keystore: port secp256k1_schnorr_bip86_pubkey to Rust

Since the inclusion of the miniscript feature and rust-miniscript dep,
we depend on rust-bitcoin and rust-secp256k1, so we can make use of it
instead of manually wrapping secp256k1. This does not change the
binary size.

The deleted C test was already previously replicated in
`test_schnorr_bip86_pubkey` in bip32.rs.

Author: benma

src/keystore.c

@@ -826,46 +826,6 @@ USE_RESULT bool keystore_encode_xpub_at_keypath(
            WALLY_OK;
 }
 
-static void _tagged_hash(const char* tag, const uint8_t* msg, size_t msg_len, uint8_t* hash_out)
-{
-    uint8_t tag_hash[32] = {0};
-    rust_sha256(tag, strlen(tag), tag_hash);
-    void* hash_ctx = rust_sha256_new();
-    rust_sha256_update(hash_ctx, tag_hash, sizeof(tag_hash));
-    rust_sha256_update(hash_ctx, tag_hash, sizeof(tag_hash));
-    rust_sha256_update(hash_ctx, msg, msg_len);
-    rust_sha256_finish(&hash_ctx, hash_out);
-}
-
-bool keystore_secp256k1_schnorr_bip86_pubkey(const uint8_t* pubkey33, uint8_t* pubkey_out)
-{
-    const secp256k1_context* ctx = wally_get_secp_context();
-
-    secp256k1_pubkey pubkey = {0};
-    if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkey33, 33)) {
-        return false;
-    }
-    secp256k1_xonly_pubkey xonly_pubkey = {0};
-    if (!secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pubkey, NULL, &pubkey)) {
-        return false;
-    }
-    uint8_t xonly_pubkey_serialized[32] = {0};
-    if (!secp256k1_xonly_pubkey_serialize(ctx, xonly_pubkey_serialized, &xonly_pubkey)) {
-        return false;
-    }
-    uint8_t hash[32] = {0};
-    secp256k1_pubkey tweaked_pubkey = {0};
-    _tagged_hash("TapTweak", xonly_pubkey_serialized, sizeof(xonly_pubkey_serialized), hash);
-    if (!secp256k1_xonly_pubkey_tweak_add(ctx, &tweaked_pubkey, &xonly_pubkey, hash)) {
-        return false;
-    }
-    secp256k1_xonly_pubkey tweaked_xonly_pubkey = {0};
-    if (!secp256k1_xonly_pubkey_from_pubkey(ctx, &tweaked_xonly_pubkey, NULL, &tweaked_pubkey)) {
-        return false;
-    }
-    return secp256k1_xonly_pubkey_serialize(ctx, pubkey_out, &tweaked_xonly_pubkey) == 1;
-}
-
 static bool _schnorr_keypair(
     const uint32_t* keypath,
     size_t keypath_len,

src/keystore.h

@@ -266,23 +266,7 @@ USE_RESULT bool keystore_encode_xpub_at_keypath(
     uint8_t* out);
 
 /**
- * Return the tweaked taproot pubkey.
- *
- * Instead of returning the original pubkey directly, it is tweaked with the hash of the pubkey.
- *
- * See
- * https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
- *
- * @param[in] pubkey33 33 byte compressed pubkey.
- * @param[out] pubkey_out 32 byte x-only pubkey (see BIP-340 for details).
- */
-USE_RESULT bool keystore_secp256k1_schnorr_bip86_pubkey(
-    const uint8_t* pubkey33,
-    uint8_t* pubkey_out);
-
-/**
- * Sign a message that verifies against the pubkey returned by
- * `keystore_secp256k1_schnorr_bip86_pubkey()`.
+ * Sign a message that verifies against the pubkey tweaked using BIP-86.
  *
  * @param[in] keypath derivation keypath
  * @param[in] keypath_len number of elements in keypath

src/rust/bitbox02-rust/src/bip32.rs

@@ -137,7 +137,14 @@ impl Xpub {
     /// See
     /// https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
     pub fn schnorr_bip86_pubkey(&self) -> Result<[u8; 32], ()> {
-        bitbox02::keystore::secp256k1_schnorr_bip86_pubkey(self.public_key())
+        use bitcoin::key::TapTweak;
+        let untweaked_pubkey: bitcoin::key::UntweakedPublicKey =
+            bitcoin::key::PublicKey::from_slice(self.public_key())
+                .map_err(|_| ())?
+                .into();
+        let secp = bitcoin::secp256k1::Secp256k1::new();
+        let (tweaked, _) = untweaked_pubkey.tap_tweak(&secp, None);
+        Ok(tweaked.serialize())
     }
 }
 

src/rust/bitbox02-sys/build.rs

@@ -74,7 +74,6 @@ const ALLOWLIST_FNS: &[&str] = &[
     "keystore_mock_unlocked",
     "keystore_secp256k1_get_private_key",
     "keystore_secp256k1_nonce_commit",
-    "keystore_secp256k1_schnorr_bip86_pubkey",
     "keystore_secp256k1_schnorr_sign",
     "keystore_secp256k1_sign",
     "keystore_unlock",

src/rust/bitbox02/src/keystore.rs

@@ -360,19 +360,6 @@ pub fn secp256k1_schnorr_sign(
     }
 }
 
-pub fn secp256k1_schnorr_bip86_pubkey(pubkey33: &[u8]) -> Result<[u8; 32], ()> {
-    let mut pubkey = [0u8; 32];
-    match unsafe {
-        bitbox02_sys::keystore_secp256k1_schnorr_bip86_pubkey(
-            pubkey33.as_ptr(),
-            pubkey.as_mut_ptr(),
-        )
-    } {
-        true => Ok(pubkey),
-        false => Err(()),
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;

test/unit-test/test_keystore.c

@@ -638,68 +638,6 @@ static void _test_secp256k1_schnorr_sign(void** state)
     }
 }
 
-static void _test_keystore_secp256k1_schnorr_bip86_pubkey(void** state)
-{
-    // Test vectors from:
-    // https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#test-vectors
-    // Here we only test the creation of the tweaked pubkkey.
-    _mock_with_mnemonic(
-        "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon "
-        "about",
-        "");
-    {
-        const uint32_t keypath[] = {
-            86 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0,
-            0,
-        };
-        struct ext_key xpub = {0};
-        assert_true(keystore_get_xpub(keypath, 5, &xpub));
-        uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
-        const uint8_t expected_pubkey[32] =
-            "\xa6\x08\x69\xf0\xdb\xcf\x1d\xc6\x59\xc9\xce\xcb\xaf\x80\x50\x13\x5e\xa9\xe8\xcd\xc4"
-            "\x87\x05\x3f\x1d\xc6\x88\x09\x49\xdc\x68\x4c";
-        assert_memory_equal(pubkey, expected_pubkey, sizeof(pubkey));
-    }
-    {
-        const uint32_t keypath[] = {
-            86 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0,
-            1,
-        };
-        struct ext_key xpub = {0};
-        assert_true(keystore_get_xpub(keypath, 5, &xpub));
-        uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
-        const uint8_t expected_pubkey[32] =
-            "\xa8\x2f\x29\x94\x4d\x65\xb8\x6a\xe6\xb5\xe5\xcc\x75\xe2\x94\xea\xd6\xc5\x93\x91\xa1"
-            "\xed\xc5\xe0\x16\xe3\x49\x8c\x67\xfc\x7b\xbb";
-        assert_memory_equal(pubkey, expected_pubkey, sizeof(pubkey));
-    }
-    {
-        const uint32_t keypath[] = {
-            86 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            0 + BIP32_INITIAL_HARDENED_CHILD,
-            1,
-            0,
-        };
-        struct ext_key xpub = {0};
-        assert_true(keystore_get_xpub(keypath, 5, &xpub));
-        uint8_t pubkey[32] = {0};
-        assert_true(keystore_secp256k1_schnorr_bip86_pubkey(xpub.pub_key, pubkey));
-        const uint8_t expected_pubkey[32] =
-            "\x88\x2d\x74\xe5\xd0\x57\x2d\x5a\x81\x6c\xef\x00\x41\xa9\x6b\x6c\x1d\xe8\x32\xf6\xf9"
-            "\x67\x6d\x96\x05\xc4\x4d\x5e\x9a\x97\xd3\xdc";
-        assert_memory_equal(pubkey, expected_pubkey, sizeof(pubkey));
-    }
-}
-
 static void _test_keystore_secp256k1_schnorr_sign(void** state)
 {
     _mock_with_mnemonic(
@@ -762,7 +700,6 @@ int main(void)
         cmocka_unit_test(_test_keystore_create_and_store_seed),
         cmocka_unit_test(_test_keystore_get_ed25519_seed),
         cmocka_unit_test(_test_secp256k1_schnorr_sign),
-        cmocka_unit_test(_test_keystore_secp256k1_schnorr_bip86_pubkey),
         cmocka_unit_test(_test_keystore_secp256k1_schnorr_sign),
     };
     return cmocka_run_group_tests(tests, NULL, NULL);