diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 08eb35ef..d4bb990e 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -5,6 +5,7 @@ ### Added - feat: management canister interface updates for schnorr signatures +- feat: ensure that identity-secp256k1 seed phrase must produce a 64 byte seed - docs: documentation and metadata for use-auth-client ### Changed diff --git a/packages/identity-secp256k1/src/secp256k1.test.ts b/packages/identity-secp256k1/src/secp256k1.test.ts index 642121ba..a52b3727 100644 --- a/packages/identity-secp256k1/src/secp256k1.test.ts +++ b/packages/identity-secp256k1/src/secp256k1.test.ts @@ -244,4 +244,17 @@ describe('public key serialization from various types', () => { const shouldFailHex = () => Secp256k1PublicKey.from('not a hex string'); expect(shouldFailHex).toThrow('Invalid hexadecimal string'); }); + + it('should throw an error serializing a too short seed phrase', () => { + const shouldFail = () => Secp256k1KeyIdentity.fromSeedPhrase('one two three'); + expect(shouldFail).toThrow('Invalid mnemonic'); + }); + + it('should throw an error serializing a too long seed phrase', () => { + const shouldFail = () => + Secp256k1KeyIdentity.fromSeedPhrase( + 'one two three four five six seven eight nine ten eleven twelve thirteen fourteen fifteen sixteen seventeen', + ); + expect(shouldFail).toThrow('Invalid mnemonic'); + }); }); diff --git a/packages/identity-secp256k1/src/secp256k1.ts b/packages/identity-secp256k1/src/secp256k1.ts index 305b418c..464f748f 100644 --- a/packages/identity-secp256k1/src/secp256k1.ts +++ b/packages/identity-secp256k1/src/secp256k1.ts @@ -198,6 +198,10 @@ export class Secp256k1KeyIdentity extends SignIdentity { } const seed = bip39.mnemonicToSeedSync(phrase, password); + // Ensure the seed is 64 bytes long + if (seed.byteLength !== 64) { + throw new Error('Derived seed must be 64 bytes long.'); + } const root = HDKey.fromMasterSeed(seed); const addrnode = root.derive("m/44'/223'/0'/0/0");