@ledgerhq/hw-ledger-key-ring-protocol 0.2.1-nightly.0

package/src/Device.ts

@@ -0,0 +1,254 @@
+import { PublicKey } from "./PublicKey";
+import {
+  CommandBlock,
+  CommandType,
+  signCommandBlock,
+  Derive,
+  PublishKey,
+  Seed,
+} from "./CommandBlock";
+import CommandStreamResolver from "./CommandStreamResolver";
+import { crypto, DerivationPath, KeyPair } from "./Crypto";
+import { StreamTree } from "./StreamTree";
+
+/**
+ *
+ */
+export interface Device {
+  // Get the public key of the device
+  getPublicKey(): Promise<PublicKey>;
+
+  /**
+   * Checks wether the public key can be directly fetched or if acquiring the public key
+   * requires a user action.
+   *
+   * @returns True if the public key is directly available, false otherwise
+   */
+  isPublicKeyAvailable(): boolean;
+
+  // The function receives the full stream but must only sign the last command block
+  sign(stream: CommandBlock[], tree?: StreamTree): Promise<CommandBlock>;
+
+  /**
+   * Read the symmetric key from the stream tree at the given path. This function may not be implemented by all devices.
+   * @param tree The stream tree
+   * @param path The path to the key
+   * @returns The public key of the symmetric key
+   */
+  readKey(tree: StreamTree, path: number[]): Promise<Uint8Array>;
+}
+
+interface SharedKey {
+  xpriv: Uint8Array;
+  publicKey: Uint8Array;
+}
+
+interface EncryptedSharedKey {
+  encryptedXpriv: Uint8Array;
+  publicKey: Uint8Array;
+  ephemeralPublicKey: Uint8Array;
+  initializationVector: Uint8Array;
+}
+
+export class SoftwareDevice implements Device {
+  private keyPair: KeyPair;
+
+  constructor(kp: KeyPair) {
+    this.keyPair = kp;
+  }
+
+  async getPublicKey(): Promise<PublicKey> {
+    return new PublicKey(this.keyPair.publicKey);
+  }
+
+  private async generateSharedKey(): Promise<SharedKey> {
+    const xpriv = await crypto.randomBytes(64);
+    const pk = await crypto.derivePrivate(xpriv, []);
+    return { xpriv, publicKey: pk.publicKey };
+  }
+
+  private async encryptSharedKey(
+    sharedKey: SharedKey,
+    recipient: Uint8Array,
+  ): Promise<EncryptedSharedKey> {
+    const kp = await crypto.randomKeypair();
+    const ecdh = await crypto.ecdh(kp, recipient);
+    const initializationVector = await crypto.randomBytes(16);
+    const encryptedXpriv = await crypto.encrypt(ecdh, initializationVector, sharedKey.xpriv);
+    return {
+      encryptedXpriv,
+      publicKey: sharedKey.publicKey,
+      ephemeralPublicKey: kp.publicKey,
+      initializationVector,
+    };
+  }
+
+  private async decryptSharedKey(encryptedSharedKey: EncryptedSharedKey): Promise<SharedKey> {
+    const ecdh = await crypto.ecdh(this.keyPair, encryptedSharedKey.ephemeralPublicKey);
+    const xpriv = await crypto.decrypt(
+      ecdh,
+      encryptedSharedKey.initializationVector,
+      encryptedSharedKey.encryptedXpriv,
+    );
+    return { xpriv, publicKey: encryptedSharedKey.publicKey };
+  }
+
+  private async deriveKey(tree: StreamTree, path: number[]): Promise<SharedKey> {
+    const event = await tree.getPublishKeyEvent(this.keyPair.publicKey, path);
+    if (!event) {
+      throw new Error("Cannot find key in the tree for the current device");
+    }
+    const encryptedSharedKey = {
+      encryptedXpriv: event.encryptedXpriv,
+      publicKey: event.groupPublicKey,
+      ephemeralPublicKey: event.ephemeralPublicKey,
+      initializationVector: event.nonce,
+    };
+    const sharedKey = await this.decryptSharedKey(encryptedSharedKey);
+    const newKey = await crypto.derivePrivate(sharedKey.xpriv, path);
+    const xpriv = new Uint8Array(64);
+    xpriv.set(newKey.privateKey);
+    xpriv.set(newKey.chainCode, 32);
+    return { xpriv, publicKey: newKey.publicKey };
+  }
+
+  async sign(stream: CommandBlock[], tree?: StreamTree): Promise<CommandBlock> {
+    if (stream.length === 0) {
+      throw new Error("Cannot sign an empty stream");
+    }
+    if (stream[stream.length - 1].commands.length === 0) {
+      throw new Error("Cannot sign an empty block");
+    }
+    const lastBlock = stream[stream.length - 1];
+
+    lastBlock.issuer = this.keyPair.publicKey;
+
+    // Resolve the stream (before the last block)
+    const resolved = await CommandStreamResolver.resolve(stream.slice(0, stream.length - 1));
+
+    // The shared key of the stream
+
+    let sharedKey: SharedKey | null = null;
+
+    // Iterate through the commands to inject encrypted keys
+    for (let commandIndex = 0; commandIndex < lastBlock.commands.length; commandIndex++) {
+      const command = lastBlock.commands[commandIndex];
+      switch (command.getType()) {
+        case CommandType.Seed: {
+          // Generate the shared key
+          sharedKey = await this.generateSharedKey();
+
+          // Encrypt the shared key and inject it in the command
+          const encryptedSharedKey = await this.encryptSharedKey(sharedKey, this.keyPair.publicKey);
+          (command as Seed).groupKey = sharedKey.publicKey;
+          (command as Seed).encryptedXpriv = encryptedSharedKey.encryptedXpriv;
+          (command as Seed).ephemeralPublicKey = encryptedSharedKey.ephemeralPublicKey;
+          (command as Seed).initializationVector = encryptedSharedKey.initializationVector;
+          break;
+        }
+        case CommandType.Derive: {
+          // Derive the shared key from the tree
+          if (!tree) {
+            throw new Error("Cannot derive a key without a tree");
+          }
+          sharedKey = await this.deriveKey(tree, (command as Derive).path);
+
+          // Encrypt the shared key and inject it in the command
+          const encryptedDerivedKey = await this.encryptSharedKey(
+            sharedKey,
+            this.keyPair.publicKey,
+          );
+          (command as Derive).groupKey = sharedKey.publicKey;
+          (command as Derive).encryptedXpriv = encryptedDerivedKey.encryptedXpriv;
+          (command as Derive).initializationVector = encryptedDerivedKey.initializationVector;
+          (command as Derive).ephemeralPublicKey = encryptedDerivedKey.ephemeralPublicKey;
+          break;
+        }
+        case CommandType.PublishKey: {
+          // Derive the shared key from the tree
+          if (!sharedKey) {
+            // If the current stream is the seed stream, read the key from the first command in the first block
+            const encryptedKey = resolved.getEncryptedKey(this.keyPair.publicKey);
+            if (encryptedKey) {
+              sharedKey = await this.decryptSharedKey({
+                encryptedXpriv: encryptedKey.encryptedXpriv,
+                initializationVector: encryptedKey.initialiationVector,
+                publicKey: encryptedKey.issuer,
+                ephemeralPublicKey: encryptedKey.ephemeralPublicKey,
+              });
+            } else if (stream[0].commands[0].getType() == CommandType.Seed) {
+              if (crypto.to_hex(stream[0].issuer) !== crypto.to_hex(this.keyPair.publicKey)) {
+                throw new Error("Cannot read the seed key from another device");
+              }
+            } else {
+              // console.dir(stream, { depth: null });
+              sharedKey = await this.deriveKey(tree!, resolved.getStreamDerivationPath());
+            }
+            if (!sharedKey) throw new Error("Cannot find the shared key");
+          }
+          const encryptedSharedKey = await this.encryptSharedKey(
+            sharedKey!,
+            (command as PublishKey).recipient,
+          );
+          (command as PublishKey).encryptedXpriv = encryptedSharedKey.encryptedXpriv;
+          (command as PublishKey).initializationVector = encryptedSharedKey.initializationVector;
+          (command as PublishKey).ephemeralPublicKey = encryptedSharedKey.ephemeralPublicKey;
+          break;
+        }
+      }
+    }
+    const signature = (
+      await signCommandBlock(
+        lastBlock,
+        (await this.getPublicKey()).publicKey,
+        this.keyPair.privateKey,
+      )
+    ).signature;
+    lastBlock.signature = signature;
+    return lastBlock;
+  }
+
+  async readKey(tree: StreamTree, path: number[]): Promise<Uint8Array> {
+    const event = await tree.getPublishKeyEvent(this.keyPair.publicKey, path);
+    if (!event) {
+      throw new Error("Cannot find key in the tree for the current device");
+    }
+    const encryptedSharedKey: EncryptedSharedKey = {
+      encryptedXpriv: event.encryptedXpriv,
+      initializationVector: event.nonce,
+      publicKey: event.groupPublicKey,
+      ephemeralPublicKey: event.ephemeralPublicKey,
+    };
+    const sharedKey = await this.decryptSharedKey(encryptedSharedKey);
+
+    // Derive the key to match the path
+    let index = DerivationPath.toIndexArray(event.stream.getStreamPath()!).length;
+    while (index < path.length) {
+      const derivation = await crypto.derivePrivate(sharedKey.xpriv, [index]);
+      const xpriv = new Uint8Array(64);
+      xpriv.set(derivation.privateKey);
+      xpriv.set(derivation.chainCode, 32);
+      sharedKey.xpriv = xpriv;
+      sharedKey.publicKey = derivation.publicKey;
+      index += 1;
+    }
+
+    return sharedKey.xpriv;
+  }
+
+  isPublicKeyAvailable(): boolean {
+    return true;
+  }
+}
+
+/**
+ *
+ */
+export async function createDevice(): Promise<Device> {
+  const kp = await crypto.randomKeypair();
+  return new SoftwareDevice(kp);
+}
+
+export const ISSUER_PLACEHOLDER = new Uint8Array([
+  3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+]);

package/src/IndexedTree.ts

@@ -0,0 +1,80 @@
+export class IndexedTree<T> {
+  private node: T | null;
+  private children: Map<number, IndexedTree<T>>;
+
+  constructor(node: T | null, children: Map<number, IndexedTree<T>> = new Map()) {
+    this.node = node;
+    this.children = children;
+  }
+
+  public getHighestIndex(): number {
+    return [...this.children.keys()].reduce((a, b) => Math.max(a, b), 0);
+  }
+
+  public getChildren(): Map<number, IndexedTree<T>> {
+    return this.children;
+  }
+
+  public getChild(index: number): IndexedTree<T> | undefined {
+    return this.children.get(index);
+  }
+
+  public findChild(path: number[]): IndexedTree<T> | undefined {
+    if (path.length === 0) {
+      return this;
+    }
+    const index = path[0];
+    const rest = path.slice(1);
+    if (this.children.has(index)) {
+      return this.children.get(index)!.findChild(rest);
+    }
+    return undefined;
+  }
+
+  public getValue(): T | null {
+    return this.node;
+  }
+
+  /// Update the value of the node, if the node doesn't exist, it will be created
+  public updateChild(path: number[], value: T): IndexedTree<T> {
+    if (path.length === 0) {
+      return new IndexedTree(value, this.children);
+    }
+
+    const index = path[0];
+    const rest = path.slice(1);
+    const children = new Map(this.children);
+    if (this.children.has(index)) {
+      const subTree = this.children.get(index)!.updateChild(rest, value);
+      children.set(index, subTree);
+    } else {
+      const subTree = new IndexedTree<T>(null).updateChild(rest, value);
+      children.set(index, subTree);
+    }
+    return new IndexedTree(this.node, children);
+  }
+
+  /// Adds a subtree to the tree
+  public addChild(path: number[], child: IndexedTree<T>): IndexedTree<T> {
+    if (path.length === 0) {
+      return this;
+    }
+    if (path.length == 1) {
+      const children = new Map(this.children);
+      children.set(path[0], child);
+      return new IndexedTree(this.node, children);
+    }
+    const index = path[0];
+    const rest = path.slice(1);
+    const children = new Map(this.children);
+
+    if (this.children.has(index)) {
+      const subTree = this.children.get(index)!.addChild(rest, child);
+      children.set(index, subTree);
+    } else {
+      const subTree = new IndexedTree<T>(null).addChild(rest, child);
+      children.set(index, subTree);
+    }
+    return new IndexedTree(this.node, children);
+  }
+}

package/src/NobleCrypto.ts

@@ -0,0 +1,294 @@
+import * as secp256k1 from "secp256k1";
+import * as ecc from "tiny-secp256k1";
+import { BIP32Factory } from "bip32";
+import hmac from "create-hmac";
+import * as crypto from "crypto";
+
+import { Crypto, KeyPair, KeyPairWithChainCode } from "./Crypto";
+
+const bip32 = BIP32Factory(ecc);
+const AES_BLOCK_SIZE = 16;
+const PRIVATE_KEY_SIZE = 32;
+
+export class NobleCryptoSecp256k1 implements Crypto {
+  async randomKeypair(): Promise<KeyPair> {
+    let pk: Uint8Array;
+    do {
+      pk = crypto.randomBytes(PRIVATE_KEY_SIZE);
+    } while (!secp256k1.privateKeyVerify(pk));
+    return this.keypairFromSecretKey(pk);
+  }
+
+  async derivePrivate(xpriv: Uint8Array, path: number[]): Promise<KeyPairWithChainCode> {
+    const pk = xpriv.slice(0, 32);
+    const chainCode = xpriv.slice(32);
+    let node = bip32.fromPrivateKey(Buffer.from(pk), Buffer.from(chainCode));
+    for (const index of path) {
+      node = node.derive(index);
+    }
+    return {
+      publicKey: this.to_array(node.publicKey),
+      privateKey: this.to_array(node.privateKey!),
+      chainCode: this.to_array(node.chainCode),
+    };
+  }
+
+  async keypairFromSecretKey(secretKey: Uint8Array): Promise<KeyPair> {
+    return {
+      publicKey: secp256k1.publicKeyCreate(secretKey),
+      privateKey: secretKey,
+    };
+  }
+
+  private derEncode(R: Uint8Array, S: Uint8Array): Uint8Array {
+    if (R[0] > 0x7f) {
+      R = this.concat(new Uint8Array([0x00]), R);
+    }
+    if (S[0] > 0x7f) {
+      S = this.concat(new Uint8Array([0x00]), S);
+    }
+    R = this.concat(new Uint8Array([0x02, R.length]), R);
+    S = this.concat(new Uint8Array([0x02, S.length]), S);
+    const prefix = new Uint8Array([0x30, R.length + S.length]);
+    return this.concat(prefix, this.concat(R, S));
+  }
+
+  private derDecode(signature: Uint8Array): { R: Uint8Array; S: Uint8Array } {
+    const R: Uint8Array = signature.slice(4, 4 + signature[3]);
+    const S: Uint8Array = signature.slice(
+      6 + signature[3],
+      6 + signature[3] + signature[5 + signature[3]],
+    );
+    return {
+      R: this.enforceLength(R, PRIVATE_KEY_SIZE),
+      S: this.enforceLength(S, PRIVATE_KEY_SIZE),
+    };
+  }
+
+  async sign(message: Uint8Array, keyPair: KeyPair): Promise<Uint8Array> {
+    const signature = secp256k1.ecdsaSign(message, keyPair.privateKey).signature;
+    // DER encoding
+    return this.derEncode(signature.slice(0, 32), signature.slice(32, 64));
+  }
+
+  async verify(
+    message: Uint8Array,
+    signature: Uint8Array,
+    publicKey: Uint8Array,
+  ): Promise<boolean> {
+    // DER decoding
+    const { R, S } = this.derDecode(signature);
+    return secp256k1.ecdsaVerify(this.concat(R, S), message, publicKey);
+  }
+
+  private to_array(buffer: Buffer): Uint8Array {
+    return new Uint8Array(buffer);
+  }
+
+  private normalizeKey(key: Uint8Array): Uint8Array {
+    if (key.length === 32) {
+      return key;
+    }
+    throw new Error("Invalid key length for AES-256 " + `(invalid length is ${key.length})`);
+  }
+
+  private normalizeNonce(nonce: Uint8Array): Uint8Array {
+    if (nonce.length < 16) {
+      throw new Error(
+        "Invalid nonce length (must be 128bits) " + `(invalid length is ${nonce.length})`,
+      );
+    }
+    return nonce.slice(0, 16);
+  }
+
+  private concat(a: Uint8Array, b: Uint8Array): Uint8Array {
+    const c = new Uint8Array(a.length + b.length);
+    c.set(a);
+    c.set(b, a.length);
+    return c;
+  }
+
+  private enforceLength(buffer: Uint8Array, length: number): Uint8Array {
+    if (buffer.length > length) {
+      return buffer.slice(buffer.length - length); // truncate extra bytes from the start
+    } else if (buffer.length < length) {
+      const padded = new Uint8Array(length);
+      const start = length - buffer.length;
+      padded.set(Array(start).fill(0));
+      padded.set(buffer, start);
+      return padded;
+    }
+    return buffer;
+  }
+
+  private pad(message: Uint8Array): Uint8Array {
+    // ISO9797M2 implementation
+    const padLength = AES_BLOCK_SIZE - (message.length % AES_BLOCK_SIZE);
+    if (padLength === AES_BLOCK_SIZE) {
+      return message;
+    }
+    const padding = new Uint8Array(padLength);
+    padding[0] = 0x80;
+    padding.fill(0, 1);
+    return this.concat(message, padding);
+  }
+
+  private unpad(message: Uint8Array): Uint8Array {
+    // ISO9797M2 implementation
+    for (let i = message.length - 1; i >= 0; i--) {
+      if (message[i] === 0x80) {
+        return message.slice(0, i);
+      }
+      if (message[i] !== 0x00) {
+        return message;
+      }
+    }
+    throw new Error("Invalid padding");
+  }
+
+  async encrypt(secret: Uint8Array, nonce: Uint8Array, message: Uint8Array): Promise<Uint8Array> {
+    const normalizedSecret = this.normalizeKey(secret);
+    const normalizeNonce = this.normalizeNonce(nonce);
+    const cipher = crypto.createCipheriv("aes-256-gcm", normalizedSecret, normalizeNonce);
+    cipher.setAutoPadding(false);
+    let result = cipher.update(this.to_hex(message), "hex", "hex");
+    result += cipher.final("hex");
+    const bytes = this.from_hex(result);
+    return this.concat(bytes, cipher.getAuthTag());
+  }
+
+  async decrypt(
+    secret: Uint8Array,
+    nonce: Uint8Array,
+    ciphertext: Uint8Array,
+  ): Promise<Uint8Array> {
+    const normalizedSecret = this.normalizeKey(secret);
+    const normalizeNonce = this.normalizeNonce(nonce);
+    const encryptedData = ciphertext.slice(0, ciphertext.length - AES_BLOCK_SIZE);
+    const authTag = ciphertext.slice(encryptedData.length);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", normalizedSecret, normalizeNonce);
+    decipher.setAuthTag(authTag);
+    let result = decipher.update(this.to_hex(encryptedData), "hex", "hex");
+    result += decipher.final("hex");
+    return this.from_hex(result);
+  }
+
+  /**
+   * Ledger Live data are encrypted following pattern based on ECIES.
+   * For each encryption the Ledger Live instance generates a random keypair over secp256k1 (ephemeral public key)
+   * and a 16 bytes IV. Ledger Live then perform an ECDH between the command stream public key and
+   * the ephemeral private key to get the encryption key.
+   * The data is then encrypted using AES-256-GCM and serialized using the following format:
+1 byte : Version of the format (0x00)
+33 bytes : Compressed ephemeral public key
+16 bytes : Nonce/IV
+16 bytes : Tag/MAC (from AES-256-GCM)
+variable : Encrypted data
+   */
+  async encryptUserData(
+    commandStreamPrivateKey: Uint8Array,
+    data: Uint8Array,
+  ): Promise<Uint8Array> {
+    // Generate ephemeral key pair
+    const ephemeralKeypair = await this.randomKeypair();
+
+    // Derive the shared secret using ECDH
+    const sharedSecret = await this.ecdh(
+      await this.keypairFromSecretKey(commandStreamPrivateKey),
+      ephemeralKeypair.publicKey,
+    );
+
+    // Normalize the shared secret to be used as AES key
+    const aesKey = await this.computeSymmetricKey(sharedSecret, new Uint8Array());
+
+    // Generate a random IV (nonce)
+    const iv = crypto.randomBytes(16);
+
+    // Encrypt the data using AES-256-GCM
+    const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
+    let encryptedData = cipher.update(data);
+    encryptedData = Buffer.concat([encryptedData, cipher.final()]);
+    const tag = cipher.getAuthTag();
+
+    // Serialize the format
+    const result = new Uint8Array(
+      1 + ephemeralKeypair.publicKey.length + iv.length + tag.length + encryptedData.length,
+    );
+    result[0] = 0x00; // Version of the format
+    result.set(ephemeralKeypair.publicKey, 1);
+    result.set(iv, 34);
+    result.set(tag, 50);
+    result.set(encryptedData, 66);
+
+    return result;
+  }
+
+  async decryptUserData(
+    commandStreamPrivateKey: Uint8Array,
+    data: Uint8Array,
+  ): Promise<Uint8Array> {
+    const version = data[0];
+    if (version !== 0x00) {
+      throw new Error("Unsupported format version");
+    }
+    const ephemeralPublicKey = data.slice(1, 34);
+    const iv = data.slice(34, 50);
+    const tag = data.slice(50, 66);
+    const encryptedData = data.slice(66);
+
+    // Derive the shared secret using ECDH
+    const sharedSecret = await this.ecdh(
+      await this.keypairFromSecretKey(commandStreamPrivateKey),
+      ephemeralPublicKey,
+    );
+
+    // Normalize the shared secret to be used as AES key
+    const aesKey = await this.computeSymmetricKey(sharedSecret, new Uint8Array());
+
+    // Decrypt the data using AES-256-GCM
+    const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, iv);
+    decipher.setAuthTag(tag);
+    let decryptedData = decipher.update(encryptedData);
+    decryptedData = Buffer.concat([decryptedData, decipher.final()]);
+    return new Uint8Array(decryptedData.buffer, decryptedData.byteOffset, decryptedData.byteLength);
+  }
+
+  async randomBytes(size: number): Promise<Uint8Array> {
+    return crypto.randomBytes(size);
+  }
+
+  async ecdh(keyPair: KeyPair, publicKey: Uint8Array): Promise<Uint8Array> {
+    const pubkey = Buffer.from(publicKey);
+    const privkey = Buffer.from(keyPair.privateKey);
+    const point = ecc.pointMultiply(pubkey, privkey, ecc.isPointCompressed(pubkey))!;
+    return point.slice(1);
+  }
+
+  async computeSymmetricKey(privateKey: Uint8Array, extra: Uint8Array): Promise<Uint8Array> {
+    const digest = hmac("sha256", Buffer.from(extra)).update(Buffer.from(privateKey)).digest();
+    return digest;
+  }
+
+  async hash(message: Uint8Array): Promise<Uint8Array> {
+    return crypto.createHash("sha256").update(Buffer.from(message)).digest();
+  }
+
+  from_hex(hex: string): Uint8Array {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+      bytes[i / 2] = parseInt(hex[i] + hex[i + 1], 16);
+    }
+    return bytes;
+  }
+
+  to_hex(bytes?: Uint8Array | undefined | null): string {
+    return to_hex(bytes);
+  }
+}
+
+export function to_hex(bytes?: Uint8Array | undefined | null): string {
+  if (!bytes) {
+    return "";
+  }
+  return bytes.reduce((str, byte) => str + byte.toString(16).padStart(2, "0"), "");
+}

package/src/PublicKey.ts

@@ -0,0 +1,6 @@
+export class PublicKey {
+  publicKey: Uint8Array;
+  constructor(publicKey: Uint8Array) {
+    this.publicKey = publicKey;
+  }
+}