Working Account recovery from {x,y,z}pub

Author: pjkundert

slip39/api.py

@@ -24,6 +24,7 @@
 import math
 import re
 import secrets
+import string
 import warnings
 
 from functools		import wraps
@@ -442,18 +443,58 @@ def from_mnemonic( self, mnemonic: str, path: str = None ) -> "Account":
         self.from_path( path )
         return self
 
+    def from_xpubkey( self, xpubkey: str, path: str = None ) -> "Account":
+        """Derive the Account from the supplied xpubkey and (optionally) path; uses default
+        derivation path for the Account address format, if None provided.
+
+        Since this xpubkey may have been generated at an arbitrary path, eg.
+
+            m/44'/60'/0'
+
+        any subsequent path provided, such as "m/0/0" will give us the address at
+        effective path:
+
+            m/44'/60'/0'/0/0
+
+        However, if we ask for the path from this account, it will return:
+
+            m/0/0
+
+        It is impossible to correctly recover any "hardened" accounts from an xpubkey, such as
+        "m/1'/0".  These would need access to the private key material, which is missing.
+        Therefore, the original account (or an xprivkey) would be required to access the desired
+        path:
+
+            m/44'/60'/0'/1'/0
+
+        """
+        self.hdwallet.from_xpublic_key( xpubkey )
+        self.from_path( path )
+        return self
+
+    def from_xprvkey( self, xprvkey: str, path: str = None ) -> "Account":
+        self.hdwallet.from_xpublic_key( xprvkey )
+        self.from_path( path )
+        return self
+
     def from_path( self, path: str = None ) -> "Account":
         """Change the Account to derive from the provided path.
 
         If a partial path is provided (eg "...1'/0/3"), then use it to replace the given segments in
         current (or the default) account path, leaving the remainder alone.
 
+        If the derivation path is empty (only "m/") then leave the Account at clean_derivation state
+
         """
         from_path		= self.path or Account.path_default( self.crypto, self.format )
         if path:
             from_path		= path_edit( from_path, path )
         self.hdwallet.clean_derivation()
-        self.hdwallet.from_path( from_path )
+        # Valid DH wallet derivation paths always start with "m/"
+        if not ( from_path and len( from_path ) >= 2 and from_path.startswith( "m/" ) ):
+            raise ValueError( f"Unrecognized HD wallet derivation path: {from_path!r}" )
+        if len( from_path ) > 2:
+            self.hdwallet.from_path( from_path )
         return self
 
     @property
@@ -515,10 +556,12 @@ def path( self ):
     @property
     def key( self ):
         return self.hdwallet.private_key()
+    prvkey		= key
 
     @property
     def xkey( self ):
         return self.hdwallet.xprivate_key()
+    xprvkey		= xkey
 
     @property
     def pubkey( self ):
@@ -950,15 +993,43 @@ def account(
     """Generate an HD wallet Account from the supplied master_secret seed, at the given HD derivation
     path, for the specified cryptocurrency.
 
+    If the master_secret is bytes, it is used as-is.  If a str, then we generally expect it to be
+    hex.  However, this is where we can detect alternatives like "{x,y,z}{pub,priv}key...".  These
+    are identifiable by their prefix, which is incompatible with hex, so there is no ambiguity.
+
     """
-    acct			= Account(
-        crypto		= crypto or 'ETH',
-        format		= format,
-    ).from_seed(
-        seed		= master_secret,
-        path		= path,
-    )
-    log.debug( f"Created {acct} from {len(master_secret)*8}-bit seed, at derivation path {path}" )
+    if isinstance( master_secret, bytes ) or all( c in string.hexdigits for c in master_secret ):
+        acct			= Account(
+            crypto	= crypto or 'ETH',
+            format	= format,
+        )
+        acct.from_seed(
+            seed	= master_secret,
+            path	= path,
+        )
+        log.debug( f"Created {acct} from {len(master_secret)*8}-bit seed, at derivation path {path}" )
+    else:
+        # See if we recognize the prefix as a {x,y,z}pub... or .prv...  Get the bound function for
+        # initializing the seed.  Also, deduce the default format from the x/y/z+pub/prv.
+        default_fmt,from_method	= {
+            'xpub': ('legacy', Account.from_xpubkey),
+            'xprv': ('legacy', Account.from_xprvkey),
+            'ypub': ('segwit', Account.from_xpubkey),
+            'yprv': ('segwit', Account.from_xprvkey),
+            'zpub': ('bech32', Account.from_xpubkey),
+            'zprv': ('bech32', Account.from_xprvkey),
+        }.get( master_secret[:4], (None,None) )
+        if from_method is None:
+            raise ValueError(
+                f"Only x/y/z + pub/prv prefixes supported; {master_secret[:8]+'...'!r} prefix supplied" )
+        if format is None:
+            format		= default_fmt
+        acct			= Account(
+            crypto	= crypto or 'ETH',
+            format	= format
+        )
+        from_method( acct, master_secret, path )  # It's an unbound method, so pass the instance
+
     return acct
 
 

slip39/recovery_test.py

@@ -315,10 +315,58 @@ def test_recover_bip39_vectors():
             path		= t.get( 'path' ),
             format		= format
         )
-        # Finally, generate the account's address or xpubkey
-        addresses		= [ acct.address, acct.xpubkey ]
+        # Finally, generate the account's address and xpubkey, and see that one of them match the
+        # address in the test case.  Only the address/xpubkey is in the test cases, but lets get the
+        # compressed public key as well for comparision w/ the xpubkey derived account...
+        addresses		= [ acct.address, acct.pubkey, acct.xpubkey ]
         assert address in addresses, \
             f"row {i+1}: BTC account {address} not in {addresses!r} for entropy {entropy} ==> {master_secret}"
+        log.info( f"BIP-44 HD path {acct.path:36}: {commas( addresses )}" )
+
+        # OK, we recovered the same address/xpubkey as the test case did.  Now, if the path ends in
+        # at least one layer of non-hardened path, we should be able to:
+        #
+        #     - remove one (or more) path segments, back to a hardened path component
+        #     - generate the xpubkey for that hardened path
+        #     - recover a new account using that xpubkey
+        #     - generate the same sub-account from it, using the remainder of the path.
+        #     - confirm that the address generated by both the original (at full path) and the new
+        #       account (from its xpubkey at hardened path + the remaining path) are identical (xpub
+        #       will be different, but will produce the same address
+        log.info( f"Testing recovery from xpub, generating sub-addresses for {acct.path}" )
+        path			= acct.path.split('/')
+        # Always leaves the m/ on the hard path
+        for hardened in range( 1, len( path )):
+            if not any( "'" in seg for seg in path[hardened:] ):
+                break
+        else:
+            log.debug( f" - No non-hardened path segments in {acct.path}" )
+            continue
+
+        hard			= 'm/' + '/'.join( path[1:hardened] )
+        soft			= 'm/' + '/'.join( path[hardened:] )
+        log.debug( f"BIP-44 HD path hard: {hard:14}, soft: {soft:8}" )
+        acct.from_path( hard )
+        xpubkey			= acct.xpubkey
+
+        # Now recover from that xpubkey, and use the soft remainder of the path; deduces the addresses format
+        acct_xpub		= account(
+            master_secret	= xpubkey,
+            crypto		= 'BTC',
+            path		= soft,
+        )
+
+        # Finally, generate the xpub-derived account's address or xpubkey, and see that one of them
+        # match the address in the test case.  NOTE: the xpubkey will differ, but the address will
+        # match.  This is because in the presence of the full secret key, both the public and the
+        # private SECP256k1 curve points are maintained as the HD wallet path is parsed; when only
+        # the public key is available, only it is modified; the secret key information is
+        # unavailable, and therefore not modified as each path component is parsed.
+        addresses_xpub		= [ acct_xpub.address, acct_xpub.pubkey, acct_xpub.xpubkey ]
+        log.info( f"BIP-44 HD path hard: {hard:14}, soft: {soft:8}: {commas( addresses_xpub )}" )
+
+        assert acct_xpub.address in addresses, \
+            f"row {i+1}: BTC account {acct_xpub.address} not in original account's {addresses!r} for xpub-derived account"
 
 
 def test_util():

slip39/version.py

@@ -1,2 +1,2 @@
-__version_info__		= ( 9, 1, 2 )
+__version_info__		= ( 9, 2, 0 )
 __version__			= '.'.join( map( str, __version_info__ ))