Add 'tweak' output parameter to bip32_CKDpub; exposed BIP341 constants

src/crypto.c

@@ -43,9 +43,9 @@
 #include "secp256k1.h"
 
 /* BIP0341 tags for computing the tagged hashes when tweaking public keys */
-static const uint8_t BIP0341_taptweak_tag[] = {'T', 'a', 'p', 'T', 'w', 'e', 'a', 'k'};
-static const uint8_t BIP0341_tapbranch_tag[] = {'T', 'a', 'p', 'B', 'r', 'a', 'n', 'c', 'h'};
-static const uint8_t BIP0341_tapleaf_tag[] = {'T', 'a', 'p', 'L', 'e', 'a', 'f'};
+const uint8_t BIP0341_taptweak_tag[8] = {'T', 'a', 'p', 'T', 'w', 'e', 'a', 'k'};
+const uint8_t BIP0341_tapbranch_tag[9] = {'T', 'a', 'p', 'B', 'r', 'a', 'n', 'c', 'h'};
+const uint8_t BIP0341_tapleaf_tag[7] = {'T', 'a', 'p', 'L', 'e', 'a', 'f'};
 
 /**
  * Gets the point on the SECP256K1 that corresponds to kG, where G is the curve's generator point.
@@ -59,7 +59,8 @@ static int secp256k1_point(const uint8_t k[static 32], uint8_t out[static 65]) {
 
 int bip32_CKDpub(const serialized_extended_pubkey_t *parent,
                  uint32_t index,
-                 serialized_extended_pubkey_t *child) {
+                 serialized_extended_pubkey_t *child,
+                 uint8_t *tweak) {
     PRINT_STACK_POINTER();
 
     if (index >= BIP32_FIRST_HARDENED_CHILD) {
@@ -84,6 +85,10 @@ int bip32_CKDpub(const serialized_extended_pubkey_t *parent,
     uint8_t *I_L = &I[0];
     uint8_t *I_R = &I[32];
 
+    if (tweak != NULL) {
+        memcpy(tweak, I_L, 32);
+    }
+
     // fail if I_L is not smaller than the group order n, but the probability is < 1/2^128
     int diff;
     if (CX_OK != cx_math_cmp_no_throw(I_L, secp256k1_n, 32, &diff) || diff >= 0) {

src/crypto.h

@@ -36,18 +36,22 @@ typedef struct {
  *
  * @param[in]  parent
  *   Pointer to the extended serialized pubkey of the parent.
- * @param[out] index
+ * @param[in] index
  *   Index of the child to derive. It MUST be not hardened, that is, strictly less than 0x80000000.
  * @param[out] child
  *   Pointer to the output struct for the child's serialized pubkey. It can equal parent, which in
  * that case is overwritten.
+ * @param[out] tweak
+ *   If not NULL, pointer to a 32-byte array that will receive the 32-byte tweak used during the
+ * child key derivation.
  *
  * @return 0 if success, a negative number on failure.
  *
  */
 int bip32_CKDpub(const serialized_extended_pubkey_t *parent,
                  uint32_t index,
-                 serialized_extended_pubkey_t *child);
+                 serialized_extended_pubkey_t *child,
+                 uint8_t *tweak);
 
 /**
  * Convenience wrapper for cx_hash_no_throw to add some data to an initialized hash context.
@@ -331,6 +335,11 @@ int crypto_ecdsa_sign_sha256_hash_with_key(const uint32_t bip32_path[],
                                            uint8_t out[static MAX_DER_SIG_LEN],
                                            uint32_t *info);
 
+// Constants defined in BIP-0341
+extern const uint8_t BIP0341_taptweak_tag[8];
+extern const uint8_t BIP0341_tapbranch_tag[9];
+extern const uint8_t BIP0341_tapleaf_tag[7];
+
 /**
  * Initializes the "tagged" SHA256 hash with the given tag, as defined by BIP-0340.
  *

src/handler/lib/policy.c

@@ -497,8 +497,9 @@ __attribute__((warn_unused_result)) static int get_derived_pubkey(
     // we reuse the same memory of ext_pubkey
     bip32_CKDpub(&ext_pubkey,
                  wdi->change ? key_expr->num_second : key_expr->num_first,
-                 &ext_pubkey);
-    bip32_CKDpub(&ext_pubkey, wdi->address_index, &ext_pubkey);
+                 &ext_pubkey,
+                 NULL);
+    bip32_CKDpub(&ext_pubkey, wdi->address_index, &ext_pubkey, NULL);
 
     memcpy(out, ext_pubkey.compressed_pubkey, 33);