use secp256k1 for producing ecdsa signature (#2766)

* use secp256k1 for producing ecdsa signature

* toml fmt

* debug: fmt

* add bitacross build GHA

* delete gha yaml

---------

Co-authored-by: Kai <[email protected]>
Co-authored-by: WMQ <[email protected]>
Co-authored-by: Minqi Wang <[email protected]>
Co-authored-by: mi1ktea <[email protected]>

bitacross-worker/core-primitives/sgx/crypto/Cargo.toml

@@ -12,6 +12,7 @@ derive_more = { version = "0.99.5" }
 k256 = { version = "0.13.3", default-features = false, features = ["ecdsa-core", "schnorr", "alloc"] }
 log = { version = "0.4", default-features = false }
 ofb = { version = "0.4.0" }
+secp256k1 = { version = "0.29.0", default-features = false, features = ["alloc", "recovery"] }
 serde_json = { version = "1.0", default-features = false, features = ["alloc"], optional = true }
 
 # sgx deps

bitacross-worker/core-primitives/sgx/crypto/src/ecdsa.rs

@@ -22,7 +22,7 @@ use k256::{
 	elliptic_curve::group::GroupEncoding,
 	PublicKey,
 };
-use std::string::ToString;
+use secp256k1::Message;
 
 /// File name of the sealed seed file.
 pub const SEALED_SIGNER_SEED_FILE: &str = "ecdsa_key_sealed.bin";
@@ -55,13 +55,20 @@ impl Pair {
 
 	// sign the prehashed message
 	pub fn sign_prehash_recoverable(&self, payload: &[u8]) -> Result<[u8; 65]> {
-		let (signature, rid) = self
-			.private
-			.sign_prehash_recoverable(payload)
-			.map_err(|e| Error::Other(e.to_string().into()))?;
+		let secret = secp256k1::SecretKey::from_slice(&self.private_bytes())
+			.map_err(|e| Error::Other(format!("SecKey error {:?}", e).into()))?;
+		let secp = secp256k1::Secp256k1::new();
+		let msg = Message::from_digest_slice(payload).map_err(|e| {
+			Error::Other(
+				format!("Could not create message from given prehashed payload {:?}", e).into(),
+			)
+		})?;
+		let sig = secp.sign_ecdsa_recoverable(&msg, &secret);
+
+		let (rid, sig_bytes) = sig.serialize_compact();
 		let mut bytes = [0u8; 65];
-		bytes[..64].copy_from_slice(signature.to_vec().as_slice());
-		bytes[64] = rid.to_byte();
+		bytes[..64].copy_from_slice(sig_bytes.as_slice());
+		bytes[64] = rid.to_i32().to_le_bytes()[0];
 		Ok(bytes)
 	}
 }
@@ -152,6 +159,7 @@ pub mod sgx_tests {
 	};
 	use itp_sgx_temp_dir::TempDir;
 	use k256::ecdsa::VerifyingKey;
+	use secp256k1::Message;
 	use sgx_tstd::path::PathBuf;
 
 	pub fn ecdsa_creating_repository_with_same_path_and_prefix_results_in_same_key() {
@@ -210,10 +218,18 @@ pub mod sgx_tests {
 		let message = [1u8; 32];
 
 		//when
-		let (signature, rid) = &pair.private.sign_prehash_recoverable(&message).unwrap();
+		let signature = &pair.sign_prehash_recoverable(&message).unwrap();
 
 		//then
-		let verifying_key = VerifyingKey::recover_from_prehash(&message, signature, *rid).unwrap();
-		assert_eq!(verifying_key, VerifyingKey::from(&pair.private));
+		let msg = Message::from_digest_slice(&message).unwrap();
+		let id = secp256k1::ecdsa::RecoveryId::from_i32(signature[64] as i32).unwrap();
+		let sig =
+			secp256k1::ecdsa::RecoverableSignature::from_compact(&signature[0..64], id).unwrap();
+		let secp = secp256k1::Secp256k1::new();
+		let pub_key = secp.recover_ecdsa(&msg, &sig).unwrap();
+		assert_eq!(
+			pub_key,
+			secp256k1::PublicKey::from_slice(&pair.public.to_sec1_bytes()).unwrap()
+		);
 	}
 }

bitacross-worker/core-primitives/sgx/crypto/src/lib.rs

@@ -73,6 +73,5 @@ pub mod tests {
 		schnorr_creating_repository_with_same_path_and_prefix_results_in_same_key,
 		schnorr_seal_init_should_create_new_key_if_not_present,
 		schnorr_seal_init_should_not_change_key_if_exists,
-		schnorr_sign_should_produce_valid_signature,
 	};
 }

bitacross-worker/core-primitives/sgx/crypto/src/schnorr.rs

@@ -17,12 +17,7 @@
 pub use sgx::*;
 
 use crate::error::{Error, Result};
-use k256::{
-	elliptic_curve::group::GroupEncoding,
-	schnorr::{signature::Signer, Signature, SigningKey},
-	PublicKey,
-};
-use std::string::ToString;
+use k256::{elliptic_curve::group::GroupEncoding, schnorr::SigningKey, PublicKey};
 
 /// File name of the sealed seed file.
 pub const SEALED_SIGNER_SEED_FILE: &str = "schnorr_key_sealed.bin";
@@ -54,12 +49,6 @@ impl Pair {
 		// safe to unwrap here
 		self.private.to_bytes().as_slice().try_into().unwrap()
 	}
-
-	pub fn sign(&self, payload: &[u8]) -> Result<[u8; 64]> {
-		let signature: Signature =
-			self.private.try_sign(payload).map_err(|e| Error::Other(e.to_string().into()))?;
-		Ok(signature.to_bytes())
-	}
 }
 
 #[cfg(feature = "sgx")]
@@ -151,7 +140,6 @@ pub mod sgx_tests {
 		std::string::ToString,
 	};
 	use itp_sgx_temp_dir::TempDir;
-	use k256::schnorr::{signature::Verifier, Signature, VerifyingKey};
 	use std::path::PathBuf;
 
 	pub fn schnorr_creating_repository_with_same_path_and_prefix_results_in_same_key() {
@@ -201,19 +189,4 @@ pub mod sgx_tests {
 		//then
 		assert_eq!(pair.public, new_pair.public);
 	}
-
-	pub fn schnorr_sign_should_produce_valid_signature() {
-		//given
-		let temp_dir = TempDir::with_prefix("ecdsa_sign_should_produce_valid_signature").unwrap();
-		let seal = Seal::new(temp_dir.path().to_path_buf(), "test".to_string());
-		let pair = seal.init().unwrap();
-		let message = [1; 32];
-
-		//when
-		let signature = Signature::try_from(pair.sign(&message).unwrap().as_slice()).unwrap();
-
-		//then
-		let verifying_key = VerifyingKey::try_from(&pair.public).unwrap();
-		assert!(verifying_key.verify(&message, &signature).is_ok());
-	}
 }

bitacross-worker/enclave-runtime/src/test/tests_main.rs

@@ -91,7 +91,6 @@ pub extern "C" fn test_main_entrance() -> size_t {
 		itp_sgx_crypto::tests::schnorr_creating_repository_with_same_path_and_prefix_results_in_same_key,
 		itp_sgx_crypto::tests::schnorr_seal_init_should_create_new_key_if_not_present,
 		itp_sgx_crypto::tests::schnorr_seal_init_should_not_change_key_if_exists,
-		itp_sgx_crypto::tests::schnorr_sign_should_produce_valid_signature,
 		test_submit_trusted_call_to_top_pool,
 		test_submit_trusted_getter_to_top_pool,
 		test_differentiate_getter_and_call_works,