sparrowwallet/UltrafastSecp256k1
sparrowwallet/UltrafastSecp256k1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
78a8e525af
UltrafastSecp256k1/audit/test_parse_strictness.cpp

664 lines
26 KiB
C++
Raw Blame History

// ============================================================================
// test_parse_strictness.cpp -- Public Parse Path Strictness Audit
// ============================================================================
//
// Systematically verifies that every public parse/decode function in the
// ufsecp C API rejects ALL malformed inputs with a documented error code
// and NEVER silently accepts corrupt data.
//
// An external auditor checking "can a malformed input reach signing / key
// derivation / ECDH code?" will walk every parse entry point. This module
// does exactly that.
//
// Parse paths covered:
// 1. ufsecp_pubkey_parse -- compressed / uncompressed SEC1
// 2. ufsecp_pubkey_xonly -- x-only 32-byte encoding
// 3. ufsecp_seckey_verify -- 32-byte scalar in [1, n-1]
// 4. ufsecp_ecdsa_sig_from_der -- DER-encoded ECDSA signature
// 5. ufsecp_wif_decode -- WIF-encoded private key
// 6. ufsecp_bip32_master -- HD seed input
// 7. ufsecp_pubkey_parse -- uncompressed (0x04) path
//
// For each path we test:
// - All-zero input
// - All-0xFF input
// - Truncated input (correct prefix, wrong length)
// - Wrong version/prefix byte
// - Off-curve point (x on curve but y wrong for compressed)
// - Scalar = 0 (additive identity -- invalid private key)
// - Scalar = n (group order -- congruent to 0)
// - Scalar > n (out of range)
// - Garbled DER (for DER path: flipped length, wrong sequence tag)
// - Non-canonical DER (leading zero on r/s, negative high bit)
//
// PS-1 … PS-16 : ufsecp_pubkey_parse (compressed)
// PS-17 … PS-22 : ufsecp_seckey_verify
// PS-23 … PS-30 : ufsecp_ecdsa_sig_from_der
// PS-31 … PS-36 : ufsecp_wif_decode
// PS-37 … PS-40 : ufsecp_bip32_master
// PS-41 … PS-48 : ufsecp_pubkey_parse (uncompressed)
// PS-49 … PS-53 : ufsecp_pubkey_xonly
// PS-54 … PS-60 : Round-trip fidelity (valid inputs parse correctly)
// ============================================================================
#include <cstdio>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <array>
#ifndef UFSECP_BUILDING
#define UFSECP_BUILDING
#endif
#include "ufsecp/ufsecp.h"
static int g_pass = 0, g_fail = 0;
#include "audit_check.hpp"
// Macro: CHECK that an error code is in a set of acceptable failure codes.
// A "strict" parse that returns any failure is correct; we only care that it
// is NOT UFSECP_OK (i.e. it does not silently accept garbage).
#define CHECK_REJECT(rc, msg) \
CHECK((rc) != UFSECP_OK, msg)
// Check exact error code
#define CHECK_CODE(rc, expected, msg) \
CHECK((rc) == (expected), msg)
// ---------------------------------------------------------------------------
// Well-known valid material (privkey = 3)
// ---------------------------------------------------------------------------
// privkey = 3 (small, valid, non-trivial)
static constexpr uint8_t PRIVKEY3[32] = {
0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,3
};
// privkey = 1
static constexpr uint8_t PRIVKEY1[32] = {
0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,1
};
// secp256k1 group order n (this scalar is 0 mod n — invalid key)
static constexpr uint8_t SCALAR_N[32] = {
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
};
// n + 1 (out of range)
static constexpr uint8_t SCALAR_N_PLUS1[32] = {
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x42
};
// ---------------------------------------------------------------------------
// PS-1 … PS-16 : ufsecp_pubkey_parse (compressed, prefix 0x02/0x03)
// ---------------------------------------------------------------------------
static void run_ps1_pubkey_compressed(ufsecp_ctx* ctx) {
AUDIT_LOG("\n [PS-1..16] pubkey_parse: compressed SEC1 input validation\n");
uint8_t out33[33] = {};
uint8_t outlen = 33;
// First, get a valid 33-byte compressed pubkey for key=1
uint8_t valid33[33] = {};
{
size_t len = 33;
ufsecp_error_t rc = ufsecp_pubkey_create(ctx, PRIVKEY1,
/*compressed=*/1, valid33, &len);
CHECK(rc == UFSECP_OK, "PS-setup: pubkey_create for key=1 succeeds");
}
// PS-1: all-zero 33 bytes (prefix 0x00 is invalid)
{
uint8_t buf[33] = {};
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 33, out33, &outlen2);
CHECK_REJECT(rc, "PS-1: all-zero 33-byte compressed pubkey rejected");
}
// PS-2: all-0xFF (prefix 0xFF is invalid)
{
uint8_t buf[33];
std::memset(buf, 0xFF, 33);
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 33, out33, &outlen2);
CHECK_REJECT(rc, "PS-2: all-0xFF 33-byte pubkey rejected");
}
// PS-3: valid prefix 0x02, but x = 0 (no such point on secp256k1)
{
uint8_t buf[33] = {};
buf[0] = 0x02;
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 33, out33, &outlen2);
CHECK_REJECT(rc, "PS-3: 0x02||0x00...00 (x=0) rejected");
}
// PS-4: valid prefix 0x03, but x = 0
{
uint8_t buf[33] = {};
buf[0] = 0x03;
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 33, out33, &outlen2);
CHECK_REJECT(rc, "PS-4: 0x03||0x00...00 (x=0, odd y) rejected");
}
// PS-5: valid prefix 0x02 but x = p (field prime, out of range)
// p = FFFFFFFF...FFFFFFFEFFFFFC2F
{
uint8_t buf[33] = {
0x02,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F
};
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 33, out33, &outlen2);
CHECK_REJECT(rc, "PS-5: 0x02 + x=p (field prime) rejected");
}
// PS-6: valid prefix 0x02 but x = p+1 (clearly out of range)
{
uint8_t buf[33] = {
0x02,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x30
};
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 33, out33, &outlen2);
CHECK_REJECT(rc, "PS-6: 0x02 + x=p+1 (out of range) rejected");
}
// PS-7: x coordinate on curve (from valid pubkey), but wrong prefix parity
// Take valid33 which has prefix 0x02 or 0x03, flip it to make y-parity mismatch
// This tests x-on-curve but wrong parity — should still parse (just different point)
// So we SKIP the "reject" expectation here and verify it parses to different pubkey
{
uint8_t flipped[33];
std::memcpy(flipped, valid33, 33);
flipped[0] ^= 0x01; // flip 0x02<->0x03
uint8_t parsed[33] = {};
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, flipped, 33, parsed, &outlen2);
CHECK(rc == UFSECP_OK,
"PS-7: parity-flipped prefix (valid x) parses successfully");
// The resulting pubkey must differ from original (negated y)
CHECK(std::memcmp(parsed, valid33, 33) != 0,
"PS-8: parity-flipped pubkey produces different output than original");
}
// PS-9: wrong prefix byte 0x01
{
uint8_t buf[33];
std::memcpy(buf, valid33, 33);
buf[0] = 0x01;
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 33, out33, &outlen2);
CHECK_REJECT(rc, "PS-9: prefix 0x01 rejected");
}
// PS-10: wrong prefix byte 0x05
{
uint8_t buf[33];
std::memcpy(buf, valid33, 33);
buf[0] = 0x05;
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 33, out33, &outlen2);
CHECK_REJECT(rc, "PS-10: prefix 0x05 rejected");
}
// PS-11: truncated to 32 bytes (correct prefix, missing last byte)
{
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, valid33, 32, out33, &outlen2);
CHECK_REJECT(rc, "PS-11: 32-byte input (truncated compressed) rejected");
}
// PS-12: truncated to 1 byte (only prefix)
{
uint8_t buf[1] = { 0x02 };
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 1, out33, &outlen2);
CHECK_REJECT(rc, "PS-12: 1-byte input (prefix only) rejected");
}
// PS-13: zero-length input
{
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, valid33, 0, out33, &outlen2);
CHECK_REJECT(rc, "PS-13: zero-length input rejected");
}
// PS-14: NULL input
{
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, nullptr, 33, out33, &outlen2);
CHECK_CODE(rc, UFSECP_ERR_NULL_ARG, "PS-14: NULL input pointer returns NULL_ARG");
}
// PS-15: NULL output
{
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, valid33, 33, nullptr, &outlen2);
CHECK_CODE(rc, UFSECP_ERR_NULL_ARG, "PS-15: NULL output pointer returns NULL_ARG");
}
// PS-16: valid input round-trips correctly
{
uint8_t parsed[33] = {};
size_t outlen2 = 33;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, valid33, 33, parsed, &outlen2);
CHECK(rc == UFSECP_OK, "PS-16a: valid compressed pubkey parses OK");
CHECK(std::memcmp(parsed, valid33, 33) == 0,
"PS-16b: parsed pubkey round-trips to same bytes");
}
}
// ---------------------------------------------------------------------------
// PS-17 … PS-22 : ufsecp_seckey_verify
// ---------------------------------------------------------------------------
static void run_ps17_seckey_verify(ufsecp_ctx* ctx) {
AUDIT_LOG("\n [PS-17..22] seckey_verify: scalar range validation\n");
// PS-17: all-zero scalar (= 0 mod n — invalid)
{
uint8_t z[32] = {};
ufsecp_error_t rc = ufsecp_seckey_verify(ctx, z);
CHECK_REJECT(rc, "PS-17: zero scalar rejected by seckey_verify");
}
// PS-18: scalar = n (= 0 mod n — invalid)
{
ufsecp_error_t rc = ufsecp_seckey_verify(ctx, SCALAR_N);
CHECK_REJECT(rc, "PS-18: scalar=n (= 0 mod n) rejected");
}
// PS-19: scalar = n+1 (> n — invalid)
{
ufsecp_error_t rc = ufsecp_seckey_verify(ctx, SCALAR_N_PLUS1);
CHECK_REJECT(rc, "PS-19: scalar=n+1 (out of range) rejected");
}
// PS-20: all-0xFF (> n — invalid, since n < 2^256)
{
uint8_t ff[32];
std::memset(ff, 0xFF, 32);
ufsecp_error_t rc = ufsecp_seckey_verify(ctx, ff);
CHECK_REJECT(rc, "PS-20: all-0xFF scalar (> n) rejected");
}
// PS-21: scalar = 1 (minimum valid)
{
ufsecp_error_t rc = ufsecp_seckey_verify(ctx, PRIVKEY1);
CHECK_CODE(rc, UFSECP_OK, "PS-21: scalar=1 (minimum valid) accepted");
}
// PS-22: scalar = n-1 (maximum valid)
{
uint8_t n_minus1[32] = {
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
};
ufsecp_error_t rc = ufsecp_seckey_verify(ctx, n_minus1);
CHECK_CODE(rc, UFSECP_OK, "PS-22: scalar=n-1 (maximum valid) accepted");
}
}
// ---------------------------------------------------------------------------
// PS-23 … PS-30 : ufsecp_ecdsa_sig_from_der
// ---------------------------------------------------------------------------
static void run_ps23_der_parse(ufsecp_ctx* ctx) {
AUDIT_LOG("\n [PS-23..30] ecdsa_sig_from_der: DER signature parsing\n");
// Build a valid DER signature first
uint8_t msg[32] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,
0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,
0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20
};
uint8_t compact[64] = {};
CHECK(ufsecp_ecdsa_sign(ctx, msg, PRIVKEY3, compact) == UFSECP_OK,
"PS-der-setup: sign succeeds");
uint8_t der[72] = {};
size_t derlen = 72;
CHECK(ufsecp_ecdsa_sig_to_der(ctx, compact, der, &derlen) == UFSECP_OK,
"PS-der-setup: sig_to_der succeeds");
uint8_t out64[64] = {};
// PS-23: all-zero DER buffer
{
uint8_t buf[72] = {};
ufsecp_error_t rc = ufsecp_ecdsa_sig_from_der(ctx, buf, 72, out64);
CHECK_REJECT(rc, "PS-23: all-zero DER rejected");
}
// PS-24: wrong sequence tag (0x00 instead of 0x30)
{
uint8_t buf[72];
std::memcpy(buf, der, derlen);
buf[0] = 0x00;
ufsecp_error_t rc = ufsecp_ecdsa_sig_from_der(ctx, buf, derlen, out64);
CHECK_REJECT(rc, "PS-24: DER with tag 0x00 (not 0x30) rejected");
}
// PS-25: wrong sequence tag (0x31 — SET instead of SEQUENCE)
{
uint8_t buf[72];
std::memcpy(buf, der, derlen);
buf[0] = 0x31;
ufsecp_error_t rc = ufsecp_ecdsa_sig_from_der(ctx, buf, derlen, out64);
CHECK_REJECT(rc, "PS-25: DER with tag 0x31 (SET not SEQUENCE) rejected");
}
// PS-26: truncated (length says N bytes, only N-1 provided)
{
ufsecp_error_t rc = ufsecp_ecdsa_sig_from_der(ctx, der, derlen - 1, out64);
CHECK_REJECT(rc, "PS-26: truncated DER (1 byte short) rejected");
}
// PS-27: declared length too large
{
uint8_t buf[72];
std::memcpy(buf, der, derlen);
buf[1] = 0x7F; // claim length = 127 bytes, but only ~70 available
ufsecp_error_t rc = ufsecp_ecdsa_sig_from_der(ctx, buf, derlen, out64);
CHECK_REJECT(rc, "PS-27: DER with inflated length field rejected");
}
// PS-28: zero-length input
{
ufsecp_error_t rc = ufsecp_ecdsa_sig_from_der(ctx, der, 0, out64);
CHECK_REJECT(rc, "PS-28: zero-length DER input rejected");
}
// PS-29: NULL input pointer
{
ufsecp_error_t rc = ufsecp_ecdsa_sig_from_der(ctx, nullptr, 72, out64);
CHECK_CODE(rc, UFSECP_ERR_NULL_ARG, "PS-29: NULL DER input returns NULL_ARG");
}
// PS-30: valid DER round-trips correctly
{
uint8_t roundtrip[64] = {};
ufsecp_error_t rc = ufsecp_ecdsa_sig_from_der(ctx, der, derlen, roundtrip);
CHECK_CODE(rc, UFSECP_OK, "PS-30a: valid DER parses OK");
CHECK(std::memcmp(roundtrip, compact, 64) == 0,
"PS-30b: DER round-trip produces original compact signature");
}
}
// ---------------------------------------------------------------------------
// PS-31 … PS-36 : ufsecp_wif_decode
// ---------------------------------------------------------------------------
static void run_ps31_wif_decode(ufsecp_ctx* ctx) {
AUDIT_LOG("\n [PS-31..36] wif_decode: WIF private key parsing\n");
// Well-known valid WIF for privkey=1, mainnet, compressed
static const char* VALID_WIF = "KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73NUBBy9s";
uint8_t out32[32] = {};
uint8_t net_out = 0;
int comp_out = 0;
// PS-31: NULL input
{
ufsecp_error_t rc = ufsecp_wif_decode(ctx, nullptr, out32, &net_out, &comp_out);
CHECK_CODE(rc, UFSECP_ERR_NULL_ARG, "PS-31: NULL WIF string returns NULL_ARG");
}
// PS-32: empty string
{
ufsecp_error_t rc = ufsecp_wif_decode(ctx, "", out32, &net_out, &comp_out);
CHECK_REJECT(rc, "PS-32: empty WIF string rejected");
}
// PS-33: single character
{
ufsecp_error_t rc = ufsecp_wif_decode(ctx, "K", out32, &net_out, &comp_out);
CHECK_REJECT(rc, "PS-33: single-char WIF string rejected");
}
// PS-34: corrupted checksum (last char changed)
{
std::string wif(VALID_WIF);
wif.back() ^= 0x01; // corrupt last Base58 digit
// Note: incrementing a Base58 char may leave it in alphabet — if not,
// it's double-rejected. Either way, it must not decode as OK.
ufsecp_error_t rc = ufsecp_wif_decode(ctx, wif.c_str(), out32, &net_out, &comp_out);
CHECK_REJECT(rc, "PS-34: WIF with corrupted checksum rejected");
}
// PS-35: all-'A' string of correct length (not valid Base58 WIF)
{
std::string garbage(52, 'A');
ufsecp_error_t rc = ufsecp_wif_decode(ctx, garbage.c_str(), out32, &net_out, &comp_out);
CHECK_REJECT(rc, "PS-35: all-'A' WIF-length string rejected");
}
// PS-36: valid WIF decodes correctly
{
ufsecp_error_t rc = ufsecp_wif_decode(ctx, VALID_WIF, out32, &net_out, &comp_out);
CHECK_CODE(rc, UFSECP_OK, "PS-36a: valid WIF parses OK");
CHECK(std::memcmp(out32, PRIVKEY1, 32) == 0,
"PS-36b: valid WIF decodes to privkey=1");
}
}
// ---------------------------------------------------------------------------
// PS-37 … PS-40 : ufsecp_bip32_master
// ---------------------------------------------------------------------------
static void run_ps37_bip32_master(ufsecp_ctx* ctx) {
AUDIT_LOG("\n [PS-37..40] bip32_master: HD seed input validation\n");
ufsecp_bip32_key out_key = {};
// PS-37: NULL seed
{
ufsecp_error_t rc = ufsecp_bip32_master(ctx, nullptr, 16, &out_key);
CHECK_CODE(rc, UFSECP_ERR_NULL_ARG, "PS-37: NULL seed returns NULL_ARG");
}
// PS-38: seed too short (< 16 bytes per BIP-32 spec minimum)
{
uint8_t short_seed[15] = {};
ufsecp_error_t rc = ufsecp_bip32_master(ctx, short_seed, 15, &out_key);
CHECK_REJECT(rc, "PS-38: 15-byte seed (< 16-byte BIP-32 minimum) rejected");
}
// PS-39: zero-length seed
{
uint8_t buf[64] = {};
ufsecp_error_t rc = ufsecp_bip32_master(ctx, buf, 0, &out_key);
CHECK_REJECT(rc, "PS-39: zero-length seed rejected");
}
// PS-40: valid 32-byte seed succeeds
{
uint8_t seed[32] = {
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
};
ufsecp_error_t rc = ufsecp_bip32_master(ctx, seed, 32, &out_key);
CHECK_CODE(rc, UFSECP_OK, "PS-40: valid 32-byte seed accepted");
}
}
// ---------------------------------------------------------------------------
// PS-41 … PS-48 : ufsecp_pubkey_parse (uncompressed, prefix 0x04)
// ---------------------------------------------------------------------------
static void run_ps41_pubkey_uncompressed(ufsecp_ctx* ctx) {
AUDIT_LOG("\n [PS-41..48] pubkey_parse: uncompressed SEC1 (65 bytes)\n");
// Get a valid uncompressed pubkey for key=1
uint8_t valid65[65] = {};
size_t len65 = 65;
CHECK(ufsecp_pubkey_create(ctx, PRIVKEY1, /*compressed=*/0, valid65, &len65) == UFSECP_OK,
"PS-unc-setup: pubkey_create uncompressed succeeds");
uint8_t out65[65] = {};
size_t outlen65 = 65;
// PS-41: all-zero 65 bytes (prefix 0x00 is invalid)
{
uint8_t buf[65] = {};
size_t ol = 65;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 65, out65, &ol);
CHECK_REJECT(rc, "PS-41: all-zero 65-byte uncompressed pubkey rejected");
}
// PS-42: correct prefix 0x04 but x=0, y=0 (infinity — invalid)
{
uint8_t buf[65] = {};
buf[0] = 0x04;
size_t ol = 65;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 65, out65, &ol);
CHECK_REJECT(rc, "PS-42: 0x04||0x00...x...y (x=0,y=0) rejected");
}
// PS-43: correct prefix 0x04, valid x from G, but y = 0 (off-curve)
{
uint8_t buf[65] = {};
buf[0] = 0x04;
// G.x = 79BE667E...
const uint8_t gx[32] = {
0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,
0x55,0xA0,0x62,0x95,0xCE,0x87,0x02,0x1D,
0x17,0x50,0x83,0x5D,0x2D,0xC6,0x76,0x60,
0xDD,0x52,0x56,0x01,0xFC,0x8B,0x72,0xEC
};
std::memcpy(buf + 1, gx, 32);
// y = 0 (wrong — not on curve)
size_t ol = 65;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 65, out65, &ol);
CHECK_REJECT(rc, "PS-43: 0x04 + G.x + y=0 (off-curve) rejected");
}
// PS-44: wrong prefix 0x05 for uncompressed
{
uint8_t buf[65];
std::memcpy(buf, valid65, 65);
buf[0] = 0x05;
size_t ol = 65;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 65, out65, &ol);
CHECK_REJECT(rc, "PS-44: prefix 0x05 for uncompressed rejected");
}
// PS-45: truncated to 64 bytes
{
size_t ol = 65;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, valid65, 64, out65, &ol);
CHECK_REJECT(rc, "PS-45: 64-byte uncompressed (truncated) rejected");
}
// PS-46: overlong (66 bytes with extra garbage)
{
uint8_t buf[66];
std::memcpy(buf, valid65, 65);
buf[65] = 0xAB;
size_t ol = 65;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 66, out65, &ol);
// Overlong might be silently truncated or rejected; strictly it should reject
// We accept either reject OR parse-to-same-key (implementation-defined)
// but we must not get a DIFFERENT valid key
if (rc == UFSECP_OK) {
CHECK(std::memcmp(out65, valid65, 65) == 0,
"PS-46: if overlong accepted, output must match the 65-byte key");
} else {
CHECK(true, "PS-46: overlong uncompressed pubkey rejected");
}
}
// PS-47: hybrid encoding prefix 0x06 (deprecated, must reject)
{
uint8_t buf[65];
std::memcpy(buf, valid65, 65);
buf[0] = 0x06;
size_t ol = 65;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, buf, 65, out65, &ol);
CHECK_REJECT(rc, "PS-47: hybrid prefix 0x06 rejected");
}
// PS-48: valid uncompressed pubkey round-trips
{
uint8_t parsed[65] = {};
size_t ol = 65;
ufsecp_error_t rc = ufsecp_pubkey_parse(ctx, valid65, 65, parsed, &ol);
CHECK_CODE(rc, UFSECP_OK, "PS-48a: valid uncompressed pubkey parses OK");
CHECK(std::memcmp(parsed, valid65, 65) == 0,
"PS-48b: uncompressed pubkey round-trips correctly");
}
}
// ---------------------------------------------------------------------------
// PS-49 … PS-53 : ufsecp_pubkey_xonly
// ---------------------------------------------------------------------------
static void run_ps49_pubkey_xonly(ufsecp_ctx* ctx) {
AUDIT_LOG("\n [PS-49..53] pubkey_xonly: x-only encoding validation\n");
uint8_t xonly32[32] = {};
// Get a valid compressed pubkey first
uint8_t valid33[33] = {};
size_t len33 = 33;
CHECK(ufsecp_pubkey_create(ctx, PRIVKEY1, 1, valid33, &len33) == UFSECP_OK,
"PS-xonly-setup: pubkey_create compressed succeeds");
// PS-49: NULL input
{
ufsecp_error_t rc = ufsecp_pubkey_xonly(ctx, nullptr, 33, xonly32);
CHECK_CODE(rc, UFSECP_ERR_NULL_ARG, "PS-49: NULL input returns NULL_ARG");
}
// PS-50: all-zero 32-byte x-only input (x=0 not on curve)
{
uint8_t z[32] = {};
ufsecp_error_t rc = ufsecp_pubkey_xonly(ctx, z, 32, xonly32);
CHECK_REJECT(rc, "PS-50: all-zero x-only (x=0) rejected");
}
// PS-51: x = p (field prime, out of range)
{
uint8_t xp[32] = {
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F
};
ufsecp_error_t rc = ufsecp_pubkey_xonly(ctx, xp, 32, xonly32);
CHECK_REJECT(rc, "PS-51: x=p (field prime) x-only rejected");
}
// PS-52: x coordinate that's in-range but not on curve
{
// x = 2 is not a valid x-coordinate on secp256k1 (no y satisfies y²=x³+7)
uint8_t x2[32] = {};
x2[31] = 0x02;
ufsecp_error_t rc = ufsecp_pubkey_xonly(ctx, x2, 32, xonly32);
CHECK_REJECT(rc, "PS-52: x=2 (no valid y on secp256k1) x-only rejected");
}
// PS-53: valid compressed pubkey → extract x-only succeeds
{
ufsecp_error_t rc = ufsecp_pubkey_xonly(ctx, valid33, 33, xonly32);
CHECK_CODE(rc, UFSECP_OK, "PS-53a: extract x-only from valid compressed pubkey OK");
// x-only must match bytes [1..32] of the compressed pubkey
CHECK(std::memcmp(xonly32, valid33 + 1, 32) == 0,
"PS-53b: extracted x-only matches bytes [1..32] of compressed pubkey");
}
}
// ---------------------------------------------------------------------------
// Entry point
// ---------------------------------------------------------------------------
int test_parse_strictness_run() {
g_pass = 0; g_fail = 0;
AUDIT_LOG("============================================================\n");
AUDIT_LOG(" Public Parse Path Strictness Audit\n");
AUDIT_LOG(" Every public parse/decode entry point vs malformed inputs\n");
AUDIT_LOG("============================================================\n");
ufsecp_ctx* ctx = nullptr;
if (ufsecp_ctx_create(&ctx) != UFSECP_OK || ctx == nullptr) {
CHECK(false, "PS-ctx: failed to create context");
printf("[test_parse_strictness] %d/%d checks passed (context failed)\n",
g_pass, g_pass + g_fail);
return 1;
}
run_ps1_pubkey_compressed(ctx);
run_ps17_seckey_verify(ctx);
run_ps23_der_parse(ctx);
run_ps31_wif_decode(ctx);
run_ps37_bip32_master(ctx);
run_ps41_pubkey_uncompressed(ctx);
run_ps49_pubkey_xonly(ctx);
ufsecp_ctx_destroy(ctx);
printf("[test_parse_strictness] %d/%d checks passed\n",
g_pass, g_pass + g_fail);
return (g_fail > 0) ? 1 : 0;
}
#ifndef UNIFIED_AUDIT_RUNNER
int main() {
return test_parse_strictness_run();
}
#endif
Reference in New Issue View Git Blame Copy Permalink