Merge remote-tracking branch 'benma/ed25519-seed'

Author: benma

src/keystore.c

@@ -28,8 +28,6 @@
 
 #include <rust/rust.h>
 #include <secp256k1_ecdsa_s2c.h>
-#include <secp256k1_extrakeys.h>
-#include <secp256k1_schnorrsig.h>
 
 // Change this ONLY via keystore_unlock() or keystore_lock()
 static bool _is_unlocked_device = false;
@@ -549,94 +547,6 @@ bool keystore_get_u2f_seed(uint8_t* seed_out)
     return true;
 }
 
-bool keystore_get_ed25519_seed(uint8_t* seed_out)
-{
-    uint8_t bip39_seed[64] = {0};
-    UTIL_CLEANUP_64(bip39_seed);
-    if (!keystore_copy_bip39_seed(bip39_seed)) {
-        return false;
-    }
-
-    const uint8_t key[] = "ed25519 seed";
-
-    // Derive a 64 byte expanded ed25519 private key and put it into seed_out.
-    memcpy(seed_out, bip39_seed, 64);
-    do {
-        rust_hmac_sha512(key, sizeof(key), seed_out, 64, seed_out);
-    } while (seed_out[31] & 0x20);
-
-    seed_out[0] &= 248;
-    seed_out[31] &= 127;
-    seed_out[31] |= 64;
-
-    // Compute chain code and put it into seed_out at offset 64.
-    uint8_t message[65] = {0};
-    message[0] = 0x01;
-    memcpy(&message[1], bip39_seed, 64);
-    util_zero(bip39_seed, sizeof(bip39_seed));
-    rust_hmac_sha256(key, sizeof(key), message, sizeof(message), &seed_out[64]);
-    util_zero(message, sizeof(message));
-    return true;
-}
-
-static bool _schnorr_keypair(
-    const secp256k1_context* ctx,
-    const uint32_t* keypath,
-    size_t keypath_len,
-    const uint8_t* tweak,
-    secp256k1_keypair* keypair_out,
-    secp256k1_xonly_pubkey* pubkey_out)
-{
-    if (keystore_is_locked()) {
-        return false;
-    }
-    uint8_t private_key[32] = {0};
-    UTIL_CLEANUP_32(private_key);
-    if (!rust_secp256k1_get_private_key(
-            keypath, keypath_len, rust_util_bytes_mut(private_key, sizeof(private_key)))) {
-        return false;
-    }
-
-    if (!secp256k1_keypair_create(ctx, keypair_out, private_key)) {
-        return false;
-    }
-    if (tweak != NULL) {
-        if (secp256k1_keypair_xonly_tweak_add(ctx, keypair_out, tweak) != 1) {
-            return false;
-        }
-    }
-    if (!secp256k1_keypair_xonly_pub(ctx, pubkey_out, NULL, keypair_out)) {
-        return false;
-    }
-    return true;
-}
-
-static void _cleanup_keypair(secp256k1_keypair* keypair)
-{
-    util_zero(keypair, sizeof(secp256k1_keypair));
-}
-
-bool keystore_secp256k1_schnorr_sign(
-    const secp256k1_context* ctx,
-    const uint32_t* keypath,
-    size_t keypath_len,
-    const uint8_t* msg32,
-    const uint8_t* tweak,
-    uint8_t* sig64_out)
-{
-    secp256k1_keypair __attribute__((__cleanup__(_cleanup_keypair))) keypair = {0};
-    secp256k1_xonly_pubkey pubkey = {0};
-    if (!_schnorr_keypair(ctx, keypath, keypath_len, tweak, &keypair, &pubkey)) {
-        return false;
-    }
-    uint8_t aux_rand[32] = {0};
-    random_32_bytes(aux_rand);
-    if (secp256k1_schnorrsig_sign32(ctx, sig64_out, msg32, &keypair, aux_rand) != 1) {
-        return false;
-    }
-    return secp256k1_schnorrsig_verify(ctx, sig64_out, msg32, 32, &pubkey) == 1;
-}
-
 #ifdef TESTING
 void keystore_mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t* bip39_seed)
 {

src/keystore.h

@@ -186,35 +186,6 @@ USE_RESULT bool keystore_secp256k1_sign(
  */
 USE_RESULT bool keystore_get_u2f_seed(uint8_t* seed_out);
 
-/**
- * Get the seed to be used for ed25519 applications such as Cardano. The output is the root key to
- * BIP32-ED25519.
- * This implements a derivation compatible with Ledger according to
- * https://github.com/LedgerHQ/orakolo/blob/0b2d5e669ec61df9a824df9fa1a363060116b490/src/python/orakolo/HDEd25519.py.
- * @param seed_out Buffer for the seed. Must be 96 bytes. It will contain a 64 byte expanded
- * ed25519 private key followed by a 32 byte chain code.
- */
-USE_RESULT bool keystore_get_ed25519_seed(uint8_t* seed_out);
-
-/**
- * Sign a message that verifies against the pubkey tweaked using BIP-86.
- *
- * @param[in] ctx secp256k1 context
- * @param[in] keypath derivation keypath
- * @param[in] keypath_len number of elements in keypath
- * @param[in] msg32 32 byte message to sign
- * @param[in] tweak 32 bytes, tweak private key before signing with this tweak. Use NULL to not
- *            tweak.
- * @param[out] sig64_out resulting 64 byte signature
- */
-USE_RESULT bool keystore_secp256k1_schnorr_sign(
-    const secp256k1_context* ctx,
-    const uint32_t* keypath,
-    size_t keypath_len,
-    const uint8_t* msg32,
-    const uint8_t* tweak,
-    uint8_t* sig64_out);
-
 #ifdef TESTING
 /**
  * convenience to mock the keystore state (locked, seed) in tests.

src/rust/bitbox02-rust/src/hww/api/bitcoin/signtx.rs

@@ -1173,8 +1173,7 @@ async fn _process(
             });
 
             next_response.next.has_signature = true;
-            next_response.next.signature = bitbox02::keystore::secp256k1_schnorr_sign(
-                SECP256K1,
+            next_response.next.signature = crate::keystore::secp256k1_schnorr_sign(
                 &tx_input.keypath,
                 &sighash,
                 if let TaprootSpendInfo::KeySpend(tweak_hash) = &spend_info {

src/rust/bitbox02-rust/src/keystore.rs

@@ -156,6 +156,34 @@ pub fn bip85_ln(index: u32) -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
     Ok(entropy)
 }
 
+/// Sign a message using the private key at the keypath, which is optionally tweaked with the given
+/// tweak.
+pub fn secp256k1_schnorr_sign(
+    keypath: &[u32],
+    msg: &[u8; 32],
+    tweak: Option<&[u8; 32]>,
+) -> Result<[u8; 64], ()> {
+    let private_key = secp256k1_get_private_key(keypath)?;
+    let mut keypair =
+        bitcoin::secp256k1::Keypair::from_seckey_slice(SECP256K1, &private_key).map_err(|_| ())?;
+
+    if let Some(tweak) = tweak {
+        keypair = keypair
+            .add_xonly_tweak(
+                SECP256K1,
+                &bitcoin::secp256k1::Scalar::from_be_bytes(*tweak).map_err(|_| ())?,
+            )
+            .map_err(|_| ())?;
+    }
+
+    let sig = SECP256K1.sign_schnorr_with_aux_rand(
+        &bitcoin::secp256k1::Message::from_digest(*msg),
+        &keypair,
+        &bitbox02::random::random_32_bytes(),
+    );
+    Ok(sig.serialize())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -164,6 +192,8 @@ mod tests {
         TEST_MNEMONIC, mock_memory, mock_unlocked, mock_unlocked_using_mnemonic,
     };
 
+    use bitcoin::secp256k1;
+
     #[test]
     fn test_secp256k1_get_private_key() {
         keystore::lock();
@@ -433,4 +463,54 @@ mod tests {
             );
         }
     }
+
+    #[test]
+    fn test_secp256k1_schnorr_sign() {
+        mock_unlocked_using_mnemonic(
+            "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
+            "",
+        );
+        let keypath = [86 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0];
+        let msg = [0x88u8; 32];
+
+        let expected_pubkey = {
+            let pubkey =
+                hex::decode("cc8a4bc64d897bddc5fbc2f670f7a8ba0b386779106cf1223c6fc5d7cd6fc115")
+                    .unwrap();
+            secp256k1::XOnlyPublicKey::from_slice(&pubkey).unwrap()
+        };
+
+        // Test without tweak
+        bitbox02::random::fake_reset();
+        let sig = secp256k1_schnorr_sign(&keypath, &msg, None).unwrap();
+        assert!(
+            SECP256K1
+                .verify_schnorr(
+                    &secp256k1::schnorr::Signature::from_slice(&sig).unwrap(),
+                    &secp256k1::Message::from_digest_slice(&msg).unwrap(),
+                    &expected_pubkey
+                )
+                .is_ok()
+        );
+
+        // Test with tweak
+        bitbox02::random::fake_reset();
+        let tweak = {
+            let tweak =
+                hex::decode("a39fb163dbd9b5e0840af3cc1ee41d5b31245c5dd8d6bdc3d026d09b8964997c")
+                    .unwrap();
+            secp256k1::Scalar::from_be_bytes(tweak.try_into().unwrap()).unwrap()
+        };
+        let (tweaked_pubkey, _) = expected_pubkey.add_tweak(SECP256K1, &tweak).unwrap();
+        let sig = secp256k1_schnorr_sign(&keypath, &msg, Some(&tweak.to_be_bytes())).unwrap();
+        assert!(
+            SECP256K1
+                .verify_schnorr(
+                    &secp256k1::schnorr::Signature::from_slice(&sig).unwrap(),
+                    &secp256k1::Message::from_digest(msg),
+                    &tweaked_pubkey
+                )
+                .is_ok()
+        );
+    }
 }

src/rust/bitbox02-rust/src/keystore/ed25519.rs

@@ -17,8 +17,45 @@ use alloc::vec::Vec;
 use crate::hash::Sha512;
 use bip32_ed25519::{ED25519_EXPANDED_SECRET_KEY_SIZE, Xprv, Xpub};
 
+use bitcoin::hashes::{Hash, HashEngine, Hmac, HmacEngine, sha256, sha512};
+
+fn hmac_sha512(key: &[u8], msg: &[u8]) -> [u8; 64] {
+    let mut engine = HmacEngine::<sha512::Hash>::new(key);
+    engine.input(msg);
+    Hmac::from_engine(engine).to_byte_array()
+}
+
+/// Get the seed to be used for ed25519 applications such as Cardano. The output is the root key to
+/// BIP32-ED25519.
+/// This implements a derivation compatible with Ledger according to
+/// https://github.com/LedgerHQ/orakolo/blob/0b2d5e669ec61df9a824df9fa1a363060116b490/src/python/orakolo/HDEd25519.py.
+/// Returns 96 bytes. It will contain a 64 byte expanded ed25519 private key followed by a 32 byte chain code.
 fn get_seed() -> Result<zeroize::Zeroizing<Vec<u8>>, ()> {
-    bitbox02::keystore::get_ed25519_seed()
+    let bip39_seed = bitbox02::keystore::copy_bip39_seed()?;
+    let mut seed_out = zeroize::Zeroizing::new(vec![0u8; 96]);
+    let first64: &mut [u8] = &mut seed_out.as_mut_slice()[..64];
+    first64.copy_from_slice(&bip39_seed);
+
+    let key = b"ed25519 seed";
+
+    loop {
+        first64.copy_from_slice(&hmac_sha512(key, first64));
+        if first64[31] & 0x20 == 0 {
+            break;
+        }
+    }
+
+    seed_out[0] &= 248;
+    seed_out[31] &= 127;
+    seed_out[31] |= 64;
+
+    // Compute chain code and put it into seed_out at offset 64.
+    let mut engine = HmacEngine::<sha256::Hash>::new(key);
+    engine.input(&[0x01]);
+    engine.input(&bip39_seed);
+    let hmac_result: [u8; 32] = Hmac::from_engine(engine).to_byte_array();
+    seed_out[64..].copy_from_slice(&hmac_result);
+    Ok(seed_out)
 }
 
 fn get_xprv(keypath: &[u32]) -> Result<Xprv<Sha512>, ()> {

src/rust/bitbox02-sys/build.rs

@@ -73,13 +73,11 @@ const ALLOWLIST_FNS: &[&str] = &[
     "keystore_create_and_store_seed",
     "keystore_encrypt_and_store_seed",
     "keystore_get_bip39_word",
-    "keystore_get_ed25519_seed",
     "keystore_get_u2f_seed",
     "keystore_is_locked",
     "keystore_lock",
     "keystore_mock_unlocked",
     "keystore_secp256k1_nonce_commit",
-    "keystore_secp256k1_schnorr_sign",
     "keystore_secp256k1_sign",
     "keystore_unlock",
     "keystore_unlock_bip39",