1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181

use crate::internal_prelude::*;

#[cfg(feature = "secp256k1_sign_and_validate")]
pub fn recover_secp256k1(
    signed_hash: &Hash,
    signature: &Secp256k1Signature,
) -> Option<Secp256k1PublicKey> {
    let recovery_id = signature.0[0];
    let signature_data = &signature.0[1..];
    if let Ok(id) = ::secp256k1::ecdsa::RecoveryId::from_i32(recovery_id.into()) {
        if let Ok(sig) = ::secp256k1::ecdsa::RecoverableSignature::from_compact(signature_data, id)
        {
            let msg = ::secp256k1::Message::from_slice(&signed_hash.0)
                .expect("Hash is always a valid message");

            if let Ok(pk) = SECP256K1_CTX.recover_ecdsa(&msg, &sig) {
                return Some(Secp256k1PublicKey(pk.serialize()));
            }
        }
    }
    None
}

#[cfg(feature = "secp256k1_sign_and_validate")]
pub fn verify_secp256k1(
    signed_hash: &Hash,
    public_key: &Secp256k1PublicKey,
    signature: &Secp256k1Signature,
) -> bool {
    let recovery_id = signature.0[0];
    let signature_data = &signature.0[1..];
    if ::secp256k1::ecdsa::RecoveryId::from_i32(recovery_id.into()).is_ok() {
        if let Ok(sig) = ::secp256k1::ecdsa::Signature::from_compact(signature_data) {
            if let Ok(pk) = ::secp256k1::PublicKey::from_slice(&public_key.0) {
                let msg = ::secp256k1::Message::from_slice(&signed_hash.0)
                    .expect("Hash is always a valid message");
                return SECP256K1_CTX.verify_ecdsa(&msg, &sig, &pk).is_ok();
            }
        }
    }

    false
}

pub fn verify_ed25519(
    signed_hash: &Hash,
    public_key: &Ed25519PublicKey,
    signature: &Ed25519Signature,
) -> bool {
    if let Ok(sig) = ed25519_dalek::Signature::from_bytes(&signature.0) {
        if let Ok(pk) = ed25519_dalek::PublicKey::from_bytes(&public_key.0) {
            return pk.verify_strict(&signed_hash.0, &sig).is_ok();
        }
    }

    false
}

/// Performs BLS12-381 G2 signature verification.
/// Domain specifier tag: BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
pub fn verify_bls12381_v1(
    message: &[u8],
    public_key: &Bls12381G1PublicKey,
    signature: &Bls12381G2Signature,
) -> bool {
    if let Ok(sig) = blst::min_pk::Signature::from_bytes(&signature.0) {
        if let Ok(pk) = blst::min_pk::PublicKey::from_bytes(&public_key.0) {
            let result = sig.verify(true, message, BLS12381_CIPHERSITE_V1, &[], &pk, true);

            match result {
                blst::BLST_ERROR::BLST_SUCCESS => return true,
                _ => return false,
            }
        }
    }

    false
}

#[cfg(any(target_arch = "wasm32", feature = "alloc"))]
/// Local implementation of aggregated verify for no_std and WASM32 variants (no threads)
/// see: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05#name-coreaggregateverify
/// Inspired with blst::min_pk::Signature::aggregate_verify
fn aggregate_verify_bls12381_v1_no_threads(
    pub_keys_and_msgs: &[(Bls12381G1PublicKey, Vec<u8>)],
    signature: blst::min_pk::Signature,
) -> bool {
    // Below structs are copies of PublicKey and Signature
    // Redefining them to be able to access point field, which is private for PublicKey and Signature
    struct LocalPublicKey {
        point: blst::blst_p1_affine,
    }
    struct LocalSignature {
        point: blst::blst_p2_affine,
    }
    let mut pairing = blst::Pairing::new(true, BLS12381_CIPHERSITE_V1);

    // Aggregate
    for (pk, msg) in pub_keys_and_msgs.iter() {
        if let Ok(pk) = blst::min_pk::PublicKey::from_bytes(&pk.0) {
            // transmute to LocalPublicKey to access point field
            let local_pk: LocalPublicKey = unsafe { core::mem::transmute(pk) };

            if pairing.aggregate(
                &local_pk.point,
                true,
                &unsafe { core::ptr::null::<blst::blst_p2_affine>().as_ref() },
                false,
                msg,
                &[],
            ) != blst::BLST_ERROR::BLST_SUCCESS
            {
                return false;
            }
        } else {
            return false;
        }
    }
    pairing.commit();

    if let Err(_err) = signature.validate(false) {
        return false;
    }

    // transmute to LocalSignature to access point field
    let local_sig: LocalSignature = unsafe { core::mem::transmute(signature) };
    let mut gtsig = blst::blst_fp12::default();
    blst::Pairing::aggregated(&mut gtsig, &local_sig.point);

    pairing.finalverify(Some(&gtsig))
}

/// Performs BLS12-381 G2 aggregated signature verification of
/// multiple messages each signed with different key.
/// Domain specifier tag: BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
pub fn aggregate_verify_bls12381_v1(
    pub_keys_and_msgs: &[(Bls12381G1PublicKey, Vec<u8>)],
    signature: &Bls12381G2Signature,
) -> bool {
    if let Ok(sig) = blst::min_pk::Signature::from_bytes(&signature.0) {
        #[cfg(not(any(target_arch = "wasm32", feature = "alloc")))]
        {
            let mut pks = vec![];
            let mut msg_refs = vec![];
            for (pk, msg) in pub_keys_and_msgs.iter() {
                if let Ok(pk) = blst::min_pk::PublicKey::from_bytes(&pk.0) {
                    pks.push(pk);
                } else {
                    return false;
                }
                msg_refs.push(msg.as_slice());
            }
            let pks_refs: Vec<&blst::min_pk::PublicKey> = pks.iter().collect();

            let result =
                sig.aggregate_verify(true, &msg_refs, BLS12381_CIPHERSITE_V1, &pks_refs, true);

            matches!(result, blst::BLST_ERROR::BLST_SUCCESS)
        }

        #[cfg(any(target_arch = "wasm32", feature = "alloc"))]
        aggregate_verify_bls12381_v1_no_threads(pub_keys_and_msgs, sig)
    } else {
        false
    }
}

/// Performs BLS12-381 G2 aggregated signature verification
/// one message signed with multiple keys.
/// Domain specifier tag: BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_
pub fn fast_aggregate_verify_bls12381_v1(
    message: &[u8],
    public_keys: &[Bls12381G1PublicKey],
    signature: &Bls12381G2Signature,
) -> bool {
    if let Ok(agg_pk) = Bls12381G1PublicKey::aggregate(public_keys) {
        return verify_bls12381_v1(message, &agg_pk, signature);
    }

    false
}