keystore: port antiklepto protocol test to Rust

Author: benma's agent

src/rust/bitbox02-rust/src/hww/api/bitcoin/signtx.rs

@@ -2695,8 +2695,8 @@ mod tests {
         let host_nonce = hex!("abababababababababababababababababababababababababababababababab");
         // The host nonce commitment value does not impact this test, but an invalid commitment
         // would fail the antiklepto signature check on the host. The host check is skipped here and
-        // tested in test_keystore_antiklepto.c. That the host nonce was included in the sig is
-        // tested by the siganture fixture test below.x
+        // tested in keystore::tests::test_secp256k1_antiklepto_protocol. That the host nonce was included in the sig is
+        // tested by the signature fixture test below.
         let host_nonce_commitment = pb::AntiKleptoHostNonceCommitment {
             commitment: bitbox02::secp256k1::ecdsa_anti_exfil_host_commit(SECP256K1, &host_nonce)
                 .unwrap(),

src/rust/bitbox02-rust/src/keystore.rs

@@ -1202,6 +1202,67 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_secp256k1_antiklepto_protocol() {
+        mock_unlocked();
+
+        let mut keypath = [84 + HARDENED, 1 + HARDENED, 0 + HARDENED, 0, 0];
+        let mut msg = [0x23u8; 32];
+        let mut host_nonce = [0x55u8; 32];
+
+        for index in 0..3 {
+            keypath[4] = index;
+            msg[0] = index as u8;
+            host_nonce[0] = index as u8;
+
+            // Protocol steps are described in secp256k1/include/secp256k1_ecdsa_s2c.h under
+            // "ECDSA Anti-Klepto Protocol".
+
+            // Protocol step 1.
+            let host_commitment_vec =
+                bitbox02::secp256k1::ecdsa_anti_exfil_host_commit(SECP256K1, &host_nonce).unwrap();
+            let host_commitment: [u8; 32] = host_commitment_vec.try_into().unwrap();
+
+            // Get pubkey at keypath.
+            let private_key = secp256k1_get_private_key(&keypath).unwrap();
+            let private_key_bytes: [u8; 32] = private_key.as_slice().try_into().unwrap();
+            let secret_key = secp256k1::SecretKey::from_slice(&private_key_bytes).unwrap();
+            let public_key = secret_key.public_key(SECP256K1);
+
+            // Commit - protocol step 2.
+            let signer_commitment =
+                secp256k1_nonce_commit(&private_key_bytes, &msg, &host_commitment).unwrap();
+            // Protocol step 3: host_nonce sent from host to signer to be used in step 4.
+            // Sign - protocol step 4.
+            let sign_result = secp256k1_sign(&private_key_bytes, &msg, &host_nonce).unwrap();
+
+            let signature =
+                secp256k1::ecdsa::Signature::from_compact(&sign_result.signature).unwrap();
+            // Protocol step 5: host verification.
+            bitbox02::secp256k1::anti_exfil_host_verify(
+                SECP256K1,
+                &signature,
+                &msg,
+                &public_key,
+                &host_nonce,
+                &signer_commitment,
+            )
+            .unwrap();
+
+            let message = secp256k1::Message::from_digest_slice(&msg).unwrap();
+            let recoverable_sig = secp256k1::ecdsa::RecoverableSignature::from_compact(
+                &sign_result.signature,
+                secp256k1::ecdsa::RecoveryId::from_i32(sign_result.recid as i32).unwrap(),
+            )
+            .unwrap();
+            assert!(
+                SECP256K1
+                    .verify_ecdsa(&message, &recoverable_sig.to_standard(), &public_key)
+                    .is_ok()
+            );
+        }
+    }
+
     #[test]
     fn test_secp256k1_schnorr_sign() {
         mock_unlocked_using_mnemonic(

src/rust/bitbox02-sys/build.rs

@@ -51,6 +51,9 @@ const ALLOWLIST_TYPES: &[&str] = &[
     "confirm_params_t",
     "trinary_input_string_params_t",
     "securechip_error_t",
+    "secp256k1_ecdsa_s2c_opening",
+    "secp256k1_ecdsa_signature",
+    "secp256k1_pubkey",
 ];
 
 const ALLOWLIST_FNS: &[&str] = &[
@@ -141,6 +144,8 @@ const ALLOWLIST_FNS: &[&str] = &[
     "sd_write_bin",
     "sdcard_create",
     "secp256k1_ecdsa_anti_exfil_host_commit",
+    "secp256k1_ecdsa_s2c_opening_parse",
+    "secp256k1_anti_exfil_host_verify",
     "securechip_attestation_sign",
     "securechip_kdf",
     "securechip_model",

src/rust/bitbox02/src/secp256k1.rs

@@ -32,6 +32,40 @@ pub fn ecdsa_anti_exfil_host_commit(secp: &Secp256k1<All>, rand32: &[u8]) -> Res
     }
 }
 
+#[cfg(feature = "testing")]
+pub fn anti_exfil_host_verify(
+    secp: &Secp256k1<All>,
+    signature: &bitcoin::secp256k1::ecdsa::Signature,
+    msg: &[u8; 32],
+    pubkey: &bitcoin::secp256k1::PublicKey,
+    host_nonce: &[u8; 32],
+    signer_commitment: &[u8; 33],
+) -> Result<(), ()> {
+    let mut opening = core::mem::MaybeUninit::<bitbox02_sys::secp256k1_ecdsa_s2c_opening>::uninit();
+    let parse_res = unsafe {
+        bitbox02_sys::secp256k1_ecdsa_s2c_opening_parse(
+            secp.ctx().as_ptr().cast(),
+            opening.as_mut_ptr(),
+            signer_commitment.as_ptr(),
+        )
+    };
+    if parse_res != 1 {
+        return Err(());
+    }
+    let opening = unsafe { opening.assume_init() };
+    let verify_res = unsafe {
+        bitbox02_sys::secp256k1_anti_exfil_host_verify(
+            secp.ctx().as_ptr().cast(),
+            signature.as_c_ptr() as *const bitbox02_sys::secp256k1_ecdsa_signature,
+            msg.as_ptr(),
+            pubkey.as_c_ptr() as *const bitbox02_sys::secp256k1_pubkey,
+            host_nonce.as_ptr(),
+            &opening,
+        )
+    };
+    if verify_res == 1 { Ok(()) } else { Err(()) }
+}
+
 pub fn dleq_prove(
     secp: &Secp256k1<All>,
     sk: &[u8; 32],

test/unit-test/CMakeLists.txt

@@ -49,8 +49,6 @@ target_include_directories(mocks
 set(TEST_LIST
    cleanup
    "-Wl,--wrap=util_cleanup_32"
-   keystore_antiklepto
-   ""
    gestures
    ""
    random