feat: use deciphered seed for xud key

This changes the way the xud node key is derived from the recovery
mnemonic to use the deciphered seed - which does not contain salt and
certain error checking bytes - rather than the enciphered seed. This
is to ensure that the same node key is derived from a recovery seed
regardless of how it is enciphered using salt and an aezeed password.

Author: sangaman

Diff for: lib/lndclient/LndClient.ts

@@ -774,11 +774,11 @@ class LndClient extends SwapClient {
     return this.unaryCall<lndrpc.QueryRoutesRequest, lndrpc.QueryRoutesResponse>('queryRoutes', request);
   }
 
-  public genSeed = async (): Promise<lndrpc.GenSeedResponse.AsObject> => {
+  public genSeed = async () => {
     const genSeedResponse = await this.unaryWalletUnlockerCall<lndrpc.GenSeedRequest, lndrpc.GenSeedResponse>(
       'genSeed', new lndrpc.GenSeedRequest(),
     );
-    return genSeedResponse.toObject();
+    return genSeedResponse.getCipherSeedMnemonicList();
   }
 
   public initWallet = async (walletPassword: string, seedMnemonic: string[]): Promise<lndrpc.InitWalletResponse.AsObject> => {

Diff for: lib/nodekey/NodeKey.ts

@@ -8,17 +8,13 @@ import { createCipheriv, createDecipheriv, createHash } from 'crypto';
  * and can sign messages to prove their veracity.
  */
 class NodeKey {
-  /**
-   * The public key in hex string format.
-   */
-  public readonly pubKey: string;
-
   private static ENCRYPTION_IV_LENGTH = 16;
 
-  constructor(public readonly privKey: Buffer) {
-    const pubKey = secp256k1.publicKeyCreate(privKey);
-    this.pubKey = pubKey.toString('hex');
-  }
+  /**
+   * @param privKey The 32 byte private key
+   * @param pubKey The public key in hex string format.
+   */
+  constructor(public readonly privKey: Buffer, public readonly pubKey: string) { }
 
   /**
    * Generates a random NodeKey.
@@ -29,7 +25,27 @@ class NodeKey {
       privKey = await randomBytes(32);
     } while (!secp256k1.privateKeyVerify(privKey));
 
-    return new NodeKey(privKey);
+    return NodeKey.fromBytes(privKey);
+  }
+
+  /**
+   * Converts a buffer of bytes to a NodeKey. Uses the first 32 bytes from the buffer to generate
+   * the private key. If the buffer has fewer than 32 bytes, the buffer is right-padded with zeros.
+   */
+  public static fromBytes = (bytes: Buffer): NodeKey => {
+    let privKey: Buffer;
+    if (bytes.byteLength === 32) {
+      privKey = bytes;
+    } else if (bytes.byteLength < 32) {
+      privKey = Buffer.concat([bytes, Buffer.alloc(32 - bytes.byteLength)]);
+    } else {
+      privKey = bytes.slice(0, 32);
+    }
+
+    const pubKeyBytes = secp256k1.publicKeyCreate(privKey);
+    const pubKey = pubKeyBytes.toString('hex');
+
+    return new NodeKey(privKey, pubKey);
   }
 
   private static getCipherKey = (password: string) => {
@@ -58,7 +74,7 @@ class NodeKey {
       privKey = fileBuffer;
     }
     if (secp256k1.privateKeyVerify(privKey)) {
-      return new NodeKey(privKey);
+      return NodeKey.fromBytes(privKey);
     } else {
       throw new Error(`${path} does not contain a valid ECDSA private key`);
     }

Diff for: lib/service/InitService.ts

@@ -2,9 +2,8 @@ import { EventEmitter } from 'events';
 import NodeKey from '../nodekey/NodeKey';
 import swapErrors from '../swaps/errors';
 import SwapClientManager from '../swaps/SwapClientManager';
+import { decipher } from '../utils/seedutil';
 import errors from './errors';
-import assert = require('assert');
-import { encipher } from '../utils/seedutil';
 
 interface InitService {
   once(event: 'nodekey', listener: (nodeKey: NodeKey) => void): this;
@@ -27,18 +26,13 @@ class InitService extends EventEmitter {
     await this.prepareCall();
 
     try {
-      const seed = await this.swapClientManager.genSeed();
+      const seedMnemonic = await this.swapClientManager.genSeed();
 
-      const seedBytes = typeof seed.encipheredSeed === 'string' ?
-        Buffer.from(seed.encipheredSeed, 'base64') :
-        Buffer.from(seed.encipheredSeed);
-      assert.equal(seedBytes.length, 33);
-
-      // the seed is 33 bytes, the first byte of which is the version
-      // so we use the remaining 32 bytes to generate our private key
+      // we use the deciphered seed (without the salt and extra fields that make up the enciphered seed)
+      // to generate an xud nodekey from the same seed used for wallets
       // TODO: use seedutil tool to derive a child private key from deciphered seed key?
-      const privKey = Buffer.from(seedBytes.slice(1));
-      const nodeKey = new NodeKey(privKey);
+      const decipheredSeed = await decipher(seedMnemonic);
+      const nodeKey = NodeKey.fromBytes(decipheredSeed);
 
       // use this seed to init any lnd wallets that are uninitialized
       const initWalletResult = await this.swapClientManager.initWallets(password, seed.cipherSeedMnemonicList);
@@ -50,7 +44,7 @@ class InitService extends EventEmitter {
       return {
         initializedLndWallets,
         initializedRaiden,
-        mnemonic: seed ? seed.cipherSeedMnemonicList : undefined,
+        mnemonic: seedMnemonic,
       };
     } finally {
       this.pendingCall = false;
@@ -85,13 +79,8 @@ class InitService extends EventEmitter {
     await this.prepareCall();
 
     try {
-      const seedBytes = await encipher(seedMnemonicList);
-
-      // the seed is 33 bytes, the first byte of which is the version
-      // so we use the remaining 32 bytes to generate our private key
-      // TODO: use seedutil tool to derive a child private key from deciphered seed key?
-      const privKey = Buffer.from(seedBytes.slice(1));
-      const nodeKey = new NodeKey(privKey);
+      const decipheredSeed = await decipher(seedMnemonicList);
+      const nodeKey = NodeKey.fromBytes(decipheredSeed);
 
       // use this seed to restore any lnd wallets that are uninitialized
       const initWalletResult = await this.swapClientManager.initWallets(password, seedMnemonicList);

Diff for: lib/utils/seedutil.ts

@@ -38,4 +38,15 @@ async function encipher(mnemonic: string[]) {
   return Buffer.from(encipheredSeed, 'hex');
 }
 
-export { keystore, encipher };
+async function decipher(mnemonic: string[]) {
+  const { stdout, stderr } = await exec(`./seedutil/seedutil decipher ${mnemonic.join(' ')}`);
+
+  if (stderr) {
+    throw new Error(stderr);
+  }
+
+  const decipheredSeed = stdout.trim();
+  return Buffer.from(decipheredSeed, 'hex');
+}
+
+export { keystore, encipher, decipher };

Diff for: seedutil/SeedUtil.spec.ts

@@ -46,6 +46,7 @@ const ERRORS = {
   MISSING_ENCRYPTION_PASSWORD: 'expecting encryption password',
   INVALID_AEZEED: 'invalid aezeed',
   KEYSTORE_FILE_ALREADY_EXISTS: 'account already exists',
+  INVALID_PASSPHRASE: 'invalid passphrase',
 };
 
 const PASSWORD = 'wasspord';
@@ -102,6 +103,35 @@ describe('SeedUtil encipher', () => {
   });
 });
 
+describe('SeedUtil decipher', () => {
+  test('it errors with no arguments', async () => {
+    await expect(executeCommand('./seedutil/seedutil decipher'))
+      .rejects.toThrow(ERRORS.INVALID_ARGS_LENGTH);
+  });
+
+  test('it errors with 23 words', async () => {
+    const cmd = `./seedutil/seedutil decipher ${VALID_SEED.seedWords.slice(0, 23).join(' ')}`;
+    await expect(executeCommand(cmd))
+      .rejects.toThrow(ERRORS.INVALID_ARGS_LENGTH);
+  });
+
+  test('it errors with 24 words and invalid aezeed password', async () => {
+    const cmd = `./seedutil/seedutil decipher ${VALID_SEED.seedWords.join(' ')}`;
+    await expect(executeCommand(cmd))
+      .rejects.toThrow(ERRORS.INVALID_PASSPHRASE);
+  });
+
+  test('it succeeds with 24 words, valid aezeed password', async () => {
+    const cmd = `./seedutil/seedutil decipher -aezeedpass=${VALID_SEED.seedPassword} ${VALID_SEED.seedWords.join(' ')}`;
+    await expect(executeCommand(cmd)).resolves.toMatchSnapshot();
+  });
+
+  test('it succeeds with 24 words, no aezeed password', async () => {
+    const cmd = `./seedutil/seedutil decipher ${VALID_SEED_NO_PASS.seedWords.join(' ')}`;
+    await expect(executeCommand(cmd)).resolves.toMatchSnapshot();
+  });
+});
+
 describe('SeedUtil keystore', () => {
   beforeEach(async () => {
     await deleteDir(DEFAULT_KEYSTORE_PATH);

Diff for: seedutil/__snapshots__/SeedUtil.spec.ts.snap

@@ -1,5 +1,15 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`SeedUtil decipher it succeeds with 24 words, no aezeed password 1`] = `
+"000f4b8aab5f566c2dc3be2675a537fedcb9ad
+"
+`;
+
+exports[`SeedUtil decipher it succeeds with 24 words, valid aezeed password 1`] = `
+"000ecd52fdfc072182654f163f5f0f9a621d72
+"
+`;
+
 exports[`SeedUtil encipher it succeeds with 24 words, no aezeed password 1`] = `
 "00738860374692022c462027a35aaaef3c3289aa0a057e2600000000002cad2e2b
 "

Diff for: seedutil/main.go

@@ -26,16 +26,20 @@ var (
 	defaultKeyStorePath = filepath.Join(filepath.Dir(os.Args[0]))
 )
 
-func parseSeed(args []string, aezeedPassphrase *string) *aezeed.CipherSeed {
-	if len(args) < aezeed.NummnemonicWords {
+func parseMnemonic(words []string) aezeed.Mnemonic{
+	if len(words) < aezeed.NummnemonicWords {
 		fmt.Fprintf(os.Stderr, "\nerror: expecting %v-word mnemonic seed separated by spaces\n", aezeed.NummnemonicWords)
 		os.Exit(1)
 	}
 
 	// parse seed from args
 	var mnemonic aezeed.Mnemonic
-	copy(mnemonic[:], args[0:24])
+	copy(mnemonic[:], words[0:24])
 
+	return mnemonic
+}
+
+func mnemonicToCipherSeed(mnemonic aezeed.Mnemonic, aezeedPassphrase *string) *aezeed.CipherSeed {
 	// map back to cipher
 	aezeedPassphraseBytes := []byte(*aezeedPassphrase)
 	cipherSeed, err := mnemonic.ToCipherSeed(aezeedPassphraseBytes)
@@ -50,9 +54,10 @@ func parseSeed(args []string, aezeedPassphrase *string) *aezeed.CipherSeed {
 func main() {
 	keystoreCommand := flag.NewFlagSet("keystore", flag.ExitOnError)
 	encipherCommand := flag.NewFlagSet("encipher", flag.ExitOnError)
+	mnemonicCommand := flag.NewFlagSet("mnemonic", flag.ExitOnError)
 
 	if len(os.Args) < 2 {
-		fmt.Println("keystore or encipher subcommand is required")
+		fmt.Println("subcommand is required")
 		os.Exit(1)
 	}
 
@@ -65,7 +70,8 @@ func main() {
 		keystoreCommand.Parse(os.Args[2:])
 		args = keystoreCommand.Args()
 
-		cipherSeed := parseSeed(args, aezeedPassphrase)
+		mnemonic := parseMnemonic(args)
+		cipherSeed := mnemonicToCipherSeed(mnemonic, aezeedPassphrase)
 
 		// derive 64-byte key from cipherSeed's 16 bytes of entropy
 		hmac512 := hmac.New(sha512.New, masterKey)
@@ -105,11 +111,24 @@ func main() {
 		encipherCommand.Parse(os.Args[2:])
 		args = encipherCommand.Args()
 
-		cipherSeed := parseSeed(args, aezeedPassphrase)
+		mnemonic := parseMnemonic(args)
+		cipherSeed := mnemonicToCipherSeed(mnemonic, aezeedPassphrase)
+
 		encipheredSeed, _ := cipherSeed.Encipher([]byte(*aezeedPassphrase))
-		enciphedSeedArr := make([]byte, 33)
-		copy(enciphedSeedArr[:], encipheredSeed[:])
-		fmt.Println(hex.EncodeToString(enciphedSeedArr))
+		fmt.Println(hex.EncodeToString(encipheredSeed[:]))
+	case "decipher":
+		aezeedPassphrase := mnemonicCommand.String("aezeedpass", defaultAezeedPassphrase, "aezeed passphrase")
+		mnemonicCommand.Parse(os.Args[2:])
+		args = mnemonicCommand.Args()
+
+		mnemonic := parseMnemonic(args)
+		decipheredSeed, err := mnemonic.Decipher([]byte(*aezeedPassphrase))
+		if err != nil {
+			fmt.Fprintln(os.Stderr, err)
+			os.Exit(1)
+		}
+
+		fmt.Println(hex.EncodeToString(decipheredSeed[:]))
 	default:
 		flag.PrintDefaults()
 		os.Exit(1)

Diff for: test/jest/Backup.spec.ts

@@ -88,8 +88,6 @@ describe('Backup', () => {
   });
 
   test('should write LND backups on new event', () => {
-    expect(onListenerMock).toBeCalledTimes(2);
-
     channelBackupCallback(backups.lnd.event);
 
     expect(

Diff for: test/jest/NodeKey.spec.ts

@@ -0,0 +1,56 @@
+import NodeKey from '../../lib/nodekey/NodeKey';
+import secp256k1 from 'secp256k1';
+import { getTempDir } from '../utils';
+
+function validateNodeKey(nodeKey: NodeKey) {
+  expect(nodeKey.pubKey).toHaveLength(66);
+  expect(secp256k1.privateKeyVerify(nodeKey['privKey'])).toEqual(true);
+  expect(secp256k1.publicKeyVerify(Buffer.from(nodeKey.pubKey, 'hex'))).toEqual(true);
+}
+
+describe('NodeKey', () => {
+  test('it should generate a valid node key', async () => {
+    const nodeKey = await NodeKey['generate']();
+    validateNodeKey(nodeKey);
+  });
+
+  test('it should write a nodekey to disk and read it back without encryption', async () => {
+    const nodeKey = await NodeKey['generate']();
+    const path = NodeKey.getPath(getTempDir(true));
+    await nodeKey.toFile(path);
+    const nodeKeyFromDisk = await NodeKey.fromFile(path);
+    expect(nodeKey.privKey.compare(nodeKeyFromDisk.privKey)).toEqual(0);
+  });
+
+  test('it should write a nodekey to disk and read it back with encryption', async () => {
+    const password = 'wasspord';
+    const nodeKey = await NodeKey['generate']();
+    const path = NodeKey.getPath(getTempDir(true));
+    await nodeKey.toFile(path, password);
+    const nodeKeyFromDisk = await NodeKey.fromFile(path, password);
+    expect(nodeKey.privKey.compare(nodeKeyFromDisk.privKey)).toEqual(0);
+  });
+
+  test('it should write a nodekey to disk with encryption and fail reading it with the wrong password', async () => {
+    const password = 'wasspord';
+    const nodeKey = await NodeKey['generate']();
+    const path = NodeKey.getPath(getTempDir(true));
+    await nodeKey.toFile(path, password);
+    await expect(NodeKey.fromFile(path, 'wrongpassword')).rejects.toThrow();
+  });
+
+  test('it should create a valid nodekey from a 32 byte buffer', async () => {
+    const nodeKey = NodeKey.fromBytes(Buffer.allocUnsafe(32));
+    validateNodeKey(nodeKey);
+  });
+
+  test('it should create a valid nodekey from a greater than 32 byte buffer', async () => {
+    const nodeKey = NodeKey.fromBytes(Buffer.allocUnsafe(42));
+    validateNodeKey(nodeKey);
+  });
+
+  test('it should create a valid nodekey from a lesser than 32 byte buffer', async () => {
+    const nodeKey = NodeKey.fromBytes(Buffer.allocUnsafe(22));
+    validateNodeKey(nodeKey);
+  });
+});