secp256k1-kmp/jni/c/src/fr_acinq_secp256k1_Secp256k1CFunctions.c

#include <string.h>
#include <stdlib.h>

#ifdef WIN32
#define SECP256K1_STATIC // needed on windows when linking to a static version of secp256k1
#endif
#include "include/secp256k1.h"
#include "include/secp256k1_ecdh.h"
#include "include/secp256k1_recovery.h"
#include "include/secp256k1_schnorrsig.h"
#include "include/secp256k1_musig.h"
#include "fr_acinq_secp256k1_Secp256k1CFunctions.h"

#define SIG_FORMAT_UNKNOWN 0
#define SIG_FORMAT_COMPACT 1
#define SIG_FORMAT_DER 2

void JNI_ThrowByName(JNIEnv *penv, const char *name, const char *msg)
{
  jclass cls = (*penv)->FindClass(penv, name);
  if (cls != NULL)
  {
    (*penv)->ThrowNew(penv, cls, msg);
    (*penv)->DeleteLocalRef(penv, cls);
  }
}

#define CHECKRESULT(errorcheck, message)                                       \
  {                                                                            \
    if (errorcheck)                                                            \
    {                                                                          \
      JNI_ThrowByName(penv, "fr/acinq/secp256k1/Secp256k1Exception", message); \
      return 0;                                                                \
    }                                                                          \
  }

#define CHECKRESULT1(errorcheck, message, dosomething)                         \
  {                                                                            \
    if (errorcheck)                                                            \
    {                                                                          \
      dosomething;                                                             \
      JNI_ThrowByName(penv, "fr/acinq/secp256k1/Secp256k1Exception", message); \
      return 0;                                                                \
    }                                                                          \
  }

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_context_create
 * Signature: (I)J
 */
JNIEXPORT jlong JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1context_1create(JNIEnv *penv, jclass clazz, jint flags)
{
  return (jlong)secp256k1_context_create(flags);
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_context_destroy
 * Signature: (J)V
 */
JNIEXPORT void JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1context_1destroy(JNIEnv *penv, jclass clazz, jlong ctx)
{
  if (ctx != 0)
  {
    secp256k1_context_destroy((secp256k1_context *)ctx);
  }
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_ec_seckey_verify
 * Signature: (J[B)I
 */
JNIEXPORT jint JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1seckey_1verify(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jseckey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *seckey;
  int result = 0;

  if (jctx == 0)
    return 0;
  if (jseckey == NULL)
    return 0;
  if ((*penv)->GetArrayLength(penv, jseckey) != 32)
    return 0;

  seckey = (*penv)->GetByteArrayElements(penv, jseckey, 0);
  result = secp256k1_ec_seckey_verify(ctx, (unsigned char *)seckey);
  (*penv)->ReleaseByteArrayElements(penv, jseckey, seckey, 0);
  return result;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_pubkey_parse
 * Signature: (J[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1pubkey_1parse(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jpubkey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *pubkeyBytes;
  secp256k1_pubkey pubkey;
  size_t size;
  int result = 0;

  if (jctx == 0)
    return 0;
  if (jpubkey == NULL)
    return 0;

  size = (*penv)->GetArrayLength(penv, jpubkey);
  CHECKRESULT((size != 33) && (size != 65), "invalid public key size");

  pubkeyBytes = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_parse(ctx, &pubkey, (unsigned char *)pubkeyBytes, size);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pubkeyBytes, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_parse failed");

  size = 65;
  jpubkey = (*penv)->NewByteArray(penv, 65);
  pubkeyBytes = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_serialize(ctx, (unsigned char *)pubkeyBytes, &size, &pubkey, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pubkeyBytes, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");
  return jpubkey;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_pubkey_create
 * Signature: (J[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1pubkey_1create(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jseckey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *seckey, *pubkey;
  secp256k1_pubkey pub;
  int result = 0;
  size_t len;
  jbyteArray jpubkey = 0;

  if (jseckey == NULL)
    return NULL;
  if (jctx == 0)
    return NULL;

  CHECKRESULT((*penv)->GetArrayLength(penv, jseckey) != 32, "secret key must be 32 bytes");
  seckey = (*penv)->GetByteArrayElements(penv, jseckey, 0);
  result = secp256k1_ec_pubkey_create(ctx, &pub, (unsigned char *)seckey);
  (*penv)->ReleaseByteArrayElements(penv, jseckey, seckey, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_create failed");
  jpubkey = (*penv)->NewByteArray(penv, 65);
  pubkey = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  len = 65;
  result = secp256k1_ec_pubkey_serialize(ctx, (unsigned char *)pubkey, &len, &pub, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pubkey, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");
  return jpubkey;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ecdsa_sign
 * Signature: (J[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ecdsa_1sign(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jmsg, jbyteArray jseckey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *seckey, *msg, *sig;
  secp256k1_ecdsa_signature signature;
  int result = 0;
  jbyteArray jsig;

  if (jctx == 0)
    return NULL;
  if (jmsg == NULL)
    return NULL;
  if (jseckey == NULL)
    return NULL;

  CHECKRESULT((*penv)->GetArrayLength(penv, jseckey) != 32, "secret key must be 32 bytes");
  CHECKRESULT((*penv)->GetArrayLength(penv, jmsg) != 32, "message key must be 32 bytes");
  seckey = (*penv)->GetByteArrayElements(penv, jseckey, 0);
  msg = (*penv)->GetByteArrayElements(penv, jmsg, 0);

  result = secp256k1_ecdsa_sign(ctx, &signature, (unsigned char *)msg, (unsigned char *)seckey, NULL, NULL);
  (*penv)->ReleaseByteArrayElements(penv, jseckey, seckey, 0);
  (*penv)->ReleaseByteArrayElements(penv, jmsg, msg, 0);
  CHECKRESULT(!result, "secp256k1_ecdsa_sign failed");

  jsig = (*penv)->NewByteArray(penv, 64);
  sig = (*penv)->GetByteArrayElements(penv, jsig, 0);
  result = secp256k1_ecdsa_signature_serialize_compact(ctx, (unsigned char *)sig, &signature);
  (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
  CHECKRESULT(!result, "secp256k1_ecdsa_signature_serialize_compact failed");
  return jsig;
}

int GetSignatureFormat(size_t size)
{
  if (size == 64)
    return SIG_FORMAT_COMPACT;
  if (size < 64)
    return SIG_FORMAT_UNKNOWN;
  return SIG_FORMAT_DER;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ecdsa_verify
 * Signature: (J[B[B[B)I
 */
JNIEXPORT jint JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ecdsa_1verify(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jsig, jbyteArray jmsg, jbyteArray jpubkey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *pub, *msg, *sig;
  secp256k1_ecdsa_signature signature;
  secp256k1_pubkey pubkey;
  size_t sigSize, pubSize;
  int result = 0;

  if (jctx == 0)
    return 0;
  if (jsig == NULL)
    return 0;
  if (jmsg == NULL)
    return 0;
  if (jpubkey == NULL)
    return 0;

  sigSize = (*penv)->GetArrayLength(penv, jsig);
  int sigFormat = GetSignatureFormat(sigSize);
  CHECKRESULT(sigFormat == SIG_FORMAT_UNKNOWN, "invalid signature size");

  pubSize = (*penv)->GetArrayLength(penv, jpubkey);
  CHECKRESULT((pubSize != 33) && (pubSize != 65), "invalid public key size");

  CHECKRESULT((*penv)->GetArrayLength(penv, jmsg) != 32, "message must be 32 bytes");

  sig = (*penv)->GetByteArrayElements(penv, jsig, 0);
  switch (sigFormat)
  {
  case SIG_FORMAT_COMPACT:
    result = secp256k1_ecdsa_signature_parse_compact(ctx, &signature, (unsigned char *)sig);
    (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
    CHECKRESULT(!result, "secp256k1_ecdsa_signature_parse_compact failed");
    break;
  case SIG_FORMAT_DER:
    result = secp256k1_ecdsa_signature_parse_der(ctx, &signature, (unsigned char *)sig, sigSize);
    (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
    CHECKRESULT(!result, "secp256k1_ecdsa_signature_parse_der failed");
    break;
  }

  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_parse(ctx, &pubkey, (unsigned char *)pub, pubSize);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_parse failed");

  msg = (*penv)->GetByteArrayElements(penv, jmsg, 0);
  result = secp256k1_ecdsa_verify(ctx, &signature, (unsigned char *)msg, &pubkey);
  (*penv)->ReleaseByteArrayElements(penv, jmsg, msg, 0);
  return result;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ecdsa_signature_normalize
 * Signature: (J[B[B)I
 */
JNIEXPORT jint JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ecdsa_1signature_1normalize(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jsigin, jbyteArray jsigout)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *sig;
  secp256k1_ecdsa_signature signature_in, signature_out;
  size_t size;
  int result = 0;
  int return_value = 0;
  int sigFormat = SIG_FORMAT_UNKNOWN;

  if (jctx == 0)
    return 0;
  if (jsigin == NULL)
    return 0;
  if (jsigout == NULL)
    return 0;

  size = (*penv)->GetArrayLength(penv, jsigin);
  sigFormat = GetSignatureFormat(size);
  CHECKRESULT(sigFormat == SIG_FORMAT_UNKNOWN, "invalid signature size");
  CHECKRESULT((*penv)->GetArrayLength(penv, jsigout) != 64, "output signature length must be 64 bytes");

  sig = (*penv)->GetByteArrayElements(penv, jsigin, 0);
  switch (sigFormat)
  {
  case SIG_FORMAT_COMPACT:
    result = secp256k1_ecdsa_signature_parse_compact(ctx, &signature_in, (unsigned char *)sig);
    (*penv)->ReleaseByteArrayElements(penv, jsigin, sig, 0);
    CHECKRESULT(!result, "secp256k1_ecdsa_signature_parse_compact failed");
    break;
  case SIG_FORMAT_DER:
    result = secp256k1_ecdsa_signature_parse_der(ctx, &signature_in, (unsigned char *)sig, size);
    (*penv)->ReleaseByteArrayElements(penv, jsigin, sig, 0);
    CHECKRESULT(!result, "secp256k1_ecdsa_signature_parse_der failed");
    break;
  }
  return_value = secp256k1_ecdsa_signature_normalize(ctx, &signature_out, &signature_in);
  sig = (*penv)->GetByteArrayElements(penv, jsigout, 0);
  result = secp256k1_ecdsa_signature_serialize_compact(ctx, (unsigned char *)sig, &signature_out);
  (*penv)->ReleaseByteArrayElements(penv, jsigout, sig, 0);
  CHECKRESULT(!result, "secp256k1_ecdsa_signature_serialize_compact failed");

  return return_value;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_privkey_negate
 * Signature: (J[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1privkey_1negate(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jseckey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *seckey;
  int result = 0;

  if (jctx == 0)
    return 0;
  if (jseckey == NULL)
    return 0;
  CHECKRESULT((*penv)->GetArrayLength(penv, jseckey) != 32, "secret key must be 32 bytes");
  seckey = (*penv)->GetByteArrayElements(penv, jseckey, 0);
  result = secp256k1_ec_seckey_negate(ctx, (unsigned char *)seckey);
  (*penv)->ReleaseByteArrayElements(penv, jseckey, seckey, 0);
  CHECKRESULT(!result, "secp256k1_ec_seckey_negate failed");
  return jseckey;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_pubkey_negate
 * Signature: (J[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1pubkey_1negate(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jpubkey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *pub;
  secp256k1_pubkey pubkey;
  size_t size;
  int result = 0;

  if (jctx == 0)
    return 0;
  if (jpubkey == NULL)
    return 0;

  size = (*penv)->GetArrayLength(penv, jpubkey);
  CHECKRESULT((size != 33) && (size != 65), "invalid public key size");
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_parse(ctx, &pubkey, (unsigned char *)pub, size);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_parse failed");

  result = secp256k1_ec_pubkey_negate(ctx, &pubkey);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_negate failed");

  size = 65;
  jpubkey = (*penv)->NewByteArray(penv, 65);
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_serialize(ctx, (unsigned char *)pub, &size, &pubkey, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");
  return jpubkey;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_privkey_tweak_add
 * Signature: (J[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1privkey_1tweak_1add(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jseckey, jbyteArray jtweak)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *seckey, *tweak;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jseckey == NULL)
    return NULL;
  if (jtweak == NULL)
    return NULL;

  CHECKRESULT((*penv)->GetArrayLength(penv, jseckey) != 32, "secret key must be 32 bytes");
  CHECKRESULT((*penv)->GetArrayLength(penv, jtweak) != 32, "tweak must be 32 bytes");
  seckey = (*penv)->GetByteArrayElements(penv, jseckey, 0);
  tweak = (*penv)->GetByteArrayElements(penv, jtweak, 0);
  result = secp256k1_ec_seckey_tweak_add(ctx, (unsigned char *)seckey, (unsigned char *)tweak);
  (*penv)->ReleaseByteArrayElements(penv, jseckey, seckey, 0);
  (*penv)->ReleaseByteArrayElements(penv, jtweak, tweak, 0);
  CHECKRESULT(!result, "secp256k1_ec_seckey_tweak_add failed");
  return jseckey;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_pubkey_tweak_add
 * Signature: (J[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1pubkey_1tweak_1add(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jpubkey, jbyteArray jtweak)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *pub, *tweak;
  secp256k1_pubkey pubkey;
  size_t size;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jpubkey == NULL)
    return NULL;
  if (jtweak == NULL)
    return NULL;

  size = (*penv)->GetArrayLength(penv, jpubkey);
  CHECKRESULT((size != 33) && (size != 65), "invalid public key size");
  CHECKRESULT((*penv)->GetArrayLength(penv, jtweak) != 32, "tweak must be 32 bytes");

  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_parse(ctx, &pubkey, (unsigned char *)pub, size);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_parse failed");

  tweak = (*penv)->GetByteArrayElements(penv, jtweak, 0);
  result = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, (unsigned char *)tweak);
  (*penv)->ReleaseByteArrayElements(penv, jtweak, tweak, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_tweak_add failed");

  size = 65;
  jpubkey = (*penv)->NewByteArray(penv, 65);
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_serialize(ctx, (unsigned char *)pub, &size, &pubkey, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");
  return jpubkey;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_privkey_tweak_mul
 * Signature: (J[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1privkey_1tweak_1mul(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jseckey, jbyteArray jtweak)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *seckey, *tweak;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jseckey == NULL)
    return NULL;
  if (jtweak == NULL)
    return NULL;

  CHECKRESULT((*penv)->GetArrayLength(penv, jseckey) != 32, "secret key must be 32 bytes");
  CHECKRESULT((*penv)->GetArrayLength(penv, jtweak) != 32, "tweak must be 32 bytes");
  seckey = (*penv)->GetByteArrayElements(penv, jseckey, 0);
  tweak = (*penv)->GetByteArrayElements(penv, jtweak, 0);
  result = secp256k1_ec_seckey_tweak_mul(ctx, (unsigned char *)seckey, (unsigned char *)tweak);
  CHECKRESULT(!result, "secp256k1_ec_seckey_tweak_mul failed");
  (*penv)->ReleaseByteArrayElements(penv, jseckey, seckey, 0);
  (*penv)->ReleaseByteArrayElements(penv, jtweak, tweak, 0);
  return jseckey;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_pubkey_tweak_mul
 * Signature: (J[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1pubkey_1tweak_1mul(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jpubkey, jbyteArray jtweak)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *pub, *tweak;
  secp256k1_pubkey pubkey;
  size_t size;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jpubkey == NULL)
    return NULL;
  if (jtweak == NULL)
    return NULL;

  size = (*penv)->GetArrayLength(penv, jpubkey);
  CHECKRESULT((size != 33) && (size != 65), "invalid public key size");
  CHECKRESULT((*penv)->GetArrayLength(penv, jtweak) != 32, "tweak must be 32 bytes");
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_parse(ctx, &pubkey, (unsigned char *)pub, size);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_parse failed");

  tweak = (*penv)->GetByteArrayElements(penv, jtweak, 0);
  result = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, (unsigned char *)tweak);
  (*penv)->ReleaseByteArrayElements(penv, jtweak, tweak, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_tweak_mul failed");

  size = 65;
  jpubkey = (*penv)->NewByteArray(penv, 65);
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_serialize(ctx, (unsigned char *)pub, &size, &pubkey, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");
  return jpubkey;
}

void free_pubkeys(secp256k1_pubkey **pubkeys, size_t count)
{
  size_t i;
  for (i = 0; i < count; i++)
  {
    if (pubkeys[i] != NULL)
      free(pubkeys[i]);
  }
  free(pubkeys);
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ec_pubkey_combine
 * Signature: (J[[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ec_1pubkey_1combine(JNIEnv *penv, jclass clazz, jlong jctx, jobjectArray jpubkeys)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *pub;
  secp256k1_pubkey **pubkeys;
  secp256k1_pubkey combined;
  jbyteArray jpubkey;
  size_t size, count;
  size_t i;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jpubkeys == NULL)
    return NULL;

    count = (*penv)->GetArrayLength(penv, jpubkeys);
    CHECKRESULT(count < 1, "pubkey array cannot be empty")
    pubkeys = calloc(count, sizeof(secp256k1_pubkey *));

  for (i = 0; i < count; i++)
  {
    pubkeys[i] = calloc(1, sizeof(secp256k1_pubkey));
    jpubkey = (jbyteArray)(*penv)->GetObjectArrayElement(penv, jpubkeys, i);
    size = (*penv)->GetArrayLength(penv, jpubkey);
    CHECKRESULT1((size != 33) && (size != 65), "invalid public key size", free_pubkeys(pubkeys, count));
    pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
    result = secp256k1_ec_pubkey_parse(ctx, pubkeys[i], (unsigned char *)pub, size);
    (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
    CHECKRESULT1(!result, "secp256k1_ec_pubkey_parse failed", free_pubkeys(pubkeys, count));
  }
  result = secp256k1_ec_pubkey_combine(ctx, &combined, (const secp256k1_pubkey *const *)pubkeys, count);
  free_pubkeys(pubkeys, count);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_combine failed");

  size = 65;
  jpubkey = (*penv)->NewByteArray(penv, 65);
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_serialize(ctx, (unsigned char *)pub, &size, &combined, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");
  return jpubkey;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ecdh
 * Signature: (J[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ecdh(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jseckey, jbyteArray jpubkey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *seckeyBytes, *pubkeyBytes, *output;
  secp256k1_pubkey pubkey;
  jbyteArray joutput;
  size_t size;
  int result;

  if (jctx == 0)
    return NULL;
  if (jseckey == NULL)
    return NULL;
  if (jpubkey == NULL)
    return NULL;

  CHECKRESULT((*penv)->GetArrayLength(penv, jseckey) != 32, "invalid private key size");

  size = (*penv)->GetArrayLength(penv, jpubkey);
  CHECKRESULT((size != 33) && (size != 65), "invalid public key size");
  pubkeyBytes = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_parse(ctx, &pubkey, (unsigned char *)pubkeyBytes, size);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pubkeyBytes, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_parse failed");

  seckeyBytes = (*penv)->GetByteArrayElements(penv, jseckey, 0);
  joutput = (*penv)->NewByteArray(penv, 32);
  output = (*penv)->GetByteArrayElements(penv, joutput, 0);
  result = secp256k1_ecdh(ctx, (unsigned char *)output, &pubkey, (unsigned char *)seckeyBytes, NULL, NULL);
  (*penv)->ReleaseByteArrayElements(penv, joutput, output, 0);
  (*penv)->ReleaseByteArrayElements(penv, jseckey, seckeyBytes, 0);
  return joutput;
}

/*
 * Class:     fr_acinq_bitcoin_Secp256k1Bindings
 * Method:    secp256k1_ecdsa_recover
 * Signature: (J[B[BI)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1ecdsa_1recover(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jsig, jbyteArray jmsg, jint recid)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *sig, *msg, *pub;
  jbyteArray jpubkey;
  secp256k1_pubkey pubkey;
  secp256k1_ecdsa_recoverable_signature signature;
  secp256k1_ecdsa_signature dummy;
  unsigned char dummyBytes[64];
  size_t sigSize, size;
  int result;

  if (jctx == 0)
    return NULL;
  if (jsig == NULL)
    return NULL;
  if (jmsg == NULL)
    return NULL;
  CHECKRESULT(recid < 0 || recid > 3, "invalid recovery id");

  sigSize = (*penv)->GetArrayLength(penv, jsig);
  int sigFormat = GetSignatureFormat(sigSize);
  CHECKRESULT(sigFormat == SIG_FORMAT_UNKNOWN, "invalid signature size");
  CHECKRESULT((*penv)->GetArrayLength(penv, jmsg) != 32, "message must be 32 bytes");
  sig = (*penv)->GetByteArrayElements(penv, jsig, 0);
  switch (sigFormat)
  {
  case SIG_FORMAT_COMPACT:
    result = secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &signature, (unsigned char *)sig, recid);
    (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
    CHECKRESULT(!result, "secp256k1_ecdsa_recoverable_signature_parse_compact failed");
    break;
  case SIG_FORMAT_DER:
    result = secp256k1_ecdsa_signature_parse_der(ctx, &dummy, (unsigned char *)sig, sigSize);
    (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
    CHECKRESULT(!result, "secp256k1_ecdsa_signature_parse_der failed");
    result = secp256k1_ecdsa_signature_serialize_compact(ctx, dummyBytes, &dummy);
    CHECKRESULT(!result, "secp256k1_ecdsa_signature_serialize_compact failed");
    result = secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &signature, dummyBytes, recid);
    CHECKRESULT(!result, "secp256k1_ecdsa_recoverable_signature_parse_compact failed");
    break;
  }
  msg = (*penv)->GetByteArrayElements(penv, jmsg, 0);
  result = secp256k1_ecdsa_recover(ctx, &pubkey, &signature, (unsigned char *)msg);
  (*penv)->ReleaseByteArrayElements(penv, jmsg, msg, 0);
  CHECKRESULT(!result, "secp256k1_ecdsa_recover failed");

  size = 65;
  jpubkey = (*penv)->NewByteArray(penv, 65);
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_serialize(ctx, (unsigned char *)pub, &size, &pubkey, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");
  return jpubkey;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_compact_to_der
 * Signature: (J[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1compact_1to_1der(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jsig)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *sig;
  secp256k1_ecdsa_signature signature;
  unsigned char der[73];
  size_t size;
  int result = 0;

  if (jctx == 0)
    return 0;
  if (jsig == NULL)
    return 0;
  CHECKRESULT((*penv)->GetArrayLength(penv, jsig) != 64, "invalid signature size");

  size = (*penv)->GetArrayLength(penv, jsig);
  sig = (*penv)->GetByteArrayElements(penv, jsig, 0);
  result = secp256k1_ecdsa_signature_parse_compact(ctx, &signature, (unsigned char *)sig);
  (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
  CHECKRESULT(!result, "secp256k1_ecdsa_signature_parse_compact failed");

  size = 73;
  result = secp256k1_ecdsa_signature_serialize_der(ctx, der, &size, &signature);
  CHECKRESULT(!result, "secp256k1_ecdsa_signature_serialize_der failed");
  jsig = (*penv)->NewByteArray(penv, size);
  sig = (*penv)->GetByteArrayElements(penv, jsig, 0);
  memcpy(sig, der, size);
  (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
  return jsig;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_schnorrsig_sign
 * Signature: (J[B[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1schnorrsig_1sign(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jmsg, jbyteArray jseckey, jbyteArray jauxrand32)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *seckey, *msg, *sig, *auxrand32 = NULL;
  secp256k1_keypair keypair;
  unsigned char signature[64];
  int result = 0;
  jbyteArray jsig;

  if (jctx == 0)
    return NULL;
  if (jmsg == NULL)
    return NULL;
  if (jseckey == NULL)
    return NULL;

  CHECKRESULT((*penv)->GetArrayLength(penv, jseckey) != 32, "secret key must be 32 bytes");
  CHECKRESULT((*penv)->GetArrayLength(penv, jmsg) != 32, "message must be 32 bytes");
  if (jauxrand32 != 0)
  {
    CHECKRESULT((*penv)->GetArrayLength(penv, jauxrand32) != 32, "auxiliary random data must be 32 bytes");
  }
  seckey = (*penv)->GetByteArrayElements(penv, jseckey, 0);
  result = secp256k1_keypair_create(ctx, &keypair, seckey);
  (*penv)->ReleaseByteArrayElements(penv, jseckey, seckey, 0);
  CHECKRESULT(!result, "secp256k1_keypair_create failed");

  msg = (*penv)->GetByteArrayElements(penv, jmsg, 0);
  if (jauxrand32 != 0)
  {
    auxrand32 = (*penv)->GetByteArrayElements(penv, jauxrand32, 0);
  }

  result = secp256k1_schnorrsig_sign32(ctx, signature, (unsigned char *)msg, &keypair, auxrand32);
  (*penv)->ReleaseByteArrayElements(penv, jmsg, msg, 0);
  if (auxrand32 != 0)
  {
    (*penv)->ReleaseByteArrayElements(penv, jauxrand32, auxrand32, 0);
  }
  CHECKRESULT(!result, "secp256k1_schnorrsig_sign failed");

  jsig = (*penv)->NewByteArray(penv, 64);
  sig = (*penv)->GetByteArrayElements(penv, jsig, 0);
  memcpy(sig, signature, 64);
  (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
  return jsig;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_schnorrsig_verify
 * Signature: (J[B[B[B)I
 */
JNIEXPORT jint JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1schnorrsig_1verify(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jsig, jbyteArray jmsg, jbyteArray jpubkey)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *pub, *msg, *sig;
  secp256k1_xonly_pubkey pubkey;
  int result = 0;

  if (jctx == 0)
    return 0;
  if (jsig == NULL)
    return 0;
  if (jmsg == NULL)
    return 0;
  if (jpubkey == NULL)
    return 0;

  CHECKRESULT((*penv)->GetArrayLength(penv, jsig) != 64, "signature must be 64 bytes");
  CHECKRESULT((*penv)->GetArrayLength(penv, jpubkey) != 32, "public key must be 32 bytes");
  CHECKRESULT((*penv)->GetArrayLength(penv, jmsg) != 32, "message must be 32 bytes");

  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_xonly_pubkey_parse(ctx, &pubkey, (unsigned char *)pub);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_parse failed");

  sig = (*penv)->GetByteArrayElements(penv, jsig, 0);
  msg = (*penv)->GetByteArrayElements(penv, jmsg, 0);
  result = secp256k1_schnorrsig_verify(ctx, (unsigned char *)sig, (unsigned char *)msg, 32, &pubkey);
  (*penv)->ReleaseByteArrayElements(penv, jsig, sig, 0);
  (*penv)->ReleaseByteArrayElements(penv, jmsg, msg, 0);
  return result;
}

static void copy_bytes_from_java(JNIEnv *penv, jbyteArray source, size_t size, unsigned char *dest)
{
  jbyte *ptr = NULL;
  if (source == NULL)
    return; // nothing to do
  ptr = (*penv)->GetByteArrayElements(penv, source, 0);
  memcpy(dest, ptr, size);
  (*penv)->ReleaseByteArrayElements(penv, source, ptr, 0);
}

static void copy_bytes_to_java(JNIEnv *penv, jbyteArray dest, size_t size, unsigned char *source)
{
  jbyte *ptr = (*penv)->GetByteArrayElements(penv, dest, 0);
  memcpy(ptr, source, size);
  (*penv)->ReleaseByteArrayElements(penv, dest, ptr, 0);
}

// session_id32: ByteArray, seckey: ByteArray?, pubkey: ByteArray, msg32: ByteArray?, keyagg_cache: ByteArray?, extra_input32: ByteArray?
/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_nonce_gen
 * Signature: (J[B[B[B[B[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1nonce_1gen(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jsession_id32, jbyteArray jseckey, jbyteArray jpubkey, jbyteArray jmsg32, jbyteArray jkeyaggcache, jbyteArray jextra_input32)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  int result = 0;
  size_t size;
  secp256k1_musig_pubnonce pubnonce;
  secp256k1_musig_secnonce secnonce;
  unsigned char session_id32[32];
  jbyte *pubkey_ptr;
  secp256k1_pubkey pubkey;
  unsigned char seckey[32];
  unsigned char msg32[32];
  secp256k1_musig_keyagg_cache keyaggcache;
  unsigned char extra_input32[32];
  jbyteArray jnonce;
  jbyte *nonce_ptr = NULL;
  unsigned char nonce[fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SECRET_NONCE_SIZE + fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_PUBLIC_NONCE_SIZE];

  if (jctx == 0)
    return NULL;

  if (jsession_id32 == 0)
    return NULL;
  size = (*penv)->GetArrayLength(penv, jsession_id32);
  CHECKRESULT(size != 32, "invalid session_id size");
  copy_bytes_from_java(penv, jsession_id32, size, session_id32);

  if (jseckey != NULL)
  {
    size = (*penv)->GetArrayLength(penv, jseckey);
    CHECKRESULT(size != 32, "invalid private key size");
    copy_bytes_from_java(penv, jseckey, size, seckey);
  }

  if (jpubkey == NULL)
    return NULL;
  size = (*penv)->GetArrayLength(penv, jpubkey);
  CHECKRESULT((size != 33) && (size != 65), "invalid public key size");
  pubkey_ptr = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_parse(ctx, &pubkey, (unsigned char *)pubkey_ptr, size);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pubkey_ptr, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_parse failed");

  if (jmsg32 != NULL)
  {
    size = (*penv)->GetArrayLength(penv, jmsg32);
    CHECKRESULT(size != 32, "invalid message size");
    copy_bytes_from_java(penv, jmsg32, size, msg32);
  }

  if (jkeyaggcache != NULL)
  {
    size = (*penv)->GetArrayLength(penv, jkeyaggcache);
    CHECKRESULT(size != sizeof(secp256k1_musig_keyagg_cache), "invalid keyagg cache size");
    copy_bytes_from_java(penv, jkeyaggcache, size, keyaggcache.data);
  }

  if (jextra_input32 != NULL)
  {
    size = (*penv)->GetArrayLength(penv, jextra_input32);
    CHECKRESULT(size != 32, "invalid extra input size");
    copy_bytes_from_java(penv, jextra_input32, size, extra_input32);
  }

  result = secp256k1_musig_nonce_gen(ctx, &secnonce, &pubnonce, session_id32,
                                     jseckey == NULL ? NULL : seckey, &pubkey,
                                     jmsg32 == NULL ? NULL : msg32, jkeyaggcache == NULL ? NULL : &keyaggcache, jextra_input32 == NULL ? NULL : extra_input32);
  CHECKRESULT(!result, "secp256k1_musig_nonce_gen failed");

  memcpy(nonce, secnonce.data, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SECRET_NONCE_SIZE);
  result = secp256k1_musig_pubnonce_serialize(ctx, nonce + fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SECRET_NONCE_SIZE, &pubnonce);
  CHECKRESULT(!result, "secp256k1_musig_pubnonce_serialize failed");

  jnonce = (*penv)->NewByteArray(penv, sizeof(nonce));
  nonce_ptr = (*penv)->GetByteArrayElements(penv, jnonce, 0);
  memcpy(nonce_ptr, nonce, sizeof(nonce));
  (*penv)->ReleaseByteArrayElements(penv, jnonce, nonce_ptr, 0);
  return jnonce;
}

void free_nonces(secp256k1_musig_pubnonce **nonces, size_t count)
{
  size_t i;
  for (i = 0; i < count; i++)
  {
    if (nonces[i] != NULL)
      free(nonces[i]);
  }
  free(nonces);
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_nonce_agg
 * Signature: (J[[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1nonce_1agg(JNIEnv *penv, jclass clazz, jlong jctx, jobjectArray jnonces)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *in66;
  secp256k1_musig_pubnonce **pubnonces;
  secp256k1_musig_aggnonce combined;
  jbyteArray jnonce;
  size_t size, count;
  size_t i;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jnonces == NULL)
    return NULL;

  count = (*penv)->GetArrayLength(penv, jnonces);
  CHECKRESULT(count <= 0, "public nonces count cannot be 0");

  pubnonces = calloc(count, sizeof(secp256k1_musig_pubnonce *));

  for (i = 0; i < count; i++)
  {
    pubnonces[i] = calloc(1, sizeof(secp256k1_musig_pubnonce));
    jnonce = (jbyteArray)(*penv)->GetObjectArrayElement(penv, jnonces, i);
    size = (*penv)->GetArrayLength(penv, jnonce);
    CHECKRESULT1(size != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_PUBLIC_NONCE_SIZE, "invalid public nonce size", free_nonces(pubnonces, count));
    in66 = (*penv)->GetByteArrayElements(penv, jnonce, 0);
    result = secp256k1_musig_pubnonce_parse(ctx, pubnonces[i], (unsigned char *)in66);
    (*penv)->ReleaseByteArrayElements(penv, jnonce, in66, 0);
    CHECKRESULT1(!result, "secp256k1_musig_pubnonce_parse failed", free_nonces(pubnonces, count));
  }
  result = secp256k1_musig_nonce_agg(ctx, &combined, (const secp256k1_musig_pubnonce *const *)pubnonces, count);
  free_nonces(pubnonces, count);
  CHECKRESULT(!result, "secp256k1_musig_nonce_agg failed");

  jnonce = (*penv)->NewByteArray(penv, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_PUBLIC_NONCE_SIZE);
  in66 = (*penv)->GetByteArrayElements(penv, jnonce, 0);
  result = secp256k1_musig_aggnonce_serialize(ctx, (unsigned char *)in66, &combined);
  (*penv)->ReleaseByteArrayElements(penv, jnonce, in66, 0);
  CHECKRESULT(!result, "secp256k1_musig_aggnonce_serialize failed");
  return jnonce;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_pubkey_agg
 * Signature: (J[[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1pubkey_1agg(JNIEnv *penv, jclass clazz, jlong jctx, jobjectArray jpubkeys, jbyteArray jkeyaggcache)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *pub;
  secp256k1_pubkey **pubkeys;
  secp256k1_xonly_pubkey combined;
  secp256k1_musig_keyagg_cache keyaggcache;
  jbyteArray jpubkey;
  size_t size, count;
  size_t i;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jpubkeys == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jpubkeys) <= 0, "pubkeys count cannot be 0");

  if (jkeyaggcache != NULL)
  {
    size = (*penv)->GetArrayLength(penv, jkeyaggcache);
    CHECKRESULT(size != sizeof(secp256k1_musig_keyagg_cache), "invalid keyagg cache size");
    copy_bytes_from_java(penv, jkeyaggcache, size, keyaggcache.data);
  }

  count = (*penv)->GetArrayLength(penv, jpubkeys);
  pubkeys = calloc(count, sizeof(secp256k1_pubkey *));

  for (i = 0; i < count; i++)
  {
    pubkeys[i] = calloc(1, sizeof(secp256k1_pubkey));
    jpubkey = (jbyteArray)(*penv)->GetObjectArrayElement(penv, jpubkeys, i);
    size = (*penv)->GetArrayLength(penv, jpubkey);
    CHECKRESULT1((size != 33) && (size != 65), "invalid public key size", free_pubkeys(pubkeys, count));
    pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
    result = secp256k1_ec_pubkey_parse(ctx, pubkeys[i], (unsigned char *)pub, size);
    (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
    CHECKRESULT1(!result, "secp256k1_ec_pubkey_parse failed", free_pubkeys(pubkeys, count));
  }
  result = secp256k1_musig_pubkey_agg(ctx, &combined, jkeyaggcache == NULL ? NULL : &keyaggcache, (const secp256k1_pubkey *const *)pubkeys, count);
  free_pubkeys(pubkeys, count);
  CHECKRESULT(!result, "secp256k1_musig_pubkey_agg failed");

  jpubkey = (*penv)->NewByteArray(penv, 32);
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_xonly_pubkey_serialize(ctx, (unsigned char *)pub, &combined);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_xonly_pubkey_serialize failed");

  if (jkeyaggcache != NULL)
  {
    pub = (*penv)->GetByteArrayElements(penv, jkeyaggcache, 0);
    memcpy(pub, keyaggcache.data, sizeof(secp256k1_musig_keyagg_cache));
    (*penv)->ReleaseByteArrayElements(penv, jkeyaggcache, pub, 0);
  }
  return jpubkey;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_pubkey_ec_tweak_add
 * Signature: (J[B[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1pubkey_1ec_1tweak_1add(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jkeyaggcache, jbyteArray jtweak32)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *tweak32, *pub;
  secp256k1_pubkey pubkey;
  secp256k1_musig_keyagg_cache keyaggcache;
  jbyteArray jpubkey;
  size_t size;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jkeyaggcache == NULL)
    return NULL;
  size = (*penv)->GetArrayLength(penv, jkeyaggcache);
  CHECKRESULT(size != sizeof(secp256k1_musig_keyagg_cache), "invalid keyagg cache size");
  copy_bytes_from_java(penv, jkeyaggcache, size, keyaggcache.data);
  if (jtweak32 == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jtweak32) != 32, "tweak must be 32 bytes");
  tweak32 = (*penv)->GetByteArrayElements(penv, jtweak32, 0);

  result = secp256k1_musig_pubkey_ec_tweak_add(ctx, &pubkey, &keyaggcache, tweak32);
  (*penv)->ReleaseByteArrayElements(penv, jtweak32, tweak32, 0);
  CHECKRESULT(!result, "secp256k1_musig_pubkey_ec_tweak_add failed");

  jpubkey = (*penv)->NewByteArray(penv, 65);
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  size = 65;
  result = secp256k1_ec_pubkey_serialize(ctx, pub, &size, &pubkey, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");

  pub = (*penv)->GetByteArrayElements(penv, jkeyaggcache, 0);
  memcpy(pub, keyaggcache.data, sizeof(secp256k1_musig_keyagg_cache));
  (*penv)->ReleaseByteArrayElements(penv, jkeyaggcache, pub, 0);

  return jpubkey;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_pubkey_xonly_tweak_add
 * Signature: (J[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1pubkey_1xonly_1tweak_1add(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jkeyaggcache, jbyteArray jtweak32)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  jbyte *tweak32, *pub;
  secp256k1_pubkey pubkey;
  secp256k1_musig_keyagg_cache keyaggcache;
  jbyteArray jpubkey;
  size_t size;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jkeyaggcache == NULL)
    return NULL;
  size = (*penv)->GetArrayLength(penv, jkeyaggcache);
  CHECKRESULT(size != sizeof(secp256k1_musig_keyagg_cache), "invalid keyagg cache size");
  copy_bytes_from_java(penv, jkeyaggcache, size, keyaggcache.data);
  if (jtweak32 == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jtweak32) != 32, "tweak must be 32 bytes");
  tweak32 = (*penv)->GetByteArrayElements(penv, jtweak32, 0);

  result = secp256k1_musig_pubkey_xonly_tweak_add(ctx, &pubkey, &keyaggcache, tweak32);
  (*penv)->ReleaseByteArrayElements(penv, jtweak32, tweak32, 0);
  CHECKRESULT(!result, "secp256k1_musig_pubkey_xonly_tweak_add failed");

  jpubkey = (*penv)->NewByteArray(penv, 65);
  pub = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  size = 65;
  result = secp256k1_ec_pubkey_serialize(ctx, pub, &size, &pubkey, SECP256K1_EC_UNCOMPRESSED);
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, pub, 0);
  CHECKRESULT(!result, "secp256k1_ec_pubkey_serialize failed");

  pub = (*penv)->GetByteArrayElements(penv, jkeyaggcache, 0);
  memcpy(pub, keyaggcache.data, sizeof(secp256k1_musig_keyagg_cache));
  (*penv)->ReleaseByteArrayElements(penv, jkeyaggcache, pub, 0);

  return jpubkey;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_nonce_process
 * Signature: (J[B[B[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1nonce_1process(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jaggnonce, jbyteArray jmsg32, jbyteArray jkeyaggcache)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  secp256k1_musig_keyagg_cache keyaggcache;
  secp256k1_musig_aggnonce aggnonce;
  secp256k1_musig_session session;
  unsigned char msg32[32];
  jbyteArray jsession;
  jbyte *ptr;
  size_t size;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jaggnonce == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jaggnonce) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_PUBLIC_NONCE_SIZE, "invalid nonce size");
  if (jmsg32 == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jmsg32) != 32, "invalid message size");
  if (jkeyaggcache == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jkeyaggcache) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_KEYAGG_CACHE_SIZE, "invalid keyagg cache size");

  ptr = (*penv)->GetByteArrayElements(penv, jaggnonce, 0);
  result = secp256k1_musig_aggnonce_parse(ctx, &aggnonce, ptr);
  (*penv)->ReleaseByteArrayElements(penv, jaggnonce, ptr, 0);
  CHECKRESULT(!result, "secp256k1_musig_aggnonce_parse failed");

  copy_bytes_from_java(penv, jmsg32, 32, msg32);
  copy_bytes_from_java(penv, jkeyaggcache, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_KEYAGG_CACHE_SIZE, keyaggcache.data);

  result = secp256k1_musig_nonce_process(ctx, &session, &aggnonce, msg32, &keyaggcache);
  CHECKRESULT(!result, "secp256k1_musig_nonce_process failed");

  jsession = (*penv)->NewByteArray(penv, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SESSION_SIZE);
  copy_bytes_to_java(penv, jsession, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SESSION_SIZE, session.data);
  return jsession;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_partial_sign
 * Signature: (J[B[B[B[B[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1partial_1sign(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jsecnonce, jbyteArray jprivkey, jbyteArray jkeyaggcache, jbyteArray jsession)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  secp256k1_musig_partial_sig psig;
  secp256k1_musig_secnonce secnonce;
  unsigned char seckey[32];
  secp256k1_keypair keypair;
  secp256k1_musig_keyagg_cache keyaggcache;
  secp256k1_musig_session session;
  jbyteArray jpsig;
  jbyte *ptr;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jsecnonce == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jsecnonce) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SECRET_NONCE_SIZE, "invalid secret nonce size");
  if (jprivkey == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jprivkey) != 32, "invalid private key size");
  if (jkeyaggcache == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jkeyaggcache) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_KEYAGG_CACHE_SIZE, "invalid cache size");
  if (jsession == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jsession) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SESSION_SIZE, "invalid session size");

  copy_bytes_from_java(penv, jsecnonce, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SECRET_NONCE_SIZE, secnonce.data);

  copy_bytes_from_java(penv, jprivkey, 32, seckey);
  result = secp256k1_keypair_create(ctx, &keypair, seckey);
  CHECKRESULT(!result, "secp256k1_keypair_create failed");

  copy_bytes_from_java(penv, jkeyaggcache, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_KEYAGG_CACHE_SIZE, keyaggcache.data);
  copy_bytes_from_java(penv, jsession, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SESSION_SIZE, session.data);

  result = secp256k1_musig_partial_sign(ctx, &psig, &secnonce, &keypair, &keyaggcache, &session);
  CHECKRESULT(!result, "secp256k1_musig_partial_sign failed");

  result = secp256k1_musig_partial_sig_serialize(ctx, seckey, &psig);
  CHECKRESULT(!result, "secp256k1_musig_partial_sig_serialize failed");

  jpsig = (*penv)->NewByteArray(penv, 32);
  copy_bytes_to_java(penv, jpsig, 32, seckey);
  return jpsig;
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_partial_sig_verify
 * Signature: (J[B[B[B[B[B)I
 */
JNIEXPORT jint JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1partial_1sig_1verify(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jpsig, jbyteArray jpubnonce, jbyteArray jpubkey, jbyteArray jkeyaggcache, jbyteArray jsession)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  secp256k1_musig_partial_sig psig;
  secp256k1_musig_pubnonce pubnonce;
  secp256k1_pubkey pubkey;
  secp256k1_musig_keyagg_cache keyaggcache;
  secp256k1_musig_session session;
  jbyte *ptr;
  int result = 0;

  if (jctx == 0)
    return 0;
  if (jpsig == NULL)
    return 0;
  CHECKRESULT((*penv)->GetArrayLength(penv, jpsig) != 32, "invalid partial signature size");
  if (jpubnonce == NULL)
    return 0;
  CHECKRESULT((*penv)->GetArrayLength(penv, jpubnonce) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_PUBLIC_NONCE_SIZE, "invalid public nonce size");
  if (jpubkey == NULL)
    return 0;
  CHECKRESULT(((*penv)->GetArrayLength(penv, jpubkey) != 33) && ((*penv)->GetArrayLength(penv, jpubkey) != 65), "invalid public key size");
  if (jkeyaggcache == NULL)
    return 0;
  CHECKRESULT((*penv)->GetArrayLength(penv, jkeyaggcache) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_KEYAGG_CACHE_SIZE, "invalid cache size");
  if (jsession == NULL)
    return 0;
  CHECKRESULT((*penv)->GetArrayLength(penv, jsession) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SESSION_SIZE, "invalid session size");

  ptr = (*penv)->GetByteArrayElements(penv, jpsig, 0);
  result = secp256k1_musig_partial_sig_parse(ctx, &psig, ptr);
  (*penv)->ReleaseByteArrayElements(penv, jpsig, ptr, 0);
  CHECKRESULT(!result, "secp256k1_musig_partial_sig_parse failed");

  ptr = (*penv)->GetByteArrayElements(penv, jpubnonce, 0);
  result = secp256k1_musig_pubnonce_parse(ctx, &pubnonce, ptr);
  (*penv)->ReleaseByteArrayElements(penv, jpubnonce, ptr, 0);
  CHECKRESULT(!result, "secp256k1_musig_pubnonce_parse failed");

  ptr = (*penv)->GetByteArrayElements(penv, jpubkey, 0);
  result = secp256k1_ec_pubkey_parse(ctx, &pubkey, ptr, (*penv)->GetArrayLength(penv, jpubkey));
  (*penv)->ReleaseByteArrayElements(penv, jpubkey, ptr, 0);
  CHECKRESULT(!result, "secp256k1_musig_pubkey_parse failed");

  copy_bytes_from_java(penv, jkeyaggcache, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_KEYAGG_CACHE_SIZE, keyaggcache.data);
  copy_bytes_from_java(penv, jsession, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SESSION_SIZE, session.data);

  result = secp256k1_musig_partial_sig_verify(ctx, &psig, &pubnonce, &pubkey, &keyaggcache, &session);
  return result;
}

void free_partial_sigs(secp256k1_musig_partial_sig **psigs, size_t count)
{
  size_t i;
  for (i = 0; i < count; i++)
  {
    if (psigs[i] != NULL)
      free(psigs[i]);
  }
  free(psigs);
}

/*
 * Class:     fr_acinq_secp256k1_Secp256k1CFunctions
 * Method:    secp256k1_musig_partial_sig_agg
 * Signature: (J[B[[B)[B
 */
JNIEXPORT jbyteArray JNICALL Java_fr_acinq_secp256k1_Secp256k1CFunctions_secp256k1_1musig_1partial_1sig_1agg(JNIEnv *penv, jclass clazz, jlong jctx, jbyteArray jsession, jobjectArray jpsigs)
{
  secp256k1_context *ctx = (secp256k1_context *)jctx;
  secp256k1_musig_session session;
  secp256k1_musig_partial_sig **psigs;
  unsigned char sig64[64];
  secp256k1_musig_keyagg_cache keyaggcache;
  jbyteArray jpsig;
  jbyte *ptr;
  size_t size, count;
  size_t i;
  int result = 0;

  if (jctx == 0)
    return NULL;
  if (jsession == NULL)
    return NULL;
  CHECKRESULT((*penv)->GetArrayLength(penv, jsession) != fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SESSION_SIZE, "invalid session size");
  copy_bytes_from_java(penv, jsession, fr_acinq_secp256k1_Secp256k1CFunctions_SECP256K1_MUSIG_SESSION_SIZE, session.data);
  if (jpsigs == NULL)
    return NULL;

  count = (*penv)->GetArrayLength(penv, jpsigs);
  CHECKRESULT(count <= 0, "partial sigs count cannot be 0");

  psigs = calloc(count, sizeof(secp256k1_musig_partial_sig *));

  for (i = 0; i < count; i++)
  {
    psigs[i] = calloc(1, sizeof(secp256k1_musig_partial_sig));
    jpsig = (jbyteArray)(*penv)->GetObjectArrayElement(penv, jpsigs, i);
    size = (*penv)->GetArrayLength(penv, jpsig);
    CHECKRESULT1(size != 32, "invalid partial signature size", free_partial_sigs(psigs, count));
    ptr = (*penv)->GetByteArrayElements(penv, jpsig, 0);
    result = secp256k1_musig_partial_sig_parse(ctx, psigs[i], (unsigned char *)ptr);
    (*penv)->ReleaseByteArrayElements(penv, jpsig, ptr, 0);
    CHECKRESULT1(!result, "secp256k1_musig_partial_sig_parse failed", free_partial_sigs(psigs, count));
  }
  result = secp256k1_musig_partial_sig_agg(ctx, sig64, &session, (const secp256k1_musig_partial_sig *const *)psigs, count);
  free_partial_sigs(psigs, count);
  CHECKRESULT(!result, "secp256k1_musig_pubkey_agg failed");

  jpsig = (*penv)->NewByteArray(penv, 64);
  copy_bytes_to_java(penv, jpsig, 64, sig64);
  return jpsig;
}