From e39b116440692a223ba60948143739ceaac82b56 Mon Sep 17 00:00:00 2001
From: Allain Magyar <allain.magyar@iohk.io>
Date: Thu, 2 Apr 2026 13:58:13 -0300
Subject: [PATCH 1/2] fix: scalar bytes for js secp256k1

Signed-off-by: Allain Magyar <allain.magyar@iohk.io>
---
 .../identus/apollo/secp256k1/Secp256k1Lib.kt  | 20 ++++++++++++++++++-
 .../apollo/utils/Secp256k1LibTestJS.kt        | 14 +++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/apollo/src/jsMain/kotlin/org/hyperledger/identus/apollo/secp256k1/Secp256k1Lib.kt b/apollo/src/jsMain/kotlin/org/hyperledger/identus/apollo/secp256k1/Secp256k1Lib.kt
index 1dd2bc4a8..0117def82 100644
--- a/apollo/src/jsMain/kotlin/org/hyperledger/identus/apollo/secp256k1/Secp256k1Lib.kt
+++ b/apollo/src/jsMain/kotlin/org/hyperledger/identus/apollo/secp256k1/Secp256k1Lib.kt
@@ -40,7 +40,25 @@ actual class Secp256k1Lib actual constructor() {
         val privKey = BigInteger.parseString(privKeyString, 16)
         val derivedPrivKey = BigInteger.parseString(derivedPrivKeyString, 16)
         val added = (privKey + derivedPrivKey) % ECConfig.n
-        return added.toByteArray()
+        // ionspin BigInteger.toByteArray() is minimal-length big-endian; secp256k1 secrets must be 32 bytes (left-pad zeros).
+        return normalizeSecp256k1ScalarBytes(added.toByteArray())
+    }
+
+    private fun normalizeSecp256k1ScalarBytes(bytes: ByteArray): ByteArray {
+        val n = ECConfig.PRIVATE_KEY_BYTE_SIZE
+        var b = bytes
+        while (b.size > n && b[0] == 0.toByte()) {
+            b = b.copyOfRange(1, b.size)
+        }
+        require(b.size <= n) {
+            "Secp256k1 private scalar exceeds $n bytes after normalization (${b.size})"
+        }
+        if (b.size == n) {
+            return b
+        }
+        return ByteArray(n).also { out ->
+            b.copyInto(out, destinationOffset = n - b.size)
+        }
     }
 
     /**
diff --git a/apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt b/apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt
index a37e0da66..53fbed452 100644
--- a/apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt
+++ b/apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt
@@ -1,6 +1,8 @@
 package org.hyperledger.identus.apollo.utils
 
 import org.hyperledger.identus.apollo.derivation.Mnemonic
+import org.hyperledger.identus.apollo.secp256k1.Secp256k1Lib
+import kotlin.random.Random
 import kotlin.test.Test
 import kotlin.test.assertEquals
 
@@ -20,4 +22,16 @@ class Secp256k1LibTestJS {
             true
         )
     }
+
+    @Test
+    fun derivePrivateKey_alwaysReturns32Bytes() {
+        val lib = Secp256k1Lib()
+        val rnd = Random(42)
+        repeat(2000) { i ->
+            val a = ByteArray(32) { rnd.nextInt(256).toByte() }
+            val b = ByteArray(32) { rnd.nextInt(256).toByte() }
+            val r = lib.derivePrivateKey(a, b)
+            assertEquals(32, r!!.size, "iteration $i")
+        }
+    }
 }

From 8b3b7887d14b7c3079fa018338e782615bd3244c Mon Sep 17 00:00:00 2001
From: Allain Magyar <allain.magyar@iohk.io>
Date: Thu, 2 Apr 2026 19:27:54 -0300
Subject: [PATCH 2/2] test: update unit test

Signed-off-by: Allain Magyar <allain.magyar@iohk.io>
---
 .../apollo/utils/Secp256k1LibTestJS.kt        | 21 +++++++++++--------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt b/apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt
index 53fbed452..01da0a6b4 100644
--- a/apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt
+++ b/apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt
@@ -2,7 +2,6 @@ package org.hyperledger.identus.apollo.utils
 
 import org.hyperledger.identus.apollo.derivation.Mnemonic
 import org.hyperledger.identus.apollo.secp256k1.Secp256k1Lib
-import kotlin.random.Random
 import kotlin.test.Test
 import kotlin.test.assertEquals
 
@@ -23,15 +22,19 @@ class Secp256k1LibTestJS {
         )
     }
 
+    /**
+     * Regression: JS [derivePrivateKey] used ionspin [BigInteger.toByteArray], which is minimal-length.
+     * For (priv + tweak) % n == 1, that is a single non-zero byte — callers expect a fixed 32-byte secret.
+     * (This is unrelated to public-key 0x02/0x03/0x04 prefix bytes; those apply to encoded public points, not private scalars.)
+     */
     @Test
-    fun derivePrivateKey_alwaysReturns32Bytes() {
+    fun derivePrivateKey_leftPadsMinimalScalarTo32Bytes() {
         val lib = Secp256k1Lib()
-        val rnd = Random(42)
-        repeat(2000) { i ->
-            val a = ByteArray(32) { rnd.nextInt(256).toByte() }
-            val b = ByteArray(32) { rnd.nextInt(256).toByte() }
-            val r = lib.derivePrivateKey(a, b)
-            assertEquals(32, r!!.size, "iteration $i")
-        }
+        val priv = ByteArray(32) { 0 }.also { it[31] = 1 }
+        val tweak = ByteArray(32) { 0 }
+        val r = lib.derivePrivateKey(priv, tweak)!!
+        assertEquals(32, r.size)
+        assertEquals(0, r[0].toInt() and 0xff)
+        assertEquals(1, r[31].toInt() and 0xff)
     }
 }