706 lines
25 KiB
Go
706 lines
25 KiB
Go
// Copyright (c) 2014-2016 The btcsuite developers
|
|
// Use of this source code is governed by an ISC
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package hdkeychain
|
|
|
|
// References:
|
|
// [BIP32]: BIP0032 - Hierarchical Deterministic Wallets
|
|
// https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
"crypto/sha512"
|
|
"encoding/binary"
|
|
"errors"
|
|
"fmt"
|
|
"math/big"
|
|
|
|
"github.com/btcsuite/btcd/btcec"
|
|
"github.com/btcsuite/btcd/chaincfg"
|
|
"github.com/btcsuite/btcd/chaincfg/chainhash"
|
|
"github.com/btcsuite/btcutil"
|
|
"github.com/btcsuite/btcutil/base58"
|
|
)
|
|
|
|
const (
|
|
// RecommendedSeedLen is the recommended length in bytes for a seed
|
|
// to a master node.
|
|
RecommendedSeedLen = 32 // 256 bits
|
|
|
|
// HardenedKeyStart is the index at which a hardened key starts. Each
|
|
// extended key has 2^31 normal child keys and 2^31 hardened child keys.
|
|
// Thus the range for normal child keys is [0, 2^31 - 1] and the range
|
|
// for hardened child keys is [2^31, 2^32 - 1].
|
|
HardenedKeyStart = 0x80000000 // 2^31
|
|
|
|
// MinSeedBytes is the minimum number of bytes allowed for a seed to
|
|
// a master node.
|
|
MinSeedBytes = 16 // 128 bits
|
|
|
|
// MaxSeedBytes is the maximum number of bytes allowed for a seed to
|
|
// a master node.
|
|
MaxSeedBytes = 64 // 512 bits
|
|
|
|
// serializedKeyLen is the length of a serialized public or private
|
|
// extended key. It consists of 4 bytes version, 1 byte depth, 4 bytes
|
|
// fingerprint, 4 bytes child number, 32 bytes chain code, and 33 bytes
|
|
// public/private key data.
|
|
serializedKeyLen = 4 + 1 + 4 + 4 + 32 + 33 // 78 bytes
|
|
|
|
// maxUint8 is the max positive integer which can be serialized in a uint8
|
|
maxUint8 = 1<<8 - 1
|
|
)
|
|
|
|
var (
|
|
// ErrDeriveHardFromPublic describes an error in which the caller
|
|
// attempted to derive a hardened extended key from a public key.
|
|
ErrDeriveHardFromPublic = errors.New("cannot derive a hardened key " +
|
|
"from a public key")
|
|
|
|
// ErrDeriveBeyondMaxDepth describes an error in which the caller
|
|
// has attempted to derive more than 255 keys from a root key.
|
|
ErrDeriveBeyondMaxDepth = errors.New("cannot derive a key with more than " +
|
|
"255 indices in its path")
|
|
|
|
// ErrNotPrivExtKey describes an error in which the caller attempted
|
|
// to extract a private key from a public extended key.
|
|
ErrNotPrivExtKey = errors.New("unable to create private keys from a " +
|
|
"public extended key")
|
|
|
|
// ErrInvalidChild describes an error in which the child at a specific
|
|
// index is invalid due to the derived key falling outside of the valid
|
|
// range for secp256k1 private keys. This error indicates the caller
|
|
// should simply ignore the invalid child extended key at this index and
|
|
// increment to the next index.
|
|
ErrInvalidChild = errors.New("the extended key at this index is invalid")
|
|
|
|
// ErrUnusableSeed describes an error in which the provided seed is not
|
|
// usable due to the derived key falling outside of the valid range for
|
|
// secp256k1 private keys. This error indicates the caller must choose
|
|
// another seed.
|
|
ErrUnusableSeed = errors.New("unusable seed")
|
|
|
|
// ErrInvalidSeedLen describes an error in which the provided seed or
|
|
// seed length is not in the allowed range.
|
|
ErrInvalidSeedLen = fmt.Errorf("seed length must be between %d and %d "+
|
|
"bits", MinSeedBytes*8, MaxSeedBytes*8)
|
|
|
|
// ErrBadChecksum describes an error in which the checksum encoded with
|
|
// a serialized extended key does not match the calculated value.
|
|
ErrBadChecksum = errors.New("bad extended key checksum")
|
|
|
|
// ErrInvalidKeyLen describes an error in which the provided serialized
|
|
// key is not the expected length.
|
|
ErrInvalidKeyLen = errors.New("the provided serialized extended key " +
|
|
"length is invalid")
|
|
)
|
|
|
|
// masterKey is the master key used along with a random seed used to generate
|
|
// the master node in the hierarchical tree.
|
|
var masterKey = []byte("Bitcoin seed")
|
|
|
|
// ExtendedKey houses all the information needed to support a hierarchical
|
|
// deterministic extended key. See the package overview documentation for
|
|
// more details on how to use extended keys.
|
|
type ExtendedKey struct {
|
|
key []byte // This will be the pubkey for extended pub keys
|
|
pubKey []byte // This will only be set for extended priv keys
|
|
chainCode []byte
|
|
depth uint8
|
|
parentFP []byte
|
|
childNum uint32
|
|
version []byte
|
|
isPrivate bool
|
|
}
|
|
|
|
// NewExtendedKey returns a new instance of an extended key with the given
|
|
// fields. No error checking is performed here as it's only intended to be a
|
|
// convenience method used to create a populated struct. This function should
|
|
// only be used by applications that need to create custom ExtendedKeys. All
|
|
// other applications should just use NewMaster, Derive, or Neuter.
|
|
func NewExtendedKey(version, key, chainCode, parentFP []byte, depth uint8,
|
|
childNum uint32, isPrivate bool) *ExtendedKey {
|
|
|
|
// NOTE: The pubKey field is intentionally left nil so it is only
|
|
// computed and memoized as required.
|
|
return &ExtendedKey{
|
|
key: key,
|
|
chainCode: chainCode,
|
|
depth: depth,
|
|
parentFP: parentFP,
|
|
childNum: childNum,
|
|
version: version,
|
|
isPrivate: isPrivate,
|
|
}
|
|
}
|
|
|
|
// pubKeyBytes returns bytes for the serialized compressed public key associated
|
|
// with this extended key in an efficient manner including memoization as
|
|
// necessary.
|
|
//
|
|
// When the extended key is already a public key, the key is simply returned as
|
|
// is since it's already in the correct form. However, when the extended key is
|
|
// a private key, the public key will be calculated and memoized so future
|
|
// accesses can simply return the cached result.
|
|
func (k *ExtendedKey) pubKeyBytes() []byte {
|
|
// Just return the key if it's already an extended public key.
|
|
if !k.isPrivate {
|
|
return k.key
|
|
}
|
|
|
|
// This is a private extended key, so calculate and memoize the public
|
|
// key if needed.
|
|
if len(k.pubKey) == 0 {
|
|
pkx, pky := btcec.S256().ScalarBaseMult(k.key)
|
|
pubKey := btcec.PublicKey{Curve: btcec.S256(), X: pkx, Y: pky}
|
|
k.pubKey = pubKey.SerializeCompressed()
|
|
}
|
|
|
|
return k.pubKey
|
|
}
|
|
|
|
// IsPrivate returns whether or not the extended key is a private extended key.
|
|
//
|
|
// A private extended key can be used to derive both hardened and non-hardened
|
|
// child private and public extended keys. A public extended key can only be
|
|
// used to derive non-hardened child public extended keys.
|
|
func (k *ExtendedKey) IsPrivate() bool {
|
|
return k.isPrivate
|
|
}
|
|
|
|
// Depth returns the current derivation level with respect to the root.
|
|
//
|
|
// The root key has depth zero, and the field has a maximum of 255 due to
|
|
// how depth is serialized.
|
|
func (k *ExtendedKey) Depth() uint8 {
|
|
return k.depth
|
|
}
|
|
|
|
// Version returns the extended key's hardened derivation version. This can be
|
|
// used to identify the extended key's type.
|
|
func (k *ExtendedKey) Version() []byte {
|
|
return k.version
|
|
}
|
|
|
|
// ParentFingerprint returns a fingerprint of the parent extended key from which
|
|
// this one was derived.
|
|
func (k *ExtendedKey) ParentFingerprint() uint32 {
|
|
return binary.BigEndian.Uint32(k.parentFP)
|
|
}
|
|
|
|
// ChainCode returns the chain code part of this extended key.
|
|
//
|
|
// It is identical for both public and private extended keys.
|
|
func (k *ExtendedKey) ChainCode() []byte {
|
|
return append([]byte{}, k.chainCode...)
|
|
}
|
|
|
|
// Derive returns a derived child extended key at the given index.
|
|
//
|
|
// IMPORTANT: if you were previously using the Child method, this method is incompatible.
|
|
// The Child method had a BIP-32 standard compatibility issue. You have to check whether
|
|
// any hardened derivations in your derivation path are affected by this issue, via the
|
|
// IsAffectedByIssue172 method and migrate the wallet if so. This method does conform
|
|
// to the standard. If you need the old behavior, use DeriveNonStandard.
|
|
//
|
|
// When this extended key is a private extended key (as determined by the IsPrivate
|
|
// function), a private extended key will be derived. Otherwise, the derived
|
|
// extended key will be also be a public extended key.
|
|
//
|
|
// When the index is greater to or equal than the HardenedKeyStart constant, the
|
|
// derived extended key will be a hardened extended key. It is only possible to
|
|
// derive a hardened extended key from a private extended key. Consequently,
|
|
// this function will return ErrDeriveHardFromPublic if a hardened child
|
|
// extended key is requested from a public extended key.
|
|
//
|
|
// A hardened extended key is useful since, as previously mentioned, it requires
|
|
// a parent private extended key to derive. In other words, normal child
|
|
// extended public keys can be derived from a parent public extended key (no
|
|
// knowledge of the parent private key) whereas hardened extended keys may not
|
|
// be.
|
|
//
|
|
// NOTE: There is an extremely small chance (< 1 in 2^127) the specific child
|
|
// index does not derive to a usable child. The ErrInvalidChild error will be
|
|
// returned if this should occur, and the caller is expected to ignore the
|
|
// invalid child and simply increment to the next index.
|
|
func (k *ExtendedKey) Derive(i uint32) (*ExtendedKey, error) {
|
|
// Prevent derivation of children beyond the max allowed depth.
|
|
if k.depth == maxUint8 {
|
|
return nil, ErrDeriveBeyondMaxDepth
|
|
}
|
|
|
|
// There are four scenarios that could happen here:
|
|
// 1) Private extended key -> Hardened child private extended key
|
|
// 2) Private extended key -> Non-hardened child private extended key
|
|
// 3) Public extended key -> Non-hardened child public extended key
|
|
// 4) Public extended key -> Hardened child public extended key (INVALID!)
|
|
|
|
// Case #4 is invalid, so error out early.
|
|
// A hardened child extended key may not be created from a public
|
|
// extended key.
|
|
isChildHardened := i >= HardenedKeyStart
|
|
if !k.isPrivate && isChildHardened {
|
|
return nil, ErrDeriveHardFromPublic
|
|
}
|
|
|
|
// The data used to derive the child key depends on whether or not the
|
|
// child is hardened per [BIP32].
|
|
//
|
|
// For hardened children:
|
|
// 0x00 || ser256(parentKey) || ser32(i)
|
|
//
|
|
// For normal children:
|
|
// serP(parentPubKey) || ser32(i)
|
|
keyLen := 33
|
|
data := make([]byte, keyLen+4)
|
|
if isChildHardened {
|
|
// Case #1.
|
|
// When the child is a hardened child, the key is known to be a
|
|
// private key due to the above early return. Pad it with a
|
|
// leading zero as required by [BIP32] for deriving the child.
|
|
// Additionally, right align it if it's shorter than 32 bytes.
|
|
offset := 33 - len(k.key)
|
|
copy(data[offset:], k.key)
|
|
} else {
|
|
// Case #2 or #3.
|
|
// This is either a public or private extended key, but in
|
|
// either case, the data which is used to derive the child key
|
|
// starts with the secp256k1 compressed public key bytes.
|
|
copy(data, k.pubKeyBytes())
|
|
}
|
|
binary.BigEndian.PutUint32(data[keyLen:], i)
|
|
|
|
// Take the HMAC-SHA512 of the current key's chain code and the derived
|
|
// data:
|
|
// I = HMAC-SHA512(Key = chainCode, Data = data)
|
|
hmac512 := hmac.New(sha512.New, k.chainCode)
|
|
_, _ = hmac512.Write(data)
|
|
ilr := hmac512.Sum(nil)
|
|
|
|
// Split "I" into two 32-byte sequences Il and Ir where:
|
|
// Il = intermediate key used to derive the child
|
|
// Ir = child chain code
|
|
il := ilr[:len(ilr)/2]
|
|
childChainCode := ilr[len(ilr)/2:]
|
|
|
|
// Both derived public or private keys rely on treating the left 32-byte
|
|
// sequence calculated above (Il) as a 256-bit integer that must be
|
|
// within the valid range for a secp256k1 private key. There is a small
|
|
// chance (< 1 in 2^127) this condition will not hold, and in that case,
|
|
// a child extended key can't be created for this index and the caller
|
|
// should simply increment to the next index.
|
|
ilNum := new(big.Int).SetBytes(il)
|
|
if ilNum.Cmp(btcec.S256().N) >= 0 || ilNum.Sign() == 0 {
|
|
return nil, ErrInvalidChild
|
|
}
|
|
|
|
// The algorithm used to derive the child key depends on whether or not
|
|
// a private or public child is being derived.
|
|
//
|
|
// For private children:
|
|
// childKey = parse256(Il) + parentKey
|
|
//
|
|
// For public children:
|
|
// childKey = serP(point(parse256(Il)) + parentKey)
|
|
var isPrivate bool
|
|
var childKey []byte
|
|
if k.isPrivate {
|
|
// Case #1 or #2.
|
|
// Add the parent private key to the intermediate private key to
|
|
// derive the final child key.
|
|
//
|
|
// childKey = parse256(Il) + parenKey
|
|
keyNum := new(big.Int).SetBytes(k.key)
|
|
ilNum.Add(ilNum, keyNum)
|
|
ilNum.Mod(ilNum, btcec.S256().N)
|
|
childKey = ilNum.Bytes()
|
|
isPrivate = true
|
|
} else {
|
|
// Case #3.
|
|
// Calculate the corresponding intermediate public key for
|
|
// intermediate private key.
|
|
ilx, ily := btcec.S256().ScalarBaseMult(il)
|
|
if ilx.Sign() == 0 || ily.Sign() == 0 {
|
|
return nil, ErrInvalidChild
|
|
}
|
|
|
|
// Convert the serialized compressed parent public key into X
|
|
// and Y coordinates so it can be added to the intermediate
|
|
// public key.
|
|
pubKey, err := btcec.ParsePubKey(k.key, btcec.S256())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Add the intermediate public key to the parent public key to
|
|
// derive the final child key.
|
|
//
|
|
// childKey = serP(point(parse256(Il)) + parentKey)
|
|
childX, childY := btcec.S256().Add(ilx, ily, pubKey.X, pubKey.Y)
|
|
pk := btcec.PublicKey{Curve: btcec.S256(), X: childX, Y: childY}
|
|
childKey = pk.SerializeCompressed()
|
|
}
|
|
|
|
// The fingerprint of the parent for the derived child is the first 4
|
|
// bytes of the RIPEMD160(SHA256(parentPubKey)).
|
|
parentFP := btcutil.Hash160(k.pubKeyBytes())[:4]
|
|
return NewExtendedKey(k.version, childKey, childChainCode, parentFP,
|
|
k.depth+1, i, isPrivate), nil
|
|
}
|
|
|
|
// Returns true if this key was affected by the BIP-32 issue in the Child
|
|
// method (since renamed to DeriveNonStandard).
|
|
func (k *ExtendedKey) IsAffectedByIssue172() bool {
|
|
return len(k.key) < 32
|
|
}
|
|
|
|
// Deprecated: This is a non-standard derivation that is affected by issue #172.
|
|
// 1-of-256 hardened derivations will be wrong. See note in the Derive method
|
|
// and IsAffectedByIssue172.
|
|
func (k *ExtendedKey) DeriveNonStandard(i uint32) (*ExtendedKey, error) {
|
|
if k.depth == maxUint8 {
|
|
return nil, ErrDeriveBeyondMaxDepth
|
|
}
|
|
|
|
isChildHardened := i >= HardenedKeyStart
|
|
if !k.isPrivate && isChildHardened {
|
|
return nil, ErrDeriveHardFromPublic
|
|
}
|
|
|
|
keyLen := 33
|
|
data := make([]byte, keyLen+4)
|
|
if isChildHardened {
|
|
copy(data[1:], k.key)
|
|
} else {
|
|
copy(data, k.pubKeyBytes())
|
|
}
|
|
binary.BigEndian.PutUint32(data[keyLen:], i)
|
|
|
|
hmac512 := hmac.New(sha512.New, k.chainCode)
|
|
_, _ = hmac512.Write(data)
|
|
ilr := hmac512.Sum(nil)
|
|
|
|
il := ilr[:len(ilr)/2]
|
|
childChainCode := ilr[len(ilr)/2:]
|
|
|
|
ilNum := new(big.Int).SetBytes(il)
|
|
if ilNum.Cmp(btcec.S256().N) >= 0 || ilNum.Sign() == 0 {
|
|
return nil, ErrInvalidChild
|
|
}
|
|
|
|
var isPrivate bool
|
|
var childKey []byte
|
|
if k.isPrivate {
|
|
keyNum := new(big.Int).SetBytes(k.key)
|
|
ilNum.Add(ilNum, keyNum)
|
|
ilNum.Mod(ilNum, btcec.S256().N)
|
|
childKey = ilNum.Bytes()
|
|
isPrivate = true
|
|
} else {
|
|
ilx, ily := btcec.S256().ScalarBaseMult(il)
|
|
if ilx.Sign() == 0 || ily.Sign() == 0 {
|
|
return nil, ErrInvalidChild
|
|
}
|
|
|
|
pubKey, err := btcec.ParsePubKey(k.key, btcec.S256())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
childX, childY := btcec.S256().Add(ilx, ily, pubKey.X, pubKey.Y)
|
|
pk := btcec.PublicKey{Curve: btcec.S256(), X: childX, Y: childY}
|
|
childKey = pk.SerializeCompressed()
|
|
}
|
|
|
|
parentFP := btcutil.Hash160(k.pubKeyBytes())[:4]
|
|
return NewExtendedKey(k.version, childKey, childChainCode, parentFP,
|
|
k.depth+1, i, isPrivate), nil
|
|
}
|
|
|
|
// ChildNum returns the index at which the child extended key was derived.
|
|
//
|
|
// Extended keys with ChildNum value between 0 and 2^31-1 are normal child
|
|
// keys, and those with a value between 2^31 and 2^32-1 are hardened keys.
|
|
func (k *ExtendedKey) ChildIndex() uint32 {
|
|
return k.childNum
|
|
}
|
|
|
|
// Neuter returns a new extended public key from this extended private key. The
|
|
// same extended key will be returned unaltered if it is already an extended
|
|
// public key.
|
|
//
|
|
// As the name implies, an extended public key does not have access to the
|
|
// private key, so it is not capable of signing transactions or deriving
|
|
// child extended private keys. However, it is capable of deriving further
|
|
// child extended public keys.
|
|
func (k *ExtendedKey) Neuter() (*ExtendedKey, error) {
|
|
// Already an extended public key.
|
|
if !k.isPrivate {
|
|
return k, nil
|
|
}
|
|
|
|
// Get the associated public extended key version bytes.
|
|
version, err := chaincfg.HDPrivateKeyToPublicKeyID(k.version)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Convert it to an extended public key. The key for the new extended
|
|
// key will simply be the pubkey of the current extended private key.
|
|
//
|
|
// This is the function N((k,c)) -> (K, c) from [BIP32].
|
|
return NewExtendedKey(version, k.pubKeyBytes(), k.chainCode, k.parentFP,
|
|
k.depth, k.childNum, false), nil
|
|
}
|
|
|
|
// CloneWithVersion returns a new extended key cloned from this extended key,
|
|
// but using the provided HD version bytes. The version must be a private HD
|
|
// key ID for an extended private key, and a public HD key ID for an extended
|
|
// public key.
|
|
//
|
|
// This method creates a new copy and therefore does not mutate the original
|
|
// extended key instance.
|
|
//
|
|
// Unlike Neuter(), this does NOT convert an extended private key to an
|
|
// extended public key. It is particularly useful for converting between
|
|
// standard BIP0032 extended keys (serializable to xprv/xpub) and keys based
|
|
// on the SLIP132 standard (serializable to yprv/ypub, zprv/zpub, etc.).
|
|
//
|
|
// References:
|
|
// [SLIP132]: SLIP-0132 - Registered HD version bytes for BIP-0032
|
|
// https://github.com/satoshilabs/slips/blob/master/slip-0132.md
|
|
func (k *ExtendedKey) CloneWithVersion(version []byte) (*ExtendedKey, error) {
|
|
if len(version) != 4 {
|
|
// TODO: The semantically correct error to return here is
|
|
// ErrInvalidHDKeyID (introduced in btcsuite/btcd#1617). Update the
|
|
// error type once available in a stable btcd / chaincfg release.
|
|
return nil, chaincfg.ErrUnknownHDKeyID
|
|
}
|
|
|
|
// Initialize a new extended key instance with the same fields as the
|
|
// current extended private/public key and the provided HD version bytes.
|
|
return NewExtendedKey(version, k.key, k.chainCode, k.parentFP,
|
|
k.depth, k.childNum, k.isPrivate), nil
|
|
}
|
|
|
|
// ECPubKey converts the extended key to a btcec public key and returns it.
|
|
func (k *ExtendedKey) ECPubKey() (*btcec.PublicKey, error) {
|
|
return btcec.ParsePubKey(k.pubKeyBytes(), btcec.S256())
|
|
}
|
|
|
|
// ECPrivKey converts the extended key to a btcec private key and returns it.
|
|
// As you might imagine this is only possible if the extended key is a private
|
|
// extended key (as determined by the IsPrivate function). The ErrNotPrivExtKey
|
|
// error will be returned if this function is called on a public extended key.
|
|
func (k *ExtendedKey) ECPrivKey() (*btcec.PrivateKey, error) {
|
|
if !k.isPrivate {
|
|
return nil, ErrNotPrivExtKey
|
|
}
|
|
|
|
privKey, _ := btcec.PrivKeyFromBytes(btcec.S256(), k.key)
|
|
return privKey, nil
|
|
}
|
|
|
|
// Address converts the extended key to a standard bitcoin pay-to-pubkey-hash
|
|
// address for the passed network.
|
|
func (k *ExtendedKey) Address(net *chaincfg.Params) (*btcutil.AddressPubKeyHash, error) {
|
|
pkHash := btcutil.Hash160(k.pubKeyBytes())
|
|
return btcutil.NewAddressPubKeyHash(pkHash, net)
|
|
}
|
|
|
|
// paddedAppend appends the src byte slice to dst, returning the new slice.
|
|
// If the length of the source is smaller than the passed size, leading zero
|
|
// bytes are appended to the dst slice before appending src.
|
|
func paddedAppend(size uint, dst, src []byte) []byte {
|
|
for i := 0; i < int(size)-len(src); i++ {
|
|
dst = append(dst, 0)
|
|
}
|
|
return append(dst, src...)
|
|
}
|
|
|
|
// String returns the extended key as a human-readable base58-encoded string.
|
|
func (k *ExtendedKey) String() string {
|
|
if len(k.key) == 0 {
|
|
return "zeroed extended key"
|
|
}
|
|
|
|
var childNumBytes [4]byte
|
|
binary.BigEndian.PutUint32(childNumBytes[:], k.childNum)
|
|
|
|
// The serialized format is:
|
|
// version (4) || depth (1) || parent fingerprint (4)) ||
|
|
// child num (4) || chain code (32) || key data (33) || checksum (4)
|
|
serializedBytes := make([]byte, 0, serializedKeyLen+4)
|
|
serializedBytes = append(serializedBytes, k.version...)
|
|
serializedBytes = append(serializedBytes, k.depth)
|
|
serializedBytes = append(serializedBytes, k.parentFP...)
|
|
serializedBytes = append(serializedBytes, childNumBytes[:]...)
|
|
serializedBytes = append(serializedBytes, k.chainCode...)
|
|
if k.isPrivate {
|
|
serializedBytes = append(serializedBytes, 0x00)
|
|
serializedBytes = paddedAppend(32, serializedBytes, k.key)
|
|
} else {
|
|
serializedBytes = append(serializedBytes, k.pubKeyBytes()...)
|
|
}
|
|
|
|
checkSum := chainhash.DoubleHashB(serializedBytes)[:4]
|
|
serializedBytes = append(serializedBytes, checkSum...)
|
|
return base58.Encode(serializedBytes)
|
|
}
|
|
|
|
// IsForNet returns whether or not the extended key is associated with the
|
|
// passed bitcoin network.
|
|
func (k *ExtendedKey) IsForNet(net *chaincfg.Params) bool {
|
|
return bytes.Equal(k.version, net.HDPrivateKeyID[:]) ||
|
|
bytes.Equal(k.version, net.HDPublicKeyID[:])
|
|
}
|
|
|
|
// SetNet associates the extended key, and any child keys yet to be derived from
|
|
// it, with the passed network.
|
|
func (k *ExtendedKey) SetNet(net *chaincfg.Params) {
|
|
if k.isPrivate {
|
|
k.version = net.HDPrivateKeyID[:]
|
|
} else {
|
|
k.version = net.HDPublicKeyID[:]
|
|
}
|
|
}
|
|
|
|
// zero sets all bytes in the passed slice to zero. This is used to
|
|
// explicitly clear private key material from memory.
|
|
func zero(b []byte) {
|
|
lenb := len(b)
|
|
for i := 0; i < lenb; i++ {
|
|
b[i] = 0
|
|
}
|
|
}
|
|
|
|
// Zero manually clears all fields and bytes in the extended key. This can be
|
|
// used to explicitly clear key material from memory for enhanced security
|
|
// against memory scraping. This function only clears this particular key and
|
|
// not any children that have already been derived.
|
|
func (k *ExtendedKey) Zero() {
|
|
zero(k.key)
|
|
zero(k.pubKey)
|
|
zero(k.chainCode)
|
|
zero(k.parentFP)
|
|
k.version = nil
|
|
k.key = nil
|
|
k.depth = 0
|
|
k.childNum = 0
|
|
k.isPrivate = false
|
|
}
|
|
|
|
// NewMaster creates a new master node for use in creating a hierarchical
|
|
// deterministic key chain. The seed must be between 128 and 512 bits and
|
|
// should be generated by a cryptographically secure random generation source.
|
|
//
|
|
// NOTE: There is an extremely small chance (< 1 in 2^127) the provided seed
|
|
// will derive to an unusable secret key. The ErrUnusable error will be
|
|
// returned if this should occur, so the caller must check for it and generate a
|
|
// new seed accordingly.
|
|
func NewMaster(seed []byte, net *chaincfg.Params) (*ExtendedKey, error) {
|
|
// Per [BIP32], the seed must be in range [MinSeedBytes, MaxSeedBytes].
|
|
if len(seed) < MinSeedBytes || len(seed) > MaxSeedBytes {
|
|
return nil, ErrInvalidSeedLen
|
|
}
|
|
|
|
// First take the HMAC-SHA512 of the master key and the seed data:
|
|
// I = HMAC-SHA512(Key = "Bitcoin seed", Data = S)
|
|
hmac512 := hmac.New(sha512.New, masterKey)
|
|
_, _ = hmac512.Write(seed)
|
|
lr := hmac512.Sum(nil)
|
|
|
|
// Split "I" into two 32-byte sequences Il and Ir where:
|
|
// Il = master secret key
|
|
// Ir = master chain code
|
|
secretKey := lr[:len(lr)/2]
|
|
chainCode := lr[len(lr)/2:]
|
|
|
|
// Ensure the key in usable.
|
|
secretKeyNum := new(big.Int).SetBytes(secretKey)
|
|
if secretKeyNum.Cmp(btcec.S256().N) >= 0 || secretKeyNum.Sign() == 0 {
|
|
return nil, ErrUnusableSeed
|
|
}
|
|
|
|
parentFP := []byte{0x00, 0x00, 0x00, 0x00}
|
|
return NewExtendedKey(net.HDPrivateKeyID[:], secretKey, chainCode,
|
|
parentFP, 0, 0, true), nil
|
|
}
|
|
|
|
// NewKeyFromString returns a new extended key instance from a base58-encoded
|
|
// extended key.
|
|
func NewKeyFromString(key string) (*ExtendedKey, error) {
|
|
// The base58-decoded extended key must consist of a serialized payload
|
|
// plus an additional 4 bytes for the checksum.
|
|
decoded := base58.Decode(key)
|
|
if len(decoded) != serializedKeyLen+4 {
|
|
return nil, ErrInvalidKeyLen
|
|
}
|
|
|
|
// The serialized format is:
|
|
// version (4) || depth (1) || parent fingerprint (4)) ||
|
|
// child num (4) || chain code (32) || key data (33) || checksum (4)
|
|
|
|
// Split the payload and checksum up and ensure the checksum matches.
|
|
payload := decoded[:len(decoded)-4]
|
|
checkSum := decoded[len(decoded)-4:]
|
|
expectedCheckSum := chainhash.DoubleHashB(payload)[:4]
|
|
if !bytes.Equal(checkSum, expectedCheckSum) {
|
|
return nil, ErrBadChecksum
|
|
}
|
|
|
|
// Deserialize each of the payload fields.
|
|
version := payload[:4]
|
|
depth := payload[4:5][0]
|
|
parentFP := payload[5:9]
|
|
childNum := binary.BigEndian.Uint32(payload[9:13])
|
|
chainCode := payload[13:45]
|
|
keyData := payload[45:78]
|
|
|
|
// The key data is a private key if it starts with 0x00. Serialized
|
|
// compressed pubkeys either start with 0x02 or 0x03.
|
|
isPrivate := keyData[0] == 0x00
|
|
if isPrivate {
|
|
// Ensure the private key is valid. It must be within the range
|
|
// of the order of the secp256k1 curve and not be 0.
|
|
keyData = keyData[1:]
|
|
keyNum := new(big.Int).SetBytes(keyData)
|
|
if keyNum.Cmp(btcec.S256().N) >= 0 || keyNum.Sign() == 0 {
|
|
return nil, ErrUnusableSeed
|
|
}
|
|
} else {
|
|
// Ensure the public key parses correctly and is actually on the
|
|
// secp256k1 curve.
|
|
_, err := btcec.ParsePubKey(keyData, btcec.S256())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
return NewExtendedKey(version, keyData, chainCode, parentFP, depth,
|
|
childNum, isPrivate), nil
|
|
}
|
|
|
|
// GenerateSeed returns a cryptographically secure random seed that can be used
|
|
// as the input for the NewMaster function to generate a new master node.
|
|
//
|
|
// The length is in bytes and it must be between 16 and 64 (128 to 512 bits).
|
|
// The recommended length is 32 (256 bits) as defined by the RecommendedSeedLen
|
|
// constant.
|
|
func GenerateSeed(length uint8) ([]byte, error) {
|
|
// Per [BIP32], the seed must be in range [MinSeedBytes, MaxSeedBytes].
|
|
if length < MinSeedBytes || length > MaxSeedBytes {
|
|
return nil, ErrInvalidSeedLen
|
|
}
|
|
|
|
buf := make([]byte, length)
|
|
_, err := rand.Read(buf)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return buf, nil
|
|
}
|