feat: ensure that seed phrase must produce a 64 byte seed (#915)

* feat: ensure that seed phrase must produce a 64 byte seed * changelog
dfinity · Aug 7, 2024 · 5a21dae · 5a21dae
1 parent bee3ef5
commit 5a21dae
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Added
 
 - feat: management canister interface updates for schnorr signatures
+- feat: ensure that identity-secp256k1 seed phrase must produce a 64 byte seed
 - docs: documentation and metadata for use-auth-client
 
 ### Changed

diff --git a/packages/identity-secp256k1/src/secp256k1.test.ts b/packages/identity-secp256k1/src/secp256k1.test.ts
@@ -244,4 +244,17 @@ describe('public key serialization from various types', () => {
     const shouldFailHex = () => Secp256k1PublicKey.from('not a hex string');
     expect(shouldFailHex).toThrow('Invalid hexadecimal string');
   });
+
+  it('should throw an error serializing a too short seed phrase', () => {
+    const shouldFail = () => Secp256k1KeyIdentity.fromSeedPhrase('one two three');
+    expect(shouldFail).toThrow('Invalid mnemonic');
+  });
+
+  it('should throw an error serializing a too long seed phrase', () => {
+    const shouldFail = () =>
+      Secp256k1KeyIdentity.fromSeedPhrase(
+        'one two three four five six seven eight nine ten eleven twelve thirteen fourteen fifteen sixteen seventeen',
+      );
+    expect(shouldFail).toThrow('Invalid mnemonic');
+  });
 });
diff --git a/packages/identity-secp256k1/src/secp256k1.ts b/packages/identity-secp256k1/src/secp256k1.ts
@@ -198,6 +198,10 @@ export class Secp256k1KeyIdentity extends SignIdentity {
     }
 
     const seed = bip39.mnemonicToSeedSync(phrase, password);
+    // Ensure the seed is 64 bytes long
+    if (seed.byteLength !== 64) {
+      throw new Error('Derived seed must be 64 bytes long.');
+    }
     const root = HDKey.fromMasterSeed(seed);
     const addrnode = root.derive("m/44'/223'/0'/0/0");