Merge #718: Verify signatures after signing

7b1ad1b Verify signatures after signing (Scott Robinson) Pull request description: ### Description Verify signatures after signing As per [BIP-340, footnote 14][fn]: > Verifying the signature before leaving the signer prevents random or > attacker provoked computation errors. This prevents publishing invalid > signatures which may leak information about the secret key. It is > recommended, but can be omitted if the computation cost is prohibitive. [fn]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#cite_note-14 ### Notes to the reviewers How do we test this? ### Checklists #### All Submissions: * [ ] I've signed all my commits * [x] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk/blob/master/CONTRIBUTING.md) * [x] I ran `cargo fmt` and `cargo clippy` before committing ACKs for top commit: afilini: re-ACK 7b1ad1b Tree-SHA512: 7319db1f8cec2fcfe4ac443ab5728893f9fb6133b33331b35ec6910662c45de8a7cdcf80ac1f3bb435815e914ccf639682a5c07ff0baef42605bf044a34a8232
bitcoindevkit · Aug 25, 2022 · 0a3734e · 0a3734e
2 parents a5d1a3d + 7b1ad1b
commit 0a3734e
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/src/wallet/signer.rs b/src/wallet/signer.rs
@@ -475,10 +475,10 @@ fn sign_psbt_ecdsa(
  hash_ty: EcdsaSighashType,
  secp: &SecpCtx,
 ) {
- let sig = secp.sign_ecdsa(
-  &Message::from_slice(&hash.into_inner()[..]).unwrap(),
-  secret_key,
- );
+ let msg = &Message::from_slice(&hash.into_inner()[..]).unwrap();
+ let sig = secp.sign_ecdsa(msg, secret_key);
+ secp.verify_ecdsa(msg, &sig, &pubkey.inner)
+  .expect("invalid or corrupted ecdsa signature");
 
  let final_signature = ecdsa::EcdsaSig { sig, hash_ty };
  psbt_input.partial_sigs.insert(pubkey, final_signature);
@@ -504,10 +504,10 @@ fn sign_psbt_schnorr(
  Some(_) => keypair, // no tweak for script spend
  };
 
- let sig = secp.sign_schnorr(
-  &Message::from_slice(&hash.into_inner()[..]).unwrap(),
-  &keypair,
- );
+ let msg = &Message::from_slice(&hash.into_inner()[..]).unwrap();
+ let sig = secp.sign_schnorr(msg, &keypair);
+ secp.verify_schnorr(&sig, msg, &XOnlyPublicKey::from_keypair(&keypair))
+  .expect("invalid or corrupted schnorr signature");
 
  let final_signature = schnorr::SchnorrSig { sig, hash_ty };