added support for key signatures: during import, during provisioning, added test coverage, added config option to include verification pub

Author: Danny Diekroeger

app/admin.js

@@ -13,6 +13,7 @@ const MasterKey = require('./models/masterkey.js');
 const signingTool = require('./sign.js');
 const WalletKey = require('./models/walletkey.js');
 const utils = require('./utils');
+const bitcoinMessage = require('bitcoinjs-message');
 
 const parser = new ArgumentParser({
   version: pjson.version,
@@ -188,6 +189,28 @@ const validateKey = function(key, type) {
     return false;
   }
 
+  // if we have provided a verificationPub, then check the key signature
+  if (process.config.verificationPub) {
+
+      if (!key.signature) {
+          console.log('Key ${key.pub} requires a signature and does not have one.');
+          return false;
+      }
+
+      let validSig = false;
+      try {
+          validSig = bitcoinMessage.verify(key.pub, process.config.verificationPub, key.signature);
+      } catch (err) {
+          console.log('There was an error when verifying key ${key.pub}: ' + err.message);
+          return false;
+      }
+
+      if (!validSig) {
+          console.log('Invalid signature detected on key ${key.pub}');
+          return false;
+      }
+  }
+
   return true;
 };
 
@@ -208,7 +231,7 @@ const saveKeys = co(function *(keys, type) {
       type: type,
       pub: key.pub,
       path: key.path,
-      keyid: key.keyid,
+      signature: key.signature,
       keyCount: 0
   }));
 
@@ -365,4 +388,4 @@ const run = co(function *(testArgs) {
 });
 
 // For admin script and unit testing of functions
-module.exports = { run, validateKey, db };
+module.exports = { run, validateKey, saveKeys, db };

app/krs.js

@@ -157,6 +157,11 @@ exports.provisionKey = co(function *(req) {
 
   yield key.save();
 
+  // If the master key has a signature, we include the signature in the response to the user
+  if (masterKey.signature) {
+    key.masterKeySig = masterKey.signature;
+  }
+
   yield masterKey.update({ $inc: { keyCount: 1 } });
 
   if (!req.body.disableKRSEmail) {

app/models/masterkey.js

@@ -7,13 +7,13 @@ const masterKeySchema = new mongoose.Schema({
   customerId: { type: String },
   pub: { type: String },
   path: { type: String },
-  keyid: {type: String},
+  signature: {type: String},
   keyCount: { type: Number }
 });
 
 masterKeySchema.methods = {
   toJSON: function() {
-    return _.pick(this, ['type', 'coin', 'customerId', 'pub', 'path', 'keyCount']);
+    return _.pick(this, ['type', 'coin', 'customerId', 'pub', 'path', 'signature', 'keyCount']);
   }
 };
 

config.js

@@ -40,6 +40,7 @@ module.exports = {
       "bitgo": "changeThisSecret"
     }
   },
+  "verificationPub": null,
   "neverReuseMasterKey": true,
   "lowKeyWarningLevels": [10000, 5000, 1000, 500, 100, 0]
 };

test/admin.js

@@ -3,7 +3,18 @@ const should = require('should');
 const testutils = require('./testutils');
 const admin = require('../app/admin.js');
 const WalletKey = require('../app/models/walletkey');
+const MasterKey = require('../app/models/masterkey');
 const utils = require('../app/utils.js');
+const Promise = require('bluebird');
+const co = Promise.coroutine;
+let originalVerifcationPub = process.config.verificationPub;
+
+const testVerificationPub = '1GS6JPCUpyFZLrE5bbJBcpeg1EdqW63nHd';
+const xpub = 'xpub661MyMwAqRbcGGPNi42htgwXoLuPjEtdRSRUm65GWRPAb31WPRRkxzL18TGrpU2sirNjXAHFjAEmiav9kmVfY83dTfxh3DVVwNcM9JNVebh';
+const xpubSig = 'IJB1Ubed4LNVvHfbH3s7i9duWmVi+98rCcGpB/t/V9xkY+VLl+YEv3w/g/79QgHYFv4D/nm2SGrT+FaOL1PomTU';
+const xlmPub = 'GCM67ICQVOYN7GYYHMMGVPQ7NDCLNVBM4R74IIQTG65H4DM3KGEDMW3S';
+const xlmSig = 'IBdvAO2063rsqo6zyhcoq4qGWMZFFQXCbcP4X7/vnbuyQO7VF2FHHr/M85CQb/yBfPgZRy5VsmDmrW3Qa6OXk6w';
+const badSig = 'IBadAO2063rsqo6zyhcoq4qGWMZFFQXCbcP4X7/vnbuyQO7VF2FHHr/M85CQb/yBfPgZRy5VsmDmrW3Qa6OXk6w';
 
 describe('Offline Admin Tool', function() {
   before(function() {
@@ -12,15 +23,18 @@ describe('Offline Admin Tool', function() {
 
   after(function() {
     testutils.mongoose.connection.close();
+    process.config.verificationPub = originalVerifcationPub;
   });
 
   describe('Xpub validation', function() {
+
     // Xpub importing was tested with a local file with contents: (w/o line breaks)
     // xpub6AHA9hZDN11k2ijHMeS5QqHx2KP9aMBRhTDqANMnwVtdyw2TDYRmF8PjpvwUFcL1Et8Hj59S3gTSMcUQ5gAqTz3Wd8EsMTmF3DChhqPQBnU,
     // xpub69pXXVvsBtZHWE1wgoix7xRAnbp1r6tR1kTK9cKvCd4QgYh4JBSLBmLA65Kg7rCMwGYrNHKFKxZDtjRkU4Ex2ozMYGfk14EyotJ5xjf2Goy,
     // xpub6AU2iYgKUY8FvUc2Nz2fcWpKU1HJTeYTbzv4MZLGPBw2YnhoZPkkUo54fvqZyVtxtszMdyksF8k3iqMcoegyvj72xKZCmuCjDWneXjjztLN
     // and successfully saved to local Mongo instance
     describe('failure', function() {
+      process.config.verificationPub = null;
       it('should fail if length is not 111', function() {
         const SHORT_XPUB = { path: 'm/0\'', pub: 'xpub1234567890' };
 
@@ -42,14 +56,15 @@ describe('Offline Admin Tool', function() {
 
     describe('success', function() {
       it('should succeed with a valid key', function() {
+        process.config.verificationPub = null;
         const GOOD_XPUB = { path: 'm/0\'', pub: 'xpub6B7XuUcPQ9MeszNzaTTGtni9W79MmFnHa7FUe7Hrbv3pefnaDFCHtJWaWdg1FVbocHhivnCRTCbHTjDrMBEyAGDJHGyqCnLhtEWP2rtb1sL' };
-
         admin.validateKey(GOOD_XPUB, 'xpub').should.equal(true);
       });
     });
   });
 
   describe('BIP32 child key derivation', function() {
+  process.config.verificationPub = null;
     // from https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki test vector 2 chain m
     const MASTER_XPUB = 'xpub661MyMwAqRbcFW31YEwpkMuc5THy2PSt5bDMsktWQcFF8syAmRUapSCGu8ED9W6oDMSgv6Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WEGuduB';
 
@@ -80,6 +95,7 @@ describe('Offline Admin Tool', function() {
   });
 
   describe('Stellar key derivation', function() {
+      process.config.verificationPub = null;
       // from test 3 at https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0005.md#test-cases
       const MASTER_SEED = '937ae91f6ab6f12461d9936dfc1375ea5312d097f3f1eb6fed6a82fbe38c85824da8704389831482db0433e5f6c6c9700ff1946aa75ad8cc2654d6e40f567866'
 
@@ -120,6 +136,86 @@ describe('Offline Admin Tool', function() {
       })
   });
 
+  describe('Key signature verification', function() {
+
+        describe('failure', function() {
+            it('should fail xpub validation with a bad signature', function() {
+                process.config.verificationPub = testVerificationPub;
+                const key = {
+                    pub: xpub,
+                    signature: badSig
+                };
+                const valid = admin.validateKey(key,'xpub');
+                valid.should.equal(false);
+            });
+
+            it('should fail xlm validation with a bad signature', function() {
+                process.config.verificationPub = testVerificationPub;
+                const key = {
+                    pub: xlmPub,
+                    signature: badSig
+                };
+                const valid = admin.validateKey(key,'xlm');
+                valid.should.equal(false);
+            });
+
+            it('should fail xpub validation with no signature', function() {
+                process.config.verificationPub = testVerificationPub;
+                const key = {
+                    pub: xpub
+                };
+                const valid = admin.validateKey(key,'xpub');
+                valid.should.equal(false);
+            });
+
+            it('should fail xlm validation with no signature', function() {
+                process.config.verificationPub = testVerificationPub;
+                const key = {
+                    pub: xlmPub
+                };
+                const valid = admin.validateKey(key,'xlm');
+                valid.should.equal(false);
+            });
+        });
+
+        describe('success', function() {
+            it('should validate xpub with a good signature', function() {
+                process.config.verificationPub = testVerificationPub;
+                const key = {
+                    pub: xpub,
+                    signature: xpubSig
+                };
+                const valid = admin.validateKey(key,'xpub');
+                valid.should.equal(true);
+            });
+
+            it('should validate xlm with a good signature', function() {
+                process.config.verificationPub = testVerificationPub;
+                const key = {
+                    pub: xlmPub,
+                    signature: xlmSig
+                };
+                const valid = admin.validateKey(key,'xlm');
+                valid.should.equal(true);
+            });
+        });
+   });
+
+  describe('Save a key with a signature', co(function *() {
+      it('should successfully save a key with a signature to the database', co(function *() {
+          process.config.verificationPub = testVerificationPub;
+          const key = {
+              pub: xpub,
+              signature: xpubSig,
+              path: '0'
+          };
+          const keyList = [key];
+          yield admin.saveKeys(keyList, 'xpub');
+          const foundKey = yield MasterKey.findOne({ pub: xpub });
+          foundKey.should.have.property('signature');
+      }));
+  }));
+
   describe('Verification', function() {
     before(function() {
       const key = new WalletKey({