chore: assert top bit isn't set (#552)

joe-p · web-flow · commit a049642efac3 · 2026-03-15T08:36:40.000-04:00
* chore: assert top bit isn't set In the xHD lib, the signing function uses [crypto_scalarmult_ed25519_base_noclamp](https://github.com/algorandfoundation/xHD-Wallet-API-ts/blob/96e7a4be6bca67a4f77252206811f7676e59e5ec/src/x.hd.wallet.api.crypto.ts#L144-L144) to get the public key which [clears the top bit](https://github.com/algorandfoundation/xHD-Wallet-API-ts/blob/9849fb3e90cecfb6348e188ff445b55806bfde00/src/sumo.facade.ts#L106-L106). Then for the signing, the [raw scalar](https://github.com/algorandfoundation/xHD-Wallet-API-ts/blob/96e7a4be6bca67a4f77252206811f7676e59e5ec/src/x.hd.wallet.api.crypto.ts#L156-L156) is used without clearing the top bit. Since this is not an exported function and the keys used are always from the known derivation function (which ensure the top bit is clear), then this is not an issue. In AlgoKit, however, we have no guarantees about where the scalar comes from. As such, it's possible for someone to pass a scalar that does not have the top bit cleared. The two options are to either clear it automatically or error, but since a scalar without the top bit cleared is invalid ed255519 scalar it seems preferable to just throw an error. * test: add scalar top-bit tests
diff --git a/packages/crypto/src/index.ts b/packages/crypto/src/index.ts
@@ -67,8 +67,12 @@ function rawSign(extendedSecretKey: Uint8Array, data: Uint8Array): Uint8Array {
 
 function rawPubkey(extendedSecretKey: Uint8Array): Uint8Array {
   const scalar = bytesToNumberLE(extendedSecretKey.subarray(0, 32))
-  const clearedTopBitScalar = scalar & ((1n << 255n) - 1n)
-  const reducedScalar = mod(clearedTopBitScalar, ed25519.Point.Fn.ORDER)
+  if ((scalar & (1n << 255n)) !== 0n) {
+    throw new Error(
+      'Invalid HD-expanded Ed25519 secret scalar: most-significant bit (bit 255) of the 32-byte scalar must be 0 for rawSign/rawPubkey inputs.',
+    )
+  }
+  const reducedScalar = mod(scalar, ed25519.Point.Fn.ORDER)
 
   // pubKey = scalar * G
   const publicKey = ed25519.Point.BASE.multiply(reducedScalar)
diff --git a/packages/transact/src/signer.spec.ts b/packages/transact/src/signer.spec.ts
@@ -217,6 +217,51 @@ describe('signer', () => {
     )
   })
 
+  test('wrapped HD extended private key rejects scalar with high bit set during pubkey derivation', async () => {
+    const extendedKey = new Uint8Array(96)
+    // Fill with arbitrary data
+    for (let i = 0; i < 96; i++) {
+      extendedKey[i] = i
+    }
+    // Set bit 255 in scalar (byte 31 of the scalar, which is byte 31 overall)
+    extendedKey[31] = 0x80
+
+    const wrappedHdExtendedPrivateKey = {
+      unwrapHdExtendedPrivateKey: async () => extendedKey,
+      wrapHdExtendedPrivateKey: async () => {},
+    }
+
+    await expect(nobleEd25519SigningKeyFromWrappedSecret(wrappedHdExtendedPrivateKey)).rejects.toThrow(
+      'Invalid HD-expanded Ed25519 secret scalar: most-significant bit (bit 255) of the 32-byte scalar must be 0 for rawSign/rawPubkey inputs.',
+    )
+  })
+
+  test('wrapped HD extended private key rejects scalar with high bit set during signing', async () => {
+    // First create a valid key to get a working signer
+    const { accountGenerator } = await peikertXHdWalletGenerator()
+    const generated = await accountGenerator(0, 0)
+
+    let callCount = 0
+    const extendedKey = new Uint8Array(generated.extendedPrivateKey)
+    // Create an invalid version with bit 255 set in scalar
+    const invalidExtendedKey = new Uint8Array(extendedKey)
+    invalidExtendedKey[31] = 0x80
+
+    const wrappedHdExtendedPrivateKey = {
+      unwrapHdExtendedPrivateKey: async () => {
+        callCount++
+        return callCount === 1 ? extendedKey : invalidExtendedKey
+      },
+      wrapHdExtendedPrivateKey: async () => {},
+    }
+
+    const signingKey = await nobleEd25519SigningKeyFromWrappedSecret(wrappedHdExtendedPrivateKey)
+
+    await expect(signingKey.rawEd25519Signer(new Uint8Array([1, 2, 3]))).rejects.toThrow(
+      'Invalid HD-expanded Ed25519 secret scalar: most-significant bit (bit 255) of the 32-byte scalar must be 0 for rawSign/rawPubkey inputs.',
+    )
+  })
+
   test('wrapped seed zeroes seed after successful signing', async () => {
     const seed = ed.utils.randomSecretKey()
     const wrappedSeed = {
