tests_wycheproof_generate_ecdh.py

Go to the documentation of this file.

#!/usr/bin/env python3
# Copyright (c) 2024 Random "Randy" Lattice and Sean Andersen
# Distributed under the MIT software license, see the accompanying
# file COPYING or https://www.opensource.org/licenses/mit-license.php.
'''
Generate a C file with ECDH testvectors from the Wycheproof project.
'''

import json
import sys

from binascii import hexlify, unhexlify
from wycheproof_utils import to_c_array

def should_skip_flags(test_vector_flags):
    # skip these vectors because they are for ASN.1 encoding issues and other curves.
    # for more details, see https://github.com/bitcoin-core/secp256k1/pull/1492#discussion_r1572491546
    flags_to_skip = {"InvalidAsn", "WrongCurve"}
    return any(flag in test_vector_flags for flag in flags_to_skip)

def should_skip_tcid(test_vector_tcid):
    # We skip some test case IDs that have a public key whose custom ASN.1 representation explicitly
    # encodes some curve parameters that are invalid. libsecp256k1 never parses this part so we do
    # not care testing those. See https://github.com/bitcoin-core/secp256k1/pull/1492#discussion_r1572491546
    tcids_to_skip = [496, 497, 502, 503, 504, 505, 507]
    return test_vector_tcid in tcids_to_skip

# Rudimentary ASN.1 DER public key parser.
# This should not be used for anything other than parsing Wycheproof test vectors.
def parse_der_pk(s):
    tag = s[0]
    L = int(s[1])
    offset = 0
    if L & 0x80:
        if L == 0x81:
            L = int(s[2])
            offset = 1
        elif L == 0x82:
            L = 256 * int(s[2]) + int(s[3])
            offset = 2
        else:
            raise ValueError("invalid L")
    value = s[(offset + 2):(L + 2 + offset)]
    rest = s[(L + 2 + offset):]

    if len(rest) > 0 or tag == 0x06: # OBJECT IDENTIFIER
        return parse_der_pk(rest)
    if tag == 0x03: # BIT STRING
        return value
    if tag == 0x30: # SEQUENCE
        return parse_der_pk(value)
    raise ValueError("unknown tag")

def parse_public_key(pk):
    der_pub_key = parse_der_pk(unhexlify(pk))   # Convert back to str and strip off the `0x`
    return hexlify(der_pub_key).decode()[2:]

def normalize_private_key(sk):
    # Ensure the private key is at most 64 characters long, retaining the last 64 if longer.
    # In the wycheproof test vectors, some private keys have leading zeroes
    normalized = sk[-64:].zfill(64)
    if len(normalized) != 64:
        raise ValueError("private key must be exactly 64 characters long.")
    return normalized

def normalize_expected_result(er):
    result_mapping = {"invalid": 0, "valid": 1, "acceptable": 1}
    return result_mapping[er]

filename_input = sys.argv[1]

with open(filename_input) as f:
    doc = json.load(f)

num_vectors = 0
offset_sk_running, offset_pk_running, offset_shared = 0, 0, 0
test_vectors_out = ""
private_keys = ""
shared_secrets = ""
public_keys = ""
cache_sks = {}
cache_public_keys = {}

for group in doc['testGroups']:
    assert group["type"] == "EcdhTest"
    assert group["curve"] == "secp256k1"
    for test_vector in group['tests']:
        if should_skip_flags(test_vector['flags']) or should_skip_tcid(test_vector['tcId']):
            continue

        public_key = parse_public_key(test_vector['public'])
        private_key = normalize_private_key(test_vector['private'])
        expected_result = normalize_expected_result(test_vector['result'])

        # // 2 to convert hex to byte length
        shared_size = len(test_vector['shared']) // 2
        sk_size = len(private_key) // 2
        pk_size = len(public_key) // 2

        new_sk = False
        sk = to_c_array(private_key)
        sk_offset = offset_sk_running

        # check for repeated sk
        if sk not in cache_sks:
            if num_vectors != 0 and sk_size != 0:
                private_keys += ",\n  "
            cache_sks[sk] = offset_sk_running
            private_keys += sk
            new_sk = True
        else:
            sk_offset = cache_sks[sk]

        new_pk = False
        pk = to_c_array(public_key) if public_key != '0x' else ''

        pk_offset = offset_pk_running
        # check for repeated pk
        if pk not in cache_public_keys:
            if num_vectors != 0 and len(pk) != 0:
                public_keys += ",\n  "
            cache_public_keys[pk] = offset_pk_running
            public_keys += pk
            new_pk = True
        else:
            pk_offset = cache_public_keys[pk]


        shared_secrets += ",\n  " if num_vectors and shared_size else ""
        shared_secrets += to_c_array(test_vector['shared'])
        wycheproof_tcid = test_vector['tcId']

        test_vectors_out += "  /" + "* tcId: " + str(test_vector['tcId']) + ". " + test_vector['comment'] + " *" + "/\n"
        test_vectors_out += f"  {{{pk_offset}, {pk_size}, {sk_offset}, {sk_size}, {offset_shared}, {shared_size}, {expected_result}, {wycheproof_tcid} }},\n"
        if new_sk:
            offset_sk_running += sk_size
        if new_pk:
            offset_pk_running += pk_size
        offset_shared += shared_size
        num_vectors += 1

struct_definition = """
typedef struct {
    size_t pk_offset;
    size_t pk_len;
    size_t sk_offset;
    size_t sk_len;
    size_t shared_offset;
    size_t shared_len;
    int expected_result;
    int wycheproof_tcid;
} wycheproof_ecdh_testvector;
"""

print("/* Note: this file was autogenerated using tests_wycheproof_ecdh.py. Do not edit. */")
print(f"#define SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS ({num_vectors})")

print(struct_definition)

print("static const unsigned char wycheproof_ecdh_private_keys[]    = { " + private_keys + "};\n")
print("static const unsigned char wycheproof_ecdh_public_keys[] = { " + public_keys + "};\n")
print("static const unsigned char wycheproof_ecdh_shared_secrets[]  = { " + shared_secrets + "};\n")

print("static const wycheproof_ecdh_testvector testvectors[SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS] = {")
print(test_vectors_out)
print("};")