3 files changed, 40 insertions, 42 deletions

diff --git a/Cargo.lock b/Cargo.lock
index 1f2cca6cb..b9f3e4c2e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1454,6 +1454,7 @@ dependencies = [
  "http",
  "idna 0.3.0",
  "indexmap 2.0.2",
+ "k256",
  "lazy-regex",
  "libc",
  "libz-sys",
@@ -1476,7 +1477,6 @@ dependencies = [
  "ripemd",
  "rsa",
  "scrypt",
- "secp256k1",
  "serde",
  "sha-1",
  "sha2",
@@ -3015,6 +3015,20 @@ dependencies = [
 ]
 
 [[package]]
+name = "k256"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cadb76004ed8e97623117f3df85b17aaa6626ab0b0831e6573f104df16cd1bcc"
+dependencies = [
+ "cfg-if",
+ "ecdsa",
+ "elliptic-curve",
+ "once_cell",
+ "sha2",
+ "signature",
+]
+
+[[package]]
 name = "kqueue"
 version = "1.0.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -4602,25 +4616,6 @@ dependencies = [
 ]
 
 [[package]]
-name = "secp256k1"
-version = "0.28.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2acea373acb8c21ecb5a23741452acd2593ed44ee3d343e72baaa143bc89d0d5"
-dependencies = [
- "rand",
- "secp256k1-sys",
-]
-
-[[package]]
-name = "secp256k1-sys"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09e67c467c38fd24bd5499dc9a18183b31575c12ee549197e3e20d57aa4fe3b7"
-dependencies = [
- "cc",
-]
-
-[[package]]
 name = "security-framework"
 version = "2.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
diff --git a/ext/node/Cargo.toml b/ext/node/Cargo.toml
index ea0246a72..49f5c846e 100644
--- a/ext/node/Cargo.toml
+++ b/ext/node/Cargo.toml
@@ -38,6 +38,7 @@ hkdf.workspace = true
 http.workspace = true
 idna = "0.3.0"
 indexmap.workspace = true
+k256 = "0.13.1"
 lazy-regex.workspace = true
 libc.workspace = true
 libz-sys = { version = "1.1.8", features = ["static"] }
@@ -60,7 +61,6 @@ ring.workspace = true
 ripemd = "0.1.3"
 rsa.workspace = true
 scrypt = "0.11.0"
-secp256k1 = { version = "0.28.0", features = ["rand-std"] }
 serde = "1.0.149"
 sha-1 = "0.10.0"
 sha2.workspace = true
diff --git a/ext/node/ops/crypto/mod.rs b/ext/node/ops/crypto/mod.rs
index 35940da77..4aaa3f494 100644
--- a/ext/node/ops/crypto/mod.rs
+++ b/ext/node/ops/crypto/mod.rs
@@ -39,9 +39,6 @@ use rsa::Oaep;
 use rsa::Pkcs1v15Encrypt;
 use rsa::RsaPrivateKey;
 use rsa::RsaPublicKey;
-use secp256k1::ecdh::SharedSecret;
-use secp256k1::Secp256k1;
-use secp256k1::SecretKey;
 
 mod cipher;
 mod dh;
@@ -1012,10 +1009,11 @@ pub fn op_node_ecdh_generate_keys(
   let mut rng = rand::thread_rng();
   match curve {
     "secp256k1" => {
-      let secp = Secp256k1::new();
-      let (privkey, pubkey) = secp.generate_keypair(&mut rng);
-      pubbuf.copy_from_slice(&pubkey.serialize_uncompressed());
-      privbuf.copy_from_slice(&privkey.secret_bytes());
+      let privkey =
+        elliptic_curve::SecretKey::<k256::Secp256k1>::random(&mut rng);
+      let pubkey = privkey.public_key();
+      pubbuf.copy_from_slice(pubkey.to_sec1_bytes().as_ref());
+      privbuf.copy_from_slice(privkey.to_nonzero_scalar().to_bytes().as_ref());
 
       Ok(0)
     }
@@ -1053,16 +1051,22 @@ pub fn op_node_ecdh_compute_secret(
 ) -> Result<(), AnyError> {
   match curve {
     "secp256k1" => {
-      let this_secret_key = SecretKey::from_slice(
-        this_priv.expect("no private key provided?").as_ref(),
-      )
-      .unwrap();
       let their_public_key =
-        secp256k1::PublicKey::from_slice(their_pub).unwrap();
-      let shared_secret =
-        SharedSecret::new(&their_public_key, &this_secret_key);
+        elliptic_curve::PublicKey::<k256::Secp256k1>::from_sec1_bytes(
+          their_pub,
+        )
+        .expect("bad public key");
+      let this_private_key =
+        elliptic_curve::SecretKey::<k256::Secp256k1>::from_slice(
+          &this_priv.expect("must supply private key"),
+        )
+        .expect("bad private key");
+      let shared_secret = elliptic_curve::ecdh::diffie_hellman(
+        this_private_key.to_nonzero_scalar(),
+        their_public_key.as_affine(),
+      );
+      secret.copy_from_slice(shared_secret.raw_secret_bytes());
 
-      secret.copy_from_slice(&shared_secret.secret_bytes());
       Ok(())
     }
     "prime256v1" | "secp256r1" => {
@@ -1125,12 +1129,11 @@ pub fn op_node_ecdh_compute_public_key(
 ) -> Result<(), AnyError> {
   match curve {
     "secp256k1" => {
-      let secp = Secp256k1::new();
-      let secret_key = SecretKey::from_slice(privkey).unwrap();
-      let public_key =
-        secp256k1::PublicKey::from_secret_key(&secp, &secret_key);
-
-      pubkey.copy_from_slice(&public_key.serialize_uncompressed());
+      let this_private_key =
+        elliptic_curve::SecretKey::<k256::Secp256k1>::from_slice(privkey)
+          .expect("bad private key");
+      let public_key = this_private_key.public_key();
+      pubkey.copy_from_slice(public_key.to_sec1_bytes().as_ref());
 
       Ok(())
     }