Merge pull request #66 from Sword-Smith/master

Fix broken unit tests

Author: tylerlevine

app/admin.js

@@ -208,7 +208,7 @@ const validateKey = function(key, type) {
   if (process.config.verificationPub) {
 
     if (!key.signature) {
-      console.log(`Key ${key.pub} requires a signature and does not have one.`);
+      console.log(`Key ${key.pub} has a verification public key but no signature.`);
       return false;
     }
 

app/sign.js

@@ -78,6 +78,12 @@ const confirmRecovery = function(backupKey, outputs, customMessage, skipConfirm)
   }
 };
 
+/**
+ * Verifies that input is a valid HD key and parses it into HDNode object.
+ * @param xprv Base58 representation of extended private key
+ * @param expectedXpub The corresponding extended public key
+ * @returns The HDNode object representing the extended private key
+ */
 const getHDNodeAndVerify = function(xprv, expectedXpub) {
   let node;
 
@@ -99,7 +105,7 @@ const getHDNodeAndVerify = function(xprv, expectedXpub) {
 };
 
 /**
- * Prints the recovery transaction information and prompt for the confirmation as well as the key, if needed to.
+ * Prints the recovery transaction information and prompt the user for the confirmation as well as the key, if needed to.
  * @param recoveryRequest The recovery transansaction request object.
  * @param outputs The outputs of the transaction.
  * @param skipConfirm The boolean value that indicates to whether or not to prompt the user to confirm the transaction.
@@ -120,14 +126,14 @@ const promptForConfirmationAndKey = function(recoveryRequest, outputs, skipConfi
 
 /**
  * Gets the backup private key that can be used to sign the transaction.
- * @param key The provided private key.
+ * @param xprv The provided extended private key (BIP32).
  * @param expectedXpub The public key specified with the request. 
  * @returns The private key to sign the transaction.
  */
-const getBackupSigningKey = function(key, expectedXpub) {
-  const backupKeyNode = getHDNodeAndVerify(key, expectedXpub);
+const getBackupSigningKey = function(xprv, expectedXpub) {
+  const backupKeyNode = getHDNodeAndVerify(xprv, expectedXpub);
 
-  return backupKeyNode.keyPair.getPrivateKeyBuffer;
+  return backupKeyNode.keyPair.getPrivateKeyBuffer();
 }
 
 const handleSignUtxo = function(recoveryRequest, key, skipConfirm) {
@@ -219,6 +225,7 @@ const handleSignEthereum = function(recoveryRequest, key, skipConfirm) {
  */
 const signEthTx = function(recoveryRequest, key, skipConfirm, isToken) {
   const EthTx = require('ethereumjs-tx');
+  const EthUtil = require('ethereumjs-util');
 
   const txHex = getTransactionHexFromRequest(recoveryRequest);
   const transaction = new EthTx(txHex);
@@ -236,9 +243,20 @@ const signEthTx = function(recoveryRequest, key, skipConfirm, isToken) {
     outputs[0].amount = outputs[0].amount.div(TEN.pow(decimals));
   }
 
-  key = promptForConfirmationAndKey(recoveryRequest, outputs, skipConfirm, key);
+  // When generating signatures, we don't currently use EIP155 but this could
+  // be activated if we wanted to. This would protect against replay attacks on other
+  // blockchains, such as Ethereum Classic. To activate the EIP155, we would have to
+  // know the chain ID of the Ethereum blockchains we are using as this value goes
+  // into the V field when using EIP155.
+  // cf. https://github.com/ethereum/EIPs/blob/master/EIPS/eip-155.md
+  const useEip155 = false;
 
-  transaction.sign(getBackupSigningKey(key, recoveryRequest.backupKey));
+  key = promptForConfirmationAndKey(recoveryRequest, outputs, skipConfirm, key);
+  const signingKey = Buffer.from(getBackupSigningKey(key, recoveryRequest.backupKey), "hex");
+  const signature = EthUtil.ecsign(transaction.hash(useEip155), signingKey, transaction.chainId);
+  transaction.v = signature.v; // Change this if activating EIP155
+  transaction.r = signature.r;
+  transaction.s = signature.s;
 
   return transaction.serialize().toString('hex');
 };
@@ -258,8 +276,9 @@ const handleSignTrx = function(recoveryRequest, key, skipConfirm) {
   });
 
   key = promptForConfirmationAndKey(recoveryRequest, outputs, skipConfirm, key);
+  const signingKey = getBackupSigningKey(key, recoveryRequest.backupKey);
 
-  builder.sign({ key: getBackupSigningKey(key, recoveryRequest.backupKey) });
+  builder.sign({ key: signingKey });
   return JSON.stringify(builder.build().toJson());
 };
 

app/utils.js

@@ -87,6 +87,16 @@ exports.sendMailQ = function(toEmail, subject, template, templateParams, attachm
   return sendMail(mailOptions);
 };
 
+/*
+ * Check if input is a valid seed input formatted as a hex string.
+ * Cf. the BIP32 specification, a valid seed is between 128 bits and 512 bits (both included),
+ * i.e. between 16 and 64 bytes.
+ * https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#master-key-generation
+ */
+function IsValidBip32Seed(input) {
+  return input.match(/^(([0-9a-f]{2}){16,64})$/);
+}
+
 /** deriveChildKey
  *
  * returns the derived key as a string
@@ -107,6 +117,12 @@ exports.deriveChildKey = function(master, derivationPath, type, neuter) {
 
     return childKey.toBase58();
   } else if (type === 'xlm') {
+
+    // Verify that input is a valid seed, cf. SEP05 (Stellar Ecosystem Proposals 5) which follows BIP39
+    // which is based on BIP32:
+    // https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0005.md
+    if (!IsValidBip32Seed(master)) { throw new Error(`Invalid seed. Got: ${master}`); }
+
     const masterNode = stellarHd.fromSeed(master);
     const childKey = stellar.Keypair.fromRawEd25519Seed(masterNode.derive(derivationPath));
 

package-lock.json

@@ -27,6 +27,7 @@
     "eosjs": "^16.0.9",
     "eosjs-ecc": "^4.0.4",
     "ethereumjs-tx": "^1.3.7",
+    "ethereumjs-util": "6.2.0",
     "express": "^4.16.3",
     "jsrender": "^0.9.90",
     "lodash": "^4.17.11",