reverts to proper slip-10/bip-32 based key generation

QuestofIranon · QuestofIranon · commit fc8b848d3371 · 2019-09-14T02:03:04.000-07:00
diff --git a/src/crypto.rs b/src/crypto.rs
@@ -1,5 +1,5 @@
 use crate::proto::{self, ToProto};
-use bip39::{Language, Mnemonic};
+use bip39::{Language, Mnemonic, MnemonicType, Seed};
 use ed25519_dalek;
 use failure::{bail, err_msg, Error};
 use failure_derive::Fail;
@@ -15,7 +15,9 @@ use std::{
     str::FromStr,
 };
 use try_from::{TryFrom, TryInto};
-use hmac::Hmac;
+use hmac::{Hmac, Mac};
+use sha2::Sha512;
+use failure::_core::ops::Deref;
 
 // Types used for (de-)serializing public and secret keys from ASN.1 byte
 // streams.
@@ -366,61 +368,58 @@ impl TryFrom<proto::BasicTypes::Key> for PublicKey {
 
 /// An EdDSA secret key.
 #[repr(C)]
-pub struct SecretKey(ed25519_dalek::SecretKey);
+pub struct SecretKey {
+    pub value: ed25519_dalek::SecretKey,
+    chain_code: Option<[u8; 32]>
+}
 
 impl SecretKey {
     /// Generate a `SecretKey` with 32 cryptographically random bytes
+    ///
+    /// This `SecretKey` will _not_ support child key derivation.
     pub fn generate() -> Self {
-        let mut buf = [0u8; 32];
-
-        getrandom::getrandom(&mut buf).expect("Could not retrieve entropy from the os");
+        let mut bytes:[u8; 32] = Default::default();
 
-        let bytes = Self::derive_seed(&buf);
+        getrandom::getrandom(&mut bytes)
+            .expect("Could not retrieve secure entropy from the os");
 
-        // this should never fail unless getrandom fails which will cause a panic
-        SecretKey(ed25519_dalek::SecretKey::from_bytes(&bytes).unwrap())
+        Self::generate_from_entropy(&bytes)
     }
 
     /// Generate a `SecretKey` with 32 bytes of provided entropy
+    ///
+    /// This `SecretKey` will _not_ support child key derivation.
+    #[inline]
     pub fn generate_from_entropy(entropy: &[u8; 32]) -> Self {
-        // this should never fail since entropy is required to be a 32-length u8 array
-        SecretKey(ed25519_dalek::SecretKey::from_bytes(entropy).unwrap())
+        // this should never fail since 32 byte arrays are guaranteed to be compatible
+        Self::from_bytes(entropy).unwrap()
     }
 
     /// Generate a `SecretKey` alongside a BIP-39 mnemonic using a cryptographically
     /// secure random number generator.
+    ///
+    /// Generated `SecretKey` will support deriving child keys with `.derive_child()`.
+    #[inline]
     pub fn generate_mnemonic() -> (Self, String) {
-        let mut entropy = [0u8; 32];
-
-        getrandom::getrandom(&mut entropy).expect("Could not retrieve entropy from the os");
-
-        // this should never fail as 32 is a valid entropy length
-        let mnemonic = Mnemonic::from_entropy(&entropy, Language::English).unwrap();
-        let secret = Self::generate_from_entropy(&entropy);
-
-        (secret, mnemonic.into_phrase())
+        Self::generate_mnemonic_with_passphrase("")
     }
 
-    /// Duplicating what is done here:
-    /// https://github.com/hashgraph/hedera-keygen-java/blob/master/src/main/java/com/hedera/sdk/keygen/CryptoUtils.java#L43
-    fn derive_seed(entropy: &[u8]) -> [u8; 32] {
-        let password = entropy
-            .into_iter()
-            .chain([u8::max_value(); 8].iter())
-            .map(|u| { *u })
-            .collect::<Vec<u8>>();
-
-        let salt = [u8::max_value()];
-
-        let mut seed = [0u8; 32];
-
-        pbkdf2::pbkdf2::<Hmac<sha2::Sha512>>(&password, &salt, 2048, &mut seed);
+    /// Generate a `SecretKey` alongside a BIP-39 mnemonic using a cryptographically
+    /// secure random number generate and provided passphrase
+    ///
+    /// Generated `SecretKey` will support deriving child keys with `.derive_child()`.
+    pub fn generate_mnemonic_with_passphrase(passphrase: &str) -> (Self, String) {
+        let mnemonic_phrase = Mnemonic::new(MnemonicType::Words24, Language::English).into_phrase();
 
-        seed
+        // Cannot fail since it is being passed in compatible generated values
+        (Self::from_mnemonic_with_passphrase(&mnemonic_phrase, passphrase).unwrap(), mnemonic_phrase)
     }
 
     /// Construct a `SecretKey` from a slice of bytes.
     /// Bytes are expected to be either a raw key or encoded in ASN.1.
+    ///
+    /// This `SecretKey` will _not_ support child key derivation as it is impossible
+    /// to determine if the original key was generated with compatibility
     pub fn from_bytes(bytes: impl AsRef<[u8]>) -> Result<Self, Error> {
         let bytes = bytes.as_ref();
 
@@ -429,9 +428,10 @@ impl SecretKey {
         {
             // If the buffer looks like a {secret}{public} byte string; just pull the secret
             // key bytes off of it
-            return Ok(SecretKey(ed25519_dalek::SecretKey::from_bytes(
-                &bytes[..ed25519_dalek::SECRET_KEY_LENGTH],
-            )?));
+            return Ok(SecretKey{
+                value: ed25519_dalek::SecretKey::from_bytes(&bytes[..ed25519_dalek::SECRET_KEY_LENGTH], )?,
+                chain_code: None
+            });
         }
 
         let info: PrivateKeyInfo = der_decode(&bytes)?;
@@ -443,32 +443,56 @@ impl SecretKey {
             );
         }
 
-        Ok(SecretKey(ed25519_dalek::SecretKey::from_bytes(
-            &info.private_key[2..],
-        )?))
+        Ok(SecretKey{
+            value: ed25519_dalek::SecretKey::from_bytes(&info.private_key[2..],)?,
+            chain_code: None
+        })
     }
 
-    /// Re-construct a `SecretKey` from the supplied mnemonic and password.
+    /// Re-construct a `SecretKey` from a supplied 24-word mnemonic and passphrase.
+    ///
+    /// There is no corresponding `to_mnemonic()` as the mnemonic cannot be recovered from the key.
+    ///
+    /// Mnemonics generated by the Android and iOS wallets will work
+    ///
+    /// Returned key will support deriving child keys with `.derive_child()`
+    #[inline]
     pub fn from_mnemonic(mnemonic: &str) -> Result<Self, Error> {
+        Self::from_mnemonic_with_passphrase(mnemonic, "")
+    }
+
+    /// Re-construct a `SecretKey` from a supplied 24-word mnemonic and passphrase.
+    ///
+    /// There is no corresponding `to_mnemonic_with_passphrase()` as the mnemonic cannot be
+    /// recovered from the key.
+    ///
+    /// Mnemonics generated by the Android and iOS wallets will work
+    ///
+    /// Returned key will support deriving child keys with `.derive_child()`
+    pub fn from_mnemonic_with_passphrase(mnemonic: &str, passphrase: &str) -> Result<Self, Error> {
         let mnemonic = Mnemonic::from_phrase(mnemonic, Language::English)?;
 
-        let mut entropy =  [0u8; 32];
+        let seed = Seed::new(&mnemonic, passphrase);
 
-        let seed_entropy = mnemonic.entropy();
+        let mut key_bytes: [u8; 32] = Default::default();
+        key_bytes.copy_from_slice(&seed.as_bytes()[0..32]);
 
-        for i in 0..32 {
-            entropy[i] = seed_entropy[i];
-        }
+        let mut chain_code: [u8; 32] = Default::default();
+        chain_code.copy_from_slice(&seed.as_bytes()[32..64]);
 
-        //let entropy: &[u8; 32] = vec!(mnemonic.entropy()).try_into()?;
+        for i in [44u32, 3030u32, 0u32, 0u32].iter() {
+            let (new_key_bytes, new_chain_code) = Self::derive_child_key_bytes(&key_bytes, &chain_code, i)?;
 
-        Ok(Self::generate_from_entropy(&entropy))
-    }
+            key_bytes.copy_from_slice(&new_key_bytes);
+            chain_code.copy_from_slice(&new_chain_code);
+        }
 
-    /// Return the `SecretKey` as raw bytes.
-    #[inline]
-    pub fn as_bytes(&self) -> &[u8; ed25519_dalek::SECRET_KEY_LENGTH] {
-        self.0.as_bytes()
+        let secret_key = SecretKey {
+            value: ed25519_dalek::SecretKey::from_bytes(&key_bytes)?,
+            chain_code: Some(chain_code)
+        };
+
+        Ok(secret_key)
     }
 
     /// Format a `SecretKey` as a vec of bytes in ASN.1 format.
@@ -477,7 +501,7 @@ impl SecretKey {
             algorithm: AlgorithmIdentifier {
                 algorithm: OID_ED25519.clone(),
             },
-            private_key: self.0.to_bytes().to_vec(),
+            private_key: self.to_bytes().to_vec(),
         })
         // NOTE: Not possible to fail. Only fail case the library has is if OIDs are
         //       given incorrectly.
@@ -487,23 +511,49 @@ impl SecretKey {
     /// Derive a `PublicKey` from this `SecretKey`.
     #[inline]
     pub fn public(&self) -> PublicKey {
-        PublicKey(ed25519_dalek::PublicKey::from(&self.0))
+        PublicKey(ed25519_dalek::PublicKey::from(&self.value))
     }
 
     /// Sign a message with this `SecretKey`.
     #[inline]
     pub fn sign(&self, message: impl AsRef<[u8]>) -> Signature {
         Signature(
-            ed25519_dalek::ExpandedSecretKey::from(&self.0)
+            ed25519_dalek::ExpandedSecretKey::from(&self.value)
                 .sign(message.as_ref(), &self.public().0),
         )
     }
+
+    /// SLIP-10/BIP-32 child key derivation
+    fn derive_child_key_bytes(parent_key: &[u8; 32], chain_code: &[u8; 32], index: &u32) -> Result<([u8; 32], [u8; 32]), Error> {
+        // This can't fail since 32 bytes is a valid key length
+        let mut hmac = Hmac::<Sha512>::new_varkey(chain_code).unwrap();
+
+        let mut input= [0u8; 37];
+
+        input[0] = 0u8;
+        input[1..33].copy_from_slice(parent_key);
+        input[34..37].copy_from_slice(&index.to_be_bytes());
+
+        input[33] = input[33] | 128u8;
+
+        hmac.input(&input);
+
+        let hmac = hmac.result().code();
+
+        let mut new_key_bytes: [u8; 32] = Default::default();
+        let mut chain_code: [u8; 32] = Default::default();
+        new_key_bytes.copy_from_slice(&hmac.as_slice()[0..32]);
+        chain_code.copy_from_slice(&hmac.as_slice()[32..64]);
+
+        Ok((new_key_bytes, chain_code))
+    }
+
 }
 
 impl Clone for SecretKey {
     #[inline]
     fn clone(&self) -> Self {
-        Self::from_bytes(self.0.as_bytes()).unwrap()
+        Self::from_bytes(self.as_bytes()).unwrap()
     }
 }
 
@@ -555,6 +605,15 @@ impl Debug for SecretKey {
     }
 }
 
+impl Deref for SecretKey {
+    type Target = ed25519_dalek::SecretKey;
+
+    #[inline]
+    fn deref(&self) -> &Self::Target {
+        &self.value
+    }
+}
+
 /// Format a `SecretKey` as a hex representation of its bytes in ASN.1 format.
 impl Display for SecretKey {
     #[inline]
@@ -653,7 +712,7 @@ mod tests {
         let secret_key2: SecretKey = KEY_SECRET_HEX.parse()?;
 
         assert_eq!(public_key1, public_key2);
-        assert_eq!(secret_key1.0.as_bytes(), secret_key2.0.as_bytes());
+        assert_eq!(secret_key1.as_bytes(), secret_key2.as_bytes());
         assert_eq!(public_key1, secret_key1.public());
         assert_eq!(public_key2, secret_key2.public());
         assert_eq!(secret_key2.public(), secret_key1.public());
