Merge pull request #34 from BitGo/support-key-signatures

[BG-9016] added support for key signatures

Author: dannydeezy

app/admin.js

@@ -13,6 +13,7 @@ const MasterKey = require('./models/masterkey.js');
 const signingTool = require('./sign.js');
 const WalletKey = require('./models/walletkey.js');
 const utils = require('./utils');
+const bitcoinMessage = require('bitcoinjs-message');
 
 const parser = new ArgumentParser({
   version: pjson.version,
@@ -196,6 +197,28 @@ const validateKey = function(key, type) {
     return false;
   }
 
+  // if we have provided a verificationPub, then check the key signature
+  if (process.config.verificationPub) {
+
+    if (!key.signature) {
+      console.log(`Key ${key.pub} requires a signature and does not have one.`);
+      return false;
+    }
+
+    let validSig = false;
+    try {
+      validSig = bitcoinMessage.verify(key.pub, process.config.verificationPub, key.signature);
+    } catch (err) {
+      console.log(`There was an error when verifying key ${key.pub}: ` + err.message);
+      return false;
+    }
+
+    if (!validSig) {
+      console.log(`Invalid signature detected on key ${key.pub}`);
+      return false;
+    }
+  }
+
   return true;
 };
 
@@ -216,6 +239,7 @@ const saveKeys = co(function *(keys, type) {
       type: type,
       pub: key.pub,
       path: key.path,
+      signature: key.signature,
       keyCount: 0
   }));
 
@@ -372,4 +396,4 @@ const run = co(function *(testArgs) {
 });
 
 // For admin script and unit testing of functions
-module.exports = { run, validateKey, db };
+module.exports = { run, validateKey, saveKeys, db };

app/krs.js

@@ -157,6 +157,11 @@ exports.provisionKey = co(function *(req) {
 
   yield key.save();
 
+  // If the master key has a signature, we include the signature in the response to the user
+  if (masterKey.signature) {
+    key.masterKeySig = masterKey.signature;
+  }
+
   yield masterKey.update({ $inc: { keyCount: 1 } });
 
   if (!req.body.disableKRSEmail && !process.config.disableAllKRSEmail) {

app/models/masterkey.js

@@ -7,12 +7,13 @@ const masterKeySchema = new mongoose.Schema({
   customerId: { type: String },
   pub: { type: String },
   path: { type: String },
+  signature: {type: String},
   keyCount: { type: Number }
 });
 
 masterKeySchema.methods = {
   toJSON: function() {
-    return _.pick(this, ['type', 'coin', 'customerId', 'pub', 'path', 'keyCount']);
+    return _.pick(this, ['type', 'coin', 'customerId', 'pub', 'path', 'signature', 'keyCount']);
   }
 };
 

config.js

@@ -40,6 +40,7 @@ module.exports = {
       "bitgo": "changeThisSecret"
     }
   },
+  "verificationPub": null,
   "neverReuseMasterKey": true,
   "disableAllKRSEmail": true,
   "lowKeyWarningLevels": [10000, 5000, 1000, 500, 100, 0]

package-lock.json

@@ -17,6 +17,7 @@
   "dependencies": {
     "argparse": "^1.0.10",
     "bignumber.js": "^7.2.1",
+    "bitcoinjs-message": "^2.0.0",
     "bitgo-utxo-lib": "^1.1.2",
     "body-parser": "^1.18.3",
     "dotenv": "^6.1.0",

package.json

@@ -3,7 +3,18 @@ const should = require('should');
 const testutils = require('./testutils');
 const admin = require('../app/admin.js');
 const WalletKey = require('../app/models/walletkey');
+const MasterKey = require('../app/models/masterkey');
 const utils = require('../app/utils.js');
+const Promise = require('bluebird');
+const co = Promise.coroutine;
+let originalVerifcationPub = process.config.verificationPub;
+
+const testVerificationPub = '1GS6JPCUpyFZLrE5bbJBcpeg1EdqW63nHd';
+const xpub = 'xpub661MyMwAqRbcGGPNi42htgwXoLuPjEtdRSRUm65GWRPAb31WPRRkxzL18TGrpU2sirNjXAHFjAEmiav9kmVfY83dTfxh3DVVwNcM9JNVebh';
+const xpubSig = 'IJB1Ubed4LNVvHfbH3s7i9duWmVi+98rCcGpB/t/V9xkY+VLl+YEv3w/g/79QgHYFv4D/nm2SGrT+FaOL1PomTU';
+const xlmPub = 'GCM67ICQVOYN7GYYHMMGVPQ7NDCLNVBM4R74IIQTG65H4DM3KGEDMW3S';
+const xlmSig = 'IBdvAO2063rsqo6zyhcoq4qGWMZFFQXCbcP4X7/vnbuyQO7VF2FHHr/M85CQb/yBfPgZRy5VsmDmrW3Qa6OXk6w';
+const badSig = 'IBadAO2063rsqo6zyhcoq4qGWMZFFQXCbcP4X7/vnbuyQO7VF2FHHr/M85CQb/yBfPgZRy5VsmDmrW3Qa6OXk6w';
 
 describe('Offline Admin Tool', function() {
   before(function() {
@@ -12,15 +23,18 @@ describe('Offline Admin Tool', function() {
 
   after(function() {
     testutils.mongoose.connection.close();
+    process.config.verificationPub = originalVerifcationPub;
   });
 
   describe('Xpub validation', function() {
+
     // Xpub importing was tested with a local file with contents: (w/o line breaks)
     // xpub6AHA9hZDN11k2ijHMeS5QqHx2KP9aMBRhTDqANMnwVtdyw2TDYRmF8PjpvwUFcL1Et8Hj59S3gTSMcUQ5gAqTz3Wd8EsMTmF3DChhqPQBnU,
     // xpub69pXXVvsBtZHWE1wgoix7xRAnbp1r6tR1kTK9cKvCd4QgYh4JBSLBmLA65Kg7rCMwGYrNHKFKxZDtjRkU4Ex2ozMYGfk14EyotJ5xjf2Goy,
     // xpub6AU2iYgKUY8FvUc2Nz2fcWpKU1HJTeYTbzv4MZLGPBw2YnhoZPkkUo54fvqZyVtxtszMdyksF8k3iqMcoegyvj72xKZCmuCjDWneXjjztLN
     // and successfully saved to local Mongo instance
     describe('failure', function() {
+      process.config.verificationPub = null;
       it('should fail if length is not 111', function() {
         const SHORT_XPUB = { path: 'm/0\'', pub: 'xpub1234567890' };
 
@@ -42,14 +56,15 @@ describe('Offline Admin Tool', function() {
 
     describe('success', function() {
       it('should succeed with a valid key', function() {
+        process.config.verificationPub = null;
         const GOOD_XPUB = { path: 'm/0\'', pub: 'xpub6B7XuUcPQ9MeszNzaTTGtni9W79MmFnHa7FUe7Hrbv3pefnaDFCHtJWaWdg1FVbocHhivnCRTCbHTjDrMBEyAGDJHGyqCnLhtEWP2rtb1sL' };
-
         admin.validateKey(GOOD_XPUB, 'xpub').should.equal(true);
       });
     });
   });
 
   describe('BIP32 child key derivation', function() {
+  process.config.verificationPub = null;
     // from https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki test vector 2 chain m
     const MASTER_XPUB = 'xpub661MyMwAqRbcFW31YEwpkMuc5THy2PSt5bDMsktWQcFF8syAmRUapSCGu8ED9W6oDMSgv6Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WEGuduB';
 
@@ -80,46 +95,123 @@ describe('Offline Admin Tool', function() {
   });
 
   describe('Stellar key derivation', function() {
-      // from test 3 at https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0005.md#test-cases
-      const MASTER_SEED = '937ae91f6ab6f12461d9936dfc1375ea5312d097f3f1eb6fed6a82fbe38c85824da8704389831482db0433e5f6c6c9700ff1946aa75ad8cc2654d6e40f567866'
-
-      describe('failure', function() {
-          it('should fail with an invalid master seed', function() {
-              const BAD_SEED = '-thisisabadseed';
-
-              (function() { utils.deriveChildKey(BAD_SEED, "m/148'", 'xlm') }).should.throw(Error);
-          });
-
-          it('should fail with an invalid derivation path', function() {
-              (function() { utils.deriveChildKey(MASTER_SEED, 'derivation path', 'xlm') }).should.throw(Error);
-          });
-      });
-
-      describe('success', function() {
-          // test 3 from https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0005.md#test-cases
-          it("should find m/44'/148'/0' of test vector 3", function() {
-              const pub = 'GC3MMSXBWHL6CPOAVERSJITX7BH76YU252WGLUOM5CJX3E7UCYZBTPJQ';
-              const priv = 'SAEWIVK3VLNEJ3WEJRZXQGDAS5NVG2BYSYDFRSH4GKVTS5RXNVED5AX7';
-
-              const publicKey = utils.deriveChildKey(MASTER_SEED, "m/44'/148'/0'", 'xlm', true);
-              publicKey.should.equal(pub);
-              const secret = utils.deriveChildKey(MASTER_SEED, "m/44'/148'/0'", 'xlm', false);
-              secret.should.equal(priv);
-          });
-
-          // test 3 from https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0005.md#test-cases
-          it("should find m/44'/148'/6' of test vector 3", function() {
-              const pub = 'GCUDW6ZF5SCGCMS3QUTELZ6LSAH6IVVXNRPRLAUNJ2XYLCA7KH7ZCVQS';
-              const priv = 'SBSHUZQNC45IAIRSAHMWJEJ35RY7YNW6SMOEBZHTMMG64NKV7Y52ZEO2';
-
-              const publicKey = utils.deriveChildKey(MASTER_SEED, "m/44'/148'/6'", 'xlm', true);
-              publicKey.should.equal(pub);
-              const secret = utils.deriveChildKey(MASTER_SEED, "m/44'/148'/6'", 'xlm', false);
-              secret.should.equal(priv);
-          });
-      })
+    process.config.verificationPub = null;
+    // from test 3 at https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0005.md#test-cases
+    const MASTER_SEED = '937ae91f6ab6f12461d9936dfc1375ea5312d097f3f1eb6fed6a82fbe38c85824da8704389831482db0433e5f6c6c9700ff1946aa75ad8cc2654d6e40f567866'
+
+    describe('failure', function() {
+      it('should fail with an invalid master seed', function() {
+        const BAD_SEED = '-thisisabadseed';
+        (function() { utils.deriveChildKey(BAD_SEED, "m/148'", 'xlm') }).should.throw(Error);
+      });
+
+      it('should fail with an invalid derivation path', function() {
+        (function() { utils.deriveChildKey(MASTER_SEED, 'derivation path', 'xlm') }).should.throw(Error);
+      });
+    });
+    describe('success', function() {
+      // test 3 from https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0005.md#test-cases
+      it("should find m/44'/148'/0' of test vector 3", function() {
+        const pub = 'GC3MMSXBWHL6CPOAVERSJITX7BH76YU252WGLUOM5CJX3E7UCYZBTPJQ';
+        const priv = 'SAEWIVK3VLNEJ3WEJRZXQGDAS5NVG2BYSYDFRSH4GKVTS5RXNVED5AX7';
+
+        const publicKey = utils.deriveChildKey(MASTER_SEED, "m/44'/148'/0'", 'xlm', true);
+         publicKey.should.equal(pub);
+        const secret = utils.deriveChildKey(MASTER_SEED, "m/44'/148'/0'", 'xlm', false);
+        secret.should.equal(priv);
+      });
+
+      // test 3 from https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0005.md#test-cases
+      it("should find m/44'/148'/6' of test vector 3", function() {
+        const pub = 'GCUDW6ZF5SCGCMS3QUTELZ6LSAH6IVVXNRPRLAUNJ2XYLCA7KH7ZCVQS';
+        const priv = 'SBSHUZQNC45IAIRSAHMWJEJ35RY7YNW6SMOEBZHTMMG64NKV7Y52ZEO2';
+        const publicKey = utils.deriveChildKey(MASTER_SEED, "m/44'/148'/6'", 'xlm', true);
+        publicKey.should.equal(pub);
+        const secret = utils.deriveChildKey(MASTER_SEED, "m/44'/148'/6'", 'xlm', false);
+        secret.should.equal(priv);
+      });
+  })
   });
 
+  describe('Key signature verification', function() {
+    describe('failure', function() {
+      it('should fail xpub validation with a bad signature', function() {
+        process.config.verificationPub = testVerificationPub;
+        const key = {
+          pub: xpub,
+          signature: badSig
+        };
+        const valid = admin.validateKey(key,'xpub');
+        valid.should.equal(false);
+      });
+
+      it('should fail xlm validation with a bad signature', function() {
+        process.config.verificationPub = testVerificationPub;
+        const key = {
+          pub: xlmPub,
+          signature: badSig
+        };
+        const valid = admin.validateKey(key,'xlm');
+        valid.should.equal(false);
+      });
+
+      it('should fail xpub validation with no signature', function() {
+        process.config.verificationPub = testVerificationPub;
+        const key = {
+          pub: xpub
+        };
+        const valid = admin.validateKey(key,'xpub');
+        valid.should.equal(false);
+      });
+
+    it('should fail xlm validation with no signature', function() {
+        process.config.verificationPub = testVerificationPub;
+        const key = {
+          pub: xlmPub
+        };
+        const valid = admin.validateKey(key,'xlm');
+        valid.should.equal(false);
+    });
+   });
+
+    describe('success', function() {
+      it('should validate xpub with a good signature', function() {
+        process.config.verificationPub = testVerificationPub;
+        const key = {
+          pub: xpub,
+          signature: xpubSig
+        };
+        const valid = admin.validateKey(key,'xpub');
+        valid.should.equal(true);
+      });
+
+      it('should validate xlm with a good signature', function() {
+        process.config.verificationPub = testVerificationPub;
+        const key = {
+          pub: xlmPub,
+          signature: xlmSig
+        };
+        const valid = admin.validateKey(key,'xlm');
+        valid.should.equal(true);
+      });
+    });
+   });
+
+  describe('Save a key with a signature', co(function *() {
+    it('should successfully save a key with a signature to the database', co(function *() {
+      process.config.verificationPub = testVerificationPub;
+      const key = {
+        pub: xpub,
+        signature: xpubSig,
+        path: '0'
+      };
+      const keyList = [key];
+      yield admin.saveKeys(keyList, 'xpub');
+      const foundKey = yield MasterKey.findOne({ pub: xpub });
+      foundKey.should.have.property('signature');
+    }));
+  }));
+
   describe('Verification', function() {
     before(function() {
       const key = new WalletKey({