Merge branch 'xpubcache'

Author: benma

CHANGELOG.md

@@ -7,6 +7,7 @@ customers cannot upgrade their bootloader, its changes are recorded separately.
 ## Firmware
 
 ### [Unreleased]
+- Increased performance when signing Bitcoin transactions
 - Warn if the transaction fee is higher than 10% of the coins sent
 - ETH Testnets: add Goerli and remove deprecated Rinkeby and Ropsten
 

src/CMakeLists.txt

@@ -15,6 +15,7 @@
 # limitations under the License.
 
 set(DBB-FIRMWARE-SOURCES
+  ${CMAKE_SOURCE_DIR}/src/bip32.c
   ${CMAKE_SOURCE_DIR}/src/firmware_main_loop.c
   ${CMAKE_SOURCE_DIR}/src/keystore.c
   ${CMAKE_SOURCE_DIR}/src/random.c
@@ -271,6 +272,7 @@ add_custom_target(rust-bindgen
     --use-core
     --with-derive-default
     --ctypes-prefix util::c_types
+    --allowlist-function bip32_derive_xpub
     --allowlist-function strftime
     --allowlist-function localtime
     --allowlist-function wally_free_string

src/bip32.c

@@ -0,0 +1,42 @@
+// Copyright 2023 Shift Crypto AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "bip32.h"
+
+#include <string.h>
+#include <wally_bip32.h>
+
+bool bip32_derive_xpub(
+    const uint8_t* xpub78,
+    const uint32_t* keypath,
+    size_t keypath_len,
+    uint8_t* xpub78_out)
+{
+    if (keypath_len == 0) {
+        memcpy(xpub78_out, xpub78, BIP32_SERIALIZED_LEN);
+        return true;
+    }
+
+    struct ext_key xpub = {0};
+    if (bip32_key_unserialize(xpub78, BIP32_SERIALIZED_LEN, &xpub) != WALLY_OK) {
+        return false;
+    }
+    struct ext_key derived_xpub = {0};
+    if (bip32_key_from_parent_path(
+            &xpub, keypath, keypath_len, BIP32_FLAG_KEY_PUBLIC, &derived_xpub) != WALLY_OK) {
+        return false;
+    }
+    return bip32_key_serialize(
+               &derived_xpub, BIP32_FLAG_KEY_PUBLIC, xpub78_out, BIP32_SERIALIZED_LEN) == WALLY_OK;
+}

src/bip32.h

@@ -0,0 +1,30 @@
+// Copyright 2023 Shift Crypto AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _BIP32_H_
+#define _BIP32_H_
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include <compiler_util.h>
+
+USE_RESULT bool bip32_derive_xpub(
+    const uint8_t* xpub78,
+    const uint32_t* keypath,
+    size_t keypath_len,
+    uint8_t* xpub78_out);
+
+#endif

src/rust/bitbox02-rust/src/bip32.rs

@@ -56,6 +56,7 @@ impl Xpub {
             public_key: xpub[45..78].to_vec(),
         }))
     }
+
     /// Serializes a protobuf XPub to bytes according to the BIP32 specification. If xpub_type is
     /// None, the four version bytes are skipped.
     pub fn serialize(&self, xpub_type: Option<XPubType>) -> Result<Vec<u8>, ()> {
@@ -100,6 +101,12 @@ impl Xpub {
             .into_string())
     }
 
+    /// Derives child xpub at the keypath. All keypath elements must be unhardened.
+    pub fn derive(&self, keypath: &[u32]) -> Result<Self, ()> {
+        let xpub_ser = self.serialize(Some(XPubType::Xpub))?;
+        Xpub::from_bytes(&bitbox02::bip32::derive_xpub(&xpub_ser, keypath)?)
+    }
+
     /// Returns the 33 bytes secp256k1 compressed pubkey.
     pub fn public_key(&self) -> &[u8] {
         self.xpub.public_key.as_slice()
@@ -116,6 +123,17 @@ impl Xpub {
     pub fn pubkey_uncompressed(&self) -> Result<[u8; 65], ()> {
         bitbox02::keystore::secp256k1_pubkey_compressed_to_uncompressed(self.public_key())
     }
+
+    /// Return the tweaked taproot pubkey.
+    ///
+    /// Instead of returning the original pubkey at the keypath directly, it is tweaked with the
+    /// hash of the pubkey.
+    ///
+    /// See
+    /// https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#address-derivation
+    pub fn schnorr_bip86_pubkey(&self) -> Result<[u8; 32], ()> {
+        bitbox02::keystore::secp256k1_schnorr_bip86_pubkey(self.public_key())
+    }
 }
 
 /// Parses a Base58Check-encoded xpub string. The 4 version bytes are not checked and discarded.
@@ -178,6 +196,30 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_derive() {
+        let xpub_str = "xpub661MyMwAqRbcGpuMRXa55WgyqinF4dpxvqQK63xBHtnH5yK4e3cTLqbX9CP4mEMHUbqsjSQ8y3hhbAzuMhpn8eEiLNVSWYaVSbKMAtUPyYH";
+        let xpub = Xpub::from(parse_xpub(xpub_str).unwrap());
+
+        assert_eq!(
+            xpub.derive(&[])
+                .unwrap()
+                .serialize_str(XPubType::Xpub)
+                .unwrap(),
+            xpub_str,
+        );
+        let expected = "xpub6CYiDoWMtLVQNrc4tbAvuRk5wjsp6MFgtYEdBUV7TGLUjutavHdEKLu9KpTpRxEZULbSwM1UQPaQpqAhmWYvngXCGHGE7hSZFNofeSRzmk5";
+        assert_eq!(
+            xpub.derive(&[0, 1, 2])
+                .unwrap()
+                .serialize_str(XPubType::Xpub)
+                .unwrap(),
+            expected,
+        );
+
+        assert!(xpub.derive(&[0, 1, util::bip32::HARDENED]).is_err());
+    }
+
     #[test]
     fn test_pubkey_hash160() {
         let xpub = Xpub::from(parse_xpub("xpub6GugPDcUhrSudznFss7wXvQV3gwFTEanxHdCyoNoHnZEr3PTbh2Fosg4JjfphaYAsqjBhmtTZ3Yo8tmGjSHtaPhExNiMCSvPzreqjrX4Wr7").unwrap());
@@ -201,4 +243,28 @@ mod tests {
             *b"\x04\x77\xa4\x4a\xa9\xe8\xc8\xfb\x51\x05\xef\x5e\xe2\x39\x4e\x8a\xed\x89\xad\x73\xfc\x74\x36\x14\x25\xf0\x63\x47\xec\xfe\x32\x61\x31\xe1\x33\x93\x67\xee\x3c\xbe\x87\x71\x92\x85\xa0\x7f\x77\x4b\x17\xeb\x93\x3e\xcf\x0b\x9b\x82\xac\xeb\xc1\x95\x22\x6d\x63\x42\x44",
         );
     }
+
+    #[test]
+    fn test_schnorr_bip86_pubkey() {
+        // Test vectors from:
+        // https://github.com/bitcoin/bips/blob/edffe529056f6dfd33d8f716fb871467c3c09263/bip-0086.mediawiki#test-vectors
+        // Here we only test the creation of the tweaked pubkkey. See `Payload::from_simple` for address generation.
+
+        let xpub = Xpub::from(parse_xpub("xpub6BgBgsespWvERF3LHQu6CnqdvfEvtMcQjYrcRzx53QJjSxarj2afYWcLteoGVky7D3UKDP9QyrLprQ3VCECoY49yfdDEHGCtMMj92pReUsQ").unwrap());
+
+        assert_eq!(
+            xpub.derive(&[0, 0]).unwrap().schnorr_bip86_pubkey().unwrap(),
+            *b"\xa6\x08\x69\xf0\xdb\xcf\x1d\xc6\x59\xc9\xce\xcb\xaf\x80\x50\x13\x5e\xa9\xe8\xcd\xc4\x87\x05\x3f\x1d\xc6\x88\x09\x49\xdc\x68\x4c",
+        );
+
+        assert_eq!(
+            xpub.derive(&[0, 1]).unwrap().schnorr_bip86_pubkey().unwrap(),
+            *b"\xa8\x2f\x29\x94\x4d\x65\xb8\x6a\xe6\xb5\xe5\xcc\x75\xe2\x94\xea\xd6\xc5\x93\x91\xa1\xed\xc5\xe0\x16\xe3\x49\x8c\x67\xfc\x7b\xbb",
+        );
+
+        assert_eq!(
+            xpub.derive(&[1, 0]).unwrap().schnorr_bip86_pubkey().unwrap(),
+            *b"\x88\x2d\x74\xe5\xd0\x57\x2d\x5a\x81\x6c\xef\x00\x41\xa9\x6b\x6c\x1d\xe8\x32\xf6\xf9\x67\x6d\x96\x05\xc4\x4d\x5e\x9a\x97\xd3\xdc",
+        );
+    }
 }

src/rust/bitbox02-rust/src/hww/api/bitcoin.rs

@@ -134,7 +134,13 @@ pub fn derive_address_simple(
         coin_params.taproot_support,
     )
     .or(Err(Error::InvalidInput))?;
-    Ok(common::Payload::from_simple(coin_params, simple_type, keypath)?.address(coin_params)?)
+    Ok(common::Payload::from_simple(
+        &mut crate::xpubcache::XpubCache::new(),
+        coin_params,
+        simple_type,
+        keypath,
+    )?
+    .address(coin_params)?)
 }
 
 /// Processes a SimpleType (single-sig) adress api call.

src/rust/bitbox02-rust/src/hww/api/bitcoin/common.rs

@@ -15,7 +15,7 @@
 use super::pb;
 use super::Error;
 
-use crate::keystore;
+use crate::xpubcache::Bip32XpubCache;
 
 use alloc::string::String;
 use alloc::vec::Vec;
@@ -71,17 +71,19 @@ pub struct Payload {
 
 impl Payload {
     pub fn from_simple(
+        xpub_cache: &mut Bip32XpubCache,
         params: &Params,
         simple_type: SimpleType,
         keypath: &[u32],
     ) -> Result<Self, Error> {
         match simple_type {
             SimpleType::P2wpkh => Ok(Payload {
-                data: keystore::get_xpub(keypath)?.pubkey_hash160(),
+                data: xpub_cache.get_xpub(keypath)?.pubkey_hash160(),
                 output_type: BtcOutputType::P2wpkh,
             }),
             SimpleType::P2wpkhP2sh => {
-                let payload_p2wpkh = Payload::from_simple(params, SimpleType::P2wpkh, keypath)?;
+                let payload_p2wpkh =
+                    Payload::from_simple(xpub_cache, params, SimpleType::P2wpkh, keypath)?;
                 let pkscript_p2wpkh = payload_p2wpkh.pk_script(params)?;
                 Ok(Payload {
                     data: bitbox02::hash160(&pkscript_p2wpkh).to_vec(),
@@ -91,7 +93,10 @@ impl Payload {
             SimpleType::P2tr => {
                 if params.taproot_support {
                     Ok(Payload {
-                        data: keystore::secp256k1_schnorr_bip86_pubkey(keypath)?.to_vec(),
+                        data: xpub_cache
+                            .get_xpub(keypath)?
+                            .schnorr_bip86_pubkey()?
+                            .to_vec(),
                         output_type: BtcOutputType::P2tr,
                     })
                 } else {
@@ -144,6 +149,7 @@ impl Payload {
     /// Computes the payload data from a script config. The payload can then be used generate a
     /// pkScript or an address.
     pub fn from(
+        xpub_cache: &mut Bip32XpubCache,
         params: &Params,
         keypath: &[u32],
         script_config_account: &pb::BtcScriptConfigWithKeypath,
@@ -158,7 +164,7 @@ impl Payload {
             } => {
                 let simple_type = pb::btc_script_config::SimpleType::from_i32(*simple_type)
                     .ok_or(Error::InvalidInput)?;
-                Self::from_simple(params, simple_type, keypath)
+                Self::from_simple(xpub_cache, params, simple_type, keypath)
             }
             pb::BtcScriptConfigWithKeypath {
                 script_config:
@@ -533,10 +539,12 @@ mod tests {
         mock_unlocked_using_mnemonic(
             "sudden tenant fault inject concert weather maid people chunk youth stumble grit",
         );
+        let mut xpub_cache = Bip32XpubCache::new();
         let coin_params = super::super::params::get(pb::BtcCoin::Btc);
         // p2wpkh
         assert_eq!(
             Payload::from_simple(
+                &mut xpub_cache,
                 coin_params,
                 SimpleType::P2wpkh,
                 &[84 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0]
@@ -550,6 +558,7 @@ mod tests {
         //  p2wpkh-p2sh
         assert_eq!(
             Payload::from_simple(
+                &mut xpub_cache,
                 coin_params,
                 SimpleType::P2wpkhP2sh,
                 &[49 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0]
@@ -563,6 +572,7 @@ mod tests {
         // p2tr
         assert_eq!(
             Payload::from_simple(
+                &mut xpub_cache,
                 coin_params,
                 SimpleType::P2tr,
                 &[86 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0]