Add Bip32 smart contract and adjust the key manager to utilizes it (#37)

* Add sha512 bashscript to mock the precompile in AndromedaForge.sol

* Add the crypto interface and the necessary data structures for the BIP32.

* Continue the BIP32 protocol implementation in solidity. Add unit tests

* Remove the sha512 call from the split function

* Fix the nil byte issue. Add more unit tests

* Add child's extended public key derivation from a parent extended public key

* Add a failing test of hardened key derivation from a parent public key

* Add new key manager that utilizes BIP32 key derivation with corresponding unit tests

* Modify scripts to utilize the new key manager with the BIP32 implementation

* Refactor code as follows:
1- use IHash instead of ICrypto and forging the BIP32
2- add new way to address indexing in the NewKeyManager utilizing the BIP32

Author: MoeMahhouk

Makefile

@@ -1,6 +1,10 @@
+.PHONY: build-debug
+build-debug:
+	forge build --revert-strings debug
+
 .PHONY: build
 build:
-	forge build --revert-strings debug
+	forge build
 
 .PHONY: test
 test:

ffi/sha512.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Check if argument is provided
+if [ -z "$1" ]
+then
+    echo "No argument supplied. Please provide a string to hash."
+    exit 1
+fi
+
+# Compute and print the SHA512 hash
+echo -n "$1" | sha512sum | awk '{ print $1 }'

package-lock.json

@@ -14,6 +14,7 @@ async function main() {
 
   /* Assumes andromeda is configured, might not be */
   const Andromeda = await attach_artifact(LocalConfig.ANDROMEDA_ARTIFACT, wallet, LocalConfig.ADDR_OVERRIDES[LocalConfig.ANDROMEDA_ARTIFACT]);
+
   const [KM, _] = await deploy_artifact(LocalConfig.KEY_MANAGER_SN_ARTIFACT, wallet, Andromeda.target);
 
   let resp = await kettle_advance(new_kettle_socket);

scripts/onboard_kettle.ts

@@ -14,6 +14,7 @@ contract Andromeda is IAndromeda, DcapDemo {
     address public constant VOLATILEGET_ADDR = 0x0000000000000000000000000000000000040702;
     address public constant RANDOM_ADDR = 0x0000000000000000000000000000000000040703;
     address public constant SEALINGKEY_ADDR = 0x0000000000000000000000000000000000040704;
+    address public constant SHA512_ADDR = 0x0000000000000000000000000000000000050700;
 
     function volatileSet(bytes32 key, bytes32 value) external override {
         bytes memory cdata = abi.encodePacked([key, value]);
@@ -62,4 +63,12 @@ contract Andromeda is IAndromeda, DcapDemo {
         require(sealingBytes.length == 32);
         return bytes32(keccak256(abi.encode(bytes32(sealingBytes), key)));
     }
+
+    function sha512(bytes memory data) external view override returns (bytes memory) {
+        require(data.length > 0, "sha512: data length must be greater than 0");
+        (bool success, bytes memory output) = SHA512_ADDR.staticcall(data);
+        require(success);
+        require(output.length == 64);
+        return output;
+    }
 }

src/Andromeda.sol

@@ -79,4 +79,13 @@ contract AndromedaForge is IAndromeda {
         }
         return string(abi.encodePacked("0x", converted));
     }
+
+    function sha512(bytes memory data) external view override returns (bytes memory) {
+        require(data.length > 0, "sha512: data length must be greater than 0");
+        string[] memory inputs = new string[](3);
+        inputs[0] = "sh";
+        inputs[1] = "ffi/sha512.sh";
+        inputs[2] = string(data);
+        return vm.ffi(inputs);
+    }
 }

src/AndromedaForge.sol

@@ -163,6 +163,15 @@ contract AndromedaRemote is IAndromeda, DcapDemo {
         //return string(abi.encodePacked("0x", converted));
     }
 
+    function sha512(bytes memory data) external view override returns (bytes memory) {
+        require(data.length > 0, "sha512: data length must be greater than 0");
+        string[] memory inputs = new string[](3);
+        inputs[0] = "sh";
+        inputs[1] = "ffi/sha512.sh";
+        inputs[2] = string(data);
+        return vm.ffi(inputs);
+    }
+
     ///////////////////////////////////////////////////////
     // Forge functions for tcbInfo and qeIdentity from file
     ///////////////////////////////////////////////////////

src/AndromedaRemote.sol

@@ -0,0 +1,125 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.8;
+
+import {IHash} from "src/hash/IHash.sol";
+import {PKE} from "../src/crypto/encryption.sol";
+import {Utils} from "src/utils/Utils.sol";
+
+contract BIP32 {
+    // Derivation domain separator for BIP39 keys array (Suave seed)
+    bytes public constant BIP32_DERIVATION_DOMAIN = hex"416E64726F6D6564612073656564";
+    // Hardened key indexes start from 0x80000000 (2³¹) and above
+    uint32 public constant HARDENED_START_INDEX = 0x80000000;
+
+    struct ExtendedKeyAttributes {
+        // Index of the key in the parent's children
+        uint32 childNumber;
+        bytes32 chainCode;
+    }
+    struct ExtendedPrivateKey {
+        bytes32 key;
+        ExtendedKeyAttributes attributes;
+    }
+    struct ExtendedPublicKey {
+        bytes key;
+        ExtendedKeyAttributes attributes;
+    }
+
+    IHash private hasher;
+    
+    constructor(IHash _hasher) {
+        hasher = _hasher;
+    }
+
+    function split(bytes memory data) public pure returns(bytes32 key, bytes32 chain_code) {
+        require(data.length == 64, "BIP32: data length must be 64 bytes");
+        assembly {
+        // this starts with 32 index because the first 32 bytes are the length of the bytes array    
+        key := mload(add(data, 32)) // Load first 32 bytes
+        chain_code := mload(add(data, 64)) // Load second 32 bytes
+        }
+    }
+
+    // Based on the context, it generates either the extended private key or extended public key
+    function newFromSeed(bytes memory seed) public view returns (ExtendedPrivateKey memory) {
+        // if seed length is not 16 32 or 64 bytes, throw
+        require(seed.length == 16 || seed.length == 32 || seed.length == 64, "BIP32: seed length must be 16, 32 or 64 bytes");
+        bytes memory output = hasher.sha512(abi.encodePacked(Utils.bytesToHexString(abi.encodePacked(BIP32_DERIVATION_DOMAIN, seed))));
+        (bytes32 secret_key, bytes32 chain_code) = split(output);
+        return ExtendedPrivateKey(secret_key, ExtendedKeyAttributes(0, chain_code));
+    }
+
+    // derive extended child key pair from a parent seed
+    function deriveChildKeyPairFromSeed(bytes memory seed, uint32 index) external view returns (ExtendedPrivateKey memory xPriv, ExtendedPublicKey memory xPub) {
+        ExtendedPrivateKey memory parent = newFromSeed(seed);
+        return deriveChildKeyPair(parent, index);
+    }
+
+    // derive extended child key pair from a parent extended private key
+    function deriveChildKeyPair(ExtendedPrivateKey memory parent, uint32 index) public view returns (ExtendedPrivateKey memory xPriv, ExtendedPublicKey memory xPub) {
+        // hardened key derivation if index > 0x80000000
+        if (index >= 0x80000000) {
+            bytes memory data = abi.encodePacked(hex"00", parent.key, index);
+            bytes memory output = hasher.sha512(abi.encodePacked(Utils.bytesToHexString(abi.encodePacked(parent.attributes.chainCode, data))));
+            (bytes32 secret_key, bytes32 chain_code) = split(output);
+            ExtendedKeyAttributes memory extKeyAttr = ExtendedKeyAttributes(index, chain_code);
+            xPriv =  ExtendedPrivateKey(secret_key, extKeyAttr);
+            xPub = ExtendedPublicKey(PKE.derivePubKey(secret_key), extKeyAttr);  
+        } else {
+            bytes memory data = abi.encodePacked(PKE.derivePubKey(parent.key), index);
+            bytes memory output = hasher.sha512(abi.encodePacked(Utils.bytesToHexString(abi.encodePacked(parent.attributes.chainCode, data))));
+            (bytes32 secret_key, bytes32 chain_code) = split(output);
+            ExtendedKeyAttributes memory extKeyAttr = ExtendedKeyAttributes(index, chain_code);
+            xPriv =  ExtendedPrivateKey(secret_key, extKeyAttr);
+            xPub = ExtendedPublicKey(PKE.derivePubKey(secret_key), extKeyAttr);
+        }
+    }
+
+    // derive child extended key pairs from a given string path
+    function deriveChildKeyPairFromPath(bytes memory seed, string memory path) external view returns (ExtendedPrivateKey memory xPriv, ExtendedPublicKey memory xPub) {
+        bytes memory pathBytes = bytes(path);
+        // require that the path is not empty and the first character of the path is "m" or "M"
+        require(pathBytes.length > 0 || pathBytes[0] == bytes1('m') || pathBytes[0] == bytes1('M'), "BIP32: invalid path");
+
+        ExtendedPrivateKey memory data = newFromSeed(seed);
+        // if the path is just "m" or "M", return the extended private key and extended public key
+        if(pathBytes.length <= 2) {
+            return (data, ExtendedPublicKey(PKE.derivePubKey(data.key), data.attributes));
+        }
+        
+        uint32 index = 0;
+        // iterate through the path and derive the child key pair at each level and check the occurrence of ' to define hardened derivation or not
+        for (uint i = 2; i < pathBytes.length; i++) {
+            if (pathBytes[i] == bytes1('\'')) {
+                //check if index + 2147483648 does not exceed uint32 max value
+                require(index <= 2147483647, "BIP32: invalid path");
+                index += 2147483648;
+            } else if (pathBytes[i] == bytes1('/')) {
+                (xPriv, xPub) = deriveChildKeyPair(data, index);
+                data = xPriv;
+                index = 0;
+            } else {
+                // check if the character is not a number and throw instead of converting it to a number
+                require(uint8(pathBytes[i]) >= 48 && uint8(pathBytes[i]) <= 57, "BIP32: invalid path");
+                index = index * 10 + uint32(uint8(pathBytes[i]) - 48);
+                // TODO further formating checks are probably needed to avoid invalid formats, such as m/000123 or m/' or m/1'' or m// etc...
+            }
+        }  
+        (xPriv, xPub) = deriveChildKeyPair(data, index);
+    }
+
+    // derive child public key from a parent public key
+    function derivePubKeyFromParentPubKey(ExtendedPublicKey memory parent, uint32 index) external view returns (ExtendedPublicKey memory xPub) {
+        require(index < 0x80000000, "BIP32: can't derive hardened public keys from a parent public key");
+        bytes memory data = abi.encodePacked(parent.key, index);
+        bytes memory output = hasher.sha512(abi.encodePacked(Utils.bytesToHexString(abi.encodePacked(parent.attributes.chainCode, data))));
+        (bytes32 secret_key, bytes32 chain_code) = split(output);
+        ExtendedKeyAttributes memory extKeyAttr = ExtendedKeyAttributes(index, chain_code);
+        xPub = ExtendedPublicKey(PKE.derivePubKey(secret_key), extKeyAttr);
+    }
+
+    // derive public key from a given private key
+    function derivePubKey(ExtendedPrivateKey memory xPriv) external view returns (ExtendedPublicKey memory xPub) {
+        return ExtendedPublicKey(PKE.derivePubKey(xPriv.key), xPriv.attributes);
+    }
+}

src/BIP32.sol

@@ -2,8 +2,9 @@
 pragma solidity ^0.8.8;
 
 import "solidity-stringutils/strings.sol";
+import {IHash} from "src/hash/IHash.sol";
 
-interface IAndromeda {
+interface IAndromeda is IHash {
     function attestSgx(bytes32 appData) external returns (bytes memory);
     function verifySgx(address caller, bytes32 appData, bytes memory att) external view returns (bool);
     function volatileSet(bytes32 tag, bytes32 value) external;