mirror of https://github.com/Qortal/altcoinj.git synced 2025-02-07 14:54:15 +00:00

HDW: Fix a decryption bug where we were (again) accidentally relying on padding checks to detect wrong passwords. Check the watching key derives correctly to fix.

Mike Hearn 2014-04-22 22:14:21 +02:00
parent 24e41f01c6
commit b374ba5108
3 changed files with 9 additions and 2 deletions


@ -289,6 +289,9 @@ public class DeterministicKey extends ECKey {
return checkNotNull(downCursor.priv);
}
/**
* Derives a child at the given index (note: not the "i" value).
*/
public DeterministicKey derive(int child) {
return HDKeyDerivation.deriveChildKey(this, new ChildNumber(child, true));
}
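Review bot: The Javadoc on `derive(int child)` does not say that the child is always derived hardened, which is what `new ChildNumber(child, true)` requests. Hardened derivation needs the parent's private key, so calling this on a pubkey-only (watching) key would presumably fail inside `HDKeyDerivation.deriveChildKey`; that code is not visible here. I would extend the comment to something like `Derives a hardened child at the given index (note: not the "i" value); this key must hold private key material.`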


@ -553,6 +553,9 @@ public class DeterministicKeyChain implements EncryptableKeyChain {
checkState(seed.isEncrypted());
DeterministicSeed decSeed = seed.decrypt(getKeyCrypter(), aesKey);
DeterministicKeyChain chain = new DeterministicKeyChain(decSeed);
// Now double check that the keys match to catch the case where the key is wrong but padding didn't catch it.
if (!chain.getWatchingKey().getPubKeyPoint().equals(getWatchingKey().getPubKeyPoint()))
throw new KeyCrypterException("Provided AES key is wrong");
chain.lookaheadSize = lookaheadSize;
// Now copy the (pubkey only) leaf keys across to avoid rederiving them. The private key bytes are missing
// anyway so there's nothing to decrypt.
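Review bot: The plaintext produced by a wrong `aesKey` is handed to `new DeterministicKeyChain(decSeed)` before the watching-key comparison runs, so the check only helps when that constructor accepts arbitrary bytes. If the constructor or the seed handling inside it can reject malformed input (not visible in this hunk), a wrong password would surface as some other exception type instead of `KeyCrypterException`, and callers that catch only `KeyCrypterException` would mishandle it. It is worth confirming that path and, if needed, translating such failures into `KeyCrypterException` as well. The one-line `if` would also read more safely with braces. The enclosing method starts and ends outside this hunk.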


@ -27,6 +27,7 @@ import com.google.bitcoin.utils.BriefLogFormatter;
import com.google.bitcoin.utils.Threading;
import com.google.common.collect.ImmutableList;
import org.bitcoinj.wallet.Protos;
import org.junit.Before;
import org.junit.Test;
import org.spongycastle.crypto.params.KeyParameter;
@ -43,7 +44,8 @@ public class KeyChainGroupTest {
private static final int LOOKAHEAD_SIZE = 5;
private KeyChainGroup group;
public KeyChainGroupTest() {
@Before
public void setup() {
BriefLogFormatter.init();
Utils.setMockClock();
group = new KeyChainGroup();
@ -92,7 +94,6 @@ public class KeyChainGroupTest {
@Test
public void findKey() throws Exception {
ECKey a = group.freshKey(KeyChain.KeyPurpose.RECEIVE_FUNDS);
assertTrue(a instanceof DeterministicKey);
ECKey b = group.freshKey(KeyChain.KeyPurpose.CHANGE);
ECKey c = new ECKey();
ECKey d = new ECKey(); // Not imported.
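Review bot: None of the test changes shown here exercise the new wrong-key check in `DeterministicKeyChain`; the hunks only move initialisation into `@Before public void setup()` and drop one line from `findKey`. Since the commit message says padding-based detection has failed before, a regression test would be valuable: encrypt a chain, decrypt with a different `KeyParameter`, and assert that `KeyCrypterException` is thrown. Because padding passes only occasionally for a wrong key, the test should try several wrong keys or use a fixed key known to yield valid padding. `findKey` continues outside this hunk.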