(&rand33[1]);
124 rand33[0] = SECP256K1_TAG_PUBKEY_EVEN;
125 if (!secp256k1_ec_pubkey_parse(ctx, &pk, rand33, 33)) {
126 memset(&xonly_pk, 1, sizeof(xonly_pk));
127 CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 0);
128 CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
130 CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 1);
135 secp256k1_context_destroy(none);
136 secp256k1_context_destroy(sign);
137 secp256k1_context_destroy(verify);
140 void test_xonly_pubkey_tweak(void) {
141 unsigned char zeros64[64] = { 0 };
142 unsigned char overflows[32];
143 unsigned char sk[32];
144 secp256k1_pubkey internal_pk;
145 secp256k1_xonly_pubkey internal_xonly_pk;
146 secp256k1_pubkey output_pk;
148 unsigned char tweak[32];
152 secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
153 secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
154 secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
156 memset(overflows, 0xff, sizeof(overflows));
157 secp256k1_testrand256(tweak);
158 secp256k1_testrand256(sk);
159 CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1);
160 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
163 CHECK(secp256k1_xonly_pubkey_tweak_add(none, &output_pk, &internal_xonly_pk, tweak) == 0);
165 CHECK(secp256k1_xonly_pubkey_tweak_add(sign, &output_pk, &internal_xonly_pk, tweak) == 0);
167 CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1);
168 CHECK(secp256k1_xonly_pubkey_tweak_add(verify, NULL, &internal_xonly_pk, tweak) == 0);
170 CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, NULL, tweak) == 0);
172 /* NULL internal_xonly_pk zeroes the output_pk */
173 CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
174 CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, NULL) == 0);
176 /* NULL tweak zeroes the output_pk */
177 CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
179 /* Invalid tweak zeroes the output_pk */
180 CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, overflows) == 0);
181 CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
183 /* A zero tweak is fine */
184 CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, zeros64) == 1);
186 /* Fails if the resulting key was infinity */
187 for (i = 0; i < count; i++) {
188 secp256k1_scalar scalar_tweak;
189 /* Because sk may be negated before adding, we need to try with tweak =
190 * sk as well as tweak = -sk. */
191 secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
192 secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
193 secp256k1_scalar_get_b32(tweak, &scalar_tweak);
194 CHECK((secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, sk) == 0)
195 || (secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0));
196 CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
199 /* Invalid pk with a valid tweak */
200 memset(&internal_xonly_pk, 0, sizeof(internal_xonly_pk));
201 secp256k1_testrand256(tweak);
203 CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0);
205 CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
207 secp256k1_context_destroy(none);
208 secp256k1_context_destroy(sign);
209 secp256k1_context_destroy(verify);
212 void test_xonly_pubkey_tweak_check(void) {
213 unsigned char zeros64[64] = { 0 };
214 unsigned char overflows[32];
215 unsigned char sk[32];
216 secp256k1_pubkey internal_pk;
217 secp256k1_xonly_pubkey internal_xonly_pk;
218 secp256k1_pubkey output_pk;
219 secp256k1_xonly_pubkey output_xonly_pk;
220 unsigned char output_pk32[32];
221 unsigned char buf32[32];
223 unsigned char tweak[32];
226 secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
227 secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
228 secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
230 memset(overflows, 0xff, sizeof(overflows));
231 secp256k1_testrand256(tweak);
232 secp256k1_testrand256(sk);
233 CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1);
234 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
237 CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1);
238 CHECK(secp256k1_xonly_pubkey_from_pubkey(verify, &output_xonly_pk, &pk_parity, &output_pk) == 1);
239 CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &output_xonly_pk) == 1);
240 CHECK(secp256k1_xonly_pubkey_tweak_add_check(none, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
242 CHECK(secp256k1_xonly_pubkey_tweak_add_check(sign, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
244 CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
245 CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, NULL, pk_parity, &internal_xonly_pk, tweak) == 0);
247 /* invalid pk_parity value */
248 CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, 2, &internal_xonly_pk, tweak) == 0);
250 CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, NULL, tweak) == 0);
252 CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, NULL) == 0);
255 memset(tweak, 1, sizeof(tweak));
256 CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, NULL, &internal_pk) == 1);
257 CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1);
258 CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1);
259 CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk32, &output_xonly_pk) == 1);
260 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1);
262 /* Wrong pk_parity */
263 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0);
264 /* Wrong public key */
265 CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &internal_xonly_pk) == 1);
266 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
268 /* Overflowing tweak not allowed */
269 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0);
270 CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0);
271 CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
274 secp256k1_context_destroy(none);
275 secp256k1_context_destroy(sign);
276 secp256k1_context_destroy(verify);
279 /* Starts with an initial pubkey and recursively creates N_PUBKEYS - 1
280 * additional pubkeys by calling tweak_add. Then verifies every tweak starting
281 * from the last pubkey. */
283 void test_xonly_pubkey_tweak_recursive(void) {
284 unsigned char sk[32];
285 secp256k1_pubkey pk[N_PUBKEYS];
286 unsigned char pk_serialized[32];
287 unsigned char tweak[N_PUBKEYS - 1][32];
290 secp256k1_testrand256(sk);
291 CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk) == 1);
293 for (i = 0; i < N_PUBKEYS - 1; i++) {
294 secp256k1_xonly_pubkey xonly_pk;
295 memset(tweak[i], i + 1, sizeof(tweak[i]));
296 CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i]) == 1);
297 CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &pk[i + 1], &xonly_pk, tweak[i]) == 1);
301 for (i = N_PUBKEYS - 1; i > 0; i--) {
302 secp256k1_xonly_pubkey xonly_pk;
304 CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk[i]) == 1);
305 CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk_serialized, &xonly_pk) == 1);
306 CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i - 1]) == 1);
307 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1);
312 void test_keypair(void) {
313 unsigned char sk[32];
314 unsigned char sk_tmp[32];
315 unsigned char zeros96[96] = { 0 };
316 unsigned char overflows[32];
317 secp256k1_keypair keypair;
318 secp256k1_pubkey pk, pk_tmp;
319 secp256k1_xonly_pubkey xonly_pk, xonly_pk_tmp;
320 int pk_parity, pk_parity_tmp;
322 secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
323 secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
324 secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
326 CHECK(sizeof(zeros96) == sizeof(keypair));
327 memset(overflows, 0xFF, sizeof(overflows));
329 /* Test keypair_create */
331 secp256k1_testrand256(sk);
332 CHECK(secp256k1_keypair_create(none, &keypair, sk) == 0);
333 CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
335 CHECK(secp256k1_keypair_create(verify, &keypair, sk) == 0);
336 CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
338 CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
339 CHECK(secp256k1_keypair_create(sign, NULL, sk) == 0);
341 CHECK(secp256k1_keypair_create(sign, &keypair, NULL) == 0);
342 CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
345 /* Invalid secret key */
346 CHECK(secp256k1_keypair_create(sign, &keypair, zeros96) == 0);
347 CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
348 CHECK(secp256k1_keypair_create(sign, &keypair, overflows) == 0);
349 CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
351 /* Test keypair_pub */
353 secp256k1_testrand256(sk);
354 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
355 CHECK(secp256k1_keypair_pub(none, &pk, &keypair) == 1);
356 CHECK(secp256k1_keypair_pub(none, NULL, &keypair) == 0);
358 CHECK(secp256k1_keypair_pub(none, &pk, NULL) == 0);
360 CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0);
362 /* Using an invalid keypair is fine for keypair_pub */
363 memset(&keypair, 0, sizeof(keypair));
364 CHECK(secp256k1_keypair_pub(none, &pk, &keypair) == 1);
365 CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0);
367 /* keypair holds the same pubkey as pubkey_create */
368 CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
369 CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
370 CHECK(secp256k1_keypair_pub(none, &pk_tmp, &keypair) == 1);
371 CHECK(secp256k1_memcmp_var(&pk, &pk_tmp, sizeof(pk)) == 0);
373 /** Test keypair_xonly_pub **/
375 secp256k1_testrand256(sk);
376 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
377 CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1);
378 CHECK(secp256k1_keypair_xonly_pub(none, NULL, &pk_parity, &keypair) == 0);
380 CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, NULL, &keypair) == 1);
381 CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, NULL) == 0);
383 CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0);
384 /* Using an invalid keypair will set the xonly_pk to 0 (first reset
386 CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1);
387 memset(&keypair, 0, sizeof(keypair));
388 CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 0);
389 CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0);
392 /** keypair holds the same xonly pubkey as pubkey_create **/
393 CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
394 CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
395 CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
396 CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1);
397 CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(pk)) == 0);
398 CHECK(pk_parity == pk_parity_tmp);
400 /* Test keypair_seckey */
402 secp256k1_testrand256(sk);
403 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
404 CHECK(secp256k1_keypair_sec(none, sk_tmp, &keypair) == 1);
405 CHECK(secp256k1_keypair_sec(none, NULL, &keypair) == 0);
407 CHECK(secp256k1_keypair_sec(none, sk_tmp, NULL) == 0);
409 CHECK(secp256k1_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0);
411 /* keypair returns the same seckey it got */
412 CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
413 CHECK(secp256k1_keypair_sec(none, sk_tmp, &keypair) == 1);
414 CHECK(secp256k1_memcmp_var(sk, sk_tmp, sizeof(sk_tmp)) == 0);
417 /* Using an invalid keypair is fine for keypair_seckey */
418 memset(&keypair, 0, sizeof(keypair));
419 CHECK(secp256k1_keypair_sec(none, sk_tmp, &keypair) == 1);
420 CHECK(secp256k1_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0);
422 secp256k1_context_destroy(none);
423 secp256k1_context_destroy(sign);
424 secp256k1_context_destroy(verify);
427 void test_keypair_add(void) {
428 unsigned char sk[32];
429 secp256k1_keypair keypair;
430 unsigned char overflows[32];
431 unsigned char zeros96[96] = { 0 };
432 unsigned char tweak[32];
435 secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
436 secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
437 secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
439 CHECK(sizeof(zeros96) == sizeof(keypair));
440 secp256k1_testrand256(sk);
441 secp256k1_testrand256(tweak);
442 memset(overflows, 0xFF, 32);
443 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
445 CHECK(secp256k1_keypair_xonly_tweak_add(none, &keypair, tweak) == 0);
447 CHECK(secp256k1_keypair_xonly_tweak_add(sign, &keypair, tweak) == 0);
449 CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 1);
450 CHECK(secp256k1_keypair_xonly_tweak_add(verify, NULL, tweak) == 0);
452 CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, NULL) == 0);
454 /* This does not set the keypair to zeroes */
455 CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) != 0);
457 /* Invalid tweak zeroes the keypair */
458 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
459 CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, overflows) == 0);
460 CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0);
462 /* A zero tweak is fine */
463 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
464 CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, zeros96) == 1);
466 /* Fails if the resulting keypair was (sk=0, pk=infinity) */
467 for (i = 0; i < count; i++) {
468 secp256k1_scalar scalar_tweak;
469 secp256k1_keypair keypair_tmp;
470 secp256k1_testrand256(sk);
471 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
472 memcpy(&keypair_tmp, &keypair, sizeof(keypair));
473 /* Because sk may be negated before adding, we need to try with tweak =
474 * sk as well as tweak = -sk. */
475 secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
476 secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
477 secp256k1_scalar_get_b32(tweak, &scalar_tweak);
478 CHECK((secp256k1_keypair_xonly_tweak_add(ctx, &keypair, sk) == 0)
479 || (secp256k1_keypair_xonly_tweak_add(ctx, &keypair_tmp, tweak) == 0));
480 CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0
481 || secp256k1_memcmp_var(&keypair_tmp, zeros96, sizeof(keypair_tmp)) == 0);
484 /* Invalid keypair with a valid tweak */
485 memset(&keypair, 0, sizeof(keypair));
486 secp256k1_testrand256(tweak);
488 CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
490 CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0);
491 /* Only seckey part of keypair invalid */
492 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
493 memset(&keypair, 0, 32);
494 CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
496 /* Only pubkey part of keypair invalid */
497 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
498 memset(&keypair.data[32], 0, 64);
499 CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
502 /* Check that the keypair_tweak_add implementation is correct */
503 CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
504 for (i = 0; i < count; i++) {
505 secp256k1_xonly_pubkey internal_pk;
506 secp256k1_xonly_pubkey output_pk;
507 secp256k1_pubkey output_pk_xy;
508 secp256k1_pubkey output_pk_expected;
509 unsigned char pk32[32];
510 unsigned char sk32[32];
513 secp256k1_testrand256(tweak);
514 CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
515 CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
516 CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
518 /* Check that it passes xonly_pubkey_tweak_add_check */
519 CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk32, &output_pk) == 1);
520 CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk32, pk_parity, &internal_pk, tweak) == 1);
522 /* Check that the resulting pubkey matches xonly_pubkey_tweak_add */
523 CHECK(secp256k1_keypair_pub(ctx, &output_pk_xy, &keypair) == 1);
524 CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk_expected, &internal_pk, tweak) == 1);
525 CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
527 /* Check that the secret key in the keypair is tweaked correctly */
528 CHECK(secp256k1_keypair_sec(none, sk32, &keypair) == 1);
529 CHECK(secp256k1_ec_pubkey_create(ctx, &output_pk_expected, sk32) == 1);
530 CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
532 secp256k1_context_destroy(none);
533 secp256k1_context_destroy(sign);
534 secp256k1_context_destroy(verify);
537 void run_extrakeys_tests(void) {
538 /* xonly key test cases */
540 test_xonly_pubkey_tweak();
541 test_xonly_pubkey_tweak_check();
542 test_xonly_pubkey_tweak_recursive();
projects / secp256k1.git / blob