@swapkit/wallet-hardware 4.8.1 → 4.8.2

package/src/ledger/clients/thorchain/lib.ts

@@ -0,0 +1,258 @@
+import type Transport from "@ledgerhq/hw-transport";
+import { SwapKitError } from "@swapkit/helpers";
+
+import {
+  CHUNK_SIZE,
+  CLA,
+  ERROR_CODE,
+  errorCodeToString,
+  getVersion,
+  INS,
+  P1_VALUES,
+  P2_VALUES,
+  processErrorResponse,
+} from "./common";
+import {
+  publicKeyv1,
+  publicKeyv2,
+  serializePathv1,
+  serializePathv2,
+  signSendChunkv1,
+  signSendChunkv2,
+} from "./helpers";
+
+export class THORChainApp {
+  transport: Transport;
+  versionResponse: any;
+
+  constructor(transport: any) {
+    if (!transport) {
+      throw new SwapKitError("wallet_ledger_transport_not_defined");
+    }
+
+    this.transport = transport;
+  }
+
+  static serializeHRP(hrp: string) {
+    if (hrp == null || hrp.length < 3 || hrp.length > 83) {
+      throw new SwapKitError("wallet_ledger_invalid_params", { reason: "Invalid HRP" });
+    }
+    const buf = Buffer.alloc(1 + hrp.length);
+    buf.writeUInt8(hrp.length, 0);
+    buf.write(hrp, 1);
+    return buf;
+  }
+
+  async serializePath(path: number[]) {
+    this.versionResponse = await getVersion(this.transport);
+
+    if (this.versionResponse.return_code !== ERROR_CODE.NoError) {
+      throw this.versionResponse;
+    }
+
+    switch (this.versionResponse.major) {
+      case 1:
+        return serializePathv1(path);
+      case 2:
+        return serializePathv2(path);
+      default:
+        return Buffer.alloc(0);
+    }
+  }
+
+  async signGetChunks(path: number[], buffer: Buffer) {
+    const serializedPath = await this.serializePath(path);
+
+    const chunks = [];
+    chunks.push(serializedPath);
+
+    for (let i = 0; i < buffer.length; i += CHUNK_SIZE) {
+      let end = i + CHUNK_SIZE;
+      if (i > buffer.length) {
+        end = buffer.length;
+      }
+      chunks.push(buffer.slice(i, end));
+    }
+
+    return chunks;
+  }
+
+  async getVersion() {
+    try {
+      this.versionResponse = await getVersion(this.transport);
+      return this.versionResponse;
+    } catch (e) {
+      return processErrorResponse(e);
+    }
+  }
+
+  appInfo() {
+    return this.transport.send(0xb0, 0x01, 0, 0).then((response: any) => {
+      const returnCode = response.readUInt16BE(response.length - 2);
+
+      let appName = "";
+      let appVersion = "";
+      let flagLen = 0;
+      let flagsValue = 0;
+
+      if (response[0] !== 1) {
+        // Ledger responds with format ID 1. There is no spec for any format != 1
+        return { error_message: "response format ID not recognized", return_code: 0x9001 };
+      }
+
+      const appNameLen = response[1];
+      appName = response.slice(2, 2 + appNameLen).toString("ascii");
+      let idx = 2 + appNameLen;
+      const appVersionLen = response[idx];
+      idx += 1;
+      appVersion = response.slice(idx, idx + appVersionLen).toString("ascii");
+      idx += appVersionLen;
+      const appFlagsLen = response[idx];
+      idx += 1;
+      flagLen = appFlagsLen;
+      flagsValue = response[idx];
+
+      return {
+        appName,
+        appVersion,
+        error_message: errorCodeToString(returnCode),
+        flag_onboarded: (flagsValue & 4) !== 0,
+        flag_pin_validated: (flagsValue & 128) !== 0,
+        flag_recovery: (flagsValue & 1) !== 0,
+        flag_signed_mcu_code: (flagsValue & 2) !== 0,
+        flagLen,
+        flagsValue,
+        return_code: returnCode,
+      };
+    }, processErrorResponse);
+  }
+
+  deviceInfo() {
+    return this.transport
+      .send(0xe0, 0x01, 0, 0, Buffer.from([]), [ERROR_CODE.NoError, 0x6e00])
+      .then((response: any) => {
+        const errorCodeData = response.slice(-2);
+        const returnCode = errorCodeData[0] * 256 + errorCodeData[1];
+
+        if (returnCode === 0x6e00) {
+          return { error_message: "This command is only available in the Dashboard", return_code: returnCode };
+        }
+
+        const targetId = response.slice(0, 4).toString("hex");
+
+        let pos = 4;
+        const secureElementVersionLen = response[pos];
+        pos += 1;
+        const seVersion = response.slice(pos, pos + secureElementVersionLen).toString();
+        pos += secureElementVersionLen;
+
+        const flagsLen = response[pos];
+        pos += 1;
+        const flag = response.slice(pos, pos + flagsLen).toString("hex");
+        pos += flagsLen;
+
+        const mcuVersionLen = response[pos];
+        pos += 1;
+        // Patch issue in mcu version
+        let tmp = response.slice(pos, pos + mcuVersionLen);
+        if (tmp[mcuVersionLen - 1] === 0) {
+          tmp = response.slice(pos, pos + mcuVersionLen - 1);
+        }
+        const mcuVersion = tmp.toString();
+
+        return {
+          error_message: errorCodeToString(returnCode),
+          flag,
+          mcuVersion,
+          return_code: returnCode,
+          seVersion,
+          // //
+          targetId,
+        };
+      }, processErrorResponse);
+  }
+
+  async publicKey(path: number[]) {
+    try {
+      const serializedPath = await this.serializePath(path);
+
+      switch (this.versionResponse.major) {
+        case 1:
+          return publicKeyv1(this, serializedPath);
+        case 2: {
+          const data = Buffer.concat([THORChainApp.serializeHRP("thor"), serializedPath]);
+          return publicKeyv2(this, data);
+        }
+        default:
+          return { error_message: "App Version is not supported", return_code: 0x6400 };
+      }
+    } catch (e) {
+      return processErrorResponse(e);
+    }
+  }
+
+  async getAddressAndPubKey(path: number[], hrp: string, showInDevice = false) {
+    try {
+      const serializedPath = await this.serializePath(path);
+      const data = Buffer.concat([THORChainApp.serializeHRP(hrp), serializedPath]);
+      const response = await this.transport.send(
+        CLA,
+        INS.GET_ADDR_SECP256K1,
+        showInDevice ? P1_VALUES.SHOW_ADDRESS_IN_DEVICE : P1_VALUES.ONLY_RETRIEVE,
+        0,
+        data,
+        [ERROR_CODE.NoError],
+      );
+
+      const compressedPk = Buffer.from(response.slice(0, 33));
+      const bech32Address = Buffer.from(response.slice(33, -2)).toString();
+      const returnCode = response.readUInt16BE(response.length - 2);
+
+      return {
+        bech32_address: bech32Address,
+        compressed_pk: compressedPk,
+        error_message: errorCodeToString(returnCode),
+        return_code: returnCode,
+      };
+    } catch (err) {
+      return processErrorResponse(err);
+    }
+  }
+
+  showAddressAndPubKey(path: number[], hrp: string) {
+    return this.getAddressAndPubKey(path, hrp, true);
+  }
+
+  signSendChunk(chunkIdx: number, chunkNum: number, chunk: Buffer, txType = P2_VALUES.JSON) {
+    switch (this.versionResponse.major) {
+      case 1:
+        return signSendChunkv1(this, chunkIdx, chunkNum, chunk, txType);
+      case 2:
+        return signSendChunkv2(this, chunkIdx, chunkNum, chunk, txType);
+      default:
+        return { error_message: "App Version is not supported", return_code: 0x6400 };
+    }
+  }
+
+  async sign(path: number[], message: string, txType = P2_VALUES.JSON) {
+    const buffer = Buffer.from(message);
+    let chunks: Buffer[] = [];
+    let response: any;
+    try {
+      chunks = await this.signGetChunks(path, buffer);
+      response = await this.signSendChunk(1, chunks.length, chunks[0] as Buffer, txType);
+    } catch (error) {
+      processErrorResponse(error);
+    }
+    let result = { error_message: response.error_message, return_code: response.return_code, signature: null };
+
+    for (let i = 1; i < chunks.length; i += 1) {
+      result = await this.signSendChunk(1 + i, chunks.length, chunks[i] as Buffer, txType);
+      if (result.return_code !== ERROR_CODE.NoError) {
+        break;
+      }
+    }
+
+    return { error_message: result.error_message, return_code: result.return_code, signature: result.signature };
+  }
+}

package/src/ledger/clients/thorchain/utils.ts

@@ -0,0 +1,69 @@
+import { base64 } from "@scure/base";
+import { SwapKitError } from "@swapkit/helpers";
+
+export const getSignature = (signatureArray: any) => {
+  // Check Type Length Value encoding
+  if (signatureArray.length < 64) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", { reason: "Too short" });
+  }
+  if (signatureArray[0] !== 0x30) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", { reason: "TLV encoding: expected first byte 0x30" });
+  }
+  if (signatureArray[1] + 2 !== signatureArray.length) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", { reason: "signature length does not match TLV" });
+  }
+  if (signatureArray[2] !== 0x02) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", { reason: "TLV encoding: expected length type 0x02" });
+  }
+
+  // r signature
+  const rLength = signatureArray[3];
+  let rSignature = signatureArray.slice(4, rLength + 4);
+
+  // Drop leading zero on some 'r' signatures that are 33 bytes.
+  if (rSignature.length === 33 && rSignature[0] === 0) {
+    rSignature = rSignature.slice(1, 33);
+  } else if (rSignature.length === 33) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", { reason: "r too long" });
+  }
+
+  // add leading zero's to pad to 32 bytes
+  while (rSignature.length < 32) {
+    rSignature.unshift(0);
+  }
+
+  // s signature
+  if (signatureArray[rLength + 4] !== 0x02) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", {
+      reason: "TLV encoding: expected length type 0x02 for s",
+    });
+  }
+
+  const sLength = signatureArray[rLength + 5];
+
+  if (4 + rLength + 2 + sLength !== signatureArray.length) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", {
+      reason: "TLV byte lengths do not match message length",
+    });
+  }
+
+  let sSignature = signatureArray.slice(rLength + 6, signatureArray.length);
+
+  // Drop leading zero on 's' signatures that are 33 bytes. This shouldn't occur since ledger signs using "Small s" math. But just to be sure...
+  if (sSignature.length === 33 && sSignature[0] === 0) {
+    sSignature = sSignature.slice(1, 33);
+  } else if (sSignature.length === 33) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", { reason: "s too long" });
+  }
+
+  // add leading zero's to pad to 32 bytes
+  while (sSignature.length < 32) {
+    sSignature.unshift(0);
+  }
+
+  if (rSignature.length !== 32 || sSignature.length !== 32) {
+    throw new SwapKitError("wallet_ledger_invalid_signature", { reason: "must be 32 bytes each" });
+  }
+
+  return base64.encode(Buffer.concat([rSignature, sSignature]));
+};

package/src/ledger/clients/tron.ts

@@ -0,0 +1,85 @@
+import type TronApp from "@ledgerhq/hw-app-trx";
+import {
+  type DerivationPathArray,
+  derivationPathToString,
+  NetworkDerivationPath,
+  SwapKitError,
+} from "@swapkit/helpers";
+import type { TronSignedTransaction, TronSigner, TronTransaction } from "@swapkit/toolboxes/tron";
+
+import { getLedgerTransport } from "../helpers/getLedgerTransport";
+
+export class TronLedgerInterface implements TronSigner {
+  derivationPath: string;
+  ledgerApp: InstanceType<typeof TronApp> | null = null;
+  ledgerTimeout = 50000;
+
+  constructor(derivationPath?: DerivationPathArray | string) {
+    this.derivationPath =
+      typeof derivationPath === "string"
+        ? derivationPath
+        : derivationPathToString(derivationPath || NetworkDerivationPath.TRON);
+  }
+
+  checkOrCreateTransportAndLedger = async () => {
+    if (this.ledgerApp) return;
+    await this.createTransportAndLedger();
+  };
+
+  createTransportAndLedger = async () => {
+    const transport = await getLedgerTransport();
+    const TronApp = (await import("@ledgerhq/hw-app-trx")).default;
+
+    this.ledgerApp = new TronApp(transport);
+  };
+
+  getAddress = async (): Promise<string> => {
+    const response = await this.getAddressAndPubKey();
+    if (!response) throw new SwapKitError("wallet_ledger_failed_to_get_address");
+    return response.address;
+  };
+
+  getAddressAndPubKey = async () => {
+    await this.createTransportAndLedger();
+    const result = await this.ledgerApp?.getAddress(this.derivationPath);
+
+    if (!result) throw new SwapKitError("wallet_ledger_failed_to_get_address");
+
+    return { address: result.address, publicKey: result.publicKey };
+  };
+
+  showAddressAndPubKey = async () => {
+    await this.createTransportAndLedger();
+    return this.ledgerApp?.getAddress(this.derivationPath, true);
+  };
+
+  signTransaction = async (transaction: TronTransaction): Promise<TronSignedTransaction> => {
+    await this.createTransportAndLedger();
+
+    if (!this.ledgerApp) {
+      throw new SwapKitError("wallet_ledger_transport_error");
+    }
+
+    // Tron transactions need to be serialized before signing
+    const serializedTx = JSON.stringify(transaction);
+
+    try {
+      const signature = await this.ledgerApp.signTransaction(
+        this.derivationPath,
+        serializedTx,
+        [], // Token signatures array - empty for native TRX transfers
+      );
+
+      if (!signature) {
+        throw new SwapKitError("wallet_ledger_signing_error");
+      }
+
+      // Return the signed transaction in Tron's expected format
+      return { ...transaction, signature: [signature] };
+    } catch (error) {
+      throw new SwapKitError("wallet_ledger_signing_error", { error });
+    }
+  };
+}
+
+export const TronLedger = (derivationPath?: DerivationPathArray) => new TronLedgerInterface(derivationPath);

package/src/ledger/clients/utxo-legacy-adapter.ts

@@ -0,0 +1,71 @@
+import { hex } from "@scure/base";
+import type { UTXOChain } from "@swapkit/helpers";
+import type { UTXOType } from "@swapkit/toolboxes/utxo";
+import type { Transaction } from "@swapkit/utxo-signer";
+
+/**
+ * Extract per-input metadata from a V3 PSBT in the shape the legacy
+ * `@ledgerhq/hw-app-btc.createPaymentTransaction` adapter expects.
+ *
+ * For segwit inputs the SwapKit V3 API populates `witnessUtxo`; for legacy
+ * (BCH/DOGE/DASH) it populates `nonWitnessUtxo` with the full prior-tx bytes.
+ * We re-encode the parsed `nonWitnessUtxo` back to hex via `RawTx.encode` so
+ * `btcApp.splitTransaction(hex)` can consume it.
+ *
+ * Single-address account assumption: all inputs share our derivation path.
+ */
+export async function extractInputsFromPsbt(tx: Transaction): Promise<UTXOType[]> {
+  const { RawTx } = await import("@swapkit/utxo-signer");
+  const inputs: UTXOType[] = [];
+
+  for (let i = 0; i < tx.inputsLength; i++) {
+    const input = tx.getInput(i);
+
+    if (!input.txid || input.index === undefined) {
+      throw new Error(`PSBT input ${i} is missing txid/index`);
+    }
+
+    const txHex = input.nonWitnessUtxo ? hex.encode(RawTx.encode(input.nonWitnessUtxo)) : "";
+    const witnessUtxo = input.witnessUtxo
+      ? { script: input.witnessUtxo.script, value: Number(input.witnessUtxo.amount) }
+      : undefined;
+
+    inputs.push({
+      hash: hex.encode(input.txid),
+      index: input.index,
+      txHex,
+      value: witnessUtxo?.value ?? 0,
+      witnessUtxo,
+    } as UTXOType);
+  }
+
+  return inputs;
+}
+
+/**
+ * Build a toolbox-compatible signer from the existing legacy Ledger UTXO
+ * client. The toolbox synthesizes `signAndBroadcastTransaction` on top of
+ * `signer.signTransaction(tx) → Transaction`.
+ */
+export function createLegacyPsbtSigner({
+  legacyClient,
+  chain: _chain,
+  address,
+}: {
+  legacyClient: { signTransaction: (tx: Transaction, inputUtxos: UTXOType[]) => Promise<string> };
+  chain: UTXOChain;
+  address: string;
+}) {
+  return {
+    getAddress: async () => address,
+    signTransaction: async (tx: Transaction): Promise<Transaction> => {
+      const inputUtxos = await extractInputsFromPsbt(tx);
+      const signedTxHex = await legacyClient.signTransaction(tx, inputUtxos);
+
+      const { Transaction: TxClass } = await import("@swapkit/utxo-signer");
+      // `Transaction.fromRaw` parses a serialised tx (no PSBT envelope) — exactly
+      // what `createPaymentTransaction` returns.
+      return TxClass.fromRaw(hex.decode(signedTxHex));
+    },
+  };
+}

package/src/ledger/clients/utxo-psbt.ts

@@ -0,0 +1,145 @@
+import { base64 } from "@scure/base";
+import { HDKey } from "@scure/bip32";
+import { type DerivationPathArray, derivationPathToString, getWalletFormatFor, SwapKitError } from "@swapkit/helpers";
+import type { Transaction } from "@swapkit/utxo-signer";
+
+import { getLedgerTransport } from "../helpers/getLedgerTransport";
+
+type SupportedCoin = "bitcoin" | "litecoin";
+
+type DefaultDescriptorTemplate = "wpkh(@0/**)" | "tr(@0/**)" | "sh(wpkh(@0/**))" | "pkh(@0/**)";
+
+function templateForFormat(format: ReturnType<typeof getWalletFormatFor>): DefaultDescriptorTemplate {
+  switch (format) {
+    case "bech32":
+      return "wpkh(@0/**)";
+    case "p2sh":
+      return "sh(wpkh(@0/**))";
+    case "legacy":
+      return "pkh(@0/**)";
+    default:
+      return "wpkh(@0/**)";
+  }
+}
+
+function pathToString(path: DerivationPathArray | string): string {
+  return typeof path === "string" ? path : derivationPathToString(path);
+}
+
+function pathToNumberArray(path: string): number[] {
+  return path
+    .replace(/^m\//, "")
+    .split("/")
+    .filter(Boolean)
+    .map((p) => {
+      const hardened = p.endsWith("'");
+      const num = Number.parseInt(hardened ? p.slice(0, -1) : p, 10);
+      return hardened ? (num | 0x80000000) >>> 0 : num;
+    });
+}
+
+const BaseLedgerPsbtUTXO = ({ chain }: { chain: SupportedCoin }) => {
+  let appClient: import("ledger-bitcoin").AppClient | undefined;
+  let masterFingerprint: string | undefined;
+
+  async function getAppClient() {
+    if (!appClient) {
+      const transport = await getLedgerTransport();
+      const { AppClient } = await import("ledger-bitcoin");
+      appClient = new AppClient(transport);
+    }
+    return appClient;
+  }
+
+  async function getFingerprint() {
+    if (!masterFingerprint) {
+      const app = await getAppClient();
+      masterFingerprint = await app.getMasterFingerprint();
+    }
+    return masterFingerprint;
+  }
+
+  return (derivationPathArray?: DerivationPathArray | string) => {
+    // Single-address account: change == index == 0 by default.
+    const derivationPath = derivationPathArray ? pathToString(derivationPathArray) : "84'/0'/0'/0/0";
+    const accountPath = derivationPath.split("/").slice(0, 3).join("/");
+    const leafSegments = derivationPath.split("/").slice(3);
+    const change = Number(leafSegments[0] ?? 0);
+    const addressIndex = Number(leafSegments[1] ?? 0);
+    const format = getWalletFormatFor(derivationPath);
+    const template = templateForFormat(format);
+
+    let cachedAccountXpub: string | undefined;
+    let cachedLeafPubkey: Uint8Array | undefined;
+
+    async function buildPolicy() {
+      const app = await getAppClient();
+      const fpr = await getFingerprint();
+      if (!cachedAccountXpub) {
+        cachedAccountXpub = await app.getExtendedPubkey(`m/${accountPath}`);
+      }
+      const { DefaultWalletPolicy } = await import("ledger-bitcoin");
+      const policy = new DefaultWalletPolicy(template, `[${fpr}/${accountPath}]${cachedAccountXpub}`);
+      return { app, fpr, policy, xpub: cachedAccountXpub };
+    }
+
+    async function getLeafPubkey() {
+      if (!cachedLeafPubkey) {
+        const { xpub } = await buildPolicy();
+        const accountKey = HDKey.fromExtendedKey(xpub);
+        const leaf = accountKey.derive(`m/${change}/${addressIndex}`);
+        if (!leaf.publicKey) {
+          throw new SwapKitError("wallet_ledger_get_address_error", {
+            message: `Cannot derive leaf pubkey for ${chain}`,
+          });
+        }
+        cachedLeafPubkey = leaf.publicKey;
+      }
+      return cachedLeafPubkey;
+    }
+
+    return {
+      connect: async () => {
+        await getAppClient();
+      },
+      getAddress: async () => {
+        const { app, policy } = await buildPolicy();
+        const address = await app.getWalletAddress(policy, null, change, addressIndex, false);
+        if (!address) {
+          throw new SwapKitError("wallet_ledger_get_address_error", {
+            message: `Cannot get ${chain} address from ledger derivation path: ${derivationPath}`,
+          });
+        }
+        return address;
+      },
+      getExtendedPublicKey: async (path = `m/${accountPath}`) => {
+        const app = await getAppClient();
+        return app.getExtendedPubkey(path);
+      },
+      signTransaction: async (tx: Transaction): Promise<Transaction> => {
+        const { app, policy, fpr } = await buildPolicy();
+        const fingerprintBE = Number.parseInt(fpr, 16) >>> 0;
+        const pathNumbers = pathToNumberArray(derivationPath);
+        const leafPubkey = await getLeafPubkey();
+
+        // Single-address account: every input is owned by the same key + path.
+        for (let i = 0; i < tx.inputsLength; i++) {
+          tx.updateInput(i, { bip32Derivation: [[leafPubkey, { fingerprint: fingerprintBE, path: pathNumbers }]] });
+        }
+
+        const psbtB64 = base64.encode(tx.toPSBT(0));
+        const sigs = await app.signPsbt(psbtB64, policy, null);
+
+        for (const [idx, partial] of sigs) {
+          tx.updateInput(idx, { partialSig: [[new Uint8Array(partial.pubkey), new Uint8Array(partial.signature)]] });
+        }
+
+        tx.finalize();
+        return tx;
+      },
+    };
+  };
+};
+
+export const BitcoinPsbtLedger = BaseLedgerPsbtUTXO({ chain: "bitcoin" });
+export const LitecoinPsbtLedger = BaseLedgerPsbtUTXO({ chain: "litecoin" });