// check for validity of curve point in case of public data not performed int hdnode_deserialize(const char *str, HDNode *node) { uint8_t node_data[78]; memset(node, 0, sizeof(HDNode)); if (!base58_decode_check(str, node_data, sizeof(node_data))) { return -1; } uint32_t version = read_be(node_data); if (version == 0x0488B21E) { // public node memcpy(node->public_key, node_data + 45, 33); } else if (version == 0x0488ADE4) { // private node if (node_data[45]) { // invalid data return -2; } memcpy(node->private_key, node_data + 46, 32); hdnode_fill_public_key(node); } else { return -3; // invalid version } node->depth = node_data[4]; node->fingerprint = read_be(node_data + 5); node->child_num = read_be(node_data + 9); memcpy(node->chain_code, node_data + 13, 32); return 0; }
void hdnode_from_xprv(uint8_t version_byte, uint32_t version, uint32_t depth, uint32_t fingerprint, uint32_t child_num, uint8_t *chain_code, uint8_t *private_key, HDNode *out) { out->version = version; out->depth = depth; out->fingerprint = fingerprint; out->child_num = child_num; memcpy(out->chain_code, chain_code, 32); memcpy(out->private_key, private_key, 32); hdnode_fill_public_key(out); out->version_byte = version_byte; hdnode_fill_address(out); }
void hdnode_from_seed(uint8_t version_byte, uint32_t version, uint8_t *seed, int seed_len, HDNode *out) { uint8_t I[32 + 32]; out->version = version; out->depth = 0; out->fingerprint = 0x00000000; out->child_num = 0; hmac_sha512((uint8_t *)"Bitcoin seed", 12, seed, seed_len, I); memcpy(out->chain_code, I + 32, 32); memcpy(out->private_key, I, 32); hdnode_fill_public_key(out); out->version_byte = version_byte; hdnode_fill_address(out); }
int hdnode_from_xprv(uint32_t depth, uint32_t fingerprint, uint32_t child_num, const uint8_t *chain_code, const uint8_t *private_key, HDNode *out) { bignum256 a; bn_read_be(private_key, &a); if (bn_is_zero(&a) || !bn_is_less(&a, &order256k1)) { // == 0 or >= order return 0; } out->depth = depth; out->fingerprint = fingerprint; out->child_num = child_num; memcpy(out->chain_code, chain_code, 32); memcpy(out->private_key, private_key, 32); hdnode_fill_public_key(out); return 1; }
serializedAsymmetricKey TrezorCrypto::PrivateToPublic( const proto::AsymmetricKey& key) const { std::shared_ptr<HDNode> node = SerializedToHDNode(key); hdnode_fill_public_key(node.get()); // This will cause the next function to serialize as public OTPassword::zeroMemory(node->private_key, sizeof(node->private_key)); serializedAsymmetricKey publicVersion = HDNodeToSerialized( *node, TrezorCrypto::DERIVE_PUBLIC); publicVersion->set_role(key.role()); return publicVersion; }
int hdnode_private_ckd(HDNode *inout, uint32_t i) { uint8_t data[1 + 32 + 4]; uint8_t I[32 + 32]; uint8_t fingerprint[32]; bignum256 a, b; if (i & 0x80000000) { // private derivation data[0] = 0; memcpy(data + 1, inout->private_key, 32); } else { // public derivation memcpy(data, inout->public_key, 33); } write_be(data + 33, i); sha256_Raw(inout->public_key, 33, fingerprint); ripemd160(fingerprint, 32, fingerprint); inout->fingerprint = (fingerprint[0] << 24) + (fingerprint[1] << 16) + (fingerprint[2] << 8) + fingerprint[3]; bn_read_be(inout->private_key, &a); hmac_sha512(inout->chain_code, 32, data, sizeof(data), I); memcpy(inout->chain_code, I + 32, 32); memcpy(inout->private_key, I, 32); bn_read_be(inout->private_key, &b); if (!bn_is_less(&b, &order256k1)) { // >= order return 0; } bn_addmod(&a, &b, &order256k1); if (bn_is_zero(&a)) { return 0; } inout->depth++; inout->child_num = i; bn_write_be(&a, inout->private_key); hdnode_fill_public_key(inout); return 1; }
int hdnode_from_seed(const uint8_t *seed, int seed_len, HDNode *out) { uint8_t I[32 + 32]; memset(out, 0, sizeof(HDNode)); out->depth = 0; out->fingerprint = 0x00000000; out->child_num = 0; hmac_sha512((uint8_t *)"Bitcoin seed", 12, seed, seed_len, I); memcpy(out->private_key, I, 32); bignum256 a; bn_read_be(out->private_key, &a); if (bn_is_zero(&a) || !bn_is_less(&a, &order256k1)) { // == 0 or >= order return 0; } memcpy(out->chain_code, I + 32, 32); hdnode_fill_public_key(out); return 1; }
/* * verify_exchange_address - verify address specified in exchange contract belongs to device. * * INPUT * coin - the CoinType * address_n_count - depth of node * address_n - pointer to node path * address_str - string representation of address * address_str_len - address length * root - root hd node * * OUTPUT * true/false - success/failure */ static bool verify_exchange_address(const CoinType *coin, size_t address_n_count, uint32_t *address_n, char *address_str, size_t address_str_len, const HDNode *root, bool is_token) { static CONFIDENTIAL HDNode node; memcpy(&node, root, sizeof(HDNode)); if (hdnode_private_ckd_cached(&node, address_n, address_n_count, NULL) == 0) { memzero(&node, sizeof(node)); return false; } if (isEthereumLike(coin->coin_name) || is_token) { char tx_out_address[sizeof(((ExchangeAddress *)NULL)->address)]; EthereumAddress_address_t ethereum_addr; ethereum_addr.size = 20; if (hdnode_get_ethereum_pubkeyhash(&node, ethereum_addr.bytes) == 0) { memzero(&node, sizeof(node)); return false; } data2hex((char *)ethereum_addr.bytes, 20, tx_out_address); return addresses_same(tx_out_address, sizeof(tx_out_address), address_str, address_str_len, true); } const curve_info *curve = get_curve_by_name(coin->curve_name); if (!curve) { memzero(&node, sizeof(node)); return false; } char tx_out_address[36]; hdnode_fill_public_key(&node); ecdsa_get_address(node.public_key, coin->address_type, curve->hasher_pubkey, curve->hasher_base58, tx_out_address, sizeof(tx_out_address)); memzero(&node, sizeof(node)); return strncmp(tx_out_address, address_str, sizeof(tx_out_address)) == 0; }
int main(int argc, char **argv) { if (argc != 2 && argc != 3) { fprintf(stderr, "Usage: bip39bruteforce address [mnemonic]\n"); return 1; } const char *address = argv[1]; const char *mnemonic, *item; if (argc == 3) { mnemonic = argv[2]; item = "passphrase"; } else { mnemonic = NULL; item = "mnemonic"; } if (mnemonic && !mnemonic_check(mnemonic)) { fprintf(stderr, "\"%s\" is not a valid mnemonic\n", mnemonic); return 2; } if (!ecdsa_address_decode(address, 0, secp256k1_info.hasher_base58, addr)) { fprintf(stderr, "\"%s\" is not a valid address\n", address); return 3; } printf("Reading %ss from stdin ...\n", item); start = clock(); for (;;) { if (fgets(iter, 256, stdin) == NULL) break; int len = strlen(iter); if (len <= 0) { continue; } count++; iter[len - 1] = 0; if (mnemonic) { mnemonic_to_seed(mnemonic, iter, seed, NULL); } else { mnemonic_to_seed(iter, "", seed, NULL); } hdnode_from_seed(seed, 512 / 8, SECP256K1_NAME, &node); hdnode_private_ckd_prime(&node, 44); hdnode_private_ckd_prime(&node, 0); hdnode_private_ckd_prime(&node, 0); hdnode_private_ckd(&node, 0); hdnode_private_ckd(&node, 0); hdnode_fill_public_key(&node); ecdsa_get_pubkeyhash(node.public_key, secp256k1_info.hasher_pubkey, pubkeyhash); if (memcmp(addr + 1, pubkeyhash, 20) == 0) { found = 1; break; } } float dur = (float)(clock() - start) / CLOCKS_PER_SEC; printf("Tried %d %ss in %f seconds = %f tries/second\n", count, item, dur, (float)count / dur); if (found) { printf("Correct %s found! :-)\n\"%s\"\n", item, iter); return 0; } printf("Correct %s not found. :-(\n", item); return 4; }