Copy bit twiddling from libgcrypt/cipher/ecc.c

Reversed order buisness agrees with KC's experence from gnunet-rs

src/util/crypto.c

@@ -194,7 +194,20 @@ TALER_setup_fresh_coin (const struct TALER_TransferSecretP *secret_seed,
                                     "taler-coin-derivation",
                                     strlen ("taler-coin-derivation"),
                                     NULL, 0));
-  /* FIXME: twiddle the bits of the private key */
+
+  /* Taken from like 170-172 of libgcrypt/cipher/ecc.c
+   * We note that libgcrypt stores the private key in the reverse order
+   * from many Ed25519 implementatons. */
+  fc->coin_priv[0] &= 0x7f;  /* Clear bit 255. */
+  fc->coin_priv[0] |= 0x40;  /* Set bit 254.   */
+  fc->coin_priv[31] &= 0xf8; /* Clear bits 2..0 so that d mod 8 == 0  */
+
+  /* FIXME: Run GNUNET_CRYPTO_ecdhe_key_create several times and inspect
+   * the output to verify that the same bits are set and cleared.  
+   * Is it worth also adding a test case that runs gcry_pk_testkey on
+   * this key after first parsing it into libgcrypt's s-expression mess
+   * ala decode_private_eddsa_key from gnunet/src/util/crypto_ecc.c? 
+   * It'd run check_secret_key but not test_keys from libgcrypt/cipher/ecc.c */
 }