From: Scott Robinson Date: Mon, 15 Aug 2022 05:07:14 +0000 (+1000) Subject: Verify signatures after signing X-Git-Tag: 0.22.0-rc.1~7^2 X-Git-Url: http://internal-gitweb-vhost/script/%22https:/struct.CommandStringError.html?a=commitdiff_plain;h=7b1ad1b62914a26d6f445364ace4e784bb2901c2;p=bdk Verify signatures after signing As per [BIP-340, footnote 14][fn]: > Verifying the signature before leaving the signer prevents random or > attacker provoked computation errors. This prevents publishing invalid > signatures which may leak information about the secret key. It is > recommended, but can be omitted if the computation cost is prohibitive. [fn]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#cite_note-14
---
diff --git a/src/wallet/signer.rs b/src/wallet/signer.rs
index 11dda3e3..7548b321 100644
--- a/src/wallet/signer.rs
+++ b/src/wallet/signer.rs
@@ -475,10 +475,10 @@ fn sign_psbt_ecdsa(
     hash_ty: EcdsaSighashType,
     secp: &SecpCtx,
 ) {
-    let sig = secp.sign_ecdsa(
-        &Message::from_slice(&hash.into_inner()[..]).unwrap(),
-        secret_key,
-    );
+    let msg = &Message::from_slice(&hash.into_inner()[..]).unwrap();
+    let sig = secp.sign_ecdsa(msg, secret_key);
+    secp.verify_ecdsa(msg, &sig, &pubkey.inner)
+        .expect("invalid or corrupted ecdsa signature");
 
     let final_signature = ecdsa::EcdsaSig { sig, hash_ty };
     psbt_input.partial_sigs.insert(pubkey, final_signature);
@@ -504,10 +504,10 @@ fn sign_psbt_schnorr(
         Some(_) => keypair, // no tweak for script spend
     };
 
-    let sig = secp.sign_schnorr(
-        &Message::from_slice(&hash.into_inner()[..]).unwrap(),
-        &keypair,
-    );
+    let msg = &Message::from_slice(&hash.into_inner()[..]).unwrap();
+    let sig = secp.sign_schnorr(msg, &keypair);
+    secp.verify_schnorr(&sig, msg, &XOnlyPublicKey::from_keypair(&keypair))
+        .expect("invalid or corrupted schnorr signature");
 
     let final_signature = schnorr::SchnorrSig { sig, hash_ty };
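Review bot: The new `verify_ecdsa` call carries no comment saying why a freshly produced signature is re-checked, so a later reader may remove it as redundant work; add `// Verify before emitting: a faulted or corrupted signature can leak key material (BIP-340, footnote 14).` above it, and the same comment above `verify_schnorr` in the second hunk. The `expect` message also names only one cause: the check is done against `pubkey.inner`, so it fails both on a computation fault and when the caller's `pubkey` does not correspond to `secret_key`, and a message such as `.expect("ecdsa signature failed to verify: corrupted signature or pubkey does not match secret key")` would make the failure easier to diagnose. Since the function returns unit, the panic is the only way to keep a bad signature out of the PSBT, so the panic should be recorded in the function's doc comment under a `# Panics` section. The signature of `sign_psbt_ecdsa` starts outside the hunk.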