Bitcoin Core  22.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2020 Jonas Nick *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_EXTRAKEYS_TESTS_H
8 #define SECP256K1_MODULE_EXTRAKEYS_TESTS_H
9 
10 #include "../../../include/secp256k1_extrakeys.h"
11 
12 static secp256k1_context* api_test_context(int flags, int *ecount) {
16  return ctx0;
17 }
18 
19 void test_xonly_pubkey(void) {
21  secp256k1_xonly_pubkey xonly_pk, xonly_pk_tmp;
22  secp256k1_ge pk1;
23  secp256k1_ge pk2;
24  secp256k1_fe y;
25  unsigned char sk[32];
26  unsigned char xy_sk[32];
27  unsigned char buf32[32];
28  unsigned char ones32[32];
29  unsigned char zeros64[64] = { 0 };
30  int pk_parity;
31  int i;
32 
33  int ecount;
37 
39  memset(ones32, 0xFF, 32);
40  secp256k1_testrand256(xy_sk);
41  CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
42  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
43 
44  /* Test xonly_pubkey_from_pubkey */
45  ecount = 0;
46  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
47  CHECK(secp256k1_xonly_pubkey_from_pubkey(sign, &xonly_pk, &pk_parity, &pk) == 1);
48  CHECK(secp256k1_xonly_pubkey_from_pubkey(verify, &xonly_pk, &pk_parity, &pk) == 1);
49  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, NULL, &pk_parity, &pk) == 0);
50  CHECK(ecount == 1);
51  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1);
52  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, NULL) == 0);
53  CHECK(ecount == 2);
54  memset(&pk, 0, sizeof(pk));
55  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 0);
56  CHECK(ecount == 3);
57 
58  /* Choose a secret key such that the resulting pubkey and xonly_pubkey match. */
59  memset(sk, 0, sizeof(sk));
60  sk[0] = 1;
61  CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
62  CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
63  CHECK(secp256k1_memcmp_var(&pk, &xonly_pk, sizeof(pk)) == 0);
64  CHECK(pk_parity == 0);
65 
66  /* Choose a secret key such that pubkey and xonly_pubkey are each others
67  * negation. */
68  sk[0] = 2;
69  CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
70  CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
71  CHECK(secp256k1_memcmp_var(&xonly_pk, &pk, sizeof(xonly_pk)) != 0);
72  CHECK(pk_parity == 1);
73  secp256k1_pubkey_load(ctx, &pk1, &pk);
74  secp256k1_pubkey_load(ctx, &pk2, (secp256k1_pubkey *) &xonly_pk);
75  CHECK(secp256k1_fe_equal(&pk1.x, &pk2.x) == 1);
76  secp256k1_fe_negate(&y, &pk2.y, 1);
77  CHECK(secp256k1_fe_equal(&pk1.y, &y) == 1);
78 
79  /* Test xonly_pubkey_serialize and xonly_pubkey_parse */
80  ecount = 0;
81  CHECK(secp256k1_xonly_pubkey_serialize(none, NULL, &xonly_pk) == 0);
82  CHECK(ecount == 1);
83  CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, NULL) == 0);
84  CHECK(secp256k1_memcmp_var(buf32, zeros64, 32) == 0);
85  CHECK(ecount == 2);
86  {
87  /* A pubkey filled with 0s will fail to serialize due to pubkey_load
88  * special casing. */
90  memset(&pk_tmp, 0, sizeof(pk_tmp));
91  CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, &pk_tmp) == 0);
92  }
93  /* pubkey_load called illegal callback */
94  CHECK(ecount == 3);
95 
96  CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, &xonly_pk) == 1);
97  ecount = 0;
98  CHECK(secp256k1_xonly_pubkey_parse(none, NULL, buf32) == 0);
99  CHECK(ecount == 1);
100  CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, NULL) == 0);
101  CHECK(ecount == 2);
102 
103  /* Serialization and parse roundtrip */
104  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1);
105  CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1);
106  CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk_tmp, buf32) == 1);
107  CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(xonly_pk)) == 0);
108 
109  /* Test parsing invalid field elements */
110  memset(&xonly_pk, 1, sizeof(xonly_pk));
111  /* Overflowing field element */
112  CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, ones32) == 0);
113  CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
114  memset(&xonly_pk, 1, sizeof(xonly_pk));
115  /* There's no point with x-coordinate 0 on secp256k1 */
116  CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, zeros64) == 0);
117  CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
118  /* If a random 32-byte string can not be parsed with ec_pubkey_parse
119  * (because interpreted as X coordinate it does not correspond to a point on
120  * the curve) then xonly_pubkey_parse should fail as well. */
121  for (i = 0; i < count; i++) {
122  unsigned char rand33[33];
123  secp256k1_testrand256(&rand33[1]);
124  rand33[0] = SECP256K1_TAG_PUBKEY_EVEN;
125  if (!secp256k1_ec_pubkey_parse(ctx, &pk, rand33, 33)) {
126  memset(&xonly_pk, 1, sizeof(xonly_pk));
127  CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 0);
128  CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
129  } else {
130  CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 1);
131  }
132  }
133  CHECK(ecount == 2);
134 
138 }
139 
141  unsigned char pk1_ser[32] = {
142  0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
143  0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
144  };
145  const unsigned char pk2_ser[32] = {
146  0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
147  0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
148  };
151  int ecount = 0;
153 
154  CHECK(secp256k1_xonly_pubkey_parse(none, &pk1, pk1_ser) == 1);
155  CHECK(secp256k1_xonly_pubkey_parse(none, &pk2, pk2_ser) == 1);
156 
157  CHECK(secp256k1_xonly_pubkey_cmp(none, NULL, &pk2) < 0);
158  CHECK(ecount == 1);
159  CHECK(secp256k1_xonly_pubkey_cmp(none, &pk1, NULL) > 0);
160  CHECK(ecount == 2);
161  CHECK(secp256k1_xonly_pubkey_cmp(none, &pk1, &pk2) < 0);
162  CHECK(secp256k1_xonly_pubkey_cmp(none, &pk2, &pk1) > 0);
163  CHECK(secp256k1_xonly_pubkey_cmp(none, &pk1, &pk1) == 0);
164  CHECK(secp256k1_xonly_pubkey_cmp(none, &pk2, &pk2) == 0);
165  CHECK(ecount == 2);
166  memset(&pk1, 0, sizeof(pk1)); /* illegal pubkey */
167  CHECK(secp256k1_xonly_pubkey_cmp(none, &pk1, &pk2) < 0);
168  CHECK(ecount == 3);
169  CHECK(secp256k1_xonly_pubkey_cmp(none, &pk1, &pk1) == 0);
170  CHECK(ecount == 5);
171  CHECK(secp256k1_xonly_pubkey_cmp(none, &pk2, &pk1) > 0);
172  CHECK(ecount == 6);
173 
175 }
176 
178  unsigned char zeros64[64] = { 0 };
179  unsigned char overflows[32];
180  unsigned char sk[32];
181  secp256k1_pubkey internal_pk;
182  secp256k1_xonly_pubkey internal_xonly_pk;
183  secp256k1_pubkey output_pk;
184  int pk_parity;
185  unsigned char tweak[32];
186  int i;
187 
188  int ecount;
192 
193  memset(overflows, 0xff, sizeof(overflows));
194  secp256k1_testrand256(tweak);
196  CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1);
197  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
198 
199  ecount = 0;
200  CHECK(secp256k1_xonly_pubkey_tweak_add(none, &output_pk, &internal_xonly_pk, tweak) == 1);
201  CHECK(ecount == 0);
202  CHECK(secp256k1_xonly_pubkey_tweak_add(sign, &output_pk, &internal_xonly_pk, tweak) == 1);
203  CHECK(ecount == 0);
204  CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1);
205  CHECK(secp256k1_xonly_pubkey_tweak_add(verify, NULL, &internal_xonly_pk, tweak) == 0);
206  CHECK(ecount == 1);
207  CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, NULL, tweak) == 0);
208  CHECK(ecount == 2);
209  /* NULL internal_xonly_pk zeroes the output_pk */
210  CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
211  CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, NULL) == 0);
212  CHECK(ecount == 3);
213  /* NULL tweak zeroes the output_pk */
214  CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
215 
216  /* Invalid tweak zeroes the output_pk */
217  CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, overflows) == 0);
218  CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
219 
220  /* A zero tweak is fine */
221  CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, zeros64) == 1);
222 
223  /* Fails if the resulting key was infinity */
224  for (i = 0; i < count; i++) {
225  secp256k1_scalar scalar_tweak;
226  /* Because sk may be negated before adding, we need to try with tweak =
227  * sk as well as tweak = -sk. */
228  secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
229  secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
230  secp256k1_scalar_get_b32(tweak, &scalar_tweak);
231  CHECK((secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, sk) == 0)
232  || (secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0));
233  CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
234  }
235 
236  /* Invalid pk with a valid tweak */
237  memset(&internal_xonly_pk, 0, sizeof(internal_xonly_pk));
238  secp256k1_testrand256(tweak);
239  ecount = 0;
240  CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0);
241  CHECK(ecount == 1);
242  CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
243 
247 }
248 
250  unsigned char zeros64[64] = { 0 };
251  unsigned char overflows[32];
252  unsigned char sk[32];
253  secp256k1_pubkey internal_pk;
254  secp256k1_xonly_pubkey internal_xonly_pk;
255  secp256k1_pubkey output_pk;
256  secp256k1_xonly_pubkey output_xonly_pk;
257  unsigned char output_pk32[32];
258  unsigned char buf32[32];
259  int pk_parity;
260  unsigned char tweak[32];
261 
262  int ecount;
266 
267  memset(overflows, 0xff, sizeof(overflows));
268  secp256k1_testrand256(tweak);
270  CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1);
271  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
272 
273  ecount = 0;
274  CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1);
275  CHECK(secp256k1_xonly_pubkey_from_pubkey(verify, &output_xonly_pk, &pk_parity, &output_pk) == 1);
276  CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &output_xonly_pk) == 1);
277  CHECK(secp256k1_xonly_pubkey_tweak_add_check(none, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
278  CHECK(ecount == 0);
279  CHECK(secp256k1_xonly_pubkey_tweak_add_check(sign, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
280  CHECK(ecount == 0);
281  CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
282  CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, NULL, pk_parity, &internal_xonly_pk, tweak) == 0);
283  CHECK(ecount == 1);
284  /* invalid pk_parity value */
285  CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, 2, &internal_xonly_pk, tweak) == 0);
286  CHECK(ecount == 1);
287  CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, NULL, tweak) == 0);
288  CHECK(ecount == 2);
289  CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, NULL) == 0);
290  CHECK(ecount == 3);
291 
292  memset(tweak, 1, sizeof(tweak));
293  CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, NULL, &internal_pk) == 1);
294  CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1);
295  CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1);
296  CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk32, &output_xonly_pk) == 1);
297  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1);
298 
299  /* Wrong pk_parity */
300  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0);
301  /* Wrong public key */
302  CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &internal_xonly_pk) == 1);
303  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
304 
305  /* Overflowing tweak not allowed */
306  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0);
307  CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0);
308  CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
309  CHECK(ecount == 3);
310 
314 }
315 
316 /* Starts with an initial pubkey and recursively creates N_PUBKEYS - 1
317  * additional pubkeys by calling tweak_add. Then verifies every tweak starting
318  * from the last pubkey. */
319 #define N_PUBKEYS 32
321  unsigned char sk[32];
323  unsigned char pk_serialized[32];
324  unsigned char tweak[N_PUBKEYS - 1][32];
325  int i;
326 
328  CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk) == 1);
329  /* Add tweaks */
330  for (i = 0; i < N_PUBKEYS - 1; i++) {
331  secp256k1_xonly_pubkey xonly_pk;
332  memset(tweak[i], i + 1, sizeof(tweak[i]));
333  CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i]) == 1);
334  CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &pk[i + 1], &xonly_pk, tweak[i]) == 1);
335  }
336 
337  /* Verify tweaks */
338  for (i = N_PUBKEYS - 1; i > 0; i--) {
339  secp256k1_xonly_pubkey xonly_pk;
340  int pk_parity;
341  CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk[i]) == 1);
342  CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk_serialized, &xonly_pk) == 1);
343  CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i - 1]) == 1);
344  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1);
345  }
346 }
347 #undef N_PUBKEYS
348 
349 void test_keypair(void) {
350  unsigned char sk[32];
351  unsigned char sk_tmp[32];
352  unsigned char zeros96[96] = { 0 };
353  unsigned char overflows[32];
354  secp256k1_keypair keypair;
355  secp256k1_pubkey pk, pk_tmp;
356  secp256k1_xonly_pubkey xonly_pk, xonly_pk_tmp;
357  int pk_parity, pk_parity_tmp;
358  int ecount;
365 
366  CHECK(sizeof(zeros96) == sizeof(keypair));
367  memset(overflows, 0xFF, sizeof(overflows));
368 
369  /* Test keypair_create */
370  ecount = 0;
372  CHECK(secp256k1_keypair_create(none, &keypair, sk) == 1);
373  CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) != 0);
374  CHECK(ecount == 0);
375  CHECK(secp256k1_keypair_create(verify, &keypair, sk) == 1);
376  CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) != 0);
377  CHECK(ecount == 0);
378  CHECK(secp256k1_keypair_create(sign, NULL, sk) == 0);
379  CHECK(ecount == 1);
380  CHECK(secp256k1_keypair_create(sign, &keypair, NULL) == 0);
381  CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
382  CHECK(ecount == 2);
383  CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
384  CHECK(ecount == 2);
385  CHECK(secp256k1_keypair_create(sttc, &keypair, sk) == 0);
386  CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
387  CHECK(ecount == 3);
388 
389  /* Invalid secret key */
390  CHECK(secp256k1_keypair_create(sign, &keypair, zeros96) == 0);
391  CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
392  CHECK(secp256k1_keypair_create(sign, &keypair, overflows) == 0);
393  CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
394 
395  /* Test keypair_pub */
396  ecount = 0;
398  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
399  CHECK(secp256k1_keypair_pub(none, &pk, &keypair) == 1);
400  CHECK(secp256k1_keypair_pub(none, NULL, &keypair) == 0);
401  CHECK(ecount == 1);
402  CHECK(secp256k1_keypair_pub(none, &pk, NULL) == 0);
403  CHECK(ecount == 2);
404  CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0);
405 
406  /* Using an invalid keypair is fine for keypair_pub */
407  memset(&keypair, 0, sizeof(keypair));
408  CHECK(secp256k1_keypair_pub(none, &pk, &keypair) == 1);
409  CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0);
410 
411  /* keypair holds the same pubkey as pubkey_create */
412  CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
413  CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
414  CHECK(secp256k1_keypair_pub(none, &pk_tmp, &keypair) == 1);
415  CHECK(secp256k1_memcmp_var(&pk, &pk_tmp, sizeof(pk)) == 0);
416 
418  ecount = 0;
420  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
421  CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1);
422  CHECK(secp256k1_keypair_xonly_pub(none, NULL, &pk_parity, &keypair) == 0);
423  CHECK(ecount == 1);
424  CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, NULL, &keypair) == 1);
425  CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, NULL) == 0);
426  CHECK(ecount == 2);
427  CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0);
428  /* Using an invalid keypair will set the xonly_pk to 0 (first reset
429  * xonly_pk). */
430  CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1);
431  memset(&keypair, 0, sizeof(keypair));
432  CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 0);
433  CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0);
434  CHECK(ecount == 3);
435 
437  CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
438  CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
439  CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
440  CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1);
441  CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(pk)) == 0);
442  CHECK(pk_parity == pk_parity_tmp);
443 
444  /* Test keypair_seckey */
445  ecount = 0;
447  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
448  CHECK(secp256k1_keypair_sec(none, sk_tmp, &keypair) == 1);
449  CHECK(secp256k1_keypair_sec(none, NULL, &keypair) == 0);
450  CHECK(ecount == 1);
451  CHECK(secp256k1_keypair_sec(none, sk_tmp, NULL) == 0);
452  CHECK(ecount == 2);
453  CHECK(secp256k1_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0);
454 
455  /* keypair returns the same seckey it got */
456  CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
457  CHECK(secp256k1_keypair_sec(none, sk_tmp, &keypair) == 1);
458  CHECK(secp256k1_memcmp_var(sk, sk_tmp, sizeof(sk_tmp)) == 0);
459 
460 
461  /* Using an invalid keypair is fine for keypair_seckey */
462  memset(&keypair, 0, sizeof(keypair));
463  CHECK(secp256k1_keypair_sec(none, sk_tmp, &keypair) == 1);
464  CHECK(secp256k1_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0);
465 
470 }
471 
472 void test_keypair_add(void) {
473  unsigned char sk[32];
474  secp256k1_keypair keypair;
475  unsigned char overflows[32];
476  unsigned char zeros96[96] = { 0 };
477  unsigned char tweak[32];
478  int i;
479  int ecount = 0;
483 
484  CHECK(sizeof(zeros96) == sizeof(keypair));
486  secp256k1_testrand256(tweak);
487  memset(overflows, 0xFF, 32);
488  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
489 
490  CHECK(secp256k1_keypair_xonly_tweak_add(none, &keypair, tweak) == 1);
491  CHECK(ecount == 0);
492  CHECK(secp256k1_keypair_xonly_tweak_add(sign, &keypair, tweak) == 1);
493  CHECK(ecount == 0);
494  CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 1);
495  CHECK(secp256k1_keypair_xonly_tweak_add(verify, NULL, tweak) == 0);
496  CHECK(ecount == 1);
497  CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, NULL) == 0);
498  CHECK(ecount == 2);
499  /* This does not set the keypair to zeroes */
500  CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) != 0);
501 
502  /* Invalid tweak zeroes the keypair */
503  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
504  CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, overflows) == 0);
505  CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0);
506 
507  /* A zero tweak is fine */
508  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
509  CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, zeros96) == 1);
510 
511  /* Fails if the resulting keypair was (sk=0, pk=infinity) */
512  for (i = 0; i < count; i++) {
513  secp256k1_scalar scalar_tweak;
514  secp256k1_keypair keypair_tmp;
516  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
517  memcpy(&keypair_tmp, &keypair, sizeof(keypair));
518  /* Because sk may be negated before adding, we need to try with tweak =
519  * sk as well as tweak = -sk. */
520  secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
521  secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
522  secp256k1_scalar_get_b32(tweak, &scalar_tweak);
523  CHECK((secp256k1_keypair_xonly_tweak_add(ctx, &keypair, sk) == 0)
524  || (secp256k1_keypair_xonly_tweak_add(ctx, &keypair_tmp, tweak) == 0));
525  CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0
526  || secp256k1_memcmp_var(&keypair_tmp, zeros96, sizeof(keypair_tmp)) == 0);
527  }
528 
529  /* Invalid keypair with a valid tweak */
530  memset(&keypair, 0, sizeof(keypair));
531  secp256k1_testrand256(tweak);
532  ecount = 0;
533  CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
534  CHECK(ecount == 1);
535  CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0);
536  /* Only seckey part of keypair invalid */
537  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
538  memset(&keypair, 0, 32);
539  CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
540  CHECK(ecount == 2);
541  /* Only pubkey part of keypair invalid */
542  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
543  memset(&keypair.data[32], 0, 64);
544  CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
545  CHECK(ecount == 3);
546 
547  /* Check that the keypair_tweak_add implementation is correct */
548  CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
549  for (i = 0; i < count; i++) {
550  secp256k1_xonly_pubkey internal_pk;
551  secp256k1_xonly_pubkey output_pk;
552  secp256k1_pubkey output_pk_xy;
553  secp256k1_pubkey output_pk_expected;
554  unsigned char pk32[32];
555  unsigned char sk32[32];
556  int pk_parity;
557 
558  secp256k1_testrand256(tweak);
559  CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
560  CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
561  CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
562 
563  /* Check that it passes xonly_pubkey_tweak_add_check */
564  CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk32, &output_pk) == 1);
565  CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk32, pk_parity, &internal_pk, tweak) == 1);
566 
567  /* Check that the resulting pubkey matches xonly_pubkey_tweak_add */
568  CHECK(secp256k1_keypair_pub(ctx, &output_pk_xy, &keypair) == 1);
569  CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk_expected, &internal_pk, tweak) == 1);
570  CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
571 
572  /* Check that the secret key in the keypair is tweaked correctly */
573  CHECK(secp256k1_keypair_sec(none, sk32, &keypair) == 1);
574  CHECK(secp256k1_ec_pubkey_create(ctx, &output_pk_expected, sk32) == 1);
575  CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
576  }
580 }
581 
583  /* xonly key test cases */
589 
590  /* keypair tests */
591  test_keypair();
593 }
594 
595 #endif
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:162
test_xonly_pubkey
void test_xonly_pubkey(void)
Definition: tests_impl.h:19
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_xonly_pubkey_cmp
SECP256K1_API int secp256k1_xonly_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_xonly_pubkey *pk1, const secp256k1_xonly_pubkey *pk2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two x-only public keys using lexicographic order.
Definition: main_impl.h:58
count
static int count
Definition: tests.c:31
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:128
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:184
test_keypair_add
void test_keypair_add(void)
Definition: tests_impl.h:472
SECP256K1_TAG_PUBKEY_EVEN
#define SECP256K1_TAG_PUBKEY_EVEN
Prefix byte used to tag various encoded curvepoints for specific purposes.
Definition: secp256k1.h:194
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:19
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:185
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
flags
int flags
Definition: bitcoin-tx.cpp:529
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:195
secp256k1_context_struct
Definition: secp256k1.c:47
secp256k1_xonly_pubkey_from_pubkey
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context *ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
Definition: main_impl.h:98
test_keypair
void test_keypair(void)
Definition: tests_impl.h:349
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:221
test_xonly_pubkey_tweak
void test_xonly_pubkey_tweak(void)
Definition: tests_impl.h:177
secp256k1_keypair_xonly_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4)
Get the x-only public key from a keypair.
Definition: main_impl.h:233
secp256k1_keypair_sec
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_sec(const secp256k1_context *ctx, unsigned char *seckey, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Get the secret key from a keypair.
Definition: main_impl.h:213
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:153
N_PUBKEYS
#define N_PUBKEYS
Definition: tests_impl.h:319
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
secp256k1_keypair
Opaque data structure that holds a keypair consisting of a secret and a public key.
Definition: secp256k1_extrakeys.h:33
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
secp256k1_keypair_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the keypair for a secret key.
Definition: main_impl.h:195
api_test_context
static secp256k1_context * api_test_context(int flags, int *ecount)
Definition: tests_impl.h:12
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:228
secp256k1_fe
Definition: field_10x26.h:12
verify
static bool verify(const CScriptNum10 &bignum, const CScriptNum &scriptnum)
Definition: scriptnum_tests.cpp:21
secp256k1_keypair_pub
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_pub(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Get the public key from a keypair.
Definition: main_impl.h:223
secp256k1_xonly_pubkey_tweak_add_check
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context *ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5)
Checks that a tweaked pubkey is the result of calling secp256k1_xonly_pubkey_tweak_add with internal_...
Definition: main_impl.h:134
secp256k1_fe_equal
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
test_xonly_pubkey_tweak_recursive
void test_xonly_pubkey_tweak_recursive(void)
Definition: tests_impl.h:320
secp256k1_xonly_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(const secp256k1_context *ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a 32-byte sequence into a xonly_pubkey object.
Definition: main_impl.h:21
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:187
test_xonly_pubkey_tweak_check
void test_xonly_pubkey_tweak_check(void)
Definition: tests_impl.h:249
secp256k1_xonly_pubkey_serialize
SECP256K1_API int secp256k1_xonly_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an xonly_pubkey object into a 32-byte sequence.
Definition: main_impl.h:43
run_extrakeys_tests
void run_extrakeys_tests(void)
Definition: tests_impl.h:582
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:547
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
secp256k1_keypair_xonly_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(const secp256k1_context *ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a keypair by adding tweak32 to the secret key and updating the public key accordingly.
Definition: main_impl.h:254
secp256k1_keypair::data
unsigned char data[96]
Definition: secp256k1_extrakeys.h:34
secp256k1_context_no_precomp
const SECP256K1_API secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:60
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:18
test_xonly_pubkey_comparison
void test_xonly_pubkey_comparison(void)
Definition: tests_impl.h:140
secp256k1_xonly_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Tweak an x-only public key by adding the generator multiplied with tweak32 to it.
Definition: main_impl.h:117
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13
ctx
static secp256k1_context * ctx
Definition: tests.c:32
secp256k1_xonly_pubkey
Opaque data structure that holds a parsed and valid "x-only" public key.
Definition: secp256k1_extrakeys.h:22