Skip to content

fix: scalar bytes for js secp256k1 #220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
amagyar-iohk merged 2 commits into from
Apr 16, 2026
+36 −1
Merged

fix: scalar bytes for js secp256k1 #220

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e39b116
fix: scalar bytes for js secp256k1
amagyar-iohk Apr 2, 2026
8b3b788
test: update unit test
amagyar-iohk Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 19 additions & 1 deletion apollo/src/jsMain/kotlin/org/hyperledger/identus/apollo/secp256k1/Secp256k1Lib.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,25 @@ actual class Secp256k1Lib actual constructor() {
val privKey = BigInteger.parseString(privKeyString, 16)
val derivedPrivKey = BigInteger.parseString(derivedPrivKeyString, 16)
val added = (privKey + derivedPrivKey) % ECConfig.n
return added.toByteArray()
// ionspin BigInteger.toByteArray() is minimal-length big-endian; secp256k1 secrets must be 32 bytes (left-pad zeros).
return normalizeSecp256k1ScalarBytes(added.toByteArray())
}

private fun normalizeSecp256k1ScalarBytes(bytes: ByteArray): ByteArray {
val n = ECConfig.PRIVATE_KEY_BYTE_SIZE
var b = bytes
while (b.size > n && b[0] == 0.toByte()) {
b = b.copyOfRange(1, b.size)
}
require(b.size <= n) {
"Secp256k1 private scalar exceeds $n bytes after normalization (${b.size})"
}
if (b.size == n) {
return b
}
return ByteArray(n).also { out ->
b.copyInto(out, destinationOffset = n - b.size)
}
}

/**
Expand Down
17 changes: 17 additions & 0 deletions apollo/src/jsTest/kotlin/org/hyperledger/identus/apollo/utils/Secp256k1LibTestJS.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package org.hyperledger.identus.apollo.utils

import org.hyperledger.identus.apollo.derivation.Mnemonic
import org.hyperledger.identus.apollo.secp256k1.Secp256k1Lib
import kotlin.test.Test
import kotlin.test.assertEquals

Expand All @@ -20,4 +21,20 @@ class Secp256k1LibTestJS {
true
)
}

/**
* Regression: JS [derivePrivateKey] used ionspin [BigInteger.toByteArray], which is minimal-length.
* For (priv + tweak) % n == 1, that is a single non-zero byte — callers expect a fixed 32-byte secret.
* (This is unrelated to public-key 0x02/0x03/0x04 prefix bytes; those apply to encoded public points, not private scalars.)
*/
@Test
fun derivePrivateKey_leftPadsMinimalScalarTo32Bytes() {
val lib = Secp256k1Lib()
val priv = ByteArray(32) { 0 }.also { it[31] = 1 }
val tweak = ByteArray(32) { 0 }
val r = lib.derivePrivateKey(priv, tweak)!!
assertEquals(32, r.size)
assertEquals(0, r[0].toInt() and 0xff)
assertEquals(1, r[31].toInt() and 0xff)
}
}
Loading