keystore: port bip85_ln() to Rust

The sha512 digest adaptor is moved to a util file as it's no longer
only used by ed25519.

Author: benma

src/keystore.c

@@ -793,30 +793,6 @@ bool keystore_bip85_bip39(
     return snprintf_result >= 0 && snprintf_result < (int)mnemonic_out_size;
 }
 
-bool keystore_bip85_ln(uint32_t index, uint8_t* entropy_out)
-{
-    if (index >= BIP32_INITIAL_HARDENED_CHILD) {
-        return false;
-    }
-
-    const uint32_t keypath[] = {
-        83696968 + BIP32_INITIAL_HARDENED_CHILD,
-        19534 + BIP32_INITIAL_HARDENED_CHILD,
-        0 + BIP32_INITIAL_HARDENED_CHILD,
-        12 + BIP32_INITIAL_HARDENED_CHILD,
-        index + BIP32_INITIAL_HARDENED_CHILD,
-    };
-
-    uint8_t entropy[64] = {0};
-    UTIL_CLEANUP_64(entropy);
-    if (!_bip85_entropy(keypath, sizeof(keypath) / sizeof(uint32_t), entropy)) {
-        return false;
-    }
-
-    memcpy(entropy_out, entropy, 16);
-    return true;
-}
-
 USE_RESULT bool keystore_encode_xpub_at_keypath(
     const uint32_t* keypath,
     size_t keypath_len,

src/keystore.h

@@ -245,16 +245,6 @@ USE_RESULT bool keystore_bip85_bip39(
     char* mnemonic_out,
     size_t mnemonic_out_size);
 
-/**
- * Computes a 16 byte deterministic seed specifically for Lightning hot wallets according to BIP-85.
- * It is the same as BIP-85 with app number 39', but instead using app number 19534' (= 0x4c4e =
- * 'LN'). https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki#bip39
- * Restricted to 16 byte output entropy.
- * @param[in] index must be smaller than `BIP32_INITIAL_HARDENED_CHILD`.
- * @param[out] entropy_out resulting entropy, must be at least 16 bytes in size.
- */
-USE_RESULT bool keystore_bip85_ln(uint32_t index, uint8_t* entropy_out);
-
 /**
  * Encode an xpub at the given `keypath` as 78 bytes according to BIP32. The version bytes are
  * the ones corresponding to `xpub`, i.e. 0x0488B21E.

src/rust/bitbox02-rust/src/hash.rs

@@ -0,0 +1,54 @@
+// Copyright 2025 Shift Crypto AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use alloc::vec::Vec;
+
+/// Implements the digest traits for Sha512 backing it with the wally_sha512 C function. This is
+/// done to avoid using a second sha512 implementation like `sha2::Sha512`, which bloats the binary
+/// by an additional ~12.7kB (at the time of writing).
+///
+/// This implementation accumulates the data to be hashed in heap, it does **not** hash in a
+/// streaming fashion, even when using `update()`.
+#[derive(Default, Clone)]
+pub struct Sha512(Vec<u8>);
+
+impl digest::HashMarker for Sha512 {}
+
+impl digest::OutputSizeUser for Sha512 {
+    type OutputSize = digest::typenum::U64;
+}
+
+impl digest::FixedOutput for Sha512 {
+    fn finalize_into(self, out: &mut digest::Output<Self>) {
+        // use digest::Digest;
+        // out.copy_from_slice(&sha2::Sha512::digest(&self.0));
+        out.copy_from_slice(&bitbox02::sha512(&self.0));
+    }
+}
+
+impl digest::Update for Sha512 {
+    fn update(&mut self, data: &[u8]) {
+        self.0.extend(data);
+    }
+}
+
+impl digest::Reset for Sha512 {
+    fn reset(&mut self) {
+        self.0 = vec![];
+    }
+}
+
+impl digest::core_api::BlockSizeUser for Sha512 {
+    type BlockSize = digest::typenum::U128;
+}

src/rust/bitbox02-rust/src/hww/api/bip85.rs

@@ -160,5 +160,7 @@ async fn process_ln(
         })
         .await?;
 
-    keystore::bip85_ln(account_number).map_err(|_| Error::Generic)
+    Ok(crate::keystore::bip85_ln(account_number)
+        .map_err(|_| Error::Generic)?
+        .to_vec())
 }

src/rust/bitbox02-rust/src/keystore.rs

@@ -20,6 +20,11 @@ use alloc::vec::Vec;
 use crate::bip32;
 use bitbox02::keystore;
 
+use util::bip32::HARDENED;
+
+use crate::hash::Sha512;
+use hmac::{digest::FixedOutput, Mac, SimpleHmac};
+
 /// Derives an xpub from the keystore seed at the given keypath.
 pub fn get_xpub(keypath: &[u32]) -> Result<bip32::Xpub, ()> {
     // Convert from C keystore to Rust by encoding the xpub in C and decoding it in Rust.
@@ -33,12 +38,43 @@ pub fn root_fingerprint() -> Result<Vec<u8>, ()> {
     Ok(get_xpub(&[])?.pubkey_hash160().get(..4).ok_or(())?.to_vec())
 }
 
+fn bip85_entropy(keypath: &[u32]) -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
+    let priv_key = keystore::secp256k1_get_private_key(keypath)?;
+    let mut mac = SimpleHmac::<Sha512>::new_from_slice(b"bip-entropy-from-k").unwrap();
+    mac.update(&priv_key);
+    let mut out = zeroize::Zeroizing::new(vec![0u8; 64]);
+    let fixed_out: &mut [u8; 64] = out.as_mut_slice().try_into().unwrap();
+    mac.finalize_into(fixed_out.into());
+    Ok(out)
+}
+
+/// Computes a 16 byte deterministic seed specifically for Lightning hot wallets according to BIP-85.
+/// It is the same as BIP-85 with app number 39', but instead using app number 19534' (= 0x4c4e =
+/// 'LN'). https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki#bip39
+/// Restricted to 16 byte output entropy.
+/// `index` must be smaller than `bip32::HARDENED`.
+pub fn bip85_ln(index: u32) -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
+    if index >= HARDENED {
+        return Err(());
+    }
+    let keypath = [
+        83696968 + HARDENED,
+        19534 + HARDENED,
+        0 + HARDENED,
+        12 + HARDENED,
+        index + HARDENED,
+    ];
+
+    let mut entropy = bip85_entropy(&keypath)?;
+    entropy.truncate(16);
+    Ok(entropy)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
 
     use bitbox02::testing::{mock_unlocked, mock_unlocked_using_mnemonic};
-    use util::bip32::HARDENED;
 
     #[test]
     fn test_get_xpub() {
@@ -99,4 +135,31 @@ mod tests {
         );
         assert_eq!(root_fingerprint(), Ok(vec![0xf4, 0x0b, 0x46, 0x9a]));
     }
+
+    #[test]
+    fn test_bip85_ln() {
+        keystore::lock();
+        assert!(bip85_ln(0).is_err());
+
+        mock_unlocked_using_mnemonic(
+            "virtual weapon code laptop defy cricket vicious target wave leopard garden give",
+            "",
+        );
+
+        assert_eq!(
+            bip85_ln(0).unwrap().as_slice(),
+            b"\x3a\x5f\x3b\x88\x8a\xab\x88\xe2\xa9\xab\x99\x1b\x60\xa0\x3e\xd8",
+        );
+        assert_eq!(
+            bip85_ln(1).unwrap().as_slice(),
+            b"\xe7\xd9\xce\x75\xf8\xcb\x17\x57\x0e\x66\x54\x17\xb4\x7f\xa0\xbe",
+        );
+        assert_eq!(
+            bip85_ln(HARDENED - 1).unwrap().as_slice(),
+            b"\x1f\x3b\x75\xea\x25\x27\x49\x70\x0a\x1e\x45\x34\x69\x14\x8c\xa6",
+        );
+
+        // Index too high.
+        assert!(bip85_ln(HARDENED).is_err());
+    }
 }

src/rust/bitbox02-rust/src/keystore/ed25519.rs

@@ -14,48 +14,9 @@
 
 use alloc::vec::Vec;
 
+use crate::hash::Sha512;
 use bip32_ed25519::{Xprv, Xpub, ED25519_EXPANDED_SECRET_KEY_SIZE};
 
-/// Implements the digest traits for Sha512 backing it with the wally_sha512 C function. This is
-/// done to avoid using a second sha512 implementation like `sha2::Sha512`, which bloats the binary
-/// by an additional ~12.7kB (at the time of writing).
-///
-/// This implementation accumulates the data to be hashed in heap, it does **not** hash in a
-/// streaming fashion, even when using `update()`. This is okay for the use within this module, as
-/// bip32_ed25519 and sign_raw() do not hash a lot of data.
-#[derive(Default, Clone)]
-pub struct Sha512(Vec<u8>);
-
-impl digest::HashMarker for Sha512 {}
-
-impl digest::OutputSizeUser for Sha512 {
-    type OutputSize = digest::typenum::U64;
-}
-
-impl digest::FixedOutput for Sha512 {
-    fn finalize_into(self, out: &mut digest::Output<Self>) {
-        // use digest::Digest;
-        // out.copy_from_slice(&sha2::Sha512::digest(&self.0));
-        out.copy_from_slice(&bitbox02::sha512(&self.0));
-    }
-}
-
-impl digest::Update for Sha512 {
-    fn update(&mut self, data: &[u8]) {
-        self.0.extend(data);
-    }
-}
-
-impl digest::Reset for Sha512 {
-    fn reset(&mut self) {
-        self.0 = vec![];
-    }
-}
-
-impl digest::core_api::BlockSizeUser for Sha512 {
-    type BlockSize = digest::typenum::U128;
-}
-
 fn get_seed() -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
     bitbox02::keystore::get_ed25519_seed()
 }

src/rust/bitbox02-rust/src/lib.rs

@@ -32,6 +32,7 @@ pub mod backup;
 pub mod bb02_async;
 mod bip32;
 pub mod hal;
+mod hash;
 pub mod hww;
 pub mod keystore;
 mod version;

src/rust/bitbox02-sys/build.rs

@@ -68,7 +68,6 @@ const ALLOWLIST_FNS: &[&str] = &[
     "empty_create",
     "keystore_bip39_mnemonic_to_seed",
     "keystore_bip85_bip39",
-    "keystore_bip85_ln",
     "keystore_copy_seed",
     "keystore_create_and_store_seed",
     "keystore_encode_xpub_at_keypath",

src/rust/bitbox02/src/keystore.rs

@@ -328,14 +328,6 @@ pub fn bip85_bip39(words: u32, index: u32) -> Result<zeroize::Zeroizing<String>,
     }
 }
 
-pub fn bip85_ln(index: u32) -> Result<Vec<u8>, ()> {
-    let mut entropy = vec![0u8; 16];
-    match unsafe { bitbox02_sys::keystore_bip85_ln(index, entropy.as_mut_ptr()) } {
-        false => Err(()),
-        true => Ok(entropy),
-    }
-}
-
 pub fn secp256k1_schnorr_sign(
     keypath: &[u32],
     msg: &[u8; 32],
@@ -512,33 +504,6 @@ mod tests {
         assert!(bip85_bip39(12, HARDENED).is_err());
     }
 
-    #[test]
-    fn test_bip85_ln() {
-        lock();
-        assert!(bip85_ln(0).is_err());
-
-        mock_unlocked_using_mnemonic(
-            "virtual weapon code laptop defy cricket vicious target wave leopard garden give",
-            "",
-        );
-
-        assert_eq!(
-            bip85_ln(0).unwrap().as_slice(),
-            b"\x3a\x5f\x3b\x88\x8a\xab\x88\xe2\xa9\xab\x99\x1b\x60\xa0\x3e\xd8",
-        );
-        assert_eq!(
-            bip85_ln(1).unwrap().as_slice(),
-            b"\xe7\xd9\xce\x75\xf8\xcb\x17\x57\x0e\x66\x54\x17\xb4\x7f\xa0\xbe",
-        );
-        assert_eq!(
-            bip85_ln(HARDENED - 1).unwrap().as_slice(),
-            b"\x1f\x3b\x75\xea\x25\x27\x49\x70\x0a\x1e\x45\x34\x69\x14\x8c\xa6",
-        );
-
-        // Index too high.
-        assert!(bip85_ln(HARDENED).is_err());
-    }
-
     #[test]
     fn test_secp256k1_get_private_key() {
         lock();