keychain: hold service path as array of uint32_t rather than uint8_t

Author: Jamie C. Driver

main/keychain.c

@@ -283,7 +283,7 @@ void keychain_derive_from_seed(const uint8_t* seed, const size_t seed_len, keych
         wally_asset_blinding_key_from_seed(seed, seed_len, keydata->master_unblinding_key, HMAC_SHA512_LEN));
 
     // Compute and cache the path the GA server will use to sign
-    wallet_calculate_gaservice_path(&keydata->xpriv, keydata->service_path, sizeof(keydata->service_path));
+    wallet_calculate_gaservice_path(&keydata->xpriv, keydata->gaservice_path, GASERVICE_PATH_LEN);
 }
 
 // Derive master key from mnemonic if passed a valid mnemonic
@@ -361,7 +361,9 @@ static void serialize(uint8_t* serialized, const size_t serialized_len, const ke
 
     // ext-key, ga-path, master-blinding-key
     JADE_WALLY_VERIFY(bip32_key_serialize(&keydata->xpriv, BIP32_FLAG_KEY_PRIVATE, serialized, BIP32_SERIALIZED_LEN));
-    memcpy(serialized + BIP32_SERIALIZED_LEN, keydata->service_path, HMAC_SHA512_LEN);
+    const bool ret = wallet_serialize_gaservice_path(
+        serialized + BIP32_SERIALIZED_LEN, HMAC_SHA512_LEN, keydata->gaservice_path, GASERVICE_PATH_LEN);
+    JADE_ASSERT(ret);
     memcpy(serialized + BIP32_SERIALIZED_LEN + HMAC_SHA512_LEN, keydata->master_unblinding_key, HMAC_SHA512_LEN);
 }
 
@@ -373,7 +375,9 @@ static void unserialize(const uint8_t* decrypted, const size_t decrypted_len, ke
 
     // ext-key, ga-path, master-blinding-key
     JADE_WALLY_VERIFY(bip32_key_unserialize(decrypted, BIP32_SERIALIZED_LEN, &keydata->xpriv));
-    memcpy(keydata->service_path, decrypted + BIP32_SERIALIZED_LEN, HMAC_SHA512_LEN);
+    const bool ret = wallet_unserialize_gaservice_path(
+        decrypted + BIP32_SERIALIZED_LEN, HMAC_SHA512_LEN, keydata->gaservice_path, GASERVICE_PATH_LEN);
+    JADE_ASSERT(ret);
     memcpy(keydata->master_unblinding_key, decrypted + BIP32_SERIALIZED_LEN + HMAC_SHA512_LEN, HMAC_SHA512_LEN);
 }
 

main/keychain.h

@@ -8,12 +8,13 @@
 #include <wally_crypto.h>
 
 #define PASSPHRASE_MAX_LEN 100
+#define GASERVICE_PATH_LEN (HMAC_SHA512_LEN / 2)
 
 typedef struct {
-    struct ext_key xpriv;
-    uint8_t service_path[HMAC_SHA512_LEN];
+    uint32_t gaservice_path[GASERVICE_PATH_LEN];
     uint8_t master_unblinding_key[HMAC_SHA512_LEN];
     uint8_t seed[BIP32_ENTROPY_LEN_512];
+    struct ext_key xpriv;
     size_t seed_len;
 } keychain_t;
 

main/process/debug_handshake.c

@@ -136,7 +136,7 @@ void debug_handshake(void* process_ptr)
     JADE_ASSERT(res == 0);
     res = sodium_memcmp(&keydata.xpriv, &keychain_get()->xpriv, sizeof(keydata.xpriv));
     JADE_ASSERT(res == 0);
-    res = crypto_verify_64(keydata.service_path, keychain_get()->service_path);
+    res = sodium_memcmp(keydata.gaservice_path, keychain_get()->gaservice_path, sizeof(keydata.gaservice_path));
     JADE_ASSERT(res == 0);
     res = crypto_verify_64(keydata.master_unblinding_key, keychain_get()->master_unblinding_key);
     JADE_ASSERT(res == 0);

main/selfcheck.c

@@ -1,7 +1,6 @@
 #ifndef AMALGAMATED_BUILD
 #include <sdkconfig.h>
 #include <string.h>
-#include <wally_bip32.h>
 
 #include "bcur.h"
 #include "jade_assert.h"
@@ -12,15 +11,18 @@
 #include "random.h"
 #include "rsa.h"
 #include "storage.h"
-#include <sodium/crypto_verify_64.h>
-#include <sodium/utils.h>
-#include <utils/malloc_ext.h>
-#include <utils/util.h>
-
+#include "utils/malloc_ext.h"
 #include "utils/shake256.h"
+#include "utils/util.h"
+#include "wallet.h"
+
 #include <mbedtls/pem.h>
 #include <mbedtls/pk.h>
 #include <mbedtls/rsa.h>
+#include <sodium/crypto_verify_64.h>
+#include <sodium/utils.h>
+
+#include <wally_bip32.h>
 #include <wally_bip85.h>
 
 #include <cdecoder.h>
@@ -65,7 +67,7 @@ static bool all_fields_same(const keychain_t* keydata1, const keychain_t* keydat
     if (sodium_memcmp(&keydata1->xpriv, &keydata2->xpriv, sizeof(keydata1->xpriv))) {
         return false;
     }
-    if (crypto_verify_64(keydata1->service_path, keydata2->service_path)) {
+    if (sodium_memcmp(keydata1->gaservice_path, keydata2->gaservice_path, sizeof(keydata1->gaservice_path))) {
         return false;
     }
     if (crypto_verify_64(keydata1->master_unblinding_key, keydata2->master_unblinding_key)) {
@@ -97,7 +99,7 @@ static bool any_fields_same(const keychain_t* keydata1, const keychain_t* keydat
     if (!sodium_memcmp(&keydata1->xpriv, &keydata2->xpriv, sizeof(keydata1->xpriv))) {
         return true;
     }
-    if (!crypto_verify_64(keydata1->service_path, keydata2->service_path)) {
+    if (!sodium_memcmp(keydata1->gaservice_path, keydata2->gaservice_path, sizeof(keydata1->gaservice_path))) {
         return true;
     }
     if (!crypto_verify_64(keydata1->master_unblinding_key, keydata2->master_unblinding_key)) {
@@ -119,9 +121,9 @@ static bool any_fields_same(const keychain_t* keydata1, const keychain_t* keydat
 static bool test_simple_restore(void)
 {
     size_t written = 0;
-    uint8_t expected_service_path[HMAC_SHA512_LEN];
+    uint8_t expected_gaservice_path[HMAC_SHA512_LEN];
     const int ret
-        = wally_hex_to_bytes(SERVICE_PATH_HEX, expected_service_path, sizeof(expected_service_path), &written);
+        = wally_hex_to_bytes(SERVICE_PATH_HEX, expected_gaservice_path, sizeof(expected_gaservice_path), &written);
     if (ret != WALLY_OK || written != HMAC_SHA512_LEN) {
         FAIL();
     }
@@ -130,9 +132,24 @@ static bool test_simple_restore(void)
     if (!keychain_derive_from_mnemonic(TEST_MNEMONIC, NULL, &keydata)) {
         FAIL();
     }
-    if (crypto_verify_64(keydata.service_path, expected_service_path) != 0) {
+
+    uint8_t serialized[HMAC_SHA512_LEN];
+    if (!wallet_serialize_gaservice_path(serialized, sizeof(serialized), keydata.gaservice_path, GASERVICE_PATH_LEN)) {
+        FAIL();
+    }
+    if (crypto_verify_64(serialized, expected_gaservice_path) != 0) {
         FAIL();
     }
+
+    uint32_t deserialised_expected_path[GASERVICE_PATH_LEN];
+    if (!wallet_unserialize_gaservice_path(
+            expected_gaservice_path, sizeof(expected_gaservice_path), deserialised_expected_path, GASERVICE_PATH_LEN)) {
+        FAIL();
+    }
+    if (sodium_memcmp(keydata.gaservice_path, deserialised_expected_path, sizeof(keydata.gaservice_path))) {
+        FAIL();
+    }
+
     return true;
 }
 

main/wallet.c

@@ -500,11 +500,42 @@ void wallet_build_receive_path(const uint32_t subaccount, const uint32_t branch,
     }
 }
 
+bool wallet_serialize_gaservice_path(
+    uint8_t* serialized, const size_t serialized_len, const uint32_t* gaservice_path, const size_t gaservice_path_len)
+{
+    if (!serialized || serialized_len != HMAC_SHA512_LEN || !gaservice_path
+        || gaservice_path_len != GASERVICE_PATH_LEN) {
+        return false;
+    }
+
+    for (size_t i = 0; i < gaservice_path_len; ++i) {
+        JADE_ASSERT(!(gaservice_path[i] & 0xFFFF0000));
+        serialized[2 * i] = gaservice_path[i] >> 8;
+        serialized[2 * i + 1] = gaservice_path[i] & 0xFF;
+    }
+    return true;
+}
+
+bool wallet_unserialize_gaservice_path(
+    const uint8_t* serialized, const size_t serialized_len, uint32_t* gaservice_path, const size_t gaservice_path_len)
+{
+    if (!serialized || serialized_len != HMAC_SHA512_LEN || !gaservice_path
+        || gaservice_path_len != GASERVICE_PATH_LEN) {
+        return false;
+    }
+
+    for (size_t i = 0; i < gaservice_path_len; ++i) {
+        gaservice_path[i] = (serialized[2 * i] << 8) + serialized[2 * i + 1];
+    }
+    return true;
+}
+
 // Helper to create the service/gait path.
 // (The below is correct for newly created wallets, verified in regtest).
-bool wallet_calculate_gaservice_path(struct ext_key* root_key, uint8_t* service_path, const size_t service_path_len)
+bool wallet_calculate_gaservice_path(
+    struct ext_key* root_key, uint32_t* gaservice_path, const size_t gaservice_path_len)
 {
-    if (!root_key || !service_path || service_path_len != HMAC_SHA512_LEN) {
+    if (!root_key || !gaservice_path || gaservice_path_len != (HMAC_SHA512_LEN / 2)) {
         return false;
     }
 
@@ -520,13 +551,15 @@ bool wallet_calculate_gaservice_path(struct ext_key* root_key, uint8_t* service_
     memcpy(extkeydata, derived.chain_code, sizeof(derived.chain_code));
     memcpy(extkeydata + sizeof(derived.chain_code), derived.pub_key, sizeof(derived.pub_key));
 
-    // 3. HMAC the fixed GA key message with 2. to yield the 512-bit 'service path' for this mnemonic/private key
+    // 3. HMAC the fixed GA key message with 2. to yield the 64 'service path' bytes for this mnemonic/private key
+    uint8_t serialized[HMAC_SHA512_LEN];
     JADE_WALLY_VERIFY(wally_hmac_sha512(
-        GA_KEY_MSG, sizeof(GA_KEY_MSG), extkeydata, sizeof(extkeydata), service_path, service_path_len));
+        GA_KEY_MSG, sizeof(GA_KEY_MSG), extkeydata, sizeof(extkeydata), serialized, sizeof(serialized)));
     SENSITIVE_POP(extkeydata);
     SENSITIVE_POP(&derived);
 
-    return true;
+    // 4. Deserialize to 32 '16 bit' (ie. unhardened) path elements
+    return wallet_unserialize_gaservice_path(serialized, sizeof(serialized), gaservice_path, gaservice_path_len);
 }
 
 bool wallet_get_gaservice_fingerprint(const char* network, uint8_t* output, size_t output_len)
@@ -554,7 +587,8 @@ bool wallet_get_gaservice_path(
         return false;
     }
 
-    JADE_ASSERT(keychain_get());
+    const keychain_t* const keychain = keychain_get();
+    JADE_ASSERT(keychain);
 
     // We only support the following cases
     if (path_len == 2) {
@@ -587,10 +621,8 @@ bool wallet_get_gaservice_path(
     }
 
     // GA service path goes in elements 1 - 32 incl.
-    const keychain_t* const keychain = keychain_get();
-    for (size_t i = 0; i < 32; ++i) {
-        ga_path[i + 1] = (keychain->service_path[2 * i] << 8) + keychain->service_path[2 * i + 1];
-    }
+    JADE_STATIC_ASSERT(sizeof(keychain->gaservice_path) == (ga_path_len - 1) * sizeof(ga_path[0]));
+    memcpy(&ga_path[1], keychain->gaservice_path, sizeof(keychain->gaservice_path));
 
     return true;
 }

main/wallet.h

@@ -89,7 +89,11 @@ void wallet_get_fingerprint(uint8_t* output, size_t output_len);
 bool wallet_get_hdkey(const uint32_t* path, size_t path_len, uint32_t flags, struct ext_key* output);
 bool wallet_get_xpub(const char* network, const uint32_t* path, size_t path_len, char** output);
 
-bool wallet_calculate_gaservice_path(struct ext_key* root_key, uint8_t* service_path, size_t service_path_len);
+bool wallet_calculate_gaservice_path(struct ext_key* root_key, uint32_t* gaservice_path, size_t gaservice_path_len);
+bool wallet_serialize_gaservice_path(
+    uint8_t* serialized, size_t serialized_len, const uint32_t* gaservice_path, size_t gaservice_path_len);
+bool wallet_unserialize_gaservice_path(
+    const uint8_t* serialized, size_t serialized_len, uint32_t* gaservice_path, size_t gaservice_path_len);
 bool wallet_get_gaservice_fingerprint(const char* network, uint8_t* output, size_t output_len);
 bool wallet_get_gaservice_path(
     const uint32_t* path, size_t path_len, uint32_t* ga_path, size_t ga_path_len, size_t* written);