var Buffer = require('safe-buffer').Buffer
var base58check = require('bs58check')
var bcrypto = require('./crypto')
var baddress = require('./address')
var createHmac = require('create-hmac')
var typeforce = require('typeforce')
var types = require('./types')
var NETWORKS = require('./networks')
var BigInteger = require('bigi')
var ECPair = require('./ecpair')
// var KeyToScript = require('./keytoscript')
var ecurve = require('ecurve')
var curve = ecurve.getCurveByName('secp256k1')
function HDNode (keyPair, chainCode, prefix) {
typeforce(types.tuple('ECPair', types.Buffer256bit), arguments)
if (!prefix) {
prefix = keyPair.network.bip32
}
if (!keyPair.compressed) throw new TypeError('BIP32 only allows compressed keyPairs')
this.keyPair = keyPair
this.chainCode = chainCode
this.depth = 0
this.index = 0
this.parentFingerprint = 0x00000000
this.prefix = prefix
}
HDNode.HIGHEST_BIT = 0x80000000
HDNode.LENGTH = 78
HDNode.MASTER_SECRET = Buffer.from('Bitcoin seed', 'utf8')
HDNode.fromSeedBuffer = function (seed, network, prefix) {
typeforce(types.tuple(types.Buffer, types.maybe(types.Network)), arguments)
if (seed.length < 16) throw new TypeError('Seed should be at least 128 bits')
if (seed.length > 64) throw new TypeError('Seed should be at most 512 bits')
var I = createHmac('sha512', HDNode.MASTER_SECRET).update(seed).digest()
var IL = I.slice(0, 32)
var IR = I.slice(32)
// In case IL is 0 or >= n, the master key is invalid
// This is handled by the ECPair constructor
var pIL = BigInteger.fromBuffer(IL)
var keyPair = new ECPair(pIL, null, {
network: network
})
return new HDNode(keyPair, IR, prefix)
}
HDNode.fromSeedHex = function (hex, network, prefix) {
return HDNode.fromSeedBuffer(Buffer.from(hex, 'hex'), network, prefix)
}
/**
*
* @param {string} string
* @param {Array<network>|network} networks
* @param {Array<prefix>} prefixes - only used if networks is object/undefined(so bitcoin).
* @returns {HDNode}
*/
HDNode.fromBase58 = function (string, networks, prefixes) {
var buffer = base58check.decode(string)
if (buffer.length !== 78) throw new Error('Invalid buffer length')
// 4 bytes: version bytes
var version = buffer.readUInt32BE(0)
var network
// list of networks?
var prefix
if (Array.isArray(networks)) {
network = networks.filter(function (x) {
return version === x.bip32.private ||
version === x.bip32.public
}).pop()
if (!network) throw new Error('Unknown network version')
// we found a network by it's bip32 prefixes, use that
prefix = network.bip32
// otherwise, assume a network object (or default to bitcoin)
} else {
network = networks || NETWORKS.bitcoin
if (prefixes) {
prefix = prefixes.filter(function (x) {
return version === x.private ||
version === x.public
}).pop()
} else {
// no special prefixes to consider, use networks bip32 prefix
prefix = network.bip32
}
}
// sanity check the version against the prefix
if (version !== prefix.private &&
version !== prefix.public) throw new Error('Invalid network version')
// 1 byte: depth: 0x00 for master nodes, 0x01 for level-1 descendants, ...
var depth = buffer[4]
// 4 bytes: the fingerprint of the parent's key (0x00000000 if master key)
var parentFingerprint = buffer.readUInt32BE(5)
if (depth === 0) {
if (parentFingerprint !== 0x00000000) throw new Error('Invalid parent fingerprint')
}
// 4 bytes: child number. This is the number i in xi = xpar/i, with xi the key being serialized.
// This is encoded in MSB order. (0x00000000 if master key)
var index = buffer.readUInt32BE(9)
if (depth === 0 && index !== 0) throw new Error('Invalid index')
// 32 bytes: the chain code
var chainCode = buffer.slice(13, 45)
var keyPair
// 33 bytes: private key data (0x00 + k)
if (version === network.bip32.private) {
if (buffer.readUInt8(45) !== 0x00) throw new Error('Invalid private key')
var d = BigInteger.fromBuffer(buffer.slice(46, 78))
keyPair = new ECPair(d, null, { network: network })
// 33 bytes: public key data (0x02 + X or 0x03 + X)
} else {
var Q = ecurve.Point.decodeFrom(curve, buffer.slice(45, 78))
// Q.compressed is assumed, if somehow this assumption is broken, `new HDNode` will throw
// Verify that the X coordinate in the public point corresponds to a point on the curve.
// If not, the extended public key is invalid.
curve.validate(Q)
keyPair = new ECPair(null, Q, { network: network })
}
var hd = new HDNode(keyPair, chainCode, prefix)
hd.depth = depth
hd.index = index
hd.parentFingerprint = parentFingerprint
return hd
}
HDNode.prototype.getScriptData = function () {
return this.prefix.scriptFactory.convert(this.keyPair)
}
HDNode.prototype.getAddress = function () {
var scriptData = this.getScriptData()
return baddress.fromOutputScript(scriptData.scriptPubKey, this.keyPair.network)
}
HDNode.prototype.getIdentifier = function () {
return bcrypto.hash160(this.keyPair.getPublicKeyBuffer())
}
HDNode.prototype.getFingerprint = function () {
return this.getIdentifier().slice(0, 4)
}
HDNode.prototype.getNetwork = function () {
return this.keyPair.getNetwork()
}
HDNode.prototype.getPublicKeyBuffer = function () {
return this.keyPair.getPublicKeyBuffer()
}
HDNode.prototype.neutered = function () {
var neuteredKeyPair = new ECPair(null, this.keyPair.Q, {
network: this.keyPair.network
})
var neutered = new HDNode(neuteredKeyPair, this.chainCode, this.prefix)
neutered.depth = this.depth
neutered.index = this.index
neutered.parentFingerprint = this.parentFingerprint
return neutered
}
HDNode.prototype.sign = function (hash) {
return this.keyPair.sign(hash)
}
HDNode.prototype.verify = function (hash, signature) {
return this.keyPair.verify(hash, signature)
}
HDNode.prototype.toBase58 = function (__isPrivate) {
if (__isPrivate !== undefined) throw new TypeError('Unsupported argument in 2.0.0')
// Version
var version = (!this.isNeutered()) ? this.prefix.private : this.prefix.public
var buffer = Buffer.allocUnsafe(78)
// 4 bytes: version bytes
buffer.writeUInt32BE(version, 0)
// 1 byte: depth: 0x00 for master nodes, 0x01 for level-1 descendants, ....
buffer.writeUInt8(this.depth, 4)
// 4 bytes: the fingerprint of the parent's key (0x00000000 if master key)
buffer.writeUInt32BE(this.parentFingerprint, 5)
// 4 bytes: child number. This is the number i in xi = xpar/i, with xi the key being serialized.
// This is encoded in big endian. (0x00000000 if master key)
buffer.writeUInt32BE(this.index, 9)
// 32 bytes: the chain code
this.chainCode.copy(buffer, 13)
// 33 bytes: the public key or private key data
if (!this.isNeutered()) {
// 0x00 + k for private keys
buffer.writeUInt8(0, 45)
this.keyPair.d.toBuffer(32).copy(buffer, 46)
// 33 bytes: the public key
} else {
// X9.62 encoding for public keys
this.keyPair.getPublicKeyBuffer().copy(buffer, 45)
}
return base58check.encode(buffer)
}
// https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#child-key-derivation-ckd-functions
HDNode.prototype.derive = function (index) {
typeforce(types.UInt32, index)
var isHardened = index >= HDNode.HIGHEST_BIT
var data = Buffer.allocUnsafe(37)
// Hardened child
if (isHardened) {
if (this.isNeutered()) throw new TypeError('Could not derive hardened child key')
// data = 0x00 || ser256(kpar) || ser32(index)
data[0] = 0x00
this.keyPair.d.toBuffer(32).copy(data, 1)
data.writeUInt32BE(index, 33)
// Normal child
} else {
// data = serP(point(kpar)) || ser32(index)
// = serP(Kpar) || ser32(index)
this.keyPair.getPublicKeyBuffer().copy(data, 0)
data.writeUInt32BE(index, 33)
}
var I = createHmac('sha512', this.chainCode).update(data).digest()
var IL = I.slice(0, 32)
var IR = I.slice(32)
var pIL = BigInteger.fromBuffer(IL)
// In case parse256(IL) >= n, proceed with the next value for i
if (pIL.compareTo(curve.n) >= 0) {
return this.derive(index + 1)
}
// Private parent key -> private child key
var derivedKeyPair
if (!this.isNeutered()) {
// ki = parse256(IL) + kpar (mod n)
var ki = pIL.add(this.keyPair.d).mod(curve.n)
// In case ki == 0, proceed with the next value for i
if (ki.signum() === 0) {
return this.derive(index + 1)
}
derivedKeyPair = new ECPair(ki, null, {
network: this.keyPair.network
})
// Public parent key -> public child key
} else {
// Ki = point(parse256(IL)) + Kpar
// = G*IL + Kpar
var Ki = curve.G.multiply(pIL).add(this.keyPair.Q)
// In case Ki is the point at infinity, proceed with the next value for i
if (curve.isInfinity(Ki)) {
return this.derive(index + 1)
}
derivedKeyPair = new ECPair(null, Ki, {
network: this.keyPair.network
})
}
var hd = new HDNode(derivedKeyPair, IR, this.prefix)
hd.depth = this.depth + 1
hd.index = index
hd.parentFingerprint = this.getFingerprint().readUInt32BE(0)
return hd
}
HDNode.prototype.deriveHardened = function (index) {
typeforce(types.UInt31, index)
// Only derives hardened private keys by default
return this.derive(index + HDNode.HIGHEST_BIT)
}
// Private === not neutered
// Public === neutered
HDNode.prototype.isNeutered = function () {
return !(this.keyPair.d)
}
HDNode.prototype.derivePath = function (path) {
typeforce(types.BIP32Path, path)
var splitPath = path.split('/')
if (splitPath[0] === 'm') {
if (this.parentFingerprint) {
throw new Error('Not a master node')
}
splitPath = splitPath.slice(1)
}
return splitPath.reduce(function (prevHd, indexStr) {
var index
if (indexStr.slice(-1) === "'") {
index = parseInt(indexStr.slice(0, -1), 10)
return prevHd.deriveHardened(index)
} else {
index = parseInt(indexStr, 10)
return prevHd.derive(index)
}
}, this)
}
module.exports = HDNode