LedgerCosmos.getAddressPubKeySECP256K1 could use string operations as they are for properly checking runes instead of bytes

[odeke-em]

This code takes a string and then converts it to a byteslice then manually runs some operations on it

ledger-cosmos-go/user_app.go

Lines 298 to 303 in e9d4c19

	hrpBytes := []byte(hrp)
	for _, b := range hrpBytes {
	if !validHRPByte(b) {
	return nil, "", errors.New("all characters in the HRP must be in the [33, 126] range")
	}
	}

and then

ledger-cosmos-go/user_app.go

Lines 317 to 318 in e9d4c19

	message := append(header, byte(len(hrpBytes)))
	message = append(message, hrpBytes...)

From reading the above, it seems that Ledger ONLY deals with ASCII but I've seen them display emoji so seems that they are capable of using Unicode for future purposes like Unicode passphrases or keys, in which I could use runes (Unicode code point with a very high range) that are invalid but when turned into bytes (very narrow range) overflow and pass the error checks

Suggestions

Use string operations

func validHRPRune(r rune) bool {
	// https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki
	return r >= 33 && r <= 126
}

func (ledger *LedgerCosmos) getAddressPubKeySECP256K1(bip32Path []uint32, hrp string... {
   ...
   if strings.ContainsFunc(hrp, func(r rune) bool { return !validHRPRune(r) }) {
      return nil, "", errors.New("all runes in the HRP must be in the [33, 126] range")
   }

  ...
  message := append(header, byte(len(hrp)))
  message = append(message, hrp...)

Use bytes.ContainsFunc

   if bytes.ContainsFunc(hrpBytes, invalidHRPByte) {
      return nil, "", errors.New("all runes in the HRP must be in the [33, 126] range")
   }

/cc @elias-orijtech @julienrbrt

[jleni]

The restriction is due to bech32 definition in BIP173 and it is not purely a representation restriction. For this reason, code should be restricted to byte instead of runes.

https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki#bech32