feat: implement display/debug traits for private keys

src/bls12381.rs

@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use std::{
-    fmt::{self, Display},
+    fmt::{self, Debug, Display},
     mem::MaybeUninit,
     str::FromStr,
 };
@@ -52,7 +52,7 @@ pub struct BLS12381PublicKey {
 pub type BLS12381PublicKeyBytes = PublicKeyBytes<BLS12381PublicKey, { BLS12381PublicKey::LENGTH }>;
 
 #[readonly::make]
-#[derive(Default, Debug)]
+#[derive(Default)]
 pub struct BLS12381PrivateKey {
     pub privkey: blst::SecretKey,
     pub bytes: OnceCell<[u8; BLS_PRIVATE_KEY_LENGTH]>,
@@ -372,6 +372,18 @@ impl Signer<BLS12381Signature> for BLS12381PrivateKey {
     }
 }
 
+impl Display for BLS12381PrivateKey {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "[elided BLS12381PrivateKey]")
+    }
+}
+
+impl Debug for BLS12381PrivateKey {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", self)
+    }
+}
+
 ///
 /// Implement KeyPair
 ///

src/ed25519.rs

@@ -13,7 +13,7 @@ use serde_bytes::{ByteBuf, Bytes};
 use serde_with::serde_as;
 use signature::{rand_core::OsRng, Signature, Signer, Verifier};
 use std::{
-    fmt::{self, Display},
+    fmt::{self, Debug, Display},
     str::FromStr,
 };
 use zeroize::{Zeroize, ZeroizeOnDrop};
@@ -43,7 +43,7 @@ pub struct Ed25519PublicKey(pub ed25519_consensus::VerificationKey);
 
 pub type Ed25519PublicKeyBytes = PublicKeyBytes<Ed25519PublicKey, { Ed25519PublicKey::LENGTH }>;
 
-#[derive(Debug, Zeroize, ZeroizeOnDrop)]
+#[derive(Zeroize, ZeroizeOnDrop)]
 pub struct Ed25519PrivateKey(pub ed25519_consensus::SigningKey);
 
 // There is a strong requirement for this specific impl. in Fab benchmarks
@@ -203,6 +203,18 @@ impl ToFromBytes for Ed25519PrivateKey {
     }
 }
 
+impl Display for Ed25519PrivateKey {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "[elided Ed25519PrivateKey]")
+    }
+}
+
+impl Debug for Ed25519PrivateKey {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", self)
+    }
+}
+
 // There is a strong requirement for this specific impl. in Fab benchmarks
 impl Serialize for Ed25519PrivateKey {
     fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>

src/secp256k1.rs

@@ -34,7 +34,6 @@ pub type Secp256k1PublicKeyBytes =
     PublicKeyBytes<Secp256k1PublicKey, { Secp256k1PublicKey::LENGTH }>;
 
 #[readonly::make]
-#[derive(Debug)]
 pub struct Secp256k1PrivateKey {
     pub privkey: SecretKey,
     pub bytes: OnceCell<[u8; constants::SECRET_KEY_SIZE]>,
@@ -217,6 +216,18 @@ impl ToFromBytes for Secp256k1PrivateKey {
     }
 }
 
+impl Display for Secp256k1PrivateKey {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "[elided Secp256k1PrivateKey]")
+    }
+}
+
+impl Debug for Secp256k1PrivateKey {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", self)
+    }
+}
+
 // There is a strong requirement for this specific impl. in Fab benchmarks
 impl Serialize for Secp256k1PrivateKey {
     fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>

src/tests/bls12381_tests.rs

@@ -436,3 +436,13 @@ fn test_sk_zeroization_on_drop() {
         unsafe { ::std::slice::from_raw_parts(bytes_ptr, BLS12381PrivateKey::LENGTH) };
     assert_ne!(sk_memory, &sk_bytes[..]);
 }
+
+#[test]
+fn dont_display_secrets() {
+    let keypairs = keys();
+    keypairs.into_iter().for_each(|keypair| {
+        let sk = keypair.private();
+        assert_eq!(format!("{}", sk), "[elided BLS12381PrivateKey]");
+        assert_eq!(format!("{:?}", sk), "[elided BLS12381PrivateKey]");
+    });
+}

src/tests/ed25519_tests.rs

@@ -475,6 +475,7 @@ fn test_public_key_bytes_conversion() {
 }
 
 #[test]
+#[cfg(feature = "copy_key")]
 fn test_copy_key_pair() {
     let kp = keys().pop().unwrap();
     let kp_copied = kp.copy();
@@ -571,3 +572,13 @@ fn wycheproof_test() {
         }
     }
 }
+
+#[test]
+fn dont_display_secrets() {
+    let keypairs = keys();
+    keypairs.into_iter().for_each(|keypair| {
+        let sk = keypair.private();
+        assert_eq!(format!("{}", sk), "[elided Ed25519PrivateKey]");
+        assert_eq!(format!("{:?}", sk), "[elided Ed25519PrivateKey]");
+    });
+}

src/tests/secp256k1_tests.rs

@@ -110,6 +110,7 @@ fn import_export_secret_key() {
 }
 
 #[test]
+#[cfg(feature = "copy_key")]
 fn test_copy_key_pair() {
     let kp = keys().pop().unwrap();
     let kp_copied = kp.copy();
@@ -312,6 +313,7 @@ use wycheproof::TestResult;
 
 proptest::proptest! {
     #[test]
+    #[cfg(feature = "copy_key")]
     fn test_k256_against_secp256k1_lib_with_recovery(
         r in <[u8; 32]>::arbitrary()
 ) {
@@ -417,3 +419,13 @@ fn map_result(t: TestResult) -> TestResult {
         _ => TestResult::Invalid, // Treat Acceptable as Invalid
     }
 }
+
+#[test]
+fn dont_display_secrets() {
+    let keypairs = keys();
+    keypairs.into_iter().for_each(|keypair| {
+        let sk = keypair.private();
+        assert_eq!(format!("{}", sk), "[elided Secp256k1PrivateKey]");
+        assert_eq!(format!("{:?}", sk), "[elided Secp256k1PrivateKey]");
+    });
+}