Add a secp256k1_ecdsa_signature_t type

Author: sipa

include/secp256k1.h

@@ -120,6 +120,80 @@ int secp256k1_ec_pubkey_serialize(
   int compressed
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
+/** Data type to hold a parsed ECDSA signature, optionally supporting pubkey
+ *  recovery */
+typedef struct {
+  unsigned char data[65];
+} secp256k1_ecdsa_signature_t;
+
+/** Parse a DER ECDSA signature.
+ *  Returns: 1 when the signature could be parsed, 0 otherwise.
+ *  In:  ctx:      a secp256k1 context object
+ *       input:    a pointer to the signature to be parsed
+ *       inputlen: the length of the array pointed to be input
+ *  Out: sig:      a pointer to a signature object
+ *
+ *  Note that this function also supports some violations of DER.
+ *
+ *  The resulting signature object will not support pubkey recovery.
+ */
+int secp256k1_ecdsa_signature_parse_der(
+  const secp256k1_context_t* ctx,
+  secp256k1_ecdsa_signature_t* sig,
+  const unsigned char *input,
+  int inputlen
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Parse a compact ECDSA signature (64 bytes + recovery id).
+ *  Returns: 1 when the signature could be parsed, 0 otherwise
+ *  In:  ctx:     a secp256k1 context object
+ *       input64: a pointer to a 64-byte compact signature
+ *       recid:   the recovery id (0, 1, 2 or 3, or -1 for unknown)
+ *  Out: sig:     a pointer to a signature object
+ *
+ *  If recid is not -1, the resulting signature object will support pubkey
+ *  recovery.
+ */
+int secp256k1_ecdsa_signature_parse_compact(
+  const secp256k1_context_t* ctx,
+  secp256k1_ecdsa_signature_t* sig,
+  const unsigned char *input64,
+  int recid
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize an ECDSA signature in DER format.
+ *  Returns: 1 if enough space was available to serialize, 0 otherwise
+ *  In:     ctx:       a secp256k1 context object
+ *          sig:       a pointer to an initialized signature object
+ *  Out:    output:    a pointer to an array to store the DER serialization
+ *  In/Out: outputlen: a pointer to a length integer. Initially, this integer
+ *                     should be set to the length of output. After the call
+ *                     it will be set to the length of the serialization (even
+ *                     if 0 was returned).
+ */
+int secp256k1_ecdsa_signature_serialize_der(
+  const secp256k1_context_t* ctx,
+  unsigned char *output,
+  int *outputlen,
+  const secp256k1_ecdsa_signature_t* sig
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Serialize an ECDSA signature in compact format (64 bytes + recovery id).
+ *  Returns: 1
+ *  In: ctx:       a secp256k1 context object
+ *      sig:       a pointer to an initialized signature object (cannot be NULL)
+ *  Out: output64: a pointer to a 64-byte array of the compact signature (cannot be NULL)
+ *       recid:    a pointer to an integer to hold the recovery id (can be NULL).
+ *
+ *  If recid is not NULL, the signature must support pubkey recovery.
+ */
+int secp256k1_ecdsa_signature_serialize_compact(
+  const secp256k1_context_t* ctx,
+  unsigned char *output64,
+  int *recid,
+  const secp256k1_ecdsa_signature_t* sig
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
+
 /** Verify an ECDSA signature.
  *  Returns: 1: correct signature
  *           0: incorrect or unparseable signature
@@ -132,10 +206,9 @@ int secp256k1_ec_pubkey_serialize(
 SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(
   const secp256k1_context_t* ctx,
   const unsigned char *msg32,
-  const unsigned char *sig,
-  int siglen,
+  const secp256k1_ecdsa_signature_t *sig,
   const secp256k1_pubkey_t *pubkey
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
 /** A pointer to a function to deterministically generate a nonce.
  * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail.
@@ -168,16 +241,15 @@ extern const secp256k1_nonce_function_t secp256k1_nonce_function_default;
 
 /** Create an ECDSA signature.
  *  Returns: 1: signature created
- *           0: the nonce generation function failed, the private key was invalid, or there is not
- *              enough space in the signature (as indicated by siglen).
+ *           0: the nonce generation function failed, or the private key was invalid.
  *  In:      ctx:    pointer to a context object, initialized for signing (cannot be NULL)
  *           msg32:  the 32-byte message hash being signed (cannot be NULL)
  *           seckey: pointer to a 32-byte secret key (cannot be NULL)
  *           noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
  *           ndata:  pointer to arbitrary data used by the nonce generation function (can be NULL)
  *  Out:     sig:    pointer to an array where the signature will be placed (cannot be NULL)
- *  In/Out:  siglen: pointer to an int with the length of sig, which will be updated
- *                   to contain the actual signature length (<=72).
+ *
+ * The resulting signature will support pubkey recovery.
  *
  * The sig always has an s value in the lower half of the range (From 0x1
  * to 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
@@ -208,50 +280,25 @@ extern const secp256k1_nonce_function_t secp256k1_nonce_function_default;
 int secp256k1_ecdsa_sign(
   const secp256k1_context_t* ctx,
   const unsigned char *msg32,
-  unsigned char *sig,
-  int *siglen,
+  secp256k1_ecdsa_signature_t *sig,
   const unsigned char *seckey,
   secp256k1_nonce_function_t noncefp,
   const void *ndata
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
-
-/** Create a compact ECDSA signature (64 byte + recovery id).
- *  Returns: 1: signature created
- *           0: the nonce generation function failed, or the secret key was invalid.
- *  In:      ctx:    pointer to a context object, initialized for signing (cannot be NULL)
- *           msg32:  the 32-byte message hash being signed (cannot be NULL)
- *           seckey: pointer to a 32-byte secret key (cannot be NULL)
- *           noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
- *           ndata:  pointer to arbitrary data used by the nonce generation function (can be NULL)
- *  Out:     sig:    pointer to a 64-byte array where the signature will be placed (cannot be NULL)
- *                   In case 0 is returned, the returned signature length will be zero.
- *           recid:  pointer to an int, which will be updated to contain the recovery id (can be NULL)
- */
-int secp256k1_ecdsa_sign_compact(
-  const secp256k1_context_t* ctx,
-  const unsigned char *msg32,
-  unsigned char *sig64,
-  const unsigned char *seckey,
-  secp256k1_nonce_function_t noncefp,
-  const void *ndata,
-  int *recid
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
-/** Recover an ECDSA public key from a compact signature.
+/** Recover an ECDSA public key from a signature.
  *  Returns: 1: public key successfully recovered (which guarantees a correct signature).
  *           0: otherwise.
  *  In:      ctx:        pointer to a context object, initialized for verification (cannot be NULL)
  *           msg32:      the 32-byte message hash assumed to be signed (cannot be NULL)
- *           sig64:      signature as 64 byte array (cannot be NULL)
- *           recid:      the recovery id (0-3, as returned by ecdsa_sign_compact)
+ *           sig64:      pointer to initialized signature that supports pubkey recovery (cannot be NULL)
  *  Out:     pubkey:     pointer to the recoved public key (cannot be NULL)
  */
-SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover_compact(
+SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(
   const secp256k1_context_t* ctx,
   const unsigned char *msg32,
-  const unsigned char *sig64,
-  secp256k1_pubkey_t *pubkey,
-  int recid
+  const secp256k1_ecdsa_signature_t *sig,
+  secp256k1_pubkey_t *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
 /** Verify an ECDSA secret key.

src/bench_recover.c

@@ -23,7 +23,9 @@ void bench_recover(void* arg) {
     for (i = 0; i < 20000; i++) {
         int j;
         int pubkeylen = 33;
-        CHECK(secp256k1_ecdsa_recover_compact(data->ctx, data->msg, data->sig, &pubkey, i % 2));
+        secp256k1_ecdsa_signature_t sig;
+        CHECK(secp256k1_ecdsa_signature_parse_compact(data->ctx, &sig, data->sig, i % 2));
+        CHECK(secp256k1_ecdsa_recover(data->ctx, data->msg, &sig, &pubkey));
         CHECK(secp256k1_ec_pubkey_serialize(data->ctx, pubkeyc, &pubkeylen, &pubkey, 1));
         for (j = 0; j < 32; j++) {
             data->sig[j + 32] = data->msg[j];    /* Move former message to S. */

src/bench_sign.c

@@ -30,7 +30,9 @@ static void bench_sign(void* arg) {
     for (i = 0; i < 20000; i++) {
         int j;
         int recid = 0;
-        CHECK(secp256k1_ecdsa_sign_compact(data->ctx, data->msg, sig, data->key, NULL, NULL, &recid));
+        secp256k1_ecdsa_signature_t signature;
+        CHECK(secp256k1_ecdsa_sign(data->ctx, data->msg, &signature, data->key, NULL, NULL));
+        CHECK(secp256k1_ecdsa_signature_serialize_compact(data->ctx, sig, &recid, &signature));
         for (j = 0; j < 32; j++) {
             data->msg[j] = sig[j];             /* Move former R to message. */
             data->key[j] = sig[j + 32];        /* Move former S to key.     */

src/bench_verify.c

@@ -27,11 +27,13 @@ static void benchmark_verify(void* arg) {
 
     for (i = 0; i < 20000; i++) {
         secp256k1_pubkey_t pubkey;
+        secp256k1_ecdsa_signature_t sig;
         data->sig[data->siglen - 1] ^= (i & 0xFF);
         data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF);
         data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF);
         CHECK(secp256k1_ec_pubkey_parse(data->ctx, &pubkey, data->pubkey, data->pubkeylen) == 1);
-        CHECK(secp256k1_ecdsa_verify(data->ctx, data->msg, data->sig, data->siglen, &pubkey) == (i == 0));
+        CHECK(secp256k1_ecdsa_signature_parse_der(data->ctx, &sig, data->sig, data->siglen) == 1);
+        CHECK(secp256k1_ecdsa_verify(data->ctx, data->msg, &sig, &pubkey) == (i == 0));
         data->sig[data->siglen - 1] ^= (i & 0xFF);
         data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF);
         data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF);
@@ -41,14 +43,16 @@ static void benchmark_verify(void* arg) {
 int main(void) {
     int i;
     secp256k1_pubkey_t pubkey;
+    secp256k1_ecdsa_signature_t sig;
     benchmark_verify_t data;
 
     data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
 
     for (i = 0; i < 32; i++) data.msg[i] = 1 + i;
     for (i = 0; i < 32; i++) data.key[i] = 33 + i;
     data.siglen = 72;
-    secp256k1_ecdsa_sign(data.ctx, data.msg, data.sig, &data.siglen, data.key, NULL, NULL);
+    CHECK(secp256k1_ecdsa_sign(data.ctx, data.msg, &sig, data.key, NULL, NULL));
+    CHECK(secp256k1_ecdsa_signature_serialize_der(data.ctx, data.sig, &data.siglen, &sig));
     CHECK(secp256k1_ec_pubkey_create(data.ctx, &pubkey, data.key));
     CHECK(secp256k1_ec_pubkey_serialize(data.ctx, data.pubkey, &data.pubkeylen, &pubkey, 1) == 1);
 

src/ecdsa_impl.h

@@ -118,6 +118,7 @@ static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const se
     while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
     while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
     if (*size < 6+lenS+lenR) {
+        *size = 6 + lenS + lenR;
         return 0;
     }
     *size = 6 + lenS + lenR;